WO2008037495A2 - Système de bus et procédé permettant son fonctionnement - Google Patents

Système de bus et procédé permettant son fonctionnement Download PDF

Info

Publication number
WO2008037495A2
WO2008037495A2 PCT/EP2007/008474 EP2007008474W WO2008037495A2 WO 2008037495 A2 WO2008037495 A2 WO 2008037495A2 EP 2007008474 W EP2007008474 W EP 2007008474W WO 2008037495 A2 WO2008037495 A2 WO 2008037495A2
Authority
WO
WIPO (PCT)
Prior art keywords
switching state
output
switch
output switch
bus
Prior art date
Application number
PCT/EP2007/008474
Other languages
German (de)
English (en)
Other versions
WO2008037495A8 (fr
WO2008037495A3 (fr
Inventor
Matthias Hofmayer
Michael Kindermann
Original Assignee
Pepperl + Fuchs Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Pepperl + Fuchs Gmbh filed Critical Pepperl + Fuchs Gmbh
Priority to EP07818554A priority Critical patent/EP2077007A2/fr
Publication of WO2008037495A2 publication Critical patent/WO2008037495A2/fr
Publication of WO2008037495A3 publication Critical patent/WO2008037495A3/fr
Publication of WO2008037495A8 publication Critical patent/WO2008037495A8/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L12/403Bus networks with centralised control, e.g. polling
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0428Safety, monitoring
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L12/40006Architecture of a communication node
    • H04L12/40039Details regarding the setting of the power status of a node according to activity on the bus
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24024Safety, surveillance
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24043Test memory comparing with known stored valid memory states
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24081Detect valid sequence of commands
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/25Pc structure of the system
    • G05B2219/25017ASI actuator sensor interface, bus, network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40254Actuator Sensor Interface ASI

