CN112187847A - Method and apparatus for monitoring a device - Google Patents
Method and apparatus for monitoring a device Download PDFInfo
- Publication number
- CN112187847A CN112187847A CN202010633480.0A CN202010633480A CN112187847A CN 112187847 A CN112187847 A CN 112187847A CN 202010633480 A CN202010633480 A CN 202010633480A CN 112187847 A CN112187847 A CN 112187847A
- Authority
- CN
- China
- Prior art keywords
- operating state
- communication interface
- unit
- critical
- analysis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 17
- 238000012544 monitoring process Methods 0.000 title claims abstract description 14
- 230000005540 biological transmission Effects 0.000 claims abstract description 103
- 238000004891 communication Methods 0.000 claims abstract description 56
- 238000011156 evaluation Methods 0.000 claims abstract description 37
- 230000004069 differentiation Effects 0.000 claims description 3
- 230000007274 generation of a signal involved in cell-cell signaling Effects 0.000 claims description 2
- 230000004913 activation Effects 0.000 description 4
- 238000001514 detection method Methods 0.000 description 3
- 238000000926 separation method Methods 0.000 description 3
- 238000009529 body temperature measurement Methods 0.000 description 2
- 230000001419 dependent effect Effects 0.000 description 2
- 238000004880 explosion Methods 0.000 description 2
- 238000009434 installation Methods 0.000 description 2
- 238000005259 measurement Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000003213 activating effect Effects 0.000 description 1
- 230000002238 attenuated effect Effects 0.000 description 1
- 238000001816 cooling Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000012806 monitoring device Methods 0.000 description 1
- 230000002028 premature Effects 0.000 description 1
- 238000004804 winding Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q9/00—Arrangements in telecontrol or telemetry systems for selectively calling a substation from a main station, in which substation desired apparatus is selected for applying a control signal thereto or for obtaining measured values therefrom
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- G—PHYSICS
- G08—SIGNALLING
- G08C—TRANSMISSION SYSTEMS FOR MEASURED VALUES, CONTROL OR SIMILAR SIGNALS
- G08C19/00—Electric signal transmission systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2209/00—Arrangements in telecontrol or telemetry systems
- H04Q2209/40—Arrangements in telecontrol or telemetry systems using a wireless architecture
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Arrangements For Transmission Of Measured Signals (AREA)
- Selective Calling Equipment (AREA)
Abstract
The invention relates to a method and a device for monitoring a system, wherein a at least one safety-relevant parameter of the system is measured, b the safety-relevant parameter is analyzed in a first evaluation unit for compliance with at least one predetermined limit value, c the first evaluation unit is arranged on the transmitting side of the communication interface, and a triggering unit is arranged on the receiving side of the communication interface, and a data transmission takes place between the transmitting side and the receiving side, and wherein furthermore d a distinction is made between three operating states (normal operation, first critical operating state and second critical operating state), wherein e.at least information about the operating state is transmitted during the data transmission, and f.a second evaluation unit connected to the triggering unit is arranged on the receiving side of the communication interface, which evaluation unit evaluates the information about the operating state independently of one another in a first evaluation channel and a second evaluation channel, g. wherein the triggering unit is activated when the first operating state or the second operating state is present, in order to bring the device into the safe state.
Description
Technical Field
The invention relates to a method and an arrangement for monitoring a device, wherein security-relevant information is transmitted via a communication interface.
Background
From the standpoint of danger to people and the environment, equipment (e.g., equipment in areas at risk of explosion) is often monitored by electronic protection circuits. These protection circuits should bring the device into a safe state when a predefined hazard is detected. Here, the reliability of these protection circuits and the secure processing of security-related information are particularly important.
A protection concept for temperature monitoring is described in EP 1967831B 1, in which a measuring circuit (temperature measurement), a measured value analysis, and an actuator which is intended to bring a monitored device into a safe state when a safety-relevant hazard (excessive temperature) is detected are compactly arranged in a device.
In certain application cases, the spatial separation of the measuring unit from the actuator (trigger unit) is technically meaningful or necessary. Therefore, machines designed specifically for use in areas at risk of explosion, for example, must be monitored for excessively high temperatures that can ignite. The monitoring is regarded as being safety-related and must function particularly reliably in accordance with safety requirements. An actuator, which is usually formed by an electrical switching element (relay; contactor), should switch off the machine when a potentially ignitable, excessively high temperature is detected, but cannot be placed with the machine in an explosion-hazard area by itself or only with high effort, since any switching sparks of the actuator may form an ignition source by itself. In this case, the safety-relevant temperature information must then be transmitted via the communication interface to the actuator, which is arranged in a region that is safe and spatially separate from the machine. In this case, high safety requirements apply or high reliability for the transmission of temperature information is required.
