EP1629513B1 - Control device for safety-critical components and corresponding method - Google Patents

Control device for safety-critical components and corresponding method

Info

Publication number: EP1629513B1
Authority: EP (European Patent Office)
Prior art keywords: switch, control device, master, safety, slave
Legal status: Expired - Lifetime (listed as an assumption, not a legal conclusion)
Application number: EP04726963A
Other languages: German (de), French (fr)
Other versions: EP1629513A1 (en)
Inventor: Klaus Behringer
Current Assignee: Siemens AG
Original Assignee: Siemens AG

Classifications

    • H ELECTRICITY
    • H01 ELECTRIC ELEMENTS
    • H01H ELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
    • H01H47/00 Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
    • H01H47/002 Monitoring or fail-safe circuits
    • H01H47/004 Monitoring or fail-safe circuits using plural redundant serial connected relay operated contacts in controlled circuit
    • H01H47/005 Safety control circuits therefor, e.g. chain of relays mutually monitoring each other

Landscapes

  • Safety Devices In Control Systems (AREA)
  • Keying Circuit Devices (AREA)
  • Electronic Switches (AREA)

Description

The present invention relates to a drive device for controlling or regulating a safety-critical component, having a switching device which has a first switch and a second switch, connected in series with the first, for switching the safety-critical component, a first control device for receiving an input signal and outputting a first drive signal, and a second control device for receiving the input signal and outputting a second drive signal. The present invention also relates to a corresponding method for controlling or regulating a safety-critical component.

Many safety applications require a very short reaction time for processing an EMERGENCY STOP request. Although modern safety devices generally use microcontrollers and can therefore execute internal functions very quickly, filter algorithms have to be used because of burst and RF interference in order to achieve maximum availability. Further side effects such as compensation of the cable capacitance and dynamic input testing ultimately lead to relatively long evaluation cycles.

The report "Not-Aus-Schaltgeräte, Schutztürwächter; Announcement Pilz NSG-D-1-051-07/00, XX, XX, July 2000 (2000-07), pages 1 to 4, XP 000961973" discloses a drive device which, in view of the hardware redundancy requirement, has two switches connected in series, each of which is electrically connected to its own microcontroller via a relay driver. Each microcontroller has an input electrically coupled to an emergency stop switch, and the two microcontrollers are arranged side by side with equal status. Each switch can be controlled via its associated microcontroller. The switches are controlled depending on whether a safety-critical component has to be shut down.

Furthermore, German published patent application DE 44 09 541 A1 discloses a safety device in which a sensor device is electrically connected to two evaluation devices. Each evaluation unit has an output electrically connected to a switch designed as an auxiliary contactor. A timing element is arranged in the signal path between one evaluation unit and one auxiliary contactor, by means of which a downstream main circuit can be shut down with a delay via the auxiliary contactor.

A further problem is the fact that safety devices of category SIL3 and above, with reference to the European standard IEC 61508, must always use two controllers for reasons of hardware redundancy and fault tolerance.

The applicant has solved this problem by using, in safety devices, two controllers that are identical in hardware and run identical firmware. In order to be able to detect systematic faults, a "master-slave principle" is applied. This means that at any time one of the controllers is the master for a short time and the other is the slave. The two controllers swap this status after a fixed time. One of the controllers is usually used to drive certain switches, for example of a load circuit of an electric machine, whereas the other controller is used to monitor the switching states of these switches and in turn drives other switches of other components.

The controller that is in master mode reads in all the inputs and determines the output states of the switches to which it is connected or which are assigned to it. Important states such as requests are reconciled with the slave, and internal tests are performed.

An EMERGENCY STOP request is first registered by the controller in master mode. The disadvantage here is that the outputs driven by the controller in slave mode can only be switched off once the EMERGENCY STOP request has been transmitted from the master to the slave. The outputs driven directly by the master can be switched off relatively quickly. The reaction time for switching off the driven components therefore depends on which controller receives the request first and on whether the desired output can also be switched off by that controller.

With the circuit design described, it has not so far been possible to achieve request times below 45 ms. Correspondingly faster hardware would allow the request time to be reduced to 35 ms. However, this is not sufficient for critical requirements such as press controls.

The object of the present invention is therefore to propose a drive device and a corresponding method for controlling or regulating a safety-critical component with a reaction time that is shortened on average.

According to the invention, this object is achieved by a drive device according to claim 1 for controlling or regulating a safety-critical component, having a switching device which has a first switch and a second switch, connected in series with the first, for switching the safety-critical component, a first control device for receiving an input signal and outputting a first drive signal, and a second control device for receiving the input signal and outputting a second drive signal, wherein the first switch of the switching device can be driven by the first control device and the second switch of the switching device can be driven by the second control device. The first and second switches are driven with a time offset relative to one another. Furthermore, the first and second control devices operate on the master-slave principle, which results in a defined time offset.

Furthermore, the invention provides a method according to claim 7 for controlling or regulating a safety-critical component by providing a switching device which has a first switch and a second switch, connected in series with the first, for switching the safety-critical component, providing a first control device which is connected to the switch, and a second control device which is connected to the second switch, receiving an input signal and outputting a first drive signal from the first control device to the first switch of the switching device on the basis of the input signal, wherein a second drive signal is output from the second control device to the second switch of the switching device on the basis of the input signal.

The invention is based on the idea that the output should be switched off regardless of which of the switches is deactivated first. Because both controllers, or control devices, now drive the series connection of the two switches, so that the outputs of the controllers are ANDed, the output at the switching device is in every case switched off with the shorter of the two controllers' reaction times.

A positive side effect of this time-offset switching is that simultaneous welding of the two switches, e.g. contactors, can be ruled out. The EMERGENCY STOP function is therefore still guaranteed even after one of the switch contacts has welded.

The time-offset switching off of the switches has the further advantage that approximately equal service lives can be expected for both switches. This is because, on statistical average, each switch is switched off just as often in the current-free state as in the current-carrying state.

Preferably, the first and second switches in the switching device are each implemented by a relay or a contactor. Alternatively, however, the first and second switches can also be designed as semiconductor switches or comprise an optocoupler.

Specifically, the time offset arises from the time the master needs to inform the slave of an event.

Advantageously, an electric machine having a load circuit is equipped with the drive device according to the invention. The drive device can be used in particular for the safety shutdown or EMERGENCY STOP control.

The present invention will now be explained in more detail with reference to the accompanying drawings, in which:

FIG 1
shows a circuit diagram of a drive device according to the invention; and
FIG 2
shows a timing diagram of the drive device of FIG 1.

The exemplary embodiments described below represent preferred embodiments of the present invention. In the circuit diagram according to FIG 1, two contactors S1 and S2, which are connected in series with one another, serve to switch a load circuit (not shown) of an electric machine via the terminals K1 and K2. Two control devices, or controllers, C1 and C2 serve to drive the two contactors S1 and S2. The output signals of the controllers C1 and C2 are converted by respective output units Y1 and Y2 into corresponding movements of the contactors S1 and S2. The two controllers C1 and C2 receive their input signal from an input unit X, which can be implemented, for example, as an EMERGENCY STOP switch. This input signal is polled at the input X by the controllers C1 and C2 using respective clock signals T1 and T2.

FIG 2 shows a signal waveform diagram, or state diagram, of the individual components. At time t0, the EMERGENCY STOP switch at input X is pressed. At this time, controller C1 reads input X. After a certain reaction time, output unit Y1 is switched off at time t1. Since controller C2 was not active at time t0, it must first be informed by controller C1 that the EMERGENCY STOP switch has been pressed before it can switch off output unit Y2. The reaction time is therefore correspondingly longer, and output unit Y2 is not switched off until time t2.

In a concrete implementation, the drive device according to the invention can be used in a safety device, for example of the applicant's 3TK2845 model series, with two potential-free relay outputs that are connected in series. Typically, the reaction time of the master to an EMERGENCY STOP request is up to 8 ms. The time to transmit the EMERGENCY STOP request from the master to the slave can be up to 15 ms. The drop-out time of the relay in the present example is a maximum of 12 ms. In the standard circuit according to the prior art, in which a series connection of relays is driven by means of only one controller, the reaction time would be up to 8 ms + 15 ms + 12 ms = 35 ms. In the circuit according to the invention with a so-called "cascaded output", the reaction time would be at most 8 ms + 12 ms = 20 ms, since each controller C1, C2 switches one of the relays or contactors S1, S2, so that transmission of the EMERGENCY STOP request to the slave is no longer necessary in order to switch off the load circuit. This also meets the requirements of very time-critical applications. Because the relays or contactors S1, S2 of the switching device, which are connected in the form of a logical AND, are driven in the manner according to the invention, the devices used so far can continue to be used without any changes to hardware or firmware being necessary for a safety shutdown.
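
The timing argument above, together with the master-slave description and the welded-contact remark earlier in the description, as an added Python model that is not part of the patent text. It uses the maximum figures quoted above (8 ms, 15 ms, 12 ms); the wiring labels `single` and `cascaded`, the function names, and the choice of C1 as the one driving controller in the prior-art wiring are assumptions made for this illustration.

```python
"""Worst-case shutdown timing of two series contacts driven by master/slave
controllers. Added illustration; figures are the maxima quoted in the text."""

T_MASTER_REACT_MS = 8      # master's reaction to the EMERGENCY STOP request
T_MASTER_TO_SLAVE_MS = 15  # master informs the slave of the request
T_RELAY_DROP_MS = 12       # relay drop-out time

CONTROLLERS = ("C1", "C2")

# Which controller drives which series contact (labels are assumptions).
WIRING = {
    "single":   {"S1": "C1", "S2": "C1"},  # prior art: one controller drives both
    "cascaded": {"S1": "C1", "S2": "C2"},  # invention: one contact per controller
}


def output_off_time(controller, master):
    """Latest time (ms after t0) at which `controller` de-energises its output.

    The controller in master mode sees the request directly; the slave has to
    wait until the master has passed the request on.
    """
    t = T_MASTER_REACT_MS
    if controller != master:
        t += T_MASTER_TO_SLAVE_MS
    return t


def contact_open_times(wiring, master, welded=frozenset()):
    """Map each contact to the time it opens, or None if it is welded shut."""
    times = {}
    for switch, controller in WIRING[wiring].items():
        if switch in welded:
            times[switch] = None
        else:
            times[switch] = output_off_time(controller, master) + T_RELAY_DROP_MS
    return times


def load_off_time(wiring, master, welded=frozenset()):
    """Series circuit: the load is off as soon as any one contact has opened."""
    opened = [t for t in contact_open_times(wiring, master, welded).values()
              if t is not None]
    return min(opened) if opened else None


def worst_case(wiring, welded=frozenset()):
    """Longest shutdown time over both possible master/slave role phases."""
    results = [load_off_time(wiring, m, welded) for m in CONTROLLERS]
    return None if None in results else max(results)


def switch_offset(wiring, master):
    """Time offset between the two contacts opening (both assumed healthy)."""
    t = contact_open_times(wiring, master)
    return abs(t["S1"] - t["S2"])


if __name__ == "__main__":
    for wiring in WIRING:
        print(f"{wiring:9s} worst case: {worst_case(wiring)} ms, "
              f"S1 welded: {worst_case(wiring, frozenset({'S1'}))} ms, "
              f"offset with C1 as master: {switch_offset(wiring, 'C1')} ms")
```

In this model a single welded contact in the cascaded wiring lengthens the worst case to 35 ms but the load is still switched off; only both contacts welded leaves it on.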

Claims (9)

  1. Drive apparatus for open-loop or closed-loop control of a safety-critical component having
    - a switching device which has a first switch (S1) and a second switch (S2), which is connected in series with the first, for switching the safety-critical component,
    - a first control device (C1) for reception of an input signal and emission of a first drive signal, and
    - a second control device (C2) for reception of the input signal and for emission of a second drive signal,
    in which case
    - the first switch (S1) in the switching device can be driven by the first control device (C1) and the second switch (S2) in the switching device can be driven by the second control device (C2),
    characterized in that
    - the first switch (S1) and the second switch (S2) are driven with a time offset with respect to one another, and the first and the second control device operate on the master/slave principle,
    - in which case the first (C1) and the second (C2) control device are alternately the master and slave for a short time, based on the master/slave principle, and the time offset is produced by the time period which the master requires in order to inform the slave.
  2. Drive apparatus according to Claim 1, wherein the first and the second switch are in each case a relay or a contactor.
  3. Drive apparatus according to Claim 1, wherein the first and the second switch are in each case a semiconductor switch.
  4. Drive apparatus according to Claim 1, wherein the first and the second switch in each case comprise an optocoupler.
  5. Electrical machine having a load circuit and a drive apparatus according to one of the preceding claims.
  6. Electrical machine according to Claim 5, also having an emergency-off switch (X) for supplying the input signal.
  7. Method for open-loop or closed-loop control of a safety-critical component by:
    - provision of a switching device which has a first switch (S1) and a second switch (S2), which is connected in series with the first, for switching the safety-critical component,
    - provision of a first control device (C1), which is connected to the switch (S1), and of a second control device (C2) which is connected to the second switch (S2),
    - reception of an input signal,
    - emission of a first drive signal from the first control device (C1) to the first switch (S1) in the switching device on the basis of the input signal, and
    - emission of a second drive signal from the second control device (C2) to the second switch (S2) in the switching device on the basis of the input signal,
    characterized in that
    - the first and the second drive signal are emitted with a time offset with respect to one another, the first and the second drive signal being produced using a master/slave process as a function of the input signal, thus resulting in the defined time offset,
    - in which case the first (C1) and the second (C2) control device are alternately the master and slave for a short time, based on the master/slave principle, and the time offset is produced by the time period which the master requires in order to inform the slave.
  8. Method according to Claim 7, wherein the switching device is used to switch a load circuit of an electrical machine.
  9. Method according to one of Claims 7 and 8, wherein the input signal is produced by an emergency-off switch (X).

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP04726963A EP1629513B1 (en) 2003-06-03 2004-04-13 Control device for safety-critical components and corresponding method

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP03012628A EP1484780A1 (en) 2003-06-03 2003-06-03 Drive control device for safety-critical components and corresponding method
PCT/EP2004/003874 WO2004107377A1 (en) 2003-06-03 2004-04-13 Control device for safety-critical components and corresponding method
EP04726963A EP1629513B1 (en) 2003-06-03 2004-04-13 Control device for safety-critical components and corresponding method

Publications (2)

Publication Number Publication Date
EP1629513A1 (en) 2006-03-01
EP1629513B1 (en) 2007-02-28

Family

ID=33155147

Family Applications (2)

Application Number Title Priority Date Filing Date
EP03012628A Withdrawn EP1484780A1 (en) 2003-06-03 2003-06-03 Drive control device for safety-critical components and corresponding method
EP04726963A Expired - Lifetime EP1629513B1 (en) 2003-06-03 2004-04-13 Control device for safety-critical components and corresponding method

Country Status (5)

Country Link
US (1) US7304406B2 (en)
EP (2) EP1484780A1 (en)
CN (1) CN1799114A (en)
DE (1) DE502004003058D1 (en)
WO (1) WO2004107377A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102004021978A1 (en) * 2004-05-04 2005-11-24 Abb Technology Ag Method and device for switching off a fault current occurring in an AC mains
EP1911058B1 (en) 2005-08-02 2008-12-03 Phoenix Contact GmbH & Co. KG Safety switching unit for controlling a safety device into a safe state
DE102007032827A1 (en) * 2006-01-12 2009-01-15 Phoenix Contact Gmbh & Co. Kg Safety device for multi-channel control of a safety device
US8102799B2 (en) 2006-10-16 2012-01-24 Assa Abloy Hospitality, Inc. Centralized wireless network for multi-room large properties
DE102006053397A1 (en) * 2006-11-10 2008-05-15 Cedes Ag Safety switching device
DE102007047293A1 (en) * 2007-10-02 2009-04-09 Georg Schlegel Gmbh & Co. Kg Switch with two contact means connected via coupling means with each other
EP2461342B1 (en) * 2010-12-06 2015-01-28 Siemens Aktiengesellschaft Error-proof switching module
FR2992485B1 (en) * 2012-06-21 2014-09-12 Sagem Defense Securite ELECTRICAL CUTTING CIRCUIT OF AN ELECTRIC POWER SUPPLY WITH RELAYS AND FUSES
FR2992486B1 (en) * 2012-06-21 2015-07-17 Sagem Defense Securite ELECTRICAL CUTTING CIRCUIT OF AN ELECTRIC POWER SUPPLY WITH TRANSISTORS AND FUSES WITH REDUNDATED LOGIC
WO2014016695A2 (en) 2012-07-27 2014-01-30 Assa Abloy Ab Presence-based credential updating
EP2878142B1 (en) 2012-07-27 2021-05-19 Assa Abloy Ab Setback controls based on out-of-room presence information
FR2999352A1 (en) * 2012-12-11 2014-06-13 Sagem Defense Securite REDUNDANCED ELECTRIC CIRCUIT FOR THE ELECTRONIC POWER SUPPLY OF AN EQUIPMENT
EP3410458B1 (en) * 2017-06-02 2019-05-22 Sick AG Modular safety relay circuit for the safe switching on and/or disconnecting of at least one machine
US20220416552A1 (en) * 2019-11-27 2022-12-29 Hitachi Astemo, Ltd. In-vehicle battery system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4665323A (en) * 1984-10-25 1987-05-12 Zenith Electronics Corporation Electronically switchable power source
DE4409541A1 (en) * 1994-03-19 1995-09-21 Leon Helma Christina Safety interlock system with redundancy for industrial machinery
DE19647668A1 (en) * 1996-11-19 1998-05-28 Bosch Gmbh Robert Slave station, master station, BUS system and method for operating a BUS system
DE19928101C2 (en) * 1999-06-19 2001-10-11 Brose Fahrzeugteile Method for controlling power windows, sunroofs and / or locks in motor vehicles
DE10009707A1 (en) * 2000-02-29 2001-09-06 Pilz Gmbh & Co Safety switch with first and second input switches which initiate electronic timers

Also Published As

Publication number Publication date
DE502004003058D1 (en) 2007-04-12
US7304406B2 (en) 2007-12-04
EP1484780A1 (en) 2004-12-08
WO2004107377A1 (en) 2004-12-09
EP1629513A1 (en) 2006-03-01
CN1799114A (en) 2006-07-05
US20060158794A1 (en) 2006-07-20

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase; Free format text: ORIGINAL CODE: 0009012
17P Request for examination filed; Effective date: 20051124
AK Designated contracting states; Kind code of ref document: A1; Designated state(s): DE FR IT SE
GRAP Despatch of communication of intention to grant a patent; Free format text: ORIGINAL CODE: EPIDOSNIGR1
DAX Request for extension of the european patent (deleted)
RBV Designated contracting states (corrected); Designated state(s): DE FR IT SE
GRAS Grant fee paid; Free format text: ORIGINAL CODE: EPIDOSNIGR3
GRAA (expected) grant; Free format text: ORIGINAL CODE: 0009210
AK Designated contracting states; Kind code of ref document: B1; Designated state(s): DE FR IT SE
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]; Ref country code: SE; Payment date: 20070405; Year of fee payment: 4
REF Corresponds to:; Ref document number: 502004003058; Country of ref document: DE; Date of ref document: 20070412; Kind code of ref document: P
REG Reference to a national code; Ref country code: SE; Ref legal event code: TRGR
ET Fr: translation filed
PLBE No opposition filed within time limit; Free format text: ORIGINAL CODE: 0009261
STAA Information on the status of an ep patent application or granted ep patent; Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT
26N No opposition filed; Effective date: 20071129
EUG Se: european patent has lapsed
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]; Ref country code: SE; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20080414
REG Reference to a national code; Ref country code: FR; Ref legal event code: PLFP; Year of fee payment: 13
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]; Ref country code: DE; Payment date: 20160620; Year of fee payment: 13
REG Reference to a national code; Ref country code: FR; Ref legal event code: PLFP; Year of fee payment: 14
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]; Ref country code: FR; Payment date: 20170425; Year of fee payment: 14
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]; Ref country code: IT; Payment date: 20170426; Year of fee payment: 14
REG Reference to a national code; Ref country code: DE; Ref legal event code: R119; Ref document number: 502004003058; Country of ref document: DE
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]; Ref country code: DE; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20171103
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]; Ref country code: FR; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20180430; Ref country code: IT; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20180413