DE102015203252A1 - Safety device and method for transferring an actuator system to a safe state, actuator system and method for operating an actuator system - Google Patents

Abstract

A safety device (106) for transferring an actuator system to a safe state, wherein the actuator system includes an operating device, an actuator having a first supply port and a second supply port, at least one first supply port coupled to the first supply port, and at least one second supply port coupled to the second supply port and at least one controller arranged on one of the supply lines to control an energy flow of an operating energy required to operate the actuator, the operating device for supplying the actuator with operating energy via the first supply line to the actuator, and wherein the operating device is configured to provide an operating-side control signal for controlling the control device and a trigger signal (118) for indicating an operating state of the operating device has a communication an interface (340) adapted to receive the trigger signal (118) and providing means (342) adapted to provide, using the trigger signal (118), a safety-side control signal for controlling the controller or another controller; to transfer the actuator system to the safe state.

Description

The present invention relates to a safety device for transferring an actuator system, for example a vehicle, to a safe state, to an actuator system, to a method for transferring an actuator system into a safe state and to a method for operating an actuator system.

In order to bring a safety-relevant system into a safe state, for example in the case of a detected fault in the system, it may be necessary to put an actuator of the system in a predetermined operating state. In this context, the DE 10 2009 054 106 A1 a method for collecting data in a redundant system.

Against this background, the present invention provides an improved safety device for transitioning an actuator system to a safe state, an improved actuator system, an improved method for transitioning an actuator system to a safe state, and an improved method of operating an actuator system according to the main claims. Advantageous embodiments will become apparent from the dependent claims and the description below.

Using an additional safety device, an actuator of an actuator system can be set in a predetermined operating state, for example, upon detection of a fault within the actuator system. By offsetting the actuator in the predetermined operating state, the actuator system can be set in a safe state. In this case, depending on the embodiment, the predetermined operating state may be an inactive or an active state of the actuator. The actuator can be set in the predetermined operating state by interrupting or releasing an energy flow for supplying the actuator with an operating energy required for operating the actuator.

A corresponding actuator system comprises an operating device, an actuator with a first supply connection and a second supply connection, at least one first supply line coupled to the first supply connection, at least one second supply line coupled to the second supply connection and at least one control device. The at least one control device is arranged on one of the supply lines in order to control an energy flow of an operating energy required for operating the actuator. The operating device is connected to supply the actuator with operating energy via the first supply line to the actuator. The operating device is configured to provide an operating-side control signal for controlling the control device and a trigger signal for indicating an operating state of the operating device.

A safety device for transferring such an actuator system to a safe state has the following features:
a communication interface configured to receive the trigger signal of the operating device; and
a provision device, which is designed to provide, by using the trigger signal, a safety-side control signal for controlling the control device or another control device in order to transfer the actuator system into the safe state.

The safety-side control signal can be designed to control the corresponding control device so that the actuator is set in a predetermined operating state, by means of which the actuator system is set to the safe state. For example, the control device can be controlled using the safety-side control signal so that a supply line is interrupted and the actuator is then placed in an inactive operating state, or be controlled so that a supply line is released and the actuator is then placed in an active operating state.

The actuator system can be, for example, a system from the fields of mechanical engineering, plant engineering or vehicle construction. Thus, the actuator system may be a system used in a vehicle. A vehicle may be, for example, a land vehicle, a watercraft or an aircraft, such as a motor vehicle, a work machine, an agricultural machine, a boat, a ship, an aircraft or a helicopter. The actuator may be, for example, a drive, a motor, a machine or an actuator. The actuator may for example be designed as an electrically, hydraulically or pneumatically operable actuator. The actuator can be supplied with the operating energy via the supply lines. The actuator can be put into an active operating state by supplying the operating energy, in which the actuator can perform mechanical work. By interrupting an energy flow of the operating energy to the actuator, the actuator can be put into an inactive operating state in which the actuator can not do any mechanical work. The operating device may include a power source for providing the operating power. The energy flow of the operating energy can be controlled via the at least one control device. By the control device, the energy flow through the Supply lines are controlled, so for example throttled or blocked or released. The first supply line can be understood as a primary-side and the second supply line as a secondary-side supply line, or vice versa. A control device may be designed, for example, as a switch or as a valve. The operating device and the safety device can be designed to control one and the same control device or different control devices via the control signals provided by them. Different control devices can be arranged in the same or in different supply lines. The safety device may be configured to provide the safety-side control signal in response to a predetermined state of the trigger signal. The trigger signal may be a signal provided solely for indicating the state of the operating device from the operating device or a general communication signal of the operating device.

According to one embodiment, the provision device of the safety device may be designed to detect a failure of the trigger signal and to provide the safety-side control signal in response to the failure. For example, if the trigger signal is actively driven by the operating device, failure of the operating device results in failure of the trigger signal. This can be easily detected and used to bring the actuator system in the safe state.

For example, the provision device of the safety device can be designed to provide the safety-side control signal in order to interrupt the energy flow of the operating energy using the control device or the further control device. Thereby, providing the operating power to the actuator can be inhibited, regardless of an output of the operating-side control signal by the operating device. In this way, the actuator can be safely placed or held in an inactive operating state. This is useful in a so-called fail-safe system, in which the actuator system is transferred by deactivating the actuator in the safe state.

According to one embodiment, the safety device has a supply interface for providing further operating energy for operating the actuator. The supply interface can be coupled to a further first supply line. For this purpose, the safety device can have an energy source for providing the further operating energy. Thus, the actuator can be supplied with operating energy via the first supply line and additionally or alternatively via the further first supply line. In this way, the actuator can be supplied even in case of failure of the operating device via the safety device with the operation of the actuator required operating energy.

