The invention relates to a monitoring and control device for monitoring a technical system comprising at least one portable and/or mobile and/or immobile device, particularly a handling device that is arranged in a protective device, comprising at least one preferably central and/or decentralized control unit as well as actuators connected to it to carry out dangerous actions.
Furthermore, the invention concerns a method for the safety-related monitoring of at least one axis of a drive unit, which in particular is meant to monitor a technical system with at least one portable and/or mobile and/or immobile device with enhanced safety requirements, particularly a handling device that is arranged in a protective device, comprising at least one preferably central and/or decentralized control unit as well as actuators connected to it to carry out dangerous actions.
The invention also relates to a mechanism for the safety-related monitoring of an axis of a technical system powered by a drive unit, comprising an actual status value transmitter that is coupled with the axis, with the transmitter being connected to a two-channel drive control mechanism for evaluation purposes.
Finally, the invention concerns a method for monitoring the speed of a specific point of a handling device that can be moved, preferably of a robot flange or a tool center point (TCP) of a technical system, particularly of a handling device.
In order to design a handling device in such a way that it can be operated in the vicinity of people as well, DE 39 02 247 A1 suggests designing the actual value transmitter for status acknowledgements and control elements in a redundant fashion and providing a monitoring and safety circuit that is activated when signal deviations occur between the redundant pick-ups.
The monitoring and safety circuit responds to signal deviations between the redundant actual value transmitters; however, external safety precautions are not incorporated in the evaluation. Familiar monitoring and safety circuits also do not provide for the circuit to be able to actively intervene in the process of movements of the handling device.
From DE 296 20 592 U1 we know of a device for the safety-related monitoring of a machine axis that is equipped with a separate processor and actual value recording system as well as an error discovery system through signal comparison testing and compulsory dynamization. The device is equipped with two separate actual value recording systems, which direct their respective actual values to separate processors. The processors compare the actual values with the upper and lower limits.
From the state of the art, we know that for the monitoring and controlling of a braking device for driving mechanisms of a handling device an operatorxe2x80x94in the case of a closed braking devicexe2x80x94feeds electric current to a driving mechanism to generate a torque and checks visually whether the driving mechanism moves even in the case of a closed braking device. This procedure is not precise and must be conducted separately for each axis.
From the state of the art, we also do not know yet how to monitor the process of movement of a defined point in the Cartesian space with regard to position and speed.
The invention at issue faces, among other things, the problem of making a safety circuit available for the monitoring of processes of movements of a technical system that can be used in a flexible manner and enhances the safety of the technical system.
Furthermore, the invention is based on the problem of further developing a method and a device for the safety-related monitoring of an axis with a drive unit in such a way that the realization of a single-channel actual value recording sensory mechanism for enhanced safety-related requirements is made possible.
Additionally, the invention is based on the problem of further developing a method for controlling and monitoring a braking device in such a way that automatic monitoring or verification is enabled in a simple manner.
The invention is also based on the problem of monitoring the process of movement of a defined point of a device of the technical system in the Cartesian space.
In order to resolve the primary problem, it is being suggested
to connect the monitoring and control device with sensors and/or actuators, evaluating, processing and controlling their respective status,
to connect the monitoring and control device with the control unit and have it transmitxe2x80x94in accordance with the status of the sensors and/or actuatorsxe2x80x94at least one release signal to the control unit in order to enable at least one operation in the technical system,
to have the monitoring and control device monitor the execution of this at least one operation and
to create another signal in case of errors, moving the system into a safe status.
The monitoring and control device is designed in such a way that it can additionally be integrated into commercially available central and/or decentralized numerical controls in order to monitor dangerous operations of a technical system, particularly three dimensional dangerous movements, in a safety-related manner or manner that protects the operator(s). In case of a defective execution of the operations, a signal is generated to transfer the system into a safe condition.
