The present invention relates to an emergency-stop circuit, which is an integral part of the typical industrial machine. More particularly, this invention relates to a centralized switching system and method for an emergency stop circuit.
In industrial equipment, the traditional emergency-stop circuit consists of a "self-latching" relay that contains a number of closed (kill) switches which are connected in series, and when any one of the switches is opened, the relay is de-energized. Power is restored when all kill switches are closed, and a "motors-on" momentary switch (e.g., push-button switch) manually closes the contacts of the relay. The relay contacts are the last link in the serial chain of switches that energizes the coil of the relay. It is self-latching in the sense that when the motors-on switch is released, the contacts are in the coil energizing circuit that keep them closed in the first place. The coil energizing circuit is referred to herein as the emergency-stop circuit.
A robust, traditional circuit may have many kill switches in the emergency-stop circuit. These switches are typically distributed all over the machine. For example, lever-type switches are installed on door panels, so that power is killed (i.e., shut off) when one of the doors opens. This is referred to as the normally open configuration (NO), which means that the switch must be tripped to conduct. This kind of kill switch is the first to be defeated in practice. It is often taped or strapped closed so that a door may remain open during operation of the machine. (A common purpose for the defeat is debugging by a maintenance technician.) When there are several doors defeated in this manner located throughout a large machine, the probability is higher than desirable for a maintenance technician to inadvertently leave a switch defeated and return the machine to what will be unsafe use. Also, the cycle of taping/strapping and removal thereof causes wear and tear on the lever-type switch for which it was not designed.
Other types of kill switches used in the industry include over-travel switches. These switches normally operate in the closed configuration (NC), which means that tripping of the switch opens the circuit. These switches include lever-type, magnetic, infrared, or the like. To defeat over-travel switches, the switches are temporarily removed, terminals jumpered, mounting screws loosened, and brackets are slid out of the way. This also creates opportunity for mistakenly leaving kill switches defeated (or misaligned) throughout the machine when it is returned to service.
Another example of a kill switch is an air pressure switch sensing an air line that delivers required air to an air bearing spindle. In a demonstrating test, or debug mode, the machine may be run without the spindle running (no air supplied or air temporarily unavailable). This requires the jumpering of the kill switch during such time. Afterwards, forgetting to re-enable the switch allows running of the spindle without air, which leads to hardware damage.
Evidently, safe use of the traditional emergency-stop circuit requires experience and diligence on the part of the maintenance technician who attempts to temporarily bypass sections of the circuit in order to test or debug the system. Oversight due to distribution of the switches over numerous parts of the machine/device can cause him to forget to re-enable a kill switch before returning equipment back to duty.
Additionally, in order to test and debug, the technician must also disable certain devices whose power is controlled by the emergency-stop circuit. There is no straightforward, universal way to do this other than disconnecting the power to the device. This may be easy in some cases or not possible, very cumbersome, or unsafe in others.
A final consideration for these testing and debugging methods is the time required for a technician to trace through a machine in order to determine where to disable a kill switch or where to disconnect power to a device. Additionally, managerial time may be spent generating documentation in order to aid the technician's task. This becomes apparent when one considers a factory floor that possesses a vast array of one-of-a-kind machines, all of which utilize some variant of the traditional emergency-stop circuit. Here, hypothetically, each circuit possesses essentially the same topology but utilizes different components that are located in different places and connected by a slightly different wiring scheme.
In spite of this, implementation of traditional emergency-stop circuits that are intrinsically "safe" is certainly feasible and has been done for many years. There are reasons for the apparent success. It is a simple circuit, even though it is distributed throughout the machine. It is well established. There are few components. But these are also the reasons why the circuit has not matured.
Typically, experienced engineers are reluctant to add new parts and kill switches to the circuit in an effort to "keep it simple." In developing prototypes or one-of-a-kind machines, important kill switches such as a watchdog circuit and a computer ready are often omitted. Also, some kill switches having solid state outputs (e.g. NPN) do not fit into the serially connected topology. Each requires an extra part, such as an intermediate electro-mechanical relay, whose contacts are in the kill switch chain, and whose coil is controlled by the solid state output. Because of this, sensors employing solid state outputs are avoided, and their less reliable mechanical counterparts are used instead.
Essentially, there is a mindset among skilled engineers concerning the altering of the traditional circuit's topology. Typically, the skilled engineer begins a new project assuming that he will use the traditional circuit. Valuable time is spent on other areas and is not devoted to re-engineering the architecture for the traditional circuit or evaluating its expanded role in the project. In fact, it is not obvious to the skilled engineer to change the traditional circuit in any way in order to add functionality that can be safely incorporated within it. Such functionality, if implemented, is therefore left to be distributed throughout the remainder of the system, intermingled with unsafe subsystems such as the computer.
When implemented, for example, secondary outputs, such as amplifier "enable" or "inhibit" signals, are not usually incorporated into an emergency-stop circuit. If driven at all, a software program running on a computer having optically isolated digital outputs usually drives them. Furthermore, other feedback signals, such as "status" or "fault" signals, are not used in emergency-stop circuits as kill inputs. This is generally because each signal is in a non-conducting state when the circuit is killed, which prevents the traditional circuit from restarting. If used at all, these feedback signals are likewise connected to the computer for the purposes of monitoring.
Designing in this way fosters subtle system-wide shortcomings, which can permit potentially unsafe or undesirable operation. Resulting failures or odd performance is not attributed to the emergency-stop circuit, since its simple circuitry and lack of substantial functionality are not directly responsible. Consequently, effort is typically not expended to evaluate its functionality.
One of the shortcomings becomes apparent when the traditional system enters into a power-loss period, which generally begins when the emergency-stop circuit is killed and ends when all residual power has been dissipated. During this brief period (e.g., 2 sec.), uncontrolled motion of motors can occur for some designs, because the motors are not being controlled, yet they are still technically powered by residual power in the system. In order to suppress this, designers have used the computer-controlled secondary outputs (enable, inhibit) in conjunction with the emergency-stop circuit to simultaneously cut power and disable the connected devices. This works in most cases, but is tedious to design, not flexible, and application specific. One case when this design fails is when the building power fails, which causes the computer to also cease functioning. Here the inhibit signal may not get to the device, which again creates an environment for briefly uncontrolled motion.
Most of the examples found in existing technology are concerned with passive monitoring of the emergency-stop circuit. This approach is useful in determining which kill input was responsible for stopping the circuit, but it does not provide any configuration options for startup or power-loss periods. The following patents, each of which is incorporated herein by reference, demonstrate this approach: U.S. Pat. No. 4,263,647 to Merrell, et al., entitled "Fault Monitor for Numerical Control System"; U.S. Pat. No. 5,451,879 to Moore, entitled "Electromechanical Relay Monitoring System with Status Clocking"; U.S. Pat. No. 4,616,216 to Meirow, et al., entitled "Emergency Stop Monitor"; and U.S. Pat. No. 5,263,570 to Stonemark, entitled "Conveyor Belt Emergency Stop Indicator Light System." Configuration options do exist in the above noted patents but only in the form of providing cascaded inputs and outputs so that multiple groups of sensors may be monitored. Other patents of interest include the following: U.S. Pat. No. 4,912,384 to Kinoshita, et al., entitled "Emergency Stop Control Circuit" discloses the traditional active portion of the emergency-stop circuit; U.S. Pat. No. 5,319,306 to Schuyler entitled "Portable Electrical Line Tester Using Audible Tones to Indicate Voltage" discloses circuits that provide audio status in the form of line testers, where the leads are brought into contact after the line is energized to check it.
Traditional approaches to supplying power to motors during a power-loss period (period beginning with the loss of AC motor power and ending with either the total loss of all stored DC motor power or the loss of regulation of any associated logic power supply, whichever comes first) have focused on coarse (non-servo) control or decelerating motors to full stop. However, no approach exists that relates to fields employing emergency-stop circuitry.
Other patents in this general field are also noted. For example, U.S. Pat. No. 5,278,454 to Strauss, et al. discloses an invention related to the heating, ventilation, and air conditioning field. It describes a motion control system that senses a loss of incoming power and utilizes a dedicated pre-charged circuit to act as a short duration power supply to effect gross motion of a motor to close a damper. U.S. Pat. No. 5,426,355 to Zweighaft, et al., entitled "Power-Off Motor Deceleration Control System" discloses an invention related to the tape drive industry in which a motion control system whose amplifier stores a dedicated internal PWM signal responsible for supplying open-loop deceleration commands for a given configuration of the tape drive system that is experiencing a power-loss period. U.S. Pat. No. 4,481,449 to Roda entitled "Power Fail Servo System" discloses an invention that also relates to the tape drive field which describes the use of several "power fail" signals that work in harmony to decelerate the motor towards full stop and uses the technique of dynamic braking to harness excess power in the storage capacitor. A signal exists in this example which monitors the logic power supply and appropriately disables (free wheels) the motor once the supply is out of regulation.
Recently, new requirements for emergency-stop circuits have emerged. For some applications, circuits are required either to be "control reliable" or to at least possess self-monitoring functions (ANSI/RIA R15.06-1999). To ensure safety, a certain sensor for a given application may require periodic testing online. The only way to do this is to test the entire sensor channel, from the sensor all the way back to its connection in the emergency stop circuit. The test should include controlled, deliberate tripping of the sensor (e.g. a flap mechanically covers an infrared intrusion sensor) so that a valid test is characterized by cycling of the corresponding kill input back at the emergency-stop circuit. The challenge is to do this but still keep the emergency-stop circuit energized, so that useful work can continue. The emergency-stop circuit has to be smart enough to temporarily ignore the kill input while it is being tested.
The present invention solves the problems in the art by providing a centralized programmable emergency-stop circuit that controls the flow of the power necessary for a machine to move its working elements. The invention possesses various levels of programmability that facilitate use of the same circuit across a wide variety of industrial applications and designs, as well as across a wide variety of operational scenarios for the same machine.
The circuit of the present invention includes various types of custom programmable kill inputs. These inputs are signals that, subject to their programming, can kill an energized emergency-stop circuit or prevent a killed circuit from energizing (startup). A given kill input can also be programmed to be ignored totally, to kill when inactive, or to also prevent startup when inactive. A given kill input can be programmed so that it only affects the energized circuit and does not restrict startup, and consequently, it may be inactive at startup. Such a programmed kill input is referred to herein as a "falling-type," because once it does go active, it is the active-to-inactive or falling transition that kills the circuit. Additional programming for the kill inputs exists such as digital filter parameters, clock selection, and the like, as well as time-out options for the falling-type kill inputs, which require them to go active within some period after startup.
The present invention also provides programming options to specify conditions for a motors-on signal to energize the circuit and for the control of secondary outputs. While the primary output of the circuit controls the flow of bulk power to working elements, it is the secondary outputs that connect in parallel to the working elements in order to inhibit or enable them. The method of programming secondary outputs determines their behavior, i.e., whether they are disabled entirely for the session, enabled only when the circuit is energized, or enabled based on one of the kill input signals. This latter setting permits a computer to keep a device enabled during a power-loss period, so that a reactionary movement can be effected which drains residual power left in the dying system.
The present invention provides further programmability and functionality by incorporating an option to designate a chosen input signal as a "test input". A computer uses a "test input" to notify the emergency-stop circuit that it is "testing" a second input currently being used as a kill input. Proper operation will see the associated kill input cycle (active-to-inactive-to-active) within a programmable interval that begins when the test input activates. During this period, the emergency-stop circuit does not use the associated kill input in the kill or startup equations (temporarily ignores it). After the interval expires or after the kill input correctly cycles, the emergency-stop circuit returns to using the kill input in these equations.
A fault occurs in the case when the kill input fails to cycle within the prescribed interval, which signifies the sensor channel being tested is stuck active or faulty. In this case, specifically, the emergency-stop circuit kills power if the circuit is energized and prevents startup if the kill input being tested is not a falling-type. The type of kill input being tested affects the behavior of the emergency-stop circuit in a straightforward way. For example, a kill input that is a falling-type is not used in startup equations. Therefore, its testing has no effect when the circuit is not yet energized. In general, testing only has an effect in the case whenever the emergency-stop circuit actually requires the associated kill input to be active, or as it is said here, when the circuit is "sensitive" to the actual state of the kill input.
Optionally, the test input itself can be used as a watchdog-type kill input, which requires the test input itself to become active every so often thereby requiring testing of the associated kill input at a programmable frequency. Then, in this most encompassing case, the emergency-stop circuit will prevent power flow (kill or prevent startup) when the sensor channel being tested is faulty or it is not tested often enough.
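The kill-input programming and channel-test behavior described above can be followed in a small discrete-time model; this is an added illustration, not part of the patent text, and the invention itself is solid-state circuitry rather than software. The names `Mode`, `KillInput`, `EStop`, `begin_test` and `step` are hypothetical, time is counted in abstract ticks, a test fault is assumed to latch, and the "kill when inactive" only mode, the DYING start-up delay and the watchdog use of the test input are left out.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    IGNORE = 0   # input is ignored totally
    LEVEL = 1    # kills when inactive and also prevents startup when inactive
    FALLING = 2  # may be inactive at startup; the active-to-inactive edge kills

@dataclass
class KillInput:
    mode: Mode
    timeout: int = 0     # FALLING only: ticks allowed to go active (0 = no limit)
    armed: bool = False  # FALLING only: has been seen active since startup

class EStop:
    def __init__(self, inputs):
        self.inputs, self.tests, self.faults = inputs, {}, set()
        self.energized, self.age = False, 0

    def begin_test(self, name, interval):
        """Test input went active: ignore `name` for up to `interval` ticks."""
        self.tests[name] = {"left": interval, "dropped": False}

    def _ignored(self, name, active):
        t = self.tests.get(name)
        if t is None:
            return False
        if not t["dropped"]:
            t["dropped"] = not active
        elif active:                   # active-inactive-active seen: test passed
            del self.tests[name]
            return False
        t["left"] -= 1
        if t["left"] <= 0:             # never cycled: channel stuck or faulty
            del self.tests[name]
            self.faults.add(name)      # latched fault (assumption of this model)
            return False
        return True

    def step(self, levels, motors_on=False):
        """Advance one tick; `levels` maps input name -> True when active."""
        kill = block = False
        for name, ki in self.inputs.items():
            active = levels[name]
            if ki.mode is Mode.IGNORE or self._ignored(name, active):
                continue               # left out of the kill and startup equations
            if ki.mode is Mode.LEVEL:
                if not active:
                    kill = block = True
            elif self.energized:       # FALLING inputs never restrict startup
                if active:
                    ki.armed = True
                elif ki.armed or (ki.timeout and self.age >= ki.timeout):
                    kill = True        # falling edge, or never went active in time
        for name in self.faults:       # failed test: kill; block unless falling-type
            kill = True
            block = block or self.inputs[name].mode is not Mode.FALLING
        if self.energized:
            self.energized, self.age = not kill, self.age + 1
        elif motors_on and not block:
            self.energized, self.age = True, 0
            for ki in self.inputs.values():
                ki.armed = False
        return self.energized
```

Calling `begin_test("door", 3)` on an energized circuit and then feeding `step` a door level that drops and returns keeps the circuit energized, while a door level that never drops within the interval kills it and blocks restart.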
Accordingly, it is the object of the present invention to provide a programmable emergency-stop circuit that allows various options for the manner in which kill inputs affect the system and further provides options for the manner in which outputs are activated and deactivated. Included in this is the manner in which test inputs are used and associated with their respective kill inputs. Furthermore, it is an object of the invention to provide programmability to specify the manner and timing for dynamically adding a given input source to the active set of kill inputs. Included in this is the manner in which a given input source is dynamically added to the active set of test inputs and associated with a particular kill input. Finally, it is an object of the invention to employ solid-state circuitry that generally avoids software or a microprocessor, so that new functionality coupled with programmability may be safely incorporated within the emergency-stop circuit.
One important feature of the invention is its state machine, which provides a framework from which the invention operates. Defined by a set of internal signals that includes start and kill-type signals, the state machine specifies when the circuit may be energized, when it is killed, and when startup is inhibited. The internal signals are generated as a programmable function of time and input source states. Other features include audio status for startup and kill, requirements for startup that ensures desired energizing, requirements for a computer ready signal that ensures synchronization with software running on a computer, provisions for a dedicated error-code that identifies power glitches, and the safe oversight of a power-loss period during which a servo-controlled reflex action may be implemented.
The primary advantage for using the invention is that a centralized single circuit can be programmed and employed in a wide variety of machine designs. For a given machine design, for example, the circuit can be reprogrammed and thereby adapted to a different set of operational scenarios. When designing a machine or a plurality of machine/devices, the designer is able to associate any given input source with a desired kill input type that specifies how the input source affects the system. Furthermore, once operational in the field, for example, the machine will require maintenance, and to assist this, the circuit can be definitively reprogrammed from a central location so that certain inputs are temporarily but safely ignored and certain outputs are forced disabled during the maintenance operation. Finally, programmable testing ensures that a sensor channel will not exhibit latent failure, and the designer may also utilize redundancy (a second, independent sensory channel) as necessary for some critical safety function so that the act of testing a sensor channel itself does not expose an unsafe condition. The redundant channel ensures coverage while testing, so that no single fault can cause an unsafe condition.
Other advantages of the invention are related to timing, filtering, and synchronization. One such advantage is the accuracy, and hence repeatability, that can be applied to timing the motors-on button's active period as well as to the timing of the start-up delay that prevents the immediate re-start during the DYING state of a freshly killed circuit. The use of timing and other related digital filters significantly reduces the susceptibility of the circuit to background noise. It is also an advantage from a system performance standpoint that the emergency-stop circuit causes the computer program and, thereby, the entire system to be in synchronization via several novel methods.
The invention will now be described, by way of example and not by way of limitation, with reference to the accompanying sheets of drawings and other objects, features and advantages of the invention will be apparent from this detailed disclosure and from the appended claims. All patents, patent applications, provisional applications, and publications referred to or cited herein, or from which a claim for benefit of priority has been made, are incorporated by reference in their entirety to the extent they are not inconsistent with the explicit teachings of this specification.