Safety circuit for fail-safe shutdown of a dangerous system

10727014 · 2020-07-28

Abstract

A safety circuit for fail-safe shutdown of a dangerous technical system with a plurality of disconnectable system component groups comprises a plurality of safety switching devices electrically connected to one another in series to form a closed-loop monitoring circuit in which electric monitoring current flows through the safety switching devices. Each of the safety switching devices includes: a fail-safe control unit that detects and evaluates information about a current operating state of any system component group assigned to it; and a current flow adjuster that changes the current flow within the monitoring circuit to interrupt the monitoring circuit in response to detection of a safety command by the safety switching device. The fail-safe control units generate a shutdown signal in response to an interruption of the current flow within the monitoring circuit, which causes the fail-safe shutdown of any of the system component group not already shut down.

Claims

1. A safety circuit for fail-safe shutdown of a dangerous technical system with a plurality of disconnectable system component groups, comprising: a plurality of safety switching devices electrically connected to one another in series to form a communication connection and a closed-loop monitoring circuit in which electric monitoring current flows through the safety switching devices, each of the safety switching devices including: a fail-safe control unit to which at least one of the system component groups is assigned, the fail-safe control unit being configured to detect and evaluate information about a current operating state of the at least one of the system component groups; and a current flow adjuster configured to change the current flow within the monitoring circuit to interrupt the monitoring circuit in response to detection of a safety command by the safety switching device, wherein the fail-safe control unit of each of the safety switching devices is configured to generate a shutdown signal in response to an interruption of the current flow within the monitoring circuit, the shutdown signal causing the fail-safe shutdown of any one of the system component groups not already shut down, wherein each of the safety switching devices further comprises: a measuring device connected to the fail-safe control unit and configured to monitor the electric monitoring current within the monitoring circuit and to provide a first input signal to the fail-safe control unit for the monitoring circuit and measurement of the monitoring current, and to provide a second input signal upon the interruption of the monitoring circuit, and a safety switching element coupled to an output of the fail-safe control unit and to an assigned system component group, the safety switching element being configured to shut down the assigned system component group upon receipt of the shutdown signal from the fail-safe control unit, and wherein the fail-safe control unit is configured to generate an input signal that causes a closing of the safety switching element in response to the first input signal and to generate the shutdown signal that causes an opening of the safety switching element in response to the second input signal.

2. The safety circuit of claim 1, wherein the current flow adjuster comprises a switching device configured to selectively close or interrupt the monitoring circuit.

3. The safety circuit of claim 1, wherein the current flow adjuster comprises a field effect transistor or a relay.

4. The safety circuit of claim 1, wherein a first of the safety switching devices further comprises a continuous current source configured to generate a continuous current.

5. The safety circuit of claim 1, wherein a first of the safety switching devices further comprises a continuous voltage source configured to generate a continuous voltage.

6. The safety circuit of claim 1, wherein respective current flow adjusters of the plurality of safety switching devices are connected in series.

7. The safety circuit of claim 5, wherein: the first of the safety switching devices further comprises a voltage pulse generator connected to the continuous voltage source, the voltage pulse generator being configured to generate defined voltage pulses; and each of the safety switching devices further comprises a voltage pulse evaluator configured to detect and evaluate the voltage pulses.

8. A safety circuit for fail-safe shutdown of a dangerous technical system with a plurality of disconnectable system component groups, comprising: a plurality of safety switching devices electrically connected to one another in series to form a communication connection and a closed-loop monitoring circuit in which electric monitoring current flows through the safety switching devices, each of the safety switching devices including: a fail-safe control unit to which at least one of the system component groups is assigned, the fail-safe control unit being configured to detect and evaluate information about a current operating state of the at least one of the system component groups; and a current flow adjuster configured to change the current flow within the monitoring circuit to interrupt the monitoring circuit in response to detection of a safety command by the safety switching device, wherein the fail-safe control unit of each of the safety switching devices is configured to generate a shutdown signal in response to an interruption of the current flow within the monitoring circuit, the shutdown signal causing the fail-safe shutdown of any one of the system component groups not already shut down, wherein each of the safety switching devices further comprises: a measuring device connected to the fail-safe control unit and configured to monitor the electric monitoring current within the monitoring circuit and to provide a first input signal to the fail-safe control unit for the monitoring circuit and measurement of the monitoring current, and to provide a second input signal upon the interruption of the monitoring circuit, and wherein the measuring device comprises at least one resistor and an evaluation unit connected to the at least one resistor, the evaluation unit being configured to determine an electrical voltage drop across the at least one resistor and to generate the first or second input signal based on a magnitude of the voltage drop.

9. The safety circuit of claim 8, wherein each safety switching device further comprises: a memory connected to the evaluation unit of the measuring device, the memory being configured to retrievably store a first reference voltage value of a reference voltage upstream of the resistor and a second reference voltage value of a second reference voltage downstream of the resistor.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Other features and benefits of the present invention become clear from the subsequent description of preferred embodiments with reference to the included figures. The figures show:

(2) FIG. 1: a highly simplified schematic depiction illustrating the basic principle of a safety circuit implemented according to the present invention;

(3) FIG. 2: a simplified schematic depiction of a safety circuit implemented according to a first embodiment of the present invention;

(4) FIG. 3: a simplified schematic depiction of a safety circuit implemented according to a second embodiment of the present invention;

(5) FIG. 4: a simplified schematic depiction of a safety circuit implemented according to a third embodiment of the present invention;

(6) FIG. 5: a simplified schematic depiction of a safety circuit implemented according to a fourth embodiment of the present invention.

DETAILED DESCRIPTION

(7) With reference to FIG. 1, a safety circuit 1, which is designed for fail-safe shutdown of a dangerous system 3 comprising a number n ≥ 2 of disconnectable system component groups 4a, . . . , 4n, in particular machines or robots, comprises a plurality of safety switching devices 2a, . . . , 2n. These safety switching devices 2a, . . . , 2n are preferably designed such that they comply with the requirements for classification in Category 4 (Performance Level e) of the European standard EN ISO 13849-1-2009. The number of safety switching devices 2a, . . . , 2n preferably corresponds to the number of system component groups 4a, . . . , 4n of dangerous system 3, so that each of system component groups 4a, . . . , 4n is respectively assigned to one of safety switching devices 2a, . . . , 2n. Individual safety switching devices 2a, . . . , 2n are electrically connected to one another in series with the aid of electrical connecting lines 5. Safety circuit 1 preferably has a modular and scalable structure so that the number n of safety switching devices 2a, . . . , 2n may be changed in a simple way, even retroactively. Due to the modular structure of safety circuit 1, each of safety switching devices 2a, . . . , 2n has a voltage terminal 20 for supplying a supply voltage, a ground terminal 21, an input terminal 22, and an output terminal 23.

(8) Voltage terminal 20 of first safety switching device 2a is connected to an external voltage supply device, which may supply a supply voltage, which may lie, in particular, between 20 VDC and 30 VDC, to safety circuit 1. Voltage terminal 20 of first safety switching device 2a is connected to input terminal 22 of first safety switching device 2a. Output terminal 23 of first safety switching device 2a is connected to input terminal 22 of second safety switching device 2b. Output terminal 23 of second safety switching device 2b is connected to input terminal 22 of third safety switching device 2c, and so on. Output terminal 23 of nth safety switching device 2n is connected to ground terminal 21 of nth safety switching device 2n. In this way, an electric monitoring circuit of safety circuit 1 is formed, which is closed by a common ground line of the external voltage supply device, not explicitly depicted here, and of the last (nth) safety switching device 2n.

(9) Each of safety switching devices 2a, . . . , 2n additionally comprises a measuring device 6a, . . . , 6n, by which an electric variable, for example an electric voltage or an electric current, may be measured, and current flow adjusters 7a, . . . , 7n. Current flow adjusters 7a, . . . , 7n are designed in this and all other embodiments depicted here as switching devices which may be selectively opened and closed. In a closed state of these current flow adjusters 7a, . . . , 7n, a defined monitoring current flows through the monitoring circuit. If one of current flow adjusters 7a, . . . , 7n is opened, then the monitoring circuit is opened so that a current flow is no longer present within the monitoring circuit.

(10) Each safety switching device 2a, . . . , 2n of safety circuit 1 is configured to transmit a safety command, in particular an emergency off or emergency stop message, from system component groups 4a, . . . , 4n disconnectably connected to the relevant safety switching device 2a, . . . , 2n to the remaining safety switching devices 2a, . . . , 2n of safety circuit 1, or to receive a safety command, in particular an emergency off or emergency stop message from one of the remaining safety switching devices 2a, . . . , 2n. As shall be explained below in greater detail, in the normal operating state of safety circuit 1, all current flow adjusters 7a, . . . , 7n are closed so that the presence of an electric monitoring current, which flows through safety switching devices 2a, . . . , 2n connected in series, may be detected by measuring the electric variable by integrated measuring device 6a, . . . , 6n of each safety switching device 2a, . . . , 2n.

(11) In order to forward a safety command, in particular an emergency off or emergency stop message, which one of safety switching devices 2a, . . . , 2n has received, to the remaining safety switching devices 2a, . . . , 2n of safety circuit 1, current flow adjusters 7a, . . . , 7n of the relevant safety switching device 2a, . . . , 2n are opened. This interruption of the electric monitoring current flow within the monitoring circuit of safety circuit 1 may be detected by measuring devices 6a, . . . , 6n of the remaining safety switching devices 2a, . . . , 2n, so that these may likewise initiate, in the way described below, a safety command, in particular an emergency off or emergency stop function, in system component groups 4a, . . . , 4n connected to the relevant safety switching devices 2a, . . . , 2n.

(12) With reference to FIGS. 2 through 5, this basic operating concept of safety circuit 1, previously explained briefly, will be explained in greater detail by way of four embodiments. To keep the subsequent depiction clear, safety circuits 1 depicted in FIGS. 2 through 5 each have three safety switching devices 2a, 2b, 2c, which are electrically connected to one another in series in the previously described way. One of system component groups 4a, 4b, 4c is connected to each of these safety switching devices 2a, 2b, 2c.

(13) With reference to FIG. 2, first safety switching device 2a has, in this embodiment, a continuous current source 8, which is connected to input terminal 22 of first safety switching device 2a, and at which the supply voltage of safety circuit 1, which is preferably 24 V, is applied. Measuring devices 6a, 6b, 6c of safety switching devices 2a, 2b, 2c each comprise an electrical resistor 60 and an evaluation unit 61, which is preferably designed as a microcontroller with a first A/D input 610 and a second A/D input 611. During operation of safety circuit 1, a voltage drop U may be detected across electrical resistor 60 by first A/D input 610 and second A/D input 611 of evaluation unit 61 of one of those measuring devices 6a, 6b, 6c, and evaluated by evaluation unit 61.

(14) Current flow adjusters 7a, 7b, 7c are each designed, in this embodiment and also in the remaining embodiments which are described below, as field effect transistors (FET). Alternatively, current flow adjusters 7a, 7b, 7c may also be implemented as conventional transistors or as relays.

(15) Each of safety switching devices 2a, 2b, 2c additionally has a fail-safe control unit 9a, 9b, 9c, which is connected on the input side to evaluation unit 61 of measuring device 6a, 6b, 6c of relevant safety switching device 2a, 2b, 2c and forms an AND gate. As will be explained in greater detail below, evaluation units 61 are configured to transmit a binary input signal (U1, U2, U3=0 or U1, U2, U3=1) to respective fail-safe control unit 9a, 9b, 9c.

(16) Fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c additionally has one or more inputs. Input signals from one or more sensors may be provided to relevant fail-safe control unit 9a, 9b, 9c via these inputs and said input signals may be evaluated by fail-safe control units 9a, 9b, 9c. It is thus possible that fail-safe control unit 9a, 9b, 9c of each of safety switching devices 2a, 2b, 2c may receive information about the operating state of system component groups 4a, 4b, 4c connected thereto, and/or a safety command, in particular an emergency off or emergency stop message. The results of the internal input signal processing likewise form a binary input signal (E1, E2, E3=0 or E1, E2, E3=1) for the AND gate of fail-safe control unit 9a, 9b, 9c.

(17) In addition, each of safety switching devices 2a, 2b, 2c respectively has, in the embodiments shown here, one safety switching element 10a, 10b, 10c, which is connected on the output side to fail-safe control unit 9a, 9b, 9c of relevant safety switching device 2a, 2b, 2c. Each of these safety switching elements 10a, 10b, 10c is respectively connected to a system component group 4a, 4b, 4c of dangerous system 3. By safety switching elements 10a, 10b, 10c, which are preferably designed as safety relays, system component groups 4a, 4b, 4c connected thereto may be activated and shut down in a fail-safe way. Fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c is configured to transmit a binary output signal (A1, A2, A3=0 or A1, A2, A3=1) to each safety switching element 10a, 10b, 10c. The output signals A1=0, A2=0, and A3=0 thereby respectively represent a shutdown signal for shutting down relevant safety switching element 10a, 10b, 10c. In contrast, the output signals A1=1, A2=1, and A3=1 respectively represent an activation signal for activating relevant safety switching element 10a, 10b, 10c. All safety commands of system component groups 4a, 4b, 4c of dangerous system 3 connected thereto are processed in fail-safe control units 9a, 9b, 9c so that safety switching elements 10a, 10b, 10c of safety switching devices 2a, 2b, 2c may be controlled depending on the result of the evaluations.

(18) Based on a dimensioning example, different operating states of safety circuit 1 depicted in FIG. 2 will be subsequently explained in greater detail. It shall thereby be assumed that continuous current source 8 provides an electric monitoring current I=2 mA, and that electric resistor 60 has a resistor value R=500 Ohms.

(19) State No. 1: Normal Operation

(20) In an interference-free (normal) operating state of all system component groups 4a, 4b, 4c of dangerous system 3, all safety switching devices 2a, 2b, 2c are activated. The internal evaluation of the input signals from the sensors of system component groups 4a, 4b, 4c of dangerous system 3 provides a value of E1=E2=E3=1 on the input side for the AND gate of each fail-safe control unit 9a, 9b, 9c. Fail-safe control unit 9a, 9b, 9c is also configured to open or to close current flow adjusters 7a, 7b, 7c of relevant safety switching devices 2a, 2b, 2c. This may be carried out via a binary control signal S1, S2, S3, where S1, S2, S3=1 represents closed current flow adjusters 7a, 7b, 7c, and S1, S2, S3=0 represents open current flow adjusters 7a, 7b, 7c.

(21) In the normal operating state of all system component groups 4a, 4b, 4c connected to safety switching devices 2a, 2b, 2c, E1=E2=E3=1 and S1=S2=S3=1 applies. This means that all current flow adjusters 7a, 7b, 7c of safety switching devices 2a, 2b, 2c, and thus also the monitoring circuit are closed so that the electric monitoring current may flow from first safety switching device 2a via second safety switching device 2b to third safety switching device 2c. There is a voltage drop U across electrical resistor 60 of each of measuring devices 6a, 6b, 6c of safety switching devices 2a, 2b, 2c, wherein U=1 V applies. Measuring devices 6a, 6b, 6c transmit an input signal U1=U2=U3=1 to fail-safe control unit 9a, 9b, 9c, which represents that the voltage drop U corresponds to the expected value in the interference-free operation of all system component groups 4a, 4b, 4c.

(22) Furthermore, because E1=E2=E3=1 and U1=U2=U3=1, all safety switching elements 10a, 10b, 10c, which are preferably designed as safety relays, are closed (i.e., for the output signals which are generated by fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c, A1=A2=A3=1 applies), so that all system component groups 4a, 4b, 4c connected thereto may be supplied with their electrical operating voltage.

(23) State No. 2: Reliable Shutdown of System Component Groups

(24) If, for example, in second system component group 4b an emergency off or emergency stop button/switch is actuated, and thus safety switching element 10b of second safety switching device 2b is opened, then this emergency off or emergency stop message is also to be provided to the two remaining safety switching devices 2a, 2c of safety circuit 1, so that system component groups 4a, 4c connected thereto may likewise be simultaneously reliably shut down. The result of the internal signal processing of fail-safe control unit 9b of second safety switching device 2b then results in a value E2=0, which represents the emergency off or emergency stop message. In order to achieve a reliable shutdown of the system component groups 4a, 4c of the two remaining safety switching devices 2a, 2c, fail-safe control unit 9b of second safety switching device 2b controls current flow adjuster 7b of second safety switching device 2b such that this is opened and the electric monitoring current flow from first safety switching device 2a to third safety switching device 2c is interrupted. Current flow adjuster 7b of second safety switching device 2b thereby receives a control signal S2=0, which causes an opening of the relevant current flow adjuster 7b and leads to an interruption of the monitoring circuit of safety circuit 1.

(25) Then, for the voltage drop U across resistors 60 of measuring device 6a of first safety switching device 2a and measuring device 6c of third safety switching device 2c, U=0 V applies. This voltage drop U=0 V is detected in each case by evaluation units 61 of measuring devices 6a, 6c of first and third safety switching devices 2a, 2c. Evaluation units 61 of measuring devices 6a, 6c of first safety switching device 2a and third safety switching device 2c each generate an input signal U1=0 or U3=0 for the AND gate of fail-safe control units 9a, 9c of first and third safety switching devices 2a, 2c. Since for the input signal of fail-safe control unit 9a of first safety switching device 2a, U1=0 applies, fail-safe control unit 9a generates an output signal A1=0, which causes a shutdown of safety switching element 10a of first safety switching device 2a. Since, in addition, for the input signal of fail-safe control unit 9c of third safety switching device 2c, U3=0 applies, fail-safe control unit 9c generates an output signal A3=0, which causes a shutdown of safety switching element 10c of third safety switching device 2c.

(26) State No. 3: Reactivation

(27) If, starting from the previously described operating state, safety switching element 10b of second safety switching device 2b is reactivated so that second system component group 4b is placed back into operation, then the internal signal processing of fail-safe control unit 9b of second safety switching device 2b provides the result E2=1. Consequently, a switching signal S2=1 is generated, which closes current flow adjuster 7b of second safety switching device 2b. Since current flow adjuster 7a of first safety switching device 2a and current flow adjuster 7c of third safety switching device 2c were not opened during the switching operation previously carried out, and thus are still located in a closed state, the electric monitoring current may again flow through the closed monitoring circuit of safety circuit 1 from first safety switching device 2a to third safety switching device 2c. Thus, a voltage drop U=1 V may be measured again at resistors 60 of all measuring devices 6a, 6b, 6c, so that fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c each receives an input signal U1=U2=U3=1 and, because E1=E2=E3=1, each provides corresponding output signals A1=A2=A3=1. The output signals A1=1 and A3=1 lead to safety switching elements 10a, 10c of first and third safety switching devices 2a, 2c being likewise closed, so that system component groups 4a, 4c of dangerous system 3 connected thereto may be likewise supplied again with an operating voltage.

(28) State No. 4: Wiring Fault

(29) If, for example, no electric monitoring current flows through safety switching devices 2a, 2b, 2c due to a wiring fault, no voltage drop U may be measured at resistors 60 of all measuring devices 6a, 6b, 6c. Thus, U=0 V applies. In this fault condition, fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c receives an input signal U1=U2=U3=0. Fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c provides corresponding output signals A1=A2=A3=0, which cause an opening of safety switching elements 10a, 10b, 10c and thus a reliable shutdown of system component groups 4a, 4b, 4c connected thereto.

(30) If the measurements of the voltage drop U should result in U>1 V or 0 V<U<1 V, then a fault condition is present. Evaluation units 61 of measuring devices 6a, 6b, 6c thereby likewise generate an input signal U1=U2=U3=0, so that fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c respectively provides a corresponding output signal A1=A2=A3=0. These output signals A1=A2=A3=0 cause an opening of safety switching elements 10a, 10b, 10c and thus a reliable shutdown of system component groups 4a, 4b, 4c connected thereto.

(31) A second embodiment of safety circuit 1 will subsequently be described in greater detail with reference to FIG. 3. Unlike the first embodiment, first safety switching device 2a has a continuous voltage source 11, which continuously maintains the voltage at a predetermined value, regardless of the fluctuating supply voltage which is provided by the external voltage supply device. For example, the voltage may be maintained at a continuous value UV=15 V by the continuous voltage source 11. Resistors 60 again have a value R=500 Ohms in this embodiment.

(32) The following statements apply for the voltage drop U across respective resistor 60, measured by measuring devices 6a, 6b, 6c, and the binary input signals provided by evaluation units 61:

U=1, if U=5 V

U=0, if U=0 V

Fault, if U>5 V or 0 V<U<5 V.

(33) Various operating states of safety circuit 1 are subsequently described again in greater detail. The operating states No. 1 through No. 4 correspond, from a technical standpoint, to those from the first embodiment, so that these are subsequently described in an abbreviated form.

(34) State No. 1: Normal Operation

(35) As in the first embodiment, in normal operation, all safety switching devices 2a, 2b, 2c and system component groups 4a, 4b, 4c connected thereto are activated. A voltage drop U=5 V may be measured across each resistor 60 of measuring devices 6a, 6b, 6c, so that, analogous to the first embodiment, U1=U2=U3=1 applies for the binary input signals U1, U2, U3. As no emergency off or emergency stop has been initiated, E1=E2=E3=1 additionally applies, so that all current flow adjusters 7a, 7b, 7c are closed. Thus, S1=S2=S3=1 applies. Furthermore, for the output signals A1, A2, A3 of fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c, A1=A2=A3=1 applies. This means that all safety switching elements 10a, 10b, 10c are closed.

(36) State No. 2: Reliable Shutdown of System Component Groups

(37) If, for example, an emergency off button/switch of second system component group 4b is actuated and safety switching element 10b of second safety switching device 2b is opened, then the internal signal processing in fail-safe control unit 9b leads to the result E2=0. This causes a shutdown signal S2=0 to be provided to current flow adjuster 7b of second safety switching device 2b by fail-safe control unit 9b. Current flow adjuster 7b of second safety switching device 2b is opened so that the monitoring current flow within the electric monitoring circuit of safety circuit 1 is interrupted from first safety switching device 2a to third safety switching device 2c.

(38) For the voltage drop U across resistors 60 of measuring devices 6a, 6c of first safety switching device 2a and third safety switching device 2c, U=0 V applies. Consequently, fail-safe control unit 9a of first safety switching device 2a receives an input signal U1=0, and for its part generates an output signal A1=0, which leads to an opening of safety switching element 10a of first safety switching device 2a. Analogously, fail-safe control unit 9c of third safety switching device 2c receives an input signal U3=0, and generates an output signal A3=0, which leads to an opening of safety switching element 10c of third safety switching device 2c.

(39) State No. 3: Reactivation of the System Component Groups

(40) If, starting from the previously described operating state, safety switching element 10b of second safety switching device 2b is reactivated so that second system component group 4b is placed back into operation, then the internal signal processing of fail-safe control unit 9b of second safety switching device 2b provides the result E2=1. Consequently, fail-safe control unit 9b of second safety switching device 2b generates a switching signal S2=1, which closes current flow adjuster 7b of second safety switching device 2b again. Since current flow adjuster 7a of first safety switching device 2a and current flow adjuster 7c of third safety switching device 2c were not opened during the previous shutdown process, and thus are still located in a closed state, the electric monitoring current may again flow, after closing current flow adjuster 7b of second safety switching device 2b, from first safety switching device 2a to third safety switching device 2c. Thus, a voltage drop U=5 V may be measured at resistors 60 of all measuring devices 6a, 6b, 6c, so that fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c receives an input signal U1=U2=U3=1 and, because E1=E2=E3=1, each provides corresponding output signals A1=A2=A3=1. The output signals A1=1 and A3=1 lead to safety switching elements 10a, 10c of first and third safety switching devices 2a, 2c being likewise closed, so that system component groups 4a, 4c of dangerous system 3 connected thereto may be supplied again with their operating voltage.

(41) State No. 4: Wiring Fault

(42) If, for example, no electric monitoring current flows through safety switching devices 2a, 2b, 2c due to a wiring fault, no voltage drop U may be measured at resistors 60 of all measuring devices 6a, 6b, 6c. Thus, U=0 V applies. In this fault condition, fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c receives an input signal U1=U2=U3=0. Fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c provides corresponding output signals A1=A2=A3=0, which cause an opening of safety switching elements 10a, 10b, 10c and thus a reliable shutdown of system component groups 4a, 4b, 4c connected thereto.

(43) State No. 5: Fault Condition: 0 V Voltage at Output Terminal 23 of Second Safety Switching Device 2b and/or at Input Terminal 22 of Third Safety Switching Device 2c

(44) If a voltage U=0 is present at output terminal 23 of second safety switching device 2b and/or at input terminal 22 of third safety switching device 2c, then a voltage drop U=7.5 V is detected by measuring devices 6 in first safety switching device 2a and in second safety switching device 2b respectively. Evaluation units 61 of first and second safety switching devices 2a, 2b generate an input signal U1=0 and U2=0, which is provided to fail-safe control unit 9a, 9b of first and second safety switching devices 2a, 2b so that output signals A1=0 and A2=0 may be generated, which cause an opening of safety switching elements 10a, 10b of first and second safety switching devices 2a, 2b. In addition, a fault message is transmitted.

(45) In third safety switching device 2c, a value of U=0 V results for the voltage drop across resistor 60. This leads to an input signal U3=0 for fail-safe control unit 9c of third safety switching device 2c, which generates an output signal A3=0, which causes an opening of safety switching element 10c of third safety switching device 2c.

(46) State No. 6: Fault Condition: 24 V Voltage at Output Terminal 23 of Second Safety Switching Device 2b and/or at Input Terminal 22 of Third Safety Switching Device 2c

(47) If a voltage U=24 V is applied at output terminal 23 of second safety switching device 2b and/or at input terminal 22 of third safety switching device 2c, then a voltage drop U=4.5 V is detected by measuring devices 6 in first safety switching device 2a and in second safety switching device 2b respectively. Evaluation units 61 of measuring devices 6a, 6b of first and second safety switching devices 2a, 2b generate an input signal U1=0 and U2=0, which is provided to fail-safe control unit 9a, 9b of first and second safety switching devices 2a, 2b so that output signals A1=0 and A2=0 are generated, which cause an opening of safety switching elements 10a, 10b of first and second safety switching devices 2a, 2b. In addition, a fault message is transmitted. Within third safety switching device 2c, a value of U=24 V results for the voltage drop across resistor 60. This leads to an input signal U3=0 for fail-safe control unit 9c of third safety switching device 2c, which generates an output signal A3=0, which causes an opening of safety switching element 10c of third safety switching device 2c. In addition, a fault message is transmitted.
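The operating states of the second embodiment can be reproduced with a small model of the series loop. The following C program is an added example, not code from the patent: it assumes an ideal continuous voltage source 11, equal resistors 60 acting as a voltage divider, and a tolerance band V_TOL, and all identifiers are hypothetical. With an ideal source the drop in state No. 6 comes out as -4.5 V (reverse current), whose magnitude is the 4.5 V stated above.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_DEV     3      /* safety switching devices 2a, 2b, 2c */
#define V_SRC     15.0   /* continuous voltage source 11, volts */
#define V_NOMINAL 5.0    /* expected drop across each resistor 60 */
#define V_TOL     0.25   /* assumed measurement tolerance, not a patent value */
#define NO_FORCE  (-1)

typedef enum { MEAS_ZERO, MEAS_OK, MEAS_FAULT } meas_t;

typedef struct {
    bool   e[N_DEV];     /* E_i = 1: no safety command pending at device i */
    int    forced_node;  /* node 1..N_DEV-1 tied to forced_v, or NO_FORCE */
    double forced_v;     /* volts applied at forced_node */
    bool   wire_break;   /* state No. 4, treated as interrupting the whole loop */
} loop_in_t;

typedef struct {
    double drop[N_DEV];  /* signed drop across resistor 60 of device i */
    bool   u[N_DEV];     /* U_i from evaluation unit 61 */
    bool   s[N_DEV];     /* S_i = 1: current flow adjuster 7 closed */
    bool   a[N_DEV];     /* A_i = 1: safety switching element 10 closed */
    bool   fault_msg[N_DEV];
} loop_out_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* Map a measured drop to the three cases of the second embodiment. */
static meas_t classify(double drop)
{
    if (absd(drop) <= V_TOL)             return MEAS_ZERO;
    if (absd(drop - V_NOMINAL) <= V_TOL) return MEAS_OK;
    return MEAS_FAULT;   /* too high, too low, or wrong polarity */
}

/* Devices lo..hi-1 sit between two fixed node voltages. Equal resistors share
 * the span voltage equally; one open adjuster or a wire break stops the current. */
static void span_drops(const bool *s, int lo, int hi, double v_lo, double v_hi,
                       bool broken, double *drop)
{
    bool conducting = !broken;
    for (int i = lo; i < hi; i++) conducting = conducting && s[i];
    for (int i = lo; i < hi; i++)
        drop[i] = conducting ? (v_lo - v_hi) / (hi - lo) : 0.0;
}

loop_out_t evaluate_loop(const loop_in_t *in)
{
    loop_out_t out;
    int k = in->forced_node;

    /* S_i follows E_i only, so devices that merely observe the interruption
     * keep their adjusters closed and the loop recovers on reactivation. */
    for (int i = 0; i < N_DEV; i++) out.s[i] = in->e[i];

    if (k == NO_FORCE) {
        span_drops(out.s, 0, N_DEV, V_SRC, 0.0, in->wire_break, out.drop);
    } else {
        span_drops(out.s, 0, k, V_SRC, in->forced_v, in->wire_break, out.drop);
        span_drops(out.s, k, N_DEV, in->forced_v, 0.0, in->wire_break, out.drop);
    }
    for (int i = 0; i < N_DEV; i++) {
        meas_t m = classify(out.drop[i]);
        out.u[i] = (m == MEAS_OK);
        out.fault_msg[i] = (m == MEAS_FAULT);
        out.a[i] = in->e[i] && out.u[i];   /* AND gate of control unit 9 */
    }
    return out;
}

/* Build the inputs for operating states No. 1 to 6 of the second embodiment. */
loop_out_t run_state(int state_no)
{
    loop_in_t in = { { true, true, true }, NO_FORCE, 0.0, false };
    switch (state_no) {
    case 2: in.e[1] = false; break;                         /* emergency stop at 4b */
    case 4: in.wire_break = true; break;
    case 5: in.forced_node = 2; in.forced_v = 0.0;  break;  /* 0 V between 2b and 2c */
    case 6: in.forced_node = 2; in.forced_v = 24.0; break;  /* 24 V between 2b and 2c */
    default: break;                                         /* 1 and 3: all E_i = 1 */
    }
    return evaluate_loop(&in);
}

int main(void)
{
    for (int st = 1; st <= 6; st++) {
        loop_out_t o = run_state(st);
        printf("state %d:", st);
        for (int i = 0; i < N_DEV; i++)
            printf("  2%c drop=%5.1fV U=%d S=%d A=%d fault=%d", 'a' + i,
                   o.drop[i], o.u[i], o.s[i], o.a[i], o.fault_msg[i]);
        printf("\n");
    }
    return 0;
}
```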

(48) A third embodiment of safety circuit 1 will subsequently be described in greater detail with reference to FIG. 4. This embodiment differs from the second embodiment in that each of safety switching devices 2a, 2b, 2c additionally has memories 12a, 12b, 12c which are connected to evaluation unit 61 of measuring device 6a, 6b, 6c of relevant safety switching device 2a, 2b, 2c. Two reference voltage values U_ref,1 and U_ref,2 may be retrievably stored within memories 12a, 12b, 12c for each safety switching device 2a, 2b, 2c. A first reference voltage value U_ref,1 specifies the magnitude of the voltage upstream of resistor 60 of measuring device 6a, 6b, 6c of each safety switching device 2a, 2b, 2c. A second reference voltage value U_ref,2 specifies the magnitude of the voltage downstream of resistor 60 of measuring device 6a, 6b, 6c of relevant safety switching device 2a, 2b, 2c. The two reference voltage values U_ref,1 and U_ref,2 of all safety switching devices 2a, 2b, 2c may be initialized (learned) during commissioning of safety circuit 1 and respectively retrievably stored in memories 12a, 12b, 12c of safety switching devices 2a, 2b, 2c.

(49) The operating states no. 1 through no. 4 correspond to those of the second embodiment, so that these will not be addressed again here.

(50) State No. 5: Fault Condition: 0 V Voltage or 24 V Voltage at Output Terminal 23 of Second Safety Switching Device 2b and/or at Input Terminal 22 of Third Safety Switching Device 2c

(51) If, for example, a voltage U=0 V is present at output terminal 23 of second safety switching device 2b and/or at input terminal 22 of third safety switching device 2c (operating state no. 5 of the third embodiment), or a voltage U=24 V is applied (operating state no. 6 of the third embodiment), then deviations of the actual voltages from reference voltage values U_ref,1 and U_ref,2, retrievably stored in memories 12a, 12b, 12c, occur in all safety switching devices 2a, 2b, 2c upstream and/or downstream of resistor 60 of each measuring device 6a, 6b, 6c. These deviations cause evaluation units 61 of measuring devices 6a, 6b, 6c to generate corresponding input signals U1=U2=U3=0, which are provided to fail-safe control unit 9a, 9b, 9c of relevant safety switching device 2a, 2b, 2c. Fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c generates an output signal A1=A2=A3=0. These output signals A1, A2, A3 cause safety switching elements 10a, 10b, 10c of safety switching devices 2a, 2b, 2c to be opened.

(52) A fourth embodiment of safety circuit 1 will subsequently be described in greater detail with reference to FIG. 5. This embodiment differs from the third embodiment in that the first safety switching device 2a additionally has a voltage pulse generator 14. Furthermore, each of safety switching devices 2a, 2b, 2c comprises a voltage pulse evaluator 13a, 13b, 13c, which are configured to detect and evaluate voltage pulses generated by voltage pulse generator 14, which may be, in particular, 0 V voltage pulses.

(53) Each of safety switching devices 2a, 2b, 2c again comprises memories 12a, 12b, 12c which are connected to evaluation unit 61 of measuring device 6a, 6b, 6c of relevant safety switching device 2a, 2b, 2c. Two reference voltage values U_ref,1 and U_ref,2 may be retrievably stored for each safety switching device 2a, 2b, 2c within memories 12a, 12b, 12c. A first reference voltage value U_ref,1 specifies the magnitude of the voltage upstream of resistor 60 of measuring device 6a, 6b, 6c of relevant safety switching device 2a, 2b, 2c. A second reference voltage value U_ref,2 specifies the magnitude of the voltage downstream of resistor 60 of measuring device 6a, 6b, 6c of each safety switching device 2a, 2b, 2c. Reference voltage values U_ref,1 and U_ref,2 of all safety switching devices 2a, 2b, 2c may be initialized (learned) during commissioning of safety circuit 1 and retrievably stored in memories 12a, 12b, 12c of safety switching devices 2a, 2b, 2c.

(54) If the voltage values measured upstream or downstream of resistor 60 of measuring device 6a, 6b, 6c of safety switching devices 2a, 2b, 2c deviate from the learned and stored reference voltage values U_ref,1 and U_ref,2, then a fault message is generated. These deviations cause evaluation units 61 to generate corresponding input signals U1=U2=U3=0, which are provided to fail-safe control unit 9a, 9b, 9c of relevant safety switching device 2a, 2b, 2c. Fail-safe control unit 9a, 9b, 9c of each safety switching device 2a, 2b, 2c generates an output signal A1=A2=A3=0. These output signals A1, A2, A3 cause safety switching elements 10a, 10b, 10c of safety switching devices 2a, 2b, 2c to be opened. This corresponds to operating state no. 5 of the third embodiment.

(55) The operating states no. 1 through no. 4 likewise correspond to those of the third embodiment, so that these will not be addressed again here.

(56) State No. 6: Fault Condition: 5 V Voltage at Output Terminal 23 of Second Safety Switching Device 2b and/or at Input Terminal 22 of Third Safety Switching Device 2c

(57) If a voltage U=5 V is applied at output terminal 23 of second safety switching device 2b and/or at input terminal 22 of third safety switching device 2c, then no voltage pulses, which may, in particular, be 0 V voltage pulses, are detected by voltage pulse evaluator 13c of third safety switching device 2c. Evaluation unit 61 of third safety switching device 2c generates a corresponding input signal U3=0 for fail-safe control unit 9c of third safety switching device 2c, which in turn generates an output signal A3=0, which causes an opening of safety switching element 10c of third safety switching device 2c. Furthermore, a switching signal S3=0 is generated, which opens current flow adjuster 7c of third safety switching device 2c. By this mechanism, the electric monitoring circuit is opened so that U=0 V applies for the voltage drop across resistors 60 of measuring devices 6a, 6b of first and second safety switching devices 2a, 2b. Evaluation units 61 of measuring devices 6a, 6b of first and second safety switching devices 2a, 2b generate an input signal U1=U2=0, which is provided to fail-safe control unit 9a, 9b of relevant safety switching device 2a, 2b. Fail-safe control unit 9a of first safety switching device 2a generates an output signal A1=0, which causes an opening of safety switching element 10a of first safety switching device 2a and thus a shutdown of system component group 4a connected thereto. Analogously, fail-safe control unit 9b of second safety switching device 2b generates an output signal A2=0, which causes an opening of safety switching element 10b of second safety switching device 2b and thus a shutdown of system component group 4b connected thereto. These measures again facilitate a fail-safe shutdown of system component groups 4a, 4b, 4c of the dangerous system in a fault condition.
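The shutdown logic of the third and fourth embodiments can be modelled in a few lines of C. This is an added illustration, not code from the patent: the struct and function names, the tolerance TOL_V and all voltage values are assumptions constructed for the example. It combines the learned-reference comparison with the pulse check and shows how one device opening its current flow adjuster shuts down every group.

```c
#include <stdbool.h>

#define N_DEV 3
#define TOL_V 0.5 /* assumed tolerance in volts; the page gives no figure */

typedef struct {
    double u_ref1, u_ref2; /* references learned at commissioning (memories 12a-12c) */
    bool adjuster_closed;  /* current flow adjuster 7: S=1 keeps the loop closed */
    bool element_closed;   /* safety switching element 10: A=1 keeps the group on */
} device_t;

static bool within_tol(double a, double b) {
    double d = a - b;
    return (d < 0 ? -d : d) <= TOL_V;
}

/* Evaluation unit 61: U=1 only if both voltages match and test pulses arrive. */
static bool input_signal(const device_t *d, double up, double down, bool pulses) {
    return pulses && within_tol(up, d->u_ref1) && within_tol(down, d->u_ref2);
}

/* One pass over the series chain; returns how many groups remain switched on. */
int evaluate_chain(device_t dev[], const double up[], const double down[],
                   const bool pulses[]) {
    bool loop_closed = true;
    int on = 0;
    for (int i = 0; i < N_DEV; i++) {
        if (!input_signal(&dev[i], up[i], down[i], pulses[i]))
            dev[i].element_closed = dev[i].adjuster_closed = false; /* A=0, S=0 */
        loop_closed = loop_closed && dev[i].adjuster_closed;
    }
    for (int i = 0; i < N_DEV; i++) {
        /* Open loop: 0 V across every resistor 60, so every U and A becomes 0. */
        if (!loop_closed) dev[i].element_closed = false;
        on += dev[i].element_closed ? 1 : 0;
    }
    return on;
}

/* Constructed scenario: offset_v is injected at terminal 23 of 2b / 22 of 2c. */
int run_scenario(bool pulses_reach_2c, double offset_v) {
    device_t dev[N_DEV];
    double up[N_DEV] = {24.0, 18.0, 12.0}, down[N_DEV] = {18.0, 12.0, 6.0};
    bool pulses[N_DEV] = {true, true, pulses_reach_2c};
    for (int i = 0; i < N_DEV; i++)
        dev[i] = (device_t){up[i], down[i], true, true}; /* commissioning: learn refs */
    down[1] += offset_v; /* output terminal 23 of 2b */
    up[2] += offset_v;   /* input terminal 22 of 2c */
    return evaluate_chain(dev, up, down, pulses);
}
```

The model never re-closes an element once it has opened, so any single failed check leaves the whole chain in the shut-down state.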