[go: up one dir, main page]

HK1242047B - Safety switching device for fail-safe disconnecting of an electrical load - Google Patents

Safety switching device for fail-safe disconnecting of an electrical load Download PDF

Info

Publication number
HK1242047B
HK1242047B HK18101401.1A HK18101401A HK1242047B HK 1242047 B HK1242047 B HK 1242047B HK 18101401 A HK18101401 A HK 18101401A HK 1242047 B HK1242047 B HK 1242047B
Authority
HK
Hong Kong
Prior art keywords
relay
contacts
safety
relay contacts
relay coil
Prior art date
Application number
HK18101401.1A
Other languages
German (de)
French (fr)
Chinese (zh)
Other versions
HK1242047A1 (en
Inventor
Juergen Pullmann
Christoph Zinser
Antonino Spataro
Marco Giger
Hans Schwenkel
Roland Rupp
Original Assignee
皮尔茨公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 皮尔茨公司 filed Critical 皮尔茨公司
Publication of HK1242047A1 publication Critical patent/HK1242047A1/en
Publication of HK1242047B publication Critical patent/HK1242047B/en

Links

Description

The present invention relates to a safety switch device for fault-safe disconnection of an electrical load, having an input section for receiving at least one safety-relevant input signal, a logic section for processing the at least one safety-relevant input signal, and an output section comprising a relay coil as well as a first relay contact, a second relay contact, a third relay contact, and a fourth relay contact, wherein the first and the second relay contacts are arranged electrically in series with each other, wherein the third and the fourth relay contacts are arranged electrically in series with each other, wherein the first and the third relay contacts are mechanically coupled to form a first group of forced-guided relay contacts, wherein the second and the fourth relay contacts are mechanically coupled to form a second group of forced-guided relay contacts, and wherein the logic section redundantly controls the first group of forced-guided relay contacts and the second group of forced-guided relay contacts to either allow a current flow to the electrical load or to safely interrupt it depending on the at least one safety-relevant input signal.
Such a safety switch device is, for example, known from DE 10 2005 048 601 B3.
Safety switch devices in the sense of the present invention are typically used to safely shut down an automated technical system from which a danger to human life and health may arise during operation, or to otherwise bring it into a safe idle state. "Safe" in this context means that the shutdown of the hazardous system must itself be guaranteed even if a fault occurs in the safety-relevant components of the system, including the safety switch device, for example due to the failure of a component or damage to a cable. Therefore, safety switch devices are subject to special requirements, which are defined especially in the relevant standards for machine safety (ISO 13849, IEC 61508, etc.). Since these standards define different requirements depending on the level of hazard, safety switch devices in the sense of the present invention shall, in the following, mainly be those devices that ensure single-fault safety in the sense of SIL3 according to IEC 61508 and/or PL e according to ISO 13849 when safely shutting down an electrically operated machine.
The aforementioned DE 10 2005 048 601 B3 discloses such a safety control device having a logic section with two microcontrollers. The two microcontrollers can communicate with each other via a data connection to compare their data and monitor each other. The two microcontrollers process input signals redundantly, which can, for example, originate from an emergency stop button, a safety door or a light curtain. On the output side, each microcontroller controls an electromechanical safety relay with a number of mechanically coupled and thus positively guided relay contacts. A closing contact of one relay is connected in series with a closing contact of the other relay, so that the redundantly operating microcontrollers can switch off a power supply path to an electric machine via two paths, i.e., in a two-channel manner. In addition, each relay has a positively guided opening contact, which is always open when the mechanically coupled closing contacts are closed. The opening contacts of the two safety relays are also connected in series with each other and form a current path through which a monitoring signal is fed back to the redundant microcontrollers. The microcontrollers can check the opened contact position of the closing contacts based on the monitoring signal, thereby detecting in particular sticking, welding or similar of closing contacts at an early stage before a hazardous electric machine is switched on.
The use of two separate electromechanical safety relays, each having a number of mechanically coupled normally open and normally closed contacts, is the well-established method for implementing safety switchgear in the sense of the present invention, as shown, for example, by a publication by the authors Eberhard Kirsch, Jürgen Steinhäuser and Friedrich Plappert titled "Safety Relays - Elementary Relays with Forced-guided Contacts; Particular Characteristics and Their Benefits". This publication is provided by ZVEI - Central Association of the Electrical and Electronic Industry e.V., 60528 Frankfurt, at the address www.schaltrelais.de/download/sicherheitsrelais.pdf and, according to the source information given there, dates from 2006.
Another overview of the use of safety relays to ensure so-called functional safety in automated systems can be found in the publication "From Europe to the World! Functional Safety Becomes the Guiding Principle," published by ZVEI in November 2014 and also available at the internet address www.schaltrelais.de.
In addition, safety switch devices have been available for about 15 years, which use semiconductor switching elements instead of forced-guided (electromagnetic) relays for safe disconnection of an electrical load. An example of such a safety switch device is described in EP 1 262 021 B1. However, safety switch devices with electromechanical safety relays still offer advantages for certain applications, as they, for example, do not require a common reference potential with the load to be switched off, and therefore will also be needed for numerous applications in the future.
The use of two electromechanical safety relays, each with a variety of mechanically rigidly coupled closing and opening contacts, is a major cost factor in type-approved safety switchgear with free potential outputs. The costs for the safety relays account for a significant portion of the total manufacturing costs for a safety switchgear.
Against this background, it is an object of the present invention to provide a safety switch of the aforementioned type that allows for a reduction in manufacturing costs.
According to one aspect of the present invention, this object is achieved by a safety switch device of the type mentioned above, wherein the relay coil is electromagnetically coupled with the first group of forced-guided relay contacts and with the second group of forced-guided relay contacts, so that the logic section can simultaneously control the first relay contact, the second relay contact, the third relay contact, and the fourth relay contact via one relay coil, wherein the first and third relay contacts can move separately from the second and fourth relay contacts.
Thus, the new safety switch device uses an electromechanical relay arrangement in which the redundant (electrically connected in series to each other) contacts are actuated for the two-channel interruption of the current path toward the electrical load by a common magnetic field generated by a single relay coil. The single relay coil is traversed by a common control current, which the logic section can switch on or off and/or adjust in terms of current strength. Therefore, in at least the preferred embodiments, the logic section can control the aforementioned relay contacts with a single control current. Preferably, the common control current flows entirely through one relay coil and generates the common magnetic field that actuates all forced-guided and redundant relay contacts. The single relay coil has a winding body with two terminals, preferably exactly two electrical terminals for supplying and removing the control current. However, in principle, another terminal on the relay coil is also conceivable, such as a center tap.
