Automation system and method for error-protected acquisition of a measured value

Abstract

A method for error-protected acquisition of a measured value in a control unit, wherein the measured value is firstly acquired with a first acquisition device and secondly with a second acquisition device and thereby a first measured value and a second measured value are made available, where in a comparison step in a safety program executing in the control unit, the first and the second measured value are compared with one another for a deviation from one another and upon reaching or exceeding a pre-determined maximum deviation, an error is identified.

Claims

1. A method for error-protected acquisition of a measured value in a control unit, the measured value being firstly acquired with a first acquisition device and secondly with a second acquisition device such that a first measured value and a second measured value are made available, during a comparison in a safety program executing in the control unit, the first and the second measured value being compared with one another for a deviation from one another and upon reaching or exceeding a pre-determined maximum deviation, an error being identified, the method comprising: parameterizing the first acquisition device for a first measurement range to be set; parameterizing the second acquisition device for a second measurement range to be set; re-parameterizing alternatingly, aided by the safety program, the measurement range for the second acquisition device in the safety program, based on information regarding how the second acquisition device is currently parameterized, such that a currently set second measurement range is known and it is therefore known in which range the second measured value must lie; and performing a plausibility check between the first measured value and the second measured value; wherein if the plausibility check result is negative, an error is also identified.

2. The method as claimed in claim 1, wherein analog-digital converters are utilized in the first and second acquisition device and an analog-digital converter in the first acquisition device provides a first integer value for the first measured value and an analog-digital converter in the second acquisition device provides a second integer value for the second measured value, to which the plausibility check is applied.

3. The method as claimed in claim 1, wherein the plausibility check is performed in a first functional component within the safety program of the control unit and the re-parameterization of the second acquisition device is performed in a second functional component; wherein the first and second measured values are transferred to the first functional component as input values and, as output values, firstly the error-protected measured value is provided and secondly a start signal is provided for the re-parameterization; and wherein the start signal is provided as an input value to the second functional component, which thereupon initiates the re-parameterization and following successful re-parameterization, the second functional component provides a feedback signal, which signal is then switched to the first functional component as an input value.

4. The method as claimed in claim 2, wherein the plausibility check is performed in a first functional component within the safety program of the control unit and the re-parameterization of the second acquisition device is performed in a second functional component; wherein the first and second measured values are transferred to the first functional component as input values and, as output values, firstly the error-protected measured value is provided and secondly a start signal is provided for the re-parameterization; and wherein the start signal is provided as an input value to the second functional component, which thereupon initiates the re-parameterization and following successful re-parameterization, the second functional component provides a feedback signal, which signal is then switched to the first functional component as an input value.

5. The method as claimed in claim 3, wherein in the first functional component, it is additionally monitored whether at least one measured value changes in a pre-determined time window and, if no change occurs, an error is also identified.

6. The method as claimed in claim 1, wherein the first and second acquisition devices are each configured to acquire a current in the range from 0 to 20 mA or in the range from 4 to 20 mA.

7. An automation system configured for error-protected acquisition of a measured value, comprising: a first acquisition device configured to acquire a first measured value; a second acquisition device configured to acquire a second measured value; and a control unit which executes a safety program provided with the safety unit, the a safety program comparing the first and the second measured values with one another for a deviation from one another and upon reaching or exceeding a pre-determined maximum deviation, identifying an error; wherein the first acquisition device is set for a first measurement range to be set and the second acquisition device is alternatingly re-parameterizable aided by the safety program in a second measurement range to be set; wherein the safety program has knowledge regarding a currently set second measurement range; wherein the safety program is further configured to perform a plausibility check between the first measured value and the second measured value; and wherein the safety program is further configured to perform the plausibility check aid by knowledge of a value range to be expected within which the second measured value must lie and is further configured, in an event of a negative plausibility check result, to also signal an error.

8. The automation system as claimed in claim 7, wherein the first and second acquisition device each include an analog-digital converter and an analog-digital converter in the first acquisition device provides a first integer value for the first measurement range and an analog-digital converter in the second acquisition device provides a second integer value for the second measurement range, and the safety program is configured to perform the plausibility check based on the first and second integer values.

9. The automation system as claimed in claim 7, wherein the safety program of the control unit comprises a first functional component which is configured to perform the plausibility check and a second functional component which is configured to perform the re-parameterization of the second acquisition device.

10. The automation system as claimed in claim 8, wherein the safety program of the control unit comprises a first functional component which is configured to perform the plausibility check and a second functional component which is configured to perform the re-parameterization of the second acquisition device.