In this case, the provision device of the safety device can be designed to provide the safety-side control signal in order to release a further energy flow of the further operating energy using the control device or the further control device. In this way, the actuator can be safely placed or held in an active operating state. This is useful in a so-called fail-operational system, in which the actuator system is transferred by activating the actuator in the safe state.

The communication interface of the safety device can be designed to provide a status signal indicating a provision of the safety-side control signal. The status signal may be provided to the operating device. In this way, the operating device can be informed about a state of the controllable by the safety device control device and thus of an operating state of the actuator. This can be important, for example, after a reset or when starting up the operating device.

The providing device can be designed to provide an additional safety-related control signal for controlling an additional control device using the trigger signal. For example, one of the controllable by the safety device controllers on the primary side and the other can be arranged on the secondary side of the actuator. In this way, the predetermined for the transfer of the actuator system in the safe state predetermined operating state of the actuator can be very safely brought about or held.

A corresponding actuator system has the following features:
an actuator having a first supply terminal, a second supply terminal, at least one first supply line coupled to the first supply terminal and at least one second supply line coupled to the second supply terminal;
at least one control device arranged on one of the supply lines for controlling an energy flow of an operating energy required to operate the actuator;
an operating device for supplying the actuator with the operating energy over the first Supply line is connected to the actuator, and is configured to provide an operating-side control signal for controlling the control device and a trigger signal for indicating an operating state of the operating device; and
a said safety device, which is designed to provide the safety-related control signal for controlling the control device or another control device in dependence on the information of the trigger signal, for example in the absence of the trigger signal, in order to transfer the actuator system into the safe state.

In this case, the control device can be designed as a switch for enabling or blocking the flow of energy through that supply line in which the switch is arranged. A switch can be operated, for example, electrically, hydraulically or pneumatically. The switch may for example be designed as a transistor or as a check valve. In this way, depending on the embodiment of the actuator system, a suitable switch can be selected.

According to one embodiment, the operating device for supplying the actuator with the operating energy via the first supply line to the first supply terminal of the actuator and be coupled via the second supply line to the second supply terminal. The control device which can be controlled by the operating device via the operating-side control signal can be arranged on the first supply line or the second supply line. The further control device which can be controlled by the safety device via the safety-side control signal can be arranged on the first supply line or the second supply line. In this case, the control device and the further control device can both be arranged on the first supply line, for example, both be arranged on the second supply line or one of the control devices can be arranged on the first supply line and the other of the control devices on the second supply line. In this way, the control devices can be suitably placed, for example, depending on the space available.

According to a further embodiment, the operating device for supplying the actuator with the operating energy via the first supply line to the first supply terminal of the actuator and the safety device for supplying the actuator with further operating energy via a further first supply line to the first supply terminal of the actuator to be coupled. The control device can be arranged on the first supply line or the second supply line and the further control device can be arranged on the further first supply line or a further second supply line coupled to the second supply connection. By using a further first and additionally or alternatively a further second supply line, which can be enabled or disabled via the further control device, the actuator can be safely placed in an active operating state.

For example, the actuator may be an actuator operable with electrical, hydraulic or pneumatic operating energy. Thus, the described approach can be used in different fields of application.

A method for transferring a named actuator system to a safe state comprises the following steps:
Receiving the trigger signal via a communication interface;
Processing the information of the trigger signal within the security device; and
Providing a safety-side control signal for controlling the control device or another control device using the information of the trigger signal to bring the actuator system in the safe state.

The steps of the method can advantageously be implemented by means of a named safety device.

A method of operating such an actuator system comprises the following steps:
Providing an operating-side control signal for controlling the control device using the operating device;
Providing a trigger signal for indicating an operating state of the operating device using the operating device; and
Carrying out the steps of said method for transferring said actuator system to a safe state in order to provide a safety-related control signal for controlling the control device or another control device after the processing by the safety device, for example, of a missing trigger signal, in order to bring the actuator system into the safe state.

Said device may be an electrical device which processes electrical signals, for example sensor signals, and outputs control signals in dependence thereon. The device may have one or more suitable interfaces, which may be formed in hardware and / or software. In a hardware embodiment, the interfaces may for example be part of an integrated circuit in which functions of the Device are implemented. The interfaces may also be their own integrated circuits or at least partially consist of discrete components. In a software training, the interfaces may be software modules that are present, for example, on a microcontroller in addition to other software modules.

A computer program product with program code which can be stored on a machine-readable carrier such as a semiconductor memory, a hard disk memory or an optical memory and is used to carry out the method according to one of the embodiments described above if the program is installed on a computer or a device is also of advantage is performed.

The invention will be described by way of example with reference to the accompanying drawings. Show it:

1 an actuator system according to an embodiment of the present invention;

2 an actuator system according to an embodiment of the present invention;

3 a safety device for an actuator system according to an embodiment of the present invention;

4 to 6 Actuator systems according to an embodiment of the present invention;

7 to 8th Actuator systems according to an embodiment of the present invention;

9 a flowchart of a method for transferring an actuator system in a safe state; and

10 a flowchart of a method for operating an actuator system; and

11 a vehicle with an actuator system according to an embodiment of the present invention.

In the following description of preferred embodiments of the present invention, the same or similar reference numerals are used for the elements shown in the various figures and similarly acting, wherein a repeated description of these elements is omitted.

1 shows an actuator system 100 according to an embodiment of the present invention. The actuator system 100 has an operating device 102 , an actor 104 and a security device 106 on. Using the safety device 106 can the actuator system 100 be transferred to a safe state. This in 1 shown actuator system 100 For example, it can be implemented as a fail-safe system.