The monitoring and control device is equipped with input and output levels, to which the sensors and/or actuators are connected. Additionally, interfaces are provided in order to possibly connect the monitoring and control device with the existing central control unit via a bus.
In a preferred version, the monitoring and control device is connected to a robot control mechanism. The design ensures that the at least one actuator and/or the at least one sensor is designed as a safety device that transfers the technical system into the safe status. In particular, the actuator is designed as a drive unit with appropriate drive controls or as a contactor that connects the technical system or the drive controls with energy.
When all actuators and/or sensors are in a condition that agrees with the safety requirements, the release signal of the monitoring and control device triggers an operation such as a process of movement, which is monitored by the control and monitoring device preferably by comparing it with stored and/or specified values such as execution and/or function and/or plausibility specifications or processes of movements.
In order to be able to use the monitoring and control device in a flexible manner, the invention provides for the control unit to be connected to the at least one actuator and/or sensor and the monitoring and control device via at least one data circuit, preferably a serial bus line. In particular, the control unit and the monitoring and control device are physically designed as separate devices.
In order to ensure safe monitoring of the processes of movements, the invention""s design is such that the control unit continuously or once transmits a target status value signal to the at least one connected drive control and/or to the monitoring and control device as well as actual status value signals from the at least one drive control to the control unit, preferably both to the control unit and to the monitoring and control device, that the actual status value signals of every drive control are compared to the drive-specific values and/or value ranges that are stored in the monitoring and control device and transmitted by the control unit and that when the respective value and/or value range is left another signal is generated.
In order to achieve as high an error safety rate as possible, the drive controls and the monitoring and control device, respectively, are equipped with at least two channels in a redundant design, with the channels being connected to each other via the bus line CAN_A and another bus line CAN_B, with control signals and/or actual value information being transmitted via the bus line CAN_A and actual value information via the bus line CAN_B. For the evaluation of electromechanical safety switches or similar sensors and for the addressing of external switching devices or actuators, the monitoring and control device is equipped with a two-channel output and input level, with at least two more bus connections being provided for in order to be able to connect the monitoring and control device with a higher-ranking safety bus.
In a preferred version, the actual status values transmitted from the drive controls are declared with an identifier, with an interrupt being triggered in each microcontroller of the monitoring and control device upon receipt of this identifier and the actual status values being read within a time interval. Additionally, each value and/or value range is assigned at least one safety-related output and/or input of the monitoring and control device, with the outputs and/or inputs being connected to passive and/or active switch elements such as electromechanical safety switches and/or contactors and a relay.
In order to perform service work and to initialize the technical system, the central control unit transmits target status value information to start up defined positions such as SAFE position, SYNC position to the drive units and the monitoring and control device, with the defined positions being assigned drive-specific values that are transmitted to the monitoring and control device and compared with the measured actual status values of the drive units.
According to the invention, the technical system is not equipped with any hardware limit switches such as cams, but rather with axis-specific xe2x80x9celectronic cams.xe2x80x9d In particular, a variety of value ranges is defined with regard to one drive unit or one drive axis, with this unit or axis being monitored by the monitoring and control device in a drive-specific manner, and with each value and/or value range being assigned one or more outputs of the monitoring and control device. The values and/or value ranges can be programmed in an axis-specific manner. When exceeding a status value range, one or more outputs of the monitoring and control device are set so that the technical system can be turned off.
In the method for safety-related monitoring of at least one axis of a drive unit, the problem is resolved in the invention by recording and evaluating an actual status value signal of the at least one axis, with the actual status value signal being formed by two periodic signals that are phase-displaced towards each other, with the sum of the powers of the respective amplitude of the signals being formed and compared to a value within a value range, and with an error signal being generated if the sum is not within the specified value range.
