1. Field of the Invention
The invention relates to a controller for the safety power line of a heat engineering installation as more particularly described herein.
2. The Prior Art
For heat engineering installations, in particular plants for generating steam or hot water, it is desired to operate such installations automatically, i.e. without the continuous presence of operating and supervisory personnel. According to the current regulations, e.g. “Technische Regel für Dampfkessel” (“TRD” 604) [Technical Regulation for Steam Boilers], an operation without continuous supervision requires special devices that reliably prevent dangerous operating conditions from occurring.
For example, fill level limiting devices, which switch off the heating system of the boiler if the fill level falls below a lower limit value, are required in order to prevent overheating of the steam boiler to a degree endangering the safety of the installation. For this purpose, fill level sensors monitor the fill level of the steam boiler for values falling below the limit value. Controllers are connected to the fill level sensors. On the output side, the controllers have two safety relays connected in series. The safety relays are arranged in the safety power line of the heating system of the steam boiler. As long as the lower limit value is exceeded, the controller switches the two safety relays to passage. The safety power line is thus closed and the heating of the steam boiler is released. However, if the value falls below the lower limit value of the fill level, the fill level sensor supplies the controller with another, different signal, whereupon the controller reverses the safety relays and in this way breaks the safety power line. The heating of the steam boiler is then interrupted.
The same type of safety requirement, namely that the safety power line has to be interrupted when a preset limit value is reached, may have to be satisfied also for other physical operating parameters of heat engineering plants. For example, such physical operating parameters include the maximally permissible fill level, the maximally permissible operating pressure, the maximally permissible operating temperature, or the maximally permissible electrical conductivity of the liquid of the boiler.
The safety devices employed for meeting the requirements have to be fail-safe. Sensors and controllers have to be designed for this purpose in the form of self-monitoring equipment. The mechanical part of the sensors as well as the electrical part of the sensors and the switching devices therefore have to be automatically tested at preset time intervals for their functionality. If such tests find that a malfunction exists, the safety power line will become interrupted and thus, for example, the heating system of the steam boiler will shut down. So as to assure that the safety relays employed are fail-safe, their mechanical useful life is therefore expected to satisfy very high requirements, for example 300,000 switching operations.
During a normal operation without malfunctions, the safety relays remain for a very long time in one and the same position. Under certain circumstances, this may cause the contacts of the safety relays to fuse with each other in position. If a malfunction were to occur, the safety relay so affected would not break the safety power line in spite of the corresponding setting signal of the controller. Since two safety relays are connected in series, such a malfunction of one of the relays would not pose a safety risk. However, the malfunction would remain undetected. If the same defect, however, were to occur also in the second safety relay, this would lead to a critical operating condition.
The invention is concerned with the problem of providing a controller of the type specified above whose safety relays are monitored for safety-relevant operating parameters.
The problem is solved according to the invention by a controller wherein a shunt line is connected in parallel with a first safety relay which connects the safety power line of a heat engineering installation upstream of the first safety relay with a connecting line between two series-connected safety relays for the connection of the safety power line. A shunt line is connected in parallel with the second safety relay which connects the safety power line downstream of the second safety relay with the connecting line between the two safety relays. Test switching elements are provided in the shunt lines which break the shunt lines outside of the scheduled test times. The safety relays are designed in the form of changing relays or change-over switching devices with an idle position and an operating position. Each safety relay has an idle contact, an operating contact, and a base contact, whereby the base contact and the idle contact are electrically connected to each other in the idle position, and the base contact and the operating contact are electrically connected to each other in the operating position.
The controlling device has test means for testing the switching capability of the safety relays at preset test times, wherein the shunt line associated in each case with the safety relay to be tested is closed by way of the test switching elements; the safety relay is reversed to the idle position; the electrical voltage is monitored on the idle contact of the tested safety relay; and an error signal is issued if voltage is missing on the idle contact.
The switching capability of the safety relays is tested by the controller at preset time intervals. The controller tests whether the safety relays, when receiving the corresponding setting signals, reverse from their operating position closing the safety power line, to the idle position breaking the safety power line. The safety power line is in fact interrupted when needed only if this has been safely ascertained. The electrical voltage on the idle contact of the safety relay to be tested supplies information as to whether the safety relay has assumed the idle position. Any non-reversing, and thus a malfunction, is detected and can be eliminated. Since the shunt line of the safety relay to be tested is closed during the test, the safety power line remains closed during this time. The operation of the plant is therefore not interrupted during the test.
Further developments of the invention are discussed below.
If the operating parameter to be monitored reaches its preset limit value, the safety relays are reversed and thereby assume their idle position. In one embodiment, the safety relays are connected to each other at their base contacts, whereas the safety power line is connected to the operating contacts. With these features, no electrically conducting connection then exists between their idle contacts and the safety power line. A reliable interruption of the safety power line is thus assured. No special requirements during the test need be satisfied in monitoring the voltages on the idle contacts of the safety relays.
In another embodiment, two test switching elements are connected in series. The first test switching element is connected to the connecting line of the two safety relays via a common line part of the shunt lines. The second test switching element is designed as a changing relay or change-over switching device and selectively makes a connection between the first test switching element and the shunt line leading to upstream of the first safety relay, or between the first test switching element and the other shunt line leading to downstream of the second safety relay.
This shunt line design ensures that only one of the two shunt lines can be closed, whereas the other line is interrupted. If both safety relays are in the idle position, the safety power line is reliably interrupted. The position of the test switching elements is unimportant in this connection. Errors occurring in connection with the control of the test switching elements, for example due to a defect in the controller, cannot impair the interruption.
In another embodiment, first and second test relays are designed as changing relays or change-over switching devices with an idle position and an operating position and serve as test switching elements. Each test relay has an idle contact, an operating contact and a base contact, whereby the base contact and the idle contact are electrically connected to each other in the idle position, whereas the base contact and the operating contact are electrically connected to each other in the operating position. This arrangement offers the advantage that identical structural components can be used for the safety relays and the test switching elements, which makes it possible to reduce the variety of the components. Structurally simple, commercially available relays can be employed. No special relays are required, for example of the type with additional, forcibly guided safety contacts.
The position of the test relay connected to the connection line of both safety relays is determined with the help of an embodiment in which one test relay is connected with its base contact and its operating contact to the common part of the shunt lines.
During the test of the safety relays, the controlling device first reverses the one test relay from the idle position to the operating position, and monitors the electrical voltage on its idle contact, and issues an error signal if voltage is present.
Any error of the test relay that breaks the shunt lines or switches the lines to passage, is detected. The safety relays are tested when the associated shunt line is switched to passage. This prevents any unintentional breaking of the safety power line during the course of the test.
In another embodiment, upon completion of the test, the controlling device reverses one test relay from the operating position to the idle position. The electrical voltage is monitored on the idle contact of this test relay, and an error signal is issued if voltage is missing. This arrangement increases the fail-safe quality of the controller by testing whether the shunt line is interrupted after testing the safety relays.
In another embodiment, the idle contact of the other test relay is connected to the shunt line leading to upstream of the first safety relay and its operating contact is connected to the shunt line leading to downstream of the second safety relay, whereas its base contact is connected to the first test relay. This particularly advantageous arrangement of the other test relay serves for reversing from the one shunt line to the other.
The safety power line has to be alive for monitoring the position of the safety relays and of the first test switching element via its idle contacts. In another embodiment, in the test of the safety relays, the controlling device monitors the electrical voltage of the safety power line and carries out the test if voltage is present and temporarily suspends the test if voltage is missing. With these features, incorrect position signals are prevented, and the fail-safe quality of the controller is increased. In another embodiment, the voltage of the line part connecting the two test relays is monitored, which is especially advantageous.
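The test sequence described above can be followed in a small simulation. This is an added example, not code or a circuit from the patent: the boolean circuit model, the assumption that the first test relay's base contact sits on the connecting-line side, and all names (`plant`, `drive`, `test_safety_relay`, the error codes) are hypothetical.

```c
#include <stdbool.h>

/* Constructed model: each change-over relay is idle (false) or operating (true). */
enum { K1, K2, T1, T2, NRELAY };   /* two safety relays, two test relays */
enum result { TEST_OK, TEST_SUSPENDED, ERR_SHUNT_OPEN, ERR_RELAY_STUCK, ERR_SHUNT_CLOSED };
struct plant { bool supply; bool pos[NRELAY]; bool welded[NRELAY]; };

/* A relay with fused contacts ignores its setting signal. */
static void drive(struct plant *p, int r, bool operating) {
    if (!p->welded[r]) p->pos[r] = operating;
}
/* Connecting line between K1 and K2: fed through K1 or through the upstream shunt. */
static bool mid_live(const struct plant *p) {
    return p->supply && (p->pos[K1] || (p->pos[T1] && !p->pos[T2]));
}
/* Downstream side of the safety power line: fed through K2 or the downstream shunt. */
bool line_closed(const struct plant *p) {
    return mid_live(p) && (p->pos[K2] || (p->pos[T1] && p->pos[T2]));
}
/* Voltage sensor on the idle contact of K1, K2 or T1 (base assumed on the connecting line). */
static bool idle_voltage(const struct plant *p, int r) {
    return !p->pos[r] && mid_live(p);
}

/* Test the switching capability of safety relay k (K1 or K2); *held reports
   whether the safety power line stayed closed while k was reversed. */
enum result test_safety_relay(struct plant *p, int k, bool *held) {
    enum result res = TEST_OK;
    *held = line_closed(p);
    if (!p->supply) return TEST_SUSPENDED;   /* line not alive: suspend the test */
    drive(p, T2, k == K2);                   /* select the shunt belonging to k */
    drive(p, T1, true);                      /* close the selected shunt */
    if (idle_voltage(p, T1)) { res = ERR_SHUNT_OPEN; goto restore; }
    drive(p, k, false);                      /* reverse the tested relay to idle */
    *held = line_closed(p);
    if (!idle_voltage(p, k)) res = ERR_RELAY_STUCK;   /* no voltage on idle contact */
    drive(p, k, true);
restore:
    drive(p, T1, false);                     /* break the shunt after the test */
    if (res == TEST_OK && !idle_voltage(p, T1)) res = ERR_SHUNT_CLOSED;
    return res;
}
/* Normal operation: both safety relays operating, both test relays idle. */
struct plant plant_normal(void) {
    return (struct plant){ .supply = true, .pos = { true, true, false, false } };
}
int main(void) {                             /* a welded K1 must be reported */
    struct plant p = plant_normal(); bool held; p.welded[K1] = true;
    return test_safety_relay(&p, K1, &held) == ERR_RELAY_STUCK ? 0 : 1;
}
```

In this model a welded K1 passes unnoticed when only K2 is tested, which is the hidden single fault that the series connection masks and the per-relay test exposes.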
As a rule, a substantial difference exists between the electrical voltage of the safety power line and the electrical voltage of the controller, at least within the operational range in which the controller carries out the control and test functions (example: safety power line 230 volts; controller 5 volts). Decoupling and thus safe electrical separation between the safety power line and the control and test range of the controller is accomplished in a simple way with the help of opto-coupling elements as voltage sensors supplying a lower signal voltage suitable for the controller if voltage is present. The opto-coupling elements may be provided for monitoring the voltage of the safety power line or for monitoring the voltage on the idle contacts of the safety relays and of the first test relay.
In another embodiment, each safety relay has an electromechanical drive and a preset response time. Switching amplifiers whose response and action time amounts to a fraction of the response time of the safety relays are provided for controlling the current supply of the drives. The controlling device has a test means testing the electrical control of the safety relays, for which test the switching amplifier of the drive of the safety relay to be tested is reversed at preset test times, and the change in voltage on the drive is monitored. The switching amplifier is reversed again upon expiration of a preset test duration, and an error signal is issued if the change in voltage is inadequate within the duration of the test, whereby the tests last a fraction of the response time of the safety relay.
Testing of the electrical control of the safety relays is the object of this arrangement. What is tested is whether the drives of the safety relays can be switched to the de-energized state. This takes place without having to reverse the safety relays, and break the safety power line for this purpose.
Another embodiment has the feature that the drives of the safety relays are connected to a voltage source with a preset voltage, on the one hand, and to a base potential on the other. A transistor is provided in connection with the base potential as the switching amplifier, the transistor being controlled by the controlling device. During the test, the transistor breaks the connection of the drive to the base potential and the rise in voltage is monitored on the drive, whereby an inadequate rise in the voltage within the duration of the test effects an error signal. A very brief test is made possible by this embodiment which is highly advantageous.
The control and test functions of the controller can be realized in a particularly advantageous manner according to an embodiment where the controlling device has a microprocessor serving as the test means for carrying out the test and for controlling purposes.