Surprisingly, it has been shown that it is possible to control two mechanically separated and separately movable contact groups, which are electrically redundant to each other, using a common magnetic field generated by a coil common to all relay contacts. In principle, this common magnetic field can be generated by several control currents that only add up in the relay coil and thus generate the common magnetic field.
Unlike conventional safety switching devices, the new safety switching device requires only a single relay coil, thereby reducing manufacturing costs because producing relay coils is relatively expensive. Preferably, the single relay coil has a large number of windings surrounding a common core or yoke, which is especially made of ferrite. Thus, the single relay coil generates a magnetic field that actuates all specified relay contacts simultaneously when the windings of the single relay coil are traversed by the control current. However, this magnetic field actuates two mechanically decoupled contact groups that are thus relatively movable with respect to each other, which is why the new safety switching device has two separate disconnection paths despite the single common relay coil.
In the preferred embodiments, the new safety switch device has only a single relay component, which provides all required relay contacts and one relay coil under a common dust cover, that is, in a single component housing. The manufacturing cost for this single relay component is in a similar order of magnitude as the manufacturing cost for one of the two safety relays previously required. However, since only one such relay component is needed in the new safety switch device according to the preferred embodiments, a significant cost saving compared to conventional safety switch devices is possible. Moreover, the wiring effort during the assembly of the new safety switch device is also reduced, because only a single relay component needs to be mounted on a circuit board.
The electromagnetic coupling between one relay coil and the two mechanically separated, relatively movable contact groups can be achieved via one or more flap armatures, rotating armatures, or similar components. Flip-bolt relays typically have a pivoted rocking lever, which is preloaded by the spring tension of the relay contacts into a resting position, and which is moved into an operating position by the magnetic field generated by the control current in the relay coil. The flap armature can be formed or coupled with a sliding bar, and the sliding bar moves all coupled (forced-guided) relay contacts against the spring tension into their respective operating positions. When the control current and thus the magnetic field disappear, the relay contacts return to their resting position due to the spring tension.
A suitable relay for the new safety switchgear can generally have a common armature that actuates both groups of forced-guided relay contacts. The common armature can, for example, operate two separate, movable sliders that move against each other. However, advantageously, the relay arrangement in the new safety switchgear has two armatures, with each armature actuating one group of forced-guided relay contacts, because this allows better mechanical decoupling between the two groups of relay contacts.
Rotary contactors have an armature that is rotatably mounted between two yoke ends and can be rotated into an operating position by the magnetic field of the relay coil. In some embodiments, the new safety switch device may include a rotary contactor, wherein the mechanically decoupled contact groups are both actuated by a single armature. However, advantageously, the new safety switch device has a relay with two armatures, which are arranged on a common axis of rotation in preferred embodiments. Each armature actuates only one contact group, thereby achieving better mechanical decoupling between the contact groups even in this case.
In the preferred embodiments, the relay coil of the new safety switchgear is a coil wound uniformly on the core, i.e., with a constant winding pitch. In some embodiments, however, the relay coil may have two or more separately located winding sections on a single core, with each winding section being assigned to a group of forced-guided relay contacts, in order to achieve better isolation between the contact groups. Even in this case, the relay coil is advantageously traversed by a common control current.
The new safety switch device thus has a relay coil, via which two redundant contact groups are actuated, each of the two contact groups having at least two mechanically interlocked relay contacts, and wherein one of the mechanically interlocked relay contacts of one contact group is electrically connected in series with one of the mechanically interlocked relay contacts of the other contact group. A control current in one relay coil generates a magnetic field, enabling two mechanically decoupled and thus separately movable contact groups to be actuated together. In this case, a relay contact of the first contact group and another relay contact of the second contact group are arranged in series with each other to form a current path that can be interrupted in a dual-channel manner by the logic section via one relay coil.
Thus, the new safety switch device is functionally and connection-compatible with type-appropriate safety switch devices that use two separate safety relays. However, manufacturing costs are reduced because only one relay coil is now required. Therefore, the above-mentioned object is fully achieved.
In a preferred embodiment, the safety switching device has a first and a second switching element, which are electrically arranged in series with the relay coil and coupled to the logic unit, such that the logic unit can interrupt the control current through the relay coil using the first and/or the second switching element. In the preferred embodiments, the first and the second switching elements are semiconductor switching elements, in particular field-effect transistors. In principle, the first and/or the second switching element could also be other semiconductor switching elements, such as bipolar transistors, or additional relay contacts.
This configuration enables a simple two-channel interruption of the control current for the relay contacts, thus providing a fail-safe shutdown path in a cost-effective manner, even when only a single relay coil is used to actuate the redundant relay contacts. Since the output side of a safety switchgear is particularly critical for fail-safe shutdown, omitting a fully two-channel implementation of the output section in a safety switchgear represents an extremely unusual measure for such a device. Surprisingly, it has been shown that the required one-fault safety can also be achieved with only a single relay coil in the output section of the safety switchgear. The two-channel interruption of the control current using two switching elements arranged in series with the relay coil is a particularly simple and practical realization.
In a further embodiment, the logic section has a first evaluation channel and a second evaluation channel, wherein the first and second evaluation channels each redundantly control the first and second switching elements, respectively.
In this configuration, each of the two redundant switching elements is again redundantly controlled individually, which results in a particularly reliable and therefore advantageous implementation to ensure the desired level of fault tolerance in the new safety switch device.