11. The automation system as claimed claim 7, wherein the control unit comprises an industrial automation control system configured for functional safety; and wherein the first acquisition device and the second acquisition device are respectively configured as an industrial analog assembly.

12. The automation system as claimed claim 8, wherein the control unit comprises an industrial automation control system configured for functional safety; and wherein the first acquisition device and the second acquisition device are respectively configured as an industrial analog assembly.

13. The automation system as claimed claim 9, wherein the control unit comprises an industrial automation control system configured for functional safety; and wherein the first acquisition device and the second acquisition device are respectively configured as an industrial analog assembly.

14. The automation system as claimed in claim 11, further comprises an industrial assembly configured for functional safety and connected to a backplane bus to which the industrial analog assemblies are also connected such that monitoring of the backplane bus is realized; and wherein the industrial assembly configured for functional safety is further configured to generate a quality signal which permits conclusions to be drawn regarding errors at the backplane bus.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The drawings show an exemplary embodiment, in which:

(2) FIG. 1 is a hardware structure of the automation system in accordance with the invention;

(3) FIG. 2 is a concept of the functional components used, for example in an engineering system in accordance with the invention;

(4) FIG. 3 is a first functional component with inputs and outputs in accordance with the invention;

(5) FIG. 4 is a second functional component with inputs and outputs in accordance with the invention;

(6) FIG. 5 is a graphical representation of integer values provided at different parameterizations; and

(7) FIG. 6 is a flowchart of the method in accordance with the invention.

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

(8) FIG. 1 shows an automation system 100 with a control unit (F-CPU) and a de-centrally arranged assembly arrangement that comprises a first acquisition device 11 (standard assembly), a second acquisition device 12 (standard assembly), an additional industrial assembly 13 (F-assembly) configured for functional safety, an interface module 14 and a server module 15.

(9) For redundant acquisition of a measured value, the first acquisition device 11 is connected to a first measuring transducer 17 and the second acquisition device 12 is connected to a second measuring transducer 18. The two measuring transducers 17, 18 each acquire the same physical process variable. The decentralized assembly periphery system with the assemblies 11, 12, 13, 14, 15 is mechanically arranged in a backplane bus system.

(10) The control unit 10 is connected via a field bus 16, for example, with PROFI-Safe technology such that this field bus 16 is also configured for functional safety, to the interface module 14. A safety program 19 runs in the control unit 10.

(11) In FIG. 2, the concept and the interconnection of the first functional component 21 and of the second functional component 22 are shown. The functional components 21, 22 run in the safety program 19 of the control unit 10. The first functional component 21 is configured perform out the plausibility check. The second functional component 22 is configured to perform a re-parameterization of the second acquisition device 12. In accordance with the method, the functional components 21, 22 are therefore configured, with the aid of the safety program, to re-parameterize a measurement range M2 for the second acquisition device 12 alternatingly and herein in the safety program 19, based on the information regarding how the second acquisition device 12 is currently parameterized and thus the currently set second measurement range M2 is known and it is therefore known in which range the second measured value AI2 must lie, a plausibility check is performed between the first measured value AI1 and the second measured value AI2. For this purpose, the first functional component 21 comprises on its input side an input analogin1 for the first measured value AI1 and an input analogin2 for the second measured value AI2. As an output value, the first functional component 21 provides an error-protected measured value A0 analogOut. The plausibility check is thus performed in the first functional component 21 and the re-parameterization of the second acquisition device 12 is performed with the second functional component 22. The first and second measured values AI1, AI2 are passed as input values to the first functional component 21 and, as the output value, the second functional component 21 provides the error-protected measured value A0. The second functional component 21 additionally generates a start signal S for the re-parameterization. The start signal S is fed as an input signal to the second functional component 22, which then initiates the re-parameterization and, following completed re-parameterization, provides a feedback signal CD to the second functional component 22. The feedback signal CD is itself fed as an input to the first functional component 21 changeDone.

(12) FIG. 3 shows the first functional component 21 in detail with all its inputs and outputs. Essentially, the first measured value AI1 and the second measured value AI2 are fed to the corresponding inputs Analog in 1 and Analog in 2. The first functional component 21 provides a safe measured value A0 Analog out.

