Control System Method for Controlling an Apparatus or Installation

20230259095 · 2023-08-17

    Abstract

    A control system for controlling an apparatus or installation, wherein at least one first safety function controls the apparatus or installation, where the control system includes a first safety-oriented control device that is configured to perform the at least one first safety function, where the first safety-oriented control device is also configured as a first safety-oriented control application that is implemented in a cloud, and where the first safety-oriented control application and the apparatus or installation are communicatively coupled via a first safety-oriented communication connection.

    Claims

    1.-14. (canceled)

    15. A control system for controlling an apparatus or installation, at least one first safety function being provided with respect to controlling the apparatus or installation, the control system comprising: a first safety-oriented control device configured to execute at least one first safety function; wherein the first safety-oriented control device is configured as a first safety-oriented control application implemented in a cloud; and wherein the first safety-oriented control application and the apparatus or installation are communicatively coupled via a first safety-oriented communication connection.

    16. The control system as claimed in claim 15, further comprising: a second safety-oriented control device configured to execute at least one of (i) the at least one first safety function and (ii) at least one second safety function; wherein the second safety-oriented control device and the apparatus or installation are communicatively coupled via a second safety-oriented communication connection.

    17. The control system as claimed in claim 16, wherein one of (i) the second safety-oriented control device for executing at least one of the at least one first safety function and the second safety function is configured as a second safety-oriented control application implemented in the cloud, and (ii) the second safety-oriented control device for executing at least one of the at least one first safety function and the second safety function is configured as a structurally separate electronic safety-oriented control device.

    18. The control system as claimed in claim 16, wherein the second safety-oriented control device is configured to execute the at least one first safety function; and wherein the first and second safety-oriented control device are configured to execute the at least one first safety function in parallel.

    19. The control system as claimed in claim 17, wherein the second safety-oriented control device is configured to execute the at least one first safety function; and wherein the first and second safety-oriented control device are configured to execute the at least one first safety function in parallel.

    20. The control system as claimed in claim 18, wherein the first and second safety-oriented control device are configured such that after parallel execution of the at least one first safety function by the first and second safety-oriented control device, a result of a respective execution of the at least one first safety function is each present and a fault measure is then initiated if the results differ.

    21. The control system as claimed in claim 20, wherein the fault measure comprises adoption of a safe state by the apparatus or installation.

    22. The control system as claimed in claim 18, wherein in cases of erroneous executions of the at least one first safety function by one safety-oriented control device of the first and second safety-oriented control devices, a result of the execution of the at least one first safety function by another of the first and second safety-oriented control devices is utilized to control the apparatus or installation.

    23. The control system as claimed in claim 15, wherein at least one of (i) execution of the at least one first safety function by the first safety-oriented control application and (ii) execution of at least one of the at least one first and second safety function by the second safety-oriented control device is implemented utilizing a “coded processing” method.

    24. The control system as claimed in claim 23, wherein at least one of (i) the execution of the at least one first safety function by the first safety-oriented control application and (ii) the execution of at least one of the at least one first and second safety function by the second safety-oriented control device is implemented utilizing a “diversified encoding” method utilizing the coded processing.

    25. The control system as claimed in claim 15, further comprising: at least one operating function for controlling the apparatus or installation; and a further control device for executing the at least one operating function, said further control device being communicatively coupled to the apparatus or installation.

    26. The control system as claimed in claim 25, wherein the further control device for executing the at least one operating function is configured as one of (i) a second control application implemented in the cloud and (ii) a structurally separate electronic control device.

    27. A method for operating a control system for controlling an apparatus or installation, at least one first safety function being provided with respect to controlling the apparatus or installation, the control system comprising a first safety-oriented control device configured to execute at least one first safety function, the first safety-oriented control device being configured as a first safety-oriented control application implemented in a cloud and the first safety-oriented control application and the apparatus or installation being communicatively coupled via a first safety-oriented communication connection, the method comprising: transmitting installation information via the first safety-oriented communication connection from the apparatus or installation to the first safety-oriented control application in the cloud; executing the at least one safety function by the first safety-oriented control application utilizing the installation information; and transmitting control information for the apparatus or installation from the first safety-oriented control application via the first safety-oriented communication connection to the apparatus or installation.

    28. The method for operating a control system as claimed in claim 27, wherein the control system further comprises a second safety-oriented control device configured to execute at least one of (i) the at least one first safety function and (ii) at least one second safety function and wherein the second safety-oriented control device and the apparatus or installation are communicatively coupled via a second safety-oriented communication connection, the method further comprising: transmitting installation information via the first safety-oriented communication connection from the apparatus or installation to the first safety-oriented control application in the cloud and via the second safety-oriented communication connection to the second safety-oriented control device; executing the at least one safety function by the first safety-oriented control application utilizing the installation information, a first result being generated; executing the at least one safety function by the second safety-oriented control device utilizing the installation information, a second result being generated; comparing the generated first and second results; and when the generated first and second results match, one of (i) transmitting control information for the apparatus or installation from the first safety-oriented control application via the first safety-oriented communication connection to the apparatus or installation and (ii) transmitting control information for the apparatus or installation from the second safety-oriented control device via the second safety-oriented communication connection to the apparatus or installation.

    29. The method for operating a control system as claimed in claim 27, wherein the control system further comprises a second safety-oriented control device configured to execute at least one of (i) the at least one first safety function and (ii) at least one second safety function and wherein the second safety-oriented control device and the apparatus or installation are communicatively coupled via a second safety-oriented communication connection, the method further comprising: transmitting installation information via the first safety-oriented communication connection from the apparatus or installation to the first safety-oriented control application and via the second safety-oriented communication connection to the second safety-oriented control device; executing the at least one safety function by the first safety-oriented control application utilizing the installation information; executing the at least one safety function by the second safety-oriented control device utilizing the installation information; wherein, after detection of erroneous execution of the safety function in one safety-oriented control device of the first and second safety-oriented control devices, control information for the apparatus or installation is output from another safety-oriented control device of the first and second safety-oriented control devices via an associated safety-oriented communication connection.

    30. The method as claimed in claim 27, wherein the execution of at least one of (i) the safety function by the first safety-oriented control application or control device and (ii) the safety function by the second safety-oriented control device is implemented utilizing a “coded processing” method.

    31. The method as claimed in claim 30, wherein the execution of at least one of (i) the at least one first safety function by the first safety-oriented control application or control device and (ii) at least one of the at least one first and second safety function by the second safety-oriented control device is implemented utilizing a “diversified encoding” method utilizing the “coded processing”.

    32. A safety-oriented control application for the control system as claimed in claim 16, wherein, in a context of implementing a method for operating the control system to control the apparatus or installation, the safety-oriented control application compares the first and second results, and when the first and second results match, the safety-oriented control application outputs the control information for the apparatus or installation.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0166] The present invention is explained in greater detail below by way of example with reference to the accompanying figures.

    [0167] In the figures:

    [0168] FIG. 1 shows an exemplary installation controller with a safety-oriented control application in the cloud and a standard controller as hardware in accordance with the invention;

    [0169] FIG. 2 shows an exemplary installation controller with a safety-oriented control application and a standard control application in the cloud in accordance with the invention;

    [0170] FIG. 3 shows an exemplary installation controller with a first safety-oriented control application in the cloud and a safety-oriented controller and also a standard controller in each case as hardware in accordance with the invention;

    [0171] FIG. 4 shows an exemplary installation controller with a first safety-oriented control application in the cloud and a safety-oriented controller and also a standard controller in each case as hardware in accordance with the invention, where the first safety-oriented control application and the safety-oriented controller are coupled; and

    [0172] FIG. 5 is a flowchart of the method in accordance with the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0173] FIG. 1 shows a control system 100 comprising a safety-oriented control application 200 implemented in a cloud 500. Furthermore, the control system comprises a standard PLC 300 or a standard controller 300 designed and configured as a hardware control device. The safety-oriented control application 200 is linked to an installation 400 via a corresponding safety-oriented communication connection 210 and controls in said installation safety-relevant processes via corresponding installation safety functions of the safety-oriented control application 200 by way of sensors and actuators correspondingly provided in the installation 400.

    [0174] Furthermore, the safety-oriented control application 200 is connected to a person protection device 420 via a further safety-oriented communication connection 220. Person safety functions are furthermore provided in the safety-oriented control application 200, and interact with corresponding sensors and actuators of the person protection device 420 for the protection of persons operating the installation 400. Such a person protection device 420 can comprise, for example, corresponding barriers, motion sensors, closing mechanisms, light barriers, and/or emergency-off pushbuttons.

    [0175] Furthermore, the safety-oriented control application 200 is connected to a corresponding environment protection device 430 via an additional safety-oriented communication connection 230. Environment safety functions are furthermore provided in the safety-oriented control application 200, and interact with corresponding sensors and actuators of the environment protection device 430 for the protection of the environment against damage resulting from malfunctions of the installation 400. Such an environment protection device 430 can comprise, for example, ventilation devices, sprinkler installations, smoke detectors, temperature sensors, and/or gas detectors.

    [0176] In this case, the installation 400, the person protection device 420 and the environment protection device 430 in interaction with the control system 100 are configured in accordance with the standard IEC 61508 for attaining functional safety.

    [0177] Non-safety-relevant functions of the installation 400 are furthermore controlled by the standard PLC 300 situated in the area of the installation 400, via installation operating functions implemented in the standard PLC 300.

    [0178] This results in an efficient control system 100 for the installation 400 and the person and environment protection devices 420, 430 in which safety-relevant control mechanisms are provided in the cloud 500, while the basic controls of the installation are effected via the standard PLC 300.

    [0179] In this case, by way of example, a coded processing method can be implemented in the safety-oriented control application 200. Alternatively, the safety-oriented property of the safety-oriented control application 200 can also be realized by way of two independently internally implemented parallel control sequences.

    [0180] FIG. 2 shows a modification of the system illustrated in FIG. 1 by virtue of the fact that instead of the standard PLC 300 formed as hardware in the context of the system illustrated in FIG. 1, a standard control application 305 is provided, which is now likewise implemented in the cloud 500. This standard control application 305 illustrated in FIG. 2 controls the non-safety-relevant functionalities of the installation 400 instead of the standard PLC 300 illustrated in FIG. 1.

    [0181] The meaning of the further reference signs illustrated in FIG. 2 corresponds to that from FIG. 1.

    [0182] FIG. 3 shows a further modification of the system illustrated in FIG. 1 by virtue of the fact that a second safety-oriented controller 250 is additionally provided, which is formed as a local hardware controller or local hardware PLC. The safety-oriented functions or safety functions of the installation 400 are controlled by the second safety-oriented controller 250 via a second safety-oriented communication connection 260, while the safety functions of the person and environment protection devices 420, 430 are furthermore controlled from the cloud by the safety-oriented control application 200.

    [0183] In this case, the second safety-oriented PLC 250 is likewise situated in the area of the installation 400.

    [0184] The meaning of the further reference signs illustrated in FIG. 3 corresponds to that of the reference signs from FIG. 1.

    [0185] The control system 100 illustrated in FIG. 3 is configured such that the installation safety functions for the safety-oriented control of the installation 400 are implemented in the local second safety-oriented control device 250, which is implemented in hardware. The person and environment safety functions are provided in the safety-oriented control application 200 implemented in the cloud 500.

    [0186] This results in more efficient safety-oriented control of the installation 400 and of the person and environment protection devices 420, 430 by virtue of the fact that, e.g., fast-acting safety mechanisms for the installation 400 are implemented within the safety-oriented PLC 250 situated on site, while safety functions for person and environment protection measures, which are possibly allowed to have, e.g., longer response times, are implemented flexibly and independently of location in the cloud 500.

    [0187] FIG. 4 illustrates a further possible embodiment of the system illustrated in FIG. 3. Here, all safety functions for controlling the installation 400 and the person and environment protection devices 420, 430 are implemented both in the safety-oriented control application 200 implemented in the cloud and in the safety-oriented local PLC 250. For this purpose, provision is made of respective safety-oriented communication connections 210, 220, 230 from the safety-oriented control application 200 in the cloud 500 to the installation 400, the person protection device 420 and the environment protection device 430. Correspondingly, provision is made of corresponding safety-oriented communication connections 260, 270, 280 from the local safety-oriented PLC 250 to the installation 400, the person protection device 420 and the environment protection device 430.

    [0188] In a first operating mode of the control system 100 illustrated in FIG. 4, the safety-oriented control application 200 in the cloud 500 and the local safety-oriented PLC 250 implemented in hardware are connected via a further communication connection 205. Here, the safety-oriented control application 200 and the local safety-oriented PLC 250 are configured such that in both of them the control program or the control programs for controlling the installation 400, the person protection device 420 and the environment protection device 430 are executed in parallel in both controllers 200, 250. Here, the control devices 200, 250 are configured for the cyclic processing of the control programs, in which case after each cycle the output signals respectively calculated for the installation 400, the person protection device 420 and the environment protection device 430 are compared, the calculated output signals being output to the respective installation parts 400, 420, 430 only if they match.

    [0189] In this way, a redundancy needed for the safety-oriented property of the corresponding control system 100 can be attained by the interaction of the control application 200 with the PLC 250. In this case, the controllers 200, 250 can be configured in such a way so as to define which of the two controllers then outputs the output value to the installation 400, the person protection device 420 and the environment protection device 430 if the calculated values of both controllers 200, 250 match.

    [0190] Furthermore, the controllers 200, 250 are configured such that in the case in which the values calculated by both controllers 200, 250 do not match, the installation 400, the person protection device 420 and the environment protection device 430 are brought to a corresponding safe state by one of the two controllers 200, 250, or else by both of them.

    [0191] In this first operating mode described, a corresponding functional safety of the control system 100 would already be attained just by virtue of the described redundancy of the two controllers 200, 250, which can be provided, for example, as additional safety with respect to safety measures already provided in the control application 200 and the local PLC 250, such as execution of the control program via a coded processing mechanism.

    [0192] In a second operating mode of the control system 100 illustrated in FIG. 4, the safety-oriented control application 200 and the safety-oriented local PLC 250 are likewise coupled via the communication connection 205. However, in this second operating mode, the two safety-oriented control devices 200, 250 are configured such that as a rule one of the two controllers 200, 250 performs the control of the installation 400, the person protection device 420 and the environment protection device 430, while in the other of the control devices 200, 250 the control program is executed in parallel therewith, but no output signals are output to the installation 400, the person protection device 420 and the environment protection device 430.

    [0193] If a fault then occurs in the controlling safety-oriented control device 200, 250, which fault was detected, for example, via an implemented coded processing mechanism, then this faulty control device 200, 250 communicates information or a message concerning taking over the control functionality to the other of the safety-oriented control devices 200, 250 via the communication connection 205.

    [0194] Accordingly, this other safety-oriented control device 200, 250 then takes over the control of the installation 400, the person protection device 420 and the environment protection device 430, while the control activity of the originally controlling safety-oriented control device 200, 250 is deactivated.

    [0195] With this second operating mode, for example, in particular the availability of the safety-oriented control for the installation 400, the person protection device 420 and the environment protection device 430 can be increased, which further reduces the overall probability of failure of the control system 100.

    [0196] With regard to the illustrated operating modes of the control system 100 illustrated in FIG. 4, the first operating mode can be summarized, for example, as a safety-increasing mode and the second operating mode as an availability-increasing mode of the control system 100 illustrated in FIG. 4.
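The two operating modes of FIG. 4 can be simulated per control cycle as follows. This is an added example, not code from the patent: the signal names, the safe-state values, the channel names `cloud_200` and `plc_250`, and the rule that a missing result counts as a fault are all assumptions made for illustration.

```python
from typing import Callable, Dict, Optional, Tuple

Outputs = Dict[str, bool]
Program = Callable[[dict], Optional[Outputs]]  # None models "no result this cycle"

# Assumption (not from the patent): safe state = drive off, ventilation on.
SAFE_STATE: Outputs = {"drive_enable": False, "ventilation": True}


def safety_program(inp: dict) -> Outputs:
    """Constructed safety function, identical in both controllers."""
    ok = inp["guard_closed"] and not inp["estop"] and not inp["gas_alarm"]
    return {"drive_enable": ok, "ventilation": inp["gas_alarm"]}


def stuck_channel(inp: dict) -> Outputs:
    """Constructed fault: one channel keeps the drive enabled regardless."""
    return {"drive_enable": True, "ventilation": inp["gas_alarm"]}


def no_answer(inp: dict) -> None:
    """Constructed fault: the result did not arrive within the cycle."""
    return None


def compare_cycle(inputs: dict, first: Program, second: Program) -> Tuple[Outputs, str]:
    """First operating mode: release outputs only if both results match."""
    r1, r2 = first(dict(inputs)), second(dict(inputs))  # same input image for both
    if r1 is None or r2 is None:
        return dict(SAFE_STATE), "missing-result"  # assumption: silence counts as a fault
    if r1 != r2:
        return dict(SAFE_STATE), "mismatch"
    return r1, "released"


class FailoverPair:
    """Second operating mode: one controller drives outputs, the other shadows it."""

    def __init__(self, channels: Dict[str, Program], active: str):
        self.channels, self.active, self.failed = channels, active, set()

    def cycle(self, inputs: dict, fault_in: Optional[str] = None) -> Tuple[Outputs, Optional[str]]:
        # fault_in stands in for a self-detected fault (e.g. via coded processing).
        results = {n: p(dict(inputs)) for n, p in self.channels.items()}
        self.failed |= {n for n, r in results.items() if r is None}
        if fault_in:
            self.failed.add(fault_in)
        if self.active in self.failed:
            healthy = [n for n in self.channels if n not in self.failed]
            if not healthy:
                return dict(SAFE_STATE), None  # nobody left to take over
            self.active = healthy[0]  # takeover; the faulty controller stays deactivated
        return results[self.active], self.active


if __name__ == "__main__":
    ok = {"guard_closed": True, "estop": False, "gas_alarm": False}
    print(compare_cycle(ok, safety_program, safety_program))
    print(compare_cycle({**ok, "estop": True}, safety_program, stuck_channel))
    pair = FailoverPair({"cloud_200": safety_program, "plc_250": safety_program}, "cloud_200")
    print(pair.cycle(ok), pair.cycle(ok, fault_in="cloud_200"))
```

In the comparison mode a late cloud result has the same effect as a wrong one, so the cycle time has to be chosen with the response time of the cloud connection in mind.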

    [0197] FIG. 5 is a flowchart of the method for operating a control system 100 for controlling an apparatus or installation 400, 420, 430, where at least one first safety function is provided with respect to controlling the apparatus or installation 400, 420, 430, where the control system 100 comprises a first safety-oriented control device 200 configured to execute at least one first safety function, and where the first safety-oriented control device 200 is configured as a first safety-oriented control application 200 implemented in a cloud 500 and the first safety-oriented control application 200 and the apparatus or installation 400, 420, 430 are communicatively coupled via a first safety-oriented communication connection 210, 220, 230.

    [0198] The method comprises transmitting installation information via the first safety-oriented communication connection 210, 220, 230 from the apparatus or installation 400, 420, 430 to the first safety-oriented control application 200 in the cloud 500, as indicated in step 510.

    [0199] Next, the at least one safety function is executed by the first safety-oriented control application 200 utilizing the installation information, as indicated in step 520.

    [0200] Next, control information for the apparatus or installation 400, 420, 430 is transmitted from the first safety-oriented control application 200 via the first safety-oriented communication connection 210, 220, 230 to the apparatus or installation 400, 420, 430, as indicated in step 530.

    [0201] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.