DE20010739U1 - Module for the control or regulation of safety-related processes or procedures for the operation of machines or systems - Google Patents

Description

otv γ * -β * c

The module is suitable for controlling or regulating machines and systems that perform safety functions.

The module has an internal two-channel structure. Both units of the module compare their input and output variables, decisions and processes. The function is only carried out if there is mutual agreement. To meet higher safety requirements, each of the two channels is also implemented using different hardware structures (diversity). The same applies to the operating program (software) within the two processing logics. With a diverse structure, in addition to possible failures or malfunctions, errors due to incorrect or inadequate design or faulty programming are also excluded (see also DIN VVDE 0801).

The invention meets these requirements and is also designed with two channels. As can be seen in the picture (Figure 1), the system (1) contains two completely independent processing units (processing logic 1 and processing logic 2, 3, 4). They consist of either two microcomputers or similar units (e.g. FPGAs) that carry out all functions according to the processing program from the program memory (11). The program memory is loaded either via the serial interface (6) or via the connected bus system (8) with the bus connection (7) and the bus interface (5). The type of programming will be described later.

The two processing units (3,4) either process the program redundantly or check each other's functional results. In any case, each operation is only carried out if both units (3,4) are in absolute agreement that the operation is flawless and correct. To do this, they must discuss the state of the calculated function before the final processing. This data exchange can usually take place via a parallel or serial interface between the processing units (not shown).

The test of the correct function refers in particular to the output to the external peripherals (13). This signal can be used to initiate a safety function (starting a drive, lowering a cutting device, moving a valve, etc.). Since such movements can lead to injury or even death in the event of a fault, they may only be carried out with absolute safety. This safety is achieved by the redundant structure of the processing units (3,4) already presented. In practice, the circuit naturally also contains a higher-level monitoring unit (e.g. watch dog) that monitors any failure of one or both units (3,4). Furthermore, the output (13) is often supplied with an electromechanical circuit (e.g. relay), so that a safety-related shutdown is still possible in the event of a failure of the electronic control.

Likewise, all internal additional devices (such as the program memory, 11, the parameter memory, 12) are either duplicated, or they are regularly checked for correctness. _This also _{applies to} the input _of data from the

· a

·

·

external peripherals. For example, an external contact (14) can be interrogated here, which is supplied via special signal levels, which in turn contain a signal pattern. Short circuits or unauthorized connections can therefore be quickly identified.

Each of these modules receives a safety program, which is stored in the program memory (11). In addition, the parameter memory (12) contains a data set that specifies the function of the module (1) (e.g. reaction time, participant address, configuration of the entire bus system, states of other participants, etc.). If the module itself receives all input and output variables for complete processing locally from the connected peripherals (e.g. 13, 14) within a safety function, the safety function can be carried out without adding additional data. However, if additional variables are missing for complete calculation, only these are requested via the bus system (8). The other modules (9, 10) then send the desired variables and also receive all the data so that they can perform their function themselves.

This module enables both autonomous safety modules (with local safety function) and networked safety modules to be created on a bus system (8), which together contribute to a complex safety function. In the latter case, a safety network with distributed intelligence is created.

The picture (Figure 2) shows how the internal processing sequence is structured within the framework of a distributed safety function. Each module (1) receives a program that is based on the connected outputs within the module. The necessary logical function of the output (7) is stored in the program memory and carried out by the two processing units. If all the necessary input variables (for calculating the required output variable) are already available internally (via the internal input and output unit in the module, 6), the safety function can be processed independently.

If external input variables are required to fulfill the desired safety function (e.g. from modules 2 and 3), these data (5) are transmitted either cyclically or on request via the bus system (4). It goes without saying that the data transmission must also be secure so that data corruption can be ruled out.

The module (1) stores each transmitted input function in a data memory (parameter memory). Both the current content and the time (or a corresponding time value) are recorded (8,10). The time value is added as information (10) in addition to the date (8) by a clock or a timer (9).