The actor 104 indicates a first supply connection 108 in the following, as the primary-side supply connection 108 is designated and a second supply connection 110 in the following, as a secondary-side supply connection 110 referred to as. A primary-side supply line 112 is with the primary-side supply connection 108 and a secondary side supply line 114 is with the secondary side supply connection 110 connected. To the actor 104 to put into an active operating state, operating power over the supply lines 112 . 114 to the actor 104 provided. A corresponding energy flow 116 at an actuator in active operating state 104 is in 1 shown. To provide the operating power, the operating device 102 have a suitable energy source or a connection to a corresponding energy source, such as in 2 is shown.

The operating device 102 is designed to be a trigger signal 118 issue. The security device 106 is designed to receive the trigger signal 118 to recieve. The security device 106 is further configured to be based on the trigger signal 118 to determine if the operating device 102 is in a faultless condition in which the operating device 102 the actor 104 operate properly, or whether the operating device 102 is in a faulty condition in which a proper operation of the actuator 104 through the operating device 102 is not guaranteed.

To control the flow of energy 116 through the actor 104 and thus for controlling the operating state of the actuator 104 indicates the actuator system 100 at least one control device 120 on, on one of the supply lines 112 . 114 is arranged. According to the in 1 shown embodiment is a control device 120 on the primary-side supply line 112 and another control device 122 also on the primary-side supply line 112 arranged.

The operating device 102 is configured to control the control device 120 an operating control signal 124 to the controller 120 provide. The control device 120 is configured to be responsive to receipt of the operating control signal 124 a size of the energy flow 116 through the primary-side supply line 112 to control, for example, too interrupt or release. For example, the control device 120 be formed to the primary-side supply line 112 in response to receipt of the operating control signal 124 or in response to a receipt of the first signal state having operating-side control signal 124 to lock. Accordingly, the control device 120 be formed to the primary-side supply line 112 release when the control device 120 the operating control signal 124 not or with a second signal state.

If the operating device 102 is in a faultless state, can operate the actuator 104 solely by the operating device 102 via the control device 120 to be controlled. In this case, the further control device 122 be controlled so that the further control device 122 the energy flow 116 not blocked.

For transferring the actuator system 100 in a safe condition is the safety device 106 designed to be a safety-related control signal 126 to the further control device 122 provide to the further control device 122 so that the energy flow 116 from the further control device 112 locked or throttled. To a need of transferring the actuator system 100 to recognize the safe state is the safety device 106 trained to the trigger signal 118 evaluate. Depending on a result of the evaluation of the trigger signal 118 and depending on an embodiment of the further control device 122 is the safety device 106 trained to the safety-side control signal 126 output or not output, or output with a first signal state or a second signal state. For example, the security device 106 be formed to the safety-side control signal 126 output when the trigger signal 118 is not received or with a predetermined signal information.

The further control device 122 is configured to be responsive to receipt of the safety-side control signal 126 the energy flow 216 through the primary-side supply line 112 to control, for example, interrupt or release. For example, the further control device 122 be configured to respond to a reception of the safety-side control signal 126 the primary-side supply line 112 to lock, and be trained to the primary-side supply line 112 release when the safety device 106 the safety-side control signal 126 not or with a changed signal state to the further control device 122 provides.

Thus, the energy flow 116 through the actor 104 both by a suitable driving of the control device 120 through the operating device 102 , as well as by a suitable driving of the further control device 122 through the security device 106 interrupted and the actor 104 thus be put into an inactive state in which the actuator 104 for example, does not provide mechanical energy. In particular, the actuator 104 also solely by driving the other control device 122 through the security device 106 be put in the inactive state. By the actor 104 is put into the inactive state becomes the actuator system 100 transferred to the safe state.

Not with the actor 104 connected connection of the secondary supply line 114 can be open to the operating device 102 be recycled or, for example, connected to an energy sink. A power supply device for providing the operating power for operating the actuator 104 can be completely or partially from the operating device 102 includes his. Such a power supply device may be, for example, a power supply for providing electrical energy or a pump for providing hydraulic or pneumatic energy.

Alternatively to the in 1 In the embodiment shown, the control devices 120 . 122 both in the secondary supply line 114 be arranged, or on both supply lines 112 . 114 be distributed.

According to one embodiment, only one control device, for example the control device 120 be provided, which can be controlled both by the operating control signal and by the safety-side control signal. Be in the controller 120 both control signals simultaneously to control the actuator 104 needed, it is a fail-safe system.

2 shows an actuator system 100 according to an embodiment of the present invention. This in 2 shown actuator system 100 may for example be realized as a fail-operational system.

The actuator system 100 corresponds to the in 1 shown actuator system, with the difference that another primary-side supply line 212 is provided, over which the safety device 106 with the primary-side connection 108 of actuator 104 connected is. The further control device 122 is on the other primary-side supply line 212 arranged.

As already on the basis of 1 described, the actuator system 100 using the safety device 106 be transferred to a safe state. According to this embodiment, the actuator 104 in an active operating state to the actuator system 100 to transfer to the safe state. This is the safety device 106 trained to over the other primary-side supply line 212 further operating energy for operating the actuator 104 to the actor 104 provide, if the further control device 122 by the safety-related control signal 126 is controlled so that the further control device 122 another energy flow 216 the further operating energy through the other primary-side supply line 212 releases.

Thus, an energy flow 116 . 216 through the actor 104 both by a suitable driving of the control device 120 through the operating device 102 , as well as by a suitable driving of the further control device 122 through the security device 106 released and the actuator 104 thus be put into an active state. In the active state, the actuator 104 For example, provide mechanical energy. In particular, the actuator 104 also solely by driving the other control device 122 through the security device 106 be put into the active state. By the actor 104 is put into the active state, the actuator system 100 transferred to the safe state.

According to one embodiment, the operating device 102 an operating power supply device 230 to provide the energy flow 116 and the security device 106 a safety-side power supply device 232 for providing the further energy flow 216 on. The power supply facilities 230 . 232 can be self-sufficient operable from each other or be fed, for example, from a common energy reservoir.

