The present invention relates to a safety switching apparatus and method for safe disconnection of a load in an automated installation. More particularly, the invention relates to a safety switching apparatus and method for receiving and analog signals used for the control of the automated installation.
Automated installations have been increasingly used for many years. This relates to automated installations for the industrial production of goods as well as to automated installations for conveying people or goods, for example conveyor belts at airports or cable cars in skiing resorts. Automated installations are also being increasingly used in theme parks and for building automation. Safety aspects relating to the avoidance of damage or harm to people and objects are playing more and more an important role since, in principle, an automated installation represents a potential risk, either as a result of incorrect operation or as a result of a fault in the operating procedure of the installation. Typical measures for protection of automated installations include setting up protected areas by means of light barriers, light grids, guard fences, etc., and the provision of emergency-off switches which allow safe disconnection of the installation (or of a part of the installation). However, there are applications in which these measures are not suitable, for example when setting up a machine tool for a new production run. In this case, a machine operator has to check the correct supply and processing of a sample workpiece with the guard door open, and may need to intervene in the production process. Setting-up operations such as these are typically carried out at a reduced machine rotation speed, with maintaining the reduced rotation speed representing a safety-relevant process variable.
It is known for safety-relevant process variables such as these to be detected redundantly in order to ensure by means of a plausibility comparison that the process variable has been recorded correctly. A rotation speed sensor of appropriate redundant design is described, for example, in DE 199 37 737 A1. The use of redundant emergency-off switches, guard door switches or light barriers for safety reasons is also known.
These last-mentioned signaling appliances differ from rotation speed sensors and other sensors for recording analog process variables in that they produce only a two-value output signal (emergency-off switch pressed or not pressed, guard door open or closed, light barrier interrupted or not). With two-value signaling appliances such as these, it is possible that the safety-relevant output signal will not change over long time periods, for example because an emergency-off switch is not operated over a period of days or even months, and because a guard door is not opened over a period of hours or days. In order in these situations to ensure that the static signal state at the output of the two-value signaling appliance is not the consequence of a fault, for example the consequence of a line short after crushing of a cable, it is known for the output signals from two-value signaling appliances to have a clock signal applied to them (positive or forced dynamic behavior). A corresponding safety switching apparatus is described, for example, in DE 199 62 497 A1. In the case of the output signals from analog signaling appliances, such as from a rotation speed sensor, this problem does not exist, because the sensor output signal varies continuously. On the other hand, identification of one out of two possible signal states is not the issue here. Rather, the respective instantaneous value of the analog sensor signal is relevant.
When receiving a safety-relevant analog signal, it is therefore (also) necessary to ensure that the circuit components receiving the analog signal are operating correctly. This is particularly true when the analog signal is converted by an A/D converter to a digital signal, which is then supplied to a digital evaluation and control unit for evaluation. For these reasons, DE 100 35 174 A1 proposes to design the input circuit for receiving a single-channel analog signal with two redundant channels, with a test signal in each case being applied alternately to one of the channels, while the other channel is receiving the analog input signal. This makes it possible to identify functional faults in the input circuit of the safety switching apparatus at an early stage. Furthermore, the mutual testing of the redundant input channels allows continuous recording of the analog input signal. This solution has the disadvantage that it is highly complex, since two redundant input channels and a multiplexer for switching between the input signal and the test signal are required even to record a single-channel analog signal.
DE 100 37 737 A1 discloses a method and an apparatus for safe single-channel evaluation of analog sensor signals. This document proposes that two additional redundant signals be produced by addition and subtraction from the two redundant analog signals. The two analog input signals and the two redundant signals are then digitized and are transmitted to an evaluation and control unit. In one exemplary embodiment, they may be transmitted via a single-channel transmission line. This procedure has the disadvantage, however, that two redundant input signals are generally required, and the transmission of a single measured value requires repeated signal conversion (addition, subtraction and digitization).
DE 43 09 789 A1 proposes that a test signal generator be integrated in the analog sensor, in which case the test signal generator may be activated by a higher-level evaluation and control unit. This proposal has the disadvantage that no sensor signals are available while the input circuit of the safety switching apparatus is being checked. Furthermore, this proposal requires specific analog sensors with an integrated test signal generator.
DE 196 40 937 A1 proposes the testing of an A/D converter in the input circuit of a circuit for receiving an analog measurement signal by suppressing the analog measurement signal at times (by grounding it). This procedure again has the disadvantage that the analog input signal is not continuously available for evaluation.