(13) All the parameters of the second functional component are defined below:

(14) TABLE-US-00001 Data In/ Parameter type out Explanation analogIn1 INT IN Analog value S-AI1 (value with fixed 0-20 mA parameterization) Default value: 0 analogIn2 INT IN Analog value S-AI2 (value with alternating parameterization 0-20 mA and 4-20 mA) Default value: 0 tolerance DINT IN The maximum permissible tolerance between the two analog values can be input here. Due to measuring inaccuracies and rounding, this should not be kept too low. The tolerance is given in the dimensions of the measured dimension of the process value. Default value: 10 minValue DINT IN Here, the user can input the lower limit value of the process value. The unit of the minimum value corresponds to that of the process value Default value: 20 maxValue DINT IN Here, the user can input the upper limit value of the process value. The unit of the maximum value corresponds to that of the process value Default value: 150 minScale DINT IN Lower limit value to which the measured variable must be scaled. If, for example, the measurement is carried out for a measurement range of 0 . . . 300 C., a 0 must be entered here. Default value: 0 maxScale DINT IN Upper limit value to which the measured variable must be scaled. If, for example, the measurement is carried out for a measurement range of 0 . . . 300 C., a 300 must be entered here. Default value: 200 analogIn1VS BOOL IN Value status of the first standard analog module. The value status is merely additional information and is not absolutely necessary for the safety of the analog values. However, it provides a simple additional diagnosis. Default value: false analogIn2VS BOOL IN See AI1VS.fwdarw. Value status analog module 2 Default value: false qbad BOOL IN Switching the QBAD signal of an F module which must be plugged into the same ET 200SP station as both the analog modules. The F module must be plugged after the two analog modules. Default value: true subAnalogOutEn BOOL IN Specification of whether in the case of an error, replacement values or invalid values are output. 0: invalid values output 1: the replacement values specified for subAnalogOut are output Default value: false subAnalogOut DINT IN Replacement value that is output in case of an error and when subAnalogOutEn is activated. Default value: 0 valueOut BOOL IN Specification of whether the larger or the smaller analog value is available at the outlet Out. If the two process values are identical, AI1 is provided in each case. 0: The smaller process value is provided. 1: The larger process value is provided. Default value: false freezeTime TIME IN Time for the freeze watchdog. Depending upon the parameterized time, one or both analog values may remain unaltered. If the values do not change in the defined time window, an error bit is set. Default value: 1 s ack BOOL IN Acknowledgement input: In order to initiate the restarting of the component following an error, a manual acknowledgement is necessary. Default value: false enableParaChange BOOL IN On use of a plurality of FB fAnalogIn, care must be taken that only one component is currently in the re-parameterization process in each case. A faulty addressing is otherwise not reliably discovered. With the entry, the process can be briefly bypassed. Default value: true changeDone BOOL IN Information from the standard user program whether the parameter data set for the re-parameterization has been written to a measurement range of 0 . . . 20 mA. Default value: false defaultDone BOOL IN Information from the standard user program whether the parameter data set for the re-parameterization has been written to a measurement range of 4 . . . 20 mA. Default value: false timeForParaChange TIME IN Allowed time for parameter change. Default value: 2 s analogOut DINT OUT In an error-free case, the plausibility tested analog value is provided here. In the case of an error, either an invalid analog value (denoted by error = true) or a replacement value is provided. Default value: 0 diag WORD OUT Diagnosis output. The diagnosis word is composed of different error bits and gives detailed information regarding the error cause. The composition of the diagnosis word is explained in section 2.5. Default value: 16#0000 error BOOL OUT Global error bit. Set as soon as an error occurs internally. Default value: true startChangeToDefault BOOL OUT Start flag for the beginning of the re-parameterization to default values. The bit must be passed to the standard user program and starts a WRREC request. Default value: false startChange BOOL OUT Start flag for the beginning of the re-parameterization. The bit must also be transferred by means of a couple DB to the standard user program in order to trigger the WRREC request there. Default value: false paraChangeActive BOOL OUT On use of a plurality of FB fAnalogIn, a corresponding handling must be generated which guarantees that only one re-parameterization takes place in each case. The bit indicates whether a re-parameterizing cycle is currently taking place in the selected component or not. Default value: false EN BOOL IN Must not be switched - system-related input in the safety program with no function. ENO BOOL OUT Must not be switched - system-related outlet in the safety program with no function.

(15) FIG. 4 shows the second functional component 22 that performs the re-parameterization of the second acquisition device 12. For a first parameter set P1 and a second parameter set P2 (see also FIG. 2), where the first parameter set P1 (M1) is present as a data record 0 . . . 20 mA and the second parameter set P2 (M2) is present as a data record 4 . . . 20 mA. These two parameter sets P1, P2 are used by the second functional component 22 as input variables for the re-parameterization of the second acquisition device 12.

