The present invention relates to a safety circuit assembly for switching on or off a hazardous system in a failsafe manner, and to an evaluating device and to a signaling device for such a safety circuit assembly.
A safety circuit assembly in terms of the present invention is a circuit arrangement having at least two components which interact for safeguarding the hazardous operation of a technical system, i.e. in order to especially avoid accidents which endanger the health or the life of persons in the area of the system. One component is an evaluating device, which is sometimes termed a safety relay or a safety controller. The evaluating device is typically designed for interrupting a power supply path to one or more actuators of the system such as contactors, magnetic valves or electromotive drives in a failsafe manner in order to bring the system into a non-hazardous state. In the case of large systems, this function of the evaluating device can be restricted to parts or areas of the system or various areas of a large system may be safeguarded separately by means of a number of evaluating devices. It is of importance that the evaluating devices guarantee a safe system state even when faults occur, for instance when electronic components fail, a wire connection is damaged or another fault event occurs. Therefore, the evaluating devices are typically constructed with multi-channel redundancy and they have integrated monitoring functions in order to detect potential faults and switch the system off in time, if necessary. Suitable evaluating devices can be programmable safety controllers in which the user can determine the individual control functions rather freely, but also simpler safety relays having a range of functions largely determined by the manufacturer. The evaluating devices are typically failsafe in terms of Category 3 or higher of European Standard EN 954-1, or failsafe in terms of SIL 2 of international Standard IEC 61508 or in terms of comparable requirements.
The evaluating device monitors the operating state of what are called signaling devices or sensors. The terms “signaling devices” and “sensors” are used synonymously in the text which follows. A signaling device delivers input signals which are evaluated by the evaluating device and may be combined with other input signals from other signaling devices in order to switch the actuators of the system on or off in dependence thereon. In many cases, the signaling devices deliver quite simple binary information, for instance whether a protective mechanical door is closed or not, whether an emergency-off button is pressed or not, whether a light barrier is interrupted or not. Moreover, signaling devices/sensors may deliver analog measurement values, for instance the temperature of a boiler or the rotational speed of a drive. The evaluating device of the safety circuit assembly usually releases the operation of the system only when a non-hazardous operation can be assumed from the signals from the signaling devices/sensors. However, there are also cases in which safeguarding measures are deliberately disabled, for example in order to set up a machine operation while the protective door is open. In these cases, a special enabling switch is frequently used which must be operated by the machine operator. Such an enabling switch is also a safety-related signaling device, the operation of which, however, as a rule, leads to the switching-on and not to the switching-off of the system.
In a large system, there can be a plurality of signaling devices/sensors which deliver safety-related input signals to the evaluating device. The individual signaling devices/sensors can be spatially distant from the evaluating device, which leads to a high installation expenditure. In the case of line connections which extend outside of a switchgear cabinet closed during machine operation or outside of pinch-proof tubes, cross-connection shorts which may occur as a result of line damage must be detected by the evaluating device. Connecting lines between signaling devices/sensors and evaluating devices of a safety circuit assembly are therefore frequently multiple-redundant, which further increases the installation expenditure.
DE 10 2004 020 997 A1 describes a safety circuit assembly in which a plurality of signaling devices are connected in series to a failsafe evaluating device. The evaluating device produces two enable signals which are fed through the series of signaling devices and back to the evaluating device by means of redundant lines. If a signaling device of the series interrupts at least one of the redundant enable signals, this is detected in the evaluating device and a power supply path to the system is interrupted. Clever implementation of the signaling devices also enables diagnostic information to be transmitted to the evaluating device by means of the safety lines. The known circuit assembly therefore provides for a relatively cost-effective configuration having flexible diagnostic capabilities. However, the practical implementation requires at least four separate wire lines in order to transmit the redundant enable signals from the evaluating device to the signaling devices and back again to the evaluating device. Since the signaling devices in DE 10 2004 020 997 A1 use electronic components, which require an operating voltage, two further wires are typically needed in order to supply the operating voltage and operating ground to the signaling devices. Such an implementation is therefore still expensive, in spite of the advantages already achieved, especially when large distances have to be bridged between individual signaling devices and the evaluating device. When controlling ski lifts, for instance, distances of several kilometers between a signaling device and the evaluating device may exist and it is desirable in such cases to use existing lines; as a rule, however, there are not enough line wires available for an implementation according to DE 10 2004 020 997 A1. But also in other production and/or conveyor systems, such as at airports or in large factories, there may be large distances between the signaling devices and an evaluating device.