3 shows a safety device 106 according to an embodiment of the present invention. The security device 106 can be used to design a system consisting of an operating device and an actuator, as determined by the 1 and 2 are shown to put in a safe state.

The security device 106 has a communication interface 340 and a provisioning device 342 on. The communication interface 340 is designed to be a trigger signal 118 to receive and the trigger signal 118 or one of the trigger signal 118 transmitted trigger information to the providing device 342 provide. The provisioning device 342 is designed to operate using the trigger signal 118 or the trigger information, a control signal 126 for controlling a control device, for example, in the 1 and 2 to provide shown further control devices. The control signal 126 is according to this embodiment via an output interface 344 output.

According to one embodiment, the safety device 106 an optional supply interface 348 on. The supply interface 348 is designed to provide further operating energy, for example, as another energy flow 216 to provide to the actuator. To provide the further operating energy, the safety device 106 an optional safety-side power supply device 232 have, which may optionally be designed redundant. Using the further operating energy, the actuator can also be set or held in an active operating state, if no operating energy can be provided to the actuator or provided by an operating device which is provided for the normal operation of the actuator, for example because an error at the Operating device is present.

According to one embodiment, the communication interface 340 designed to be a status signal 350 issue. The status signal 350 for example, by the provisioning device 342 be provided to indicate that the safety-side control signal 126 is issued and thus the system is transferred to the safe state or held. Alternatively, the status signal 350 be provided to indicate that the security device 106 is operational.

According to one embodiment, the providing device 342 is designed to be using the trigger signal 118 an additional safety-related control signal 352 to provide for controlling an additional controller. The additional safety-related control signal 352 can also via the output interface 344 be issued.

The 4 to 8th show different embodiments of an actuator system according to embodiments of the present invention. Based on the figures, a redundant actuator activation and a redundant actuator deactivation by an additional security participant 106 described. The security participant 106 corresponds to the safety device described with reference to the preceding figures 106 ,

The approach described can be used as a supplement or as an alternative to a communication watchdog-based approach. Such a communication watchdog can be installed in an existing system to control the safe state of the existing system by affecting the electrical supply to the actuator 104 driving participant, for example, the operating device shown in the preceding figures 102 , to reach. Alternatively to influencing the actuator 104 via the communication watchdog, the actuator can 104 be driven directly according to the approach described to achieve the safe state.

The approach described can be used to bring about a safe state in a safety-relevant system. The safety-relevant system consists of a legacy system 102 For example, the operating device shown in the preceding figures 102 , and the actor 104 , also called output device. Depending on the system, the safe state can be achieved by switching on or off the outputs of the old system 102 , in turn, the actor 104 be switched on or off, or by the approach already described with reference to the preceding figures.

Switching on the actuator 104 to transfer the system 100 in the secure state is preferably used in so-called fail-operational systems. This is where the system becomes 100 by activating at least one actuator 104 transferred to the safe state.

Switch off the actuator 104 is used in fail-safe systems. This is where the system becomes 100 by deactivating at least one actuator 104 transferred to the safe state.

The described approach is also suitable if the legacy system 102 has no or only partial facilities to bring about the safe state. Also, the described approach can be used to existing, safety-related systems 100 into a new context or to adapt to changing framework conditions, such as new safety standards with higher requirements or new areas of application. Subsequent hardware changes to the existing system 100 are often very expensive, complex and only for the particular system 100 applicable. Such systems 100 can be beneficial to the security participant 106 be supplemented to implement the described approach.

The described approach enables a solution for the transfer of the actuator system 100 in a safe condition, which is reusable, inexpensive and technically less complex and directly to one or more actuators 104 acts to ensure the safe state of the safety-relevant overall system 100 bring about.

The solution is based on the security participant 106 , which represents an additional component, which in the overall system 100 is integrated.

As functions of the security participant 106 instructs the security participant 106 a function of monitoring communication between old device 102 and security participants 106 and a function of direct access from the security agent 106 on the actor 104 and, depending on whether it is a fail-safe or a fail-operational system, the activation or deactivation of the actuator 104 ,

The security participant 106 may be carried out according to different embodiments in the vehicle area to such an extent that a use of a vehicle available in a participant, such as a driver control unit, an I / O expansion module or a vehicle control computer, as security participants 106 is used. Alternatively, a cultivation of a separate participant, responsible for the task of the security participant 106 is installed in the vehicle, are used.

The security participant 106 is by a participant 102 of the system to be protected 100 via an interface, for example the in 3 shown communication interface 340 , triggered. This interface can be a serial or parallel interface or a bus system, eg a vehicle CAN or a transmission CAN. Intermittent or implausible triggering becomes the system to be monitored 100 from the security participant 106 transferred to the safe state. It is distinguished whether the security participant 106 the actor 104 activated or deactivated.

The communication between the operating device 102 and the security device 106 can be designed as follows:
The operating device 102 and the security device 106 are connected to each other via a communication interface, hereinafter also referred to as triggers. This can be a bidirectional trigger or a unidirectional trigger.

In a bi-directional trigger, the communication is from the operating device 102 to the security device 106 , and the other way around. This also allows the operating device 102 above the status of the security device 106 be informed and react accordingly if necessary.

In a unidirectional trigger, the communication is from the operating device 102 to the security device 106 , Cancels the communication from the operating device 102 to the security device 106 together or does not match the defined behavior, so is the safety device 106 formed according to an embodiment to the overall system 100 to transfer to the safe state.

Based on 4 to 6 are hereinafter referred actuator systems 100 according to embodiments of the present invention, in which a deactivation of the actuator 104 he follows.