Definitions

  • the invention relates to a bus system, in particular AS-Interface bus system, and a method for operating such.
  • the switching state of the door switch or the door switch (operated or unconfirmed, or open or closed) is here in many cases, especially in large industrial manufacturing plants with numerous security cells and robots therein, advantageously monitored via a common AS-Interface bus system, which at the same time can also fulfill various other tasks.
  • the door switch is usually connected to a so-called input slave, which polls the switching state of the door switch in cyclical sequence and gives up the result of the query in the form of a bit sequence on the AS-Interface bus.
  • the switching state "door is closed" corresponds to a specific bit sequence.
  • the bit sequence sent from the input slave to the AS-Interface bus changes; this then no longer outputs the original but a new bit sequence to the AS-Interface bus.
  • the power supply of the robot is usually via a power contactor or other controllable switch. Its control input is connected to the output of a so-called output slave. The data traffic on the AS-Interface bus is read from the output slave.
  • the output slave opens and closes the contactor or controllable switch by means of a control signal as a function of the data traffic on the AS-Interface bus:
  • the original bit sequence is interpreted by the output slave as "door closed” and causes the output slave to close the contactor or continue to close it to keep.
  • the new bit sequence is interpreted by the output slave as "door open” and causes the output slave to open the contactor and thereby disable the robot.
  • a bus system with slaves with secure outputs via which consumers can be switched on and off to a power supply.
  • a safety monitor installed in the bus system compares the setpoint switching states of the outputs with their actual switching states, which are fed back to the bus. All consumers are preceded by a common controllable switch, via which all consumers are connected to an electrical power supply. The safety monitor is able to compare the actual and the desired switching state and, upon detection of a deviation between actual and nominal state, the switch is controlled so that it opens, whereby all consumers are disconnected from the power supply and thus switched off.
  • a safety monitor is connected to the bus, which the Read data traffic on the AS-Interface bus.
  • the slave is programmed so that it reports back the actual switching state of its output to the AS-Interface bus.
  • the safety monitor also reads this feedback in the data traffic of the AS-Interface bus.
  • the safety switch stores the setpoint switching state of the output.
  • the safety monitor reads the feedback of the actual switching status of the slave, compares it with the setpoint switching status and in turn triggers an interruption of the power supply of all consumers if a discrepancy between the setpoint switching status and the actual switching status of the slave is detected during the comparison.
  • the disadvantage here is that in the event of a malfunction, the slave can already unintentionally switch its output, while the safety monitor has not yet finished the comparison and thus could not respond to the malfunction. In the meantime, the consumer can thus receive electricity for a short time, which can directly endanger people and is therefore highly problematic.
  • the invention is therefore based on the object to provide a bus system and a method for operating such, with which said disadvantage is overcome and which is inexpensive, with little effort on hardware, uncomplicated software and low processor performance feasible and efficient and effective eg can be used to improve occupational safety, and which should also be suitable for switching off a plurality of consumers independently with little additional effort.
  • A1 The object is achieved by a bus system with a bus, in particular AS-interface bus, to which at least one master, an output slave and a safety monitor are connected, wherein a) an output switch is connected to the output slave, which is the
  • a main switch is connected to the safety monitor which the safety monitor can open and close and which is connected in series with the output switch; c) a load is connected to a power supply via the main switch and the output switch; d) a program cycle in the master expires and the master cycles cyclically, preferably once per cycle, via the bus either a first desired switching state specifies the output slave, according to which the output switch should be in the open state, or a second desired switching state, according to which the output switch should be in the closed state, e) the output slave reads the control command, the specified switching state contained therein in a feedback code reports back to the bus, and has a timer which delays the execution of the control command for a predetermined waiting time, f) the safety monitor on the Bus reads in the feedback code and removes the specified switching state specified therein, and either makes a positive evaluation, after which the setpoint switching state reported in the feedback code is permitted, or makes a negative evaluation, according to which
  • Cycle means the program cycle running in the master. If a negative judgment is made and the skin switch is already open (for example, because it has already been opened in the previous cycle), the safety monitor leaves the main switch in the open state.
  • AJJg The object is further achieved by a method for operating a bus system, with a bus, in particular AS-Interface bus, to which at least a master, an output slave and a safety monitor are connected, wherein
  • A) is connected to the output slave an output switch, which can set the output slave in the open and in the closed switching state,
  • a main switch is connected to the safety monitor, which the safety monitor can open and close and which is connected in series with the output switch,
  • control command is read from the output slave, the target switching state contained in the control command is reported back to the bus in a feedback code, and the execution of the control command is delayed for a predetermined waiting time
  • the feedback code may be for one of the two possible desired switching states (namely, "output switch should be open” or “output switch should be closed”), in particular a zero signal or a continuous low signal or a sequence of logic zeros; that is, the feedback code may be for one of the two possible target switching states that the output slave for a certain duration no signal or a persistent for a certain time low signal or a sequence of low-to-zero or logical zeros is sent back to the bus , For example, therefore, the desired switching state "output switch should be closed” thereby be reported back from the output slave to the bus, that the corresponding feedback code is a zero signal, so no signal or a persistent for a certain time Lowsignal is sent back from the output slave to the bus , and this is interpreted by the safety monitor as feedback "Output switch should be closed”.
  • the feedback code for one of the two possible setpoint switching states can be a continuous wave; i.e.
  • the acknowledgment code for this commanded switching state may be that a continuous wave signal (e.g., high duration signal or sequence of high bits or logic ones) is sent back from the output slave to the bus for a certain duration.
  • a continuous wave signal e.g., high duration signal or sequence of high bits or logic ones
  • the target switching state "output switch should be open” thereby be reported back from the output slave to the bus, that the corresponding feedback code is a persistent for a certain time cw or a persistent for a certain time high signal, and this from the safety monitor as Feedback "Output switch should be open” is interpreted.
  • the target switching state is included in the feedback code in such a way that the safety monitor in the feedback code in the back of any reported therein desired switching state Can remove manner.
  • the desired switching states therefore need not be coded in the feedback codes, in particular not with the same bit sequences as in the control commands.
  • step F If, when performing step F), the skin switch is already open (for example, because it has already been opened in the previous cycle), the main switch is left open in step F).
  • the output switch may be part of the output slave and e.g. be integrated into these structures.
  • the timer delays the execution of the control command only when the control command is one for closing the output switch, whereas the timer does not delay the execution of the control command when the control command is one for opening the output switch.
  • AI 7 Preferably, the execution of the control command is delayed only when the control command is one for closing the output switch, and does not delay the execution of the control command when the control command is one for opening the output switch.
  • the safety monitor monitors the feedback code and uses it for the evaluation, but does not influence the output switch and its setpoint switching state.
  • the feedback code contains a statement about the SoII switching state of the output switch.
  • the safety monitor independently assesses or decides on the basis of this statement whether this setpoint switching state is permissible or not, ie the evaluation relates to the admissibility of the setpoint switching state.
  • the target switching state reported in the feedback code is evaluated. If the safety monitor considers the desired switching state to be inadmissible, ie makes a negative evaluation, it opens the main switch, so that the load is de-energized and the actual switching state of the output switch no longer arrives.
  • the execution of the control command is delayed by the output slave until the safety monitor has read in the feedback code, carried out its evaluation and if necessary has opened the main switch, so that said danger no longer exists.
  • the consumer may e.g. a robot that works in a security cell, accessible only through a single door and out
  • Safety reasons may only be entered by people when the robot is out of service, i. is switched off.
  • the consumer is disconnected from its power supply, i. switched off when either the output switch or the