Even in the industrial 4.0 era, the transmission of security-related information via a communication interface is no longer contemplated. Thus, high security requirements also apply to the entire processing chain of measurement units, signal generation, communication interfaces, information transmission, information reception and analysis, and execution of security-related tasks. The implementation of these security requirements typically requires a high expenditure, with increased complexity (which is often necessary for the direct implementation of the security requirements) and also increased confusion (which then becomes a further source of problems).
Disclosure of Invention
The object of the present invention is therefore to provide a simple and clear security concept for a monitoring device, with which security-relevant information is transmitted via a communication interface.
According to the invention, this object is achieved by the features of claims 1 and 11.
The method for monitoring a device according to the invention is characterized in that:
a. at least one safety-related parameter of the device is measured,
b. the safety-relevant parameter is analyzed in a first analysis unit for compliance with at least one predetermined limit value,
c. the first evaluation unit is arranged on the transmitting side of the communication interface and the triggering unit is arranged on the receiving side of the communication interface and performs a data transmission between the transmitting side and the receiving side, and wherein furthermore
d. A distinction is made between three operating states (i.e. normal operation, first critical operating state and second critical operating state), wherein
d1. The normal operation is characterized in that the at least one measured safety-relevant parameter complies with the at least one predetermined limit value, and that there is no technical fault which prevents an effective data transmission via the communication interface,
d2. the first critical operating state is characterized in that the measured safety-relevant parameter exceeds the at least one predetermined limit value and that there is no technical fault which prevents an effective data transmission via the communication interface,
d3. the second critical operating state is characterized by the presence of a technical fault that prevents an effective data transmission via the communication interface, and wherein
e. At least information about the operating state is transmitted during the data transmission, an
f. A second evaluation unit, which is connected to the triggering unit and which evaluates the information about the operating state independently of one another in the first evaluation channel and in the second evaluation channel, is provided on the receiving side of the communication interface,
g. wherein the triggering unit is activated when the first operating state or the second operating state is present, in order to bring the device into the safe state.
The device according to the invention for carrying out the above method comprises at least:
a. at least one measuring unit for measuring a safety-related parameter of the device,
b. a first analysis unit for analyzing the measured safety-relevant parameter for compliance with at least one predetermined limit value,
c. a triggering unit to cause the device to enter a safe state,
d. an operating state determination unit for determining an operating state of the device, wherein a distinction is made between three operating states (i.e. normal operation, a first critical operating state and a second critical operating state), wherein
d1. The normal operation is characterized in that the at least one measured safety-relevant parameter complies with the at least one predetermined limit value, and that there is no technical fault which prevents an effective data transmission via the communication interface,
d2. the first critical operating state is characterized in that the measured safety-relevant parameter exceeds the at least one predetermined limit value and that there is no technical fault which prevents an effective data transmission via the communication interface,
d3. the second critical operating state is characterized by the presence of technical faults which prevent an effective data transmission via the communication interface,
e. a communication interface for data transmission of the operating state between a transmitting side and a receiving side, wherein the first analysis unit and the operating state determination unit are arranged on the transmitting side of the communication interface and the triggering unit is arranged on the receiving side of the communication interface, and
f. a second evaluation unit, which is connected to the triggering unit on the receiving side of the communication interface and has a first evaluation channel and a second redundant evaluation channel, is used for monitoring the operating state and for controlling the triggering device (9) when the first operating state or the second operating state is present.
Although conventionally only information about measured parameters or trigger signals derived therefrom are transmitted, it is now also considered according to the invention whether technical faults are present which prevent an effective data transmission via the communication interface. For example, if the transmission link is interrupted due to an unexpected interruption of the used USB cable, data transmission will no longer be possible and therefore an effective status detection of the device based on the measurement value transmission is not possible. According to the invention, a second critical operating state exists in this case.
