EP1264097A1 - Device for reliably generating signals - Google Patents
- Publication number
- EP1264097A1, EP01913641A
- Authority
- EP
- European Patent Office
- Prior art keywords
- control
- control signal
- signal
- switching means
- emergency
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01H—ELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
- H01H27/00—Switches operated by a removable member, e.g. key, plug or plate; Switches operated by setting members according to a single predetermined combination out of several possible settings
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02N—STARTING OF COMBUSTION ENGINES; STARTING AIDS FOR SUCH ENGINES, NOT OTHERWISE PROVIDED FOR
- F02N11/00—Starting of engines by means of electric motors
- F02N11/08—Circuits or control means specially adapted for starting of engines
- F02N11/087—Details of the switching means in starting circuits, e.g. relays or electronic switches
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02P—IGNITION, OTHER THAN COMPRESSION IGNITION, FOR INTERNAL-COMBUSTION ENGINES; TESTING OF IGNITION TIMING IN COMPRESSION-IGNITION ENGINES
- F02P1/00—Installations having electric ignition energy generated by magneto- or dynamo- electric generators without subsequent storage
- F02P1/08—Layout of circuits
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02P—IGNITION, OTHER THAN COMPRESSION IGNITION, FOR INTERNAL-COMBUSTION ENGINES; TESTING OF IGNITION TIMING IN COMPRESSION-IGNITION ENGINES
- F02P3/00—Other installations
- F02P3/02—Other installations having inductive energy storage, e.g. arrangements of induction coils
- F02P3/04—Layout of circuits
- F02P3/0407—Opening or closing the primary coil circuit with electronic switching means
- F02P3/0435—Opening or closing the primary coil circuit with electronic switching means with semiconductor devices
- F02P3/0442—Opening or closing the primary coil circuit with electronic switching means with semiconductor devices using digital techniques
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02P—IGNITION, OTHER THAN COMPRESSION IGNITION, FOR INTERNAL-COMBUSTION ENGINES; TESTING OF IGNITION TIMING IN COMPRESSION-IGNITION ENGINES
- F02P3/00—Other installations
- F02P3/06—Other installations having capacitive energy storage
- F02P3/08—Layout of circuits
- F02P3/0807—Closing the discharge circuit of the storage capacitor with electronic switching means
- F02P3/0838—Closing the discharge circuit of the storage capacitor with electronic switching means with semiconductor devices
- F02P3/0846—Closing the discharge circuit of the storage capacitor with electronic switching means with semiconductor devices using digital techniques
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02D—CONTROLLING COMBUSTION ENGINES
- F02D41/00—Electrical control of supply of combustible mixture or its constituents
- F02D41/20—Output circuits, e.g. for controlling currents in command coils
- F02D2041/2068—Output circuits, e.g. for controlling currents in command coils characterised by the circuit design or special circuit elements
- F02D2041/2072—Bridge circuits, i.e. the load being placed in the diagonal of a bridge to be controlled in both directions
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02N—STARTING OF COMBUSTION ENGINES; STARTING AIDS FOR SUCH ENGINES, NOT OTHERWISE PROVIDED FOR
- F02N11/00—Starting of engines by means of electric motors
- F02N11/08—Circuits or control means specially adapted for starting of engines
- F02N11/0803—Circuits or control means specially adapted for starting of engines characterised by means for initiating engine start or stop
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02N—STARTING OF COMBUSTION ENGINES; STARTING AIDS FOR SUCH ENGINES, NOT OTHERWISE PROVIDED FOR
- F02N11/00—Starting of engines by means of electric motors
- F02N11/10—Safety devices
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01H—ELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
- H01H9/00—Details of switching devices, not covered by groups H01H1/00 - H01H7/00
- H01H2009/0083—Details of switching devices, not covered by groups H01H1/00 - H01H7/00 using redundant components, e.g. two pressure tubes for pressure switch
Definitions
- the invention is based on a device for secure signal generation according to the type of the independent claims.
- safety-critical signals are switched directly to the signal sink, such as terminal control signals from the ignition starter switch.
- if a safety-critical signal is to be generated by a microcontroller, it must be ensured that, when a single fault occurs in a component of the system, its safety-critical output signal neither changes to an incorrect state nor becomes impossible to switch from one state to another.
- the device for safe signal generation comprises a control means to which a control signal is supplied. Depending on the control signal, the control means generates a drive signal for driving a load.
- emergency running means are provided which, in an emergency mode, generate the drive signal instead of the control means.
- the redundant generation of the drive signal increases the safety of the overall arrangement, since in the event of a fault in the control means, the emergency running means are still available to generate the drive signal in an emergency mode. Correct driving is thus ensured, in particular in the case of safety-critical signals, such as the terminal control signal for an ignition starter switch. If faults occur in a component of the system, the drive signal does not change to an incorrect state and can still be switched to another state.
- the control signal is preferably also fed to the emergency running means, which in emergency operation generate the drive signal from this control signal.
- drive means for activating the emergency running means are provided, which activate the emergency running means when a fault in the control means has been detected. Only in an emergency is there a switchover to emergency operation and the associated driving by the emergency running means. In normal operation, however, the control means continues to generate the drive signal. This allows the complexity of the emergency running means to be reduced, since in normal operation the control means covers the usually more complex functionality.
- FIGS. 1 to 3 show block diagrams of several exemplary embodiments of the device according to the invention for safe signal generation.
- a control signal 12 is supplied to a control means 10 and to an emergency running means 30.
- the control means 10 generates an output signal 13 which is fed to the emergency operation switching means 32.
- a trigger signal 18 provided by the control means 10 is processed by a monitoring means 20.
- the control means 10 also generates an emergency operation control signal 15 for the emergency running means 30.
- the emergency running means 30 also receives a monitoring output signal 22 generated by a monitoring means 20.
- the emergency running means 30 generates an emergency operation output signal 34 and an emergency operation control signal 36.
- via the emergency operation control signal 36, the emergency operation switching means 32 can be changed in its switch position. In one switch position, the emergency operation switching means 32 forwards the output signal 13 of the control means 10 as a control signal 14 to a switching means 16.
- in the other switch position, the emergency operation switching means 32 forwards the emergency operation output signal 34 of the emergency operation means 30 to the switching means 16 as a control signal 14.
- with the switching means 16 switched by the control signal 14, a safety-relevant component can be activated or deactivated.
- in the exemplary embodiment according to FIG. 2, the control means 10 is supplied with the control signal 12 and a reset signal 24, which is generated by the monitoring means 20.
- the control means 10 in turn outputs the output signal 13 to the emergency operation switching means 32, the trigger signal 18 to the monitoring means 20 and the emergency operation control signal 15 to the emergency operation means 30.
- the emergency running means 30 emits the emergency running signal 34 and the emergency running control signal 36 to the emergency running switching means 32, the output signal of which is supplied to the switching means 16 for control purposes as the control signal 14.
- a second control means 40 is provided, which exchanges data with the control means 10 via a communication line 44.
- An emergency operation control signal 42 of the second control means 40 is output to the emergency operation means 30.
- a first control signal 54 reaches both a first inverter 51 and a first switching means 58.
- a fourth switching means 64 is controlled with the output signal of the first inverter 51.
- a second control signal 56 is supplied to both a second switching means 60 and a second inverter 52.
- the output signal of the second inverter 52 is used as a control signal for the third switching means 62.
- the first switching means 58 and the third switching means 62 are connected in series, as are the second switching means 60 and the fourth switching means 64.
- the first switching means 58 and the third switching means 62 are connected in parallel with the second and fourth switching means 60, 64 which are in series.
- the common potentials of the third and fourth switching means 62, 64 are connected (by way of example) to ground, and the common potentials of the first and second switching means 58, 60 (example) are connected to the load 50.
- a feedback line 66 is provided to detect the signal with which the load 50 is controlled.
- the exemplary embodiment according to FIG. 1 is used, for example, for the safe signal generation for an ignition starter switch in a motor vehicle.
- the corresponding signal of the desired ignition state is sent as a control signal 12 to both the control means 10 and the emergency running means 30.
- the control means 10 processes the incoming control signal 12 with the aid of further information, if necessary.
- an automatic start/stop function is implemented in the control means 10, for example, which automatically deactivates or activates the ignition (as an example of a load 50) when certain conditions are present.
- control means 10 therefore generates an output signal 13 as a function of the control signal 12, with which the switching means 16 is controlled in normal operation, for example for activating or deactivating the ignition.
- since the ignition is a safety-critical function, the switching means 16 must be controlled correctly even if the control means 10 does not work properly.
- the emergency running means 30 with the associated emergency running switching means 32 is provided for this purpose. In the event of a fault in the control means 10, the emergency running means 30 controls the emergency running switching means 32 in such a way that the emergency running switching means 32 no longer loops through the output signal 13 of the control means 10 as the control signal 14 for the switching means 16, but rather the emergency operation output signal 34.
- the emergency operation output signal 34 is the corresponding state of the control signal 12.
- in the simplest case, the control signal 12 is simply looped through via the emergency running means 30 as the emergency running output signal 34.
- additional logic could also be integrated in the emergency running means 30, which depends on the control signal 12 certain conditions into the emergency running output signal 34.
- the emergency operation switching means 32 is switched over to forward the emergency running output signal 34 as the control signal when faulty operation of the control means 10 has been detected.
- the emergency running function of the emergency running means 30 can be activated either by the control means 10 itself or by the monitoring means 20.
- a self-diagnosis function is integrated in the control means 10 in order to monitor its own functionality. If the control means 10 detects its own fault, it sends a corresponding message via the emergency operation control signal 15 to the emergency operation means 30 to activate the emergency operation function, as already described above.
- Monitoring means 20 is provided for additional or alternative monitoring of control means 10. This is, for example, a so-called watchdog.
- the control means 10 emits a trigger signal 18 to the monitoring means 20.
- the monitoring means 20 checks whether the incoming trigger signal 18 matches an expected trigger signal. For example, a frequency deviation of the trigger signal 18 could be used as a criterion for an error.
- the monitoring means 20 detects a significant deviation of the trigger signal 18 from the expected
- as a second means of monitoring the control means 10, a second control means 40 is provided. Based on the communication, bidirectional if necessary, that is routed via the communication line 44 between the first control means 10 and the second control means 40, the second control means 40 monitors the functionality of the control means 10. For this purpose, for example, the second control means 40 could send test signals to the control means 10, which sends back corresponding response signals. On the basis of the incoming response signals, the second control means 40 determines whether the control means 10 is still functioning properly. Should the incoming response of the control means 10 differ from the expected one, the second control means 40 concludes that the operation is faulty and activates the emergency operation stored in the emergency operation means 30 via the emergency operation control signal 42. The emergency operation corresponds to that described in embodiment 1. Reference is made to the corresponding explanations. The second control means 40 essentially takes over the function of the monitoring means 20 of the first exemplary embodiment.
- the monitoring means 20 is thus freed from these tasks and can take over the so-called watchdog function. Again, the monitoring means 20 monitors the trigger signal 18 for significant, unexpected deviations. Should such deviations occur, the monitoring means 20 sends a corresponding reset signal 24 to the control means 10. The control means 10 is restarted. The second control means 40 recognizes this reset and activates the emergency operation function of the emergency operation means 30 at this point at the latest. As in the exemplary embodiment according to FIG. 1, the control means 10 can itself activate the emergency running function of the emergency running means 30. This could be the case if the control means 10 itself recognizes that it is working incorrectly and/or if it detects an error in the second control means 40. Alternatively, the emergency running function of the emergency running means 30 could be triggered by the monitoring means 20 after a predeterminable number of reset signals 24. The so-called watchdog function of the monitoring means 20 would be retained.
- the switching means 16 could have a structure as shown in FIG. 3.
- the control means 10 would generate two signals, the first and the second control signal 54, 56, instead of only one output signal 13. Just one of the two control signals 54, 56 would have to be fail-safe (as described above).
- the non-fail-safe control signal only has to assume a defined state in the event of an error.
- the control means 10 receives and processes the signal tapped from the return line 66.
- a third switching means 62 is also connected in series with the first switching means 58. If, for example, the first switching means 58 can no longer be opened, the desired output signal could still be achieved by opening the third switching means 62. However, if the first switching means 58 could no longer be closed, the desired output state could be achieved by closing the second and fourth switching means 60, 64.
- in the basic state, that is to say when the load 50 is switched off, the first and second control signals 54, 56 have a logic zero state. In cooperation with the two inverters 51, 52, the third and fourth switching means 62, 64 are closed. Since the first and second switching means 58, 60 remain open, the load 50 is deactivated.
- if the load 50 is to be switched on, as a change in the control signal 12 indicates, the control means 10 generates a second control signal 56 with the level logic one. The second switching means 60 is thereby closed. The right path of the switching means 16 is now turned on and thus the load 50 is switched on. In parallel to this, the control means 10 detects the state of the load 50 via the return line 66. When the switching means 16 operates properly, a level of the second control signal 56 of logic one also leads to an energization of the load 50.
- if the control means 10 recognizes that the desired activation of the load 50 does not have the desired effect, it changes to an emergency mode.
- the left path of the switching means 16 is activated by changing the first control signal 54 to logic one.
- the first switch 58 is closed and the load 50 is thereby switched on.
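The fault behaviour of the FIG. 3 network described in the items above, as an added example that is not part of the patent text: a C model of the switching means 58, 60, 62, 64 and inverters 51, 52 that injects every single stuck-open or stuck-closed switch fault and checks, through the modelled return line 66, that the load 50 can still be switched both on and off. The fault model, the function names and the 1/1 switch-off pattern are assumptions derived from the described wiring.

```c
#include <stdbool.h>
#include <stdio.h>

/* Switches are named after the reference numerals used in the text. */
enum sw { SW58, SW60, SW62, SW64, SW_COUNT };
enum fault_kind { FAULT_NONE, STUCK_OPEN, STUCK_CLOSED };

/* One injected single fault (constructed for this example). */
struct fault { enum sw where; enum fault_kind kind; };

/* State a switch really takes, given its command and the injected fault. */
static bool actual(bool commanded, enum sw id, struct fault f)
{
    if (f.kind == FAULT_NONE || f.where != id)
        return commanded;
    return f.kind == STUCK_CLOSED;
}

/* Load state as the return line 66 would report it (true = energised). */
bool load_energised(bool s54, bool s56, struct fault f)
{
    bool sw58 = actual(s54,  SW58, f);  /* driven directly by signal 54 */
    bool sw64 = actual(!s54, SW64, f);  /* driven through inverter 51   */
    bool sw60 = actual(s56,  SW60, f);  /* driven directly by signal 56 */
    bool sw62 = actual(!s56, SW62, f);  /* driven through inverter 52   */
    bool left_path  = sw58 && sw62;     /* 58 in series with 62 */
    bool right_path = sw60 && sw64;     /* 60 in series with 64 */
    return left_path || right_path;     /* the two paths are in parallel */
}

/*
 * Controller side: apply the normal pattern, compare the feedback with the
 * wanted state, and fall back to the alternative pattern if it differs.
 * Returns (s54 << 1) | s56 for the pattern that worked, or -1 if neither
 * pattern reaches the wanted state.
 */
int find_drive(bool want_on, struct fault f)
{
    /* ON:  right path first (56 = 1), then left path (54 = 1).
     * OFF: basic state 0/0 first; 1/1 is a fallback derived from the
     *      wiring (assumption): it opens 62 and 64 through the inverters. */
    static const int on_order[2]  = { 0x1, 0x2 };
    static const int off_order[2] = { 0x0, 0x3 };
    const int *order = want_on ? on_order : off_order;

    for (int i = 0; i < 2; i++) {
        bool s54 = (order[i] >> 1) & 1;
        bool s56 = order[i] & 1;
        if (load_energised(s54, s56, f) == want_on)
            return order[i];
    }
    return -1;
}

/* Counts the single stuck-at faults for which ON and OFF both stay reachable. */
int tolerated_single_faults(void)
{
    int ok = 0;
    for (int s = 0; s < SW_COUNT; s++) {
        for (int k = STUCK_OPEN; k <= STUCK_CLOSED; k++) {
            struct fault f = { (enum sw)s, (enum fault_kind)k };
            if (find_drive(true, f) >= 0 && find_drive(false, f) >= 0)
                ok++;
        }
    }
    return ok;
}

int main(void)
{
    static const char *names[SW_COUNT] = { "58", "60", "62", "64" };
    for (int s = 0; s < SW_COUNT; s++) {
        for (int k = STUCK_OPEN; k <= STUCK_CLOSED; k++) {
            struct fault f = { (enum sw)s, (enum fault_kind)k };
            printf("switch %s stuck %-6s  on pattern: %d  off pattern: %d\n",
                   names[s], k == STUCK_OPEN ? "open" : "closed",
                   find_drive(true, f), find_drive(false, f));
        }
    }
    printf("tolerated single faults: %d of %d\n",
           tolerated_single_faults(), SW_COUNT * 2);
    return 0;
}
```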
Abstract
The invention relates to a device for reliably generating signals which comprises a control means (10) to which a control signal (12) is fed. The control means (10) generates, according to the control signal (12), a drive signal (13, 14) for driving a load (50). Emergency running means (30, 32) are provided which generate, during emergency operation, the drive signal (34, 14) according to the control signal (12).
Description
Device for safe signal generation
State of the art
The invention is based on a device for safe signal generation of the type defined in the independent claims. In today's systems, safety-critical signals are switched directly to the signal sink, for example the terminal control signals of the ignition starter switch. However, if a safety-critical signal is to be generated by a microcontroller, it must be ensured that, when a single fault occurs in a component of the system, its safety-critical output signal neither changes to an incorrect state nor becomes impossible to switch from one state to another.
It is therefore an object of the invention to increase the safety of signal provision by a microcontroller. This object is achieved by the features of the independent claims.
Advantages of the invention
The device for safe signal generation according to the invention comprises a control means to which a control signal is supplied. Depending on the control signal, the control means generates a drive signal for driving a load. According to the invention, emergency running means are provided which, in an emergency mode, generate the drive signal instead of the control means. The redundant generation of the drive signal increases the safety of the overall arrangement, since in the event of a fault in the control means the emergency running means are still available to generate the drive signal in an emergency mode. Correct driving is thus ensured, in particular for safety-critical signals such as the terminal control signal for an ignition starter switch. If faults occur in a component of the system, the drive signal does not change to an incorrect state and can still be switched to another state. For this purpose, the control signal is preferably also fed to the emergency running means, which in emergency operation generate the drive signal from this control signal.
In an expedient development, drive means for activating the emergency running means are provided, which activate the emergency running means when a fault in the control means has been detected. Only in an emergency is there a switchover to emergency operation and the associated driving by the emergency running means. In normal operation, however, the control means continues to generate the drive signal. This allows the complexity of the emergency running means to be reduced, since in normal operation the control means covers the usually more complex functionality.
Further expedient developments emerge from further dependent claims and from the description.
Drawing
The exemplary embodiments of the invention are shown in the drawing and are described in more detail below.
FIGS. 1 to 3 show block diagrams of several exemplary embodiments of the device according to the invention for safe signal generation.
Description of the embodiments
A control signal 12 is supplied to a control means 10 and to an emergency running means 30. The control means 10 generates an output signal 13, which is fed to the emergency operation switching means 32. A trigger signal 18 provided by the control means 10 is processed by a monitoring means 20. The control means 10 also generates an emergency operation control signal 15 for the emergency running means 30. The emergency running means 30 also receives a monitoring output signal 22 generated by the monitoring means 20. The emergency running means 30 generates an emergency operation output signal 34 and an emergency operation control signal 36. Via the emergency operation control signal 36, the switch position of the emergency operation switching means 32 can be changed. In one switch position, the emergency operation switching means 32 forwards the output signal 13 of the control means 10 as a control signal 14 to a switching means 16. In the other switch position, the emergency operation switching means 32 forwards the emergency operation output signal 34 of the emergency running means 30 to the switching means 16 as the control signal 14. With the switching means 16 switched by the control signal 14, a safety-relevant component can be activated or deactivated.
In the exemplary embodiment according to FIG. 2, the control means 10 is supplied with the control signal 12 and a reset signal 24, which is generated by the monitoring means 20. The control means 10 in turn outputs the output signal 13 to the emergency operation switching means 32, the trigger signal 18 to the monitoring means 20 and the emergency operation control signal 15 to the emergency running means 30. As already described in connection with the exemplary embodiment according to FIG. 1, the emergency running means 30 outputs the emergency running signal 34 and the emergency operation control signal 36 to the emergency operation switching means 32, whose output signal is supplied to the switching means 16 as the control signal 14. A second control means 40 is provided, which exchanges data with the control means 10 via a communication line 44. An emergency operation control signal 42 of the second control means 40 is output to the emergency running means 30.
In the exemplary embodiment according to FIG. 3, a first control signal 54 reaches both a first inverter 51 and a first switching means 58. A fourth switching means 64 is controlled with the output signal of the first inverter 51. A second control signal 56 is supplied to both a second switching means 60 and a second inverter 52. The output signal of the second inverter 52 serves as the control signal for the third switching means 62. The first switching means 58 and the third switching means 62 are connected in series, as are the second switching means 60 and the fourth switching means 64. The series-connected first and third switching means 58, 62 are connected in parallel with the series-connected second and fourth switching means 60, 64. The common potentials of the third and fourth switching means 62, 64 are connected (by way of example) to ground, and the common potentials of the first and second switching means 58, 60 (by way of example) to the load 50. A feedback line 66 is provided to detect the signal with which the load 50 is driven.
The exemplary embodiment according to FIG. 1 is used, for example, for safe signal generation for an ignition starter switch in a motor vehicle. The corresponding signal of the desired ignition state is sent as control signal 12 to both the control means 10 and the emergency running means 30. The control means 10 processes the incoming control signal 12, if necessary with the aid of further information. An automatic start/stop function, for example, is implemented in the control means 10, which automatically deactivates or activates the ignition (as an example of a load 50) when certain conditions are present. The control means 10 therefore generates, as a function of the control signal 12, an output signal 13 with which the switching means 16 is controlled in normal operation, for example to activate or deactivate the ignition.
Since the ignition is a safety-critical function, the switching means 16 must be actuated correctly even when the control means 10 is not working properly. According to the invention, the emergency running means 30 with the associated emergency running switching means 32 is provided for this purpose. If the control means 10 fails, the emergency running means 30 actuates the emergency running switching means 32 in such a way that the emergency running switching means 32 no longer passes through the output signal 13 of the control means 10 as the actuation signal 14 for the switching means 16, but instead the emergency running output signal 34. The emergency running output signal 34 is the corresponding state of the control signal 12. In the simplest case, the control signal 12 is simply looped through the emergency running means 30 as the emergency running output signal 34. However, additional logic could also be integrated in the emergency running means 30 that converts the control signal 12 into the emergency running output signal 34 as a function of certain conditions.
The emergency running switching means 32 is switched over to forward the emergency running output signal 34 as the actuation signal when faulty operation of the control means 10 has been detected. The emergency running function of the emergency running means 30 can be activated either by the control means 10 itself or by the monitoring means 20. For this purpose, a self-diagnosis function is integrated in the control means 10 to monitor its own functionality. If the control means 10 detects a fault of its own, it sends a corresponding message via the emergency actuation signal 15 to the emergency running means 30 to activate the emergency running function as described above. The monitoring means 20 is provided for additional or alternative monitoring of the control means 10. This is, for example, a so-called watchdog. The control means 10 outputs a trigger signal 18 to the monitoring means 20. The monitoring means 20 checks whether the incoming trigger signal 18 matches an expected trigger signal. A frequency deviation of the trigger signal 18, for example, could be used as the criterion for a fault. If the monitoring means 20 detects a significant deviation of the trigger signal 18 from the expected normal state, it infers a defective control means 10 and activates the emergency running function of the emergency running means 30 with a corresponding monitoring output signal 22. Via the emergency control signal 36, the emergency running means 30 causes the emergency running output signal 34 to be passed through as the actuation signal 14 for the switching means 16, as described above. In the exemplary embodiment according to FIG. 1, however, the monitoring means 20 does not trigger a reset of the control means 10; it only controls the emergency running function of the emergency running means 30.
In the exemplary embodiment according to FIG. 2, a second control means 40 is provided as a further monitoring means for the control means 10. Using the communication, bidirectional where appropriate, that runs over the communication line 44 between the first control means 10 and the second control means 40, the second control means 40 monitors the functionality of the control means 10. To this end, the second control means 40 could, for example, send test signals to the control means 10, which returns corresponding response signals. From the incoming response signals, the second control means 40 determines whether the control means 10 is still functioning properly. If the incoming response of the control means 10 deviates from the expected one, the second control means 40 infers faulty operation and, via the emergency actuation signal 42, activates the emergency mode stored in the emergency running means 30. The emergency mode matches the one described for exemplary embodiment 1; reference is made to the corresponding explanations. The second control means 40 essentially takes over the function of the monitoring means 20 of the first exemplary embodiment. The monitoring means 20 according to FIG. 2 is thus relieved of these tasks and can take over the so-called watchdog function. Again, the monitoring means 20 monitors the trigger signal 18 for significant, unexpected deviations. If they occur, the monitoring means 20 sends a corresponding reset signal 24 to the control means 10, and the control means 10 is restarted. The second control means 40 recognizes this reset and activates the emergency running function of the emergency running means 30 at that point at the latest. As in the exemplary embodiment according to FIG. 1, the control means 10 itself can activate the emergency running function of the emergency running means 30. This could be the case if the control means 10 itself recognizes that it is working incorrectly and/or if it detects a fault in the second control means 40. Alternatively, the emergency running function of the emergency running means 30 could be triggered by the monitoring means 20 after a predeterminable number of reset signals 24. The so-called watchdog function of the monitoring means 20 would be retained in this case.
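The supervision of trigger signal 18 described for FIG. 1 and FIG. 2, as an added example in C that is not part of the patent text. All type and function names, the tick unit, the thresholds and the latching of the emergency state are assumptions; a reset limit of 0 gives the FIG. 1 behaviour (no reset, direct switchover), and a limit of N gives the FIG. 2 alternative in which emergency running is triggered after N reset signals 24.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; names, tick units and thresholds are assumptions.
 * Numbers in comments are the page's reference numerals. */

typedef enum { ACT_NONE, ACT_RESET, ACT_LIMP_HOME } action_t;

typedef struct {
    uint32_t expected_period; /* nominal period of trigger signal 18, in ticks */
    uint32_t tolerance;       /* deviation still treated as normal, in ticks */
    unsigned reset_limit;     /* reset signals 24 allowed before emergency running */
    uint32_t last_edge;       /* tick of the last trigger edge, start or reset */
    bool     have_edge;       /* false until a baseline edge has been seen */
    unsigned resets_issued;   /* reset signals 24 sent so far */
    bool     limp_home;       /* latched (assumption): emergency running active */
} monitor_t;

void monitor_init(monitor_t *m, uint32_t period, uint32_t tolerance,
                  unsigned reset_limit, uint32_t now)
{
    m->expected_period = period;
    m->tolerance = tolerance;
    m->reset_limit = reset_limit;
    m->last_edge = now;
    m->have_edge = false;
    m->resets_issued = 0;
    m->limp_home = false;
}

/* Fault handling: reset the controller while resets remain, otherwise
 * activate the emergency running function (signal 22 to means 30). */
static action_t on_fault(monitor_t *m, uint32_t now)
{
    if (m->resets_issued < m->reset_limit) {
        m->resets_issued++;
        m->last_edge = now;    /* timeout window restarts at the reset */
        m->have_edge = false;  /* next edge only re-establishes the baseline */
        return ACT_RESET;
    }
    m->limp_home = true;
    return ACT_LIMP_HOME;
}

/* Call on every edge of trigger signal 18: flags a period that is too
 * short or too long, i.e. a frequency deviation. */
action_t monitor_on_trigger(monitor_t *m, uint32_t now)
{
    if (m->limp_home) return ACT_NONE;
    uint32_t delta = now - m->last_edge;   /* unsigned math survives wrap */
    bool armed = m->have_edge;
    m->last_edge = now;
    m->have_edge = true;
    if (!armed) return ACT_NONE;
    uint32_t dev = delta > m->expected_period ? delta - m->expected_period
                                              : m->expected_period - delta;
    return dev > m->tolerance ? on_fault(m, now) : ACT_NONE;
}

/* Call periodically: catches a trigger that has stopped altogether. */
action_t monitor_on_tick(monitor_t *m, uint32_t now)
{
    if (m->limp_home) return ACT_NONE;
    if (now - m->last_edge > m->expected_period + m->tolerance)
        return on_fault(m, now);
    return ACT_NONE;
}

/* Direct request from control means 10 (signal 15) or from the second
 * control means 40 (signal 42). */
void monitor_request_limp_home(monitor_t *m) { m->limp_home = true; }

/* Switching means 32: pass output 13 in normal operation, otherwise the
 * emergency output 34, which in the simplest case is control signal 12. */
bool actuation_signal_14(const monitor_t *m, bool output_13, bool control_signal_12)
{
    bool emergency_output_34 = control_signal_12;
    return m->limp_home ? emergency_output_34 : output_13;
}

int main(void)
{
    monitor_t m;
    monitor_init(&m, 10, 2, 1, 0);   /* period 10 +/- 2 ticks, one reset allowed */
    monitor_on_trigger(&m, 10);
    monitor_on_trigger(&m, 20);
    printf("trigger stalled: action %d\n", monitor_on_tick(&m, 33));
    monitor_on_trigger(&m, 40);
    printf("trigger too fast: action %d\n", monitor_on_trigger(&m, 44));
    printf("signal 14 = %d\n", actuation_signal_14(&m, false, true));
    return 0;
}
```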
To increase safety further, the switching means 16 could have a structure as shown in FIG. 3. The control means 10 would generate two signals, the first and the second actuation signals 54, 56, instead of only one output signal 13. Only one of the two actuation signals 54, 56 would have to be implemented in a fail-safe manner (as described above). In the event of a fault, the non-fail-safe actuation signal only has to assume a defined state. In addition, the control means 10 receives and processes the signal tapped from the feedback line 66. To ensure safe opening of the switching means 16, a third switching means 62 is connected in series with the first switching means 58. If, for example, the first switching means 58 could no longer be opened, the desired output signal could still be produced by opening the third switching means 62. If, however, the first switching means 58 could no longer be closed, the desired output state could be achieved by closing the second and fourth switching means 60, 64.
In the basic state, that is, with the load 50 switched off, the first and second actuation signals 54, 56 are at logic zero. In conjunction with the two inverters 51, 52, the third and fourth switching means 62, 64 are closed. Since the first and second switching means 58, 60 remain open, the load 50 is deactivated.
If the load 50 is to be switched on, as indicated by a change in the control signal 12, the control means 10 generates a second actuation signal 56 at logic one. This closes the second switching means 60. The right-hand path of the switching means 16 now conducts, and the load 50 is thereby switched on. In parallel, the control means 10 detects the state of the load 50 via the feedback line 66. When the switching means 16 is operating properly, a logic-one level of the second actuation signal 56 also results in current flowing through the load 50.
If, however, the control means 10 detects that the intended activation of the load 50 has not had the desired effect, it changes to an emergency mode. To remedy the faulty state, the left-hand path of the switching means 16 is activated by changing the first actuation signal 54 to logic one. This closes the first switch 58 and thereby switches on the load 50.
If, in normal "switch off" operation (first actuation signal 54 at logic zero, second actuation signal 56 at logic zero), the second switching means 60 does not open despite being actuated accordingly, this is likewise recognized from the signal detected on the feedback line 66. The first actuation signal 54 is then set to logic one, so that the fourth switching means 64 opens and the right-hand path is thus deactivated. This functionality can now be taken over via the first actuation signal 54 with corresponding inverse logic.
Claims
1. Device for safe signal generation, having a control means (10) to which a control signal (12) is supplied, the control means (10) generating, as a function of the control signal (12), an actuation signal (13, 14) for actuating a load (16, 50), characterized in that emergency running means (30, 32) are provided which, in an emergency mode, generate the actuation signal (34, 14) as a function of the control signal (12).
2. Device according to one of the preceding claims, characterized in that actuation means (10, 20, 40) are provided for activating the emergency running means (30, 32).
3. Device according to one of the preceding claims, characterized in that monitoring means (10, 20, 40) are provided for monitoring the control means (10).
4. Device according to one of the preceding claims, characterized in that the monitoring means (10, 20, 40) activate the emergency running means (30, 32) to generate the actuation signal (14) in the event of improper operation of the control means (10).
5. Device according to one of the preceding claims, characterized in that the emergency running means (30) comprises at least one switching means (32) which prevents or permits the forwarding of the actuation signal (13) of the control means (10) and/or forwards the output signal (34) of the emergency running means (30) as the actuation signal (14).
6. Device according to one of the preceding claims, characterized in that a switching means (16) for activating or deactivating a load (50) is actuated with the actuation signal (13, 14, 34).
7. Device for safe signal generation, having a control means (10) to which a control signal (12) is supplied, the control means (10) generating, as a function of the control signal (12), an actuation signal (54, 56) for actuating a switching means (16) that activates or deactivates a load (50), characterized in that detection means (10, 66) are provided for detecting proper operation of the switching means (16), the detection means (10, 66) influencing the actuation signal (54, 56) as a function of proper operation of the switching means (16).
8. Device according to one of the preceding claims, characterized in that the switching means (16) comprises at least two switching means (58, 62; 60, 64) connected in parallel.
9. Device according to one of the preceding claims, characterized in that the switching means (16) comprises at least two switching means (58, 60; 62, 64) connected in series.
10. Device according to one of the preceding claims, characterized in that at least two actuation signals (54, 56) are supplied to the switching means (16).
11. Device according to one of the preceding claims, characterized in that the output signal of the switching means (16) is detected via a feedback line (66) by the control means (10), which serves as the detection means, in order to influence one of the actuation signals (54, 56).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06101384A EP1679729B1 (en) | 2000-03-09 | 2001-02-15 | Method for secure signal generation |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10011410 | 2000-03-09 | ||
DE10011410A DE10011410A1 (en) | 2000-03-09 | 2000-03-09 | Fail-safe signal generation device for safety critical signal has back-up device for generation of load driver signal in emergency operating mode |
PCT/DE2001/000565 WO2001066926A1 (en) | 2000-03-09 | 2001-02-15 | Device for reliably generating signals |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06101384A Division EP1679729B1 (en) | 2000-03-09 | 2001-02-15 | Method for secure signal generation |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1264097A1 (en) | 2002-12-11 |
Family
ID=7634047
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06101384A Expired - Lifetime EP1679729B1 (en) | 2000-03-09 | 2001-02-15 | Method for secure signal generation |
EP01913641A Withdrawn EP1264097A1 (en) | 2000-03-09 | 2001-02-15 | Device for reliably generating signals |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06101384A Expired - Lifetime EP1679729B1 (en) | 2000-03-09 | 2001-02-15 | Method for secure signal generation |
Country Status (8)
Country | Link |
---|---|
US (1) | US20030181998A1 (en) |
EP (2) | EP1679729B1 (en) |
KR (1) | KR20020083167A (en) |
CN (1) | CN1304745C (en) |
DE (2) | DE10011410A1 (en) |
ES (1) | ES2307263T3 (en) |
MX (1) | MXPA02008720A (en) |
WO (1) | WO2001066926A1 (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10127053A1 (en) | 2001-06-02 | 2002-12-05 | Bosch Gmbh Robert | Device for controlling the energy supply of a motor vehicle |
DE10139616B4 (en) * | 2001-08-11 | 2010-12-09 | Robert Bosch Gmbh | Control circuit with redundancy function |
DE102005034911A1 (en) * | 2005-07-26 | 2007-02-01 | BSH Bosch und Siemens Hausgeräte GmbH | Method and circuit arrangement for the secure control of actuators, sensors or consumers in an electrical device containing them, in particular electrical domestic appliance |
DE102008009905A1 (en) * | 2008-02-19 | 2009-08-20 | Robert Bosch Gmbh | Method for providing an emergency function |
DE102011081184A1 (en) * | 2011-08-18 | 2013-02-21 | Siemens Aktiengesellschaft | Method for switching in an arrangement of circuit breakers and arrangement of a plurality of circuit breakers |
CN104865905B (en) * | 2014-02-21 | 2018-02-23 | 上海西门子医疗器械有限公司 | Communication control unit, communicating control method and Medical Devices |
DE102015224067A1 (en) * | 2015-12-02 | 2017-06-08 | Borgward Trademark Holdings Gmbh | Battery management system, vehicle and method for battery relay control |
EP3288057A1 (en) * | 2016-08-26 | 2018-02-28 | Siemens Aktiengesellschaft | Safety-oriented switching device |
EP4116620A1 (en) * | 2021-07-09 | 2023-01-11 | Leuze electronic GmbH + Co. KG | Monitoring device and method for operating same |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0569227A1 (en) * | 1992-05-08 | 1993-11-10 | Zexel Corporation | Fuel injection control system for internal combustion engine |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4223295A (en) * | 1978-10-18 | 1980-09-16 | Nelson A. Faerber | Emergency control system for traffic signals |
ATE10035T1 (en) * | 1980-02-13 | 1984-11-15 | Werkzeugmaschinenfabrik Oerlikon-Buehrle Ag | DEVICE FOR MONITORING A WHEEL SPEED SENSOR. |
DE3130094A1 (en) * | 1981-07-30 | 1983-02-17 | Robert Bosch Gmbh, 7000 Stuttgart | EMERGENCY CONTROL SYSTEM FOR A DIESEL INTERNAL COMBUSTION ENGINE |
JPS593596A (en) * | 1982-06-30 | 1984-01-10 | 日本警備保障株式会社 | Alarm |
DE3322074A1 (en) * | 1982-07-23 | 1984-01-26 | Robert Bosch Gmbh, 7000 Stuttgart | EMERGENCY DEVICE FOR MICROCOMPUTER CONTROLLED SYSTEMS |
DE3531198A1 (en) * | 1985-08-31 | 1987-03-12 | Bosch Gmbh Robert | SAFETY AND EMERGENCY DRIVING METHOD FOR AN INTERNAL COMBUSTION ENGINE WITH AUTO-IGNITION AND DEVICE FOR CARRYING OUT IT |
DE4106257A1 (en) * | 1991-02-28 | 1992-09-03 | Pierburg Gmbh | Throttle flap controller for combustion engine air intake - incorporates redundant microprocessors with multiplex input-output diagnostic memory and watchdog logic for emergency switch operation |
DE4118558A1 (en) * | 1991-06-06 | 1992-12-10 | Bosch Gmbh Robert | SYSTEM FOR CONTROLLING AN INTERNAL COMBUSTION ENGINE |
DE4229774C2 (en) * | 1992-09-05 | 2002-06-20 | Bosch Gmbh Robert | Device for controlling an internal combustion engine |
FR2715738B1 (en) * | 1994-01-31 | 1996-04-12 | Sextant Avionique | Composite safety switch. |
JP3276859B2 (en) * | 1996-08-30 | 2002-04-22 | 株式会社東海理化電機製作所 | Motor control device |
US5949677A (en) * | 1997-01-09 | 1999-09-07 | Honeywell Inc. | Control system utilizing fault detection |
FR2761173B1 (en) * | 1997-03-19 | 1999-05-14 | Schneider Automation | PROGRAMMABLE PLC MODULE |
US6141628A (en) * | 1997-06-10 | 2000-10-31 | Amot Controls Corporation | Programmable logic controller software with embedded class logic and alarm/shutdown functionality |
US6122567A (en) * | 1997-12-02 | 2000-09-19 | Rheem Manufacturing Company | Boiler system ignition sequence detector and associated methods of protecting boiler systems |
DE19809709A1 (en) * | 1998-03-06 | 1999-09-09 | Sick Ag | Device for monitoring a protected area |
US6167329A (en) * | 1998-04-06 | 2000-12-26 | Eaton Corporation | Dual microprocessor electronic trip unit for a circuit interrupter |
US6223091B1 (en) * | 1998-05-29 | 2001-04-24 | Siemens Energy & Automation, Inc. | Alarm event generator apparatus, means and system |
US6407469B1 (en) * | 1999-11-30 | 2002-06-18 | Balboa Instruments, Inc. | Controller system for pool and/or spa |
-
2000
- 2000-03-09 DE DE10011410A patent/DE10011410A1/en not_active Withdrawn
-
2001
- 2001-02-15 DE DE50114079T patent/DE50114079D1/en not_active Expired - Lifetime
- 2001-02-15 KR KR1020027011623A patent/KR20020083167A/en not_active Application Discontinuation
- 2001-02-15 EP EP06101384A patent/EP1679729B1/en not_active Expired - Lifetime
- 2001-02-15 MX MXPA02008720A patent/MXPA02008720A/en unknown
- 2001-02-15 US US10/221,003 patent/US20030181998A1/en not_active Abandoned
- 2001-02-15 EP EP01913641A patent/EP1264097A1/en not_active Withdrawn
- 2001-02-15 WO PCT/DE2001/000565 patent/WO2001066926A1/en not_active Application Discontinuation
- 2001-02-15 ES ES06101384T patent/ES2307263T3/en not_active Expired - Lifetime
- 2001-02-15 CN CNB018061567A patent/CN1304745C/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
MXPA02008720A (en) | 2004-05-05 |
US20030181998A1 (en) | 2003-09-25 |
EP1679729A2 (en) | 2006-07-12 |
DE10011410A1 (en) | 2001-09-20 |
KR20020083167A (en) | 2002-11-01 |
CN1304745C (en) | 2007-03-14 |
EP1679729A3 (en) | 2006-11-22 |
ES2307263T3 (en) | 2008-11-16 |
EP1679729B1 (en) | 2008-07-02 |
CN1416503A (en) | 2003-05-07 |
WO2001066926A1 (en) | 2001-09-13 |
DE50114079D1 (en) | 2008-08-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP0547196B1 (en) | Anti-blocking system | |
EP2171549B1 (en) | Safety apparatus for the multichannel control of a safety device | |
WO1992017358A1 (en) | Circuit for a regulator | |
DE10143454B4 (en) | Device for controlling a vehicle | |
EP1254400A1 (en) | Circuit arrangement for the safe shutdown of an installation, in particular a machine installation | |
WO2001066926A1 (en) | Device for reliably generating signals | |
AT507540A1 (en) | METHOD FOR CONTROLLING A DC POWER MACHINE | |
DE4113959A1 (en) | MONITORING DEVICE | |
EP1024985B1 (en) | Circuit configuration to monitor a regulated output voltage in a motor vehicle | |
WO2006131255A2 (en) | Method for operating an electric machine and control system therefor | |
EP3475966B1 (en) | Safety-oriented switching device | |
EP1397729B1 (en) | Device for reliable signal generation | |
DE102020200203B4 (en) | Device for operating an electronic system, in particular a vehicle | |
EP2215533B1 (en) | Control device for a safety switching apparatus with integrated monitoring of the supply voltage | |
DE10252990B3 (en) | Control unit for a motor vehicle occupant safety system, especially an airbag system, has additional AND gates in addition to dual controlling computers to ensure reliable detection and resetting of a faulty computer unit | |
EP2767877B1 (en) | Control and data transmission system for transmission of safety-related data via a field bus | |
EP1446576A2 (en) | Starter device for an internal combustion engine | |
EP0508081B1 (en) | Circuit and method for monitoring a fuel-heated apparatus | |
EP2013731A1 (en) | Circuit arrangement, and method for the operation of a circuit arrangement | |
WO2019020322A1 (en) | Method for operating a control unit, and device having an associated control unit | |
WO2022268476A1 (en) | Computer-implemented method and control device for controlling a unit of an automotive system | |
DE102013113403B4 (en) | System for controlling at least one power factor | |
DE102015203252A1 (en) | Safety device and method for transferring an actuator system to a safe state, actuator system and method for operating an actuator system | |
EP4179392A1 (en) | Emergency stop device | |
EP1505503B1 (en) | Method and computer system to operate a safety installation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20021009 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
|
RBV | Designated contracting states (corrected) |
Designated state(s): DE ES FR GB IT SE |
|
17Q | First examination report despatched |
Effective date: 20050401 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20060302 |