  • Main switch is open because output switch and main switch are connected in series.
  • the output switch is through the output slave means
  • Safety monitor controllable by means of control signals is set up so that it does not open the main switch in a negative evaluation, but closes, the waiting time is so long that in negative evaluation of the main switch is already closed before the output switch to the Execution of the control command by the Ranlave responds. If a negative evaluation is made in this variant and the skin switch is already closed (eg because it was already closed in the previous cycle), the safety monitor leaves the main switch in the closed state. In this variant, the safety monitor preferably closes the main switch only when the additional desired switching state is the closed switching state of the output switch.
  • the main switch is not opened by the safety monitor in step F), but closed instead, and the waiting time chosen so long that in negative evaluation of the main switch is already closed before the output switch on the execution of the control command by the bosslave responds.
  • the main switch is left in the closed state in step F).
  • the main switch is preferably closed by the safety monitor only when the additional set switching state is the closed switching state of the output switch.
  • the main switch is preferably closed by the safety monitor only when the additional set switching state is the closed switching state of the output switch.
  • the main switch with the output switch is not in series, but connected in parallel to it, so that the consumer is connected via the main switch as well as the output switch to the power supply, the safety monitor at negative rating does not open the main switch, but closes, and the waiting time is so long that, if the negative Main switch is already closed before the output switch responds to the execution of the control command by the output slave.
  • the safety monitor leaves the main switch in the closed state.
  • the timer delays the execution of the control command only when the control command is one for opening the output switch, and does not delay the execution of the control command when the control command is one for closing the output switch.
  • the main switch with the output switch is not connected in series, but in parallel with it, so that the load is connected both via the
  • Main switch as well as via the output switch is connected to the power supply, with the main switch from the safety monitor at negative
  • step F if the switch is already closed when performing step F) (for example, because it has already been opened in the previous cycle), the main switch is left in the closed state in step F).
  • the consumer V can thus be connected to the power supply Q in this alternative variant of the invention with the output switch AS open by closing the main switch HS.
  • This alternative variant of the invention is particularly suitable for those applications in which an unwanted shutdown of the consumer V necessarily should be avoided.
  • the consumer can be a robot V, which applies an application of paint on a car body, which process should not be interrupted under any circumstances, to ensure the proper homogeneity of the paint job.
  • a program error or a malfunction of the master or of the output slaves, which lead to an unwanted opening of the output switch, thus do not interrupt the inking process, since the interruption is detected by the safety monitor as unwanted and prevented by timely closing of the main switch. If the paint job is interrupted before it is finished, it may cause the car bodies to become unusable. With the help of this alternative variant of the invention can thus be avoided in such cases in a very simple manner considerable damage.
  • the execution of the control command is delayed only when the control command is one for opening the output switch, and does not delay the execution of the control command when the control command is one for closing the output switch.
  • the master gives the output slave the desired switching state in which the output switch is to be located. That is, the master specifies whether the output switch should be open or closed. For this purpose, the master (preferably once per cycle) sends a control command to the output slave via the bus, the control command containing the information for the output slave as to whether the output switch should be open or closed.
  • the specification as to whether the output switch should be open or closed is given by the master to the bus.
  • predetermined data may be stored in the master or a memory connected thereto, based on which the master determines the desired switching state internally.
  • the specification as to whether the output switch should be open or closed may depend, for example, on the time.
  • the specification is influenced from the outside.
  • the master can be connected to an input element, for example pushbuttons, via which inputs into the master are possible from the outside, wherein the master determines in dependence on these inputs which desired switching state he specifies for the output slave.
  • the master can have an interface to a computer or to a programmable logic controller (PLC), via which it is integrated in a higher-level process flow, and receive data via the interface, wherein the master determines depending on these data, which target switching state he pretends to the original slave.
  • PLC programmable logic controller
  • an input slave connected to the bus can also be used, to which an input switch is connected, the input slave polling cyclically, preferably in each cycle, to inquire whether the input switch is in the open or in the closed state, the query result being from the input slave cyclically, preferably in each cycle, in the form of an input code is placed on the bus.
  • an input slave connected to the bus can be used, to which an input sensor is connected, which outputs a measured value, whereby the measured value is interrogated or polled by the input slave in each cycle instead of whether the measured value is greater or less than a predetermined limit, wherein the query result from the input slave cyclically, preferably in each cycle, is placed in the form of an input code on the bus.
  • An input slave can be connected to the bus, to which an input sensor is connected, which outputs a measured value, whereby the input slave polls the measured value cyclically, preferably in each cycle, or inquires instead whether the measured value is greater or less than a predetermined one Limit value, and the input slave outputs the query result cyclically, preferably in each cycle, in the form of an input code on the bus.
  • the input sensor may be, for example, a temperature sensor, which detects the temperature of the consumer, the master for the output switch the set switching state "closed” sets as long as the input slave reports as a query result that the temperature of the consumer is below a threshold, and the target -Switching state "open" when the input slave indicates that the temperature of the load is above the limit. In this way, the consumer can be prevented from overheating.
  • the consumer may in particular be a robot.
  • the input sensor may e.g. a motion detector, which responds when a person is in the working area of the robot, the master for the output switch the set switching state "closed” determines as long as the input slave reports as a query result that the motion is not responsive, and otherwise the setpoint Switching state "open". In this way, the robot can be switched off automatically as soon as a person comes near him.
  • an input slave to which an input switch is connected may be connected to the bus, the input slave polling cyclically, preferably in each cycle, whether the input switch is in open or closed switching state, and the input slave polling result in each cycle in the form of an input code on the bus gives up.
  • the input switch may e.g. a door switch, which is located on the access door of the safety cell of a robot is closed when the door is closed and opens when the door is opened, the master for the output switch the set switching state "closed” determines as long as the input slave reports as a query result in that the access door is closed, and otherwise determines the target switching state "open". In this way, the robot can be switched off automatically as soon as someone opens the access door.
  • a door switch which is located on the access door of the safety cell of a robot is closed when the door is closed and opens when the door is opened
  • the master cyclically reads, preferably in each cycle, the input code via the bus, and determines the target switching state of the output switch depending on the content of the input code and outputs the Output this slave switching state via the bus.
  • the input code is read in via the bus and determined depending on the contents of the input code of the set switching state of the output switch and the output slave via the bus cyclically.
  • the master is connected to a computer or a programmable controller and communicates with it.
  • the master cyclically reads, preferably in each cycle, the input code via the bus and passes the contents of the input code to the computer or the programmable logic controller, wherein the computer or the programmable logic controller the desired switching state of the output switch depending on the contents of the input code and transmitted to the master, and the master sets the target switching state of the output switch to the output slave via the bus.
  • the input code is cyclically read in by the master, preferably in each cycle, via the bus, the content of the
  • Control determined in dependence on the content of the input code and transmitted to the master, and the target switching state of the output switch from the master to the output slave via the bus specified.
  • the master receives the specification as to whether the output switch should be in the open or in the closed state, from the computer system or from the programmable logic controller, ie the decision as to whether the output switch should be in the open or in the closed state, becomes not from the master itself, but from the computer or from the programmable logic controller met and output to the master, which passes this specification on the bus.
