The invention relates to a modular safety switching system and a safety switching method, as set forth in the preambles of claims 1 and 21, respectively.
In situations when a hazard signal is present, an associated safety switching system must react flawlessly and in a predetermined way. A typical safety engineering application is to protect a dangerous machine, such as a press or a milling machine, and shut it off immediately when operating personnel approach it in an unauthorized manner. Sensors, for example a light barrier or a light grating, are used to detect such approaches. If the sensor detects a hazard, a downstream circuit must generate a shut-off signal in an absolutely reliable way.
In practice a single sensor does not just monitor a single machine. It is typically necessary to monitor a series of hazardous sources. In that case a commensurate number of associated sensors must be configured to define a switching event and to take appropriate measures to eliminate the hazards. In the simplest case it might suffice to react to every switching event with an OR operation. In the case of a machine protected by a light grid behind a protected door which also has an emergency shut-off switch, both the opening of the door and the interruption of the light grid or the actuation of the emergency shut-off switch will trigger a safety measure. However, such a design is not adapted to deal with more complex scenarios.
DE 100 200 75 C2 discloses one conventional possibility for configuring a safety switching device. This device provides a series of input and output modules. Each input module receives data from a sensor, and each output module can actuate an actuator, which switches off the hazardous source. The correct association of sensors to an actuator is based on the positions of the modules arranged in a series and unequivocally determines the associated output module. Thus, these positions define the switching rules. With a selection of modules, it can be determined which sensors are connected to an actuator according to the switching rules. This procedure eliminates the need for programming, but is not adapted to solve complex safety control problems. Therefore, this approach is limited to a narrow range of applications for simple machines.
In a further development of the conventional configuration, the modules are connected to a control module, which includes an association table. All of the modules are connected to one another by a bus. The logic operations that decide whether or not an actuator is to be switched are then performed in the control module. The drawback of this approach is the running time needed for the data communications. As the complexity increases, more and more computing time is needed just for communicating via the restricted data bus.
Such systems have limited utility for time-critical applications. In addition, they have to be configured with a high degree of technical complexity and require costly, powerful microcontrollers. Even if the problem of the response time for a specific application can be solved, the solution involves additional expense, or it might be impossible to add an output module to the series of modules.
It is also known in modular safety control systems to communicate the status information of the inputs, the outputs and the logic results to the outside. For this, gateways can be used to couple the series of modules to the external electronics with a field bus or another bus. The status information serves to monitor the functionality of the sensors or to make the sensor data available to the downstream electronics for further evaluations. Here, too, there is the problem that the gateways access the process mapping information of a control module, which fails when the capacity of the control module no longer suffices.