BR112019010161B1 - SAFETY KEY WITH DIFFERENTIATED CPUS TO CONTROL SECURITY ACCESS TO MACHINE OR INDUSTRIAL SYSTEM - Google Patents

Abstract

A security switch with differentiated CPUs for controlling a security access to a machine or industrial system comprises a switching device (2) adapted to be associated with a fixed part of an access to be controlled and having switching means adapted to be connected operatively to one or more command and/or service circuits of the opening/closing system thereof, a drive device (3) associated with a movable part of the access to interact with the switching means in opening/closing the access to opening/closing of one or more circuits, control means (6) associated with the switching device (2) and adapted to receive input signals from the control and/or service circuits through the respective communication buses to verify correct operation and for controlling the switching means to send an error signal and/or interrupt the system in case of no signal or detection of non-compliance, wherein the control means (6) comprises at least one main CPU (7) operatively connected to the communication buses (9) associated with the system's security functions. The control means (6) comprises at least one auxiliary CPU (8) operatively connected solely to the (...) buses.

Description

DESCRIPTIVE REPORT Description Technical Field

[001] The present invention finds application in the field of electrical devices for industrial use and its object is particularly a security switch with different CPUs designed to protect access to a machine or industrial plant.

State of the art

[002] As is known, switches designed to protect access to machines or industrial plants, such as protective panels, barriers, security perimeters, comprise a switching device suitable for being anchored to the fixed part of the access and a switching device drive adapted to be anchored to the moving part.

[003] In a known manner, when the moving part is closed, the interaction between the switching device and the driving device is determined, making it possible to start the machine or industrial plant, unless conditions exist that require the specific intervention of a operator.

[004] On the other hand, opening the access and the consequent removal of the drive device from the switching device produces the immediate shutdown of the machine or installation in order to allow access to the machine in safe conditions.

[005] The switching device is also provided with electronic control means to verify that all safety conditions are respected and to block the machine or industrial plant in the event that one or more of the safety conditions are not respected.

[006] In particular, the control means comprise a CPU connected to the various communication buses to receive respective information about the opening or closing of access and the correct functioning of the various parts of the system, as described, for example, in document EP2850628.

[007] Document EP2748926 discloses an electronically operated key with a Tag/RFID identification system, in which the driving device communicates with the switching device by sending the latter a remote signal provided with an identification code.

[008] The CPU makes it possible to receive this code and compare it with a code stored in memory, authorizing the system to start only if the recognition is positive.

[009] The CPU also controls all communications with signal buses that handle information unrelated to safety conditions, generally providing for system shutdown even if it encounters errors in one of the functions unrelated to safety conditions.

[0010] To increase the security of the key, the control means are generally provided with two CPUs, organized according to a master/slave architecture, but which in any case perform substantially the same functions in a redundant manner.

[0011] The two CPUs communicate with each other in order to verify the correct operation of each other and to order the system to be turned off in the event of a malfunction of the other CPU.

[0012] The main disadvantage of these known solutions is precisely due to the fact that the CPU, or the two redundant CPUs, handle both functions related to safety conditions and functions not associated with safety conditions.

[0013] This aspect implies that the moment it is necessary to reconfigure one or more CPU functions not related to safety conditions, since the intervention is carried out on a component that also controls functions related to safety conditions, the legislation provides that it is necessary to carry out a new certification of components, with a consequent increase in costs and time.

Scope of the invention

[0014] The objective of the present invention is to overcome the above drawbacks, providing a security key with differentiated CPUs, which has characteristics of high efficiency and relative profitability.

[0015] A particular objective is to provide a security key with differentiated CPUs that allows functions unrelated to security conditions to be reconfigured without having to proceed with a new certification of the CPU.

[0016] Another objective is to provide a security key with differentiated CPUs that avoids having to reprogram the CPU assigned to security checks, even when modifying parameters related to functions that do not require security conditions.

[0017] These objectives, as well as others that will become more evident below, are achieved by a security key with differentiated CPUs suitable for protecting security access to a machine or industrial installation which, according to Claim 1, comprises a switching device which may be associated with a fixed part of the access to be controlled and having switching means adapted to be operatively linked to one or more control and/or service circuits of the opening/closing system thereof, a device drive associated with a movable part of the access to interact with said switching means for opening/closing the access to open/close one or more of said circuits; control means associated with said switching device and adapted to receive input signals from said control and/or service circuits through respective communication channels to verify their correct operation and to control said switching means to output an error and/or system shutdown signal in case of absence of signal or after detection of non-compliance.