Furthermore, it is conceivable, for example, that the signal level is significantly reduced due to hardware errors on the transmitting side of the communication interface, so that an analysis of the transmitted data on the receiving side of the communication interface can no longer be ensured. According to the invention, each possible error state of the communication interface and the transmission link which prevents effective data transmission is regarded as a transmission form for the second critical operation.
Other embodiments of the invention are the subject matter of the dependent claims, wherein the features specified in the dependent claims can also be combined with one another.
A particular embodiment of the invention provides that each operating state is assigned at least one transmission format used for data transmission, which is characteristic of the determined operating state. In this case, a suitable choice of the transmission format can ensure that a clear distinction can be made between normal operation and two critical operating states. Each error state of the communication interface (6) which prevents effective data transmission via the communication interface (6) is assigned a transmission form for the second critical operation.
According to a further embodiment of the invention, the information about the operating state is analyzed in the second analysis unit by analyzing the transmitted transmission format. In this case, it is conceivable that, for the purpose of differentiation, the transmission form which characterizes the normal operation is differentiated from the transmission form which characterizes the first critical operating state by at least a first distinguishing characteristic and from the transmission form which characterizes the second critical operating state by at least a second distinguishing characteristic. It should thus be ensured that a clear and unambiguous separation of the normal operation from the first or second critical operating state is possible. For example, the defined DC offset may be set as the first distinguishing characteristic. Thus, a transmission form with a defined DC offset may imply normal operation, whereas a transmission form with a DC offset outside the tolerance range of the defined DC offset indicates the presence of the first critical operating state. Alternatively, the defined amplitude can also be set as the first distinguishing feature, wherein a transmission form with the defined amplitude indicates normal operation, while a transmission form with an amplitude outside the tolerance range of the defined amplitude signals the first critical operating state. The defined DC offset can in turn be used as a second distinguishing feature for delimiting normal operation from a second critical operating state. Alternatively, however, the defined amplitude, which distinguishes normal operation from the second critical operating state, can also be set again here.
The first and second distinguishing characteristics preferably have a common property which enables normal operation to be distinguished from both the first and second critical operating states. However, within the scope of the invention, it is also conceivable that the first distinguishing feature and the second distinguishing feature are identical, since in many application scenarios it is only important on the receiving side whether there is normal operation or one of the two critical operating states, since the activation of the trigger unit takes place in both the first critical operating state and the second critical operating state.
In a further embodiment of the invention, during normal operation and/or during data transmission in the first critical operating state, information about the measured safety-relevant parameter and/or further operating data is transmitted in addition to the information about the operating state. This has the advantage that, in normal operation, information is obtained on the receiving side of the communication interface about the position of the measured safety-relevant parameter relative to its limit value. Thus, countermeasures can be taken as early as possible, if necessary, for example by operating the device with a correspondingly reduced power. In contrast, if the first critical operating state is present, the cause of the error can be defined more precisely and in detail from the transmitted information about the measured safety-relevant parameter, in particular when measuring and analyzing different safety-relevant parameters.
Furthermore, it is naturally conceivable that other operating data are also transmitted for the purpose of information and diagnosis, which do not negatively influence the evaluation of the transmitted operating state on the receiving side.
Furthermore, the first analysis channel and the second analysis channel are preferably connected to the triggering unit in such a way that the triggering unit is activated when at least one of the two analysis channels generates a triggering signal. This may be done, for example, via an or gate. In order to further improve the analysis and to ensure a higher safety, the two analysis channels are configured differently, so that the first analysis channel can be based on software-controlled operating principles and the analysis in the second analysis channel can be based on hardware-controlled operating principles. However, both evaluation channels are designed such that they can detect the transmitted operating state, wherein the first evaluation channel, in addition to the operating state, also evaluates the safety-relevant parameters transmitted if necessary, while the second evaluation channel only detects whether one of the two critical operating states is present.
Drawings
Further advantages and design configurations of the invention are further elucidated on the basis of the following description and the accompanying drawing.