(16) The start signal S functions as a trigger for the second functional component 22. Each time the signal S is applied, with the aid of the second functional component 22, the respectively valid parameter set in the second acquisition device 12 is re-parameterized to the other alternatingly. Once re-parameterization has been accomplished, the second functional component 22 generates a feedback signal CD (changeDone) which is fed back to the first functional component 21. With the feedback signal CD, confirmation is made to the first functional component 21 for its plausibility test that the second acquisition device 12 has the now present valid parameterization.

(17) All the parameters of the second functional component are defined below.

(18) TABLE-US-00002 Parameter Data type In/out Explanation HW_ID HW_ANY IN Enter here the hardware ID of the module that is provided for the re-parameterization. In the present case, S-AI2. startChange BOOL IN Start bit from the safety program. Initiates the process of re-parameterization. startDefault BOOL IN Start bit from the safety program. Initiates the process of back-parameterization back to the original state. record_4_20mA typeRecord . . . InOut Default data set record_0_20mA typeRecord . . . InOut Re-parameterization data set defaultDone BOOL OUT Bit to the safety program. Signals the completion of the back-parameterization changeDone BOOL OUT Bit to the safety program. Signals the completion of the re-parameterization. EN/ENO Must not be connected.

(19) FIG. 5 shows a graphical representation of a first converter curve W1 and a second converter curve W2. The first and second converter curves W1, W2 are accordingly assigned to the first acquisition means 11 and the second acquisition device 12. The first converter curve W1 is shown for an analog-digital converter in the case of a converter that is configured for a parameterization from 4 to 20 mA and the second converter curve W2 is shown for a parameterization from 0 to 20 mA. The X-axis shows values in the milli-ampere range and the Y-axis shows the integer values IW1, IW2 provided by the analog-digital converters. This graphical representation of the curve shape is present in the safety program 19 and in the first functional component 21 as an expected item of knowledge. Due to the different parameterizing of the first and second acquisition devices 11, 12, it is now possible via the first value, e.g., the first integer value IW1, to provide an expectation of the second value, e.g., second integer value IW2.

(20) For example, for a measurement of a current of 4 mA for the first integer value IW1 and a parameterization of 4 to 20 mA, the value 0 is generated. Subsequently based thereon that it is known in the first functional component 21 how the second acquisition means 12 must behave, an expectation can now be set for the second integer value IW2. The second integer value IW2 must then be situated in the region of approximately 5530, otherwise an error has occurred which is revealed by a cross-comparison.

(21) The following diagnoses and methods are implemented in the functional components:

(22) Cross-Comparison

(23) The redundant reading-in of the two analog values enables the two values in the safety program to be checked as to whether they are identical. With this, different error models can be discovered and overcome.

(24) If the two values are too far apart (settable via the input parameter tolerance) or if they even differ entirely, an error bit is set and the corresponding error reaction is initiated.

(25) Monitoring for Stuck-At Errors

(26) The safety program stores the current value S-AI1n in each F-cycle and compares it in the next cycle with the current value S-AI1(n+1) there. The same is performed with the analog value S-AI2.

(27) Given that the analog values S-AI1n and S-AI1(n+1) are identical within two cycles, a timer is started. Within this time (the freeze time), the old values must differ from the current values. If this is not the case, the corresponding error action is initiated.

(28) Diverse Parameterization of the Assemblies

(29) Based on the redundant structure, it is possible to parameterize the two analog assemblies differently from one another. There are two different possibilities for amending the parameters of the analog assemblies.

(30) Amending the Parameters in the Hardware Configuration

(31) When the hardware configuration is created, different properties can be assigned to the assembly. It is possible, inter alia, to switch diagnoses on or off, to set smoothing factors or to define the measurement type.

(32) Amendment of the Parameters for Run Time (CiR=Configuration in Run)

(33) The second possibility lies in re-parameterizing the assemblies at run time. For this, the component WRREC is used that writes the corresponding data set to the assembly at run time.

(34) In the present usage example, both methods of re-parameterization are used.

(35) It is therefore possible, via the first value, to place an expectation on the second value. For a measurement of a current of 4 mA on assembly 1, an INT-value of 0 is generated. On the basis that it is known in the safety program how the assembly 2 must now behave, an expectation can be set for the value. A value of approximately 5530 should arrive because, otherwise, an error has occurred that is revealed by the cross-comparison.

(36) Limit Value Monitoring

(37) With the aid of a minimum and maximum limit, you can very easily define process limits at which, if exceeded, a dangerous state can be reached. For this purpose, the parameterized limit values can be compared with the current process values and on undershooting or overshooting, a corresponding bit is set in the diagnosis word and the error bit is set.

