+

US20030074608A1 - Security system - Google Patents

Security system Download PDF

Info

Publication number
US20030074608A1
US20030074608A1 US10/251,254 US25125402A US2003074608A1 US 20030074608 A1 US20030074608 A1 US 20030074608A1 US 25125402 A US25125402 A US 25125402A US 2003074608 A1 US2003074608 A1 US 2003074608A1
Authority
US
United States
Prior art keywords
control unit
output terminal
control
output
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/251,254
Inventor
Mats Linger
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US10/316,793 priority Critical patent/US7096380B2/en
Publication of US20030074608A1 publication Critical patent/US20030074608A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/1633Error detection by comparing the output of redundant processing systems using mutual exchange of the output between the redundant processing components
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems

Definitions

  • the object of the system is to enable safety functions in machinery, which i.a. comply with the requirement of the Machinery Directive 98/37/EG Appendix 1, 1.2.7—“A fault in the logic of the control circuit as well as damage to the control circuit must not lead to dangerous situations”.
  • the system shall also comply with harmonized standard EN 954-1, category 4.
  • Safety related components in the control system of category 4 shall be constructed so that:
  • the individual fault is detected at or before the next time the safety function is demanded, e.g. immediately, at start, at the end of a work cycle.
  • Category 4 implies that a random (stochastic) fault in the system should not lead to a safety function being left out, and the fault should be detected within one on-/off cycle for the safety function.
  • a fault corresponds to a particular safety function, e.g. an input or output
  • the output is disconnected for the actual safety function. Remaining outputs, which are not affected by the fault, continue to function.
  • European patent application EP 748 762 relates to a safety system for flow control, in which two processors are arranged which control the flow. Each processor runs its own programme, in the form of different “firmweare”, and controls its own relay. If one of the relays is not controlled in the correct way, the processor linked to that relay ceases its control.
  • the invention provides a programmable safety system intended to be used for safety functions in which a fault in one control circuit does not lead to non-occurrence of a safety function, which system comprises monitoring functions containing at least two control units, input terminals separately coupled to both the control units, whereby each control unit executes its own instruction set, and continuously compares a result from the execution with each other. At least one control unit can access the input and output terminal status of a second control unit and/or a number of flags and the control units are arranged to monitor the result of each executed instruction set and to control that the results of the executions are substantially the same.
  • the system according to the invention complies with the requirements of category 4 according to harmonized standard EN 954-1 or the requirement of the Machinery Directive 98/37/EG appendix 1, 1.2.7.
  • the input terminals are continuously read with a certain frequency, and a filter time is assumed such that a decision is made based on the majority of the three latest readings, i.e. two readings after a change.
  • Some of the input terminals have pull up or pull down resistors which are soft ware-controlled, so as to selectively be able to receive NPN- or PNP sensors.
  • the system comprises a charging generator where the output voltage is generated by a capacitor which is continuously charged and discharged by transistors.
  • the transistors are each controlled by a respective control unit and conduct alternately so that the capacitor is firstly charged by means of the first transistor opening to plus; thereafter a discharge occurs by means of the first transistor closing and the second transistor opens to zero volts.
  • the charging generator demands that the control units are active, which implies immediate interruption of the power supply to the output terminal if a control unit ceases to execute instructions in a correct way. To obtain a more even output voltage, two charging generators are coupled in parallel with each other.
  • each control unit controls its own relay via separate transistors and both the transistors are made of different technology. Moreover, the relays have forced contacts, monitored by the control units. Hence, a switching contact is coupled back to the control unit in each forced relay for controlling that it has fallen, and, if the control unit only receives an answer from one of the two relays duplicating each other, the unit tries to activate and fell the malfunctioning relay again.
  • the fall time is monitored at the output terminal, which can also be used for detecting an external short circuit to another foreign voltage.
  • the output terminal is prevented from resuming, and a fault is indicated.
  • the output terminals are dynamic, which operate input terminals to generate a unique pulse train, which implies that short circuits between channels coupled to different dynamic output terminals can be detected.
  • Every control unit in a network is identified by means of an identity carrier and the identifier is an externally mounted circuit which stores a unique number and constitutes a part of the electric installation/the location where the unit is physically mounted.
  • a unit is arranged to read the number of the identifier and thereby determine its own identity.
  • the correct identity is maintained in case of change of a unit.
  • the units are coupled together via a data bus and have access to the input-, output status and/or a number of flags of one another's.
  • the bus is preferably a CAN bus.
  • the system is connected to light barriers, of which the transmitters are operated by one dynamic output terminal each, that the receivers are coupled to one input terminal each, that the input terminals are provided with output transistors via which cables returning from the receiver to the input terminal have voltage applied thereto, whereby the system performs a test sequence with assistance therefrom which can distinguish a short circuit between the output terminal cables of the receivers from lighting.
  • the invention also relates to a method in a programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to failure of a safety function which system comprises monitored functions consisting of at least two control units, input terminals separately coupled to both the control units, whereby each control unit executes its own instruction set and continuously compares a result from the execution with one another.
  • the method comprises making accessible at least one input- and/or output terminal status of a control unit and/or a number of flags to another control unit and arranging the control units for monitoring the result of one instruction set each and to control that the results of the executions are substantially equivalent. Said result of the executions is provided in the form of status for input- and/or output terminals and/or a number of flags.