[0018] The control means comprises at least one main CPU operatively connected to the communication channels associated with the safety functions of the industrial plant and at least one auxiliary CPU operatively connected exclusively to the communication channels associated with service circuits not related to the conditions industrial plant safety.

[0019] Thanks to this combination of features, when you need to reconfigure the switch to change one or more auxiliary functions unrelated to security conditions, for example to adapt to specific user needs, you will not need to intervene with the assigned main CPU to security control.

[0020] As a result, the main CPU will not need to be reprogrammed and therefore will not need to be recertified.

[0021] At the same time, the auxiliary CPU, not being in charge of security checks, will not require certification in case of reprogramming, allowing savings in terms of costs and time.

[0022] Suitably, the auxiliary CPU may comprise a memory portion for storing data related to the operation of the monitored circuits and be associated with an accumulator connected to charging means that may be activated when the system is turned off.

[0023] Furthermore, the charging means may comprise a diode adapted to charge said accumulator with a charge sufficient for said auxiliary CPU to store the operational data in said memory part.

[0024] In this way, when the key is turned off, the auxiliary CPU will have sufficient time to backup and memorize information about the state of the controlled circuits at the time of deactivation, in order to facilitate the correct restart of the system.

[0025] The advantageous embodiments of the invention are obtained in accordance with the dependent Claims.

Brief disclosure of the drawings

[0026] Other features and advantages of the invention will become clearer in the light of the detailed description of a preferred but non-exclusive embodiment of a security key according to the invention, illustrated as a non-limiting example with the aid of the accompanying drawings in which :

[0027] FIG. 1 is a perspective view of the key to the invention;

[0028] FIG. 2 is an exploded perspective view of the switch of FIG. 1;

[0029] FIG. 3 schematically shows the control means of a switch of the invention.

Best mode of carrying out the invention

[0030] With reference to the attached figures, a preferred but not exclusive configuration of a security key according to the invention is shown, which will generally be designed to protect access to a machine or an industrial installation.

[0031] As shown in Fig. 1, the key, indicated globally by 1, will be designed to be applied, preferentially, but not exclusively, to a protection P of the barrier or movable panel of the type designed to prevent unsafe access to a machine or industrial plant in action.

[0032] In a known manner, key 1 will be designed to be applied to protection P in an access A thereof, in order to interrupt the operation of the machine or industrial plant immediately or punctually, in the case of an opening request of access A.

[0033] The access opening A can be of any type, either articulated or sliding and also with opening to the right or left, without particular limitations.

[0034] In the illustrated configuration, switch 1 is of the electronically actuated type, that is, equipped with a remote communication system between the switching part and the driving part, as described more clearly below.

[0035] However, according to an alternative configuration not shown, the switch may also be operated mechanically or electromechanically with a key actuator.

[0036] In its most essential form, the key 1 comprises a switching device 2 adapted to be anchored to a fixed part F of access A to be controlled and a driving device 3 adapted to be anchored to the movable part M of access A .

[0037] The methods of anchoring the switching device 2 and the driving device 3 to the respective parts F, M of the access A are of the known type and do not form part of the present invention, so they will not be described in greater detail below.

[0038] The switching device 2 comprises a box 4 that is housed within the switching means, not visible in the figures but with a configuration known per se, adapted to be operatively connected to one or more electrical and/or electronic circuits for power supply. and/or circuit control and/or main service and emergency circuits of the system.

[0039] The switching means can be selected from those commonly used in the sector and can also vary according to the functionality of key 1, without particular limitations.

[0040] The methods of connecting the switching means will be selected from those typical for this type of product and will also not be described in greater detail below.

[0041] The box also houses control means 6, as shown in Fig. 2, which are adapted to receive input signals from the control and/or service circuits via respective communication channels to verify the correct operation thereof. .

[0042] In this way, the control means 6 can control the switching means to send an error signal and/or provide system shutdown in the absence of a communication signal from one of the communication channels or in the case of detection of non-compliance.