  • the master can thus e.g. forward the input code supplied by the input slave to the computer or the programmable logic controller; There, then, the definition of the desired switching state depending on the content of the input code can be done.
  • the output slave Even in the case of such influences of the master from the outside by the computer or the programmable logic controller, the output slave always receives the default on the desired switching state of the output switch via the bus directly from the master; it is always this, which sets the output slave the desired switching state. This applies in particular even if the determination of the desired switching state is not performed by the master itself, but e.g. through the computer or through the PLC. In such cases, the master gives the output slave a set switching state set outside the mast.
  • the decision as to whether the main switch should be open or closed is made independently by the safety monitor. This decision is the result of the evaluation.
  • data may be stored in the security monitor which the security monitor compares to or otherwise relates to the feedback code so that the security monitor makes the decision using the stored data and the read-in feedback code.
  • the safety monitor for the evaluation in addition to the feedback code pulls the input code supplied by the input slave and checks independently of the latter in which switching state the output switch is to be located.
  • the safety monitor reads cyclically, preferably in each cycle, independently the input code and puts in Depending on its content, either a first additional target switching state, according to which the output switch should be in the open state, or a second additional target switching state fixed, according to which the output switch should be in the closed state, the safety monitor the The reference switching state taken from the feedback code compares with the additional target switching state, and performs the negative evaluation, if this comparison does not match.
  • the safety monitor preferably reads the input code cyclically, preferably in each cycle, and determines either a first additional desired switching state depending on its content, according to which the output switch should be in the open state, or a second addition -Soll switching state is determined, according to which the
  • Output switch is to be in the closed state, the setpoint switching state taken from the feedback code is compared with the additional target switching state, and the negative evaluation is made if this comparison no
  • the safety monitor thus independently of the master also independently defines a switching state for the output switch designated here as an additional desired switching state, but additional nominal switching state only serves to control only a role within the safety monitor, not to the bus passes and the output switch or its switching state is not affected.
  • the additional target switching state merely serves as a basis for comparison with the target switching state indicated by the feedback code; Based on the result of the comparison, the evaluation is made as to whether the desired switching state specified by the feedback code is deemed permissible or inadmissible.
  • the safety monitor only carries out the negative evaluation under the condition that the additional setpoint switching state is the open switching state of the output switch.
  • A25 Preference is given to the negative valuation of Safety monitor only made under the condition that the additional set switching state is the open switching state of the output switch.
  • the safety monitor performs the negative evaluation only under the condition that the additional target switching state is the closed switching state of the output switch.
  • the negative evaluation of the safety monitor is made only on the condition that the additional target switching state is the closed switching state of the output switch.
  • the access door of a security cell with a robot operating therein is monitored by means of a door switch.
  • the switching state of the door switch is contained in the input code.
  • the safety monitor is always informed independently whether the access door is open or closed. Based on this information, the safety monitor makes the evaluation:
  • An input code with the information "access door closed” in this example means that the robot may be switched on and a closed one
  • the output slave by control command the closed switching state as a target switching state before; the output slave will then, upon proper function, receive this desired switching state
  • an input code with the information "access door open” in this example means that the robot must be switched off and a closed one Output switch is therefore inadmissible. If there is no malfunction, the master must now specify to the output slave by means of a control command the open switching state as the desired switching state; The output slave must then report the receipt of this set switching state "Output switch should be open” in the feedback code back to the bus.
  • a feedback code with the opposite information "output switch should be closed” would therefore be an indicator of a malfunction in this situation and would therefore trigger according to the invention a negative rating by the safety monitor; The main switch would be opened for safety's sake so that the robot is switched off.
  • the safety monitor also carries out the negative evaluation if it determines that it can not or can not unambiguously extract the setpoint switching state from the acknowledgment code, or if it determines that it does not have the additional setpoint switching state or can not clearly set.
  • the negative evaluation is also carried out by the safety monitor if it determines that it can not clearly or unequivocally take the target switching state from the feedback code, or if it does not make the additional desired switching state unclear can set.
  • the malfunction can e.g. be caused by a defect of the master or the output slave; According to the invention, the malfunction can not lead to the consumer being switched on unintentionally or remaining switched on.
  • the safety monitor only carries out the negative evaluation under the condition that the additional set switching state is the open switching state of the output switch.
  • the negative rating of the safety monitor is preferred only under the condition that the additional target switching state is the open switching state of the output switch.
  • the timer delays the execution of the control command only when the control command is one for closing the output switch, whereas the timer does not delay the execution of the control command when the control command is one for opening the output switch.
  • the execution of the control command is delayed only when the control command is one for closing the output switch, whereas the execution of the control command is not delayed when the control command is one for opening the output switch.
  • the check as to whether the control command is such as to close or to open the output switch can be carried out in particular in the output slave itself.
  • the master only transmits a control command containing the information about the setpoint switching state to the output slave when the switching state of the output switch is to change.
  • A28 According to a deviating from the previously discussed variants of the method variant is transmitted from the master only the information about the desired switching state containing control command to the output slave when the switching state of the output switch is to change. If the desired switching state should remain unchanged with respect to the previous cycle, the same information about the desired switching state is therefore not sent to the output slave in these variants again.
  • the safety monitor does not need to be connected directly to the bus, but can be connected to the bus via the master.
  • Safety monitor does not necessarily have to be a separate component; rather, it can be part of the master, or safety monitor and master can be combined into a single component. ⁇ 29 In terms of procedure, as
  • the output slave is able to detect the actual switching state of the output switch and to return the open switching state of the output switch to the bus both in the feedback code and when the target switching state of the output switch is the opened switching state when the actual switching state of the output switch is the opened switching state, and / or to report the closed switching state of the output switch both in the acknowledgment code on the bus, when the target switching state of the output switch is the closed switching state, as well as when Actual switching state of the output switch is the closed switching state.
  • the actual switching state of the output switch is detected by the output slave and the open switching state of the output switch is reported back to the bus both in the feedback code when the SoII switching state of the output switch is the opened switching state, and then when the actual Switching state of the output switch is the open switching state, and / or the closed switching state of the output switch both reported back in the feedback code on the bus when the target switching state of the output switch is the closed switching state, as well as when the actual switching state of Output switch is the closed switching state.
  • the invention is suitable for cost-effective implementation of so-called "safe" outputs of an AS-Interface bus, ie switching outputs, which are backed by an additional, independently operating control against malfunction, and therefore can be particularly advantageous for improving safety at work and to reduce the risk of accidents eg when operating robots, drives or valves are used.
  • the additional control is performed by the safety monitor.
  • the output slave therefore need not be able to monitor its own function by means of expensive internal control procedures or additional hardware. Therefore, the output slave does not require elaborate parameterization for implementing the teaching according to the invention. This can be the hardware cost, the Software effort, the labor cost and thus the cost of realizing "safe" outputs are significantly reduced.