Shown in the attached drawings:
figure 1 shows a block diagram of an apparatus according to the invention,
fig. 2 shows the signal profile of the transmission pattern with a defined limiting frequency as a first distinguishing characteristic in normal operation and in first critical operation,
fig. 3 shows the signal profile of a transmission pattern with a limit frequency set to zero as a first distinguishing characteristic in normal operation and in a first critical operating state,
figure 4 shows the course of the signal change in the transmission form with a defined amplitude as the first distinguishing characteristic in normal operation and in first critical operation,
figure 5 shows the signal profile in the normal operation and in the first critical operation with a defined DC offset as a first distinguishing characteristic of the transmission form,
fig. 6 shows the signal profile of the transmission pattern in normal operation and in first critical operation, a first distinguishing feature being that the data transmission takes place continuously in normal operation and with sufficient pauses in the first critical operating state,
fig. 7 shows the signal profile in normal operation and in a second critical operating state, in which the transmission mode is such that no data transmission takes place and the DC level corresponds to ground, wherein the defined limiting frequency is regarded as a second distinguishing characteristic,
fig. 8 shows the signal profile in normal operation and in a second critical operating state, in which the transmission pattern is characterized by no data transmission and a DC level at an undefined height, wherein the defined limiting frequency is regarded as a second distinguishing characteristic,
fig. 9 shows the course of the signal change in normal operation and in a second critical operating state, in which the DC offset is shifted to a different level than in normal operation, wherein the defined DC offset is regarded as a second distinguishing characteristic,
fig. 10 shows the course of the signal change in normal operation and in a second critical operating state, wherein the transmission form in the second critical operating state is characterized by a significantly reduced amplitude of the transmission signal, wherein the defined amplitude is regarded as a second distinguishing characteristic, and
fig. 11 shows an exemplary embodiment in the region of the second analysis unit.
Detailed Description
The device according to the invention for monitoring a plant (for example a cooling plant or a pump station) has a measuring unit 1, which measuring unit 1 measures at least one safety-relevant parameter of the plant via a sensor, not shown in detail. This can be, for example, the winding temperature of the electric motor. The measured safety-relevant parameter is analyzed in the first analysis unit 2 for compliance with at least one assigned limit value. In this case, it is checked in the case of a temperature measurement whether a predetermined maximum temperature value is exceeded. Furthermore, a triggering unit 9 is provided to bring the device into a safe state by, for example, switching off the device or operating the device at reduced power.
The operating state of the device is determined in the following manner:
a distinction is made between normal operation and a first critical operating state by the first evaluation unit 2 determining whether at least one safety-relevant parameter exceeds a limit value. The detection of the second critical operating state is a task on the receiving side, since in the presence of such technical faults it can no longer be assumed that the data transmission via the communication interface 6 is still valid or it is not known in which error state the communication interface is in.
Furthermore, a signal generating unit 5 is provided on the transmitting side of the communication interface 6, which signal generating unit 5 generates a data signal to be transmitted from the transmitting side to the receiving side of the communication interface, wherein the data signal has an operating state of the characteristic transmission form determined by the operating state determination unit 3. On the receiving side of the communication interface 6, in addition to the triggering unit 9, a second evaluation unit 8 is provided, which second evaluation unit 8 is provided with a first evaluation channel 80 and a second redundant evaluation channel 81 for evaluating the transmitted operating state. The first and second evaluation channels 80, 81 are connected to the triggering unit via an or gate 82 in order to activate the triggering unit if at least one of the two evaluation channels determines that the first or second critical operating state is present and generates a corresponding triggering signal 83 or 84.
The transmission link 7 between the communication interface 6 and the second evaluation unit 8 can be in particular a wired connection or can be designed as a radio connection. Depending on the application, especially in the case of explosion-hazard installations, a spatial separation of the explosion-hazard installation area from the triggering unit 9 is ensured via the transmission link 7. This is particularly necessary in the case of a triggering unit which, during triggering, may generate a switching spark which may constitute an ignition source.
Although in the exemplary embodiment shown only the measuring unit 1 is provided, it is of course possible to measure a plurality of safety-relevant and other operating parameters of the evaluation device.
In the following fig. 2 to 10 show different examples of transmission forms which can be used to transmit operating states during data transmission.
In the case of data transmission via the communication interface 6, at least information about the operating state is transmitted. However, transferring conventional data information is a fundamental task of the communication interface. Preferably, both the information about the operating state and the regular data are transmitted via a single communication interface. In a preferred embodiment, therefore, information about at least one measured safety-relevant parameter is additionally transmitted at least during normal operation and preferably also during the first critical operating state.
