The present invention relates to a method and an apparatus for detection, transmission and processing of safety-related signals having at least one detector, one transmission path and at least one signal processor.
In order to control machines in manufacturing systems in industry, in particular machine tools and robots, signals are transmitted from controllers or peripherals to a control unit. In this case, the controllers and peripherals may be either stationary or mobile units. In particular, safety-relevant signals such as EMERGENCY-OFF, EMERGENCY-STOP, START, STOP, confirmation signals, movement buttons and safety-related input signals regularly have to be reliably detected, transmitted and processed in order to ensure the safety of the operator, of the machines and of the systems. Signals which initiate movements, for example shaft movement, gripper pick-up and the like, are also related to this problem.
Conventionally, safety-related signals are therefore generally transmitted by wire. EMERGENCY-OFF, confirmation and safety-relevant input signals are detected via duplicated electromechanical switching elements. Movement buttons, START and STOP, on the other hand, are detected via simple electromechanical, electrical or electronic switching elements.
For transmission, the signals are conventionally transmitted via a bus system, a serial link or a parallel link, or else directly via wires.
EMERGENCY-OFF signals are passed via two pairs of wires to safety tripping units. On the other hand, depending on the mode, START, STOP and movement buttons are subject to different safety requirements. START, STOP and movement button signals are generally transmitted via the bus system, the serial link or the parallel link. If these signals have an associated safety function, then the signals are effective only in conjunction with confirmation buttons, which are routed to the tripping unit via wires. Such so-called confirmation buttons must in this case be operated at the same time as the movement buttons. Safety-relevant inputs are carried via their own wires.
Conventionally, the transmission itself takes place via a cable which, apart from the necessary signal lines, normally also includes supply lines for current and/or voltage for the control unit. The cable must be suitable for industrial operational conditions, which means that electrical interference, mechanical loads and chemical influences have to be considered.
Signals such as EMERGENCY-OFF and confirmation signals are electrically processed in two channels. On the other hand, START, STOP and movement buttons are processed in one channel, taking account of a confirmation signal.
The wire-based link between the control unit and the controllers or peripherals has the disadvantages, in particular, of the costs of a wire-based link, the installation complexity associated with this, as well as poorer mobility, maintenance effort for the cable, the risk of accidents linked to this, and the necessity for the already described confirmation button.
An object of the present invention is to provide a method and an apparatus for detection, transmission and processing of safety-related signals, in which the disadvantages mentioned above can be avoided.
The term safety-related signals in this case means signals in which faults or errors in the detection, transmission and evaluation can lead to loss of safety functions in the machine, system or process.
According to the present invention, this object is achieved by a method for detection, transmission and processing of safety-related signals having at least one detection means, one transmission path and at least one signal processing means, in that
safety-relevant signals are physically detected on at least two channels at the transmitter end,
the detected data are logically transmitted by at least two channels using a safety technique by radio to a receiver end, and
the received data are likewise physically processed and monitored on at least two channels at the receiver end.
A corresponding apparatus for achieving the above object according to the present invention is characterized in that
the detection means for safety-related signals are designed physically with at least two channels at a transmitter end,
a radio path which logically has at least two channels and uses a safe technology is provided with in each case one radio module at the transmitter end and receiver end, and
the signal processing means at the receiver end are likewise designed physically with at least two channels.
The present invention thus allows radio transmission of signals for controlling machines, appliances and processes, including safety-relevant signals such as EMERGENCY-OFF, EMERGENCY-STOP, START, STOP, confirmation signals, movement buttons and safety-related input signals as well as signals which initiate movement. Safe evaluation of the signals by software can also be achieved. The present invention furthermore ensures that an individual fault or error in the detection, transmission and evaluation does not lead to any loss of safety functions.
According to a first example refinement, the safety-related signals are detected by redundant signals being produced, for example by means of duplicated electromechanical, electrical or electronic input elements. Various redundant signals are detected in two channels by means of two detection modules, and this can be achieved either by hardware, or by hardware and software. The detected signals provide protection data for signal transmission from each detection module, allowing monitoring for
incorrect transmitters or incorrect receivers,
adulteration of the data,
loss of data and
repetition of data.
In this case, each detection means uses the signal data to produce additional protection data for monitoring purposes.
According to a further example refinement of the present invention, the transmission is carried out using a transmission module, in each case one transmission and reception module, and one receiver module. The transmission and reception modules as well as the radio modules are each formed from different components. The radio transmission takes place using digital technology. Major parts of the signal processing for the transmission can be implemented in software. The transmission module receives the signal data, and the associated protection data, from both detection modules, cyclically. The data in both channels are then transmitted jointly, by radio. The received data in the two channels are separated again by the receiver module. In order to process the data and to carry out the monitoring function, the data are then passed on to the respective evaluation and monitoring module for channel 1 and channel 2.
According to a further example refinement of the present invention, the signals are likewise monitored and processed in two channels, in particular on two separate processors, such as signal processors. The data are monitored in each channel on the basis of the following criteria:
incorrect sender or incorrect receiver,
adulteration of the data during transmission,
loss of data,
repetition of data and
interruption of the data.
A time criterion is monitored in each channel, as a consequence of which safety-relevant functions are, as a rule, initiated after a predetermined time period after detection of the signals. This is ensured according to the present invention by the signals always being transmitted after a predetermined time period for processing.
The serviceability of an EMERGENCY-OFF and STOP input element as well as the associated operation of the respective detection module are monitored in each channel by positive dynamic activation means.
After evaluation, faults and errors in each channel are detected by comparison of the evaluation results.
The reactions to be initiated after detection of a fault or error depend on various factors, such as the respective application, the respective safety policy, the respective machine, controller or system.
Furthermore, any protection methods can also be carried out, if required, by radio transmission independently of the described monitoring.
The processing leads to the execution of the control function to be initiated by input signals. The execution of the control function may likewise be carried out on two channels, depending on the safety requirement. The two-channel detection, safe transmission and two-channel monitoring and processing make it possible to dispense with an additional confirmation signal, for example a confirmation button, provided the downstream control functions are carried out using a safe technique.
According to a further example refinement of the present invention, a redundant value for data protection is also added to and transmitted with the signal data and protection data. In addition to monitoring by cross-comparison of data in the two channels, the safety of the transmission can be further increased by checking the plausibility of this redundant value for data protection.
According to a further example refinement of the method and of the apparatus according to the present invention, a further improvement in safety is achieved by additionally providing each data packet with a counter value, which is produced at the transmitter end, in which case the counter value is incremented or decremented for each data packet to be transmitted, and the redundant value for data protection is formed via signal data, protection data and the counter value.
According to a further example refinement of the method and of the apparatus according to the present invention, the data are transmitted particularly efficiently by radio in that
at the transmitter end, each data packet is separated into an implicit and an explicit data element, with the implicit data element comprising those data which are known at the receiver end, and
in order to minimize the volume of data to be transmitted, only the explicit element of the data packet is transmitted by radio, and
at the receiver end, the data packet is reconstructed from the known information and the received explicit element.
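The counter value, the redundant value for data protection and the implicit/explicit split described above can be illustrated together; the following is an added sketch, not part of the original specification. The packet layout, the use of CRC-32 as the redundant value, the addresses and the names redundant_value, build_explicit, ChannelMonitor and evaluate are all assumptions made for the illustration.

```python
import struct
import zlib

# Assumed layout (the patent fixes none): the implicit element is the sender and
# receiver address, known at both ends; the explicit element is counter, signal
# bits and a CRC-32 standing in for the "redundant value for data protection".

def redundant_value(src, dst, counter, signals):
    return zlib.crc32(struct.pack(">HHBB", src, dst, counter, signals))

def build_explicit(src, dst, counter, signals):
    """Transmitter end: only counter, signals and CRC are sent by radio."""
    return struct.pack(">BBI", counter, signals,
                       redundant_value(src, dst, counter, signals))

class ChannelMonitor:
    """Receiver-end monitor for one channel (hypothetical helper)."""
    def __init__(self, src, dst, timeout_s):
        self.src, self.dst, self.timeout_s = src, dst, timeout_s
        self.last_counter = self.last_time = None

    def check(self, frame, now):
        if len(frame) != 6:
            return "corrupt", None
        counter, signals, rx_crc = struct.unpack(">BBI", frame)
        # Rebuild the full packet from the known addresses: a wrong sender,
        # wrong receiver or altered bit all make the CRC implausible.
        if redundant_value(self.src, self.dst, counter, signals) != rx_crc:
            return "corrupt_or_wrong_address", None
        if self.last_counter is not None:
            if now - self.last_time > self.timeout_s:
                return "interruption", None
            step = (counter - self.last_counter) % 256
            if step != 1:
                return ("repetition" if step == 0 else "loss"), None
        # State advances only on a good packet.
        self.last_counter, self.last_time = counter, now
        return "ok", signals

def evaluate(mon1, mon2, frame1, frame2, now):
    """Cross-compare both channels; any fault or mismatch gives the safe state."""
    (s1, v1), (s2, v2) = mon1.check(frame1, now), mon2.check(frame2, now)
    return v1 if s1 == s2 == "ok" and v1 == v2 else "SAFE_STATE"
```

Because each channel uses its own address pair, a frame built for one channel fails the plausibility check in the other, so the two logical channels cannot be confused even though they share one radio path.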
The present invention may be used particularly advantageously in conjunction with industrial processing machines or manufacturing systems, in particular numerically controlled machine tools or robots.
In this case, in addition to a refinement using a two-channel technique, an implementation is, of course, also likewise possible with more than two channels according to the teaching of the present invention.
The formation of a safe radio data link according to the present invention can be achieved particularly advantageously by a method which is distinguished by a receiver registering with the transmitter, in that
communication addresses for the transmitter end and receiver end are uniquely defined for each channel,
a radio link is produced between the transmitter and the receiver,
the communication addresses are transmitted to the receiver in the form of a data packet, with the registration process being terminated,
if a predetermined time window is exceeded or
any loss or repetition of data occurs, or
a cross-comparison leads to detection of a fault or error, or
the redundant value for data protection is identified as not being plausible.
The use of the radio system for transmission of safety-related signals for controlling, inter alia, machines according to the present invention thus results in the following advantages:
no costs for wire-based connection,
reduced installation complexity for stationary appliances, since no wire-based connection need be installed,
for portable appliances, greater mobility, no weight loading from a cable, no risk of accidents from a cable, no maintenance effort for a cable, and no complexity for confirmation buttons.
The present invention thus allows EMERGENCY-OFF, START, STOP, movement and confirmation signals to be transmitted by radio. There is no need for any additional protection for START and movement signals by means of confirmation signals, in particular confirmation buttons, provided the control functions satisfy appropriate safety requirements.