The invention relates to a monitored control arrangement for an apparatus whose output power is monitored to avoid safety-endangering effects.
For a number of technical apparatuses the risk of a dangerous state is accepted under certain conditions, for example in machining and processing plant, flame monitoring systems, controls for lifting gear, remote action systems for gas and pipelines, radio remote controls for cranes according to ZH1/547 Richtlinien für Funkfernsteuerung von Kränen and in particular electromedicinal apparatuses according to VDE 0750/DIN IEC 601 Sicherheit elektromedizinischer Geräte, allgemeine Festlegungen, which corresponds to International Standard IEC 601-1, issued 1977. The measure of the extent of this risk is the number of faults which in combination can result in a dangerous state. For electromedicinal apparatuses the case of a first fault is the subject of particular requirements and tests, in particular the failure of a protection or monitoring system, as a result of which an immediate danger to the safety of a patient can arise.
For this reason electrical and mechanical provisions are made by which a fault that endangers the function of one or more safety means, and that cannot be excluded by mechanical provisions or assumed to be eliminated, manifests itself as an operation inhibition. If a single fault does not manifest itself and then, in combination with a second independent fault, results in a dangerous state, the operation inhibition must likewise take place.
For apparatuses of this safety class the electrical provisions against danger due to a first fault or against a first fault which has remained undetected in combination with a second independent fault can be implemented by a special apparatus structure:
It is known to make the output power of an apparatus, whose undesired change (in particular by exceeding limit values) would result in danger, secure against single faults in accordance with the above definition in that said output power is maintained by a control or regulating circuit and said regulating or control circuit has a monitoring system associated with it. When an undesired change of the output power occurs the monitoring system gives an alarm and at the same time returns the output power to a safe range or switches it off completely. An apparatus constructed in this manner is secure against a first fault in the regulating or control system because said fault is detected by the monitoring system. If, however, a first fault occurs in the monitoring system and remains undetected, then in conjunction with a second fault in the control or regulating system it could result in a dangerous output power. Thus, for example with electromedicinal apparatuses of this structure the condition applies that the direct function of the monitoring or supervisory system must be checked automatically at least at the start of an operating phase. Thus, apart from the regulating or control system and the monitoring system, another system must be provided for the initial automatic self-test.
It is known in apparatus structures of the aforementioned type to use microcomputers in that the functions of the control system and/or the monitoring system are carried out completely or partially by a microcomputer. A disadvantage is that the failure behaviour of a microcomputer can in no way be predicted, and consequently extensive conventional circuits are additionally necessary which continuously and/or initially check the correct mode of operation of the microcomputer. In addition, the fault-detection certainty of said conventional circuits is restricted. Increasing the chance of discovering faults when monitoring more complex relationships involves a considerable increase in the expenditure on conventional switching and circuit means.
Thus, with the aforementioned use of a microcomputer the safety risk is still relatively high in spite of the monitoring, and a high expenditure on circuitry and production costs is also involved.
In the German technical journal "Der Elektroniker", no. 10, 1975, volume 14, pages 6 to 9, problems of self-monitoring and of safety in variable-speed drives are discussed in general terms. In the speed-controlled drive explained in this publication a desired value/actual value comparison of the speed of rotation is carried out continuously. If the desired value differs from the actual value beyond predetermined limits an alarm is initiated. To avoid alarm initiations during brief load surges, a time delay is provided in front of the alarm output which allows the alarm signal to appear at the output only when the alarm condition has persisted for a predetermined minimum duration.
However, a disadvantage with the drive known from this publication is that no tests are provided for the monitoring circuit before operation is started.
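As an added illustration, not taken from the patent or from the publications it cites, the following Python model sketches the structure discussed above: a monitoring stage with the minimum-duration alarm filter of the Elektroniker drive, combined with the initial automatic self-test that the drive lacks, which injects a simulated out-of-range output power before operation starts and inhibits operation if the monitor fails to alarm (the undetected first fault in the monitoring system). All class and function names, limit values and the "stuck comparator" fault are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Monitor:
    """Supervisory stage: checks the actual output power against a limit
    window and alarms only once the violation has persisted for
    min_samples consecutive samples (filter against brief load surges)."""
    low: float
    high: float
    min_samples: int
    stuck: bool = False            # constructed first fault: comparator never reports a violation
    _run: int = field(default=0, init=False)   # length of the current run of violations

    def sample(self, power: float) -> bool:
        violated = (not self.stuck) and not (self.low <= power <= self.high)
        self._run = self._run + 1 if violated else 0
        return self._run >= self.min_samples


def self_test(monitor: Monitor, fault_power: float, max_samples: int) -> bool:
    """Initial automatic self-test: feed a simulated dangerous power to the
    monitor and require an alarm within max_samples. False means the
    monitor itself is faulty and operation must be inhibited."""
    monitor._run = 0
    passed = any(monitor.sample(fault_power) for _ in range(max_samples))
    monitor._run = 0               # do not carry test state into operation
    return passed


def run_phase(monitor: Monitor, samples: list, safe_power: float) -> list:
    """One operating phase: returns the delivered output powers; once the
    monitor alarms, the output is forced to safe_power for the rest of the phase."""
    out, tripped = [], False
    for p in samples:
        if not tripped and monitor.sample(p):
            tripped = True
        out.append(safe_power if tripped else p)
    return out


def start_operation(monitor: Monitor, samples: list, safe_power: float = 0.0):
    """Self-test first; only a proven monitor is allowed to supervise a phase."""
    fault_power = 2 * monitor.high                       # simulated limit violation
    if not self_test(monitor, fault_power, monitor.min_samples + 1):
        return "inhibited", []
    return "running", run_phase(monitor, samples, safe_power)
```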
DE-OS No. 2,841,220 discloses a method of testing the function of a control system according to which a test device is connected between a control apparatus with self-monitoring circuit and the drive to be monitored. In the control system known therefrom, for an antiskid or antiblocking system for motor vehicles, after the vehicle is started the antiblocking system is checked for any faults which may be present by a self-monitoring circuit integrated in the control apparatus in accordance with an internal test program. With an additionally connectable test device faults in the antiblocking circuit can be simulated so that it can be determined whether the self-monitoring of the antiblocking system is functioning satisfactorily. A disadvantage is that the self-monitoring circuit is evidently a complex circuit with which an internal test program is processed, so that it is to be assumed that a microcomputer is used. It is very difficult with a conventional circuit to check a microcomputer-controlled circuit.
Furthermore, DE-OS No. 3,306,897, corresponding to U.S. Pat. No. 4,333,119 to Schoenmeyr, discloses a monitored control arrangement for an engine with generator. This control arrangement comprises a control circuit, a monitoring circuit and a test circuit for an initial test for checking the monitoring circuit. However, the test circuit consists of a switch with which a fault condition can be triggered by hand. Consequently, more extensive and more complex testing of the monitoring circuit is not possible in the prior art known from this publication.