For deactivating the actuator 104 is in the drive path of the actuator 104 For example, in the supply lines 112 . 114 , a control device 122 built in the form of an interruption device, as already described with reference to the preceding figures. This can for example be done electrically by a switch or pneumatically / hydraulically by a valve or mechanically / electromechanically.

The deactivation of the actuator 104 can be realized via a primary-side shutdown, a secondary-side shutdown and a primary and secondary side shutdown.

4 shows actuator system 100 according to an embodiment of the present invention. For the transfer of the actuator system 100 The actuator is in a safe state 104 deactivated, that is put into an inactive state. The deactivation of the actuator 104 is using a security device 106 and another control device 122 implemented via a secondary-side shutdown.

In the case of a secondary-side shutdown, one is used for the operation of the actuator 104 necessary return to the actuator 104 so manipulated that the actor 104 is deactivated. In this case, for example, an electrical return, for example, a ground supply, interrupted. In the case of a pneumatic return a vent is released or released in a hydraulic system, a bypass.

According to the in 1 shown embodiment, the in 4 shown actuator system an operating device 102 in the form of a legacy system, the actor 104 , a safety device 106 in the form of a security participant 106 and a control device 120 and another control device 122 on. The old system 100 is via a primary-side supply line 112 with the actor 104 and a secondary supply line 114 with the actor 104 connected. To operate the actor 104 takes place starting from the operating device 114 an energy flow 116 over the supply lines 112 . 114 and the actor 104 back to the operating device 114 ,

The operating device 102 and the security device 106 are over a data connection 418 , here a bidirectional data connection, connected to each other for a bidirectional trigger. The operating device 102 is trained to over the data connection 418 a trigger signal 118 to the safety device 106 transferred to. The security device 106 is trained to over the data connection 418 a status signal 350 to the operating device 102 transferred to.

This allows bidirectional triggering between the operating device 102 in the form of the old system and the safety device 106 in the form of the security participant. The operating device 102 and the security device 106 are independently capable of acting on the secondary side of the actuator 104 the actor 104 to disable.

According to this embodiment, the control device 120 and the further control device 122 in series in the secondary supply line 114 arranged. For driving the control device 120 about one of the operating device 102 provided operational control signal 124 is the operating device 102 via a control line 424 with a control input of the control device 120 connected. For driving the further control device 122 about one of the safety device 106 provided safety-side control signal 126 is the safety device 106 via a control line 426 with a control input of the further control device 122 connected.

According to this embodiment, the control devices 120 . 122 ever realized as a switch. In the in 4 shown state of the actuator system 100 are the control devices 120 . 122 open, so no energy flow through the actuator 104 can be done and the actor 104 is in a deactivated operating state. Is the facility located 102 in a faultless condition, so are the controllers 120 . 122 closed and the actor 104 in an active operating state. Is by an evaluation of the trigger signal 118 from the safety device 106 a faulty condition of the operating device 102 Suppose so is the safety device 106 trained to be the actor 104 independent of a switching state of the control device 120 over the further control device 122 to disable.

5 shows actuator system 100 according to an embodiment of the present invention. For the transfer of the actuator system 100 The actuator is in a safe state 104 deactivated, that is put into an inactive state. The deactivation of the actuator 104 is using a security device 106 and another control device 122 implemented via a primary-side shutdown.

In the case of a primary-side shutdown, the one for the operation of the actuator 104 necessary supply of the actuator 104 , in the flow direction of the energy flow 116 seen, in front of the actor 104 interrupted. The supply can, for example, via the supply line 112 take place in the form of an electrical supply line, a pneumatic supply line or a hydraulic supply line. Using the example of an electrical supply, the power supply is interrupted.

This in 5 shown actuator system 100 corresponds to the basis of 4 described actuator system, with the difference that the further control device 122 in the primary-side supply line 112 is arranged.

The operating device 102 and the security device 106 are via a bidirectional data connection 418 connected with each other. The operating device 102 is designed to be over the bidirectional data connection 418 a trigger signal 118 to the safety device 106 transferred to. The security device 106 is designed to be over the bidirectional data connection 418 a status signal 350 to the operating device 102 transferred to.

This allows bidirectional triggering between the operating device 102 in the form of the old system and the safety device 106 in the form of the security participant. The deactivation of the actuator 104 through the operating device 102 takes place on the secondary side and through the safety device 106 the primary side. The operating device 102 and the security device 106 are independently capable of the actuator 104 to disable.

According to this embodiment, the control devices 120 . 122 as based on 4 described, each realized as a normally open (normally open) and shown in an open switching state. The control devices 120 . 122 Alternatively, however, they can also be realized as normally closed (normally closed).

6 shows an actuator system 100 according to an embodiment of the present invention. For the transfer of the actuator system 100 The actuator is in a safe state 104 deactivated, that is put into an inactive state. The deactivation of the actuator 104 is using a security device 106 , another control device 122 and an additional additional control device 622 implemented via a primary-side and a secondary-side shutdown.

For a primary and secondary shutdown, the actuator 104 To increase the reliability of an interruption device are simply or redundantly switched off, so a combination of primary and secondary side shutdown can be performed.

This in 6 shown actuator system 100 corresponds to the basis of 4 described actuator system, with the difference that in addition the additional additional control device 622 in the primary-side supply line 112 is arranged. The security device 106 is designed to correspond to the safety-side control signal 126 an additional safety-related control signal 352 via another control line 626 to a control input of the additional further control device 622 issue.

As another difference to that in 4 embodiment shown are the operating device 102 and the security device 106 via a data connection 418 , here a unidirectional data connection, interconnected. The operating device 102 is trained to over the data connection 418 a trigger signal 118 to the safety device 106 transferred to.

This allows unidirectional triggering between the operating device 102 in the form of the old system and the safety device 106 in the form of the security participant. The operating device 102 is trained to be the actor 104 deactivate on the secondary side. The security device 106 is trained to be the actor 104 regardless of the operating device 102 Disable on the primary and secondary sides. In case of failure of the operating device 102 is the actor 104 disabled. The failure of the operating device may be a complete or incomplete failure.

