The invention relates to a safety disconnect system of the type which has multiple disconnect levels.
Every technical device having a power supply which results in a risk of injury while fulfilling its operational object must be capable of being transferred into a safer state as quickly as possible, using an emergency switching device. The risk of injury can occur directly or indirectly as a risk for the personnel involved with the technical device, or for other parties. Emergency switching devices can accordingly be designed differently, specifically such that they must be operated deliberately by the personnel at risk themselves or by other parties. For example, emergency switching devices can be in the form of mushroom-headed buttons, panic switches, or emergency-off switches. Alternatively, emergency switching devices can be configured such that they are operated automatically in the event of danger by the resulting body movement of the person at risk. For example, such emergency switching devices can be in the form of emergency pull cords, light barriers and the like, or of monitoring elements of the machines themselves, such as overpressure valves and/or speed-monitoring devices.
Thus, each of the machines is allocated one dedicated disconnect circuit on which at least the emergency switching device can act such that the machine is immediately disconnected. In this context, the term "dedicated disconnect circuit" is intended to mean any type of machine-internal controller which can be acted on manually from the exterior, or by remote control, in order to disconnect the machine. Such a disconnection must at least cause the machine or its dangerous parts to be stopped. As soon as this has been effected, the power supply to its drive must be interrupted. In accordance with international safety guidelines, this has to be done by positively-guided mechanical contacts. The influence of the disconnect circuit allocated to each machine is limited to the associated machine itself at the machine disconnect level. Adjacent machines are stopped when necessary, but not disconnected.
The simultaneous disconnection of adjacent or other machines is carried out at the area disconnect level. At this level, groups of physically or technically associated machines can be isolated from the power supply immediately, or machines or groups of physically or technically associated machines can be electrically stopped (braked) and subsequently isolated from the power supply. The term "associated machines" in this case means machines in an installation which are designed to interact. For this purpose, in the prior art, the machine disconnect level and the area disconnect level which is hierarchically superior thereto are hardwired in a customer-specific manner. At the machine disconnect level, every machine has already been provided with its own dedicated disconnect circuit by its manufacturer.
Until now, there has been no standard for groups of such machines which allows them to be combined at the area disconnect level. New hardwiring is necessary on each occasion for this purpose. Such hardwiring must be produced on site and must be specially accepted, after being completed, by the safety officer, the authorities or the like.
In order to make it possible to easily disconnect not only machines or machine parts in the event of danger, but groups of the machines or machine parts which form a common danger area as a result of physical or technical association, the common danger area must initially be determined by means of a danger analysis. Subsequently, all the machines or the machine parts which form part of the area in an installation are combined to form a disconnect group, by means of hardwiring which must be specially made. Within the groups, there are in turn machines which must be disconnected immediately and machines which are connected to rotating masses and must be disconnected with a delay after braking. This further complicates the wiring.
A further disadvantage of prior art arrangements is that it is also necessary to modify the entire wiring in the event of any modification of the machine installation, for example resulting from the addition of extra machines. Furthermore, in the prior art arrangements this wiring is naturally very costly since dozens of emergency switching devices or emergency-off buttons, which are distributed in a machine installation, must be connected in series in accordance with the safety regulations in order that all the associated machines in a group are switched such that they are isolated from the voltage in the event of one emergency switching device or one emergency-off button being operated. The regulations demand positively-guided mechanical contacts for this isolation from voltage.
Additionally, in the prior art in the industrial area in a machine installation, separate control, monitoring and power lines are allocated to every machine, for reliable monitoring and control. This results in complicated cabling, which is difficult to maintain and is difficult to repair in the event of a defect. It is known (for example, from DE 37 06 325 C2) for the individual installation parts to be connected in parallel to a bus and for connection modules to be allocated to the individual installation parts for this purpose, with a host computer transmitting addressed telegrams via the bus to the individual connection modules. Examples of such installations are crane installations, production lines, rolling mills, production lines for further processing of printed products, etc. In such an arrangement, the individual connection modules can be changed into the emergency-stopping state from the exterior by means of the host computer, by means of the individual connection modules themselves or, for example, by means of emergency switches as well, by causing switching contactors of motors, transportation devices etc. to trip. Every input circuit of the connection modules, including the bus connection, is for this purpose passed via voltage-resistant optocouplers. Furthermore, leakage paths and air gaps are maintained in the connection modules, in accordance with the respective regulations. In the case of this known control and data network, the combination of the connection modules into groups is, however, in any event carried out in software terms in the host computer. Thus, to this extent, it is not possible to conform with the requirement that the safety disconnection of a group be carried out completely via positively-guided mechanical contacts.
Control systems for fully automated printing machines are known from the German magazine "Der Polygraph" [The Polygraph], 17/1986, pages 16144-16150. In such control systems, a control installation is split into three levels, a production management level as the superior level, a management status level as the group management level of individual machine controllers, and the controller level, with the machine controller at the individual management level. Such a control installation would also not be directly suitable for safety disconnection, since the production units are coordinated via programmable controllers while the safety requirements demand positively-guided mechanical contacts. A safety disconnect system by means of individual hard wiring would therefore also have to be integrated into such a control installation. Such an arrangement would have the disadvantages described above.
Admittedly, the use of programmable control technology leads to the achievement of the maximum operating safety as a result of contact-free technology (cf. CH prospectus: WIFAG, Das zukunftsorientierte Steuerungssystem [The future-oriented control system], 3/86, pages 1-12, especially page 3). This, however, leads to further difficulties in the construction of a safety disconnect system which is fundamentally required, since, as mentioned, the safety regulations demand positively-guided mechanical contacts.
Admittedly, efforts have already been made to provide safety circuits in order to increase the operating safety in large rolling-mill installations (cf. BBC-Nachrichten [BBC News], Issue 2/3, Year 58, 1976, pages 92-97, especially page 95). However, only emergency-off switching loops using active-n technology, automatic stopping circuit breakers and position controllers of 2-channel design having non-equivalence monitoring, as well as 3-channel speed control having two out-of-three monitoring for a roll-stand drive having three motors are cited as exemplary uses of this. Further, it is proposed that, in the event of the power of a drive being split between a plurality of individually supplied motors, the control loops and regulation loops be linked to one another at an acceptable additional cost. Thus, in the event of one supply failing, the non-defective part of the drive can continue to operate temporarily at an increased load, or the installation can be stopped, at least in a manner such that it is still controlled. The problems which are caused by individually designed and hardwired safety disconnect systems and, in particular, in the event of modifications being carried out in the machine installation which is provided with the safety disconnect system are not dealt with in this case and can also not be solved using the measures specified.
Additionally, it is known (for example, from DE 39 00 733 C2) for a leakage and rotational-movement monitoring device to be designed such that overall monitoring which builds on the basic apparatus and is capable of expansion is possible with normal or enhanced safety without having to specify individual machine manufacturers. At the same time, the device is designed for individual leakage and rotational-movement monitoring devices to be connected mechanically in series so that every monitoring measurement system of every monitoring unit is able to trip the power supply unit and to stop the machine overall. However, for this purpose, in addition to a basic apparatus which comprises a power supply unit and a monitoring unit, a number of monitoring units corresponding to the complexity of the machine must be added per machine or machine installation to be monitored. Thus, the otherwise necessary wiring cost is in this case replaced by a cost for monitoring units.
Therefore, it is an object of the present invention to improve a safety disconnect system of the type specified which has multiple disconnect levels such that areas which comprise machines or groups of associated machines can be combined while conforming to the safety requirements or, in their structure, can be modified or supplemented and disconnected, in a simple manner and with a very low wiring cost.