The method with enhanced safety provides for the actual status value signal of the at least one axis to be recorded in a single-channel manner and evaluated in a two-channel manner, with the actual status value signal being formed by two periodic signals that are phase-displaced towards each other, for the sum of the amplitude squares to be formed in each channel and compared to a constant value or a value within the value range, for an error signal to be generated if the sum does not correspond to the specified value or is not within the value range, and for the actual status value signal to be fed to the other two-channel monitoring and control device, which compares the sums of amplitudes squares formed in each channel of the drive control with each other and/or with the constant value or the value within the value range.
Preferably, the actual status value signal is composed of a sine- and a cos-signal, with a plausibility check of the actual value signals being conducted in each channel, thus checking whether the sum of the squares of the output amplitudes at every scanning point of time corresponds to a specified value x, with x being within the range 0.9xe2x89xa6xc3x97xe2x89xa61.1, preferably x=1=(sin xcfx86)2+(cos xcfx86)2.
As an error-avoiding and/or error-controlling measure, the invention provides for a directional signal of a target speed or status value to be generated and compared to a directional signal of the actual speed or status value in a single-channel or two-channel manner and for the values generated in a single-channel or two-channel manner to be fed to the monitoring and control device and compared to each other there.
Furthermore, the invention provides for an internal cross-comparison of the recorded actual values to be conducted between the channels, preferable between the micro-computers, and for a pulse-block to be triggered in case of an error.
When the usual energy supply is lacking for the drive units (power down mode), a standstill monitoring process is conducted, with the actual values being monitored in each channel and a xe2x80x9cmarker,xe2x80x9d which is transferred into the monitoring and control device when the usual energy supply sources have been turned back on and compared to the stored target values, being set when the actual values change beyond the set tolerance limit.
In the arrangement for the safety-related monitoring of an axis of a technical system that is driven by a drive unit, comprising an actual status value transmitter that is coupled with the axis and connected to the two-channel drive control for evaluation purposes, the problem is resolved by providing a design in which the actual status value transmitter is a single-channel item and has at least two outputs where two periodic signals that are phase-displaced towards each other can be picked up when the axis turns, in which the outputs are connected to one channel of the drive control, respectively, and in which the individual channels of the drive control are connected on the one hand with a higher-ranking central or decentralized control unit and on the other hand with a two-channel monitoring and control device in order to be able to compare the received actual value signals.
When the drive unit of a driving mechanism does not permit time value recording, the invention provides for a design in which the two-channel drive control, which is connected to the actual status value transmitter, is located as an integral part of the monitoring and control device or as self-contained unit independently from the drive unit in front of the device. In this case, the monitoring and control device can also be equipped with the drive control for actual value recording purposes. Of course the device for actual value recording can also be located in front of the monitoring and control device as a separate unit.
In a beneficial version, the actual value transmitter has the design of a resolver with two analog outputs for the actual value signals and an input for a reference signal, with the outputs, respectively, being connected to a channel of the drive control via an analog-to-digital converter and with the input for the reference signal being connected to a reference generator, which in turn is connected to the regulating unit of a channel via a control unit.
For control purposes of the actual value recording process, the analog-to-digital converter of the second channel is connected to an interrupt input of the signal processor via a first connection, and the analog-to-digital converter of the first channel is connected via a second connection with an input of a driver component, whose output is connected to an interrupt control unit of the microcontroller. The time between two received interrupt signals (EOC) is measured and a stop signal is then triggered if no interrupt signal (EOC) is detected within a certain time frame. A pulse block is also generated when the reference frequency deviates from a frequency standard.
In order to be able to control the error of a mechanical division for a single-channel drive and transmitter shaft of the resolver, the invention provides for the drive unit to be an electric drive system that is fed as an intermediate circuit, preferably as an AC servomotor.
In a method for controlling and monitoring a braking device with a nominal torque or moment (MNOM) that is allocated to a drive unit of a technical system such as a handling device, automatic monitoring/verification is enabled by measuring and storing a braking current (CB) of the drive unit that corresponds to a braking moment when the braking device is opened, by feeding the drive unit with an axis-specific current value (CTEST), which loads the braking device with a moment that is equal to or smaller than the nominal moment (MNOM) of the braking device, when the braking device is closed, and by monitoring the drive mechanism simultaneously for standstills.