According to this embodiment, the control devices 120 . 122 . 622 as based on 4 described, each realized as a switch and shown in an open switching state. Is via the trigger signal 118 from the safety device 106 a faulty condition of the operating device 102 Suppose so is the safety device 106 trained to be the actor 104 independent of a switching state of the control device 120 over the further control device 122 and additionally or alternatively via the additional additional control device 622 to disable.

Based on 7 to 8th are hereinafter referred actuator systems 100 according to embodiments of the present invention, in which an activation of the actuator 104 he follows.

For the activation of the actuator 104 is in the drive path of the actuator 104 a control device 122 installed in the form of a switch-on. This can for example be realized electrically by a switch or pneumatically / hydraulically by a valve or mechanically / electromechanically.

Activation of the actuator 104 can be done via a primary-side activation, a secondary-side activation or a primary and secondary activation.

7 shows an actuator system 100 according to an embodiment of the present invention. For the transfer of the actuator system 100 The actuator is in a safe state 104 activated, so put into an active state. The redundant activation of the actuator 104 is using a security device 106 and another control device 122 implemented via a primary-side switch-on.

In the case of a primary-side activation, the supply of the actuator necessary for operation becomes 104 in front of the actor 104 regardless of the operating device 102 switched on. This is sufficient if the actuator 104 not on the secondary side by the operating device 102 can be disabled. The supply of the actuator 104 can via a supply line 112 , For example, an electrical supply line, a pneumatic supply line or a hydraulic supply line done. The example of an electrical supply, the activation of the actuator 104 that have both the operating device 104 as well as through the security device 102 can be performed, for example, be ensured by a parallel circuit through which the operating power to operate the actuator 104 is provided in the form of a supply voltage.

According to the in 2 shown embodiment, the in 7 shown actuator system 100 an operating device 102 Here, for example, in the form of a legacy system, the actuator 104 , a safety device 106 , here for example in the form of a security participant 106 , as well as a control device 120 and another control device 122 on. The operating device 102 is via a primary-side supply line 112 with a primary-side supply connection of the actuator 104 connected. The security device 106 is via another primary-side supply line 212 with the primary-side supply connection of the actuator 104 connected. A secondary-side supply connection of the actuator 104 is connected according to this embodiment with an energy sink, here a ground potential.

The operating device 102 and the security device 106 are over a data connection 418 , here a unidirectional data connection, connected to each other for a unidirectional trigger. The operating device 102 is trained to over the data connection 418 a trigger signal 118 to the safety device 106 transferred to.

This allows unidirectional triggering of the operating device 102 to the security device 106 , The operating device 102 is trained to be the actor 104 on the primary page to enable and disable. On the secondary side, the actuator 104 not be disabled. The security device 106 can the actor 104 regardless of the operating device 102 activate on the primary page.

According to this embodiment, the control device 120 and the further control device 122 parallel in a primary-side energy supply of the actuator 104 arranged. For driving the control device 120 about one of the operating device 102 provided operational control signal 124 is the operating device 102 via a control line 424 with a control input of the control device 120 connected. For driving the further control device 122 about one of the safety device 106 provided safety-side control signal 126 is the safety device 106 via a control line 426 with a control input of the further control device 122 connected.

According to this embodiment, the control devices 120 . 122 ever realized as a switch. In the in 7 shown state of the actuator system 100 are the control devices 120 . 122 open, so no energy flow through the actuator 104 can be done and the actor 104 is in a deactivated operating state. Is the facility located 102 in a faultless state, so can operation of the actuator 104 completely from the facility 102 be performed. In this case, the actuator 104 be placed in both the active and inactive operating state, if the other control device 122 an energy flow through the other primary-side supply line 212 prevented. Is via the trigger signal 118 from the safety device 106 a faulty condition of the operating device 102 Suppose so is the safety device 106 trained to be the actor 104 independent of a switching state of the control device 120 over the further control device 122 to activate the actuator system 100 to transfer to the safe state.

According to the in 7 shown embodiment, a secondary-side activation can be realized. This is one for the operation of the actuator 104 necessary return to the actuator 104 so manipulated that the actor 104 is activated. This is sufficient if the actuator 104 not on the primary side by the operating device 102 can be disabled. In this case, for example, an electrical return (ground supply) is switched by a parallel circuit, blocked in the case of a pneumatic return a vent or blocked in a hydraulic system, a bypass.

This in 8th shown actuator system 100 corresponds to the basis of 7 described actuator system, with the difference that the actuator 104 on the secondary side via a secondary supply line 114 and another secondary side supply line 814 connected to the energy sink. At the secondary side supply line 114 is another one of the operating device 102 controllable control device 822 arranged. This is the operating device 102 designed to correspond to the operating-side control signal 124 another operating control signal 824 via another control line 826 to a control input of the further control device 822 issue. At the other secondary supply line 814 is an additional additional control device 622 is arranged. The security device 106 is designed to correspond to the safety-side control signal 126 an additional safety-related control signal 352 via another control line 626 to a control input of the additional further control device 622 to spend an energy flow through the actuator 104 to enable.

This allows unidirectional triggering between the operating device 102 in the form of the old system and the safety device 106 in the form of the security participant. To activate the actuator 104 through the operating device 102 it is necessary to close the primary and secondary sides. The security device 106 can be parallel to the operating device 102 the actor 104 Activate primary and secondary side and thus independent of the operating device 102 the actor 104 activate.

In the primary and secondary side activation, the operating device 102 the actor 104 Disable primary as well as secondary. In this case it is necessary that the safety device 106 one from the operating device 102 Independent primary and secondary activation dominates the overall system 100 to be able to transfer to the safe state.