[0043] In Fig. 3 a preferred, but not exclusive, configuration of the control means 6 is schematically shown, from which it can be seen that the control means comprises a main CPU 7 operatively connected to the communication channels associated with the functions of the industrial plant and an auxiliary CPU 8 operatively connected exclusively to the communication channels associated with service circuits not related to the safety conditions of the industrial plant.

[0044] In particular, the main processor 7 will be connected to the communication channels 9 that transmit information about the correct closure of access A, to the communication channels used to send information about the correct operation of the switching means and any possible means of lock/unlock, as specified in more detail below and for the control channels of safety outputs 10, 11.

[0045] In turn, the auxiliary CPU 8 is associated with communication channels 12 adapted to carry information relating to the operation of secondary devices, such as signal lights 13 and other auxiliary devices 14, whose possible malfunction could not compromise the operation safety of the industrial plant.

[0046] Suitably, the main CPU 7 will not be connected to communication channels associated with functions that are not secure, so that there is no need for reprogramming it and, at the same time, the secondary CPU 8 will not be associated with security functions. security, but exclusively insecure functions, so that, in the event of reprogramming, it will not need to be certified again.

[0047] The auxiliary CPU 8 in any case will be connected to the main CPU 7 to send information to it related to the monitored service circuits.

[0048] Furthermore, the main processor 7 may be designed to control the switching means to perform system shutdown upon sending by the auxiliary CPU 8 of an error signal, so as to increase the overall security level of the switch 1 .

[0049] For safety reasons, the control means 6 comprises two main CPUs 7, 15 which are at least partially redundant in their respective safety functions and organized according to a master/slave architecture.

[0050] Generally, the auxiliary CPU 8 will only be connected to the main processor 7 with the master function.

[0051] The two main CPUs 7, 15 are connected to the system control circuits through respective communication channels 9, 10, 11 for independent verification of the system's safety conditions.

[0052] Furthermore, the two main CPUs 7, 15 are mutually connected for mutual control of correct operation.

[0053] The connection and dialogue methods between the two main CPUs 7, 15 and the same with the switching means are not indicative of the scope of the present invention and, therefore, will not be described in detail.

[0054] Indicatively, the two main CPUs 7, 15 can operate in a similar way to that described in the aforementioned document EP2748926.

[0055] According to the configuration of the figures, the preferred, but not exclusive, actuation device 3 is adapted to interact with the switching means in opening/closing access A to open/close one or more circuits of the machine or plant. installation.

[0056] In particular, the switch 1 is of the electronically actuated type, that is, the interaction between the actuating device 3 and the switching means will be controlled by an electronic signal transmitted to the switching means by the actuating device 3 when the latter is at a minimum distance predetermined by the switching device 2 in such a way that access A can be considered closed and in safe conditions.

[0057] For this purpose, the switching device 2 houses a receiver 16, for example, an RFID-type antenna, inserted inside the box 4 and designed to receive a remote control signal, or a presence signal, transmitted by a transmitter or transponder, not visible, since it is housed in the driving device 3, when the latter is at the minimum distance detectable by the switching device 2.

[0058] In particular, the transponder will be provided with an identification code label that will be received by the receiver 16 and will be recognized by the main CPU 7 to allow the machine or system to start.

[0059] Code recognition can be univocal or generic, depending on whether you want to make a key with a high or low level of coding.

[0060] The coded signal thus detected will be sent to the main CPU 7 for comparison with a code stored therein and to authorize the start of the system in case of recognition of the received identification code and its correspondence with the stored code.

[0061] The slave CPU 15 will instead perform an analysis of the clock signal coming from the receiver 16.

[0062] Typically, for this type of key, the housing 4 will also house an unlocking mechanism 17 adapted to move from an access blocking position A to a releasing position which corresponds to the opening of the switching means, allowing the opening access A only when the switching means are open.

[0063] In particular, the unlocking mechanism 17 comprises an unlocking pin 18 adapted to move between the two locking and releasing positions and which is associated with an electromagnet 19 controlled by the same main CPUs 7, 15 upon receipt of the access opening sign A.

[0064] According to a particular variant, an emergency control may also be provided, such as a mushroom button, a key selector or similar control adapted to mechanically intervene in the unlocking mechanism to promote translation of the pin into position. release.

[0065] Each main CPU 7, 15 will comprise a communication channel 20 adapted to send to the auxiliary CPU 8 a signal relating to the condition of turning on or off the system.

