Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
2002-02-08
2004-12-14
Baderman, Scott (Department: 2114)
C714S044000, C714S048000, C710S100000, C700S021000
active
06832343
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to an apparatus for controlling safety-critical processes, in particular an apparatus having a safe control unit for controlling the safety-critical processes and having at least two safe signal units which are connected via I/O channels to the safety critical processes, with the safe control unit and the safe signal units being connected to a common fieldbus, and with the safe signal units communicating with the safe control unit, but not with one another, when the apparatus is in the control mode.
A fieldbus is a system for data communication, in which the connected units are connected to one another via a common bus-line. Two units which are connected to the fieldbus can thus communicate with one another without needing to be directly wired up to one another individually. Examples of known fieldbuses include the so-called CAN bus, the so-called Profibus and the so-called Interbus.
The use of fieldbuses has already been sufficiently well known for a long time in the field of control and automation. However, this is not true for the control of safety-critical processes in which, in practice, the units involved in the control system have been individually wired up to one another until the very recent past. This is because it was not possible for the known fieldbuses to ensure the fault protection (fault probability of less than 10⁻¹¹) required for controlling safety-critical processes. All known fieldbuses admittedly have measures for fault protection during data transmission, but these measures are not sufficient to ensure the required fault protection. In addition, fieldbuses are open systems to which, in principle, any desired units can be connected. There is a risk in this case of a unit which has nothing whatsoever to do with a safety-critical process that is to be controlled influencing said process in an undesirable manner.
In this context, the term “safety-critical process” means a process which results in an unacceptable risk to people or material goods if a fault occurs. Thus, ideally, a safety-critical process must provide a 100% guarantee that the process will be changed to a safe state if a fault occurs. In the case of a machine system, this may include the system being switched off. In the case of a chemical production process, switching off may, however, lead to an uncontrolled reaction so that, in a case such as this, it is better to change the process to a non-critical parameter range.
Safety-critical processes may also be process elements of larger, higher-level overall processes. By way of example, in the case of a hydraulic press, the material supply may be a non-safety-critical process element, while, on the other hand, the starting up of the pressing tool is a safety-critical process element. Further examples of safety-critical processes (or process elements) are the monitoring of safety guards, protection doors or light barriers, the control of two-hand operated switches, or the monitoring and evaluation of an emergency-off switch.
The units which are involved in the control of a safety-critical process must have safety-related devices going beyond their actual function. These are used primarily for fault and functional monitoring. Units such as these generally have a redundant design, in order to guarantee that they operate safely even when a fault occurs. Units with safety-related measures such as these are referred to in the following text as safe, in contrast to “normal” units.
For the purposes of the present invention, units which have a certain amount of intelligence for controlling a process are referred to as control units. Control units such as these are frequently referred to as clients, in the specialist terminology.
These receive data and/or signals which represent state variables of the controlled processes and activate actuators, which influence the process to be controlled, as a function of this information. The intelligence is normally stored in a memory in the control units, in the form of a variable user program. Programmable logic controllers (PLCs) are generally used as the control units.
In contrast, a signal unit is a module which essentially provides input and output channels (I/O channels) to which, firstly, sensors for recording process variables and, secondly, actuators can be connected. A signal unit has no intelligence in the form of a variable user program, and it thus does not have the capability, either, to autonomously control a machine or a process. However, an emergency switch-off may be carried out autonomously when a fault occurs. A signal unit is provided, per se, only to locally carry out a command received from a physically remote control unit. To do this, the signal unit may have a program in the form of an operating system. However, the user cannot vary this program without modifying the hardware of the signal unit. Signal units are normally referred to as servers in the specialist terminology.
DE-A-197 42 716 describes an apparatus for controlling safety-critical processes, such as the monitoring of a safety guard. The known apparatus has a control unit and, for example, three signal units, which are connected to one another via a fieldbus. Both the control unit and the signal units have safety-related devices for carrying out predetermined safety functions. In an entirely general form, these are thus safe units for the purposes of the present invention.
In the known apparatus, the process to be controlled is changed to a safe state when a fault occurs. The switching signal which is used to initiate this action can be triggered firstly by the higher-level control unit or secondly in the area of that signal unit in which the fault has occurred.
However, with the known apparatus, it is impossible for a first signal unit in whose area the fault has occurred to cause other signal units which are connected to that fieldbus likewise to switch off the associated processes there, or to change these processes to a safe state. If a number of processes which are actuated via different signal units need to be changed to a safe state, it is necessary to transmit an appropriate individual control command to each of the signal units which are affected. This is because the known signal units have no intelligence which would make it possible for them to control other signal units.
The known apparatuses thus have the disadvantage that valuable time may be lost, when a fault occurs in the area of a signal unit, before safety-critical processes which are associated with other signal units can be changed to a safe state. In detail, a data interchange is in this case first of all required between the first signal unit and the higher-level control unit, followed by a further data interchange between the higher-level control unit and the further signal units which are affected. There is thus a risk with the known apparatuses of a process which is only indirectly affected by a fault not being switched off sufficiently quickly.
It is known from DE-A-197 42 716 that an entire system having a large number of process elements can be completely switched off by a single signal unit. In this case, the corresponding signal unit is used as a central switch, in particular interrupting the main power supply. In this case, although the entire system can be switched off quickly if a fault occurs, it is then impossible, however, to exclude individual process elements from this, as a function of the situation.
Until now, the apparatuses of this generic type have in each case had only one control unit. This means that the apparatus is no longer available at all when the control unit fails. However, it is desirable to be able to continue to operate an apparatus of this generic type in a flexible way even in a case such as this.
Furthermore, fieldbus systems are subject to the problem that only one unit which is connected to the fieldbus can ever transmit at one time. Collisions may thus occur when two or more units wish to transmit at the same time. In known fieldbus systems, collisions s
Rupp Roland
Schwenkel Hans
Wohnhaas Klaus
Baderman Scott
Damiano Anne L.
Harness & Dickey & Pierce P.L.C.
Pilz GmbH & Co.