DE 199 11 698 A1 discloses another safety circuit assembly having an evaluating device and a plurality of signaling devices which are connected in series to the evaluating device. Each signaling device has a normally-closed contact and is coupled to a code signal generator which, for diagnostic purposes, delivers a characteristic code signal to the evaluating device when the contact has been opened. The practical implementation needs at least three lines. A cross-connection short between the line at the enable signal output of the evaluating device and the line at the enable signal input of the evaluating device cannot be easily detected, however, so that redundant signal lines are needed for a higher safety category. If necessary, further lines for operating voltage and ground are also required.
DE 100 11 211 A1 discloses a further safety circuit assembly having signaling devices and a failsafe evaluating device. The signaling devices are connected to the evaluating device either via one connecting line in a single-channel manner or via two redundant connecting lines in two-channel manner. The single-channel connection per se does not offer failsafe protection and is only proposed for a starting key which is typically arranged close to the hazardous system. In one exemplary embodiment, it is described that two different clock signals are fed back from the failsafe evaluating device as enable signals via redundant contacts of an emergency-off button. In this case, at least four lines are needed. Here, again, further lines are typically required for supplying an operating voltage and/or ground to the signaling devices.
DE 102 16 226 A1 describes a safety circuit assembly having a number of signaling devices and evaluating devices, with two evaluating devices being connected to one another in series in order to form a control system having different shutdown groups. In exemplary embodiments, the evaluating devices are coupled via a single-channel connecting line via which a potential-related switching signal having a static signal component and a dynamic signal component is transmitted. The practical implementation still requires a common ground line for the connected evaluating devices. In addition, each evaluating device needs an operating voltage so that the actual number of lines for coupling the evaluating devices is higher than might be suggested from the term “single-channel connecting line”.
From DE 103 48 884 A1, an emergency-off button having a control element is known which can be moved between a first and at least one second position. A detector element for detecting the position of the control element comprises a transponder having an individual transponder identification and a reading unit for the transponder identification. The emergency-off button has a signal input for supplying a test signal, with the aid of which the reading-out of the transponder identification can be suppressed for test purposes. In addition, connections are needed for supply voltage, ground and a signal output by which the emergency-off button can transmit the information of the detector element to a failsafe evaluating device. Thus, at least four lines are required for connecting the emergency-off button to a conventional evaluating device.
A further signaling device is known from DE 100 23 199 A1. In an idling position of the signaling device, a switching element is opened. In a particular operating position, the switching element is closed. Details for connecting the signaling device to a failsafe evaluating device are not disclosed.
Persons skilled in the art also know a field bus system, called ASI (Actuator-Sensor Interface) bus, which can be implemented by means of a special two-wire cable and which is used for networking sensors and actuators at the field level of an automated system. An ASI bus master polls the sensors connected to the ASI bus. These respond with their respective sensor state to the ASI bus master. Although this system manages with two line wires, it requires special interface chips which are capable of implementing the special bus protocol. For a safety circuit assembly of the type described above, both the evaluating device and the signaling device must have an ASI bus-compatible interface chip and the special connection to the ASI bus cable, which is too elaborate and expensive for many simple signaling devices.
From DE 43 33 358 A1, a non-safe circuit assembly is known in which both an operating voltage and a control signal are transmitted from an evaluating device to a magnetic valve, i.e. an actuator, by means of a two-wire connecting line.