This application is a continuation of copending international patent application PCT/EP01/11436 filed on Oct. 4, 2001 designating the U.S. and published in German language, which PCT application claims priority from German patent application DE 100 53 820.7, filed on Oct. 30, 2000.
The present invention relates to an electronic safety switching device having at least a first and a second signal processing channel and to a corresponding method of switching off an industrial machine. The first and second signal processing channels can be supplied with input signals for signal processing, and they provide processed output signals. The invention particularly relates to such a device and method, wherein the first and second signal processing channel process the input signals redundantly with respect to each other, and wherein the first and second signal processing channels each are constructed using integrated semiconductor structures.
Safety switching devices of this type are primarily used in the industrial sector in order to carry out shutdown operations on machines, plants and other installations in a failsafe manner. In this connection, the term "failsafe" means that the switching device meets standardized requirements regarding failsafety, in particular the requirements of safety category 3 of the European Standard EN 954-1 or higher. Devices of this type are used, for example, to stop a machine plant, such as a press or an automatically operating robot, as a reaction to the operation of an emergency off pushbutton or the opening of a protective door, or to transfer the installation in another way into a nonhazardous state. Likewise, it is generally necessary to switch off a machine or machine plant at least partly to carry out maintenance or commissioning work. Since a malfunction or failure of the safety switching device would result in an immediate hazard to human personnel in such a situation, very high requirements are placed on safety switching devices with regard to their failsafe nature. As a rule, safety switching devices may therefore be used in the industrial sector only after appropriate approval by a responsible inspecting authority, for example professional associations or governmental authorities.
One measure of achieving the required failsafe nature is to construct the safety switching device redundantly with a plurality of channels, the at least two signal processing channels monitoring each other. If a fault occurs in one of the signal processing channels, the second signal processing channel should be capable of recognizing this and arranging for a nonhazardous state for persons in the area of the machine plant. During this procedure, particular attention must be placed on possible fault causes which influence a plurality of the redundant signal processing channels in the same way, since otherwise the requisite failsafe nature is not ensured (what is known as common cause faults).
A procedure which is often practised during the approval of safety switching devices by the responsible inspecting authorities is that the designer or manufacturer of the safety switching device has to present a thoroughgoing and detailed consideration of faults, in which every conceivable fault is covered. In this document, it is necessary to prove that the safety switching device can bring about a nonhazardous state for persons in a reliable manner even when the respective fault occurs. A consideration of this type is very complicated, in particular in the case of complex safety switching devices having numerous functions, which has a detrimental effect on the costs of the development and manufacture. Added to this is the fact that this fault assessment has to be repeated even in the case of slight changes to the construction or in the structure of the safety switching device since, for example, new fault sources can be produced merely as a result of a physically different arrangement of intrinsically identical components.
In view of this, it is an object of the present invention to specify a safety switching device of the type mentioned at the beginning in which the effort to demonstrate the failsafe nature is reduced.
It is another object of the invention to provide a safety switching device and method that can be implemented at lower cost.
According to one aspect of the invention, these objects are achieved by the first and the second signal processing channel being arranged monolithically on a common semiconductor substrate, the semiconductor structures of each signal processing channel being spaced apart physically by a multiple of their width from the semiconductor structures of every other signal processing channel.
Thus, a safety switching device is proposed in which the mutually redundant signal processing channels are arranged jointly in one semiconductor chip for the first time. In this case, it is not ruled out that each of the signal processing channels will further be supplemented with the aid of external components, for example for setting time constants, depending on the type and the functionality of the safety switching device. However, the fewer additional external components are needed, the greater the benefit of the invention.
As a result of the common arrangement of the redundant signal processing channels, the entire structure of the safety switching device can be defined, during the design and development of the semiconductor chip, in a form which can subsequently no longer be changed. As a result of this, the fault assessment required for the approval by the inspecting authorities only has to be carried out once, namely during the development of the semiconductor chip. Subsequent checks can be restricted to quantitative verification that the specifications defined during the development of the semiconductor chip are complied with, in particular the envisaged physical dimensions and the materials used. Checks of this type can be carried out substantially more simply than the complicated prior art fault assessments.
Furthermore, the new approach has the advantage that, because of the unchanging nature of the semiconductor chip after its manufacture, specific fault causes can reliably be ruled out from the beginning. For example, during a fault assessment a short circuit between two conductor tracks on the semiconductor substrate can be ruled out if the two conductor tracks maintain a sufficient distance from each other. In contrast, a short circuit as a result of mechanical crushing could arise in operation between two conductor cables which are insulated from each other in a conventional manner known per se.
Furthermore, the new approach has the advantage that the recognized, tried and trusted methods of carrying out a fault assessment can be applied in the same way as hitherto, which, not least, also makes acceptance by the responsible inspecting authorities easier. Because of the unchanging nature of the semiconductor chip, it is in particular possible to transfer those methods which are recognized in the fault assessment of printed circuit boards.
Furthermore, the measure according to the invention has the advantage that a semiconductor chip can be accommodated in a manner known per se and with tried and tested manufacturing methods in a dust-tight housing, which substantially minimizes fault causes arising from industrial contamination. Fault causes of this type can therefore likewise be ruled out during the fault assessment to be carried out.
Furthermore, the safety switching device according to the invention can be fabricated very efficiently in very large numbers, without additional fault causes being created in this way. Not least, the safety switching device according to the invention can be miniaturized very highly, owing to the measure proposed, which enlarges the field of use and the possible uses considerably.
In a refinement of the invention, the first and the second signal processing channel each have at least one communication interface for mutual internal data interchange.
As an alternative to this, it would also be possible to connect the redundant signal processing channels to each other externally, that is to say outside the semiconductor substrate, for mutual data interchange. In contrast, the preferred measure has the advantage that the fault assessment relating to mutual data interchange likewise has to be carried out only once during the development of the semiconductor chip. Furthermore, the internal data interchange is faster and less exposed to disruptive environmental influences. Finally, fault causes during the installation of the safety switching device according to the invention are reduced.
In a further refinement, the communication interfaces of the first and second signal processing channel are connected to each other via at least two physically separated connecting lines.
This measure has the advantage that even the internal communication can be carried out in a redundant manner with multiple channels, as a result of which the failsafe nature of the safety switching device according to the invention is increased once more.
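The mutual monitoring described above, with the peer's result carried over two physically separate connecting lines, can be modelled as a small simulation. The following is an added example and not part of the patent text: the channel logic, the inversion used to model a faulty channel or line, and the series combination of the two channel outputs are assumptions made for the illustration; the page fixes none of these details.

```python
from dataclasses import dataclass

# Output states: the machine may run only when both channels release their output.
RUN, SAFE = True, False


@dataclass
class Channel:
    """One signal processing channel; `faulty` models a constructed stuck-inverted fault."""
    name: str
    faulty: bool = False

    def evaluate(self, estop_pressed: bool, guard_open: bool) -> bool:
        """True = no shutdown demand seen on this channel's copy of the inputs."""
        result = not (estop_pressed or guard_open)
        return (not result) if self.faulty else result


def transmit(value: bool, line_fault: bool) -> bool:
    """Model one connecting line; a faulty line delivers the inverted bit (constructed fault)."""
    return (not value) if line_fault else value


def decide(own: bool, copy_a: bool, copy_b: bool) -> bool:
    """Cross-check the own result against the peer's result received over two separate lines."""
    if copy_a != copy_b:      # the redundant lines disagree: treat as a communication fault
        return SAFE
    if own != copy_a:         # the two channels disagree: one of them is faulty
        return SAFE
    return RUN if own else SAFE


def safety_output(ch1, ch2, estop_pressed, guard_open,
                  line_faults=(False, False, False, False)):
    """Combined output of the device.

    line_faults[0], [1]: the two lines carrying ch1 -> ch2
    line_faults[2], [3]: the two lines carrying ch2 -> ch1
    Assumption for this example: the two channel outputs are combined in series,
    so the machine runs only if both channels release."""
    r1 = ch1.evaluate(estop_pressed, guard_open)
    r2 = ch2.evaluate(estop_pressed, guard_open)
    out1 = decide(r1, transmit(r2, line_faults[2]), transmit(r2, line_faults[3]))
    out2 = decide(r2, transmit(r1, line_faults[0]), transmit(r1, line_faults[1]))
    return RUN if (out1 and out2) else SAFE


def demo():
    """Constructed scenarios; returns a mapping scenario -> output (True = run)."""
    ok = (Channel("ch1"), Channel("ch2"))
    return {
        "normal, no demand": safety_output(*ok, False, False),
        "emergency stop pressed": safety_output(*ok, True, False),
        "guard open": safety_output(*ok, False, True),
        "ch1 faulty, no demand": safety_output(Channel("ch1", faulty=True), Channel("ch2"),
                                               False, False),
        "one line faulty, no demand": safety_output(*ok, False, False,
                                                    (True, False, False, False)),
        "both lines of one direction faulty": safety_output(*ok, False, False,
                                                            (True, True, False, False)),
    }


if __name__ == "__main__":
    for scenario, out in demo().items():
        print(f"{scenario:40s} -> {'RUN' if out else 'SAFE'}")
```

Only the first scenario releases the output; a faulty channel is caught by the cross-comparison, a single faulty line by the mismatch between the two copies, and a consistent fault on both lines of one direction still by the channel comparison, so every modelled fault ends in the safe state.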
In a further refinement of the measure previously cited, the connecting lines are spaced apart physically from one another by a multiple of their width.
Owing to this measure, short circuits between the connecting lines, and associated fault causes, can reliably be ruled out.
In a further refinement of the measures previously cited, the connecting lines are designed to be feedback-free.
Freedom from feedback is preferably achieved by each connecting line containing a feedback-free driver stage. Owing to this measure, particularly good decoupling of the redundant signal processing channels is achieved, by which means the risk of total failure of the safety switching device according to the invention is once more considerably reduced.
In a further refinement, each of the signal processing channels has its own power supply connections, which are separated physically from the supply connections of the other signal processing channels.
With this measure, the individual signal processing channels become still more independent of one another, by which means the risk of faults which affect a plurality of signal processing channels in the same way is still further reduced. The failsafe nature of the safety switching device according to the invention is more reliably and even better ensured.
In a further refinement, the semiconductor structures of each signal processing channel form a physical group which, as a whole, is spaced apart from each physical group of each other signal processing channel.
In this refinement, the redundant signal processing channels in each case occupy their own physical area on the semiconductor substrate. It is possible for imaginary dividing lines to be drawn between the physical areas. The measure has the advantage that the individual signal processing channels are decoupled from one another in a physically optimum manner, which permits very high independence. In addition, the fault assessment and the development of the semiconductor chip are also noticeably simplified.
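The spacing rules stated above (structures of different channels spaced apart by a multiple of their width, the redundant connecting lines likewise, and each channel's structures forming a physically separate group) are exactly the kind of dimensional specification that later checks can verify quantitatively. The following design-rule check is an added example, not part of the patent or of any layout tool: the spacing factor of 3, the use of the narrower dimension as a structure's "width", and the constructed coordinates are assumptions for the illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from math import hypot, inf

# "A multiple of their width": the page fixes no number, so the factor is an assumption.
SPACING_FACTOR = 3


@dataclass(frozen=True)
class Structure:
    """Axis-aligned rectangle on the substrate (constructed units, e.g. micrometres)."""
    name: str
    channel: str      # signal processing channel (or connecting line) it belongs to
    x: float          # left edge
    y: float          # bottom edge
    width: float      # extent in x
    height: float     # extent in y

    @property
    def x2(self) -> float:
        return self.x + self.width

    @property
    def y2(self) -> float:
        return self.y + self.height

    @property
    def rule_width(self) -> float:
        """Assumption: the spacing rule is measured against the narrow dimension
        (for a conductor track, its track width rather than its length)."""
        return min(self.width, self.height)


def gap(a: Structure, b: Structure) -> float:
    """Shortest edge-to-edge distance between two rectangles; 0 if they touch or overlap."""
    dx = max(0.0, max(a.x, b.x) - min(a.x2, b.x2))
    dy = max(0.0, max(a.y, b.y) - min(a.y2, b.y2))
    return hypot(dx, dy)


def required_gap(a: Structure, b: Structure) -> float:
    """The wider of the two structures sets the bound."""
    return SPACING_FACTOR * max(a.rule_width, b.rule_width)


def spacing_violations(structures, cross_channel_only=True):
    """Pairs closer than SPACING_FACTOR x width, as (name, name, actual gap, required gap).

    cross_channel_only=True checks only pairs from different channels (rule for the
    redundant channels); False checks every pair (rule for the redundant connecting lines)."""
    found = []
    for a, b in combinations(structures, 2):
        if cross_channel_only and a.channel == b.channel:
            continue
        g, need = gap(a, b), required_gap(a, b)
        if g < need:
            found.append((a.name, b.name, g, need))
    return found


def channel_bounds(structures):
    """Bounding box (x1, y1, x2, y2) of each channel's physical group."""
    bounds = {}
    for s in structures:
        x1, y1, x2, y2 = bounds.get(s.channel, (inf, inf, -inf, -inf))
        bounds[s.channel] = (min(x1, s.x), min(y1, s.y), max(x2, s.x2), max(y2, s.y2))
    return bounds


def overlapping_groups(structures):
    """Channel pairs whose groups interleave, i.e. no dividing line can be drawn between them."""
    bounds = channel_bounds(structures)
    return [(ca, cb) for (ca, a), (cb, b) in combinations(bounds.items(), 2)
            if a[0] < b[2] and b[0] < a[2] and a[1] < b[3] and b[1] < a[3]]


# Constructed layouts. Squares of width 4 need a gap of 12; B2 in SAMPLE_LAYOUT is too close.
SAMPLE_LAYOUT = [
    Structure("A1", "A", x=0, y=0, width=4, height=4),
    Structure("A2", "A", x=0, y=10, width=4, height=4),
    Structure("B1", "B", x=30, y=0, width=4, height=4),
    Structure("B2", "B", x=12, y=10, width=4, height=4),   # gap to A2 is 8 < 12
]
FIXED_LAYOUT = SAMPLE_LAYOUT[:3] + [Structure("B2", "B", x=20, y=10, width=4, height=4)]
INTERLEAVED_LAYOUT = SAMPLE_LAYOUT[:3] + [Structure("B2", "B", x=2, y=5, width=4, height=4)]

# Constructed connecting lines of track width 1 (need a gap of 3), running between the channels.
LINES_BAD = [Structure("link1", "L1", x=4, y=5, width=8, height=1),
             Structure("link2", "L2", x=4, y=7, width=8, height=1)]   # gap 1 < 3
LINES_OK = [LINES_BAD[0], Structure("link2", "L2", x=4, y=9, width=8, height=1)]

if __name__ == "__main__":
    print("channel spacing:", spacing_violations(SAMPLE_LAYOUT))
    print("interleaved groups:", overlapping_groups(INTERLEAVED_LAYOUT))
    print("line spacing:", spacing_violations(LINES_BAD, cross_channel_only=False))
```

A check of this kind operates purely on the geometry frozen into the chip design, which is what makes it far cheaper to repeat than a full fault assessment: a violation is a measurable number, not a new fault scenario to be argued through.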
It goes without saying that the features cited above and those still to be explained below can be used not only in the respectively specified combination but also in other combinations or on their own without departing from the scope of the present invention.