The present invention relates to an electronic safety switching device having at least a first and a second signal processing channel.
Safety switching devices of this kind are primarily used in the industrial sector and may be encountered in almost all areas of mechanical and plant engineering. Safety switching devices carry out defined safety functions, for instance, providing a controlled and safe stopping of movement of a technical installation or monitoring the position of a moving installation. Generally, safety switching devices are configured to initiate a safe and reliable response if a fault occurs and if protected areas are breached.
There are very high demands placed on the fail-safety of such safety switching devices. Thus, safety switching devices must generally first be approved by a regulatory authority before they are allowed to be used in industrial applications. For example, in Germany, the professional associations or the TÜV (German Technical Inspection Association) carry out such approvals. Relevant standards for functional safety are, for instance, DIN EN 61508 for developing electrical, electronic, and programmable electronic (E/E/PE) systems or EN 61511 for developing technical safety systems for the processing industry. These standards define, inter alia, safety integrity levels (SILs) which are used for assessing E/E/PE systems in terms of the reliability of their safety functions. In the context of the present disclosure, safety switching devices are those devices which satisfy at least the requirements of SIL2.
A known and frequently used measure for achieving this required fail-safety is to configure the safety switching device redundantly with multiple channels, wherein at least two signal processing channels monitor each other. If a fault occurs in one of the signal processing channels, the second signal processing channel is capable of detecting said fault and effectuating a safe state for persons in the area of the machinery. Under this approach, particular attention must be given to possible causes of faults which affect multiple, or all, redundant signal processing channels in the same manner (so-called common-cause faults); otherwise, the required fail-safety cannot be ensured.
Furthermore, a frequently used approach by the relevant regulatory authorities when approving safety switching devices is to request from the designer or manufacturer of the safety switching device an exhaustive, detailed fault analysis in which any conceivable fault is recorded. It must be demonstrated therein that the safety switching device can effectuate a safe state for persons in a reliable manner, even if the respective fault occurs. Such an analysis is highly complex, in particular in the case of complex safety switching devices having numerous functions, and thus has an adverse effect on development and production. In addition, this failure analysis must be repeated even in the case of slight changes in the design or the structure of the safety switching device, since, for example, new fault sources may be created solely due to a spatially different arrangement of components which are otherwise identical.
For this reason, DE 100 53 820 A1 suggests an electronic safety switching device in which the essential components of the redundant signal processing channels are formed from integrated semiconductor circuits which are arranged on a single semiconductor chip. This so-called on-chip redundancy, in which a single integrated and invariable component is provided while maintaining the separate signal processing channels, has the advantage that the fault analysis required by the regulatory authority for the approval must be performed only once. Later checks may subsequently be limited to quantitatively checking adherence to the specifications defined during the development of the semiconductor chip, in particular adherence to intended spatial dimensions and materials used.
However, due to the particular architectural requirements which must be taken into account during the design and development of semiconductor chips having on-chip redundancy, such chips are often one-off products and are generally more expensive than common semiconductor chips having redundant structures, for example, modern multi-core processors which are used for parallel processing. For instance, in semiconductor chips which have on-chip redundancy and are used for safety-critical applications, separate physical blocks must be formed on the semiconductor substrate for each channel and for each monitoring element, for example, a watchdog, said blocks being arranged with a defined spacing from each other so that they cannot influence one another. In addition, each channel must have its own separate inputs and outputs, which are not allowed to pass through one of the other blocks. As a result, the chip design becomes particularly complex, and the integrated circuits generally require a higher-than-average area on the semiconductor substrate, thereby in turn increasing the cost of a single chip.
In addition, there are application areas which strictly forbid the use of systems having on-chip redundancy. Thus, for example, when using non-contact protective devices (electro-sensitive protective equipment or ESPE), no systems may be employed in which the signal processing units of the individual channels are arranged on one semiconductor substrate. Therefore, such protective devices cannot use known on-chip redundancy systems.