G05B2219/24188

ERROR PROCEDURE FOR CONTROLLING AN AUTONOMOUS CONTROLLED OBJECT

The invention relates to a method for operating a controlled object that is embedded in a changing environment, wherein the controlled object and its environment are periodically observed using sensors and in each frame at least two independent data flow paths, DFPs, are executed based on the data recorded through the observation of the controlled object and its environment, and wherein a first DFP determines from the data recorded by the observation of the controlled object and its environment via complex software a model of the controlled object and the environment of the controlled object and, on the basis of this model, carries out a trajectory planning in order to create one or more possible trajectories that, under the given environmental conditions, correspond to a specified task assignment, and wherein a second DFP determines from the data recorded by the observation of the controlled object and its environment via a (preferably diverse) complex software program a model of the controlled object and of the environment of the controlled object and, on the basis of this model, determines a safe space-time domain, SRZD, within which SRZD all safe trajectories must be located, and wherein the results of the first and the second DFP are transmitted to a deciding instance, wherein the deciding instance is realized via simple software, and wherein the deciding instance verifies whether at least one of the trajectories determined by the first DFP is safe, i.e. located within the SRZD that was determined by the second DFP, and wherein, in the case that these match, one of the safe trajectories determined by the first DFP is selected and wherein the deciding instance transmits the target values corresponding to the selected trajectory to an actuator control, and wherein, in the case that these do not match, it waits for the results of at least one following frame, and wherein, in the case that there is also no safe trajectory available in the following frame or the one after that, the deciding instance switches to an emergency trajectory.

Method and device for handling safety critical errors

A device for operating an apparatus comprising a first controller configured to be controlled by a first control signal, a second controller configured to be controlled by a second control signal, a control unit operatively connected to the first controller and the second controller, wherein the first controller and the second controller are both configured to operate the apparatus.

Safety Unit and an Improved Safety System Comprising a Number of Safety Units
20180188705 · 2018-07-05

A programmable safety unit for monitoring and controlling safety functions of a hazardous environment, for example an environment including hazardous machines, processes, materials, and so forth and safety equipment associated with the hazardous environment. A safety unit is adapted for external mounting, and includes a programmable safety module and a connection part that are interconnectable enabling mounting/demounting and replacement of the programmable safety module and/or the connection part. The safety unit further includes at least two connections that are programmable as safe inputs and/or outputs for direct connection to at least a number of the safety functions or equipment of the hazardous environment, and for example the machines and/or processes.

METHOD AND DEVICE FOR HANDLING SAFETY CRITICAL ERRORS
20180111626 · 2018-04-26

A device for operating an apparatus comprising a first controller configured to be controlled by a first control signal, a second controller configured to be controlled by a second control signal, a control unit operatively connected to the first controller and the second controller, wherein the first controller and the second controller are both configured to operate the apparatus.

Method for Controlling a Drive

A method for controlling a drive having at least one converter, at least one motor and an assigned drive control, wherein a failsafe CPU is operated separately from the drive control and only processes safety-relevant information, where a number of safety functions are implemented by the failsafe CPU such that the safety-relevant functions of the drive are implemented in a simple and reliable manner.

Method of controlling an automation system having control redundancy, and automation system
12455540 · 2025-10-28

A method for controlling an automation system having control redundancy is provided. The automation system has at least a first controller, a second controller and a plurality of field devices connected to the first and second controller via a data bus, with the first and second controller configured to cyclically control an automation process of the automation system. The method comprises cyclically controlling the automation process via the first controller, determining a malfunction of the first controller during an (n+x)-th control cycle, where the (n+x)-th control cycle is carried out x control cycles later in time than the n-th control cycle, and sending out an n-th set of output data via a second input-output unit of the second controller to the plurality of field devices in the (n+x)-th control cycle, for controlling the automation process. An automation system is configured to carry out the method.