  • the output or the individual outputs are not actively enabled by the safety monitor, but only monitored.
  • the outputs of the output module are preferably operationally switched by the controller via the output data bits of the AS-Interface 1 Cs (this is the interface of the slave for communication with the bus). If all outputs are switched off, the output slave preferably sends back a secure code sequence, which is monitored by the safety monitor. If the outputs are switched on or defective, the secure code sequence is preferably switched off or falsified by a secure monitoring circuit. If the safety monitor receives a constant 0x0 from the output slave, it preferably assumes that one or more outputs are switched on.
  • the monitor switches off according to a preferred variant, i. it switches off the auxiliary power from which the output slave supplies the outputs.
  • the output slave still delays switching on the outputs after disabling the code sequence according to a preferred variant of the invention until the safety monitor can switch off the auxiliary voltage in the event of a fault.
  • the outputs are de-energized before they can switch.
  • a further output slave to the bus, which is connected to a further output switch, via which a further consumer is connected to a power supply.
  • the other output slave also receives control commands from the master, with an information contained therein about the desired switching state of the other output switch.
  • the further output slave also reports this information back in a feedback code to the bus.
  • the feedback codes may include identifiers that respectively identify the output slave from which the feedback code originates.
  • the safety monitor also reads the feedback code of the other output slaves on the bus and this takes the specified therein switching state, and either makes a positive assessment, after which in This feedback code reported set switching state is allowed, or makes a negative assessment, according to which the reported in this feedback code set switching state is inadmissible, and in negative evaluation, the main switch opens (or closes) and thus the consumer together with the disconnects further loads from the power supply (or to the power supply), wherein the other output slave has a timer which delays the execution of the sent from the master to the other Ausgsngsslave control command for a predetermined waiting time, which is chosen so long that at negative rating of the main switch is already open or closed before the further output switch responds to the execution of this control command by the other output slave.
  • This principle can be fully applied to more than two output slaves.
  • the safety monitor can in particular be set up in such a way that it is not only able to control the main switch but, independently of this, also a further main switch, which is connected in series instead of the main switch with the further output switch.
  • the feedback code of the further output slaves can also be monitored in the manner according to the invention by means of the safety monitor in this case: the feedback code originating from the further output slave is likewise read by the safety monitor.
  • the safety monitor rates these Information and opens (or closes) the other main switch at negative rating, and thus switches off the further consumer (or on) with a negative rating, wherein the other output slave has a timer, which the execution of the master from the master to the other output slave delayed control command for a predetermined waiting time, which is selected so long that in negative evaluation of the other main switch is already open or closed, before the other output switch responds to the execution of this control command by the other output slave.
  • Another safety monitor can be used to control the other main switch.
  • the return code originating from the further output slave is in this case of the other
  • Both safety monitors can work completely independently of each other, whereby the further output slave has a timer, which the
  • Delayed control command for a predetermined waiting time which is selected so long that in negative evaluation of the other main switch is already open or closed, before the other output switch responds to the execution of this control command by the other output slave.
  • FIG. 1 is a block diagram of a preferred embodiment of a bus system according to the invention, comprising a master, a safety monitor, at least one input slave and at least one output slave which controls an output switch via which a load is connected to a power supply
  • Figure 2 is a block diagram of an embodiment of a bus system according to the invention, which differs from that of Figure 1 in that the safety monitor is part of the master
  • Figure 3 is a block diagram of another preferred embodiment of a bus system according to the invention, which from that of Figure 1 by another Distinguishes output, which controls an output switch, via which another consumer is connected to the power supply
  • Figure 4 is a block diagram of another preferred embodiment of erfindungsge 5, a block diagram of an output slave and an output switch connected thereto according to an embodiment of the invention
  • FIG. 1 is a block diagram of a preferred embodiment of a bus system according to the invention, comprising a master, a safety monitor, at least one input slave and at least one output slave which controls an output switch via which
  • Figure 6 is a block diagram of an output slave and an output switch connected thereto according to another embodiment of the invention
  • Figure 7 is a block diagram of an output slave and an output switch connected thereto according to another embodiment of the invention.
  • Figure 1 shows schematically as a block diagram of an AS-Interface bus system according to the invention, with an AS-Interface bus B to which a master M, an output slave A and a safety monitor SiM are connected.
  • an output switch AS is connected, which can set the output slave A via a control line SL1 in the open and in the closed switching state.
  • a main switch HS Connected to the safety monitor SiM is a main switch HS, which the safety monitor SiM can open and close via a control line SL2 and which is connected in series with the output switch AS.
  • a consumer V about the main switch HS and thus connected in series output switch AS is a consumer V, which is a robot in the present example, connected by lines L1, L2 to a power supply Q. The consumer or robot V can therefore be disconnected both by opening the output switch AS as well as by opening the main switch HS of the power supply Q and thus turned off.
  • An input slave E to which an input switch ES is connected via lines L3.L4, is also connected to the bus B, the input slave E querying in each cycle whether the input switch ES is in the open or in the closed switching state.
  • the input switch ES is in this example a door switch ES, which opens as soon as the access door ZT is opened to a safety cell SiZ. When the access door ZT is closed, the input switch ES is closed.
  • the e.g. Security cell SiZ formed in a cage-like manner with lattice walls encloses on all sides a space in which the robot V is located and which is accessible only through the access door ZT.
  • the safety cell SiZ is used to prevent people from accidentally getting into the working area of the robot V and thereby endanger themselves.
  • a program cycle is running.
  • the master M is connected via a bidirectional communication link K to a programmable logic controller PLC.
  • the master M reads in the input code E sent via the bus B input code and passes its contents via the communication link K to the programmable logic controller PLC. This evaluates the contents of the input code and defines a desired switching state of the output switch AS as a function of this content:
  • the programmable logic controller SPS decides that the robot V may be in operation, ie the output switch AS is to be closed for the purpose of supplying power to the robot V.
  • the programmable logic controller PLC sets in this case, therefore, as the target switching state for the output switch the closed switching state.
  • the programmable logic controller PLC decides that the robot V must not be in operation, ie the output switch AS is to be opened for the purpose of interrupting the power supply for the robot V.
  • the programmable logic controller PLC sets in this case, therefore, as the target switching state for the output switch AS the open switching state.
  • the programmable logic controller PLC After the programmable logic controller PLC has set the desired switching state of the output switch AS, it transmits this via the communication link K to the master M.
  • This is the target switching state in a directed to the output slave A control command on the bus B, whereby the master M prescribes the desired switching state of the output switch AS to the output slave A.
  • the master M is the output slave A thus per cycle by control command via the bus B either a first target switching state before, according to which the output switch AS is to be in the open state, or a second SoII switching state ago, according to which the output switch AS should be in the closed state.
  • the output slave A reads in the control command and reports the setpoint switching state contained therein in a feedback code on the bus B in order to enable the safety monitor SiM to control the setpoint state contained in the feedback code.
  • the output slave A has a timer Z, which delays the execution of the control command (open the output switch AS or close the output switch AS) for a predetermined waiting time T.
  • the safety monitor SiM automatically reads in the feedback code via bus B and removes the setpoint switching status specified therein.
  • the safety monitor SiM also reads the input code and determines depending on its content either as an additional set switching state for the output switch AS that this should be in the open state, or as an additional set switching state for the Output switch AS that this should be in the closed state.
  • the safety monitor SiM decides that the robot V may be in operation, ie the output switch AS should be closed, and in this case, therefore, sets the closed as an additional nominal switching state for the output switch AS Switching state fixed.
