
HK1099122C - Safety switch for a fail-safe circuit - Google Patents

Safety switch for a fail-safe circuit

Info

Publication number: HK1099122C
Authority: HK (Hong Kong)
Prior art keywords: safety, safety switch, control part, switch, input
Application number: HK07106494.1A
Other versions: HK1099122B (en), HK1099122A1 (en)
Priority claimed from: DE102004020997A

Description

The present invention relates to a safety switch device for a safety circuit, with a control unit for processing an input signal and at least one switch element having at least one active and one inactive switch state, where the control unit is configured to control the switch element to produce an output signal dependent on the input signal at an output, and with a diagnostic functionality for detecting a malfunction, where the control unit is configured to control the switch element to the inactive state when a malfunction is detected.
The invention also relates to a safety circuit for the fail-safe shutdown of a hazardous system, with a plurality of such safety switching devices and a higher-level safety control designed to interrupt a power supply path to the system.
Such a safety switch and a corresponding safety circuit are known from EP 1 363 306 A2.
However, safety switching devices within the meaning of the present invention are not only signalling devices, but also so-called safety switching devices and even safety controls, i.e. also such devices which evaluate the input signals of signalling devices.
Safety-related signalling devices/sensors, as well as safety controls/safety switching devices, must be built to ensure that the intended safety function is always fulfilled. Therefore, intelligent sensors, such as light barriers or light grids, are usually built to be intrinsically fail-safe, so that they meet categories 3 or even 4 of the European standard EN 954-1 or comparable safety requirements. Simple signalling devices, such as emergency shut-off buttons, safety door switches, two-hand switches, etc., are usually also reliable, but they have no or only limited intelligence.
The aforementioned EP 1 363 306 A2 discloses a safety switch with its own diagnostic functionality. In particular, the safety switch described is capable of monitoring the function of the switching elements used by reading back its output signals.
The document also describes a safety circuit in which several such safety switches are connected in series to a higher safety control, whereby a release signal is transmitted through the switching elements of each safety switch to the higher safety control.
However, in the safety circuit described, it is not possible for the individual safety switches (signalling devices) to communicate the results of their diagnosis to the safety control. The arrangement thus ensures a rapid shutdown of the monitored system, but does not allow a conclusion as to the cause of the shutdown.
In this context, the present invention is intended to provide a safety switch device of the type described at the outset which allows the cost-effective construction of a safety switch with comprehensive diagnostic capabilities.
This object is achieved by a safety switch device of the type mentioned at the beginning, in which the control unit is also configured to generate a data telegram at the output (44, 46), depending on the detected malfunction.
A corresponding safety circuit shall therefore include a safety control configured to receive and process the data telegrams of the safety switchgear.
The present invention is based on the idea of transmitting the diagnostic information of a safety switchgear over the existing safety wires, which the safety switchgear uses to transmit a shutdown command to the master controller. A fieldbus connection or additional diagnostic wires can thus be saved. This is possible without further delay, unlike all previous approaches, since the existing safety wires (the safety outputs) have no function after the shutdown of a monitored system until it is put back into operation.
The arrangement of the invention saves connections to the individual devices and allows the construction of a safety circuit with comprehensive diagnostic functionality but with low wiring demand.
The new safety switchgear thus enables a cost-effective and flexible setup of a safety switchgear with comprehensive diagnostic functionality, without the effort and cost of additional communication lines.
In a preferred design of the invention, the control unit is configured to generate the data telegram by means of the at least one switch element.
Alternatively, the control unit for generating the data telegram could also control an additional switch element connected to the output line, but using the existing switch element saves additional costs and reduces the installation space required.
In a further design, the new safety switch has at least two mutually redundant switching elements that are redundantly controllable by the control unit.
The use of redundant switching elements is well known as such in the field of safety technology. However, within the scope of the present invention, the use of redundant switching elements not only increases functional reliability but also availability. Thus, even if one of the switching elements is no longer able to perform switching functions due to a functional failure (overlapping in semiconductor switching elements, contact welding in relays, etc.), the new safety switching device can nevertheless transfer all diagnostic information via the redundant channel. Although the absence of any diagnostic data would indicate the failure of the original switching elements, the present design nevertheless allows for an even more extensive diagnosis without significantly increasing the effort and cost of the switching elements.
In another design, the control unit is configured to control the switch element in a pulsed manner to produce a pulsed data telegram.
The use of pulsed data telegrams is technically very simple to implement. It also offers the possibility of transmitting large amounts of data with serial protocols over a few lines.
In a further design, the control unit is configured to insert an address into the data telegram.
This makes it possible for any signalling device, and more generally any safety switch, to communicate its identity to the higher control, making a detailed diagnosis of the entire safety circuit even easier and more targeted.
In a further design, the new safety switch has at least one input for an external release signal, which forms the input signal.
This design is particularly advantageous for serial transmission of diagnostic data from one safety switch to the next. A downstream safety switch can receive the diagnostic data from an upstream safety switch via the input and output it again. In this design the downstream safety switch can also supplement and/or modify the received diagnostic data if desired, thus providing even more flexibility in the diagnostic possibilities.
In a further design, the new safety switch has an initialization mode in which the control unit generates a pulse sequence with the help of at least one switch element, which contains more pulses than a release signal fed to the input.
In a further design, the new safety switch has at least one input part for an operator which can be changed between a first and at least a second state, the input part generating the input signal.
It is understood that the features described above and those to be explained below are applicable not only in the respective combination but also in other combinations or alone, without leaving the scope of the present invention.
Examples of the invention are shown in the figures and are described in more detail in the following description.
Figure 1: a simplified representation of a system in which a detector according to the present invention is used for protection,
Figure 2: a schematic representation of an example of the new detector,
Figure 3: a safety circuit with two detectors of the type shown in Figure 2 arranged in a row, and
Figure 4: a timing diagram of the signal sequences for initializing a safety circuit according to Figure 3.
In Figure 1, a plant covered by the invention is referred to as a whole by reference number 10.
The plant 10 contains a robot 12 whose automated movements would be dangerous to a person (not shown here) who would be in the range of motion of robot 12. Therefore, the range of motion of robot 12 is secured, as is known, by a guard door 14 and guardrails. An operator 16 is attached to guard door 14. On a fixed frame, against which guard door 14 rests in the closed state, there is a safety switch 18, i.e. more generally a signalling device according to the present invention. The safety switch 18 is connected by several wires to a safety control 20. On the output side, the safety control 20 controls two devices 22, 24, the contacts of which lie in the power supply path 26 to the robot 12.
The plant 10 is illustrated in a simplified manner. As is known to the experts concerned, the safety door 14 is usually equipped in practice with at least two safety switches 18 and corresponding operators 16, one of the safety switches often being hidden to make manipulation more difficult. In addition, such a system often contains additional indicators, such as emergency shut-off buttons or other safety door switches (not shown here).
The safety control 20 may be a safety switch in a simple scenario, as offered by the applicant under the name PNOZ®. However, if numerous safety-related signalling devices are required to protect the plant 10, it is advantageous to use a more complex safety control such as the safety controls sold by the applicant under the name PSS®. At least in the latter case, the safety control 20 usually has a fieldbus connection and additional interfaces to communicate with the control unit not shown here and/or to communicate with a parent mainframe.
In the preferred embodiment shown in Fig. 2, the safety switch 18 is two-channel redundant, so that the safety switch 18 has two redundant microcontrollers 30, 32 that monitor each other, represented by a double arrow between the microcontrollers.
Reference numbers 34 and 36 refer to two electronic switching elements, which are shown here as field-effect transistors, but alternatively bipolar transistors or other electronic switching elements may be used.
The control port (gate) of the switch element 34 is connected to the microcontroller 30. The input port 38 (source) is connected to a line 40 to which an operating voltage UB is connected during the operation of the safety switch 18. The output port 42 (drain) is connected to a port 44 at which the safety switch 18 can be wired externally.
The second switch element 36 is connected to the microcontroller 32 at its control port (gate), and its input 38 is likewise connected via the line 40 to the operating voltage UB.
Its output 42 is connected to a second output 46 of the safety switch 18.
The signals at the outputs 42 of the switches 34, 36 are fed back to the microcontrollers 30, 32 via two voltage dividers 48, 50, allowing the microcontrollers 30, 32 to monitor the respective switching status of the switches 34, 36.
In the preferred embodiment shown here, operator 16 is a transponder with a signal generating circuit 54 and a transmitting and receiving coil 56. An individual coding 58 is stored in the signal generating circuit 54. The input part 52 also has a transmitting and receiving coil (shown here only as a symbol) through which it sends a request signal. As soon as the transponder 16 is in the vicinity of the input part 52 (protection door is closed), the signal generating circuit 54 is activated. From 16 to 32 the transmitter sends the received signal 58 Codes to the microcontroller and the signal 58 Codes are returned to the receiver.
In contrast, if the guard door 14 is open, operator 16 is outside the transmission and reception range of the input part 52, as shown in Fig. 2 at position 16'. In this case, there is no communication between operator 16 and the input part 52. The microcontrollers 30, 32 therefore do not receive any coding, which is interpreted as an open guard door 14. If a second guard switch or at least a second operator (not shown) is present, a defect of operator 16 or of the input part 52 can also be detected. The use of transponders for monitoring guard doors is known in the field of safety technology, for example from EP 0 568 567 B 961.
In other embodiments, the input part 52 may be designed for other types of operator. The operator may also be integrated into the safety switch 18. For example, the safety switch 18 may be an emergency shut-off button and the operator is the button's pusher. In other embodiments, the input part 52 may include inductive, capacitive, optical or other sensors to determine the current position of a mechanically moving operator. In addition, the invention can also be applied in principle to light barriers and other indicators that distinguish between at least two states.
On the input side, the safety switch 18 has three connectors 60, 62, 64, each of which is designed as a safety input and is connected redundantly to the two microcontrollers 30, 32.
In Figure 3 a safety circuit containing two of the safety switches 18 described is referred to as a whole by reference number 80.
The safety switch 18a is connected at its connections 60, 62 to the outputs of the safety control 20. Preferably these are so-called clock outputs of the safety control 20 at which two clock signals of different frequency are present, so that cross-connection detection is possible both in the safety switch 18a and (by reading back, not shown here) in the safety control 20. In addition, the safety switch 18a is connected at connections 66, 68 with operating voltage UB. On the mass side or output side, the connections 44, 46 of the safety switch 18a are connected to the connections 60, 62 of the next safety switch 18b. The two safety switches 18a, 18b are therefore arranged in series in the safety circuit 80.
The two output signals of the safety switch 18b, i.e. the signals present at its connections 44, 46, are fed to safety inputs of the safety control 20.
The safety control 20 is initially connected between the power supply 26 and a drive 82 to be switched off, e.g. a control unit of the robot 12. In addition, it is shown schematically that the safety control 20 is connected via a fieldbus 84 to an operating control 86 for the robot 12 and/or a higher-level controller. The operators belonging to the safety switches 18a, 18b are not shown in Figure 3 for the sake of clarity.
The operation of safety circuit 80 is as follows:
After operation, the safety control 20 generates two clock signals 88, 90 at its output, which are fed to the safety switch 18a as release signals. The microcontrollers 30, 32 of the safety switch 18a monitor the current condition of the operator concerned by means of the input part 52. If the operator is in the area of the input part 52 and the safety switch 18a receives the release signals 88, 90, the microcontrollers 30, 32 generate two output signals, which are replicated by means of the switching elements 34, 36. However, the output signals could also be distinguished from the release signals 88, 90 by their frequency, for example. The dual safety switch 18 receives the release signals from the input part 92, and in turn, if the safety switch 94 is switched on, the release function is also modified.
If the safety switch 18a detects the opening of the safety door assigned to it, i.e. if the assigned operator changes its state, the microcontrollers 30 and 32 open the switches 34 and 36. The subsequent safety switch 18b therefore no longer receives the replicated release signals. This is detected by the microcontrollers in the safety switch 18b and is reported to the safety controller 20 by switching off the switches 34, 36, whereupon the safety controller 20 can turn off the drive 82.
The same signal flow occurs when the safety switch 18a detects a malfunction, such as a cross-connection at the input or output terminals, a leakage of one of the switching elements 34, 36 or any other malfunction. After a short waiting period stored in the microcontrollers of all the safety switches and the safety control, the safety switch 18a generates a data telegram 96 on at least one of its output lines by closing and reopening at least one of the switching elements 34, 36 in a pulsed manner. The subsequent safety switch 18b receives this data telegram and can pass it on to the safety control 20 in the same way. If necessary, it also integrates further information into the data telegram 96.
In one embodiment, the data telegram 96 is implemented as an asynchronous serial interface, i.e. it starts with a defined start bit and ends with a defined stop bit. In between, there is an arbitrary or specified number of data bits. In another embodiment, each data telegram 96 contains a specified number of pulses with defined pulse duration. The meaning of each individual pulse depends on the protocol established between the safety switches 18 and the safety control 20.
In the same way, the safety switch 18b generates its own data telegram 96 when it in turn detects a malfunction.
In a preferred embodiment, the data telegrams of the safety switches 18a, 18b contain address information that identifies the safety switch that wishes to report information to the safety controller 20. The address may be assigned to the safety switches 18a, 18b in various ways. For example, each safety switch 18a, 18b may have a multi-level address dial (not shown here) where the assigned address is set. In another embodiment, the safety switches 18a, 18b each use the codes 58 of the operators assigned to them as addresses.
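The reporting path described above, together with the earlier point that the redundant channel can still carry the diagnosis when one switching element has failed, is shown here as an added C example that is not part of the patent text. The frame layout (idle level 0, 4 address bits, 4 fault-code bits), the fault code value, sending the telegram on both outputs and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout (the text only fixes a start bit, data bits, a stop bit):
 * idle line = 0 (switching element open), start bit = 1, 4 address bits and
 * 4 fault-code bits (MSB first), stop bit = 0; one sample per bit time. */
#define ADDR_BITS  4u
#define CODE_BITS  4u
#define FRAME_BITS (1u + ADDR_BITS + CODE_BITS + 1u)
#define IDLE_BITS  3u
#define LINE_LEN   (IDLE_BITS + FRAME_BITS)

typedef struct { uint8_t addr, code; } telegram_t;
typedef enum { RX_OK, RX_OK_ONE_CHANNEL, RX_MISMATCH, RX_NO_FRAME } rx_status_t;
/* Constructed failure modes of one switching element (34 or 36). */
typedef enum { ELEM_OK, ELEM_STUCK_OPEN, ELEM_STUCK_CLOSED } elem_fault_t;

/* Sender: pulse one output line through a possibly defective switching element. */
int send_telegram(telegram_t t, elem_fault_t fault, uint8_t line[LINE_LEN]) {
    size_t i = IDLE_BITS;
    if (t.addr >= (1u << ADDR_BITS) || t.code >= (1u << CODE_BITS)) return -1;
    memset(line, 0, LINE_LEN);
    line[i++] = 1;                                        /* start bit */
    for (unsigned b = ADDR_BITS; b-- > 0; ) line[i++] = (uint8_t)((t.addr >> b) & 1u);
    for (unsigned b = CODE_BITS; b-- > 0; ) line[i++] = (uint8_t)((t.code >> b) & 1u);
    line[i] = 0;                                          /* stop bit */
    if (fault == ELEM_STUCK_OPEN)   memset(line, 0, LINE_LEN);
    if (fault == ELEM_STUCK_CLOSED) memset(line, 1, LINE_LEN);
    return 0;
}

/* Receiver: find the start bit, check framing, extract address and fault code. */
int decode_telegram(const uint8_t *line, size_t n, telegram_t *out) {
    size_t s = 0;
    while (s < n && line[s] == 0) s++;                    /* skip idle line */
    if (n - s < FRAME_BITS) return -1;                    /* nothing sent, or truncated */
    if (line[s + FRAME_BITS - 1u] != 0) return -1;        /* no stop bit: framing error */
    for (size_t k = s + FRAME_BITS; k < n; k++)
        if (line[k] != 0) return -1;                      /* line must return to idle */
    out->addr = out->code = 0;
    for (size_t k = 0; k < ADDR_BITS; k++)
        out->addr = (uint8_t)((out->addr << 1) | line[s + 1u + k]);
    for (size_t k = 0; k < CODE_BITS; k++)
        out->code = (uint8_t)((out->code << 1) | line[s + 1u + ADDR_BITS + k]);
    return 0;
}

/* Safety controller: decode both redundant channels and cross-check them. */
rx_status_t receive_redundant(const uint8_t *ch_a, const uint8_t *ch_b, size_t n,
                              telegram_t *out) {
    telegram_t a = {0, 0}, b = {0, 0};
    int ok_a = decode_telegram(ch_a, n, &a) == 0;
    int ok_b = decode_telegram(ch_b, n, &b) == 0;
    if (!ok_a && !ok_b) return RX_NO_FRAME;
    if (ok_a && ok_b && (a.addr != b.addr || a.code != b.code)) return RX_MISMATCH;
    *out = ok_a ? a : b;
    return (ok_a && ok_b) ? RX_OK : RX_OK_ONE_CHANNEL;
}

/* End to end: a switch reports (addr, code) on both outputs 44 and 46. */
rx_status_t report_fault(uint8_t addr, uint8_t code, elem_fault_t fault_a,
                         elem_fault_t fault_b, telegram_t *out) {
    uint8_t ch_a[LINE_LEN], ch_b[LINE_LEN];
    telegram_t t = { addr, code };
    if (send_telegram(t, fault_a, ch_a) != 0 || send_telegram(t, fault_b, ch_b) != 0)
        return RX_NO_FRAME;
    return receive_redundant(ch_a, ch_b, LINE_LEN, out);
}

int main(void) {
    telegram_t r = {0, 0};
    /* Constructed case: address 2, fault code 5, element on channel B stuck closed. */
    rx_status_t st = report_fault(2, 5, ELEM_OK, ELEM_STUCK_CLOSED, &r);
    printf("status=%d addr=%u code=%u\n", (int)st, (unsigned)r.addr, (unsigned)r.code);
    return 0;
}
```

A stuck-closed element shows up as a missing stop bit and a stuck-open element as a line that never leaves idle, so in both cases the controller still obtains the telegram from the other channel and can log that only one channel delivered it.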
In another embodiment, the sequentially switched safety switches 18a, 18b are assigned an address in an initialization mode after the safety circuit 80 is activated.
After the operating voltage UB has been applied, the first safety switch 18a receives a continuous high at its input 60 and a single pulse at its input 62. Once it detects this pulse, it generates a continuous high at its output 44 (reference number 106) and two pulses at its output 46 (reference number 108).
The second safety switch 18b receives the signals 106, 108 at its inputs 60, 62 and reproduces them at its outputs 44, 46. It adds another single pulse to the individual pulses 108 it receives at the input 62. The outputs of the second safety switch 18b therefore contain the pulse sequences shown at reference numbers 110, 112. Similarly, other safety switch devices 18c, 18d etc. (not shown in Fig. 3) would reproduce a continuous high on one signal line (see reference number 114) and a pulse sequence on the second signal line, and each safety switch would increase the pulse sequence by one pulse.
At the end of the chain, the safety control 20 receives the signals according to reference numbers 114, 116. From the signal 114, the safety control 20 detects that the wiring of channel A is correct. From the pulse sequence 116, the safety control 20 detects that the wiring of channel B is correct. It can also determine the number of safety switches 18a, 18b, etc. arranged in a row from the number of pulses minus 1. Similarly, each safety switch 18a, 18b can recognize its address from the number of pulses received. In this way, when the safety circuit 80 is turned on, an individual address can be automatically assigned to each safety switch arranged in a row. If the wiring of the safety circuit 80 is later changed, new and correct addresses are automatically assigned when the safety circuit 80 is next turned on.
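The initialization mode described above can be followed sample by sample in this added C simulation, which is not part of the patent text. The window length, the pulse shape (one sample high, one sample low), the swapped-wire fault used as a test case and all function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLES 32u   /* assumed length of the initialization window, in samples */

/* The two signal wires between neighbours, sampled over the window. */
typedef struct { unsigned char a[SAMPLES], b[SAMPLES]; } wires_t;

/* Count completed pulses (high followed by low); a line stuck high counts as 0. */
unsigned count_pulses(const unsigned char *line) {
    unsigned n = 0;
    unsigned char prev = 0;
    for (size_t i = 0; i < SAMPLES; i++) {
        if (!line[i] && prev) n++;
        prev = line[i];
    }
    return n;
}

int all_high(const unsigned char *line) {
    for (size_t i = 0; i < SAMPLES; i++)
        if (!line[i]) return 0;
    return 1;
}

/* Drive `pulses` pulses (high, low, high, low, ...); -1 if the window is too short. */
int emit_pulses(unsigned char *line, unsigned pulses) {
    if (2u * pulses > SAMPLES) return -1;
    memset(line, 0, SAMPLES);
    for (unsigned p = 0; p < pulses; p++) line[2u * p] = 1;
    return 0;
}

/* One safety switch in initialization mode: its address is the number of pulses
 * received on channel B; it passes on a continuous high on channel A and one
 * pulse more on channel B. On any inconsistency both outputs stay low. */
unsigned switch_init(const wires_t *in, wires_t *out) {
    unsigned got = count_pulses(in->b);
    memset(out, 0, sizeof *out);
    if (!all_high(in->a) || got == 0 || emit_pulses(out->b, got + 1u) != 0) return 0;
    memset(out->a, 1, SAMPLES);
    return got;
}

/* Safety controller: start the chain, then evaluate what comes back.
 * Returns the number of switches found, or -1 on a wiring fault.
 * swap_after >= 0 swaps the wires behind that switch (constructed fault). */
int run_init(size_t n, unsigned *addresses, int swap_after) {
    wires_t cur, next;
    memset(cur.a, 1, SAMPLES);
    emit_pulses(cur.b, 1);
    for (size_t i = 0; i < n; i++) {
        addresses[i] = switch_init(&cur, &next);
        cur = next;
        if (swap_after >= 0 && i == (size_t)swap_after) {
            memcpy(cur.a, next.b, SAMPLES);
            memcpy(cur.b, next.a, SAMPLES);
        }
    }
    if (!all_high(cur.a) || count_pulses(cur.b) == 0) return -1;
    return (int)count_pulses(cur.b) - 1;
}

int main(void) {
    unsigned addr[3] = {0, 0, 0};
    int found = run_init(3, addr, -1);
    printf("switches=%d addresses=%u,%u,%u\n", found, addr[0], addr[1], addr[2]);
    printf("with swapped wires behind the first switch: %d\n", run_init(3, addr, 0));
    return 0;
}
```

Because addresses are derived only from the pulse count seen at power-up, adding or removing a switch renumbers the chain on the next start, and a controller that stores the expected count can flag the change.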
The flexibility of the new signalling devices is further enhanced by the input port 64, not yet explained, which can be used to feed an external feedback signal into the safety switch 18. This allows, for example, the safety switch 18 to control a contactor with positively driven contacts independently, i.e. without a previously customary safety switching device or appropriate safety control, provided that the contactor's positively driven break contact is routed to the feedback port 64 of the safety switch 18.
In other examples, the signalling devices, such as the safety switch 18 shown, have an additional input for the start signal, which makes it possible to restart the system without the usual safety controls.
In addition, the respective function of the detectors 18 can be parameterized via the input port 64 as is known from DE 100 16 712 A1 for example.

Claims (10)

  1. A safety switch for a safety circuit, comprising a control part (30, 32) for processing an input signal (60, 62, 64; 52) and comprising at least one switching element (34, 36) having at least one active and one inactive switching state, wherein the control part (30, 32) is configured to control the switching element (34, 36) in order to generate an output signal dependent on the input signal at an output (44, 46), further comprising a diagnostic function for identifying a functional fault, wherein the control part (30, 32) is configured to transfer the switching element (34, 36) into the inactive state when a functional fault is identified, characterized in that the control part (30, 32) is further configured to generate a data message (96) at the output (44, 46), which data message is dependent on the functional fault identified.
  2. The safety switch of claim 1, characterized in that the control part (30, 32) is configured to generate the data message (96) by means of the switching element (34, 36).
  3. The safety switch of claim 1 or 2, characterized by at least two mutually redundant switching elements (34, 36) arranged for being controlled redundantly by the control part (30, 32).
  4. The safety switch of one of claims 1 to 3, characterized in that the control part (30, 32) is configured to control the switching element (34, 36) pulsewise in order to generate a pulse-shaped data message (96).
  5. The safety switch of one of claims 1 to 4, characterized in that the control part (30, 32) is configured to include an address in the data message (96).
  6. The safety switch of one of claims 1 to 5, characterized by at least one input (60, 62) for an external enable signal (88, 90) which forms the input signal.
  7. The safety switch of claim 6, characterized by an initialization mode in which the control part (30, 32) generates, by means of the at least one switching element (34, 36), a pulse sequence (108, 112, 116) which contains more pulses than an enable signal (88, 90) supplied at the input.
  8. The safety switch of one of claims 1 to 7, characterized by at least one input part (52) for an actuator (16) which is adapted to be alternated between a first state and at least one second state, wherein the input part (52) generates the input signal.
  9. A safety circuit for switching off a hazardous installation (10) in a fail safe manner, comprising a plurality of safety switches (18a, 18b) according to one of claims 1 to 7, and comprising a higher-level safety controller (20) which is configured to interrupt a power supply path (26) to the installation (10), wherein the safety controller (20) is also configured to receive and process the data messages (96) of the safety switches (18a, 18b).
  10. The safety circuit of claim 9, wherein the plurality of safety switches (18a, 18b) are connected to the safety controller (20) in series with one another.
HK07106494.1A 2004-04-19 2005-03-23 Safety switch for a fail-safe circuit HK1099122C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102004020997.9 2004-04-19
DE102004020997A DE102004020997A1 (en) 2004-04-19 2004-04-19 Safety switching device for a safety circuit
PCT/EP2005/003079 WO2005101440A1 (en) 2004-04-19 2005-03-23 Safety switch for a fail-safe circuit

Publications (3)

Publication Number Publication Date
HK1099122A1 HK1099122A1 (en) 2007-08-03
HK1099122B HK1099122B (en) 2008-12-24
HK1099122C HK1099122C (en) 2008-12-24