  • FIG. 1 schematically shows an embodiment of a system according to the invention
  • FIG. 2 schematically shows a so-called “charging pump” in the system according to the invention
  • FIG. 3 schematically shows a part of the system according to the invention
  • FIG. 4 schematically shows different types of output terminals in the system according to the invention
  • FIG. 5 schematically shows input terminals in the system according to the invention
  • FIG. 6 schematically shows different connection strips, in the system according to the invention.
  • FIG. 7 schematically shows a part of the system according to the invention.
  • FIGS. 8 and 9 schematically show different types of output terminals.
  • FIG. 1 schematically shows the system according to the invention. The various components in the system according to the invention are described in the following.
  • the input terminals are continuously read by a certain frequency.
  • the filter time is constituted by a decision being made based on the majority of the three latest readings, i.e. two readings after a change. There is a possibility to decrease or increase the filter time.
  • Some of the inputs have software-controlled pull-up or pull-down resistors in order to be able to selectively receive NPN- or PNP-sensors.
  • the charging pump is a construction in which the output voltage is generated by a capacitor which is continuously charged and discharged by two transistors.
  • the two transistors which are controlled by one processor each, alternately conduct so that the capacitor is firstly charged by means of the first transistor opening to plus. Thereafter, discharge occurs by means of the first transistor closing and the second transistor opening to zero volts.
  • the capacitor “sucks” current from the output terminal, and thereby the negative voltage on the output terminal occurs.
  • the charging pump Due to the fact that the charging pump demands that the processors are active, the charging pump operates as a so-called “watchdog”, which effectively immediately interrupts the energy supply to the output terminal if a processor stops executing the programme in the correct way.
  • two charging pumps can be coupled in parallel with each other. These two charging pumps work alternately, which implies that when the capacitor in one of the charging pumps is charged, the capacitor in the second charging pump is discharged. This construction is defined as a double charging pump.
  • Each processor controls one relay each via separate transistors.
  • the both transistors are made of different technology.
  • the relays have forced contacts and are monitored by the processors.
  • the software supervises the fall time of the relays.
  • the voltage is generated to the relay windings of a charging pump.
  • the processors have a further possibility to fell the relays, in addition to both the transistors controlling the relays directly.
  • a switching contact in each forced relay is coupled back to the processor for monitoring whether it has fallen. If the processor only receives a response from one of the two relays which duplicate each other, the processor tries to conduct and fell the malfunctioning relay again.
  • Temporary faults in the controlling circuit on account of oxide on the contacts or the like do not necessarily imply generation of an alarm and stoppage.
  • Each output terminal is operated by a double charging pump. Since the construction has diodes working as freewheel diodes and provide an extended fall time in case of inductive loads to the output terminal, the output terminal is complemented with an additional transistor in series with the output terminal. The transistor is monitored by an input terminal to one of the microprocessors. The transistor is controlled by the other processor.
  • the input terminal to the processor controlling the fall time can also be used for detecting an external short circuit to another foreign voltage.
  • the fall time supervision for any of the charging pump output terminals can be chosen. When the fall time supervision for an output terminal is released, the output terminal is prevented from returning and the fault is indicated.
  • Actuating the resetting button can reset the fault.
  • Actuating a resetting button can reset the fault.
  • the output terminals are intended for indication and as dynamic output terminals.
  • Dynamic output terminals are output terminals operating input terminals.
  • the three first output terminals IQ 10 -IQ 12 can be used as dynamic output terminals.
  • the dynamic output terminals yield a unique pulse train making it possible to detect short circuits between channels coupled to different dynamic output terminals.
  • the identifier is an externally mounted circuit storing a unique number and constitutes a part of the electric installation/the location where the unit is physically mounted.
  • a unit can read the number of the identifier and thereby determine its own identity. In case of change of a unit, the correct identity is maintained.
  • the identity of every unit is important in a network coupling for being able to number the I/O in the system.
  • the denomination denotes both in which unit there is an input terminal as well as the input terminal number of the input terminal within the unit.
  • the system also prevents mixing-up units with different programmes by means of the user programme being able to be locked to only work together with the correct identifier.
  • the units coupled to the bus obtain access to each other's input terminal status and output terminal status a number of flags.
  • the other units consider the I/O as logical zeroes.
  • the system can also cope with light barriers, where there are traditionally problems with interference from transmitters of other light barriers.
  • the transmitters of the light barriers are operated by one dynamic output terminal each.
  • the receivers are coupled to one output terminal each. Due to the fact that the input terminals are provided with output terminal transistors, it is possible to apply return voltage to the cable from the receiver to the input.
  • the system can, with assistance from this, perform a test sequence, which can distinguish short-circuiting between the output cables of the receivers from excess lighting. Excess lighting is defined as a transmitter of a light barrier system illuminating two receivers simultaneously.
  • the solution is based on a so called two processor solution, where both the processors should arrive at the same result when executing the application programme as well as having “the same opinion” regarding its input- and output terminal status. All the processors communicate with each other via the Can bus, also the sister processors between themselves. Hereinafter, the processor and the sister processor are called the processor A and the processor B, respectively.
  • Data for input and output terminals is stored in a RAM memory.