Fig. 2 shows a first exemplary embodiment of a signal profile of the transmission form during normal operation and in a first critical operating state. In order to distinguish these two operating states from one another, a first distinguishing characteristic is used, which is realized here by different transmission frequencies. Thus, the signal, which also contains information about the measured safety-relevant parameter, is transmitted in normal operation at a frequency above the determined limiting frequency. However, if it is determined by the operating state determination unit 3 that the measured safety-relevant parameter does not comply with the predetermined limit value and therefore a first critical operating state exists, data transmission takes place at a transmission frequency below the determined limit frequency, as can be seen from fig. 2.
If no information of the measured safety-relevant parameter needs to be transmitted in the case of the first critical operating state, the data transmission in the first critical operating state can also be stopped, for example, simply, as shown in the exemplary embodiment according to fig. 3.
Although in the exemplary embodiment of fig. 2 the first distinguishing feature of the transmission form between the transmission form in normal operation and the transmission form in the first critical operating state is realized by different transmission frequencies, the exemplary embodiment of fig. 4 shows a transmission form in which the transmission takes place with a significantly reduced amplitude in the case of the first critical operating state.
Fig. 5 shows a further alternative in which the signals are transmitted with different DC offset voltages in normal operation and in the first critical operating state. Therefore, used in normal operationDC offset voltage U1And in the first critical operating state, higher than U is usedZDC offset voltage U of2。
Finally, fig. 6 also shows a final embodiment as to how the transmission form in normal operation can be distinguished from the transmission form in the first critical operating state. In this case, continuous data transmission takes place in normal operation, while in the case of the first critical operating state the data transmission is interrupted by a sufficient pause.
Of course, other differentiation criteria are also conceivable within the scope of the invention, in particular combinations of the illustrated examples may also be used.
Different examples of different transmission forms for illustrating the normal operating state and the second critical operating state are described below with reference to fig. 7 to 10.
In the exemplary embodiment according to fig. 7, the cancellation of the data transmission is shown as a second critical operating state. In the exemplary embodiment according to fig. 3, this error state is selected in a targeted manner as a transmission form for the first critical operating state. The same distinguishing features are therefore used between normal operation and the first critical operating state and between normal operation and the second critical operating state. This is sufficient in particular for situations in which no information on the measured safety-relevant parameter needs to be transmitted and the first and second critical operating states lead to the activation of the triggering unit in the same way.
However, it is often helpful to the receiving side if a distinction can be made between a first critical operating state and a second critical operating state. Thus, for the first critical operating state, the DC level can be shifted to a defined level different from ground according to the embodiment in fig. 5, in order to thus be distinguished from an error state of the second critical operating state of the communication interface 6 according to the embodiment in fig. 7. In this case, all 3 operating states can be analyzed differently on the receiving side using their transmission forms characterizing the respective operating state: the transmission patterns in fig. 5 for the normal operating state and the first critical operating state and the transmission patterns in fig. 7 for the second critical operating state, respectively. The first distinguishing feature with a defined DC offset and the second distinguishing feature with a defined limiting frequency according to the embodiment in fig. 5 have a common characteristic: data signals in a defined DC offset range and in a defined frequency range.
The exemplary embodiments according to fig. 9 and 10 show further error states of the second critical operating state, which can likewise be selected in the exemplary embodiments according to fig. 5 and 4 in a targeted manner as corresponding transmission forms for the first critical operating state if the same distinguishing features between normal operation and the first critical operating state and between normal operation and the second critical operating state are to be expected. If the second evaluation unit is only actually checked for the presence of normal operation or one of the two critical operating states, in which case the triggering unit is activated both in the case of the first critical operating state and in the case of the second critical operating state, there is no need to distinguish the two critical operating states from one another by different transmission forms.
Conceivable embodiments for the second analysis unit 8 are further elucidated below with respect to fig. 11. In order to ensure increased analysis reliability, the first analysis channel 80 is designed as a software-controlled implementation and has, for example, a microcontroller which analyzes the data signals to be transmitted from the communication interface 6 via the transmission link 7. In addition to the evaluation of the transmitted operating state, it is of course also possible to evaluate information about the measured safety-relevant parameters in the first evaluation channel in order to influence the operation of the device if necessary. Thus, for example, the power of the device can be reduced in the event of a determination of a sharply increased temperature in order to prevent premature activation of the trigger device. If it is determined in the microcontroller that the first or second critical operating state is present, a trigger signal 83 is generated, which triggers the activation of the trigger unit via the or gate 82.
