The present invention relates to a safety circuit arrangement for connection or failsafe disconnection of a hazardous installation, and to a new type of signaling device used in such a safety circuit arrangement.
A safety circuit arrangement in terms of the present invention is a circuit arrangement with at least two components, which interact so as to protect against hazardous operation of a technical installation, i.e. so as to avoid accidents which endanger the health or the life of people in the vicinity of the installation. One component is a control device (or controller), which is specifically designed to interrupt, in failsafe fashion, a power supply path to the installation in order to bring the installation into a non-hazardous, deenergized state. In the case of relatively large installations, this function of the control device can be limited to parts or regions of the installation, and different regions of a relatively large installation can be controlled separately by a plurality of control devices. It is important that the control devices ensure a safe operating state of the installation even when faults occur, for example when electronic components fail, a cable connection is damaged or another fault event occurs. Therefore, the control devices are usually constructed with multiple-channel redundancy and have internal monitoring functions in order to identify individual faults early and to avoid an accumulation of faults. Suitable control devices may be programmable safety controllers or simpler safety switching devices with a substantially predefined functional range. Typically, the control devices have single-fault safety in terms of European Standard EN 954-1 category 3 or higher, in terms of SIL 2 of International Standard IEC 61508 or in terms of comparable specifications.
The control devices monitor the operating state of so-called signaling devices or sensors. The signaling devices/sensors generate input signals for the control device, which input signals are evaluated by the control device and logically interconnected, if appropriate, in order to connect or disconnect actuators of the installation, such as an electric drive or a solenoid valve for example, depending on said signals. In many cases, the signaling devices generate very simple binary information, for example regarding whether a mechanical protective door is closed or not, whether an emergency stop button has been actuated or not, whether a light barrier has been interrupted or not. However, signaling devices/sensors may also generate analogue values, such as the temperature of a boiler or the rotational speed of a drive, for example. Generally, the control device of the safety circuit arrangement only enables operation of the installation when it can be assumed, on the basis of the signals from the signaling devices/sensors, that there is non-hazardous operation. However, there are also cases in which protective measures are intentionally overridden, for example in order to allow a machine setup operating mode while the protective door is open. In these cases, a special enable button is often used which needs to be actuated by the operator in such a case. Such an enable button is a safety-relevant signaling device.
In a large installation, there may be a plurality of signaling devices/sensors which supply safety-relevant input signals to the safety controller. The individual signaling devices/sensors can be located far away from one another, which results in considerable set-up effort. In the case of cable connections which run outside of a closed switchgear cabinet or outside of pinch-proof tubes, cross-connections which can occur as a result of damage need to be detected by the safety controller. Therefore, the connecting lines between signaling devices/sensors and control devices of a safety circuit arrangement often have redundancy, which additionally increases the complexity.
DE 10 2004 020 997 A1 discloses a safety circuit arrangement, wherein a plurality of signaling devices are connected in series to a failsafe control device. The control device generates two redundant enable signals, which are fed back to the control device via two redundant lines through the series of signaling devices. If a signaling device in the series interrupts at least one of the redundant enable signals, this is detected in the control device and the power supply path to the installation is interrupted. Due to a smart implementation of the signaling devices, it is also possible to transmit diagnosis information to the control device via said safety lines. The known circuit arrangement therefore enables a relatively inexpensive design with flexible diagnosis possibilities. However, the practical implementation requires at least four separate lines or line cores for feeding the enable signals from the control device to the signaling devices and back again. Since the signaling devices use electronic components which require an operating voltage for passing on the redundant enable signals, typically two further lines or core pairs are required for supplying the operating voltage and corresponding ground potential to the signaling devices. Such an implementation is therefore still complex, despite the already achieved advantages, in particular when it is necessary to bridge large distances between individual signaling devices and the control device. When controlling ski lifts, for example, there may be distances of several kilometers between a signaling device and the control device and in such cases it is desirable to use already existing lines, although there are generally not sufficient line cores available for an implementation according to DE 10 2004 020 997 A1.
DE 199 11 698 A1 discloses another safety circuit arrangement with a control device and a plurality of signaling devices, which are connected in series with one another to the control device. Each signaling device has a normally-closed contact and is coupled to a code signal generator, which supplies a characteristic code signal to the control device when the contact has been opened. For the practical implementation, at least three line cores are required. Nevertheless, a cross-connection between the line at the enable signal output of the control device and the line at the enable signal input of the control device cannot readily be detected, with the result that further redundant signal lines may be required for a higher safety category.
DE 100 11 211 A1 discloses a further safety circuit arrangement with signaling devices and a failsafe control device. The signaling devices are connected to the control device either in single-channel fashion via one connecting line or in two-channel fashion via two redundant connecting lines. The single-channel connection does not per se provide any failsafety and is only proposed for a start button, which in such cases is typically arranged close to the hazardous installation. In one exemplary embodiment, two different clock signals are fed from the failsafe control device, via redundant contacts of an emergency stop button, back to the control device as enable signals.
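The following is an added illustrative model, not the circuit of any document cited above or of the present invention, showing why the redundant enable-signal loop of DE 10 2004 020 997 A1 and the distinct clock signals of DE 100 11 211 A1 matter for the cross-connection problem noted for DE 199 11 698 A1: with a static enable level, a short between the lines of the two channels can mask an opened contact, whereas two different clock patterns expose it; a short between a channel's own output and input line bypasses the contacts under both schemes. The fault names, pattern values and contact chains are constructed for this model.

```python
# Constructed model (not the circuit of any document cited above) of a two-channel
# safety loop: the controller drives a test pattern on each channel's output line;
# the pattern passes through the series-connected normally-closed contacts of the
# signaling devices and returns on that channel's input line.

# Signal on each output line per time slot. STATIC: plain enable level on both channels.
# DYNAMIC: two different clock patterns, pulsing in different slots.
STATIC = {1: (1, 1, 1, 1, 1, 1), 2: (1, 1, 1, 1, 1, 1)}
DYNAMIC = {1: (1, 0, 1, 1, 0, 1), 2: (1, 1, 0, 1, 1, 0)}

def loop_input(channel, contacts, faults, patterns):
    """Signal seen at the controller's input line of `channel`.

    contacts: {channel: [bool, ...]} closed (True) / open (False) state of each
              signaling device contact in that channel's series chain.
    faults:   set of wiring faults (names assumed for this model):
              'cross_1to2' - channel 1 output line shorted to channel 2 input line
              'bypass_1'   - channel 1 output line shorted to its own input line
    """
    slots = len(patterns[channel])
    # Only a fully closed chain passes the channel's own pattern; otherwise the
    # input line stays at 0 (open circuit).
    seen = list(patterns[channel] if all(contacts[channel]) else (0,) * slots)
    # A short from another output line superimposes that line's signal (wired-OR).
    if channel == 2 and 'cross_1to2' in faults:
        seen = [a | b for a, b in zip(seen, patterns[1])]
    # A short from the channel's own output bypasses every contact in its chain.
    if channel == 1 and 'bypass_1' in faults:
        seen = [a | b for a, b in zip(seen, patterns[1])]
    return tuple(seen)

def evaluate(contacts, faults=frozenset(), patterns=DYNAMIC):
    """'RUN' only if every channel reads back exactly the pattern it sent, else 'STOP'."""
    for ch in patterns:
        if loop_input(ch, contacts, faults, patterns) != patterns[ch]:
            return 'STOP'
    return 'RUN'

if __name__ == '__main__':
    closed = {1: [True, True], 2: [True, True]}
    opened = {1: [True, True], 2: [False, True]}   # one contact on channel 2 opened
    for name, pat in (('static', STATIC), ('dynamic', DYNAMIC)):
        print(name, 'healthy:', evaluate(closed, patterns=pat))
        print(name, 'contact open + cross-connection:', evaluate(opened, {'cross_1to2'}, pat))
```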
DE 102 16 226 A1 discloses a safety circuit arrangement with a plurality of signaling devices and control devices, with the control devices being connected in series so as to form a hierarchical control system with different disconnection groups. In exemplary embodiments, the control devices are coupled via a single-channel connecting line, via which a switching signal with a static signal component and a dynamic signal component relative to a defined potential is transmitted. The embodiment further requires a common ground for the connected control devices. Moreover, each connected control device requires an operating voltage, which likewise needs to be supplied so that the actual number of lines is even higher.
DE 103 48 884 A1 discloses a signaling device with an actuating element, which can be moved between a first position and at least one second position. A detector element for detecting the position of the actuating element comprises a transponder with individual transponder identification and a read unit for the transponder identification. The signaling device has a signal input for supplying a test signal, with the aid of which the reading of the transponder identification can be suppressed for test purposes. In addition, connections for a supply voltage, ground and a signal output are required, via which the signaling device can transmit the information from the detector elements to a failsafe control device. In order to connect the signaling device to a control device, therefore, at least four lines are required in total.
A further signaling device is known from DE 100 23 199 A1. In a rest position of the signaling device, a switching element is open. In a specific actuating position, the switching element is closed. Details relating to the connection of the signaling device to a failsafe control device are not described.
In addition, a field bus system called ASI (Actuator-Sensor-Interface) bus is known to those skilled in the art, which can be implemented with a special two-core cable and is used for interconnecting sensors and actuators at the field level of an automated installation. An ASI bus master in this case transmits requests to the sensors connected to the ASI bus at repeated time intervals. Said sensors then transmit their sensor state to the ASI bus master. This system requires only two line cores. However, specific interface modules which are capable of implementing the bus protocol are required. For a safety circuit arrangement of the type mentioned at the outset, both the control device and the signaling device need to have an ASI bus-compatible interface module, which is too complex and expensive for some applications.
Finally, DE 43 33 358 A1 discloses an unsafe circuit arrangement, wherein both an operating voltage and a control signal are transmitted from a control device to a solenoid valve, i.e. to an actuator, via a two-core connecting line.