Many safety applications require a very short reaction time for processing an EMERGENCY-OFF demand. Although modern safety appliances generally use microcontrollers, so that internal functions can be processed very quickly, filter algorithms have to be applied to the inputs in order to achieve maximum availability in the presence of burst and RF interference. Further boundary effects, such as compensation for cable capacitance and dynamic input testing, ultimately lead to relatively long evaluation times.
A drive apparatus which has two series-connected switches in order to satisfy the hardware redundancy requirement, with each switch electrically connected to its own microcontroller via a relay drive, is known from the report “Not-Aus-Schaltgeräte, Schutztürwächter [Emergency-off switching devices, guard door monitors] Announcement Pilz NSG-D-1-051-07/00, XX, XX, July 2000 (2000-07), pages 1 to 4, XP 000961973”. One input of each microcontroller is electrically connected to an emergency-off switch, and the two microcontrollers operate alongside one another with equal authority. Each switch can be controlled via its associated microcontroller. The switches are controlled as a function of the need to switch off a safety-critical component.
Furthermore, a safety device in which a sensor apparatus is electrically connected to two evaluation units is known from German Laid-Open Specification DE 44 09 541 A1. One output of each evaluation unit is electrically connected to a switch in the form of an auxiliary contactor. A timer is arranged in the signal path between one evaluation unit and one auxiliary contactor; this timer allows a downstream main circuit to be switched off via the auxiliary contactor with a delay.
A further problem is that, in safety appliances of Category SIL3 according to the European standard IEC 61508, two controllers must always be used for reasons of hardware redundancy and fault tolerance.
The applicant has solved this problem for safety appliances by using two controllers with identical hardware and identical firmware. A “master/slave principle” is used in order to make it possible to identify systematic faults: one of the controllers is in each case the master for a short time while the other is the slave, and the two controllers interchange this status after a defined time. One of the controllers is normally used to drive specific switches, for example in the load circuit of an electrical machine, while the other controller monitors the switching states of these switches and itself drives other switches of other components.
The controller which is in master mode reads all of the inputs and defines the output states of the switches to which it is connected or which are allocated to it. Important states, such as demands, are matched with the slave, and internal tests are carried out.
An EMERGENCY-OFF demand is first registered by the controller in master mode. One disadvantage of this arrangement is that the outputs driven by the controller in slave mode cannot be switched off until the EMERGENCY-OFF demand has been transmitted from the master to the slave, whereas the outputs driven directly by the master can be switched off relatively quickly. The reaction time for switching off the driven components therefore depends on which controller receives the demand first, and on whether the desired output can be switched off by that controller at all.
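The reaction-time dependency described above can be made concrete with a small timing model of the two-controller master/slave arrangement. This is an added illustration, not code from the patent or the applicant; the controller names, the output names K1/K2, the swap period and all millisecond constants are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed timing constants (illustrative only, not values from the text).
FILTER_DELAY_MS = 8       # input filtering against burst/RF interference
SWITCH_OFF_MS = 4         # relay drive time once a controller decides to trip
MASTER_TO_SLAVE_MS = 18   # time to transmit the demand from master to slave

@dataclass(frozen=True)
class Controller:
    name: str
    outputs: frozenset     # switches this controller drives directly

@dataclass
class SafetyDevice:
    a: Controller
    b: Controller
    swap_period_ms: int = 100   # master/slave status interchanges after this time

    def master_at(self, t_ms: int) -> Controller:
        """Controller holding master status at time t (roles alternate)."""
        slot = (t_ms // self.swap_period_ms) % 2
        return self.a if slot == 0 else self.b

    def reaction_times(self, demand_ms: int) -> dict:
        """Milliseconds after the demand at which each output is switched off."""
        master = self.master_at(demand_ms)
        slave = self.b if master is self.a else self.a
        registered = FILTER_DELAY_MS   # the master registers the demand after filtering
        times = {}
        for out in master.outputs:     # master-driven outputs: switched off directly
            times[out] = registered + SWITCH_OFF_MS
        for out in slave.outputs:      # slave-driven outputs: wait for the master-to-slave transfer
            times[out] = registered + MASTER_TO_SLAVE_MS + SWITCH_OFF_MS
        return times

    def worst_case_ms(self, demand_ms: int) -> int:
        """Reaction time of the slowest output for a demand at this instant."""
        return max(self.reaction_times(demand_ms).values())

if __name__ == "__main__":
    dev = SafetyDevice(Controller("A", frozenset({"K1"})), Controller("B", frozenset({"K2"})))
    for t in (0, 150):   # same demand, different controller in master mode
        print(f"demand at t={t} ms, master={dev.master_at(t).name}: {dev.reaction_times(t)}")
```

Running the model shows the same output tripping quickly or slowly depending only on which controller happens to be master when the demand arrives, so the worst case is always bounded by the slave path.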
Until now, it has not been possible to achieve demand times of less than 45 milliseconds with the circuit design described. Correspondingly faster hardware would allow the demand time to be reduced to 35 milliseconds. However, this is not sufficient for critical demands such as press controls.