The invention relates to a monitoring system for monitoring safety-relevant processes.
A field bus is a known industrial communication system, used for data transfer systems, which connects numerous linked field devices, such as sensors, control elements, and/or actuators to a control device, wherein the devices which provide the actual connection to the bus are referred to as “bus users.”
For a number of applications, determinism, i.e., the predictability and immutability of the process data transfer, is more important than the actual transfer speed. For example, field buses having users connected thereto are known, in which process data are cyclically transferred via a shared transmission channel between the individual users, i.e., for transmitting and receiving process data, in particular process input data, process output data, and control data. For this purpose, during predetermined data cycles it is common for a user which functions as a master to read protocol-specific data from field devices which are connected to slave users, and during each subsequent data cycle to write to field devices which are connected to slave users.
In many system applications, the data to be transferred are also safety-relevant data, at least in part, so that data transfer errors must be recognized as soon as possible, and upon recognition of an error a timely response must be made; for example, a field device, user, or (sub)system must be converted to a safe state. For transfer of safety-relevant data via a bus, essentially six error classes must be considered: repetition, loss, insertion, incorrect sequence, deletion, and delay of safety-relevant data. The transfer of these data must therefore be secure.
To ensure secure transfer of data, in particular safety-relevant process data, at least in such a way that the listed error classes may also be recognized when they are present, it is basically common practice to supplement the transferred data with additional control data, for example time stamps, user information, and/or check information such as cyclic redundancy checks (CRCs). However, a major disadvantage is that the overhead to be transferred greatly increases compared to the user data to be transferred, thus reducing the protocol efficiency. This weakness is particularly serious when the number or frequency of safety-relevant user data items per user which must be transferred is low. Another disadvantage of previously known monitoring systems for safety-related data is that, in order to implement user-specific processes having safety-oriented outputs, at least two microcontrollers or complex hardware circuits are always necessary for processing complex protocol tasks.
The object of the present invention is to provide a concept by means of which the complexity of hardware, software, and qualification, and therefore the manufacturing costs, for field devices having safety-related outputs may be reduced.
The invention is based on the finding that the processing functions of an output module which controls an actuator having a risk potential may have a single-channel design, and may also be monitored by a separate monitoring module, for example a safety master module. If the monitoring module identifies a deviation from expected behavior or an irregularity in the processing operation, it is able to convert the entire system, which may comprise multiple output modules, for example multiple safety output modules, to a safe state. The output module(s) may be converted to the safe state, for example, independently of the particular processing unit, using an auxiliary channel which allows feedthrough of the monitoring module, and which is therefore referred to below as a “feedthrough device.”
Thus, the safety function is distributed over the monitoring module (safety master) and the output module (safety output module). The safety master is assisted by the simple, inexpensive switch-off mechanism of the feedthrough device. In addition, it is advantageous for the functionality of the inventive concept to integrate the output enable pulse into the bus protocol, for example. By using a decentralized microprocessor it is also possible to integrate the control information for the monoflop, which enables or switches off an output of the output module or a suitable output device. The control information may, for example, be modulated into the data signal at specified times, thus allowing efficient control of the feedthrough device.
According to one aspect, the invention relates to a monitoring system having an output module for generating a control signal in response to an input signal, a monitoring module for generating the input signal for the output module, an output device for outputting an output signal in response to the control signal, and a feedthrough device for preventing or halting outputting of the output signal, wherein the monitoring module is designed to instruct the feedthrough device to prevent or halt outputting of the output signal when there is a deviation between the control signal and a control signal which is expected on the basis of the input signal.
According to one embodiment, the output module is designed to transmit the control signal to the monitoring module, wherein the monitoring module is designed to receive the control signal, and to transmit a feedthrough signal to the feedthrough device when there is a deviation.
According to one embodiment, the monitoring module and the output module or the feedthrough device are designed to communicate via a communication network, in particular via a communication bus.
According to one embodiment, the monitoring module is designed to generate an enabling signal and to transmit it to the output module if the control signal corresponds to the expected control signal, wherein the enabling signal indicates the enabling of the output signal.
According to one embodiment, the feedthrough device is situated in the monitoring module or in the output module.
According to one embodiment, the feedthrough device is situated in the output module, wherein the monitoring module is designed to transmit a feedthrough signal to the feedthrough device to prevent outputting of the output signal, and the feedthrough device is designed to prevent or halt outputting of the output signal in response to the feedthrough signal.
According to one embodiment, the monitoring module is designed to compare the control signal to the expected control signal in order to test the control signal for the presence of the deviation.
According to one embodiment, the output device includes, for example, a relay or an analog output stage having a data path for receiving the control signal, and a power supply path for supplying the output device with electrical power, wherein the feedthrough device is designed to act to prevent outputting of the output signal on the data path or on the power supply path. The analog output stage may be designed, for example, for a range between 4 mA and 20 mA, the output current of which is less than 3 mA in the event of an error.
According to one embodiment, the feedthrough device includes a monostable flip-flop, in particular a flip-flop or a monoflop, wherein the output device has a data path and a power supply path, and an output of the flip-flop is linked, in particular via an output transistor, to the data path or to the power supply path in order to act on the data path or the power supply path, in particular in response to a feedthrough signal which may be applied at an input of the flip-flop.
According to one embodiment, the feedthrough device is designed to convert the output device to a blocking mode in response to a feedthrough signal, in particular to switch off the output device, or interrupt the output thereof, or interrupt the data path or control signal path thereof, or disconnect the power supply thereof.
According to one embodiment, the output module includes a microcontroller which is provided to receive the input signal and to generate the control signal.
According to one embodiment, the monitoring module and the output module are separate modules.
The invention relates to a method for monitoring an output module using a monitoring module, wherein a control signal is generated by the output module in response to an input signal, and the input signal for the output module is generated by the monitoring module, wherein an output signal is output in response to the control signal, and outputting of the output signal is prevented by a feedthrough device when there is a deviation between the control signal and a control signal which is expected on the basis of the input signal. Further steps of the method for monitoring the output module result directly from the functionality of the monitoring module according to the invention.
Further exemplary embodiments of the invention are explained in greater detail with reference to the accompanying drawings, which show the following:
Reference is first made to
Five bus users connected to a bus 600 are shown. A first bus user is a monitoring module 100, for example a safety-related master, which is also referred to below as a safety master, and which in the present example at the same time is also the bus master, although this is not mandatory within the scope of the invention. In general, this may involve a given, appropriately specified safety user. A second bus user is a safety-related slave output user 200, also referred to below as an output module or safety output slave, and a third bus user is a safety-related slave input user 300, also referred to below as a safety input slave. A fourth bus user is a nonsafety-related slave output user 400, also referred to below as an output slave, and a fifth bus user is a nonsafety-related slave input user 500, also referred to below as an input slave. Safety-related users, i.e., users which process safety-relevant process data, and nonsafety-related users may thus be mixed and also positioned as desired.
With regard to the safety-related users of the system design illustrated by way of example, connected to the safety master 100 is an emergency stop switch 110, for example, the safety-relevant input information of which user 100 redundantly receives via two inputs 121 and 122, and, in a manner specific to the protocol, first processes same via two redundant processing channels 131 and 132 before the signal is coupled to bus 600. A motor 210, for example, is connected to the safety output slave 200, wherein, after decoupling of the signal from bus 600, in a manner specific to the protocol, user 200 first carries out processing via two redundant processing channels 231 and 232 and sends the safety-relevant output information to the motor 210 via an output 220. Connected to the safety input slave 300 are a safety door 311 and a rotational speed sensor 312, for example, the safety-relevant input information of which user 300 redundantly receives via two inputs 321 and 322, and, in a manner specific to the protocol, processes same via a processing channel 330 before the signal is coupled to bus 600.
A safety-related function is generally implemented by using redundant processing, for example by means of two separate channels on the hardware side, wherein the particular interface 140, 240, 340, 440, or 540 of a user for bus 600 is generally implemented only as a single channel. In addition to reducing the required space and the cost, it is also possible to operate with twice the number of users on the bus, in particular with regard to bus load, current consumption, and capacitance. Errors caused by the bus coupling, for example those based on line drivers or galvanic isolation, may typically be recognized by the line protocol used. However, the processing unit of the safety-related users does not necessarily have to have a dual-channel design on the hardware side; in many cases it is sufficient for the software to have a dual-channel design.
Bus 600 then provides the shared data line for the method according to the invention and the transfer system for transmitting and receiving all data, in particular process data. Such a transfer system operates based, for example, on a local interconnect network (LIN) bus known from automotive technology, in which during certain data cycles protocol-specific data may be read out by a master from field devices connected via users, and during each subsequent data cycle may be written into the field devices at approximately 19.2 to 38 kBd.
In one method according to the invention by way of example, process input and process output data are also transferred, for example, at a fixed interval, each shifted by the time of one-half bus cycle. Thus, a transfer protocol for a cyclical transfer of process input and process output data, for example, frequently uses two different data exchange services, also referred to below as data exchange mode. In this case, a bus cycle therefore includes a data cycle based on a PD read service and a subsequent data cycle based on a PD write service.
For the transfer of process output data, for the PD write service a master transmits to the users connected to the master basically all data for the connected field devices, and then determines a cyclic redundancy check (CRC), which it also transfers. The transfer system is advantageously designed in such a way that all connected users also read all information transferred in this manner, and preferably likewise form a CRC, which they compare to the received CRC of the master, so that an error message is generated in the event of an error, and selected users or individual field devices, for example, are converted to a safe state. For transfer of the process input data, for a PD read service the master first transmits, for example, a broadcast address, followed by a function code. The other connected users then apply data from their connected field devices, i.e., in particular their process input data, bit for bit to the data line in respectively provided time slots. In one preferred design, by tracking on the data line the users are in turn able to recognize all data and once again compute a CRC.
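The PD write service described above, as an added example that is not part of the patent text: the master appends a CRC to the broadcast process output data, every user on the shared line recomputes it, and a mismatch (a corrupted, inserted or deleted byte) sends that user to the safe state. The CRC-8 polynomial, the one-output-byte-per-slave frame layout and the helper names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CRC8_POLY = 0x07  # assumed CRC-8 polynomial (x^8 + x^2 + x + 1); the patent names none


def crc8(data: bytes) -> int:
    """Bitwise CRC-8 over data (polynomial 0x07, initial value 0x00, no reflection)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ CRC8_POLY) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc


def build_pd_write_frame(outputs: Dict[int, int]) -> bytes:
    """Master side of the PD write service: one process output byte per slave
    address (assumed layout), followed by the CRC over all of them."""
    payload = bytes(outputs[addr] for addr in sorted(outputs))
    return payload + bytes([crc8(payload)])


@dataclass
class SlaveUser:
    """A bus user that reads the whole frame, as every user on the shared line does."""
    address: int                  # position of this user's output byte in the payload
    safe_state: bool = False
    output: Optional[int] = None

    def consume(self, frame: bytes) -> bool:
        """Recompute the CRC over the received payload and compare it with the
        master's CRC. Any mismatch (corruption, insertion, deletion) puts this
        user into the safe state; returns True only for a valid frame."""
        payload, received_crc = frame[:-1], frame[-1]
        if len(payload) <= self.address or crc8(payload) != received_crc:
            self.safe_state = True    # error message + safe state
            self.output = None
            return False
        self.output = payload[self.address]
        return True


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Constructed transfer error: invert one bit of the frame on the line."""
    data = bytearray(frame)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def run_cycle(frame: bytes, users: List[SlaveUser]) -> List[bool]:
    """One PD write data cycle: every user reads and checks the same frame."""
    return [user.consume(frame) for user in users]


if __name__ == "__main__":
    users = [SlaveUser(0), SlaveUser(1)]
    good = build_pd_write_frame({0: 0x10, 1: 0x01})        # constructed sample cycle
    print("valid frame:", run_cycle(good, users))               # [True, True]
    print("bit error:  ", run_cycle(flip_bit(good, 3), users))  # [False, False]
    print("safe state: ", [u.safe_state for u in users])        # [True, True]
```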
Modules 201, 203, 205, and 207 do not necessarily have to be implemented in spatially separate designs. They may also be implemented on a printed circuit board. Instead of the bus system, a separate connection, for example over gaps, may be provided for communication.
Flip-flop 317 also includes a data input MR which is connected to a second terminal, for example a collector terminal, of a second transistor T2. On the other hand, a first terminal of transistor T2, for example an emitter terminal, is connected to ground. Data input MR may also be connected to a supply potential via a resistor R3. A gate terminal of transistor T2 is connected via a resistor R4 to a terminal of the microcontroller 319 of microcontroller switching circuit 303. An output Q of flip-flop 317 is connected via a resistor R5 to a gate terminal of a third transistor T3, whose first terminal, for example an emitter terminal, may be connected to a supply potential, and whose second terminal is connected via a resistor R6 to a further terminal of the microcontroller 319. Resistor R6 is connected to ground via a resistor R7. At the same time, the second terminal of third transistor T3 forms an output 323 of feedthrough device 305, which is connected, for example, to a power supply input of a relay 325 of output device 307. The relay 325 includes a further path 327, which may be a data path or control path, for example. The relay 325 is also coupled to a switch 329. The switch 329 bridges two contacts as a function of a relay state, it being possible to output an output signal only in the closed state of the switch.
The data path 327 of the relay 325 is connected to a second terminal of a transistor T4, for example to a collector terminal. Transistor T4 also includes a first terminal, for example an emitter terminal, which is connected to ground. An output 320 of the microcontroller 319 is connected to a gate of transistor T4. A further terminal of the microcontroller 319 is also connected via a resistor R8 to the second terminal of transistor T4.
The terminal 313 of bus driver 309 is also connected to an input terminal 331 of the microcontroller 319. On the other hand, an output terminal 333 of the microcontroller is connected to terminal 315. The microcontroller 319 receives data, for example an input signal, via input terminal 331 from a monitoring module (not illustrated in
The structure of the output module illustrated in
After a protocol frame, for example, has been correctly received and all process data channels (PDC) have passed the plausibility checks, the processing of the safety function using the received data may begin. Via transistor T4 the microcontroller 319 controls the output device 307 (output stage), which by way of example may have a relay. Resistor R8 is used for monitoring the output stage 307, and by means of the microcontroller 319 a monitoring result is posted in the next data cycle as a safety PDC. Based on the known safety functions and the input data or input signals, the monitoring module (not illustrated in
As an alternative to the illustrated relay, for example an analog output stage may be used which is designed, for example, for a range between 4 mA and 20 mA, the output current of the output stage in the event of an error being less than 3 mA.
The monoflop 317 (IC 1) is retriggerable with a monoflop trigger time of 30 ms. The monoflop may, for example, be triggered only when the bus signal assumes a low-level state, referred to as “low,” for at least 700 μs, represented by the output enabling 409. However, this low level is not produced during a data transfer at a baud rate of at least 14,400 baud, since at least one logical “1” is forced by the transfer of one stop bit at the end of each character. The quiescent level of the LIN bus is likewise a logical “1,” so that a longer period of bus inactivity does not result in triggering.
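As an added example (not from the patent), a timing model of the retriggerable monoflop combined with the monitoring module's deviation check from the embodiments above: the output stage stays enabled only while the monitoring module keeps sending an enable pulse of at least 700 μs low, which it withholds once the control signal reported by the output module deviates from the expected one, so the output drops within the 30 ms monoflop time. Assumptions made here: 8N1 UART framing on the bus, a 20 ms data cycle and a 1 ms enable pulse.

```python
LOW_TRIGGER_US = 700.0     # minimum low time on the bus that triggers the monoflop
MONOFLOP_TIME_MS = 30.0    # retriggerable monoflop trigger time


def longest_low_run_us(baud: int, data: int) -> float:
    """Longest contiguous low stretch of one character with 8N1 framing
    (assumed): the start bit is low, data bits follow LSB first, and the
    stop bit is always high, so the run ends at the first 1 bit at the latest."""
    low_bits = 1                      # start bit
    for i in range(8):
        if (data >> i) & 1:
            break
        low_bits += 1
    return low_bits * 1_000_000 / baud


def data_can_trigger(baud: int) -> bool:
    """Could ordinary data traffic at this baud rate (worst case: a 0x00
    character) hold the line low long enough to trigger the monoflop?"""
    return longest_low_run_us(baud, 0x00) >= LOW_TRIGGER_US


class RetriggerableMonoflop:
    """Enable-gating element: active for MONOFLOP_TIME_MS after the end of the
    last qualifying low pulse; shorter low periods (data bits) are ignored."""

    def __init__(self, hold_ms: float = MONOFLOP_TIME_MS) -> None:
        self.hold_ms = hold_ms
        self.expires_ms = float("-inf")   # never triggered: output blocked

    def bus_low(self, t_ms: float, duration_us: float) -> None:
        if duration_us >= LOW_TRIGGER_US:
            self.expires_ms = t_ms + duration_us / 1000.0 + self.hold_ms

    def output_enabled(self, t_ms: float) -> bool:
        return t_ms < self.expires_ms


def simulate(expected, reported, period_ms: float = 20.0, pulse_us: float = 1000.0):
    """Monitoring-module view, one entry per data cycle: compare the control
    signal reported by the output module with the expected one and send the
    enable pulse only on agreement. Returns whether the output stage was
    still enabled at the end of each cycle."""
    mf = RetriggerableMonoflop()
    enabled = []
    for cycle, (exp, rep) in enumerate(zip(expected, reported)):
        t = cycle * period_ms
        if exp == rep:
            mf.bus_low(t, pulse_us)     # enable pulse modulated onto the bus
        enabled.append(mf.output_enabled(t + period_ms))
    return enabled


if __name__ == "__main__":
    print("14400 Bd, 0x00 low run:", longest_low_run_us(14400, 0x00), "us")  # 625.0
    print("9600 Bd data can trigger:", data_can_trigger(9600))                # True
    # constructed sample: reported control signal deviates from cycle 3 onward
    print(simulate([1] * 6, [1, 1, 1, 0, 0, 0]))  # [True, True, True, False, False, False]
```

At 14,400 baud a worst-case 0x00 character holds the line low for only 625 μs, so data traffic never reaches the 700 μs trigger, whereas at 9,600 baud it would (937.5 μs).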
As a result of the “1” level on the LIN bus, transistor T1 illustrated in
Input 509 is also connected to a receiving input 513 of the microcontroller 505 and to an input 515 of the additional feedthrough device 507. The feedthrough device includes an input component 517 which is connected to an input of a flip-flop 519, for example a monoflop. An output of the flip-flop 519 is connected to a terminal of an output driver 521, for example an operational amplifier, of the additional feedthrough device 507. An output of the output driver 521 is connected to a gate of a transistor T4, whose second terminal, for example a collector terminal, forms an output 523 of the microcontroller circuit 501. On the other hand, a first terminal of transistor T4, for example an emitter terminal, is connected to ground. The second terminal of transistor T4 is connected via a resistor R8 to an input element 525, for example an input driver, of the microcontroller 505 by means of a feedback loop. An output of the input element 525 is connected to a diagnostic element 527 which is connected to flip-flop 511, as illustrated in
The additional feedthrough device 507 may be implemented as software, for example, while the feedthrough device 503 may be implemented as hardware. Further components implemented as hardware may be UART element 533 as well as input elements 517, 525 and output element 521. On the other hand, elements 527, 529, 531, 537, 519, and 538 may be implemented as software.
The main signal path of the safety function leads from UART block 533 through a protocol stack, which is implemented in the bus protocol element 531. Data exchange occurs between the bus protocol and the processing unit via two buffers 529 and 537, for example, whereby the input data of the safety function are stored in the consumer PDC buffer 537. Accordingly, the output data and status data are transferred by the producer buffer 529 to a monitoring module (not illustrated in
As illustrated in
As an alternative to the exemplary embodiment illustrated in
Number | Date | Country | Kind |
---|---|---|---|
10 2008 029 948 | Jun 2008 | DE | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2009/004516 | 6/23/2009 | WO | 00 | 2/10/2011 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2009/156122 | 12/30/2009 | WO | A |
Number | Date | Country |
---|---|---|
20110128046 A1 | Jun 2011 | US |