  • the safety monitor SiM decides that the robot V must not be in operation, ie the output switch AS should be open, and puts in it Case therefore as an additional target switching state for the output switch AS the open switching state.
  • the determination of the additional set switching state depends only on the content of the input code and is therefore completely independent of the setpoint switching state.
  • the safety monitor SiM after having set the additional target switching state, compares it with the reference switching state taken from the acknowledgment code, and, if this comparison results in a correspondence between the setpoint switching state and supplementary setpoint switching state positive rating, according to which the target switching state reported in the feedback code is allowed, or otherwise a negative rating, according to which the target switching state reported in the feedback code is inadmissible.
  • a negative rating is e.g. if the output switch AS is to be open according to the setpoint switching state and at the same time according to the additional setpoint switching state, or vice versa.
  • the safety monitor SiM preferably also carries out the negative evaluation if it can not or can not unambiguously extract the desired switching state from the feedback code, or if it can not or can not unambiguously set the additional desired switching state. According to a sub-variant, the safety monitor SiM only carries out the negative evaluation under the condition that the additional desired switching state is the open switching state of the output switch AS.
  • the safety monitor SiM closes the main switch HS, or leaves it, if it is already closed, in the closed state.
  • the safety monitor opens the main switch and thus disconnects the load from the power supply Q, or leaves it in the open state, if already open.
  • the waiting time T is according to the invention so long dimensioned that in negative evaluation of the main switch HS is already open before the output switch AS responds to the execution of the control command through the output slave A, so before the output switch AS can close unintentionally.
  • the switching state of the input switch (closed or open) for further improving the safety depends not only on whether the access door is open or closed, but also by the output signal of a sensor, which, for example, an infrared sensor or motion detector and is responsive to the presence of a person in the security cell.
  • the input switch opens both when the access door is opened and when the sensor responds; in both cases the robot is switched off.
  • the switching state of the input switch does not depend on whether the access door is open or closed, but only on the output signal of such a sensor.
  • the input switch only opens when the sensor responds; in a case of the robot is switched off.
  • the senor is connected via its own slave to the bus B and reports the presence of a person via the bus B to the programmable logic controller PLC.
  • This always sets the open state as the target switching state of the output switch AS, when the sensor reports the presence of a person in the security cell on the bus B, regardless of whether the input switch ES is open or closed.
  • the programmable logic controller likewise always sets the open state as the setpoint switching state of the output switch AS, regardless of whether the sensor reports the presence of a person in the safety cell or not.
  • the safety monitor SiM reads the messages from the sensor and always sets the open state as additional target switching state of the output switch AS, either when the sensor reports the presence of a person in the security cell on the bus B or the input switch ES is open.
  • the target switching state and the additional target switching state of Output switch AS are each set by means of a complex logic, which links the information on the bus B messages or switching states of multiple sensors and / or switches together.
  • Figure 2 shows a block diagram of an embodiment of a bus system according to the invention, which differs from that of Figure 1 only in that the safety monitor SiM is part of the master M.
  • Figure 3 shows a block diagram of another preferred embodiment of a bus system according to the invention, which differs from that of Figure 1 by another connected to the bus B output slave A1, which controls an output switch AS1, via the lines L5, L6 another consumer V1 on the power supply Q is connected.
  • L6 branches off line L2.
  • the line L5 branches off between the main switch HS and the output switch AS from the line L1.
  • the output slave A1 can set the output switch AS1 via a control line SL3 in the open and in the closed switching state.
  • the output switch AS1 is interposed in the line L5 and thus as well as the output switch AS connected in series with the main switch HS.
  • the consumer V1 is in this example also a robot V1 in a safety cell SiZL The consumer or robot V1 can be disconnected both by opening the output switch AS1 and by opening the main switch HS of the power supply Q and thus turned off.
  • the functional sequence within the bus system of FIG. 3 includes the functional sequence of the bus system of FIG. 1, but goes beyond that:
  • an input slave E1 is connected to the bus B, to which an input switch ES1 is connected via lines L7.L8, wherein the input slave E1 polls in each cycle whether the input switch ES1 is in the opened or in the closed switching state ,
  • the input switch ES1 is in the present example, a door switch ES1, which opens as soon as the access door ZT 1 to the safety cell SiZ1 is opened. When the access door ZT 1 is closed, the input switch ES1 is closed.
  • the query result as to whether the door switch ES1 is open or closed outputs the input slave E1 to the bus B every cycle in the form of an input code.
  • the master M also reads in the input code E1 sent over the bus B input code and also passes its content via the communication link K to the programmable logic controller PLC. It also evaluates the content of the input code E1 from the input slave E1 and determines a desired switching state of the output switch AS1 as a function of this content:
  • the programmable logic controller SPS decides that the robot V1 must be in operation, ie the output switch AS1 is to be closed for the purpose of supplying power to the robot V.
  • the programmable logic controller PLC sets in this case, therefore, as the target switching state for the output switch the closed switching state.
  • the programmable logic controller SPS decides that the robot V must not be in operation, ie the output switch AS1 is to be opened for the purpose of interrupting the power supply for the robot V1.
  • the programmable logic controller PLC sets in this case, therefore, as the target switching state for the output switch AS1 the open switching state.
  • the programmable logic controller PLC After the programmable logic controller PLC has set the desired switching state of the output switch AS1, it transmits this via the communication link K to the master M.
  • This is the target switching state in a directed to the output slave A1 control command on the bus B, whereby the master M prescribes the desired switching state of the output switch AS1 to the output slave A1.
  • the master M thus gives the output slave A1 per cycle via the bus B either a first desired switching state, according to which the output switch AS1 should be in the open state, or a second desired switching state, according to which the output switch AS1 should be in the closed state.
  • the output slave A1 reads in the control command and reports the setpoint switching state contained therein to the bus B in a feedback code in order to enable the safety monitor SiM to control the SoII switching state contained in the feedback code.
  • the output slave A1 has a timer Z1 which delays the execution of the control command (open the output switch AS1 or close the output switch AS1) for a predetermined second waiting time.
  • the safety monitor SiM automatically reads in the feedback code via bus B and removes the setpoint switching status specified therein.
  • the safety monitor SiM also reads the input code E1 from the input code and, depending on its content, determines either as an additional set switching state for the output switch AS1 that it should be in the open state or as an additional setpoint Switching state for the output switch AS1, which should be in the closed state.
  • the safety monitor SiM decides that the robot V1 must be in operation, ie the output switch AS1 is to be closed, and in this case, then sets the closed position as additional set switching state for the output switch AS1 Switching state fixed.
  • the safety monitor SiM decides that the robot V1 must not be in operation, ie the output switch AS1 should be open, and puts in In this case, therefore, as the additional target switching state for the output switch AS1 the open switching state fixed.
  • the safety monitor SiM compares this additional target switching state with the target switching state reported back by the output slave AS1, and if this comparison gives a match, makes a positive evaluation or otherwise a negative evaluation.
  • the second waiting time is according to the invention so long dimensioned that in negative evaluation of the main switch HS is already open before the output switch AS1 responds to the execution of the control command through the output slave A1, so before the output switch AS1 can close unintentionally.
  • the safety monitor SiM performs two evaluations per cycle, one of which concerns the permissibility of the setpoint switching state for the output switch AS and the other the permissibility of the setpoint switching state for the output switch AS1.
  • the main switch HS is closed by the safety monitor SiM only or left in the closed state, if both ratings have turned out positive, ie both the comparison between the returned from the output slave AS set switching state for the output switch AS and the additional target switching state for the output switch AS to a positive rating - as well as the comparison between the fed back from the AS1 AS1 output switching state for the output switch AS1 and the additional target switching state for the output switch AS1 have led to a positive rating. If only one of the ratings fails, the safety monitor SiM opens the main switch HS, or leaves it in the open state, if it is already open. This procedure can be extended completely to even more output slaves with additional output switches.
