This invention is concerned with a high-security electric supply circuit for tool machines control systems of machines such as tool machines and the like.
In several fields of industrial activity, machines or equipment are used where dangerous conditions can arise whenever a breakdown or malfunction develops in their control systems or circuits. Examples of such situations are, e.g.: photoelectronic barriers (light curtains) protecting presses and the like; turbine or nuclear plant control systems, metering systems for chemical plants, etc. In all such cases, sophisticated control circuits are put to duty, which incorporate techniques such as self-diagnosis and circuit redundance, particularly circuit duplication, with the intent of preventing a breakdown in the control system from causing catastrophical consequences.
Often the signals monitoring the conditions of the apparatus under control are processed in a control circuit comprising two substantially similar channels, which mostly comprise respective microprocessors jointly controlling several peripheral devices, such as relays, valves, pilot lights, etc. Such channels are designed so that they each independently provide respective monitoring signals, which must be identical at all times, so that any deviation from identity points to an internal malfunction making the control circuit unreliable for further driving the machine. Therefore, when the malfunction has once been established, the control circuit must be itself disabled and the machine must be stopped.
In order to achieve the disabling of the control circuit, it is known to provide the supply circuit itself with a device, known as "watchdog", which will receive the above monitoring signals and will continuously compare them with each other, and will turn off the supply circuit whenever the monitoring signals are unequal, so that the control system is disabled with certainty. As a watchdog device it has been proposed to use a monostable multivibrator which must be continuously retriggered in order to maintain the supply alive. Thus, a failure of the monostable circuit to retrigger immediately cuts the supply to the control voltage, with consequent drop of any relays and actuators controlled thereby.
However, such a system is not safe from trouble which might arise in the watchdog itself, say from a a short making the watchdog deliver a constantly high output.
A main object of the invention is therefore to provide an electric supply circuit which is controlled by two or more input signals, and which has a feature of inherent security, i.e. which will guarantee that the supply is turned off not only in case of unequality of its two input signals, but also in case of any internal breakdown of its own.