The present invention relates to signaling or sensor devices for safety circuits, and in particular to mechanically operated signaling devices such as emergency off pushbuttons, guard door switches, positional switches and the like. Moreover, the invention relates to safety arrangements using such signaling devices for safely turning off hazardous installations, such as automatically operated machines, in case of dangerous situations. In addition, the invention relates to safety circuits or safety arrangements comprising a plurality of such signaling or sensor devices.
The operating cycles of modern technical installations, such as machine tools, industrial production installations and assembly lines, transport and conveyor installations, and entertainment installations like roller coasters and the like, are increasingly controlled fully automatically. An operational controller receives setpoint and process variables for the installation and uses a prescribed control program to form control signals therefrom which operate actuators in the installation. Besides control of the intended operating cycle, safety aspects, i.e. the avoidance of risk to people who are in the area of the installation, are receiving increasing attention. By way of example, installations which perform automated movements are today normally safeguarded by safety fences, light barriers, foot mats and the like. It is also common practice to equip technical installations with emergency off pushbuttons which, when operated, are supposed to trigger a shutdown of the installation (or at least part of it) or to put it into a safe state in some other way. Such safety-related signaling devices, which produce and provide state signals that are relevant purely for safeguarding the installation, are typically not evaluated using the “standard” operational control of the installation, but rather are supplied to a “safety controller” or in simpler cases to a “safety switching device”. For the sake of simplicity, the text below makes no further distinction between a complex safety controller and a simpler safety switching device, i.e. the term “safety controller” covers both simpler safety switching devices, as sold by the present applicant under the brand name PNOZ®, for example, and complex safety controllers, such as applicant's PLC based PSS®.
However, safety controllers differ from “standard” operational controllers because they are of an intrinsically failsafe design as a result of measures such as redundant signal processing channels, regular self-tests and the like. Although standard operational controllers might also have some fault recognition and fault avoidance measures to a certain extent, these are typically not sufficient to guarantee safe shutdown of the installation under all circumstances. To distinguish from “standard” controllers and “standard” signaling devices, the present invention relates to signaling devices, safety controllers and safety circuits which comply at least with category 3 of European Standard EN 954-1, preferably with the highest category 4, or similar safety requirements.
EP 1 363 306 A2 discloses a “safety switch”, i.e. a signaling device, for monitoring the position of safety fences, safety doors, machine cladding parts and similar safety devices. Such safety switches have a control element used to determine the opening or closing position of the safety door in a failsafe fashion. To date, such safety switches are usually of electromechanical design and the required function tests and fault monitoring operations, such as cross connection identification, are performed by or at least using the superordinate safety controller. Such safety switches therefore usually obtain approval on the basis of EN 954-1 or similar standards only in combination with the safety controller.
To allow a higher safety category for the safety switch itself, EP 1 363 306 A2 proposes to integrate safety logic into the safety switch, as is already known from light barriers, light curtains and other “intelligent” signaling devices. In the exemplary embodiments described, the proposed safety switches have two mutually redundant electronic switching elements which are actuated by a failsafe control part. The switching elements have an external enable signal looped through them which is ultimately supplied to the superordinate safety controller. The enable signal can therefore be suppressed by the control part, which signals to the safety controller that the monitored installation needs to be put into a safe state. The enable signal can also be looped through a plurality of safety switches connected in series with one another, so that each of these safety switches can suppress the enable signal.
Such a series circuit comprising signaling devices has long been implemented using electromechanical signaling devices, with the enable signal in these cases being produced by the safety controller and being looped back via the individual signaling devices' relay contacts connected in series.
The safety switch design described in EP 1 363 306 A2 allows rapid reaction by the superordinate safety controller, even if a relatively large number of signaling devices are connected in series with one another to the safety controller. On the other hand, looping through the enable signal limits the maximum spatial distribution of the signaling devices connected in series. Furthermore, from the point of view of the superordinate safety controller, the entire series is “dead” if one of the signaling devices suppresses the enable signal, whether on account of a change condition in the control element (opening the safety door or the like) or on account of an internally detected fault condition. The flexibility and performance of the safety switches described therefore do not go beyond what has already been possible for a long time with corresponding relay based signaling devices.