  • Figure 4 shows a block diagram of another preferred embodiment of a bus system according to the invention, which differs from that of Figure 1 by an emergency stop switch N, which is connected via two lines L9.L10 to another input slave E2.
  • the input slave E2 is also connected to the bus B and polls every cycle whether the emergency stop switch N is pressed or not.
  • the inquiry result as to whether the emergency stop switch N is operated or not is given to the input slave E2 on the bus B every cycle in the form of another input code.
  • the master M reads in each cycle and this input code via the bus B and thus informed about the switching state of the emergency stop switch N, and passes the contents of this input code via the communication link K to the programmable logic controller PLC. This evaluates the content of this input code and determines depending on this content a desired switching state of the output switch AS:
  • the desired switching state of the output switch AS is not affected, i. its desired switching state continues to depend solely on the input code which the input slave E supplies.
  • the programmable logic controller PLC decides that the robot V may not be in operation, that is to say the robot
  • Output switch AS for the purpose of interrupting the power supply for the
  • Robot's V should be open.
  • the programmable logic controller PLC sets in this case, therefore, as the target switching state for the output switch AS, the open switching state, regardless of the input code, which supplies the input slave E.
  • the safety monitor SiM also reads the input code from the input slave E2. If the emergency stop switch N is not actuated, the additional setpoint switch N Switching state of the output switch AS is not affected, ie its desired switching state still depends solely on the input code, which supplies the input slave E. When pressed emergency stop switch N, however, sets the safety monitor as an additional set switching state for the output switch AS that this should be in the open state, regardless of whether the door switch ES is open or closed.
  • the remaining functional sequence of the bus system of FIG. 4 is similar to that of the bus system of FIG. 1.
  • the difference between the functional sequences of the bus systems of FIG. 1 and FIG. 4 is that in the bus system of FIG. 4 the setpoint switching state and the additional setpoint switching state of the output switch AS are determined by the switching state of the input switch E only when the emergency stop switch N is not actuated. Otherwise, only determines the switching state of the emergency stop switch N the desired switching state and the additional target switching state of the output switch AS, in this case, the target switching state and the additional target switching state of the output switch AS always the open switching state.
  • FIG. 5 shows a block diagram of an embodiment of an output slave A2 with an output switch AS2 connected thereto.
  • the output slaves A of FIGS. 1 to 4 can each be formed by an output slave A2, as shown in FIG.
  • the output switches AS of Figures 1 to 4 may each be formed by an output switch AS2, as shown in Figure 5.
  • the output switch AS2 is preferably a functionally safe switch.
  • the output slave A2 has an interface 1 (also referred to as “bus protocol module” or “AS-Interface-IC”), a control unit 2 (also referred to as “monitoring”), a code generator 3 and the timer Z already explained above (also referred to as “delay”), which is connected via the control line SL1 to the output switch AS2.
  • a line L11 leads to the timer Z; from the line L1 1 branches off a line L12, which leads to an input of the control unit 2. From the output of the control unit 2, a line L13 leads to the control input of a controllable switch STS. From the output of the code generator 3 leads a line L14 via the controllable switch STS to an input of the interface 1; Thus, the line L14 is continuous with the switch STS closed and interrupted when the switch STS is open.
  • the code generator 3 generates a specific, consecutively repeating bit code and outputs this constantly recurring on the line L14.
  • the bit code preferably contains an identifier which identifies the output slave A2.
  • the bit code reaches the interface 1 only when the switch STS is closed; when the switch STS is open, the bit code is generated by the code generator 3, but not transmitted to the interface 1.
  • the master M sends a control command to the output slave A2 via the bus B, after which the output switch AS2 is to be closed.
  • the control command is read from the interface 1.
  • the interface 1 detects the command contained in the control command 1 to close the output switch AS2, and as a result sets the line L11 to "high".
  • the timer Z is caused to send a signal to the base of the transistor T1 only after the waiting time via the control line SL1, which switches through the emitter-collector path of the transistor T1 and thus closes the output switch AS2 after the waiting time has elapsed, whereby the consumer V (eg Figure 1) is turned on.
  • SiM safety monitor SiM
  • the master M e.g., Fig. 1
  • the interface 1 detects the command contained in this control command 1 to open the output switch AS2, and as a result sets the line L11 to "low".
  • the timer Z is caused to de-energize the control line SL1, preferably without a time delay, whereby the emitter-collector path of the transistor T1 is disabled, thus opening the output switch AS2 and shutting off the load V (for example FIG.
  • FIG. 6 a block diagram is shown which differs from that of FIG. 5 in that the output slave A2 of FIG. 5 is replaced by an output slave A2 1 , the output switch AS 2 of FIG. 5 is replaced by an output switch AS 2 1 is replaced and an additional line L15 is present, which leads from the output switch AS2 1 to the output slave A2 1 .
  • the output switch AS2 1 of Figure 6 differs from the output switch AS2 of Figure 5 in that the output switch AS2 1 additionally has a feedback output RA, via which the actual switching state of the output switch AS2 '("output switch As2' is open” or "output Switch AS2 1 is closed ").
  • the output switches AS of Figures 1 to 4 may each be formed by an output switch AS2 1 , as shown in Figure 6.
  • the output switch AS2 1 is preferably a functionally safe switch.
  • the output slave A2 1 of FIG. 6 differs from the output slave A2 of FIG. 5 in that the output slave A2 'has, instead of the control unit 2, a control unit 2' which, in comparison to the control unit 2, has an additional input EZ which is connected via the line L15 to the control unit 2 ' Feedback output RA is connected and via which the control unit 2 'is able to read in the actual switching state of the output switch AS2 1 is capable.
  • the output slaves A of FIGS. 1 to 4 can each be formed by an output slave A2 ', as shown in FIG.
  • the control unit 2 is set up so that it opens the controllable switch STS, regardless of the desired switching state of the output switch AS2 1 , also via the line L13, when the output switch AS2 1 via the feedback output RA, the line L15 and the auxiliary input EZ reports that the output switch AS2 1 is closed.
  • the switch STS is opened both when the control command the desired switching state "output switch AS2 1 should be closed” is reported via the line L12, as well as when the actual state "output switch AS2 1 is closed” via the line L15 is reported.
  • the bit sequence on line 14 is blocked by the switch STS, so that the interface 1 returns a low signal to the bus B, which is interpreted and evaluated by the safety monitor ( Figure 1) in the manner explained above.
  • the actual switching state of the output limit switch is therefore taken into account in accordance with this embodiment of the invention. In this way, the load is switched off even if the set and actual switching state of the output switch contradict each other.
  • the transistor T1 is not interposed in the line L1, but controls a contactor, which is interposed in the line L1, wherein the contactor is then opened when the emitter-collector path of the Transistor T1 is disabled, and otherwise it is closed.
  • This embodiment is particularly then makes sense if the consumer V (eg Figure 1) requires a high electrical power.
  • the contactor can in turn also have a feedback output, via which it reports its actual switching state.
  • the control device may have a further additional input, which is connected via a further line to the feedback output of the contactor, wherein the control device opens the switch STS even if the feedback output of the contactor reports as its actual switching state: " Contactor is closed ".
  • control unit is additionally capable of comparing the actual switching state of the output switch AS2 1 with its desired switching state. If the output switch AS2 1 is turned on unsolicited, the control unit modifies the bit sequence of the code generator instead of instead blocking it by opening the switch STS.
  • the modified bit sequence may serve as an information to the safety monitor SiM to open the main switch HS even if the closing of the output switch were currently permitted, ie no direct safety problem would arise.
  • the comparison between the setpoint switching state and the actual switching state of the output switch is made directly by the safety monitor SiM. He must listen to the signal on line L11 on bus B. If this line reports the desired switching state "output switch should be switched off" while the switch STS is open, the safety monitor can react as described in the previous variant by opening the main switch HS.
  • the invention is industrially applicable inter alia for the purpose of occupational safety in the field of electronically controlled working and manufacturing processes and their control technology and automation, e.g. for safety-related control of robots, drives and valves, in particular for the improvement of occupational safety.
  • A, A ', A1, A2, A2' output slaves
  • T1 transistor V, V1 consumer e.g. robot