  • the part of the RAM memory in a processor handling the I/O is divided into two parts; one part for the input terminal status and one part for the output terminal status.
  • the input terminals are called I 0 . 0 . . . and so on upwards.
  • the first unit in a network handles the input terminals I 0 . 0 -I 0 . 17 , the second unit I 1 . 10 -I 1 . 17 , the third unit I 2 . 0 -I 2 . 17 and so on.
  • the RAM is divided into three parts for the input terminals:
  • Process data is data used by the application programme.
  • the division of the RAM is performed so that the address for the first input terminal in the three parts, respectively, is not an even multiple of 2. Thus, more than one bit alteration in the address word is required for pointing out IA 000 instead of IB 000 .
  • the working procedure for e.g. the processor A in the first unit is the following:
  • the processor reads the input terminals in the unit I 0 . 0 -I 0 . 17 of its own, and places the results in the memory addresses IA 000 -IA 017 , as well as sending it on the bus to remaining processors.
  • the processor continuously reads the input status of other processors from the bus, and places the data on the remaining part of IA. . . and EB. . .
  • Among the data comes data from the sister processor B, which is placed in IB 000 -IB 017 .
  • the memory areas IA. . . and IB. . . are compared, and if the content is similar, the content is copied to the memory area for the process data I 000 . . .
  • Discovered dissimilarities in the comparison lead to an alarm as well as the processor felling its own safety output terminals.
  • short duration dissimilarities are accepted, since it will occur on account of hard ware-like dissimilarities in the hardware of the both channels.
  • the output terminal status is handled in the same way as the input terminal status, the difference being that it is not the hardware which gives the change of status, but is instead the application programme which has made the decision that a certain output terminal is going high or low.
  • the application programme is the part of the software written by the user.
  • the invention is a programmable safety system intended to be used for safety functions, where it is not accepted that a fault in the control circuit leads to the safety function not being activated. To achieve this, the functions are therefore doubled and monitored.
  • the invention has two microprocessors. Every input terminal is separately coupled to both the processors, both having a memory of its own, executes one programme each and continuously compares the result with each another. Every safety output terminal is coupled to both the processors, and can therefore not work until these are in agreement that the conditions are fulfilled.
  • the invention is primarily constructed to comply with the requirement of the machinery directive for safety in control systems, and the requirements for category 4 according to harmonized standard EN 954-1. However, this does not prevent use within other areas such as processing industry, boiler plants etc, where the corresponding safety requirements are demanded.
  • the invention is accommodated in a wide enclosure, which has been fixedly snapped on a DIN-bar in a control panel or another enclosure. External conductors are connected on a screw connection block. For facilitating the work and preventing incorrect coupling in case of exchange of a unit, the connecting strips are detachable.
  • the system can be fed with 24 V DC.
  • the connection of the system for 0 V should be connected to protective ground, on one hand for electrical safety reasons, and on the other hand for detecting each faults which may otherwise disable the safety function (see EN 60 204-1, 9.1.4.).
  • the invention is provided with a varying offer of types of input- and output terminals, schematically shown in FIG. 4.
  • Each input terminal is connected to both processors, which permits coupling of safety functions of one channel as well as of two channels.
  • the input terminals can be operated by e.g. +24 V or any of the dynamic output terminals IQ 10 - 12 .
  • This category of 8 connecting strips contains 4 functions. Each connecting strip is connected to both processors as an input terminal and can thereby be used as a safety input terminal.
  • Each connecting strip also has an output transistor, which implies that the user can choose to configure the strips as output terminals, though not as safety output terminals.
  • the output terminals are intended for functions, which do not require redundancy, e.g. indicator lights, schematically shown in FIG. 7.
  • IQ 10 -IQ 12 can be configured as dynamic output terminals used for operating input terminals. Once an input terminal is configured as such, a unique pulse train is generated. Due to the fact that the input terminal is configured to only accept this pulse train as an input condition, the system can detect external short circuits. See further description.
  • IQ 16 -IQ 17 can monitor the output current when the connecting strips are used as output terminals.
  • the function is primarily intended for supervision of by-pass lamps (muting lamp) according to EN 61 496-1. In certain cases, it is appropriate to indicate that a safety arrangement is bypassed. By controlling that a current flows it is possible to supervise that the filament of the lamp is unbroken.
  • the voltage is generated to the relay windings by a charging pump. (For the function of the charging pump, see following description for transistor output terminals.)
  • the negative output voltage is due to the fact that the principle of the charging pump is applied.
  • the charging pump is a construction where the output voltage is generated by a capacitor which is continuously charged and discharged by two transistors. The two transistors alternately conduct so that the capacitor is firstly charged by means of one of the transistors opening to plus, which thereafter closes, and the second transistor opens to zero volt and is discharged. During the discharge phase, the capacitor “sucks” current from the output terminal, and the negative voltage on the output thereby occurs. Due to the fact that the construction requires all the components to work and continuously alternate the state in the correct phase, a fault in any of the involved components causes the generation of the output voltage to immediately stop.
  • An advantage of having negative voltage on the output terminal for a user is that this is not normally the voltage used in existing electric systems. Therefore the invention can discover external short circuits between the output terminal and foreign voltages, since the voltage level of the output terminal is monitored.
  • Several units can be coupled together with a CAN bus in a network.
  • the coupling is made by means of connecting the connecting strips CH and CL of each unit, respectively, via intertwined dual cabling. As soon as the coupling is performed, the units are able to read each other's I/O.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Programmable Controllers (AREA)
  • Safety Devices In Control Systems (AREA)
  • Burglar Alarm Systems (AREA)
  • Alarm Systems (AREA)

