The present invention relates to a safety switching apparatus for switching-on or switching-off a technical installation and, in particular, to a new approach for processing a clocked input signal fed to such a safety switching apparatus.
An exemplary safety switching apparatus in terms of the present invention is the applicant's safety switching device marketed under the brand name PNOZ® X2, which is described in an operating manual numbered 19 238-01.
More generally, safety switching apparatuses in terms of the present invention are typically used for failsafely switching-off hazardous machines or installations if necessary for the protection of humans. The safety switching apparatuses usually monitor notification signals from emergency stop buttons, safety door switches, light barriers, light grids and other safety-related notification devices. They are able to interrupt, in response to said notification signals, a current supply path to the monitored machine or installation. As can easily be seen, it is very important that the safety function is always guaranteed and that faults in the region of the safety switching apparatus are either overcome and/or detected early. Therefore, safety switching apparatuses are usually designed to be redundant and/or have self-test functions. At least in the case of high demands on safety, the notification signals to the safety switching apparatus are likewise implemented redundantly.
The failsafety which can be achieved by redundancy is lost, however, if a short-circuit occurs in the connection lines between the notification device and the safety switching apparatus. One possibility for preventing a short-circuit is laying the individual connection lines separately. However, this would lead to a confusing and complex cabling between the individual notification devices and the safety switching apparatus and can often not be technically realized, either. Consequently, the redundant connection lines are generally routed through different wires of a multi-core cable. However, this requires the safety switching apparatus to have a separate measure for short-circuit detection.
Essentially two methods for short-circuit detection are known from the prior art. The first method operates with static potentials on the connection lines, which trip a fuse in the event of the two lines being short-circuited. Methods of this kind are known, for example, from DE 44 23 704 C1 or from DE 197 58 332 B4. What is disadvantageous in the case of these methods is that they are substantially dependent on a temperature-dependent fuse, the trip point of which cannot be precisely determined owing to the temperature dependence. This was one of the reasons for which another method using dynamic signals on the connection lines was developed.
In the case of the dynamic methods, differently clocked signals are used on the connection lines to the notification device. As a result, the signals on the separated notification lines differ from one another and a short-circuit can be detected. By way of example, reference is made to DE 100 33 073 A1, DE 197 02 009 C2 and DE 198 05 722 A1. What is disadvantageous in the case of dynamic methods, however, is that the notification signals must first be checked regarding the occurrence of a short-circuit. In other words, in a first step a signal evaluation must occur, wherein the received input signal is usually compared with an expected value. Only after this evaluation can a signal for the outputs be generated by the safety apparatus, said signal leading to switching-off the technical installation, if appropriate.
The afore-mentioned signal evaluation is becoming more and more complicated due to the ongoing reduction of the input currents, by means of which the power loss at the inputs is intended to be reduced. Owing to the reduction of the input currents, power consumption of the control systems is indeed advantageously minimized; however, the lower input currents result in an input being more susceptible to disturbances, as a result of which, in particular, problems may arise in the evaluation of the afore-mentioned dynamic signals. These can be counteracted using additional filters but at a cost to the reaction time of the apparatus.
Disturbances at the inputs occur, in particular, if a notification device, for example a contact switch, is not activated for extended periods and is therefore connected via an “open” line to the safety switching apparatus. In this connection, “open” means that the line is only connected on one side to a defined potential. Open lines are particularly susceptible to disturbance since a signal can be transmitted on the open line, by way of example by a capacitive coupling to a parallel line or by induction in an electromagnetic field. Said disturbance signals increase the error rate when reading the inputs.