The second evaluation channel 81 is designed as a hardware-controlled implementation and preferably contains simple and robust circuit technology which is only designed to detect the transmitted operating state in order to subsequently generate a trigger signal 84 in the event of detection of one of the two critical operating states. At the placeIn the illustrated embodiment, the second analysis channel 81 has a high-pass filter 81a and a frequency monitoring circuit 81 b. For transmission forms (according to fig. 5 and 9) with a defined DC offset as first and second distinguishing feature, the high-pass filter 81a may connect the voltage limiter V1 with the terminal voltage UZAnd (4) integration. Terminal voltage UZGreater than DC offset voltage U for normal operation1Yet less than the DC offset voltage U for the first critical operation (fig. 5)2And is likewise smaller than the possible DC offset voltage U in the error state for the second critical operation (fig. 9)2. The frequency monitoring circuit 81b monitors the signal passing through the high-pass filter 81a using the principle of the electrostatic current evaluated. Accordingly, the operation of the monitored device is only switched on if the data transmission on the communication interface 6 has a transmission form which is assigned to normal operation. In the exemplary embodiment according to fig. 2, the transmission mode of normal operation is a continuous data transmission at a frequency above the limit frequency of the high-pass filter 61 a. The transmission signal having a lower frequency, which does not correspond to the transmission form of normal operation, is attenuated or blocked by the high-pass filter 81a, so that the frequency monitoring circuit 81b generates a trigger signal 84 for activating the trigger unit 9.
The trigger signals 83 and 84 of the two analysis channels 80, 81 are or-linked to activate the trigger unit 9 in the presence of at least one of the two trigger signals 83, 84. To this end, in the or gate 82, the first trigger signal 83 via the transistor Q3 is linked with the second trigger signal 84 via the transistor Q4 as follows to form an output signal via the trigger unit 9:
at Q3Cut-offOr Q4Cut-offThe trigger unit is activated.
Claims (14)
1. A method for monitoring a device, wherein
a. Measuring at least one safety-related parameter of the device,
b. the measured safety-relevant parameter is analyzed in a first analysis unit for compliance with at least one predetermined limit value,
c. the first evaluation unit (2) is arranged on a transmitting side of a communication interface (6) and a triggering unit is arranged on a receiving side of the communication interface (6) and performs a data transmission between the transmitting side and the receiving side, and wherein furthermore
d. A distinction is made between three operating states, namely normal operation, a first critical operating state and a second critical operating state, wherein
d1. The normal operation is characterized in that the at least one measured safety-related parameter meets the at least one predetermined limit value and there is no technical fault that prevents an effective data transmission via the communication interface (6),
d2. the first critical operating state is characterized in that the measured safety-relevant parameter exceeds the at least one predetermined limit value and there is no technical fault which prevents an effective data transmission via the communication interface (6), and
d3. the second critical operating state is characterized by the presence of a technical fault that prevents effective data transmission via the communication interface (6), and wherein
e. At least information about the operating state is transmitted during data transmission, an
f. On the receiving side of the communication interface (6), a second evaluation unit (8) is provided, which is connected to the triggering unit and which evaluates the information about the operating state independently of one another in a first and a second evaluation channel (80, 81),
g. wherein the trigger unit (9) is activated when the first or second operating state is present, in order to bring the device into a safe state.
2. Method according to claim 1, characterized in that at least one transmission format used in the data transmission is assigned to each operating state, which transmission format characterizes the determined operating state.
3. Method according to claim 1, characterized in that each error state of the communication interface (6) which prevents a valid data transmission via the communication interface (6) is assigned a transmission form for the second critical operation.
4. Method according to claim 2, characterized in that the analysis of the information about the operating state is carried out in the second analysis unit (8) by analyzing the transmission form.
5. Method according to claim 2, characterized in that for the purpose of differentiation, the transmission form characterizing the normal operation is differentiated from the transmission form characterizing the first critical operating state by at least a first differentiating characteristic and from the transmission form characterizing the second critical operating state by at least a second differentiating characteristic.
6. The method according to claim 3, characterized in that the first and second distinguishing features have a common characteristic which enables distinguishing the normal operation from both the first and the second critical operating state.
7. The method of claim 3, wherein the first distinguishing characteristic and the second distinguishing characteristic are the same.