In a further configuration, the first switching element is arranged upstream and the second switching element is arranged downstream of the relay coil.
This design is particularly advantageous because it provides two different shutdown paths on a single relay coil. On one hand, a shutdown in case of a short circuit of the relay coil to the supply voltage of the safety switch device is possible via the second switching element located downstream. Conversely, a current through the relay coil can also be interrupted via the first switching element even if the ground potential of the safety switch device is directly applied to the relay coil due to a fault. Therefore, this design enables a particularly high degree of fault safety in a very simple and cost-effective manner.
In a further embodiment, the logic section is designed to determine a current control current through the relay coil and, in particular, to measure it. Preferably, the logic section is capable of determining the control current through the relay coil using at least one analog-to-digital converter, i.e., the logic section detects at least one digital numerical value representing the control current through the relay coil. In preferred embodiments, the logic section is configured to determine the control current through the relay coil in a two-channel or redundant manner.
This design enables real-time monitoring of the control current by the relay coil, thereby contributing advantageously to a particularly high level of fault safety. Furthermore, a redundant, dual-channel determination of the control current using two analog-to-digital converters is beneficial because it allows the proper functioning of each analog-to-digital converter to be monitored through a plausibility comparison.
In a further embodiment, the safety switch device has a shunt resistor arranged downstream of the first and second switching elements. Preferably, the shunt resistor is also arranged downstream of the relay coil.
This design allows for a simple and cost-effective determination of the current flowing through the relay coil. In some preferred embodiments, the shunt resistor has an electrical resistance in the range between 1 ohm and 10 ohms, particularly 3 ohms and up to a maximum of 100 ohms, because a low resistance value minimizes the heat generated in the safety switch for current measurement.
In a further configuration, the logic section is designed to regulate the control current through the relay coil to a defined current value.
This configuration is extremely unusual for the output control current of a safety switchgear with relay contacts, since in principle a safety switchgear only needs to distinguish between two states: "load is energized" or "load is switched off." The control current regulation in the safety switchgear allows for a reduction of the operating temperature of the safety switchgear, thereby contributing to an additional increase in functional safety.
In some embodiments, the logic section is designed to regulate the control current through the relay coil to the rated holding current value for the relay contacts. This has the advantage that a reliable closing of the relay contacts is ensured even at minimum operating temperature of the safety switch device, even when the supply voltage fluctuates within the range of the technical system, which can occur, for example, with large production machines equipped with powerful motors. In some advantageous configurations, the logic section is designed to control at least one of the aforementioned switching elements using pulse width modulation (PWM) in order to regulate the control current through the relay coil to the defined current value. Preferably, the logic section controls the second switching element, located downstream in the current flow, using pulse width modulation, which is particularly advantageous when the control current through the relay coil is measured within the area of the second, downstream switching element.
In a further embodiment, the logic section is designed to detect a temporary voltage across the relay coil, and to interrupt the control current through the relay coil depending on this.
In this configuration, the new safety switching device has a voltage monitoring, particularly a overvoltage monitoring, at the relay coil. Preferably, the new safety switching device has the voltage monitoring in addition to the already described measurement or control of the control current. The combination of both monitoring functions enables a particularly high level of fault safety and is cost-effective due to the use of a single relay coil.
In a further embodiment, the relay coil and the first, second, third, and fourth relay contacts are arranged in a common component housing, which is designed for mounting on a printed circuit board. In particularly preferred embodiments, a total of 6, 8, or even 10 relay contacts are arranged in the common component housing, forming two contact groups each comprising 3, 4, or 5 force-guided relay contacts.
In this configuration, one relay coil and the aforementioned relay contacts are components of a relay component that can be used instead of the two safety relays previously employed. The component housing encloses the relay coil, at least one armature, and the relay contacts, and has soldering and/or plug-in contacts on its outer side, enabling mounting on a printed circuit board during a conventional assembly process. Thus, the relay coil and the stated relay contacts form a new type of safety relay, which allows for a particularly cost-effective manufacturing of the new safety switchgear.
In a further embodiment, the first and second relay contacts are each designed as closing contacts, and the third and fourth relay contacts are each designed as opening contacts.
In this configuration, the safety switch device has, in each disconnection path, at least one forced-guided open contact that enables monitoring of the closing contacts before switching on an electrical load. The forced-guided coupling between the closing and opening contacts in each disconnection path allows for a long-established, reliable monitoring of the main contacts, which is also compatible with type-approved safety switch devices. Therefore, the safety switch device of this configuration can be easily used as a cost-effective replacement for older type-approved safety switch devices.
In a further embodiment, the relay coil drives at least one movable armature that is mechanically coupled with the relay contacts, and the output section includes an optical detector, in particular a light barrier, by means of which the logic section can detect at least one position of the at least one movable armature. In preferred embodiments of this configuration, the first, second, third, and fourth relay contacts are respectively closing contacts, and the output section does not require forced-opening contacts.
In this configuration, the monitoring of the working contacts is performed using an optical detector instead of the opening contacts used in conventional safety switching devices. This design allows for a smaller space requirement and a lower detector current for monitoring the closing contacts. Therefore, the safety switching device of this configuration can be realized more compactly. Furthermore, this design reduces the unwanted chattering of the relay contacts when interrupting the load current. The optical detector can advantageously monitor at least one movable armature or a push member mechanically connected to the movable armature. In embodiments where the safety switching device has an individual armature for each contact group, an optical detector advantageously monitors all movable armatures together. In some advantageous embodiments, the armatures each have a through hole, wherein the through holes of the armatures are aligned with each other when the closing contacts of the contact groups are open. In the case of a light barrier, the light can reach the light receiver only when the through holes of the armatures are at least partially aligned.