Based on the invented method, the braking devices are monitored/verified automatically. When the braking devices are closed and current is fed, the drive mechanism is monitored for standstills. As soon as one axis or one drive mechanism moves, an error signal, which points to the defect of a braking device, is generated via the standstill monitoring system. In particular, this design provides the opportunity of monitoring all braking devices of a handling device simultaneously by feeding all drive mechanisms with a current value when the braking device is closed.
In a preferred version, the current value (CTEST) results from the measured braking current (CB) and an offset current (COFFSET) based on the relation
CTEST=CBxc2x1COFFSET
with COFFSET=xxe2x80xa2CN 
with 0.6xe2x89xa6xc3x97xe2x89xa61.0, preferably x=0.8
with CN being a current that generates a nominal moment corresponding to the maximum nominal moment of the braking device.
If the axis or drive mechanism that is to be checked is an axis under gravity load, then the braking device is loaded with a certain moment due to the gravity of e.g. the robot arm, which corresponds to the braking moment. For the purpose of testing the dividing device, the drive mechanism is fed a current value that generates a moment, which has an effect in addition to the moment created by gravity, in the same direction.
According to another development, the invention provides for the current value CTEST to generate a moment in the drive mechanism that amounts to 60 to 90% of the nominal moment, preferably to 80% of the nominal moment.
Furthermore, the invention includes a design for axes not subject to gravity load in which the braking device can be released via an external switching contact and addressed via an external auxiliary energy source. This operating mode is only applied in emergency situations. The higher-ranking robot control mechanism and/or the monitoring device can be turned off. In this mode, the robot mechanism can be moved manually, for example in order to release a trapped person.
In order to solve production disruptions, the invention provides for the monitoring for standstills of the remaining axes that are subject to gravity load when the braking devices of a group of axes that are not at all or only insignificantly subject to gravity load, such as head axes, are released individually. This operating mode is of advantage when e.g. after a disruption in the current source with a burnt welding wire a welding robot has become jammed in an area of the work piece that is difficult to access. In this case, the braking device can be lifted on a group of axes without gravity load in order to move the axes manually into a better position.
In a preferred version, a current supply source is added for the braking devices via an external control and monitoring device, with a drive control that is connected to the braking device generating a signal with which the braking device of an axis is opened or lifted. Apart from increased safety, this also enhances flexibility with a variety of motors or brakes that are connected.
The invention furthermore relates to a method for monitoring the speed of a moveable, device-specific point of a technical system, particularly a handling device.
In order to be able to monitor the process of movement of the defined point in the Cartesian space, the actual status value signals are recorded by the drive units, Cartesian coordinates of the point are calculated from the actual status value signals through a transformation operation, and the calculated Cartesian coordinates are compared to stored values and/or value ranges in order to generate a signal for stopping the device when the transformed Cartesian coordinates exceed the value and/or value range.
In a preferred version, verification of a safely reduced speed occurs relative to the handling device-specific point, with a difference vector being calculated by subtracting a first Cartesian coordinate set at a first scanning point in time from a second Cartesian coordinate set at a second scanning point in time, with a Cartesian speed of the point being determined via a time difference between the first and the second scanning point in time and with a signal being generated to stop the drive units when the calculated speed exceeds a specified maximum speed.
In another preferred method, a so-called brake ramp monitoring process occurs, where upon the triggering of a signal for stopping the device a starting speed of the point is determined and stored, where after a given time period the current speed is determined and compared to the starting speed and where then, when the current speed after the time period is equal to or larger than the starting speed, a signal is generated to immediately stop the device.
Further developments result from the sub-claims, which include at least in part invented versions of the inventions.