8. Method according to claim 1, characterized in that the first and second analysis channels (80, 81) are connected to the trigger unit (9) in such a way that the trigger unit (9) is activated when at least one of the two analysis channels (80, 81) generates a trigger signal (83, 84).
9. Method according to claim 1, characterized in that in the normal operation and/or in the first critical operating state, information about the measured safety-relevant parameter and/or further operating data is transmitted in addition to the information about the operating state.
10. The method according to claim 1, characterized in that the analysis in the first analysis channel (80) is based on a hardware-controlled principle of operation, whereas the analysis in the second analysis channel (81) is based on a software-controlled principle of operation.
11. An apparatus for performing the method of claim 1, the apparatus having:
a. at least one measuring unit (1) for measuring a safety-related parameter of the device,
b. a first analysis unit (2) for analyzing the measured safety-relevant parameter for compliance with at least one predetermined limit value,
c. a triggering unit (9) to bring the device into a safe state,
d. an operating state determination unit (3) for determining an operating state of the device, wherein a distinction is made between three operating states, namely a normal operation, a first critical operating state and a second critical operating state, wherein
d1. The normal operation is characterized in that the at least one measured safety-relevant parameter corresponds to the at least one predetermined limit value and there is no technical fault which prevents an effective data transmission via the communication interface (6),
d2. the first critical operating state is characterized in that the measured safety-relevant parameter exceeds the at least one predetermined limit value and there is no technical fault which prevents an effective data transmission via the communication interface (6), and
d3. the second critical operating state is characterized by the presence of a technical fault that prevents effective data transmission via the communication interface (6),
e. a communication interface (6) for transmitting operating state data between a transmitting side and a receiving side, wherein the first evaluation unit (2) and the operating state determination unit (3) are arranged on the transmitting side of the communication interface (6) and the triggering unit (9) is arranged on the receiving side of the communication interface (6), and
f. a second evaluation unit (80, 81) connected to the triggering unit (9) on the receiving side of the communication interface (6) and having a first evaluation channel and a second redundant evaluation channel, for monitoring the operating state and for controlling the triggering device (9) in the event of the presence of the first operating state or the second operating state.
12. The device according to claim 11, characterized in that the first and second analysis channels (80, 81) are connected with the trigger unit (9) via an or gate (82) to activate the trigger unit (9) when at least one of the two analysis channels (80, 81) generates a trigger signal (83, 84).
13. The device according to claim 10, characterized in that the device has a signal generation unit (5) for generating an information signal to be transmitted from the transmitting side to a receiving side of the communication interface (6), wherein the information signal has a transmission form which characterizes the determined operating state.
14. The device according to claim 11, characterized in that the first analysis channel (80) is configured as a hardware-controlled implementation and the second analysis channel (81) is configured as a software-controlled implementation.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE102019117972.6A DE102019117972B4 (en) | 2019-07-03 | 2019-07-03 | Process and device for monitoring a plant |
| DE102019117972.6 | 2019-07-03 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112187847A true CN112187847A (en) | 2021-01-05 |
| CN112187847B CN112187847B (en) | 2024-04-05 |
Family
ID=73919361
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010633480.0A Active CN112187847B (en) | 2019-07-03 | 2020-07-02 | Method and apparatus for monitoring a device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN112187847B (en) |
| DE (1) | DE102019117972B4 (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101238536A (en) * | 2005-08-02 | 2008-08-06 | 菲尼克斯电气公司 | Safety switching unit for controlling a safety device into a safe state |
| CN102860036A (en) * | 2010-04-30 | 2013-01-02 | Abb技术有限公司 | Device and method for transmitting measurement signals in spatially extensive supply networks |
| DE102015203250A1 (en) * | 2015-02-24 | 2016-08-25 | Zf Friedrichshafen Ag | Safety device and method for transferring an actuator system to a safe state, actuator system and method for operating an actuator system |