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Safety Devices In Control Systems (AREA)
  • Bus Control (AREA)

Abstract

L'invention concerne un système de bus comprenant un bus auquel sont connectés au moins un maître, un esclave de sortie et un moniteur de sécurité. L'esclave de sortie commande un commutateur de sortie. Le moniteur de sécurité commande un commutateur principal qui est monté en série avec le commutateur de sortie. Un utilisateur est connecté à une source de courant via ces commutateurs. Le maître spécifie à l'esclave de sortie, par une instruction de commande, l'état de commutation de consigne. L'esclave de sortie lit l'instruction de commande et rapporte au bus l'état de commutation de consigne qu'elle contient. Grâce à un élément de temporisation, l'exécution de l'instruction de commande est retardée pour un temps d'attente prédéfini. Le moniteur de sécurité émet, soit une estimation positive, auquel cas l'état de commutation de consigne rapporté est acceptable, soit une estimation négative, auquel cas l'état de commutation de consigne rapporté est inacceptable. En cas d'estimation négative, le commutateur principal est ouvert, et l'utilisateur se trouve ainsi isolé de la source de courant. Le temps d'attente est mesuré de telle façon qu'en cas d'estimation négative, le commutateur principal soit déjà ouvert avant que le commutateur de sortie réponde à une instruction de commande.
PCT/EP2007/008474 2006-09-28 2007-09-28 Système de bus et procédé permettant son fonctionnement WO2008037495A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP07818554A EP2077007A2 (fr) 2006-09-28 2007-09-28 Système de bus et procédé permettant son fonctionnement

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102006046272 2006-09-28
DE102006046272.6 2006-09-28

Publications (3)

Publication Number Publication Date
WO2008037495A2 true WO2008037495A2 (fr) 2008-04-03
WO2008037495A3 WO2008037495A3 (fr) 2008-06-26
WO2008037495A8 WO2008037495A8 (fr) 2009-11-26

Family

ID=39230562

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2007/008474 WO2008037495A2 (fr) 2006-09-28 2007-09-28 Système de bus et procédé permettant son fonctionnement

Country Status (2)

Country Link
EP (1) EP2077007A2 (fr)
WO (1) WO2008037495A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009156122A1 (fr) 2008-06-26 2009-12-30 Phoenix Contact Gmbh & Co. Kg Système de surveillance
WO2017174338A1 (fr) * 2016-04-08 2017-10-12 Eaton Electrical Ip Gmbh & Co. Kg Élément de bus et procédé de fonctionnement d'un élément de bus

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19754769A1 (de) * 1997-11-28 1999-06-02 Siemens Ag Feldbus-System für sicherheitsgerichtete Anwendungen
DE19928984A1 (de) * 1999-06-24 2000-12-28 Leuze Electronic Gmbh & Co Bussystem mit abgesicherten Ausgängen

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19754769A1 (de) * 1997-11-28 1999-06-02 Siemens Ag Feldbus-System für sicherheitsgerichtete Anwendungen
DE19928984A1 (de) * 1999-06-24 2000-12-28 Leuze Electronic Gmbh & Co Bussystem mit abgesicherten Ausgängen

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009156122A1 (fr) 2008-06-26 2009-12-30 Phoenix Contact Gmbh & Co. Kg Système de surveillance
CN102077148A (zh) * 2008-06-26 2011-05-25 菲尼克斯电气公司 监控系统
RU2504813C2 (ru) * 2008-06-26 2014-01-20 Финикс Контакт Гмбх Унд Ко. Кг Система контроля за процессами обеспечения безопасности и способ контроля за выходным модулем
US8744805B2 (en) 2008-06-26 2014-06-03 Phoenix Contact Gmbh & Co. Kg Monitoring system
DE102008029948B4 (de) 2008-06-26 2018-08-30 Phoenix Contact Gmbh & Co. Kg Überwachungssystem
WO2017174338A1 (fr) * 2016-04-08 2017-10-12 Eaton Electrical Ip Gmbh & Co. Kg Élément de bus et procédé de fonctionnement d'un élément de bus
CN109074031A (zh) * 2016-04-08 2018-12-21 伊顿智能动力有限公司 总线节点和总线节点的操作方法
US11372796B2 (en) 2016-04-08 2022-06-28 Eaton Intelligent Power Limited Bus subscriber and method for operating a bus subscriber
CN109074031B (zh) * 2016-04-08 2022-07-22 伊顿智能动力有限公司 总线节点和总线节点的操作方法

Also Published As

Publication number Publication date
EP2077007A2 (fr) 2009-07-08
WO2008037495A8 (fr) 2009-11-26
WO2008037495A3 (fr) 2008-06-26

Similar Documents

Publication Publication Date Title
EP2017869B1 (fr) Dispositif de sécurité destiné à la commande à plusieurs canaux d'un dispositif de sécurité
DE102012103015B4 (de) Sicherheitsschaltvorrichtung mit Schaltelement im Hilfskontaktstrompfad
EP3069202B1 (fr) Commande de sécurité à entrées configurables
EP2202592B1 (fr) Dispositif de sécurité destiné à la commande à plusieurs canaux d'un dispositif de sécurité
EP1887444B1 (fr) Commande de processus
EP2422244B1 (fr) Commande de sécurité et procédé de commande d'une installation automatisée
DE10330916A1 (de) Vorrichtung und Verfahren zum automatisierten Steuern eines Betriebsablaufs bei einer technischen Anlage
EP1038354B1 (fr) Circuit servant a verifier que l'etat d'une installation est correct et/ou a reconnaitre un etat incorrect de cette installation
EP2099164B1 (fr) Dispositif de sécurité destiné à la commande sécurisée d'actionneurs raccordés
EP1748299B1 (fr) Circuit électronique, système avec un circuit électronique et procédé pour tester un circuit électronique
EP3465898B1 (fr) Démarreur progressif, procédé de fonctionnement et système de commutation
EP1672446A2 (fr) Module d'entrée/sortie sécurisé pour un controleur
EP1619565A2 (fr) Procédure et dispositif pour l'enclenchement sûr d'un système de réseau d'automatisation
EP3557598A1 (fr) Commutateur de sécurité
WO2008037495A2 (fr) Système de bus et procédé permettant son fonctionnement
EP3475966B1 (fr) Commutateur oriente vers la securite
WO2017194546A1 (fr) Ensemble de surveillance destiné à surveiller un capteur de sécurité et procédé pour surveiller un capteur de sécurité
DE3919558C2 (fr)
EP3660597B1 (fr) Dispositif pour une commutation d'un système de machine dangereuse
DE4213171A1 (de) Sicherheitsschaltung
EP3848633B1 (fr) Circuit avec protection contre les erreurs internes
EP2769273B1 (fr) Module d'extension pour un système de sécurité
EP3557338B1 (fr) Procédé de programmation d'une commande de sécurité
DE19520538C2 (de) Verfahren zur Ablaufsteuerung industrieller Prozesse
EP1119802A1 (fr) Dispositif permettant de commander et/ou de surveiller des processus industriels externes

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07818554

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2007818554

Country of ref document: EP