9 shows a flowchart of a method for transferring an actuator system in a safe state according to an embodiment of the present invention. The method can be used to bring an actuator system, as described with reference to the preceding figures, in the safe state.

The method comprises a step 901 in which a trigger signal is received, a cut 902 in which the trigger signal is processed and the information of the trigger signal is evaluated and a step 903 in which, using the information of the trigger signal, a safety-related control signal for transferring the actuator system into the safe state is provided.

The steps 901 . 903 can be implemented, for example, using means of a safety device already described.

10 shows a flowchart of a method for operating an actuator system according to an embodiment of the present invention. The method can be used to operate an actuator system, as described with reference to the preceding figures, and in particular to convert it into a safe state when required.

The method comprises a step 1001 in which an operation-side control signal for controlling an operating state of an actuator is provided and a step 1003 providing a trigger signal for indicating an operating state of an operating device by which the operating-side control signal is provided. According to one embodiment, the step 1003 carried out continuously, so that even during normal operation of the operating device, the trigger signal is output to indicate the normal operation of the operating device. In a faulty operation of the operating device, the step 1003 are executed to output the trigger signal to indicate a faulty operation of the operating device. Alternatively, in faulty operation of the operating device, the step 1003 are not executed so that erroneous operation can be indicated by not providing a trigger signal. Alternatively, the step 1003 are executed only during erroneous operation of the operating device to indicate the faulty operation.

In response to receiving the information of the trigger signal by the security device, the steps of a method 900 executed to transfer the actuator system in a safe state, as shown by 9 is described. By performing the procedure 900 At least one safety-side control signal is provided, by which at least one control device is controlled so that the actuator system is transferred to the safe state.

11 shows a vehicle 1100 with an actuator system 100 according to an embodiment of the present invention. The actor 104 of the actuator system 100 is with a facility 1101 of the vehicle 100 coupled to a function of the device 1101 to control. For example, it may be in the device 1101 around a parking brake of the vehicle 100 act.

The embodiments described and shown in the figures are chosen only by way of example. Different embodiments may be combined together or in relation to individual features. Also, an embodiment can be supplemented by features of another embodiment. Furthermore, method steps according to the invention can be repeated as well as carried out in a sequence other than that described.

If an exemplary embodiment comprises a "and / or" link between a first feature and a second feature, this can be read so that the embodiment according to one embodiment, both the first feature and the second feature and according to another embodiment, either only the first Feature or only the second feature.

LIST OF REFERENCE NUMBERS

100

actuator system

102

operating device

104

actuator

108

primary-side supply connection

110

secondary-side supply connection

112

primary-side supply line

114

Secondary supply line

116

energy flow

118

trigger signal

120

control device

122

further control device

124

operating control signal

126

safety-related control signal

212

further primary-side supply line

216

further energy flow

230

operating power supply device

232

safety-side power supply device

340

Communication Interface

342

Providing device

344

Output interface

348

Supply interface

350

status signal

352

additional safety-related control signal

418

Data Connection

424

control line

426

control line

622

additional additional control device

626

control line

814

additional secondary supply line

822

further control device

824

another operating control signal

826

control line

900

Method for transferring an actuator system

901

Step of providing

902

Step of processing

903

Step of receiving

1001

Step of providing

1003

 Step of providing

1100

vehicle

1101

Facility

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 102009054106 A1 [0002]

Claims (14)