In a further embodiment, the logic section is designed to adjust the control current depending on at least one anchor position.
In this configuration, the logic section adjusts the control current through the relay coil considering the current armature position, which the logic section can detect in some embodiments using an optical sensor. In other embodiments, the logic section is designed to determine the current armature position from the measured current value and/or the temporal change of the measured current value. Advantageously, the logic section increases the control current through the relay coil when an unexpected drop in the contactor contacts is detected, for example, due to strong mechanical vibrations. This design allows for a higher availability of the monitored system in a simple and cost-effective manner by avoiding or at least reducing false tripping.
In a further embodiment, the optical detector includes a light emitter and a light receiver arranged outside the common housing of the relay component, and the optical detector further includes an optical waveguide that extends from the light emitter and/or the light receiver to the at least one movable armature.
In this configuration, the light emitter and the light receiver are arranged outside the component housing, for example, mounted on the outside of the relay component's base, thus protecting them from contamination and heat caused by contact arcing. The service life of the new safety relay is advantageously increased.
It goes without saying that the aforementioned features and the features to be explained below can not only be used in the respective stated combination, but also in other combinations or individually, without leaving the scope of the present invention.
Embodiments of the invention are shown in the drawings and will be described in more detail in the following description. They show: Fig. 1: a schematic representation of an embodiment of the new safety switchgear in connection with a robot, which poses a danger to people during operation, Fig. 2: the safety switchgear from Fig. 1 according to a preferred embodiment with some details, Fig. 3: further details of the safety switchgear from Fig. 2, and Fig. 4: a preferred embodiment of a relay component that accommodates one relay coil and two redundant, respectively force-guided contact groups.
In Fig. 1, a device is indicated as a whole with the reference numeral 10, which comprises an embodiment of the new safety switchgear.
The device 10 here includes a robot 12 whose movements may pose a danger to people present in the robot's work area. The robot 12 is shown here as an example of a technical system to be secured. Instead of a robot 12, the new safety switch unit can also be used to secure other systems, particularly systems that fall under the definition of EU Directive 2006/42/EC (Machine Directive). In general, the new safety switch unit is used for fail-safe disconnection of an electrical load, which can be, for example, an electric drive, a contactor and/or a solenoid valve in such a system.
To prevent an unintended person from entering the dangerous work area of robot 12, robot 12 is surrounded by a protective fence 14 with a safety door 16. The safety door 10 is equipped with a safety door switch having a door part 20 and a frame part 22. An embodiment of the new safety switch device is designated here by reference numeral 24 and connected via lines to the frame part 22 of the safety door switch 18. The safety switch device 24 can monitor using signals from the safety door switch 18 whether the safety door 16 is closed or not. In the latter case, the robot 12 should be switched off, which is ensured by means of the safety switch device 24.
On the input side, the safety switchgear 24 controls two contactors 26a, 26b. The contactors 26a, 26b each have a number of working contacts (typically closing contacts) arranged in the power supply path from a power supply 28 to the robot 12. If the safety switchgear 24 detects with the help of the safety door switch 18 that the safety door 16 is open, it controls the contactors 26a, 26b in such a way that the robot 12 is disconnected from the power supply 28.
The device 10 is shown in simplified form in Fig. 1. Usually, such a device 10 includes not only a safety door with a safety door switch 18, but also a variety of so-called monitoring devices and sensors, which detect numerous conditions of the automated system. Furthermore, the device 10 typically has an operating control unit that controls the movement operations of the robot 12 (generally: the system). The safety switching device 24 serves in addition to the operating control unit (not shown here) to secure the operation of the robot 12 to such an extent that accidents due to carelessness, component failure, etc., are avoided.
If only a few safety functions, such as the safety door monitoring and perhaps an emergency stop button, are required in a device 10, safety switching devices with a largely predefined, fixed function range are frequently used in practice, such as the monitoring of the safety door switch 18. Multiple safety functions are then realized by combining several safety switching devices. On the other hand, for complex devices, so-called safety controllers have proven effective, whose function range can be set very flexibly through programming and/or configuration of predefined function blocks. Typically, programmable and/or configurable safety controllers have semiconductor switching elements for controlling contactors 26 and/or other safety-relevant actuators. The relay technology described here is nowadays predominantly used in relatively simple safety switching devices with largely predefined function ranges. Nevertheless, the present invention is not limited to such simple safety switching devices, but can also be used equally well in complex safety controllers and/or so-called I/O modules that can be networked with a complex safety controller via a bus system. Therefore, the term "safety switching device" in the sense of the present invention also includes safety controllers and modular components of safety controllers that serve for fault-tolerant disconnection of an electrical load in the sense of the aforementioned definition. However, for simplicity, a compact safety switching device will be described below as a preferred embodiment of the invention.
According to Fig. 2, the safety control device 24 here has a housing 34 with a plurality of terminal blocks 36, 38, 40, 42, which are arranged on an exterior side of the housing 34 in a known manner, to allow connection of safety-relevant detection devices/sensors and safety-relevant actuators. In preferred embodiments, the terminal blocks are spring-loaded terminals or screw terminals, which enable a removable fastening of connecting cables.
The safety control device 24 has an input section 44 to which the input signals from the safety-relevant detectors/sensors are supplied. For example, the electrical signals from the protective door switch 18 are conducted via corresponding terminal blocks 36 to the input section 44. In addition to the protective door switch 18, emergency stop buttons 46 and a fail-safe tachometer sensor 48 are shown here.
The input section 44 receives the input signals from the detection devices/sensors 18, 46, 48 and provides these to the logic section 50 of the safety control device 24 for logical processing. The input section 44 can, for example, include filter circuits and/or level adjustment. It prepares the electrical signals from the detection devices/sensors in such a way that they can be logically processed by the logic section 50.