[0066] According to another aspect of the invention, the auxiliary CPU 8 comprises a memory part 21 for storing data relating to the operation of the monitored circuits.

[0067] Furthermore, the auxiliary CPU will also be associated with an accumulator 22 connected to charging means 23 that can be activated when the system is turned off.

[0068] By way of example, the accumulator 22 may be a capacitor, while the charging means 23 may include a diode capable of charging the accumulator 22 with a charge sufficient for the auxiliary CPU 8 to perform a backup of the operational data within the part of memory 21 after receiving the shutdown signal.

[0069] From the above, it is clear that the key according to the invention achieves the intended objectives and in particular that of avoiding having to subject the CPU assigned to security checks to a new certification even after reprogramming related to functions not related to security.

[0070] The key according to the invention is susceptible to numerous modifications and variations, all of them within the inventive concept expressed in the attached Claims. All details can be replaced by other technically equivalent elements and materials can be different according to requirements, without departing from the scope of protection of the present invention.

[0071] Although the key has been described with particular reference to the attached figures, the reference numbers used in the Descriptive Report and Claims are used to enhance the intelligence of the invention and do not constitute any limitation to the claimed scope of protection.

Claims (10)

1. Security Key with Differentiated CPUs, to control security access to a machine or industrial system, comprising: - a switching device (2) adapted to be associated with a fixed part of an access to be controlled and with adapted switching means to be operatively connected to one or more control and/or service circuits of the system for opening/closing the same; - a drive device (3) associated with a movable part of the access to interact with said switching means in opening/closing the access for opening/closing one or more of said circuits; - control means (6) associated with said switching device (2) and adapted to receive input signals from said control and/or service circuits through respective communication buses to verify correct operation and to control said means switching to send an error signal and/or interrupt the system in case of absence of signal or detection of non-compliance; - m that said control means (6) comprises at least one main CPU (7) operatively connected with the communication buses (9) associated with the security functions of the system; characterized in that said control means (6) comprise at least one auxiliary CPU (8) operatively connected solely to the communication buses (12) associated with the service circuits and/or service devices not related to the security conditions of the system, at least one main CPU (7) being disconnected from communication channels associated with non-secure functions. 2. Security Key with Differentiated CPUs, according to Claim 1, characterized in that said auxiliary CPU (8) is connected to said main CPU (7) to send it information related to service circuits and/or devices monitored service. 3. Security Switch with Differentiated CPUs, according to Claim 2, characterized in that said main CPU (7) is adapted to control said switching means to operate the system interrupt after sending an error signal by the said auxiliary CPU (8). 4. Security Switch with Differentiated CPUs, according to any of the previous Claims, characterized in that said auxiliary CPU (8) comprises a memory part (21) for storing data relating to the operation of the monitored circuits and/or devices. 5. Security Switch with Differentiated CPUs, according to Claim 4, characterized in that said auxiliary CPU (8) is associated with an accumulator (22) connected to charging means (23) activated by said control means (6 ) after system shutdown. 6. Security Switch with Differentiated CPUs, according to Claim 5, characterized in that said charging means (23) comprise a diode adapted to charge said accumulator (22) with a charge sufficient for said auxiliary CPU (8 ) to operate a backup in said memory part (21). 7. Security Switch with Differentiated CPUs, according to any of the previous Claims, characterized in that said control means (6) comprise two main CPUs (7, 15) redundant with each other in their respective security functions and mutually connected to mutually control their correct operation, said main CPUs (7, 15) being organized according to a master/slave scheme. 8. Security Switch with Differentiated CPUs, according to Claim 7, characterized in that each of said main CPUs (7, 15) is connected to the system control circuits through respective communication buses for independent verification of conditions of security. 9. Security Switch with Differentiated CPUs, according to any of the previous Claims, characterized in that said actuation device (3) comprises actuation means adapted to interact remotely with said switching means at the time of opening/closing the access (A) for opening/closing one or more of said circuits. 10. Security Key with Differentiated CPUs, according to Claim 9, characterized in that said operating device (3) comprises a transmitter or transponder adapted to send an identification code to said switching means, the latter being connected to a receiver or antenna (16) adapted to receive said signal and send said identification code to the master main CPU (7) for comparison with a code stored therein, said master main CPU (7) being adapted to authorize the system starts after recognizing the aforementioned identification code.