HK1168667A - Device and method for controlling an automated system, in particular a railway system - Google Patents
Device and method for controlling an automated system, in particular a railway system
- Publication number
- HK1168667A (application HK12109365.4A)
- Authority
- HK
- Hong Kong
- Prior art keywords
- unit
- data
- arrangement
- disconnection
- control unit
Abstract
A device for controlling an automated system, in particular a railway system, comprises a number of sensors (40) and actuators (38). A programmable control unit (12) executes an application program in order to process the input data from the sensors (40) and to generate control commands for the actuators (38). The sensors (40) and the actuators (38) are connected to a local I/O unit (14, 16), which is connected to the control unit (12) by way of a communication network (18). The control unit (12) and the I/O unit (14, 16) exchange data telegrams (20, 22, 24) in order to transmit the input data and the control commands. The device comprises a local shut-off unit (32), which is coupled to the local I/O unit (14, 16) separately from the input data and control commands. The control unit (12) is designed to integrate special verification data (54) for the shut-off unit (32) into the data telegrams (20, 22) for the I/O unit (14). The shut-off unit (32) is designed to deactivate the I/O unit (14, 16) depending on the special verification data (54).
Description
The present invention relates to a device for controlling an automated installation, in particular a railway installation, comprising sensors and actuators, with a programmable control unit for executing an application program, with a local I/O unit to which a number of sensors and actuators are connected, with a local shut-off unit coupled to the local I/O unit, and with a communication network connecting the control unit and the local I/O unit, wherein the control unit is designed to process the input data from the sensors depending on the application program and to generate control commands for the actuators, wherein the control unit and the I/O unit are designed to exchange data telegrams via the communication network in order to transmit the input data and the control commands, wherein the control unit is designed to integrate verification data into the data telegrams for the I/O unit, and wherein the shut-off unit is designed to deactivate the I/O unit depending on the verification data.
The invention further relates to a method for controlling an automated installation, in particular a railway installation, which comprises sensors and actuators, with the steps of:
providing a local I/O unit to which a number of sensors and actuators are connected, providing a local shut-off unit in the area of the I/O unit and coupling the local shut-off unit to the local I/O unit, providing a control unit for processing the input data from the sensors and for generating control commands for the actuators, and exchanging data telegrams between the control unit and the I/O unit over a communication network connecting the control unit and the local I/O unit,
wherein the control unit controls the actuators depending on the input data from the sensors by means of the data telegrams, wherein the control unit integrates verification data into the data telegrams for the I/O unit, and wherein the shut-off unit deactivates the I/O unit depending on the verification data.
A similar device and a similar method, though not for a railway installation, are disclosed in WO 2006/011578 A1.
This document discloses a safety controller having a so-called master and several slaves, which are connected to one another by a communication network in the form of a ring bus. Both the master and the slaves have a so-called MPU processing unit, which can execute a program, as well as an input/output module for connecting sensors and actuators and an interface for connection to the communication network. A so-called test bit string is embedded in the data telegrams transmitted between the master and the slaves, which makes it possible to determine the number of bit errors in an erroneously transmitted data telegram.
DE 10 2007 039 154 A1 discloses a so-called safety system for a railway network comprising a control level and controllable field elements. An example of a field element is a railway switch (points). Such interlocking installations have historically been built in a strongly centralised manner, so that even a small change affects the whole system. This also applies to the software, which must be adapted from the control level down to the field elements such as switches, signals, etc. In order to simplify the adaptation and extension of such a safety system, the publication proposes a modular construction in which the control level is designed as a master and the field elements as slaves, and in which the master and the slaves are connected to each other by a communication system. The slaves are also to be controllable by a controller that can be connected to the communication system via a communication interface common to all slaves.
The proposed implementation presupposes that the communication system guarantees an unaltered and unalterable transmission of data telegrams between the master and the slaves. In other words, the proposed solution requires a fail-safe communication system between the master and the slaves. Consequently, both the master and the slaves must have a special communication interface for a fail-safe communication system. Such an implementation may be an advance in terms of flexibility when adapting or expanding the earlier safety systems from which DE 10 2007 039 154 A1 proceeds. However, it is disadvantageous when existing railway installations are to be adapted, since it relies on a special and therefore usually proprietary communication system.
DE 197 42 716 A1 describes a control and data transmission device comprising a control unit and several I/O units. Safety-related assemblies are integrated into the control unit and the I/O units; they invert the incoming and outgoing data to be transmitted and transmit the inverted data redundantly alongside the original data. The redundant data transmission requires a specially designed and therefore proprietary communication interface and correspondingly designed I/O units. This control and data transmission device is therefore also disadvantageous when existing railway installations are to be modernised.
Against this background, the object of the present invention is to specify a device and a method of the type described above which allow a cost-effective and flexible adaptation or extension of an automated installation having safety-relevant components, in particular of a railway installation.
According to one aspect of the present invention, this object is achieved by a device and a method of the type disclosed herein, wherein the local shut-off unit is not involved in the processing and transmission of the input data and control commands, so that the functions of the shut-off unit and of the I/O unit are separate from and independent of each other.
According to another aspect, a shut-off unit for the device described above is provided, having a data interface for connection to the local I/O unit, a data processing unit for processing the verification data which the control unit integrates into the data telegrams for the I/O unit, which are separate from the input data and control commands and which are made available via the data interface, and a deactivation unit for deactivating the I/O unit depending on the specific verification data, wherein the shut-off unit is not involved in the processing and transmission of the input data and control commands, so that the function of the shut-off unit is separate from and independent of that of the I/O unit.
The new device and the new method use an additional, local shut-off unit that is coupled to the local I/O unit. However, the shut-off unit is not involved in the processing and transmission of the input data and control commands. Advantageously, the shut-off unit is located in the area of the I/O unit. The shut-off unit receives special verification data via a data telegram addressed to the I/O unit; these data are embedded in the data telegrams by the (preferably central) control unit. The shut-off unit can therefore check, on the basis of the verification data, whether the coupled I/O unit has received a data telegram that the control unit actually directed to that I/O unit.
In preferred embodiments, the local shut-off unit is not connected directly to the communication network, i.e. it does not have its own interface to the communication network. In this case the local shut-off unit receives the verification data exclusively via the local I/O unit. It is, however, also conceivable to equip the local shut-off unit additionally with a communication interface for a direct connection to the communication network, in order to enable direct communication between the control unit and the local shut-off unit, for example for remote maintenance of the local shut-off unit from any access point of the communication network.
Regardless of whether or not the shut-off unit is connected to the communication network, it is primarily designed to process verification data that are integrated into the data telegram sent to the I/O unit. The shut-off unit receives these verification data only when the corresponding data telegram has actually reached the coupled I/O unit. In this way the shut-off unit can check whether the coupled I/O unit has received a data telegram addressed to it. Only if the shut-off unit receives correct verification data does it enable operation of the I/O unit. If the verification data are missing or do not match the state expected in the shut-off unit, the shut-off unit deactivates the coupled I/O unit. The shut-off unit thus decides, depending on the verification data, whether commands from the control unit can take effect at the local I/O unit.
The verification data are independent of the input data and control commands and are specific to the shut-off unit. The I/O unit does not need the verification data in order to interpret the control commands. Accordingly, in the preferred embodiments the verification data are not evaluated by the I/O unit. Instead, the I/O unit passes the verification data "unread", i.e. without interpreting them, to the shut-off unit. Conversely, in the preferred embodiments the processing and evaluation of the input data and control commands take place without the shut-off unit, i.e. the shut-off unit is not involved in processing and evaluating the input data and control commands. The functions of the shut-off unit and of the I/O unit are thus clearly separated and independent of each other.
Nevertheless, by means of its specific verification data the shut-off unit monitors that the coupled I/O unit executes only control commands that are actually intended for it. This monitoring is the essential purpose of the coupling. The shut-off unit is therefore coupled to the I/O unit separately from the input data and control commands, and in the preferred embodiments the input data and control commands bypass the shut-off unit completely.
The new shut-off unit does not guarantee that the I/O unit is free of errors and executes the control commands of the control unit at the right time. It can, however, guarantee that the I/O unit does not execute wrong control commands, such as control commands addressed to another I/O unit and received erroneously because of a fault in the address field of the data telegram. This excludes errors that would otherwise have to be excluded by a fail-safe communication network. In other words, the new shut-off unit allows the use of a standard communication network which by itself does not guarantee error-free transmission of data telegrams.
The new device and the new method have the advantage that they can be implemented without a proprietary, fail-safe communication network. They can therefore use a communication network which, taken on its own, does not meet the fault-safety requirements of SIL 2 according to IEC 61508, category 3 according to EN 954, or comparable requirements. As a result, the local I/O unit can be designed to connect to any non-fail-safe communication network via a standard interface. Advantageously, the I/O unit is single-channel and accordingly processes the input data and control commands in a single channel. The new device and the new method can thus be implemented considerably more cheaply than the device and the method of DE 10 2007 039 154 A1 mentioned above. The object stated above is thereby completely achieved.
In a preferred embodiment, every data telegram from the control unit that contains control commands is acknowledged by the I/O unit with a response telegram indicating that the control command has actually been executed; preferably, the response telegram also contains further verification data provided by the shut-off unit, so that the control unit can redundantly verify the origin of the response telegram.
In this embodiment the control unit receives an execution confirmation from the I/O unit for every data telegram sent to it, so that the control unit can independently monitor whether the I/O unit actually executed a control command. On the basis of the additional verification data in the response telegram, the control unit can further monitor whether the response telegram comes from the "right" I/O unit and not from another I/O unit connected to the communication network. This embodiment therefore provides a further error-detection mechanism that makes use of the new shut-off unit.
In a further embodiment, the I/O unit comprises a network interface for connection to the communication network and a local data interface to which the shut-off unit is connected in order to receive the verification data. In particularly preferred embodiments, the local data interface is a standard serial interface, in particular an RS 485, RS 422 or RS 232 interface.
This embodiment allows a very simple and cost-effective coupling of the local shut-off unit and the I/O unit. All data telegrams from the communication network that are addressed to the I/O unit must first pass the network interface. Only after the network interface are the data in the data telegram split up, and in particular the verification data are forwarded to the shut-off unit. As an alternative, in other embodiments the shut-off unit could listen in on the data telegrams at the network interface, but this is not possible on all communication networks and network interfaces.
In a further embodiment, the I/O unit comprises a number of terminals for connecting the actuators, and the shut-off unit is designed to deactivate these terminals depending on the verification data. In a particularly preferred variant of this embodiment, the shut-off unit is designed to switch off at least part of the I/O unit, thereby preventing signals from being transmitted to the actuators. In a further embodiment, the shut-off unit is designed also to deactivate the terminals for connecting the sensors, in particular to switch them off, thereby preventing the I/O unit from generating and sending a correct response telegram, or one expected by the control unit.
This embodiment makes it possible to deactivate the I/O unit reliably in a simple and economical way, with the result that the normal control flow is interrupted immediately as soon as an undefined state occurs in the communication.
In a further embodiment, the shut-off unit is arranged separately next to the I/O unit.
In this embodiment the shut-off unit has its own housing, which is arranged separately from the I/O unit. The shut-off unit and the I/O unit may nevertheless be arranged in a common switch cabinet or the like. The shut-off unit is still a separate device, coupled to the I/O unit via a cable, for example a serial data cable, so that both the housing of the shut-off unit and the housing of the I/O unit have a corresponding connector or plug. This embodiment allows a very cost-effective and universal implementation, since the shut-off unit can easily be connected to almost any I/O unit. The new device and the new method are therefore largely manufacturer- and system-independent not only with respect to the communication network but also with respect to the local I/O unit.
In a further embodiment, the shut-off unit is multi-channel in order to process redundant verification data.
Such an embodiment allows a higher reliability in processing the verification data. Furthermore, it reliably prevents control operations based on a wrongly received data telegram. In addition, this embodiment has the great advantage that the multi-channel data processing can be concentrated in the new shut-off unit, which makes it possible to use cost-effective, non-fail-safe I/O units.
In a further embodiment, the verification data include an address, preferably a globally unique one, that uniquely identifies the shut-off unit.
The preferred globally unique address can, for example, be realised by an address that contains an individual, unambiguous manufacturer identification together with a device identification number assigned uniquely by the manufacturer. Since the shut-off unit does not require a direct connection to the communication network and is thus independent of the communication protocol used there, the manufacturer can freely choose the unique address and, for example, protect it against duplication and misuse with cryptographic methods. Preferably, the address of the shut-off unit is used in addition to a further address that identifies the I/O unit within the communication protocol. The address of the I/O unit is typically contained in the protocol part of the data telegram, whereas the address of the shut-off unit is transmitted in the payload part. Addressing the shut-off unit separately from, and in addition to, the I/O unit allows a simple and very reliable check of whether a data telegram from the control unit has reached the "correct" I/O unit. This embodiment thus provides particularly high safety against address corruption.
In a further embodiment, the control unit is designed to transmit a plurality of data telegrams to the I/O unit at defined time intervals, and the shut-off unit is designed to monitor the time intervals and to deactivate the I/O unit depending thereon. Preferably, the shut-off unit is designed to deactivate the I/O unit if the control unit does not transmit any data telegrams to the I/O unit over a longer period of time. The longer period of time can, for example, be recognised by the fact that no data telegrams are received over a defined number of time intervals.
In this embodiment the shut-off unit not only ensures correct addressing on the communication network but also monitors the regular and timely receipt of data telegrams. In preferred variants of this embodiment, this monitoring is also performed fail-safely, which can be achieved by a multi-channel structure of the shut-off unit. The embodiment has the advantage that the I/O unit is deactivated automatically when the communication link with the control unit is broken or temporarily interrupted. It therefore allows lower requirements on the availability of the communication network; for example, it facilitates the use of the Internet as the communication network. At the same time, it ensures that during the "uncontrolled" periods in which no communication with the control unit takes place, the I/O unit cannot influence the actuators and thus cannot change the system state "unnoticed" by the control unit. Furthermore, the control unit can bring about the deactivation of the I/O unit by suspending the transmission of data telegrams to the I/O unit for longer than the defined time intervals; for this purpose the control unit is designed to suspend the transmission of data telegrams for the said period.
In a further embodiment, the verification data include a running number (sequence number) representing the order of the data telegrams.
In this embodiment the shut-off unit is able to detect reliably the loss or absence of a data telegram. The embodiment ensures that received data telegrams are current, since a data telegram that has been "stuck" somewhere can be recognised as such when it reaches the I/O unit late. Confusion with a newer data telegram is excluded by the running number. The fail-safety of the new device and the new method is thereby further increased.
In a further embodiment, the verification data include a checksum that essentially characterises only the verification data themselves.
The use of checksums, in particular in the form of a so-called CRC (cyclic redundancy check), is known in connection with the transmission of data telegrams over a communication network. The present embodiment uses a checksum that practically covers only the verification data themselves; in other words, this checksum is independent, or at least largely independent, of the other contents of the data telegram. The embodiment has the advantage that the shut-off unit can calculate and check the checksum on its own from the forwarded verification data. In principle a checksum computed over the entire data telegram could be used instead, but then the shut-off unit would have to know the entire content of the data telegram in order to verify the checksum locally. The preferred embodiment, with a specific checksum that covers only the part of the data telegram of interest to the shut-off unit, allows faster and simpler monitoring of the data telegrams.
In a further embodiment, the data telegrams comprise a protocol part and a payload part, the protocol part being specified depending on the communication network and the verification data being arranged in the payload part.
The payload part of the data telegram is largely unspecific with respect to the communication network. It is the part of the data telegram that is largely freely available to the individual network participants. Restrictions may exist depending on the network protocol used, for example on the length of the payload part; however, the content of the payload part is of no significance for the operation of the communication network or for the transmission of data telegrams.
The protocol part, by contrast, contains all the information required for transmitting the data telegram in the communication network.
This includes, for example, sender and/or receiver information identifying the sender and/or receiver, type information specifying the kind of data telegram, information on the length of the data telegram, and other information.
In this embodiment the verification data are arranged essentially (preferably completely) in the payload part of the data telegram. This further contributes to making the new device and the new method independent of the communication network used, and allows freer use of existing communication structures.
In a further embodiment, the application program comprises a variable first program part and an invariant second program part, wherein the first program part determines the control commands depending on the input data and the second program part integrates the verification data into the data telegram.
In preferred variants of this embodiment, the first program part is compatible with the international standard IEC 61131, i.e. the user can create and modify it in one of the programming languages specified in IEC 61131. The second program part, by contrast, is largely inaccessible to the user; at least it cannot be freely modified in an IEC 61131-compatible programming language. In a particularly preferred variant, the second program part is part of the operating system or runtime environment of the control unit. It is, however, conceivable that the user can configure the second program part within limits, for example in order to enter the globally unique address of the shut-off unit.
This embodiment has the advantage that the part essential to the fail-safety of the new device and the new method, namely the integration of the verification data into the data telegram, is withheld from the user. Program errors that could endanger the fail-safety of the system are thus prevented more effectively. The user, in turn, can concentrate on programming the logic functions that generate the control commands for the actuators.
It will be understood that the features mentioned above and those still to be explained below can be used not only in the combination given in each case but also in other combinations or on their own, without departing from the scope of the present invention.
Embodiments of the invention are shown in the drawings and explained in more detail in the following description. Figures 1 to 3 show:
In Fig. 1 an embodiment of the new device as a whole is denoted by reference numeral 10. The device 10 serves here to control a railway installation, which is a preferred application. The new device and the new method can, however, also be used to control other automated installations, particularly installations that execute safety-relevant control functions.
The device 10 comprises a control unit 12, which is generally a central control unit of the railway installation. It may, however, also be a decentralised control unit working together with other central and/or decentralised control units (not shown). In preferred embodiments, the control unit 12 is a programmable controller that can be programmed in one of the programming languages specified in the international standard IEC 61131. In preferred embodiments, the control unit 12 is a fail-safe control unit according to SIL 3 of the European standard EN 61508, or a control unit meeting comparable safety requirements. As shown in more detail in Fig. 3, the control unit 12 is multi-channel redundant in the preferred embodiments. Such a control unit is offered by the applicant, for example, under the designation PSS®.
The device 10 further has one or more local I/O units, of which Fig. 1 shows I/O units 14 and 16 by way of example. The control unit 12 and the I/O units 14, 16 are connected via a communication network 18 and exchange data telegrams 20, 22, 24 over it. Typically, the I/O units are spatially remote from the control unit 12.
The communication network 18 may be, for example, a "normal" Ethernet network, a "normal" WLAN or the Internet. In the preferred embodiments, the communication network 18 is an open communication network which by itself does not meet the requirements of SIL 3 or comparable safety requirements. In one embodiment, the communication network 18 is a so-called Profinet network, which is known to those skilled in the art.
The I/O units 14, 16 are of modular construction in this embodiment. They have a head module 26 with a communication interface (see Fig. 3, reference numeral 92) for connection to the communication network 18. The head module 26 receives the data telegrams at the communication interface, extracts the payload data and makes them available to the further modules. In addition, the head module 26 receives payload data from the further modules of the I/O unit and integrates them into a data telegram, which is sent to the control unit 12 as a response telegram 24.
Here, an interface module 28 with a data interface 30 is connected to the head module 26. In preferred embodiments, the data interface 30 is a standard interface for serial data transmission, for example an RS 485, RS 422 or RS 232 interface. A local shut-off unit 32 is connected to the data interface 30.
Further modules 34, 36, which provide terminals for sensors and/or actuators, are arranged after the interface module 28. In the embodiment shown in Fig. 1, module 36 is connected to a relay 38, which can be energised via the I/O unit 14. In the preferred embodiments, the relay 38 is used to set a railway switch or a signal.
Module 34 is connected to a feedback contact 40, which is positively guided with the relay 38. The feedback contact 40 serves here as a sensor that makes it possible to read back the current switching state of the relay 38.
In operation, the control unit 12 controls the switches and signals of the railway installation with the help of the local I/O units 14, 16. At regular time intervals, the control unit 12 generates a data telegram 20, 22 containing output data that represent a command for the relay 38. Two such data telegrams 20, 22 are shown in Fig. 1. The time interval at which the control unit 12 sends the data telegrams 20, 22 to the I/O unit 14 is indicated by arrow 42.
Each addressed I/O unit receives the data telegram 20, 22 and controls the connected actuators/relays 38 according to the received output data. Furthermore, each I/O unit is designed here to read back the switching state of a controlled relay 38 with the help of the feedback contact 40. The respective switching state is sent back to the control unit 12 as an input datum in a response telegram 24. In this way the control unit 12 receives direct feedback about the actual state of a controlled relay 38. If the read-back switching state does not match the commanded switching state, an error message is generated (not shown here) and/or a safety routine is started that brings the device 10 into a safe state.
The illustration in Fig. 1 is simplified for the sake of clarity. In practice, a large number of relays 38 and/or other actuators, as well as a large number of sensors, are often used, and the control unit 12 is designed to perform plausibility checks on the basis of the many sensor signals. In addition, redundant actuators may be provided in order to bring the device 10 into a safe state in the event of a fault.
According to one aspect of the invention, the control unit 12 generates not only output or control data for controlling the actuators but additionally verification data, which are transmitted to the I/O unit 14 in the data telegrams 20, 22. The verification data are passed from the I/O unit 14 via the data interface 30 to the local shut-off unit 32. As explained in detail below with reference to Figs. 2 and 3, the shut-off unit 32 uses the verification data in particular to check whether the received data telegram 20, 22 was actually addressed to the receiving I/O unit 14. If this is not the case, or if the shut-off unit 32 detects a communication error on the basis of the verification data, the shut-off unit 32 deactivates the modules 34, 36 of the I/O unit 14 in order to prevent faulty control of the actuators 38, and additionally triggers an error message to the control unit 12.
In preferred embodiments, the shut-off unit 32 disconnects the modules 34, 36 from the power supply, as shown in Fig. 3.
So that communication with the control unit 12 remains possible even in the deactivated state, only the modules 34 and 36, which are arranged after the head module 26 and the interface module 28, are deactivated in the preferred embodiments.
Fig. 2 shows an embodiment of the data telegram 20 in more detail. Like the further data telegrams 22, 24, the data telegram 20 has a protocol part 46, which here essentially consists of a so-called header 48 at the beginning of the data telegram 20 and a checksum 50 at its end. The header 48 may contain address information identifying the sender and/or receiver of the data telegram, as is known, for example, from Ethernet frames. The payload part 52 is arranged here between the header 48 and the checksum 50. According to one feature of the invention, it contains verification data 54 as well as input data 56 and control commands 58. The input data 56 and the control commands 58 may also be contained in the data telegram 20 alternatively, depending on whether the data telegram 20 is sent from the control unit 12 to the I/O unit 14 or vice versa; in other words, the input data 56 and the control commands 58 need not be contained in the data telegram 20 at the same time.
The input data 56 represent the current states of the sensors 40. The output data 58 represent the control commands, i.e. the desired states of the actuators 38. According to one feature of the invention, the verification data 54 are integrated into the data telegrams 20, 22, 24 so that the shut-off unit 32 can verify that a data telegram has been received by the "correct" I/O unit and, in the preferred embodiments, the control unit 12 can verify that a response telegram comes from the "correct" I/O unit.
In a preferred embodiment, the verification data 54 include a globally unique address that uniquely identifies the shut-off unit 32. This address is represented in Fig. 2 by the verification datum V1.
The verification data 54 here further include a running number, shown as V2 in Fig. 2. The running number V2 is incremented for each data telegram of a series of data telegrams, so that the currency of a received data telegram can be verified.
Furthermore, the verification data 54 include a time stamp which represents, for example, the local transmission time of the data telegram. The local transmission time is denoted V3 in Fig. 2. Using the time stamp, the receiver can verify the timeliness of a received data telegram.
Finally, the verification data 54 include a checksum V4, which is used in addition to the checksum 50. The checksum V4 essentially characterizes the verification data 54, i.e. it is computed mainly on the basis of the verification data 54. In principle, however, further bits may be included in the calculation of the checksum V4 in addition to the actual verification data 54, for example to lengthen the bit sequence and thus increase the probability of error detection.
In further embodiments, the verification data 54 may include one or more bits representing a disconnection command, so that the disconnection unit deactivates the I/O unit in a targeted manner.
Fig. 2 shows a data telegram 20 sent from the control unit 12 to the I/O unit 14. It contains verification data 54 which the I/O unit forwards to the disconnection unit. The response telegrams 24, however, are constructed in principle in the same way. In place of the verification data 54 they contain further verification data 54' generated by the disconnection unit 32 and sent to the I/O unit. In the preferred embodiment the further verification data 54' likewise contain the worldwide unique address V1, a running number V2, a time indication V3 and/or a checksum V4. Moreover, the verification data 54' may contain one or more bits representing the state of the disconnection unit, the state in particular including information on whether the disconnection unit has deactivated the I/O unit or not.
Fig. 3 shows the device 10 in more detail. Identical reference numerals denote identical elements.
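The following model of the verification-data check is an added example for this page, not code from the patent or its applicant. It builds the verification data V1..V4 the way the description lays them out (unique address, running number, time stamp, checksum over the verification data), lets a modelled disconnection unit reject a telegram with a wrong address, a non-advancing running number (replay or reordering), a stale time stamp or a corrupted checksum, honours the disconnection-command bit and the interval monitoring of claim 10, and reports its state in the response verification data 54'. The field widths, the use of CRC-32 for V4, the flag-bit assignment, the time windows and the sample address are assumptions; the patent only specifies that V1..V4 are present. One caveat for practitioners: a checksum such as V4 detects transmission errors and mis-addressing, not deliberate tampering, since anyone able to inject telegrams on network 18 can recompute it; protecting against an active attacker would require a keyed message authentication code, which this scheme does not claim to provide.

```python
"""Verification data 54 / 54' and the disconnection unit's checks (Fig. 2, Fig. 3).

Added example, not code from the patent. Field widths, CRC-32 for V4,
flag bits and time windows are assumptions.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Assumed layout of the verification data 54 inside the payload part 52:
#   V1  8 bytes  worldwide unique address of the disconnection unit (address 78)
#   V2  4 bytes  running number, incremented for every telegram
#   V3  4 bytes  local transmission time in milliseconds
#   F   1 byte   flags: bit 0 = disconnection command (telegram 20),
#                       bit 1 = "I/O unit deactivated" state (response 24)
#   V4  4 bytes  CRC-32 over V1..F, in addition to the telegram checksum 50
BODY_FMT = ">QIIB"
CRC_FMT = ">I"
VERIFICATION_LEN = struct.calcsize(BODY_FMT) + struct.calcsize(CRC_FMT)

FLAG_DISCONNECT = 0x01
FLAG_DEACTIVATED = 0x02


def pack_verification(address: int, seq: int, tx_time_ms: int, flags: int = 0) -> bytes:
    """Build V1..V4 as the invariant program part 70 would; V4 comes last."""
    body = struct.pack(BODY_FMT, address, seq, tx_time_ms, flags)
    return body + struct.pack(CRC_FMT, zlib.crc32(body))


@dataclass
class DisconnectionUnit:
    address: int                      # address 78 held in memory 76
    max_age_ms: int = 200             # acceptance window for V3 (assumed)
    interval_ms: int = 150            # expected telegram spacing, interval 42 (assumed)
    last_seq: int = -1
    last_ok_ms: Optional[int] = None
    powered: bool = True              # relays 84, 86 closed: modules 34, 36 powered

    def check(self, verification: bytes, now_ms: int) -> str:
        """Verify V1..V4 of one telegram; return 'ok' or the rejection reason.

        Any rejection, and an explicit disconnection command, deactivates the I/O unit.
        """
        if len(verification) != VERIFICATION_LEN:
            return self._trip("length")
        body, crc = verification[:-4], verification[-4:]
        if struct.unpack(CRC_FMT, crc)[0] != zlib.crc32(body):
            return self._trip("checksum V4")
        v1, v2, v3, flags = struct.unpack(BODY_FMT, body)
        if v1 != self.address:
            return self._trip("address V1")
        if v2 <= self.last_seq:                  # replayed or reordered telegram
            return self._trip("running number V2")
        if abs(now_ms - v3) > self.max_age_ms:   # stale telegram or clock skew
            return self._trip("time stamp V3")
        if flags & FLAG_DISCONNECT:
            return self._trip("disconnection command")
        self.last_seq, self.last_ok_ms = v2, now_ms
        return "ok"

    def tick(self, now_ms: int) -> bool:
        """Interval monitoring (claim 10): silence longer than interval_ms trips the unit."""
        if self.powered and self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.interval_ms:
            self._trip("interval exceeded")
        return self.powered

    def response_verification(self, seq: int, now_ms: int) -> bytes:
        """Verification data 54' for the response telegram 24, carrying the state bit."""
        return pack_verification(self.address, seq, now_ms, 0 if self.powered else FLAG_DEACTIVATED)

    def _trip(self, reason: str) -> str:
        self.powered = False              # open relays 84, 86
        return reason


ADDRESS = 0x0050C2ABCDEF0001   # constructed sample address 78


def scenario() -> dict:
    """Run the checks against constructed telegrams; returns the outcome per case."""
    out = {}
    u = DisconnectionUnit(ADDRESS)
    out["first"] = u.check(pack_verification(ADDRESS, 1, 1000), now_ms=1000)
    out["second"] = u.check(pack_verification(ADDRESS, 2, 1100), now_ms=1100)
    out["replay"] = u.check(pack_verification(ADDRESS, 2, 1100), now_ms=1200)   # V2 not advanced
    out["replay_powered"] = u.powered
    out["state_bit"] = struct.unpack(BODY_FMT, u.response_verification(3, 1200)[:-4])[3]

    u = DisconnectionUnit(ADDRESS)
    out["stale"] = u.check(pack_verification(ADDRESS, 1, 500), now_ms=1000)     # 500 ms old

    u = DisconnectionUnit(ADDRESS)
    out["wrong_address"] = u.check(pack_verification(ADDRESS ^ 1, 1, 1000), now_ms=1000)

    u = DisconnectionUnit(ADDRESS)
    bad = bytearray(pack_verification(ADDRESS, 1, 1000))
    bad[12] ^= 0x01                                   # flip one bit inside V3
    out["corrupt"] = u.check(bytes(bad), now_ms=1000)

    u = DisconnectionUnit(ADDRESS)
    u.check(pack_verification(ADDRESS, 1, 1000), now_ms=1000)
    out["watchdog_ok"] = u.tick(1100)      # 100 ms of silence, within interval 42
    out["watchdog_trip"] = u.tick(1200)    # 200 ms of silence, interval exceeded

    u = DisconnectionUnit(ADDRESS)
    out["command"] = u.check(pack_verification(ADDRESS, 1, 1000, FLAG_DISCONNECT), now_ms=1000)
    return out
```

Note that the checks are ordered so that V4 is verified before any field is interpreted, and the running number is only advanced once every check has passed, so a telegram rejected for a stale V3 cannot move the sequence window.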
The control unit 12 is here of multi-channel redundant design. In some embodiments it has several processors 62a, 62b which operate redundantly with respect to one another and check each other by comparing their processing results. In addition, the control unit 12 has a program memory 64 and a network interface 66 for connection to the communication network 18. A user program is stored in the program memory 64, which in the preferred embodiments comprises a first program part 68 and a second program part 70. The first program part 68 is here a variable program part that a user can change with the aid of a programming tool 72. Preferably, the user can create the variable program part 68 in an IEC 61131-compliant programming language on the programming tool 72 and load it into the program memory 64. The programming tool 72 can be a conventional PC running a suitable program for creating user programs according to IEC 61131.
The second program part 70 is an invariant program part which the user cannot change, or at least not without further measures. In these embodiments the first, variable program part defines the logical operations by which the input data of the sensors are processed to generate the output data for the actuators. The second program part 70, by contrast, integrates the verification data 54 into the data telegrams 20, 22 without the user/programmer having to pay special attention to the generation of the verification data in his program part 68. The program part 70 can be part of the operating system of the control unit 12. It is also possible, however, for the program part 70 to be loaded into the program memory 64 by the user as a closed module. In preferred embodiments the user cannot change the function of the invariant program part 70, but can configure individual parameters, for example the worldwide unique address V1 of the I/O units 14, 16.
The disconnection unit 32 is likewise of multi-channel redundant design in the preferred embodiment, as illustrated by two processors 74a, 74b. The disconnection unit 32 also has a memory 76 in which the worldwide unique address 78 and an operating program (firmware) are stored. The memory 76 is preferably non-volatile, for example an internal EEPROM or a removable storage medium such as a chip card, SD card, CF card, etc., which can be removed from a corresponding holder.
Furthermore, the interface 82 here includes two outputs for controlling two relays 84, 86. With their help the disconnection unit 32 can separate the modules 34, 36 from the power supply 88. In one embodiment the power for operating the input modules 34 and output modules 36 is fed to the I/O unit via a dedicated feed module 90, and the disconnection unit 32 separates the feed module 90 from the power supply 88.
Furthermore, the I/O unit 14 has the head module 26 mentioned above, whose network interface is designated 92 in Fig. 3.
Together with the interface 82, the relays 84, 86 form a disconnection part of the disconnection unit 32, with the aid of which the disconnection unit 32 can at least partially deactivate the I/O unit 14. Instead of the relays 84, 86, other switching elements can also be used, for example switches, transistors, etc. Furthermore, the switching elements 84, 86 can be integrated in the housing 94 of the disconnection unit 32.
In the preferred embodiments the disconnection unit 32 is an encapsulated stand-alone device which is separated from the I/O unit 14 by a device housing 94 and is coupled to the I/O unit 14 by a cable 96. In other embodiments the disconnection unit 32 can be realized as a housing-less plug-in card and/or as a module of the I/O unit 14. In some embodiments the disconnection unit 32 may have one or more further inputs for connecting a fail-safe signalling device, for example a panic button. In these cases the disconnection unit 32 is designed to deactivate the coupled I/O unit 14 depending on the actuation of the fail-safe signalling device.
Claims (15)
- A disconnection unit for use in an arrangement for controlling an automated system, in particular a railroad system, the arrangement comprising a programmable control unit (12) for executing a user program (68, 70) and a remote I/O unit (14) to which a number of sensors (40) and actuators (38) are connected, and with the control unit (12) and the I/O unit (14) being designed to interchange data messages (20, 22, 24) via the communication network (18) in order to transmit input data and control commands, with the disconnection unit comprising: a data interface (82) for connection to the remote I/O unit (14), a data processing part (74) for processing verification data (54) which the control unit (12) integrates into the data messages (20, 22) for the I/O unit (14) and which can be supplied via the data interface (30), and a disconnection part (84, 86) designed to deactivate the I/O unit (14) depending on the verification data (54), and wherein the disconnection unit is not included in the processing and transmission of the input data and control commands such that the functions of the disconnection unit (32) and I/O unit (14) are separated and independent of one another.
- An arrangement for controlling an automated system which has sensors (40) and actuators (38), in particular a railroad system, the arrangement comprising a programmable control unit (12) for executing a user program (68, 70), comprising a remote I/O unit (14) to which a number of the sensors (40) and actuators (38) are connected, comprising a remote disconnection unit (32) which is coupled to the remote I/O unit (14), and comprising a communication network (18) which connects the control unit (12) and the remote I/O unit (14), with the control unit (12) being designed to process input data from the sensors (40) using the user program (68, 70) in order to generate control commands for the actuators (38), with the control unit (12) and the I/O unit (14) being designed to interchange data messages (20, 22, 24) via the communication network (18) in order to transmit the input data and the control commands, with the control unit (12) being designed to integrate verification data (54) into the data messages (20, 22) for the I/O unit (14), and with the disconnection unit (32) being designed to deactivate the I/O unit (14) depending on the specific verification data (54), characterized in that the remote disconnection unit (32) is designed in accordance with claim 1.
- The arrangement of claim 2, characterized in that the I/O unit (14) is designed to acknowledge every data message (20, 22) which is received from the control unit (12) and which comprises a control command for the I/O unit (14), by means of a response message (24) which signals successful execution of the control command.
- The arrangement of claim 2 or 3, characterized in that the I/O unit (14) has a network interface (92) for connection to the communication network (18) and a local data interface (30), to which the disconnection unit (32) is connected in order to receive the verification data (54).
- The arrangement of claim 4, characterized in that the local data interface (30) is a standard serial interface.
- The arrangement of claim 4 or 5, characterized in that the I/O unit (14) has a number of terminals (36) for connection of the actuators (38), with the disconnection unit (32) being designed to deactivate the terminals (36) depending on the verification data (54).
- The arrangement of one of claims 2 to 6, characterized in that the disconnection unit (32) is arranged separately from the I/O unit (14).
- The arrangement of one of claims 2 to 7, characterized in that the disconnection unit (32) has a multiple channel design in order to redundantly process the verification data (54).
- The arrangement of one of claims 2 to 8, characterized in that the verification data (54) comprise an address (V1) that uniquely identifies the disconnection unit (32).
- The arrangement of one of claims 2 to 9, characterized in that the control unit (12) is designed to transmit a plurality of data messages (20, 22) to the I/O unit (14) at defined time intervals (42), with the disconnection unit (32) being designed to monitor the time intervals (42) and to deactivate the I/O unit (14) as a function thereof.
- The arrangement of one of claims 2 to 10, characterized in that the verification data (54) comprise a serial number (V3) that represents a predefined sequence of the data messages (20, 22).
- The arrangement of one of claims 2 to 11, characterized in that the verification data (54) comprise a checksum (V4), which essentially represents the verification data (54) alone.
- The arrangement of one of claims 2 to 12, characterized in that the data messages (20, 22, 24) comprise a protocol part (46) and a payload data part (52), with the protocol part (46) being specified depending on the communication network (18) and with the verification data (54) being arranged in the payload data part (52).
- The arrangement of one of claims 2 to 13, characterized in that the user program (68, 70) has a variable first program part (68) and an invariant second program part (70), with the first program part (68) determining the control commands depending on the input data, and with the second program part (70) integrating the verification data (54) into the data messages (20, 22).
- A method for controlling an automated system, which has sensors (40) and actuators (38), in particular a railroad system, the method comprising the steps of: providing a remote I/O unit (14), to which a number of the sensors (40) and actuators (38) are connected; providing a remote disconnection unit (32) in an area of the I/O unit (14) and coupling the remote disconnection unit (32) to the remote I/O unit (14); providing a control unit (12) for processing input data from the sensors (40) and for generating control commands for the actuators (38); interchanging data messages (20, 22, 24) between the control unit (12) and the I/O unit (14) via a communication network (18), which connects the control unit (12) and the remote I/O unit (14); wherein the data messages (20, 22, 24) comprise the input data and/or the control commands, and wherein the control unit (12) controls the actuators (38) depending on the input data from the sensors (40) by means of the control commands, wherein the control unit (12) integrates verification data (54) into the data messages (20, 22) for the I/O unit (14), and wherein the disconnection unit (32) deactivates the I/O unit (14) depending on the verification data (54), characterized in that the remote disconnection unit (32) is not included in the processing and transmission of the input data and control commands such that the functions of the disconnection unit (32) and I/O unit (14) are separated and independent of one another.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE200910033529 | 2009-07-10 |
Publications (2)
Publication Number | Publication Date |
---|---|
HK1168667A true HK1168667A (en) | 2013-01-04 |
HK1168667B HK1168667B (en) | 2019-08-23 |
Similar Documents
Publication | Title |
---|---|
US8306680B2 (en) | Arrangement and method for controlling an automated system, in particular a railway system |
US7289861B2 (en) | Process control system with an embedded safety system |
US7269465B2 (en) | Control system for controlling safety-critical processes |
US8335573B2 (en) | Safety-oriented control system |
US11487265B2 (en) | Systems and methods for simultaneous control of safety-critical and non-safety-critical processes in automation systems using master-minion functionality |
US11221612B2 (en) | System and method of communicating data over high availability industrial control systems |
US8549136B2 (en) | System for operating at least one non-safety-critical and at least one safety-critical process |
US9934111B2 (en) | Control and data transmission system, process device, and method for redundant process control with decentralized redundancy |
CN101405666A (en) | Method and control and data transmission system for verifying the installation location of a secure communications component |
JP6509477B2 (en) | Control device and control program |
CN106059874B (en) | Automation device for the redundant control of bus subscribers |
CN101692178A (en) | Method and apparatus for interconnecting modules |
JP4599013B2 (en) | Method for setting safety station and safety control system using the same |
US20180373213A1 (en) | Fieldbus coupler and system method for configuring a failsafe module |
US11927950B2 (en) | System and method of communicating safety data over high availability industrial control systems |
US11669076B2 (en) | System and method of communicating unconnected messages over high availability industrial control systems |
US11646909B2 (en) | Method for data transmission in a redundantly operable communications network and coupling communication device |
CN101385282B (en) | Method and device for safety-related process bus connection |
JP2007286786A (en) | Monitoring controller and failure self-diagnosis method |
EP3260935B1 (en) | Smart taps for a single-wire industrial safety system |
US11768479B2 (en) | System and method for secure connections in a high availability industrial controller |
EP3260936B1 (en) | Single-wire industrial safety system with safety device diagnostic communication |
JP2007026101A (en) | Power control device |