The logic section 50 here includes two microcontrollers 52a, 52b that process the input signals redundantly with respect to each other and can monitor each other, which is symbolically represented here by a double arrow. The redundant microcontrollers 52a, 52b represent a typical implementation for a preferred embodiment of the safety switchgear 24. However, instead of microcontrollers, microprocessors with associated peripherals, FPGAs, ASICs and/or other suitable logic components could also be used. Furthermore, a combination of different logic components is conceivable in order to realize a fault-tolerant processing of the input signals. In addition, the input section 44 and/or the logic section 50 can, in principle, also be implemented using discrete components, for example by means of the so-called three-contactor circuit.
The safety switch device 24 has an output section 54 with a relay coil 56, which is redundantly controlled here by the two microcontrollers 52a and 52b. In the preferred embodiments, the relay coil 56 forms part of a safety relay that constitutes the output section 54 of the safety switch device 24 as a compact component. Therefore, in the following, reference numeral 54 is also used for the single safety relay.
The safety relay 54 comprises, in this embodiment, two armatures 58a and 58b, each of which is electromagnetically coupled with the single relay coil 56, so that a control current through the relay coil 56 can activate both armatures 58a and 58b. The armature 58a is mechanically coupled with a first group 60 of relay contacts 60.1, 60.2. The second armature 58b is mechanically coupled with a second group 62 of relay contacts 62.1, 62.2. The mechanical coupling is designed in a known manner such that the armature 58a can only activate all relay contacts 60.1, 60.2 of the first group 60 simultaneously. Similarly, the armature 58b is coupled with the relay contacts 62.1, 62.2 of the second group 62 such that all relay contacts 62.1, 62.2 of the second group can only be activated simultaneously. However, the relay contacts of the first group 60 and the relay contacts of the second group 62 are mechanically decoupled from each other, so that they can move independently of each other in principle. The simultaneous activation of all relay contacts 60.1, 60.2, 62.1, 62.2 is achieved in the preferred embodiments of the safety switchgear 24 solely by the fact that a single control current through the single relay coil 56 generates a magnetic field that actuates both the first armature 58a and the second armature 58b.
The armatures 58a, 58b can be pivot armatures as shown schematically here and described, for example, in the aforementioned publication "Safety relays - Elementary relays with forced-guided contacts." Alternatively or additionally, the armatures 58a, 58b can be rotary armatures, as are known, for example, from safety relays of the company Panasonic Electric Works Europe AG. In contrast to the representation in Fig. 2, other embodiments of the safety switching device 24 can, in principle, be realized with a single armature 58, wherein the relay contacts of the first group 60 and the relay contacts of the second group 62 are coupled separately with this single armature in this case.
As can be seen from the pictorial representation in FIG. 2, a relay contact of the first group 60 is arranged in series with a relay contact of the second group 62. The relay contacts arranged in series with each other form a current path, which the logic section 50 can interrupt in two channels to switch off the contactors 26a, 26b when opening the safety door 16.
As further illustrated in Fig. 2, the safety switch device 24 in some embodiments has a first group 60 of relay contacts and a second group 62 of relay contacts, each group including at least one closing contact 60.1, 62.1 and at least one opening contact 60.2, 62.2. The closing contacts 60.1, 62.1 arranged in series form a current path to the electrical load (here, contactor 26a), which can be interrupted by the safety switch device 24 in a two-channel manner. The opening contacts 60.2, 62.2 arranged in series form a monitoring current path through which a monitoring signal can be fed back to the input section 44 and/or the logic section 50. The monitoring signal 64 allows the logic section 50 to monitor whether the closing contacts 60.1, 62.1 are open before the load current path is closed, thereby ensuring that even if a closing contact 60.1, 62.1 becomes welded or stuck during switching under load, there is still a possibility of disconnection (single-fault safety during disconnection). In other embodiments, the safety switch device 24 may have a first group 60 of relay contacts and a second group 62 of relay contacts, which are exclusively designed as closing contacts, as explained below with reference to Fig. 3. Identical reference numerals denote the same elements as before.
As shown in Fig. 3, the relay coil 56, the armatures 58a, 58b and the relay contacts are arranged together in a component housing 66, which has soldering and/or plug-in contacts 68 on its outer side. The safety switch device 24 has, in the preferred embodiments, a single safety relay that is mounted as a compact electromechanical component on a circuit board (not shown here) via the contacts 68. The other electrical components of the safety switch device 24, such as the microcontrollers 52a, 52b, are then connected to the relay coil 56 via the conductive paths on the circuit board (not shown here).
In the illustrated embodiment, the safety switch device 24 has a first switching element 70 and a second switching element 72, each electrically arranged in series with the relay coil 56. The first switching element 70 is arranged upstream of the relay coil 56, while the second switching element 72 is arranged downstream. The series connection of both switching elements 70, 72 with the relay coil 56 is located between an operating voltage 74 and ground. In the illustrated embodiment, a shunt resistor 76 is further arranged downstream of the second switching element 72, through which practically the same control current 78 flows as through the relay coil 56 when the switching elements 70, 72 are closed. The switching elements 70, 72 are field-effect transistors here.Alternatively, other switching elements could also be used, preferably in a holding wire technique. In preferred embodiments, each microcontroller 52a, 52b (generally: each evaluation channel of the logic section 50) controls both switching elements 70, 72. For this purpose, the safety switch device 24 here has a first driver circuit 80 and a second driver circuit 82. The driver circuits 80, 82 combine the output signals of the two microcontrollers 52a, 52b using a logical AND operation and generate a control signal from them, which makes the switching elements 70, 72 conductive or non-conductive as required. Thus, each microcontroller 52a, 52b can block either of the two switching elements 70, 72 to interrupt the control current 78 through the relay coil 56.
In this embodiment, a freewheeling diode 84 is arranged in parallel with the relay coil 56, to enable a faster decay of the magnetic field induced by the control current 78 when the electrical load is switched off. On the cathode side of the diode 84, a first tap 86 is provided in this embodiment, which is supplied to each of the two microcontrollers 52a, 52b. Through the A/D converters and the tap 86, each of the microcontrollers 52a, 52b can measure the instantaneous voltage across the relay coil 56. Furthermore, the microcontrollers 52a, 52b can use the tap 86 to check whether the switching element 70 is operating correctly.
Another tap 88 is provided here between the second switching element 70 and the shunt resistor 76. The tap 88 is also supplied to an A/D converter of each of the two microcontrollers 52a, 52b. The microcontrollers 52a, 52b can measure the voltage across the shunt resistor 76 via the tap 88, which is representative of the control current 78 flowing through the relay coil 56.
Thus, it is possible, as an alternative or in addition to the above-described monitoring of the switching element 70, to monitor the switching function of the switching elements 70, 72 by having the microcontrollers 52a and 52b indirectly measure the current via the further tapping point 88. In preferred embodiments, the microcontrollers 52a, 52b are further configured to detect drift errors in the switching elements 70, 72 based on the current measurement.
In further embodiments (not shown here), the switching elements 70, 72 can both be arranged upstream of a single relay coil 56. Furthermore, in some embodiments, it is possible that one microcontroller determines the current and another microcontroller determines the voltage at the relay coil 56. The latter variant is particularly advantageous when the switching elements 70, 72 are both arranged upstream of a single relay coil 56.
In preferred embodiments, at least one of the microcontrollers 52a, 52b is designed to regulate the current 78 through the relay coil 56 to the rated holding current of the relay 54. It is particularly advantageous if the corresponding microcontroller controls the second switching element 72 using pulse width modulation in order to adjust the average current flow to the level of the rated holding current of the relay 54.
As shown in Fig. 3, the relay 54 in some embodiments has only closing contacts 60.1, 62.1. Instead of the forced-opening contacts 60.2, 62.2 shown in Fig. 2, the corresponding safety control device has an optical detector, which is designed here as a fork-shaped light barrier. The optical detector comprises a light emitter 90, for example in the form of a light-emitting diode, and a light receiver 92. In some advantageous embodiments, the light emitter 90 and the light receiver 92 are arranged outside the housing 66 of the relay 54. Inside the relay housing 66, an optical fiber 94 is arranged, which directs the light of the light emitter 90 to a specific location where the armatures 58a, 58b or the sliding elements actuated by the armatures each have a through-hole 96, which is positioned such that the light 98 can reach the light receiver 92 only when the closing contacts are open in both disconnection paths. The safety relay 54 with the optical detector can be realized more compactly than a comparable safety relay with forced-opening contacts, due to the required insulation distances, while maintaining the same number of closing contacts.
In some advantageous embodiments, the logic section 50 is designed to intentionally increase the control current 78 through the relay coil 56 when the light intensity on the light receiver 92 decreases, while the switch contacts are operationally closed, thereby preventing, for example, unintended dropping of the relay contacts in case of strong vibrations. Alternatively or in addition, in some embodiments, the logic section may be configured to determine the armature position based on the control current (in particular based on the instantaneous value of the control current and the temporal change of this instantaneous value), and to intentionally increase the control current 78 through the relay coil 56 depending on this, in order to prevent unwanted dropping of the relay contacts.
To turn off the electrical load, it is sufficient for the logic section 50 to reduce the control current 78 through the relay coil 56 to a value below the rated holding current. Preferably, the logic section 50 completely interrupts the control current 78. In this case, the closing contacts of the safety relay 54 open due to the inherent spring preloading. Since the two groups of forced-guided relay contacts are mechanically decoupled and can move separately from each other, the current path to the electrical load can still be opened even if one of the closing contacts becomes stuck due to welding, adhesion, or similar problems. Due to the monitoring of the closing contacts using the forced-guided opening contacts (Fig. 2) or using the optical detector 90, 92 (Fig. 3), the logic section 50 can detect such a component failure before the electrical load is turned on again.
Preferably, the logic section 50 is further designed to perform short shutdown tests of the switching elements 70, 72 in order to repeatedly test the shutdown capability of the switching elements 70, 72 during the continuous operation of the safety switch device 24. The duration of the shutdown tests, that is, the duration of the interruption of the control current 78, is advantageously chosen shorter than the release time of the relay 54, so that the current path to the load is not interrupted during a shutdown test due to the inertia of the relay 54. The shutdown capability of the switching elements 70, 72 can be advantageously tested using the shunt resistor 76 and the tap 88, because the control current must drop to a value close to zero when a switching element 70, 72 is opened. Due to measurement errors of the A/D converters and/or a blocking current through the semiconductor switching elements 70, 72, the measured value can also be slightly greater than zero even with properly functioning switching elements 70, 72.
In the preferred embodiments, the logic section 50 also determines the magnitude of the control current 78, while the switching elements 70, 72 are conductive. Thus, the logic section 50 can also check the functionality of the A/D converters, since in this case the A/D converters must provide different measurement values than when the control current 78 is switched off.
Figure 4 shows a preferred embodiment of a relay component with a component housing 66 that accommodates the common relay coil 56 and two redundant contact groups 60 and 62. As can be seen here, the relay coil 56 is spatially arranged between the two contact groups 60 and 62. Preferably, but not necessarily, the relay coil 56 and the relay contacts of both contact groups 60 and 62 are located in a common plane. The relay coil 56 actuates two pivoting armatures 58a, 58b that are arranged at opposite ends of the relay coil 56. In the representation of Figure 4, the armature 58a moves the relay contacts of the first contact group 60 in a first direction (here upward), while the armature 58b moves the relay contacts of the second contact group 62 in a second direction (downward). Preferably, the first direction is rotated by 180° relative to the second direction. Such a spatial arrangement is very compact and has the further advantage that the relay contacts of the two redundant contact groups are moved in opposite directions, which prevents unintentional closing of the current paths due to vibrations.
The relay component according to Fig. 4 has a total of 8 contacts, which are divided into two contact groups 60, 62. In other preferred embodiments, the relay component has 10 contacts, which are divided into two groups each containing 5 contacts. Each contact group 60, 62 here has 3 forced-guided closing contacts 60.1 or 62.1, as well as one forced-guided opening contact 60.2 or 62.2. As can be seen from Fig. 4, the lateral distance d1 of the opening contact 60.2 to the adjacent closing contact 60.1 is greater than the lateral distance d2 between two adjacent closing contacts. This is advantageous because higher currents and voltages can be switched via the closing contacts than via the opening contact of a group, without impairing the fault safety of the relay component with respect to reading back the contact position using the opening contact. Moreover, it is advantageous if each contact is arranged in its own chamber 100, in order to further increase the insulation between the contact paths.
Furthermore, it is advantageous here that the electrical connection between the respective series-connected closing contacts 60.1, 62.1 and the electrical connection between the two series-connected opening contacts 60.2, 62.2 are realized within the component housing, so that the relay component has only two terminals 102, 104 for each switched current path. In the preferred embodiment, the serial connection between two redundant contacts 60.1, 62.1 is realized by means of conductive metal parts 106.
Furthermore, all the terminals of the relay component are led out on one side of the component housing 66 in this advantageous embodiment, so that the relay component can be easily mounted and soldered into the safety switch device 24.

