Safety switch with differentiated CPU
11480937 · 2022-10-25
CPC classification
H01H27/002
ELECTRICITY
H01H3/161
ELECTRICITY
Abstract
A safety switch with differentiated CPUs comprises a switching device (2) associated with a fixed part of an access to be controlled and having switching means connected to one or more circuits of the system for the opening/closing thereof, a driving device (3) associated to a movable part of the access to interact with the switching means for opening/closing of one or more circuits, control means (6) associated with the switching device (2) and adapted to receive input signals from the circuits through respective communication buses for sending an error signal and/or for stopping the system in case of no signal or detection of non-compliance, wherein the control means (6) comprise a main CPU (7) connected with the communication buses (9) associated with safety functions and at least one auxiliary CPU (8) connected solely to the communication buses (12) associated with circuits and/or devices not related to safety conditions.
Claims
1. A safety switch with differentiated central processing units (CPUs) for controlling a security access of a machine or industrial system, comprising: a switching device adapted to be associated with a fixed part of an access to be controlled and having switching means adapted to be operatively connected to one or more control and/or service circuits of the system for the opening/closing thereof; a driving device associated to a movable part of the access to interact with said switching means at the opening/closing of the access for opening/closing of one or more of said circuits; and control means associated with said switching device and adapted to receive input signals from said control and/or service circuits through respective communication buses to verify the proper operation and to control said switching means for sending an error signal and/or for stopping the system in case of no signal or detection of non-compliance, wherein said control means comprise at least a main CPU operatively connected with the communication buses associated with the safety functions of the system, wherein said control means comprise at least one auxiliary CPU operatively connected solely to the communication buses associated with service circuits and/or service devices not related to safety functions related to safety conditions of the system, wherein said control means comprise two main CPUs at least partially redundant therebetween in their respective safety functions and mutually connected for mutually controlling of their correct operation, said main CPUs being organized according to a master/slave scheme, wherein said two main CPUs are connected to the control circuits of the system by means of respective communication channels for the independent check of the safety conditions of the system and are mutually connected for mutual control of correct operation, and wherein said at least one auxiliary CPU is connected only to the main CPU with the master function.
2. The safety switch as claimed in claim 1, wherein said auxiliary CPU is connected to said main CPU with the master function to send thereto information related to the monitored service circuits and/or service devices.
3. The safety switch as claimed in claim 2, wherein said main CPU with the master function is adapted to control said switching means to operate the stop of the system following the sending of an error signal by said auxiliary CPU.
4. The safety switch as claimed in claim 1, wherein said auxiliary CPU comprises a memory portion for storing data relating to the operation of the monitored circuits and/or devices.
5. The safety switch as claimed in claim 4, wherein said auxiliary CPU is associated to an accumulator connected to charging means activated by said control means upon the switching off of the system.
6. The safety switch as claimed in claim 5, where said charging means comprise a diode adapted to charge said accumulator with a charge sufficient for said auxiliary CPU to operate a backup in said memory portion.
7. The safety switch as claimed in claim 1, wherein said driving device comprises drive means adapted to remotely interact with said switching means at the time of the opening/closing of the access (A) for the opening/closing of one or more of said circuits.
8. The safety switch as claimed in claim 7, wherein said operating device comprises a transmitter or transponder adapted to send an identification code to said switching means, these latter being connected to a receiver or antenna adapted to receive said signal and to send said identification code to said main CPU with the master function for comparison with a code stored thereinto, said main CPU with the master function being adapted to authorize the starting of the system upon recognition of said identification code.
Description
BRIEF DISCLOSURE OF THE DRAWINGS
(1) Further features and advantages of the invention will become clearer in the light of the detailed description of a preferred but not exclusive embodiment of a safety switch according to the invention, illustrated as a non-limiting example with the aid of the attached drawings wherein:
(2)
(3)
(4)
BEST MODE OF CARRYING OUT THE INVENTION
(5) With reference to the attached figures, a preferred but non-exclusive configuration of a safety switch according to the invention is shown, which will generally be designed to guard an access to a machine or industrial plant.
(6) As shown in
(7) In a known manner, the switch 1 will be designed to be applied to the protection P at an access A thereof in order to interrupt the operation of the machine or plant in an immediate or timed manner in the event of a request to open the access A.
(8) The opening of the access A may be of any type, either hinged or sliding, and may open to the right or to the left, without particular limitations.
(9) In the illustrated configuration, the switch 1 is of the electronically actuated type, that is, provided with a remote communication system between the switching part and the driving part, as described more clearly below.
(10) However, according to an alternative configuration not shown, the switch may also be mechanically or electromechanically operated with a key actuator.
(11) In its most essential form, the switch 1 comprises a switching device 2 adapted to be anchored to a fixed part F of the access A to be controlled and a driving device 3 adapted to be anchored to the movable part M of the access A.
(12) The anchoring methods of the switching device 2 and of the driving device 3 to the respective parts F, M of the access A are of known type and do not form part of the present invention, so that they will not be described in more detail below.
(13) The switching device 2 comprises a case 4 housing switching means, not visible in the figures but with a configuration known per se, adapted to be operatively connected to one or more electric and/or electronic circuits for the power supply and/or control of the main circuit and/or of the service and emergency circuits of the system.
(14) The switching means may be selected from those commonly used in the sector and may also vary according to the functionality of the switch 1, without particular limitations.
(15) The methods of connection of the switching means will be selected among those typical for this type of product and will also not be described in more detail below.
(16) The case also houses control means 6, as shown in
(17) In this way, the control means 6 may control the switching means to send an error signal and/or provide for the system shutdown in the absence of a communication signal from one of the communication channels or in case of non-conformity detection.
(18) In
(19) In particular, the main CPU 7 will be connected to the communication channels 9 that transmit information about the correct closure of access A, to the communication channels used to send information on the correct operation of the switching means and any possible means of block/unlock, as specified in more detail below, and to the control channels of the safety outputs 10, 11.
(20) In turn, the auxiliary CPU 8 is associated with the communication channels 12 adapted to transport information relating to the operation of secondary devices, such as signal lights 13 and other auxiliary devices 14, whose possible malfunction could not however jeopardize the safe operation of the plant.
(21) Appropriately, the main CPU 7 will not be connected to communication channels associated with functions that are not safety functions, so that there is no need to reprogram it, and at the same time the secondary CPU 8 will not be associated with safety functions but exclusively non-safety functions, so that in case of reprogramming it will not have to be re-certified.
(22) The auxiliary CPU 8 will in any case be connected to the main CPU 7 to send thereto information related to the monitored service circuits.
(23) In addition, the main CPU 7 may be designed to control the switching means to execute the system shutdown following the sending by the auxiliary CPU 8 of an error signal, so as to increase the overall safety level of the switch 1.
(24) For safety reasons, the control means 6 comprise two main CPUs 7, 15 which are at least partly redundant in their respective safety functions and organized according to a master/slave architecture.
(25) Generally, the auxiliary CPU 8 will be connected only to the main CPU 7 with the master function.
(26) The two main CPUs 7, 15 are connected to the control circuits of the system by means of respective communication channels 9, 10, 11 for the independent check of the safety conditions of the system.
(27) Furthermore, the two main CPUs 7, 15 are mutually connected for mutual control of correct operation.
(28) The methods of connection and dialogue between the two main CPUs 7, 15 and of the same ones with the switching means are not indicative of the scope of the present invention and therefore will not be described in detail.
(29) In an indicative manner, the two main CPUs 7, 15 may operate in a similar manner to that described in the aforementioned EP2748926.
(30) According to the configuration of the figures, preferred but not exclusive, the driving device 3 is adapted to interact with the switching means at the opening/closing of the access A for opening/closing one or more circuits of the machine or plant.
(31) In particular, the switch 1 is of the electronically actuated type, i.e. the interaction between the driving device 3 and the switching means will be controlled by an electronic signal transmitted to the switching means by the driving device 3 when the latter is at a minimum distance predetermined by the switching device 2 such that it is possible to consider access A closed and in a safe condition.
(32) For this purpose, the switching device 2 houses a receiver 16, for example an antenna of the RFID type, inserted inside the case 4 and designed to receive a remote control signal, or a presence signal, transmitted by a transmitter or transponder, not visible since it is housed in the mobile driving device 3, when the latter is at the minimum distance detectable by the switching device 2.
(33) In particular, the transponder will be provided with a tag with identification code that will be received by the receiver 16 and be recognized by the main CPU 7 in order to allow the machine or system to start up.
(34) The recognition of the code may be univocal or generic, depending on whether you want to make a switch with a high or low level of coding.
(35) The coded signal thus detected will be sent to the main master CPU 7 for comparison with a code stored thereinto and for authorizing the start of the system in case of recognition of the received identification code and its correspondence with the stored code.
(36) The slave CPU 15 will instead carry out an analysis of the clock signal coming from the receiver 16.
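The start decision described in paragraphs (17), (23), (27), (35) and (36) can be sketched in C as follows; this is an added example, not code from the patent. The patent leaves the dialogue between the CPUs unspecified, so the code length, the stored code, the clock window, the alive flags, the order of the checks and all identifiers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration: every name, size and threshold here is an assumption. */
#define CODE_LEN 4
typedef enum { START_OK, STOP_PEER_FAULT, STOP_NO_SIGNAL,
               STOP_CODE_MISMATCH, STOP_CLOCK_FAULT, STOP_AUX_ERROR } decision_t;
typedef struct {
    bool     tag_present;               /* receiver 16 detected the transponder */
    uint8_t  tag_code[CODE_LEN];        /* identification code it delivered */
    uint32_t clock_period_us;           /* receiver clock seen by slave CPU 15 */
    bool     master_alive, slave_alive; /* mutual control of CPUs 7 and 15 */
    bool     aux_error;                 /* error signal from auxiliary CPU 8 */
} inputs_t;
static const uint8_t STORED_CODE[CODE_LEN] = {0xA5, 0x3C, 0x7E, 0x01}; /* constructed */

/* Master CPU 7: constant-time compare, so timing does not leak matching bytes. */
static bool master_check(const inputs_t *in) {
    uint8_t diff = 0;
    for (size_t i = 0; i < CODE_LEN; i++) diff |= (uint8_t)(in->tag_code[i] ^ STORED_CODE[i]);
    return diff == 0;
}

/* Slave CPU 15: independent plausibility check of the receiver clock. */
static bool slave_check(const inputs_t *in) {
    return in->clock_period_us >= 7 && in->clock_period_us <= 9; /* assumed window */
}

/* Fail-safe decision: anything not positively verified results in a stop. */
decision_t decide(const inputs_t *in) {
    if (!in->master_alive || !in->slave_alive) return STOP_PEER_FAULT;
    if (!in->tag_present)  return STOP_NO_SIGNAL;
    if (!master_check(in)) return STOP_CODE_MISMATCH;
    if (!slave_check(in))  return STOP_CLOCK_FAULT;
    if (in->aux_error)     return STOP_AUX_ERROR;
    return START_OK;
}

/* Builds a constructed input set: last code byte, clock period and flags vary. */
decision_t demo(bool tag, uint8_t last, uint32_t period, bool slave_ok, bool aux_err) {
    inputs_t in = { tag, {0xA5, 0x3C, 0x7E, last}, period, true, slave_ok, aux_err };
    return decide(&in);
}

int main(void) {
    printf("%d %d\n", (int)demo(true, 0x01, 8, true, false), (int)demo(true, 0x02, 8, true, false));
    return 0;
}
```

Only the path on which every check passes returns `START_OK`; a missing signal, a failed peer or an auxiliary error each produce a stop with its own reason code.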
(37) Typically for this kind of switch, the case 4 will also house an unlocking mechanism 17 adapted to move from a blocking position of the access A to a release position to which the opening of the switching means corresponds, allowing the opening of access A only when the switching means are open.
(38) In particular, the unlocking mechanism 17 comprises an unlocking pin 18 adapted to move between the two locking and releasing positions and which is associated with an electromagnet 19 controlled by the same main CPUs 7, 15 upon receipt of the opening signal of the access A.
(39) According to a particular variant, an emergency control may also be provided, such as a mushroom pushbutton, a key selector or similar control adapted to mechanically intervene on the unlocking mechanism to promote translation of the pin towards the release position.
(40) Each main CPU 7, 15 will comprise a communication channel 20 adapted to send to the auxiliary CPU 8 a signal relating to the condition for switching the system on or off.
(41) According to a further aspect of the invention, the auxiliary CPU 8 comprises a memory portion 21 for storing data relating to the operation of the monitored circuits.
(42) Furthermore, the auxiliary CPU will also be associated with an accumulator 22 connected to charging means 23 which can be activated when the system is turned off.
(43) By way of example, the accumulator 22 may be a condenser, while the charging means 23 may comprise a diode able to charge the accumulator 22 with a charge sufficient for the auxiliary CPU 8 to perform a backup of the operating data inside the memory portion 21 upon reception of the switching off signal.
(44) From the above, it is clear that the switch according to the invention achieves the intended objects and in particular that of avoiding having to submit the CPU assigned to the safety checks to a new certification even after reprogramming related to functions not correlated with safety.
(45) The switch according to the invention is susceptible of numerous modifications and variations, all of which are within the inventive concept expressed in the appended claims. All the details may be replaced by other technically equivalent elements, and the materials may be different according to requirements, without departing from the scope of protection of the present invention.
(46) Even though the switch has been described with particular reference to the attached figures, the reference numbers used in the description and claims are used to improve the intelligibility of the invention and do not constitute any limitation to the claimed scope of protection.