With the contents of the parameter memory, the processing logic (or both units) can now perform the desired function (7) and operate the connected output via the peripheral unit (6).

Since in security technology every process must be carried out with a fixed reaction time, each data (of an external module 2,3) also contains the current time of filing or sending. If it is not possible to transmit a new data to the corresponding device within the desired reaction time,

A safe state is initiated by the module (1,2,3). This usually consists of deactivating the output.

This measure ensures that a safe state is always achieved in the event of a defect in an external unit or failure of the bus system. This technology also has the advantage that only data that is not present in the units themselves is transmitted over the bus. The data rate and the associated load on the bus system (4) can therefore be kept low.

To distribute the programmable functions, a compiler is required that calculates the logical paths according to the desired output function. This creates program parts that can be downloaded into each module. The block formation and decentralization technique is already described in the IEC 1131-3 standard and can be used when programming the distributed security system presented here.

Claims (11)

1. Module ( Fig. 1: 1) for controlling or regulating safety-relevant processes or sequences for the operation of machines or systems, characterized in that the module ( Fig. 1: 1) consists of a fault-tolerant or comparable 2-channel structure ( Fig. 1: 2) which contains redundant hardware ( Fig. 1: 3, 4) and diverse software which is stored in the module ( Fig. 1: 1) so that component failures or malfunctions as well as systematic errors are detected and safely controlled, and provides input and output channels ( Fig. 1: 13) to enable the safe operation of external devices whose function or sequence is specified by a program which is located in the program memory ( Fig. 1: 11) which is connected to the module (Fig. 1: 5) via a serial interface ( Fig. 1: 6) or a local network ( Fig. 1 : 7). Fig. 1: 1) so that the module can develop both local intelligence as a programmable, self-sufficient unit and global intelligence in interaction with other similarly or identically constructed modules ( Fig. 11: 9, 10) via a suitable network ( Fig. 1: 8) or a data transmission channel. 2. Module according to claim 1, characterized in that programming is possible via standard languages which describe or represent the safe operation and function of machines or systems, and that this program is stored in a program memory ( Fig. 1: 11). 3. Module according to claims 1 and 2, characterized in that a complex safety program for a machine or system can be divided or structured in such a way that parts can be accommodated in several modules and thus the entire structure represents a complete safety system. 4. Module according to claims 1 to 3, characterized in that states, data, input and output values can be transmitted from other modules so that secure functions can be achieved even when overcoming larger distances or using numerous peripheral variables. 5. Module according to claims 1 to 4, characterized in that status and diagnostic functions are made available which are located in a parameter memory ( Fig. 1: 12) so that one is widely informed about the process or function of the machine or system. 6. Module according to claims 1 to 5, characterized in that a continuous control of the internal hardware and software is carried out so that possible errors in the connected peripherals as well as in the module itself are detected and transmitted. 7. Module according to claims 1 to 6, characterized in that the program for fulfilling the safety requirements can also be loaded subsequently or even during operation and is stored in the program memory ( Fig. 1: 11). 8. Module according to claims 1 to 7, characterized in that an internal parameter memory ( Fig. 1: 12) exists, the content of which is responsible for the function, the operation and the state of all internal variables, as well as the inputs and outputs. 9. Module according to claims 1 to 8, characterized in that the inputs and outputs can also operate wired safety devices ( Fig. 1: 14) and can provide the corresponding test patterns for error detection of wire breaks or short circuits. 10. Module according to claims 1 to 9, characterized in that the data transport ( Fig. 2: 4) of additional input and output variables of external modules is monitored by a clock ( Fig. 2: 9). This switches the module to a safe state if no response of a variable necessary for the internal function of the respective module is transmitted over a definable period of time. This provides a safety-related control of the entire network. 11. Module according to claims 1 to 10, characterized in that the data, input or output variables of external modules are transmitted via a safety-related data network or a local network ( Fig. 2: 4) with safety architecture.