| DE102015116100A1 (en) * | 2015-09-23 | 2017-03-23 | Phoenix Contact Gmbh & Co. Kg | Safety-related control system for the safe control of an actuator |
| US20170155352A1 (en) * | 2014-06-04 | 2017-06-01 | Conti Temic Microelectronic Gmbh | Apparatus For Actuating And/Or Monitoring A Brushless DC Motor |
| CN107407919A (en) * | 2015-03-04 | 2017-11-28 | Abb股份公司 | The operation method of safety control system and safety control system |
| WO2019039971A1 (en) * | 2017-08-25 | 2019-02-28 | Закрытое акционерное общество "КБ "Проминжиниринг" | Threshold control unit for working mechanism or process equipment with input signal diagnosis function |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1967831B1 (en) * | 2007-03-07 | 2012-04-18 | Kriwan Industrie-Elektronik GmbH | Temperature release device |
| DE102015001741A1 (en) * | 2015-02-11 | 2016-08-11 | Kuka Roboter Gmbh | Method and system for operating a multi-axis machine, in particular a robot |
-
2019
- 2019-07-03 DE DE102019117972.6A patent/DE102019117972B4/en active Active
-
2020
- 2020-07-02 CN CN202010633480.0A patent/CN112187847B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101238536A (en) * | 2005-08-02 | 2008-08-06 | 菲尼克斯电气公司 | Safety switching unit for controlling a safety device into a safe state |
| CN102860036A (en) * | 2010-04-30 | 2013-01-02 | Abb技术有限公司 | Device and method for transmitting measurement signals in spatially extensive supply networks |
| US20170155352A1 (en) * | 2014-06-04 | 2017-06-01 | Conti Temic Microelectronic Gmbh | Apparatus For Actuating And/Or Monitoring A Brushless DC Motor |
| DE102015203250A1 (en) * | 2015-02-24 | 2016-08-25 | Zf Friedrichshafen Ag | Safety device and method for transferring an actuator system to a safe state, actuator system and method for operating an actuator system |
| CN107407919A (en) * | 2015-03-04 | 2017-11-28 | Abb股份公司 | The operation method of safety control system and safety control system |
| DE102015116100A1 (en) * | 2015-09-23 | 2017-03-23 | Phoenix Contact Gmbh & Co. Kg | Safety-related control system for the safe control of an actuator |
| WO2019039971A1 (en) * | 2017-08-25 | 2019-02-28 | Закрытое акционерное общество "КБ "Проминжиниринг" | Threshold control unit for working mechanism or process equipment with input signal diagnosis function |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112187847B (en) | 2024-04-05 |
| DE102019117972A1 (en) | 2021-01-07 |
| DE102019117972B4 (en) | 2023-05-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105983972B (en) | Robot control system | |
| US8659254B2 (en) | Servo system, servo motor driving device, safety unit and method for controlling servo system | |
| CN109256288B (en) | Electrical switching device and method for detecting relative wear | |
| US20140312877A1 (en) | AC/DC-Sensitive Residual Current Protective Device (RCD) With Parameter Configuration | |
| JP2018014103A (en) | Portable field maintenance tool configured for multiple process control communication protocols | |
| US9367416B2 (en) | Safety circuit of an elevator, and method for identifying a functional nonconformance of a safety circuit of an elevator | |
| JP2018032390A (en) | Portable field maintenance tool configured for multiple process control communication protocols | |
| US11169491B2 (en) | Safety switch | |
| CN112187847B (en) | Method and apparatus for monitoring a device | |
| US11119156B2 (en) | Monitoring arrangement for monitoring a safety sensor and method for monitoring a safety sensor | |
| JP5837255B2 (en) | Acceleration sensor with at least one micromechanical sensor element for an occupant protection system in a vehicle | |
| EP2800118A1 (en) | Auto detection of guard locking device | |
| CN115657450B (en) | Safety control system, circuit and method for industrial robot | |
| KR101805955B1 (en) | Relay output module of PLC, and driving method thereof | |
| JPH0390869A (en) | Detection of melt-sticking of relay | |
| US10274921B2 (en) | I/O expansion for safety controller | |
| KR101067461B1 (en) | Field appliance | |
| CN107567697B (en) | Bus network terminator | |
| JP6269512B2 (en) | Electronic control unit | |
| US10746610B2 (en) | Safety circuit, a safety circuit operation method and an electrically operated motor comprising a safety circuit | |
| KR20160134551A (en) | Method for monitoring an on-board electrical system | |
| CN107834501B (en) | Apparatus and method for monitoring activity of processing unit in electrical trip unit | |
| US20230229118A1 (en) | Device and method for the control of safety apparatuses | |
| JP2019220183A (en) | Circuit arrangement for turning on and off electrical load and method for checking status of safety output part of the circuit arrangement | |
| KR101568097B1 (en) | The electronic control apparatus and method for monitoring the external monitoring device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |