A known creep and rotation monitoring system in protective arrangements with normal or enhanced safety of this type (DE-OS 38 37 218) defines three different functional modes in the safety monitoring system, so as to correspond to the various safety aspects of a target system. These three functional modes are defined so that:
A stationary monitoring system is implemented as a special mode with no motion, with the operating state of the target system corresponding to an open hazard zone (safety hood or safety screen open);
Further, a stationary monitoring system can be realized as a special mode with motion, again with an open hazard zone and with manual request for permission for limited creep of the target system; and lastly
A rotation monitoring system is implemented as the normal mode with the hazard zone closed, with limited rotation of the target system permitted within predefined limits.
In this context, monitoring of the operating states and rotary motions is subject to an absolute functional safety system corresponding in each case to double monitoring in a device, with the result that if faults occur, drive energy is always cut off.
It is possible in this context to sense the rotation of a shaft by means of two different encoder systems, with both of the signals obtained by means of corresponding rotation sensors being delivered to corresponding inputs of the monitoring circuit in the form of square-wave pulses, so that the rotation signals can be processed by two measurement systems operating independently of each other, and can be redundantly analyzed in terms of their limit values.
It is also possible, by suitably timing the measurement systems by means of the prepared rotation signal, to realize reliable monitoring of the operability of the measurement systems and the encoders themselves. If one of the encoders fails and if a measurement system is faulty, the device responds to the malfunction status that it has detected by immediately shutting off drive energy.
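The two-channel evaluation described above, as an added C example that is not taken from the cited arrangement or from the original text. The mode names, the pulse limits per measurement window and the agreement tolerance between the two encoders are assumed values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration; mode names, limits and tolerance are assumptions. */
typedef enum { MODE_STANDSTILL, MODE_CREEP, MODE_ROTATION } op_mode_t;

typedef struct {
    op_mode_t mode;        /* follows the hazard-zone state (open/closed) */
    bool creep_permitted;  /* manual permission request is active */
    uint32_t pulses_a;     /* encoder A pulses in one measurement window */
    uint32_t pulses_b;     /* encoder B pulses in the same window */
} sample_t;

/* Per-window pulse limit for each functional mode (constructed numbers). */
static uint32_t limit_for(op_mode_t mode, bool creep_permitted)
{
    switch (mode) {
    case MODE_STANDSTILL: return 0;
    case MODE_CREEP:      return creep_permitted ? 20 : 0;
    case MODE_ROTATION:   return 500;
    }
    return 0; /* unknown mode: fall back to the most restrictive limit */
}

/* One measurement channel: it sees only its own encoder signal. */
static bool channel_ok(uint32_t pulses, uint32_t limit)
{
    return pulses <= limit;
}

/* Plausibility check: both encoders sense the same shaft, so their
 * counts must match within a small tolerance. A dead encoder shows up
 * here even when its own count is below the limit. */
static bool encoders_agree(uint32_t a, uint32_t b, uint32_t tolerance)
{
    uint32_t diff = a > b ? a - b : b - a;
    return diff <= tolerance;
}

/* Drive energy stays on only if both channels pass and agree;
 * any single fault results in shutoff. */
bool drive_enabled(const sample_t *s)
{
    uint32_t limit = limit_for(s->mode, s->creep_permitted);
    bool a_ok = channel_ok(s->pulses_a, limit);
    bool b_ok = channel_ok(s->pulses_b, limit);
    return a_ok && b_ok && encoders_agree(s->pulses_a, s->pulses_b, 2);
}
```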
Further safety aspects of the known arrangements consist in the fact that in the event of a malfunction, drive energy is shut off by means of two safety output relays that operate independently, with the additional possibility of determining the operability of the safety output relays without shutting off drive energy, in connection with various test modes that are implemented by the measurement or monitoring systems. For example, it is possible to initiate deactivation of the driver stage for the safety output relays, whose consequently dead status is reported to a downstream electronic control system. If the same signals are present in both circuits, such a test mode will then be automatically and mutually acknowledged; deactivation of the safety output relay systems can then occur without shutting off drive energy, since special capacitor storage circuits are provided, which are activated within the release time.
It is a generally known practice to associate protective circuits with operating machinery of various types, especially automatic machinery, and in any event to design the machinery's control system so that the operating motion of the machine is halted as quickly as possible if a situation hazardous to the operator is present. This also includes machinery that cannot even be started, i.e. put into operation, unless a safety hood is closed or the operator actuates certain controls with both hands. Unlike these known protective arrangements, complex process-controlled production machines, for example CNC (computerized numerical control) systems and industrial robots, present particularly stringent industrial safety requirements, for example when operators are in the hazard area of the machine in a special operating mode.
For example, a hardware-based safety shutoff system for machinery is known, which operates in connection with the system controller and guarantees a safe condition in certain operating modes. Disadvantages can occur here as well, however, such as unnecessary charging time for power components, positioning losses due to data errors, and the like, so that further attempts at a solution are required here.
The invention is therefore based, proceeding from the creep and rotation monitoring arrangement of the aforesaid type, on the object of configuring a safety monitoring arrangement capable of meeting all safety requirements in such a way that even complex machines, especially known semi-automatic or automatic machines, in which more than one drive group requiring monitoring is always present, can be incorporated into a simply designed total monitoring system that can be expanded depending on requirements and drive systems.