German Patent Application No. 10 2006 001805 discloses a multichannel safety device with which a safety-related unit such as an industrial robot as a component of an automation system, or the entire system, can be run into a secured state. A safe state exists, for example, when the power supply of the industrial robot or the automation system is shut off or a safety door that blocks access to the industrial robot is locked. The safety device has a control unit controlled by a microprocessor and an additional, purely hardware-based control unit. The hardware-based unit is distinguished in that it is not controlled by a microprocessor, but uses a circuitry implementation, preferably a monoflop, as a switching or control unit. A modulated input signal is fed to both control units. The modulation signal indicates whether the microprocessor-controlled control unit is operating without errors. In particular, the modulation signal indicates whether the microprocessor is correctly executing safety-relevant programs or program components. A safety-relevant program can perform a diagnostic procedure, check the power supply of the control unit, query system parameters such as the contact positions of a relay driven by the control units, query the operating state of the hardware-based control unit cyclically, and so on. If the microprocessor is not executing safety-relevant programs or program components, which can be subprograms, as specified, the modulation signal remains in a static state that corresponds to a persistent high or low level. For example, the control unit outputs a high level as the modulation signal if a safety-relevant program is not launched. A low signal can be generated by the control unit as the modulation signal if a safety-relevant program is not terminated as specified. During proper operation, the microprocessor-controlled control unit generates a dynamic modulation signal as shown, for example, in FIG. 2.
Only if a dynamic signal is present at the hardware-based control unit is a switching device triggered in such a manner that a safety-related unit such as an industrial robot, an automation system or the like can be properly operated. If a static signal is present at the hardware-based control unit, the switching device is deactivated, so that the industrial robot can be run into a secured state. Thanks to the multichannel safety device, a safety-related unit can be run into a safe state even if the microprocessor-controlled control unit operates in a faulty manner. If a monoflop is used in the hardware-based control unit, the monoflop trigger time must not be longer than the specified safety shutdown time. The microprocessor-controlled control unit can recognize faults in the hardware-based control unit, because the transfer function of the hardware-based control unit, e.g., the transfer function of the monoflop, is known to it, and in addition, the input and output signals of the hardware-based control unit are fed to it. From the transfer function and the input signal of the hardware-based control unit, the microprocessor-controlled control unit can calculate the expected output signal of the hardware-based control unit and then compare this to the fed-back output signal. If the two signals do not match, the microprocessor-controlled control unit drives the switching unit in such a manner that the safety-related unit is run into the safe state.
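The two-channel scheme described above, as an added simulation that is not part of the patent application: a retriggerable monoflop models the hardware channel's transfer function, a static modulation signal lets its output fall so the switching device drops out, and the microprocessor channel cross-checks the fed-back output against the output it expects. Tick-based timing, the trigger time and the shutdown time are constructed assumptions.

```python
# Added illustration of the two-channel safety scheme, not the patent's own code.
# Time is simulated in ticks; both constants are assumed values.
TRIGGER_TIME = 20          # monoflop pulse width in ticks (assumed)
SAFETY_SHUTDOWN_TIME = 25  # permitted shutdown delay (assumed); >= TRIGGER_TIME


def modulation_signal(length, half_period=5):
    """Constructed modulation signal from the microprocessor channel: it toggles
    every half_period ticks while safety-relevant programs run as specified."""
    return [(t // half_period) % 2 for t in range(length)]


def monoflop_output(signal, trigger_time=TRIGGER_TIME):
    """Transfer function of the hardware channel: a retriggerable monoflop whose
    output is high for trigger_time ticks after each input edge. A static input
    produces no edges, so the output falls and the switching device drops out."""
    output, remaining, prev = [], 0, signal[0]
    for level in signal:
        if level != prev:        # edge on the modulation input retriggers
            remaining = trigger_time
        prev = level
        output.append(remaining > 0)
        remaining = max(remaining - 1, 0)
    return output


def safe_state_requested(hw_output):
    """Switching device follows the monoflop: a low output runs the unit to the safe state."""
    return not hw_output[-1]


def ticks_until_shutdown(signal, trigger_time=TRIGGER_TIME):
    """Ticks from the last input edge to the monoflop output falling, or None if
    the output never fell after it; this delay must not exceed SAFETY_SHUTDOWN_TIME."""
    edges = [t for t in range(1, len(signal)) if signal[t] != signal[t - 1]]
    output = monoflop_output(signal, trigger_time)
    falls = [t for t in range(1, len(output)) if output[t - 1] and not output[t]]
    if not edges or not falls or falls[-1] < edges[-1]:
        return None
    return falls[-1] - edges[-1]


def hardware_channel_faulty(signal, fed_back_output, trigger_time=TRIGGER_TIME):
    """Microprocessor cross-check: the expected output is computed from the known
    transfer function and the input it sent, then compared with the fed-back
    output. Any mismatch means the hardware channel is faulty -> safe state."""
    return monoflop_output(signal, trigger_time) != list(fed_back_output)
```

With a program that hangs after 30 ticks (a dynamic signal that then stays high), the output falls 20 ticks after the last edge, within the assumed 25-tick shutdown time; a fed-back output stuck high is caught by the cross-check.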
Automation systems generally comprise fieldbus systems, to which actuators and sensors, as well as higher-level or lower-level control and monitoring devices can be connected. An important requirement of such automation systems is that, particularly when a fault occurs, a faulty safety-related component, e.g., an actuator, or even the entire automation system, can be run into a secured state. To allow a safe shutdown of the automation system or a faulty actuator, it must be assured that a defined input signal that is intended to run the automation system into the safe state is always interpreted as a shutdown signal.
For systems and equipment that belong to a given safety category, multichannel monitoring systems are used, for example, which contain subsystems that operate independently of one another, each of which can run the system or individual devices into a secured state. The multichannel or redundantly constructed monitoring systems are further configured in such a manner that the subsystems can monitor the functionality of the respective other subsystem. The mutual monitoring is generally performed by a bidirectional exchange of status data. In the known multichannel monitoring systems, each subsystem has its own microprocessor, and each subsystem is able to run the system into a safe state.