Safety device ( 106 ) for transferring an actuator system ( 100 ) in a safe state, wherein the actuator system ( 100 ) an operating device ( 102 ), an actor ( 104 ) with a first supply connection ( 108 ) and a second supply connection ( 110 ), at least one with the first supply connection ( 108 ) coupled first supply line ( 112 ) and at least one with the second supply connection ( 110 ) coupled second supply line ( 114 ) as well as at least one control device ( 120 ) located on one of the supply lines ( 112 . 114 ) is arranged to generate a flow of energy ( 116 ) one for operating the actuator ( 104 ) to control required operating energy, wherein the operating device ( 102 ) for supplying the actuator ( 104 ) with operating power via the first supply line ( 112 ) with the actuator ( 104 ), and wherein the operating device ( 102 ) is designed to provide an operating control signal ( 124 ) for controlling the control device ( 120 ) and a trigger signal ( 118 ) for displaying an operating state of the operating device ( 102 ), characterized in that the safety device ( 106 ) has the following features: a communication interface ( 340 ) which is designed to receive the trigger signal ( 118 ) to recieve; and a provisioning device ( 342 ), which is designed to use the information of the trigger signal ( 118 ) a safety-related control signal ( 126 ) for controlling the control device ( 120 ) or another control device ( 122 ) to provide the actuator system ( 100 ) into the safe state. Safety device ( 106 ) according to claim 1, characterized in that the provision device ( 342 ) is designed to prevent a failure of the trigger signal ( 118 ) and the safety-related control signal ( 126 ) in response to the failure. Safety device ( 106 ) according to one of the preceding claims, characterized in that the provision device ( 342 ) is formed to the safety-side control signal ( 126 ) to provide the energy flow ( 116 ) of the operating energy using the control device ( 120 ) or the further control device ( 122 ) to interrupt. Safety device ( 106 ) according to one of the preceding claims, characterized in that the safety device ( 106 ) a supply interface ( 348 ) for providing further operating energy for operating the actuator ( 104 ), wherein the supply interface ( 348 ) with another first supply line ( 212 ) can be coupled. Safety device ( 106 ) according to claim 4, characterized in that the provision device ( 342 ) is formed to the safety-side control signal ( 126 ) to provide another energy flow ( 126 ) of the further operating energy using the control device ( 120 ) or the further control device ( 122 ). Safety device ( 106 ) according to one of the preceding claims, characterized in that the communication interface ( 340 ) is adapted to provide a safety-related control signal ( 126 ) indicating status signal ( 350 ). Safety device ( 106 ) according to one of the preceding claims, characterized in that the provision device ( 342 ) is designed to operate using the trigger signal ( 118 ) an additional safety-related control signal ( 352 ) for controlling an additional control device ( 622 ). Actuator system ( 100 ) having the following characteristics: an actuator ( 104 ) with a first supply connection ( 108 ), a second supply connection ( 110 ), at least one with the first supply connection ( 108 ) coupled first supply line ( 112 ) and at least one with the second supply connection ( 110 ) coupled second supply line ( 114 ); at least one control device ( 120 ) connected to one of the supply lines ( 112 . 114 ) is arranged to generate a flow of energy ( 116 ) one for operating the actuator ( 104 ) to control required operating energy; an operating device ( 102 ), which are used to supply the actuator ( 104 ) with the operating energy via the first supply line ( 112 ) with the actuator ( 104 ) and is adapted to generate an operating control signal ( 124 ) for controlling the control device ( 120 ) and a trigger signal ( 118 ) for displaying an operating state of the operating device ( 102 ) to provide; and a security device ( 106 ) according to one of the preceding claims, which is designed to operate in dependence on the information of the trigger signal, for example in the absence of the trigger signal ( 118 ) the safety-side control signal ( 126 ) for controlling the control device ( 120 ) or another control device ( 122 ) to provide the actuator system ( 100 ) into the safe state. Actuator system ( 100 ) According to claim 8, characterized in that the at least one Control device ( 120 ) as a switch for enabling or blocking the flow of energy ( 116 ) through the supply line ( 112 . 114 ), in which the switch is arranged, is executed. Actuator system ( 100 ) according to claim 8 or 9, characterized in that the operating device ( 102 ) for supplying the actuator ( 104 ) with the operating energy via the first supply line ( 112 ) with the first supply connection ( 108 ) of the actuator ( 104 ) and via the second supply line ( 114 ) with the second supply connection ( 110 ), the control device ( 120 ) on the first supply line ( 112 ) or the second supply line ( 114 ) is arranged and the further control device ( 122 ) on the first supply line ( 112 ) or the second supply line ( 114 ) is arranged. Actuator system ( 100 ) according to claim 8 or 9, characterized in that the operating device ( 102 ) for supplying the actuator ( 104 ) with the operating energy via the first supply line ( 112 ) with the first supply connection ( 108 ) of the actuator ( 104 ) and the security device ( 106 ) for supplying the actuator ( 104 ) with further operating energy via a further first supply line ( 212 ) with the first supply connection ( 108 ) of the actuator ( 104 ), the control device ( 120 ) on the first supply line ( 112 ) or the second supply line ( 114 ) is arranged and the further control device ( 122 ) on the further first supply line ( 212 ) or one with the second supply connection ( 110 ) coupled another second supply line ( 814 ) is arranged. Actuator system ( 100 ) according to one of claims 8 to 11, characterized in that the actuator ( 104 ) an actuator operable with electrical, hydraulic or pneumatic operating energy ( 104 ). Procedure ( 900 ) for transferring an actuator system ( 100 ) in a safe state, wherein the actuator system ( 100 ) an operating device ( 102 ), the actuator ( 104 ) with a first supply connection ( 108 ) and a second supply connection ( 110 ), at least one with the first supply connection ( 108 ) coupled first supply line ( 112 ) and at least one with the second supply connection ( 110 ) coupled second supply line ( 114 ) as well as at least one control device ( 120 ) located on one of the supply lines ( 112 . 114 ) is arranged to generate a flow of energy ( 116 ) one for operating the actuator ( 104 ) to control required operating energy, wherein the operating device ( 102 ) for supplying the actuator ( 104 ) with operating power via the first supply line ( 112 ) with the actuator ( 104 ), and wherein the operating device ( 102 ) is designed to provide an operating control signal ( 124 ) for controlling the control device ( 120 ) and a trigger signal ( 118 ) for displaying an operating state of the operating device ( 102 ), characterized in that the method comprises the following steps: receiving ( 901 ) of the trigger signal ( 118 ) via a communication interface ( 340 ); To process ( 902 ) the information of the trigger signal within the security device; and deploy ( 903 ) a safety-related control signal ( 126 ) for controlling the control device ( 120 ) or another control device ( 122 ) using the trigger signal ( 118 ) to the actuator system ( 100 ) into the safe state. Method for operating an actuator system ( 100 ), which is an operating device ( 102 ), an actor ( 104 ) with a first supply connection ( 108 ) and a second supply connection ( 110 ), at least one with the first supply connection ( 108 ) coupled first supply line ( 112 ) and at least one with the second supply connection ( 110 ) coupled second supply line ( 114 ) as well as at least one control device ( 120 ) located on one of the supply lines ( 112 . 114 ) is arranged to generate a flow of energy ( 116 ) one for operating the actuator ( 104 ) to control required operating energy, wherein the operating device ( 102 ) for supplying the actuator ( 104 ) with operating power via the first supply line ( 112 ) with the actuator ( 104 ), characterized in that the method comprises the following steps: providing ( 1001 ) an operating control signal ( 124 ) for controlling the control device ( 120 ) using the operating device ( 102 ); Provide ( 1003 ) of a trigger signal ( 118 ) for displaying an operating state of the operating device ( 102 ) using the operating device ( 102 ); and performing the steps of the method ( 900 ) according to claim 13, in response to the information of the trigger signal ( 118 ), for example, when the trigger signal ( 118 ), by the security device ( 106 ) a safety-related control signal ( 126 ) for controlling the control device ( 120 ) or another control device ( 122 ) to provide the actuator system ( 100 ) into the safe state.

Images