(38) QBAD Monitoring

(39) The QBAD signal is to be found in the peripheral data component of the F-assembly used and to be duly connected to the component. Through the use of an F-assembly and the QBAD signal, PROFIsafe measures that bring substantial advantages with them are also used.

(40) The F-assembly passes on its process data in a PROFIsafe packet via the backplane bus to the interface module of the ET200SP. If systematic errors, such as overvoltages, were to distort data at the backplane bus, then the PROFIsafe packet would also be distorted. On the basis of the system-related mechanisms, such distortions are reliably discovered by the F-CPU. Errors at the backplane bus can thus be overcome with the aid of the F-assembly.

(41) Cyclic Re-Parameterization

(42) The cyclic re-parameterization of the second assembly is a substantial constituent of the safety concept. Herein, in a pre-set cycle, one of the two assemblies is re-parameterized.

(43) The frequency of this measure can be determined in accordance with DIN EN 61508-2, item 7.4.4.1.5.

(44) It is explained here that the diagnosis can only be attributed to the proportion of definite drop-outs if the total of the diagnosis test interval and the repair duration is smaller than the assumed MTTR. From this, the following can be concluded. According to DIN EN 61508-4, the MTTR (mean time to restoration) is given by the following points: (i) duration until recognition of a drop-out, (ii) duration until beginning of the restoration, (iii) actual repair duration, and (iv) duration until the component is put into operation.

(45) The MTTR is set, in this case, to 8 hours. This means that within this 8 hours, the error must be recognized and remedied. A repair of the analog assemblies is not possible without difficulty due to their complexity, so that a replacement assembly must be utilized.

(46) The actual repair duration is thus very low, since the exchanging of the assembly typically only takes a few minutes.

(47) Since under DIN EN 61508-2, point 7.4.4.1.5, the following applies:

(48) Diagnosis test interval+repair time <MTTR

(49) MTTR=8 hours

(50) Repair time: <<1 hour (exchange of the assembly)

(51) For the diagnosis test interval, theoretically a minimum of 7 hours is available. Based on a conservative approach, the interval of this diagnosis is set at 15 min.

(52) Coded Processing

(53) All the safety-relevant tasks are handled in the safety program of the CPU. The control units used are certified and can achieve SIL 3 or PL e. The certificates can be viewed online.

(54) Value Status of the S-AI

(55) The value status of the assembly should be evaluated and connected as described.

(56) The following must additionally be observed and is not contained in the component:

(57) Run-Through of the Whole Measurement Range

(58) In order to be able to preclude various error models, it is necessary to check within a defined interval whether the AD converter of the analog components is still functioning correctly.

(59) Setting of the test interval is the responsibility of the user. He has to decide according to various criteria how often the test is to be performed. How often is the measurement range run through in regular operation? How high are the MTBF values of the assemblies/sensors used? Can Stuck-At errors be precluded (regular assembly exchange, or similar)?

(60) A period of one year is set as the lower limit value. Thus, the entire measurement range must be run through at least 1 per year and the upper and lower limits must necessarily be tested.

(61) In the context of this measure, at the same time, the assemblies must be investigated for a possibly existing drift. For this purpose, it is possible, for example, to verify the measured value via a real known value and to perform a (then possibly required) calibration of the assembly.

(62) FIG. 6 is a flowchart of the method for error-protected acquisition of a measured value AO in a control unit 10, where the measured value AO is firstly acquired with a first acquisition device 11 and secondly with a second acquisition device 12 such that a first measured value AI1 and a second measured value AI2 are made available, where during a comparison in a safety program 19 executing in the control unit 10, the first and the second measured value AI1, AI2 are compared with one another for a deviation from one another and upon reaching or exceeding a pre-determined maximum deviation min V, max V, an error being identified.

(63) The method comprises parameterizing the first acquisition device 11 for a first measurement range M1 to be set, as indicated in step 610.

(64) Next, parameterizing the second acquisition device 12 for a second measurement range M2 to be set is parameterized, as indicated in step 620.

(65) Next, the measurement range M2 for the second acquisition device 12 in the safety program 19, based on information regarding how the second acquisition device 12 is currently parameterized, is re-parameterized alternatingly, aided by the safety program 19, such that a currently set second measurement range 12 is known and it is therefore known in which range the second measured value AI2 must lie, as indicated step 630.

(66) Next, a plausibility check between the first measured value AI1 and the second measured value AI2 is performed, as indicated in step 640. In accordance with the method of the invention, if the plausibility check result is negative, an error is also identified.

(67) Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.