Claims (15)

  1. A safety switching device for fail-safely disconnecting an electrical load (26), comprising an input part (44) for receiving at least one safety-relevant input signal, comprising a logic part (50) for processing the at least one safety-relevant input signal, and comprising an output part (54) which comprises a relay coil (56) and a first relay contact (60.1), a second relay contact (62.1), a third relay contact (60.2), and a fourth relay contact (62.2), wherein the first and the second relay contacts (60.1, 62.1) are arranged electrically in series with one another, wherein the third and the fourth relay contacts (60.2, 62.2) are arranged electrically in series with one another, wherein the first and the third relay contacts (60.1, 60.2) are mechanically coupled to each other so as to form a first group (60) of positively driven relay contacts, wherein the second and the fourth relay contacts (62.1, 62.2) are mechanically coupled to each other so as to form a second group (62) of positively driven relay contacts, and wherein the logic part (50) redundantly controls the first group (60) of positively driven relay contacts and the second group (62) of positively driven relay contacts in order to selectively allow, or to interrupt in a fail-safe manner, a current flow to the electrical load (24), depending on the at least one safety-relevant input signal, characterized in that the relay coil (56) is electromagnetically coupled to the first group (60) and to the second group (62) of positively driven relay contacts in such a manner that the logic part (50) can together control the first relay contact (60.1), the second relay contact (62.1), the third relay contact (60.2), and the fourth relay contact (62.2) via said one relay coil (56), wherein the first and the third relay contacts (60.1, 60.2) can move mechanically separately from the second and the fourth relay contacts (62.1, 62.2).
  2. The safety switching device of claim 1, characterized by a first and a second switching element (70, 72) which are arranged electrically in series with the relay coil (56) and are coupled to the logic part (50) in such a manner that the logic part (50) can interrupt a control current (78) through the relay coil (56) using the first and/or the second switching element (70, 72).
  3. The safety switching device of claim 2, characterized in that the logic part (50) comprises a first evaluation channel (52a) and a second evaluation channel (52b), wherein the first and the second evaluation channels (52a, 52b) each redundantly control the first and the second switching elements (70, 72).
  4. The safety switching device of claim 2 or 3, characterized in that the first switching element (70) is situated upstream and the second switching element (72) is situated downstream from the relay coil (56).
  5. The safety switching device of one of claims 2 to 4, characterized by a shunt resistor (76) which is situated downstream from the first and the second switching elements (70, 72).
  6. The safety switching device of one of claims 1 to 5, characterized in that the logic part (50) is configured to determine an instantaneous control current (78) through the relay coil (56).
  7. The safety switching device of one of claims 1 to 6, characterized in that the logic part (50) is configured to maintain a control current (78) through the relay coil (56) at a defined current value.
  8. The safety switching device of one of claims 1 to 7, characterized in that the logic part (50) is configured to determine an instantaneous voltage at the relay coil (56), in order to interrupt, depending thereon, a control current (78) through the relay coil (56).
  9. The safety switching device of one of claims 1 to 8, characterized in that the relay coil (56) and the first, second, third, and fourth relay contacts (60.1, 60.2, 62.1, 62.2) are accommodated in a common component housing (66) which is designed to be mounted on a circuit board.
  10. The safety switching device of one of claims 1 to 9, characterized in that the first and second relay contacts (60.1, 62.1) each are designed as normally open contacts, and the third and the fourth relay contacts (60.2, 62.2) each are designed as normally closed contacts.
  11. The safety switching device of one of claims 1 to 10, characterized in that the relay coil (56) drives at least one movable armature (58) which is coupled to the relay contacts (60.1, 62.1, 60.2, 62.2), and the output part (54) comprises an optical detector (90, 92), in particular a light barrier, with the aid of which the logic part (50) can detect at least one armature position of the at least one movable armature (58).
  12. The safety switching device of claim 11, characterized in that the optical detector comprises a light transmitter (90) and a light receiver (92) which are situated outside the common component housing (66), and the optical detector further comprises an optical waveguide (94) which extends from the light transmitter (90) and/or light receiver (92) to the at least one movable armature (58).
  13. The safety switching device of one of claims 1 to 12, characterized in that the relay coil (56) drives at least one movable armature (58) which is coupled to the relay contacts (60.1, 62.1, 60.2, 62.2), and the logic part (50) is configured to adjust a control current (78) through the relay coil (56) depending on the at least one armature position.
  14. The safety switching device of one of claims 1 to 13, characterized in that the relay coil (56) is spatially situated between the first group (60) of positively driven relay contacts (60.1, 60.2) and the second group (62) of positively driven relay contacts (62.1, 62.2).
  15. A relay component for a safety switching device according to one of claims 1 to 14, comprising a relay coil (56) and a first relay contact (60.1), a second relay contact (62.1), a third relay contact (60.2), and a fourth relay contact (62.2), and comprising a component housing (66), in which the relay coil (56) and the relay contacts (60.1, 60.2, 62.1, 62.2) are accommodated, wherein the first and the second relay contacts (60.1, 62.1) are arranged electrically in series with one another, wherein the third and the fourth relay contacts (60.2, 62.2) are arranged electrically in series with one another, wherein the first and the third relay contacts (60.1, 60.2) are mechanically coupled to each other so as to form a first group (60) of positively driven relay contacts, wherein the second and the fourth relay contacts (62.1, 62.2) are mechanically coupled to each other so as to form a second group (62) of positively driven relay contacts, and wherein the relay coil (56) is electromagnetically coupled to the first group (60) of positively driven relay contacts and to the second group (62) of positively driven relay contacts in such a manner that a control current in the relay coil (56) can control the first relay contact (60.1), the second relay contact (62.1), the third relay contact (60.2), and the fourth relay contact (62.2) together, wherein the first and the third relay contacts (60.1, 60.2) can move mechanically separately from the second and the fourth relay contacts (62.1, 62.2).
HK18101401.1A 2015-03-20 2016-03-18 Safety switching device for fail-safe disconnecting of an electrical load HK1242047B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
DE102015104211 2015-03-20

