This patent application claims priority to German Patent Application No. 202021105053.5, filed on Sep. 20, 2021, which is incorporated herein in its entirety by reference.
The present disclosure relates to a control system with a safe Human Machine Interface (safe HMI), in particular with a safe input, for control systems of functional safety in factory and process automation.
Control systems are used to control processes and/or plant components, for example to control a machine. Control systems comprise at least one control device and at least one human-machine interface (HMI). For at least some types of machines, processes, or plant components, a control system may be required to control safety-critical and non-safety-critical processes and/or plant components. Control devices for controlling safety critical and non-safety critical processes and/or plant components are known. For example, EP 2504739 B1 shows such a control device for controlling safety-critical and non-safety-critical processes and/or plant components. For at least some types of machines, processes or plant components, a safe human-machine interface (safe HMI), in particular a safe input, may be useful and/or required.
There may be a desire to provide a control system for controlling processes and/or plant components with safe Human Machine Interface (safe HMI), in particular safe input. In particular, there may be a desire to provide a control system for controlling safety-critical and non-safety critical processes and/or plant components with safe Human Machine Interface (safe HMI), in particular safe input.
One aspect of the present disclosure relates to a control system configured for fail-safe input, visualization and/or communication for controlling a machine. The control system comprises a human-machine interface (HMI). The HMI has a display device for displaying at least one symbol; the symbol displayed or shown by the display device may include, for example, letters, numbers, graphics, buttons, etc. Further, the HMI comprises an optical input device configured to detect, from the display device, at least a portion of the symbol. Further, the control system comprises a redundant communication system configured to send the symbol; further, the control system comprises a control device. The control device is configured to control processes and/or plant components, and to send the symbol and a check sequence to the HMI, in particular the display device, to receive the symbol and the check sequence from the HMI, the display device, check at least the check sequence, and, if the check sequence is correctly received, generate a redundant encoding of the symbol and send the redundantly encoded symbol over a redundant network.
Alternatively or additionally, the control system with safe HMI comprises a control unit which has a first, non-safety-related control unit for controlling non-safety-related processes with or without a fieldbus connection, none or at least one communication module with a fieldbus connection, and a second, safety-related control unit for controlling safety-related processes (safety control with safe communication, as a separate module or as part of a non-safety-related control system), an internal input/output bus for connecting input/output modules (safe and non-safe modules), an internal coupler bus for connecting communication modules and other modules such as safety control with safe communication, at least one safe HMI, and/or none or at least one standard HMI.
An exchange of programs and/or data between the safe control unit 52 and the non-safe control unit 51 may be supported by a predefined interface, such as a dual-port random access memory (RAM). The non-safe control unit 51 can be set up to forward safety telegrams from the safe control unit 52 with safe communication, e.g. via an internal coupler bus and an internal input/output bus to communication modules, if these are connected in the given system setup, or to safety input/output modules using the “black channel” communication principle (see e.g. PROFIsafe).
The safe HMI supports safe communication and may be set up to safely visualize various graphical objects and to provide the status information of these objects to the control unit 50-1, and here in particular to the safe control unit 52 (safety controller of the control system), using safe communication via the fieldbus. In addition, safe commands, for example via the touch screen and associated graphical elements, can be safely monitored by the safe HMI. The commands selected via the touch screen can be safely transmitted via the safe communication to the control unit 50-1, and in particular here to the safe control unit 52 (safety controller of the control system). The graphical representation on the screen of the safe human-machine interface, which must be displayed to the operators, can be provided in the control system in a similar way as is the case with non-safe human-machine interfaces, e.g. by Ethernet-based communication via the fieldbus. The safe human-machine interface can be set up to safely monitor the visualized graphical content to be displayed to operators by its internal means, e.g., by a safe, pre-stored graphical object representation in the flash memory of the safe human-machine interface.
The control system 10 further comprises a further input device 32, for example a keyboard. The further input device 32 is redundantly connected to a control device 50. The control device 50 comprises a redundant internal communication system 42. This may be, for example, an internal coupler bus, e.g. for connecting communication modules and other modules such as safety control with safe communication. Furthermore, the control device 50 comprises a memory 55. A portion of the memory 55 may comprise a binary representation of one or more irrational constants, e.g., a binary representation of π, e, and/or other constants, which may be used, for example, as a basis for generating the check sequence 70.
The control device 50 controls the display device 20 via an interface 25, which transmits the contents of the display on the display device 20 and the check sequence 70. The control device 50 receives signals from the input device 30 via an interface 35. These can be optical signals, but also other signals, such as a “click” with which a button—such as “OK”—can be actuated. The interfaces 25 and 35 are shown to be unidirectional; however, they can also be designed to be bidirectional. In this regard, the control device 50 may connect the various components of the control system 10 in such a way that the output of the control system 10 is operationally safe (fail-safe). For this purpose, the control device 50 can be set up to send the symbol 60 and a check sequence 70 to the display device 20. The symbol 60 and the check sequence 70 are received by the display device 20. The check sequence 70 is verified, and, if the check sequence 70 is correctly received, a redundant encoding of the symbol 60 is generated and sent over a redundant network 45.
The output of the control system 10 is via the redundant network or communication system 40 that is set up to send the symbol 60. In this regard, the symbol 60 may also include a sequence of symbols, specific data and/or commands (e.g., from the “OK” button), and/or other information. The data sent via the communication system 40 may be cryptographically encoded.
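The send, read-back, verify, then redundantly encode loop described above, as an added illustration that is not code from the patent. The class and function names, the use of hex digits of π as the constant in memory 55, the sliding-window check sequence, and the complement-pair encoding for the two channels are all assumptions made for this example.

```python
# Added example (not from the patent): a minimal model of the display read-back loop.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: hexadecimal fraction digits of pi (3.243F6A88...), standing in for the
# "binary representation of an irrational constant" kept in memory 55.
PI_HEX_FRACTION = "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"

def check_sequence(cycle: int, length: int = 8) -> bytes:
    """Derive a per-cycle check sequence as a sliding window over the constant's
    binary expansion, so consecutive display cycles carry different sequences
    and a stale (frozen) frame cannot pass as the current one."""
    const = bytes.fromhex(PI_HEX_FRACTION)
    start = (cycle * length) % (len(const) - length)
    return const[start:start + length]

@dataclass
class Display:
    """Display device 20: renders what the controller sends; `frozen` models a stuck frame."""
    frame: Tuple[bytes, bytes] = (b"", b"")
    frozen: bool = False

    def show(self, symbol: bytes, seq: bytes) -> None:
        if not self.frozen:
            self.frame = (symbol, seq)

def optical_readback(display: Display) -> Tuple[bytes, bytes]:
    """Optical input device 30: returns what is physically on the screen."""
    return display.frame

def redundant_encode(symbol: bytes) -> Tuple[bytes, bytes]:
    """Two-channel encoding: channel A carries the symbol, channel B its bitwise complement."""
    return symbol, bytes(b ^ 0xFF for b in symbol)

def output_cycle(display: Display, symbol: bytes, cycle: int) -> Optional[Tuple[bytes, bytes]]:
    """Control device 50: send symbol + check sequence, verify the optical read-back,
    and only then release a redundantly encoded symbol. Returns None (fail-safe) on mismatch."""
    seq = check_sequence(cycle)
    display.show(symbol, seq)
    seen_symbol, seen_seq = optical_readback(display)
    if seen_seq != seq or seen_symbol != symbol:
        return None
    return redundant_encode(symbol)

def receiver_decode(channels: Optional[Tuple[bytes, bytes]]) -> Optional[bytes]:
    """Network consumer: accept the symbol only if both redundant channels agree."""
    if channels is None:
        return None
    a, b = channels
    return a if bytes(x ^ 0xFF for x in b) == a else None
```

Freezing the display after one good cycle makes the next read-back carry the previous cycle's check sequence, so `output_cycle` returns `None` and nothing reaches the network.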
In the embodiments described herein, the safe HMI (Human Machine Interface) supports safe communication and can be configured to safely visualize various graphical objects and provide the status information of these objects to the safety controller of the control system using safe communication via a fieldbus. In addition, safe commands, e.g., via the touchscreen and associated graphical elements, can be safely monitored by the safe HMI. The selected commands initiated via the touchscreen or other means can be safely transmitted to the safety controller via the safe communication. The graphical representation on the screen of the safe HMI, which must be displayed to the operators, can be provided by the control system in a similar way as is the case with non-safe HMIs, e.g., through Ethernet-based communication via the fieldbus. The safe man-machine interface is able to safely monitor the visualized graphical content to be displayed to the operators by its internal means, e.g., by a safe, pre-stored graphical object representation in the flash memory of the safe man-machine interface.
One aspect relates to a use of a control system as described above and/or below for safely selecting a machine or station, safely changing parameters of the machine or station, sending safe control commands, in particular for activating safety functions, and/or safely visualizing restricted safety areas.
The disclosure describes a safe HMI, in particular a functional safety HMI for a control system. A safe human-machine interface (HMI) is, for example, a control panel with a touch screen, any control panel, or an HMI device, such as a cell phone, PC, etc., capable of meeting functional safety requirements according to relevant functional safety standards by applying appropriate safety-related principles, such as an internal 1oo2 architecture (1oo2: 1 out of 2), internal memory and microprocessor tests, etc. The safe human-machine interface may provide at least three key functions: fail-safe data input via input means of the HMI, e.g., touch screen, push buttons, etc.; fail-safe data visualization with visualization means of the HMI, e.g., LED display, etc.; and safe communication with a control system. Other human-machine interface functions, such as a visualization of non-safe data and/or a selection of non-safe data, may also be available on such human-machine interfaces.
The safe HMI may be connected to the control system via a fieldbus, and may in turn include non-safe and safe control parts, both as a modular and as a compact solution, and/or communication means—e.g. separately with a dedicated communication module or on the non-safe control. Centralized and decentralized safety and non-safety I/Os (inputs/outputs) can be used both as a modular and as a compact solution, e.g. on-board non-safety and/or safety controllers. The fieldbus used to connect the safe HMI to the control system can be used not only for standard but also for safe communication, e.g. certified according to functional safety standard IEC 61784-3 and/or other standards. Safety profiles such as PROFIsafe, openSAFETY and/or FSoE (Functional Safety over EtherCAT), etc. can be used on such fieldbuses according to the “black channel” principle. With the aid of safe communication between the safe HMI and the safety controller in the control system, the status of operating elements of the graphical user interface, such as pushbuttons, selector switches, etc., which are visualized on the screen of the safe HMI, can be read safely on the safety controller. This may be necessary, for example, to safely monitor user actions, safety-related events, etc. In addition, safe communication between the safe HMI and the safety controller in the control system can be used to read the status of visualization elements on the safe HMI, e.g., to safely decide whether or not the correct graphical element is currently being displayed to the end user, for example, correct speed or position values, an activated machine mode, a selected offset value, etc.
The following exemplary machine or process safety functions can be implemented with an operationally safe input (safe HMI):
For example, the following principles and methods can be used to implement safe visualization on the safe HMI and meet the requirements of functional safety standards:
For example, the following principles and methods can be used to implement safe inputs from the safe HMI and to meet the requirements of functional safety standards:
Advantageously, this can help reduce control costs. Furthermore, more control and visualization elements can be placed on the control panel than on hardware-based control panels to increase the overall safety of the application. In addition, this solution offers easy updating of the layout of the safe HMI screen.
All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein.
The use of the terms “a” and “an” and “the” and “at least one” and similar referents in the context of describing the invention (especially in the context of the following claims) is to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The use of the term “at least one” followed by a list of one or more items (for example, “at least one of A and B”) is to be construed to mean one item selected from the listed items (A or B) or any combination of two or more of the listed items (A and B), unless otherwise indicated herein or clearly contradicted by context. The terms “comprising,” “having,” “including,” and “containing” are to be construed as open-ended terms (i.e., meaning “including, but not limited to,”) unless otherwise noted. Recitation of ranges of values herein is merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., “such as”) provided herein, is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.
Preferred embodiments of this invention are described herein, including the best mode known to the inventors for carrying out the invention. Variations of those preferred embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate, and the inventors intend for the invention to be practiced otherwise than as specifically described herein. Accordingly, this invention includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the invention unless otherwise indicated herein or otherwise clearly contradicted by context.
| Number | Date | Country | Kind |
|---|---|---|---|
| 202021105053.5 | Sep 2021 | DE | national |