Arrangement and Method for Functionally Safe Connection Identification

20220158983 · 2022-05-19

    Abstract

    Apparatus and method for the functionally safe transfer of data in a bilateral exchange of safety-related data between two communication partners (A, B), wherein a mapping is defined which, for each bidirectional connection, assigns to a consumer ID the provider ID of the same end point, and the mapping is made known to the two end points a priori; the mapping could consist of the one's complement or alternatively of the two's complement. When the connection between the data provider and the data consumer is established as described, the data consumer receives the address identification of the data provider via an additional side channel, for example, and after the connection has been established the identification of the data provider can be safely checked.

    Claims

    1.-13. (canceled)

    14. A method for functionally safe connection identification for a bilateral data interchange of safety-oriented data between two communication subscribers in a communication system, safety-oriented data being interchanged via safety-oriented communication, address relationships comprising destination addresses and source addresses being planned for the safety-oriented communication, a first data consumer having a first address identifier and a first data provider being operated in a first communication subscriber, a second data provider having a third address identifier and a second data consumer being operated in a second communication subscriber, a first unidirectional connection being set up between the first data consumer and the second data provider, and a second unidirectional connection being set up between the first data provider and the second data consumer, the method comprising: ascertaining, by the first communication subscriber, the third address identifier; producing an identifier in the first communication subscriber utilizing a computation rule which is applied to a unique value, said identifier being communicated to the first data consumer; transmitting, by the first data consumer, the unique value to the second data provider in a first request message; responding, by the second data provider, with a first response message containing first safety-oriented data and the third address identifier; performing a check in the first data consumer to determine whether the first response message contains the third address identifier, and accepting the first safety-oriented data if a result of said check is positive, and otherwise rejecting the first safety-oriented data if the result of said check is negative; producing the identifier in the second communication subscriber utilizing the computation rule; and utilizing the identifier to functionally protect the second unidirectional connection between the first data provider and the second data consumer.

    15. The method as claimed in claim 14, wherein the second data consumer transmits a second request message to the first data provider, and the first data provider responds with a second response message containing second safety-oriented data and the identifier; and wherein a check is performed in the second data consumer to determine whether the second response message contains the identifier, the second safety-oriented data being accepted if the result of this check is positive and otherwise rejected if the result of this check is negative.

    16. The method as claimed in claim 15, wherein the first data provider is operated with a second address identifier and said second address identifier is utilized as the unique value.

    17. The method as claimed in claim 14, wherein the communication system utilized comprises one of (i) a system based on Open Platform Communication (OPC) Unified Architecture (UA) client/server mechanisms with Transmission Control Protocol/Internet Protocol (TCP/IP) communication and (ii) a system based on OPC UA Pub/Sub mechanisms with TCP/IP communication to which the mechanisms for a time-sensitive network (TSN) have been added.

    18. The method as claimed in claim 15, wherein the communication system utilized comprises one of (i) a system based on Open Platform Communication (OPC) Unified Architecture (UA) client/server mechanisms with Transmission Control Protocol/Internet Protocol (TCP/IP) communication and (ii) a system based on OPC UA Pub/Sub mechanisms with TCP/IP communication to which the mechanisms for a time-sensitive network (TSN) have been added.

    19. The method as claimed in claim 16, wherein the communication system utilized comprises one of (i) a system based on Open Platform Communication (OPC) Unified Architecture (UA) client/server mechanisms with Transmission Control Protocol/Internet Protocol (TCP/IP) communication and (ii) a system based on OPC UA Pub/Sub mechanisms with TCP/IP communication to which the mechanisms for a time-sensitive network (TSN) have been added.

    20. The method as claimed in claim 14, wherein the third address identifier is ascertained via a side channel which is independent of the communication system or based on a configuration database utilizing position data of the first communication subscriber.

    21. The method as claimed in claim 14, wherein the first communication subscriber is operated by or in an autonomous robot unit and the second communication subscriber is operated by or in a machine; and wherein the communication is set up after the robot unit approaches the machine.

    22. The method as claimed in claim 16, wherein if a maximum numerical value of the second address identifier exceeds a word length available in a protocol that is used, then the first data consumer splits the second address identifier into parts and transmits the parts to the second data provider utilizing partial request messages, and said second data provider assembles the parts and ascertains the second address identifier; and wherein once the second address identifier has been established, the second data consumer transmits a final request message and said final request message is in turn answered with the second response message containing the second safety-oriented data and the second address identifier.

    23. An arrangement comprising: a first communication subscriber and a second communication subscriber which interchange data via a communication system, the first communication subscriber including a first data consumer having a first address identifier and a first data provider having a second address identifier, the second communication subscriber including a second data provider having a third address identifier and a second data consumer; means configured to set up a first unidirectional connection between the first data consumer and the second data provider and to set up a second unidirectional connection between the first data provider and the second data consumer; wherein the first communication subscriber is configured to ascertain the third address identifier; wherein the first communication subscriber includes a mapping unit configured to utilize a computation rule, which is applied to a unique value, to produce an identifier; wherein the mapping unit is configured to forward the identifier to the first data consumer; wherein the first data consumer is configured to transmit the unique value to the second data provider in a first request message; wherein the second data provider is configured to respond to the first request message with a first response message containing first safety-oriented data and the third address identifier, safety-oriented data being interchanged via safety-oriented communication and address relationships comprising destination addresses and source addresses being firmly planned for the safety-oriented communication; wherein the first data consumer additionally includes checking means configured to check whether the first response message contains the third address identifier, the checking means being configured to declare the first safety-oriented data to be valid if the result of this check is positive, and otherwise to reject the first safety-oriented data if the result of this check is negative; wherein the second communication subscriber includes a reverse mapping unit configured to utilize the computation rule to recover the identifier from the unique value and to transfer said identifier to the second data consumer; and wherein the first data provider and the second data consumer are configured to utilize the identifier, which is then known to the first data provider and the second data consumer on both sides, to functionally protect the second unidirectional connection between the first data provider and the second data consumer.

    24. The arrangement as claimed in claim 23, wherein the second data consumer is configured to transmit a second request message to the first data provider; wherein the first data provider is configured to respond with a second response message containing second safety-oriented data and the identifier; and wherein the second data consumer includes cross-checking means configured to check whether the second response message contains the identifier, and configured to accept the second safety-oriented data if a result of the check is positive, and to otherwise reject the second safety-oriented data if the result of the check is negative.

    25. The arrangement as claimed in claim 23, wherein the communication system comprises one of (i) a system configured as a controller-controller communication system based on Open Platform Communication (OPC) Unified Architecture (UA) client/server mechanisms with Transmission Control Protocol/Internet Protocol (TCP/IP) communication and (ii) a system based on OPC UA Pub/Sub mechanisms with TCP/IP communication to which the mechanisms for a time-sensitive network (TSN) have been added.

    26. The arrangement as claimed in claim 24, wherein the communication system (KS) comprises one of (i) a system configured as a controller-controller communication system based on Open Platform Communication (OPC) Unified Architecture (UA) client/server mechanisms with Transmission Control Protocol/Internet Protocol (TCP/IP) communication and (ii) a system based on OPC UA Pub/Sub mechanisms with TCP/IP communication to which the mechanisms for a time-sensitive network (TSN) have been added.

    27. The arrangement as claimed in claim 23, wherein the arrangement includes a side channel which is independent of the communication system and which is configured to provide the third address identifier for the first data consumer.

    28. The arrangement as claimed in claim 24, wherein the arrangement includes a side channel which is independent of the communication system and which is configured to provide the third address identifier for the first data consumer.

    29. The arrangement as claimed in claim 25, wherein the arrangement includes a side channel which is independent of the communication system and which is configured to provide the third address identifier for the first data consumer.

    30. The arrangement as claimed in claim 25, further comprising: an ascertaining means configured to access a configuration database; wherein the first communication subscriber comprises a position ascertaining means configured to ascertain position data of the first communication subscriber, the ascertaining means being configured to take the position data as a basis for utilizing the configuration database to ascertain the third address identifier.

    31. The arrangement as claimed in claim 23, wherein an autonomous mobile robot unit includes the first communication subscriber and a machine includes the second communication subscriber; and wherein the robot unit is configured to approach the machine and to set up a communication.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0034] The drawing shows multiple exemplary embodiments of the invention, in which:

    [0035] FIG. 1 shows a machine/robot system in accordance with the invention, where the robots set up functionally safe bidirectional connections to the machines;

    [0036] FIG. 2 shows a machine/control panel system in accordance with the invention, where the control panels can set up a functionally safe bidirectional connection to the machines;

    [0037] FIG. 3 shows an arrangement configured as a controller-controller communication device in accordance with the invention;

    [0038] FIG. 4 shows a timing sequence for request messages between a first and a second communication partner in accordance with a first embodiment;

    [0039] FIG. 5 shows a timing sequence for request messages between a first and a second communication subscriber in accordance with a second variant embodiment;

    [0040] FIG. 6 is a flowchart of the method in accordance with the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0041] FIG. 1 shows a first machine M1, a second machine M2 and a third machine M3, which can set up functionally safe connections to a first autonomous mobile robot unit AMR1, a second autonomous mobile robot unit AMR2 and a third autonomous mobile robot unit AMR3. Here, functionally safe means in particular that the recipient can check whether the received data come from the correct transmitter and have not been received from a different transmitter, e.g., on account of a network error or mobile radio interference. In the general case, the data transmission is performed in both directions, i.e., a bidirectional data transmission occurs here. The autonomous mobile robot units AMR1, AMR2, AMR3 are in a factory building with an extent that can be described by way of a coordinate system XYZ. According to FIG. 1, the communication system KS used is, for example, a radio standard with a superimposed PROFIsafe protocol. It would also be possible to use the PROFINET standard, in which communication occurs via Ethernet, but this would require the robots to mechanically dock with the machines.

    [0042] The third autonomous mobile robot AMR3 has the first communication subscriber A and the third machine M3 has the second communication subscriber B. The two communication subscribers A, B form an arrangement CCC, which is described in more detail with reference to FIG. 3.

    [0043] When the third autonomous mobile robot AMR3 approaches the machine M3, it uses the first communication subscriber A to set up a connection to the second communication subscriber B, thereby creating a first unidirectional connection UV1 and a second unidirectional connection UV2. The third autonomous mobile robot AMR3 additionally has a position ascertaining means PE that it can use to ascertain its position data X, Y, Z. Additionally, the third autonomous mobile robot AMR3 has an ascertaining means EM configured to access a configuration database KD, the ascertaining means additionally being designed to take the position data X, Y, Z as a basis for using the configuration database KD to ascertain the third address identifier ID_PG_B.

    [0044] FIG. 2 shows another exemplary embodiment of functionally safe connection setup between mobile devices and machines. The first machine M1, the second machine M2 and the third machine M3 can be operated using different control panels BP1, BP2. Here, the second control panel BP2 has registered with the second machine M2 and uses a side channel SK to set up a first safe unidirectional connection UV1 and a second safe unidirectional connection UV2. The communication system KS used is a time-sensitive network TSN.

    [0045] FIG. 3 shows an arrangement CCC for controller-controller communication. A first communication subscriber A sets up two unidirectional functionally safe connections UV1, UV2 to a second communication subscriber B. The first communication subscriber A has a first data consumer CI_A having a first address identifier ID_CI_A and a first data provider PI_A having a second address identifier ID_PI_A. The second communication subscriber B has a second data provider PG_B having a third address identifier ID_PG_B and a second data consumer CG_B.

    [0046] Additionally, means are present for setting up a first unidirectional functionally safe connection UV1 between the first data consumer CI_A and the second data provider PG_B and a second unidirectional functionally safe connection UV2 between the first data provider PI_A and the second data consumer CG_B.

    [0047] The first communication subscriber A is configured to ascertain the third address identifier ID_PG_B of the second data provider PG_B. The first communication subscriber A has a mapping unit AE configured to use a computation rule f, which is applied to the second address identifier ID_PI_A, to produce the first address identifier ID_CI_A. Additionally, the mapping unit AE is configured to forward the second address identifier ID_PI_A to the first data consumer CI_A. The first data consumer CI_A is configured to transmit the second address identifier ID_PI_A to the second data provider PG_B in a first request message RQ1. The second data provider PG_B is configured to respond to the first request message RQ1 with a first response message Res1. The first response message Res1 contains first safety-oriented data F_B-Data and the third address identifier ID_PG_B. The first data consumer CI_A has checking means PM_A. These checking means PM_A are configured to check whether the first response message Res1 contains the third address identifier ID_PG_B. This check can be performed by the checking means PM_A because the first communication subscriber A has retrieved the third address identifier ID_PG_B via a side channel SK in an earlier step. Additionally, the checking means PM_A is configured so as, if the result of this check is positive, to declare the first safety-oriented data F_B-Data to be valid, and otherwise to reject them, as a result of which the first unidirectional connection UV1 is functionally protected.

    [0048] The second communication subscriber B has a reverse mapping unit RAE configured to use the computation rule f to recover the second address identifier ID_PI_A from the first address identifier ID_CI_A and to transfer the second address identifier to the second data consumer CG_B for a later request.

    [0049] The first data provider PI_A and the second data consumer CG_B are now configured to use the second address identifier ID_PI_A, which is now known to them on both sides, to functionally protect the second unidirectional connection UV2 between the first data provider PI_A and the second data consumer CG_B. To this end, the second data consumer CG_B essentially has a cross-checking means PM_B configured to check whether the second response message Res2 contains the second address identifier ID_PI_A; if the result of this check is positive, the second safety-oriented data F_A-Data are accepted, and otherwise rejected.

    [0050] As safety-oriented data, it would be possible, for example, for the data signal of an emergency off switch 100 to be passed on. An emergency stop command 101 is forwarded to the first communication subscriber A via the first unidirectional connection UV1 as a functionally safe datum F_B-Data. Safety-oriented data could also be a ready signal 102 from a robot. This would then be forwarded from the first communication subscriber A to the second communication subscriber B via the second unidirectional connection UV2.

    [0051] FIG. 4 shows a timing sequence for request messages RQ1 and response messages Res1. The right-hand side depicts the first communication subscriber A, in principle in the form of an autonomous mobile robot unit AMR3. The first communication subscriber A has the first data consumer CI_A and the first data provider PI_A. The method for functionally safe connection identification involves the first communication subscriber A ascertaining the third address identifier ID_PG_B, for example via a side channel SK, in a first step 1. The third address identifier ID_PG_B is now known to the first communication subscriber A. In a second step 2, the computation rule f is used in the first communication subscriber A to calculate the first address identifier ID_CI_A, and this first address identifier ID_CI_A is transmitted to the second data provider PG_B in a first request message RQ1. The second data provider PG_B responds with a first response message Res1 containing first safety-oriented data F_B-Data and the third address identifier ID_PG_B. In a third step 3, a check is performed in the first communication subscriber A or in the first data consumer CI_A to determine whether the first response message Res1 contains the third address identifier ID_PG_B; if the result of this check is positive, the first safety-oriented data F_B-Data are accepted, and otherwise rejected.

    [0052] In a fourth step 4, the computation rule f is likewise used to produce the second address identifier ID_PI_A in the second communication subscriber B and to forward the second address identifier to the second data consumer CG_B. The second data consumer now sends a second request message RQ2 to the first data provider PI_A in a fifth step 5. The first data provider PI_A responds with a second response message Res2 containing second safety-oriented data F_A-Data and the second address identifier ID_PI_A.

    [0053] In a sixth step 6, a check is then performed to determine whether the second response message Res2 contains the second address identifier ID_PI_A; if the result of this check is positive, the second safety-oriented data F_A-Data are accepted, and otherwise rejected.
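    The six-step sequence of FIG. 4 ([0051] to [0053]), with the roles of FIG. 3, simulated end to end in Python as an added illustration; this is not code from the patent or from any product it refers to. The computation rule f is taken to be the one's complement within a 16-bit word, one of the two mappings named in the abstract; the word length, the message layouts, the fact that RQ2 is addressed with the recovered ID_PI_A, and all identifier and data values are assumptions made for the example. The first run shows both unidirectional connections being protected; the second lets a different machine's data provider answer RQ1, as could happen after a network error or radio interference, and shows CI_A rejecting the response because it does not carry the expected ID_PG_B.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

WORD_BITS = 16                  # assumed address word length; the patent does not fix it
MASK = (1 << WORD_BITS) - 1


def f(value: int) -> int:
    """Computation rule f: one's complement within the word; an involution, so f(ID_PI_A) == ID_CI_A and f(ID_CI_A) == ID_PI_A."""
    return ~value & MASK


@dataclass(frozen=True)
class Request:
    """RQ1 / RQ2: one address identifier (message layout assumed for the example)."""
    address_id: int


@dataclass(frozen=True)
class Response:
    """Res1 / Res2: safety-oriented data plus the address identifier of the answering provider."""
    data: bytes
    address_id: int


class SubscriberA:
    """First communication subscriber A (the robot): consumer CI_A and provider PI_A."""
    def __init__(self, id_pi_a: int, fa_data: bytes) -> None:
        self.id_pi_a = id_pi_a               # second address identifier (provider PI_A)
        self.id_ci_a = f(id_pi_a)            # first address identifier, from mapping unit AE (step 2)
        self.fa_data = fa_data               # F_A-Data, e.g. a robot ready signal
        self.id_pg_b: Optional[int] = None   # third address identifier, learned out of band (step 1)

    def learn_provider_id(self, id_pg_b: int) -> None:
        """Step 1: ascertain ID_PG_B via the side channel SK or the configuration database KD."""
        self.id_pg_b = id_pg_b

    def ci_a_request(self) -> Request:
        """Step 2: CI_A transmits ID_CI_A to PG_B in RQ1."""
        return Request(self.id_ci_a)

    def ci_a_check(self, res1: Response) -> Optional[bytes]:
        """Step 3: checking means PM_A accepts F_B-Data only if Res1 carries the expected ID_PG_B."""
        if self.id_pg_b is None or res1.address_id != self.id_pg_b:
            return None                      # rejected: not from the planned provider
        return res1.data

    def pi_a_respond(self, rq2: Request) -> Optional[Response]:
        """Step 5: PI_A answers an RQ2 addressed to it with F_A-Data and its own ID_PI_A."""
        if rq2.address_id != self.id_pi_a:
            return None
        return Response(self.fa_data, self.id_pi_a)


class SubscriberB:
    """Second communication subscriber B (the machine): provider PG_B and consumer CG_B."""
    def __init__(self, id_pg_b: int, fb_data: bytes) -> None:
        self.id_pg_b = id_pg_b               # third address identifier (provider PG_B)
        self.fb_data = fb_data               # F_B-Data, e.g. an emergency stop command
        self.id_pi_a: Optional[int] = None   # recovered by reverse mapping unit RAE (step 4)

    def pg_b_respond(self, rq1: Request) -> Response:
        """Steps 2 and 4: PG_B answers with F_B-Data and ID_PG_B; RAE recovers ID_PI_A = f(ID_CI_A) for CG_B."""
        self.id_pi_a = f(rq1.address_id)
        return Response(self.fb_data, self.id_pg_b)

    def cg_b_request(self) -> Request:
        """Step 5: CG_B sends RQ2 to PI_A, addressed with the recovered ID_PI_A."""
        if self.id_pi_a is None:
            raise RuntimeError("RQ1 not received; UV2 cannot be set up")
        return Request(self.id_pi_a)

    def cg_b_check(self, res2: Optional[Response]) -> Optional[bytes]:
        """Step 6: cross-checking means PM_B accepts F_A-Data only if Res2 carries ID_PI_A."""
        if res2 is None or self.id_pi_a is None or res2.address_id != self.id_pi_a:
            return None
        return res2.data


def run_exchange(a: SubscriberA, b: SubscriberB, answering_provider: Optional[SubscriberB] = None):
    """Steps 2 to 6 of FIG. 4; returns (accepted F_B-Data, accepted F_A-Data). answering_provider lets
    another machine's provider answer RQ1 in place of b (a misdirected response): CI_A rejects Res1."""
    rq1 = a.ci_a_request()
    res1 = (answering_provider or b).pg_b_respond(rq1)
    fb_data = a.ci_a_check(res1)
    if fb_data is None:
        return None, None
    rq2 = b.cg_b_request()
    fa_data = b.cg_b_check(a.pi_a_respond(rq2))
    return fb_data, fa_data


if __name__ == "__main__":
    # Constructed values: AMR3 (A) talks to M3 (B); in the second run M2's provider answers RQ1 instead.
    for wrong in (None, SubscriberB(0x0043, b"emergency stop")):
        a, m3 = SubscriberA(0x1234, b"robot ready"), SubscriberB(0x0042, b"emergency stop")
        a.learn_provider_id(0x0042)
        print(run_exchange(a, m3, wrong))   # (b'emergency stop', b'robot ready') then (None, None)
```

    Because the one's complement is its own inverse, a single rule f serves as the mapping unit AE on subscriber A and as the reverse mapping unit RAE on subscriber B. The checks in steps 3 and 6 establish that a response came from the planned partner rather than from a misaddressed one; the identifiers travel in the clear, so this is a functional safety check in the sense of [0041], not an authentication of the sender.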

    [0054] FIG. 5 depicts an alternative timing sequence for request and response messages. This method would be employed if the maximum value of the second address identifier ID_PI_A exceeds the word length available in the protocol that is used. The first data consumer CI_A would then split the second address identifier ID_PI_A into parts part1, part2, part3 and transmit the parts part1, part2, part3 to the second data provider PG_B using partial request messages RQ11, RQ12, RQ13. The parts part1, part2, part3 are reassembled in the second data provider PG_B and the second address identifier ID_PI_A is ascertained.

    [0055] Accordingly, the third address identifier ID_PG_B is again ascertained via a side channel SK in a step 1. In an alternative first step 11, a first partial request message RQ11 is used to transmit the first part part1. In an alternative second step 12, this transmission is answered with a response message Res. In an alternative third step 13, a second partial request message RQ12 is used to transmit the second part part2. In an alternative fourth step 14, a third partial request message RQ13 is used to transmit the third part part3. In an alternative intermediate step 14a, the address identifier is now assembled from the three parts part1, part2, part3, and the computation rule f is applied to the assembled identifier. A final request message FRQ1 is now transmitted, which is answered with a final response message FRES. This final response message FRES contains the safety-oriented data F_A-Data and the second address identifier ID_PI_A. Although the second address identifier ID_PI_A is now an address with a long word length, the special feature of the protocol employed is that more space is provided in the response messages than in the request messages.
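    The split variant of FIG. 5 ([0054] and [0055], claim 22), again as an added Python illustration rather than code from the patent: an ID_PI_A wider than the request word length is split by CI_A into request-sized parts, sent in the partial request messages RQ11, RQ12, RQ13, reassembled by PG_B, which then applies f, and finally confirmed by a response whose address field is wide enough to carry the whole identifier. The widths (16-bit request word, 48-bit identifier and response field), the part ordering (most significant part first), the per-part index carried with each part, and all values are assumptions made for the example; the patent does not specify them.

```python
from typing import List, Optional, Tuple

# Assumed widths (not specified in the patent text).
REQ_WORD_BITS = 16   # address field available in a request message
ID_BITS = 48         # width of ID_PI_A here: wider than a request word, so it must be split
RES_ID_BITS = 48     # the response message has more room than the request (see [0055])


def f(value: int, bits: int = ID_BITS) -> int:
    """Computation rule f, one's complement within `bits`, applied once to the reassembled identifier."""
    return ~value & ((1 << bits) - 1)


def split_identifier(value: int, bits: int = ID_BITS, word: int = REQ_WORD_BITS) -> List[int]:
    """CI_A side: split a `bits`-wide identifier into ceil(bits / word) parts, most significant first."""
    if not 0 <= value < (1 << bits):
        raise ValueError("identifier does not fit its declared width")
    count = -(-bits // word)
    mask = (1 << word) - 1
    return [(value >> (word * (count - 1 - i))) & mask for i in range(count)]


def assemble_identifier(parts: List[int], word: int = REQ_WORD_BITS) -> int:
    """PG_B side: inverse of split_identifier."""
    value = 0
    for part in parts:
        if not 0 <= part < (1 << word):
            raise ValueError("part exceeds the request word length")
        value = (value << word) | part
    return value


class ProviderPGB:
    """Second data provider PG_B: collects the parts from RQ11, RQ12, ... and answers each with Res."""

    def __init__(self, expected_parts: int) -> None:
        self.expected_parts = expected_parts
        self.parts: List[int] = []
        self.id_pi_a: Optional[int] = None      # known only after the last part (step 14a)
        self.identifier: Optional[int] = None   # f applied to the assembled identifier (step 14a)

    def partial_request(self, index: int, part: int) -> str:
        """Handle one partial request; the index (an assumption) makes a lost or repeated part detectable."""
        if index != len(self.parts):
            raise ValueError(f"expected part {len(self.parts)}, got part {index}")
        self.parts.append(part)
        if len(self.parts) == self.expected_parts:
            self.id_pi_a = assemble_identifier(self.parts)
            self.identifier = f(self.id_pi_a)
        return "Res"


def final_response(id_pi_a: int, fa_data: bytes) -> Tuple[bytes, int]:
    """First data provider PI_A answers FRQ1 with FRES: F_A-Data and the full-width ID_PI_A."""
    if id_pi_a >= (1 << RES_ID_BITS):
        raise ValueError("identifier does not fit the response address field")
    return fa_data, id_pi_a


def run_split_exchange(id_pi_a: int, fa_data: bytes) -> Tuple[Optional[bytes], List[int]]:
    """Steps 11 to 14a of FIG. 5 plus FRQ1/FRES; returns (F_A-Data accepted by CG_B, parts sent)."""
    parts = split_identifier(id_pi_a)
    pg_b = ProviderPGB(expected_parts=len(parts))
    for index, part in enumerate(parts):                  # RQ11, RQ12, RQ13, each answered with Res
        assert pg_b.partial_request(index, part) == "Res"
    assert pg_b.id_pi_a is not None                        # FRQ1 is only sent once the identifier is complete
    data, echoed_id = final_response(id_pi_a, fa_data)     # FRES
    # Cross-check in CG_B: accept F_A-Data only if FRES carries the reassembled ID_PI_A.
    accepted = data if echoed_id == pg_b.id_pi_a else None
    return accepted, parts


if __name__ == "__main__":
    # Constructed 48-bit identifier: three 16-bit parts are needed.
    print(run_split_exchange(0xABCDEF123456, b"robot ready"))   # (b'robot ready', [43981, 61202, 13398])
```

    The receiver refuses to assemble an identifier from parts that arrive out of order or twice, so a lost partial request cannot silently yield a wrong ID_PI_A that the later check in CG_B would then trust.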

    [0056] FIG. 6 is a flowchart of the method for functionally safe connection identification for a bilateral data interchange of safety-oriented data F_B-Data, F_A-Data between two communication subscribers A, B in a communication system KS. Safety-oriented data is interchanged via safety-oriented communication, and address relationships comprising destination addresses and source addresses are planned for the safety-oriented communication. A first data consumer CI_A having a first address identifier ID_CI_A and a first data provider PI_A are operated in a first communication subscriber A; a second data provider PG_B having a third address identifier ID_PG_B and a second data consumer CG_B are operated in a second communication subscriber B. A first unidirectional connection UV1 is set up between the first data consumer CI_A and the second data provider PG_B, and a second unidirectional connection UV2 is set up between the first data provider PI_A and the second data consumer CG_B. The method comprises ascertaining, by the first communication subscriber A, the third address identifier ID_PG_B, as indicated in step 610.

    [0057] Next, an identifier is produced in the first communication subscriber A utilizing a computation rule f that is applied to a unique value, as indicated in step 620. Here, the identifier is communicated to the first data consumer CI_A.

    [0058] Next, the first data consumer CI_A transmits the unique value to the second data provider PG_B in a first request message RQ1, as indicated in step 630.

    [0059] Next, the second data provider PG_B responds with a first response message Res1 containing first safety-oriented data F_B-Data and the third address identifier ID_PG_B, as indicated in step 640.

    [0060] Next, a check is performed in the first data consumer CI_A to determine whether the first response message Res1 contains the third address identifier ID_PG_B; the first safety-oriented data F_B-Data are accepted if the result of the check is positive and otherwise rejected if the result of the check is negative, as indicated in step 650.

    [0061] Next, the identifier is produced in the second communication subscriber B utilizing the computation rule f, as indicated in step 660.

    [0062] Next, the identifier is utilized to functionally protect the second unidirectional connection UV2 between the first data provider PI_A and the second data consumer CG_B, as indicated in step 670.

    [0063] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.