Publications (2)

Publication Number Publication Date
HK1242047A1 HK1242047A1 (en) 2018-06-15
HK1242047B true HK1242047B (en) 2020-04-24

Family

ID=

Similar Documents

Publication Publication Date Title
US10460895B2 (en) Safety switching device for fail-safely disconnecting an electrical load
JP5728095B2 (en) A safety switchgear for failsafely stopping electrical loads
JP4384174B2 (en) Safety switching device and method for fail-safe stop of electric load
JP6289509B2 (en) Safety switchgear with safety power supply unit
JP5778268B2 (en) Safety circuit for fail-safe connection or disconnection of equipment
US8860258B2 (en) Control system
CN100545982C (en) Safety switches for safety circuits
US7672109B2 (en) Safety switching apparatus for safe disconnection of an electrical load
EP2256777B1 (en) Movable contact failure detecting device
JP5089611B2 (en) Safety switching device and method for safely opening and closing a switch
CN104412192B (en) Switching device
CN104272420B (en) Safety switching apparatus with a switching element in the auxiliary contact current path
JP4918559B2 (en) Safety switching device for fail-safe disconnection of electrical loads
US7692396B2 (en) Electromotive furniture drive
US10847963B2 (en) Safety circuit arrangement for failsafe shutdown of an electrically driven installation
HK1242047B (en) Safety switching device for fail-safe disconnecting of an electrical load
HK1242047A1 (en) Safety switching device for fail-safe disconnecting of an electrical load
CN108700858B (en) Safety switching device and safety-oriented device
HK1179406A (en) Safety circuit arrangement for the fail-safe connection or disconnection of a hazardous installation