Electrical computers and digital data processing systems: input/ – Intrasystem connection – Bus access regulation
Reexamination Certificate
2001-12-21
2003-03-11
Dharia, Rupal (Department: 2181)
Electrical computers and digital data processing systems: input/
Intrasystem connection
Bus access regulation
C709S227000, C700S003000, C710S107000, C714S047300, C370S216000
Reexamination Certificate
active
06532508
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to a control system for controlling safety-critical processes, having a first control unit for controlling safety-critical processes and at least one signal unit linked to the safety-critical processes via I/O channels, and further having a field bus connecting the first control unit and the signal unit, and a bus master for controlling communication on the field bus, said first control unit and said signal unit comprising safety-directed arrangements for ensuring failsafe communication among each other.
Use of field buses for data communication between separate units involved in the control of a process is sufficiently known today in control and automation technology. The term field bus is used in this connection to describe a data communication system to which, ideally, any desired units can be connected that communicate with each other via the common field bus. Communication between the units is governed by specified protocols. Such a communication system is in contrast to a point-to-point communication link between two units where other units are completely cut off from the communication between such units. Examples of known field buses are the so-called CANbus, Profibus or Interbus.
In many field buses, communication is controlled by at least one bus master that is primary to the other units connected to the field bus, designated here as stations. This has the result that no data can be sent by any station to any other station without “permission” and control of the bus master. Usually, the bus master is a standard module which implements the protocols specified for the field bus, and which is often relatively complex and, thus, considerably expensive.
Although the use of field buses offers numerous advantages, mainly with respect to the high cabling effort that would otherwise be required, it was not possible heretofore to employ field buses in practical use for controlling safety-critical processes. The reason is that due to their structure being freely accessible for any units, the degree of failsafety necessary for controlling safety-critical processes could not be guaranteed.
The term safety-critical process is understood in the present invention to describe a process which, in case of a fault, would present a risk for people and goods that may not be neglected. Ideally, it must be 100% guaranteed for any safety-critical process that the process will be transferred to a safe state in case a fault should occur. Such safety-critical process may also be partial processes of larger, higher-level overall processes. Examples for safety-critical processes are chemical processes, where it is an absolute necessity to keep critical parameters within predetermined limits, or complex machine controls, such as the control of a hydraulic press or of an entire production line. In the case of a hydraulic press, for example, the material feeding process may be a non-safety-critical partial process, whereas the process of starting the pressing tool may be a safety-critical partial process, as part of the overall process. Other examples of (partial) safety-critical processes are the monitoring of guards, protective doors or light barriers, the control of two-hand switches or the reaction to emergency shut-down devices.
DE 197 42 716 A1 discloses a control and data transmission system, which is based on a field bus, especially the one known as Interbus, and which had for its object to integrate safety-directed modules. It was proposed to achieve this object by implementing safety-directed arrangements in both the bus master, designated as master control unit in the cited publication, and the stations. In addition to the data communication as such, the safety-directed arrangements perform safety functions that guarantee the required failsafety with respect to the control of safety-critical processes. To say it in more concrete terms, the required safety is achieved in this case mainly by making the bus master “safe” through implementing safety-directed arrangements.
However, implementing such arrangements is very laborious and costly in the development and construction of a failsafe control system, since one cannot make use of standard modules for this purpose any longer, but is required to develop the complex bus master as such.
In addition, such an approach is of disadvantage also in operation of a control system based thereon, because in the control of complex processes the safety-directed communication amounts to only 10% of the whole communication volume. The known approach leads therefore to the disadvantage that the bus master is made “safe” at high expense, although this is not necessary for 90% and more of the communication volume controlled by it.
SUMMARY OF THE INVENTION
It is an object of the present invention to provide a control system that provides failsafe communication between units involved in controlling a safety-critical process.
It is another object of the present invention to provide a control system for controlling safety-critical processes that can be build up using standard modules as bus masters.
It is another object of the present invention to provide a control system for controlling safety-critical processes having a control unit and a plurality of signal units, wherein said control unit can communicate with said signal units across a field bus without simultaneously having bus master functionality.
These objects are particularly achieved with a control system as mentioned at the outset, wherein the bus master is connected to the field bus independently of the first control unit and the plurality of signal units.
Due to the safety-directed arrangements, the first control unit is a “safe” control unit, which means that it is in a position to determine, and to correct, both internal and external faults, if necessary by interaction with other safe units. To say it in more concrete terms, this feature means that the first control unit for controlling safety-critical processes on the one hand and the bus master on the other hand are accommodated in separate modules, and they are both connected to the field bus separately. It is feasible to connect the first control unit to the field bus as a simple station, i.e. without any bus master functionality, as will be described hereafter with reference to the Interbus, by way of example. The control of the safety-critical process can then be effected largely independently of the control of any non-safety-critical processes, and also independently of the control of data communication on a common field bus.
The control unit does therefore not require any bus master functionality, and conversely the bus master can be connected to the field bus without any safety-directed arrangements. This allows the use of conventional standard bus master modules.
The invention further provides the advantage that the first control unit, and with it the safety-directed arrangements, have to be adapted only to the comparatively small volume of safety-directed data traffic, as regards their complexity and speed. The portion of non-safety-directed data traffic, which may amount to 90 % and more in a complex overall process, need not be handled via the first control unit or via the safety-directed arrangements. Accordingly, the first control unit and the safety-directed arrangements can be given a relatively simple structure.
According to an embodiment of the above-mentioned feature, the first control unit comprises an independent control program for controlling the safety-critical process.
In this connection, the term independent control program is meant to describe a control program that puts the first control unit in a position to control the safety-critical process independently of other control units. The first control unit, therefore, instead of being merely a redundant element supplementing another control unit, is in a position to control the safety-critical process independently and in a failsafe manner. The feature is especially advantageous insofar as it provides complete separ
Heckel Andreas
Rupp Roland
Wohnhaas Klaus
Cohen & Pontani, Lieberman & Pavane
Dharia Rupal
Pilz GmbH & Co.
LandOfFree
Control system for controlling safety-critical processes does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Control system for controlling safety-critical processes, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Control system for controlling safety-critical processes will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3042231