This disclosure relates to a safety switching device for switching on and safely switching off an electrical load.
Safety switching devices are generally used in the industrial field to switch on and safely switch off electrically driven machines, such as a press or a milling machine. Safety switching devices are consequently devices that perform safety-related functions in control technology and reduce the risk of a threat by a machine to an acceptable level. Safety-related functions are, for example, emergency off/emergency stop functions, protective door functions or the standstill monitoring of a drive. In general, a safety switching device monitors a specific function, and by interconnecting it with further safety switching devices it is possible to ensure that an entire machine or installation is monitored.
Safety switching devices differ primarily in their technical design. DE 199 54 460 A1, for example, describes a classical safety switching device based on contact-based relay technology. In this case, one or multiple safety relays are used to switch off an electrical load in an emergency situation, for example by switching off the power to said electrical load. The control circuit of the safety relay is, for example, connected to a potential by an emergency off switch, and the working contacts are closed in normal operation. If the emergency off switch is actuated, the working contacts are opened. The working contacts of the relays, which are generally connected in series, can be used to control directly or indirectly a power supply to the monitored machine or installation.
In addition to the classical safety switching devices, safety switching devices that comprise an electronic evaluation system are increasingly being used. The electronic evaluation system can receive and evaluate input signals from different signal transmitters and can also be used to detect faults. On the output side, these safety switching devices comprise contact-based potential-free outputs, purely electronic semiconductor outputs or a combination of the two. A fully electronic safety switching device is disclosed, for example, in DE 100 11 211 B4.
Irrespective of their technical design, all safety switching devices must be designed in such a manner that, when wired correctly, neither a fault in the device nor an external fault caused by a sensor or actuator leads to a loss of the safety-related function. For this purpose, safety switching devices are generally designed with two redundant channels so that, despite a fault in one channel, the safety-related function can be safeguarded by the second channel. However, even with a two-channel structure, so-called common cause failures, which are faults resulting from a common cause, still occur. In classical safety switching devices it is possible, for example, that two relay contacts become welded and consequently both channels become ineffective. This would lead to a complete loss of the safety-related function.
One measure for minimizing the risk of common cause failures is to increase the redundancy. For example, safety switching devices are known that are embodied with three or more channels and in this way reduce the effects of common cause failures. Likewise, circuitry solutions are known that allow different loadings of the switching elements and thereby prevent a simultaneous failure. For instance, DE 199 54 460 A1 describes a safety switching device based on relay technology in which the redundant switching relays have different nominal switching capabilities. As a result of this construction, the relays switch at different points in time, and consequently, in the normal operating mode, at least one switching element is not switched under load. That switching element is therefore exposed to a different, in particular lower, loading, as a result of which the probability of a simultaneous failure can be reduced.
The above-mentioned approaches for reducing common cause failures are, however, generally expensive and associated with considerable outlay. In particular, the addition of further redundancy disproportionately increases the production costs in the case of simple safety switching devices. Furthermore, the further redundancy only reduces the probability of a common cause failure. It does not exclude such a failure.
It is known from the prior art to equip electrical devices with fuses that trip in the event of an overcurrent. Known overcurrent protection devices, also referred to as OCP (overcurrent protection), are fusible links, electrical fuses or electromechanical circuit breakers.
With respect to safety switching devices, an overcurrent protection device is known from DE 10 2013 101 050 A1. DE 10 2013 101 050 A1 discloses inter alia a power supply unit that in the event of an overcurrent short-circuits the power supply to a device having a ground connection. Such a circuit is generally also described as a “crowbar” circuit. The short circuit leads to a power increase in the power supply, as a result of which a fusible link that lies in series in the power supply trips and the power supply is disconnected. As a result, the safety switching device is physically separated from the power supply so that it can no longer pose a danger. However, such a “disconnection” of the power supply also means that all control over the safety switching device is lost. In particular, once the safety device has tripped, the safety switching device is no longer able to perform any diagnostic function. In other words, the safety switching device is no longer able to report its own failure to a higher-ranking controller, nor can a higher-ranking controller query the switching device directly for the reason for the failure. This is particularly problematic in a complex installation having a multiplicity of safety switching devices.
Further overcurrent protection devices that are based on an electromechanical principle are known, for example, in the automotive industry. For instance, DE 41 10 240 C1 and EP 0 725 412 A2 disclose safety devices for protecting a main current path in a motor vehicle. Here, too, a current path is monitored in order to detect an overcurrent, and in the event that a specific current strength is exceeded, the current path is physically cut by a separating element. Due to the high currents that occur when the main current path is short-circuited, it is proposed to provide, in addition to an electromechanical actuator, inter alia also a separating element that is provided with a detonator and can break a main current line rapidly and reliably. The separator and a corresponding sensor for determining the current in the main current path are provided as close to the battery of the vehicle as possible so that in the event of a fault the entire onboard power supply can preferably be disconnected. However, these protective devices also have the disadvantage that once the main current path has been disconnected, the safety device is itself no longer able to perform any diagnostic function.