Abstract

The present invention relates to a programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to a safety function being disabled, which system comprises monitoring functions containing at least two control units, input terminals separately coupled to both control units, whereby each control unit executes its own instruction set and continuously compares a result from the execution with each other. At least one control unit can access the in and output terminal status of a second control unit and/or a number of flags, and the control units are arranged to monitor the result of respectively executed instruction sets and control that the results of the executions are substantially equivalent.

Description

    TECHNICAL FIELD OF THE INVENTION
  • The object of the system is to enable safety functions in machinery, which i.a. comply with the requirement of the Machinery Directive 98/37/EG [0001] Appendix 1, 1.2.7—“A fault in the logic of the control circuit as well as damage to the control circuit must not lead to dangerous situations”. The system shall also comply with harmonized standard EN 954-1, category 4.
    • BACKGROUND OF THE INVENTION
  • The requirement for [0002] category 4 is found under section 6.2.5 in the EM 954-1 regulations. The main requirement is:
  • Safety related components in the control system of [0003] category 4 shall be constructed so that:
  • an individual fault in any of these safety related components does not lead to loss of the safety function, and [0004]
  • the individual fault is detected at or before the next time the safety function is demanded, e.g. immediately, at start, at the end of a work cycle. [0005]
  • If this is not possible, accumulation of faults shall not lead to loss of the safety function. [0006] Category 4 implies that a random (stochastic) fault in the system should not lead to a safety function being left out, and the fault should be detected within one on-/off cycle for the safety function.
  • If the system can determine that a fault corresponds to a particular safety function, e.g. an input or output, the output is disconnected for the actual safety function. Remaining outputs, which are not affected by the fault, continue to function. [0007]
  • European patent application EP 748 762 relates to a safety system for flow control, in which two processors are arranged which control the flow. Each processor runs its own programme, in the form of different “firmweare”, and controls its own relay. If one of the relays is not controlled in the correct way, the processor linked to that relay ceases its control. [0008]
    • BRIEF DESCRIPTION OF THE INVENTION
  • For obtaining the objectives stated above, the invention provides a programmable safety system intended to be used for safety functions in which a fault in one control circuit does not lead to non-occurrence of a safety function, which system comprises monitoring functions containing at least two control units, input terminals separately coupled to both the control units, whereby each control unit executes its own instruction set, and continuously compares a result from the execution with each other. At least one control unit can access the input and output terminal status of a second control unit and/or a number of flags and the control units are arranged to monitor the result of each executed instruction set and to control that the results of the executions are substantially the same. [0009]
  • Thus, the system according to the invention complies with the requirements of [0010] category 4 according to harmonized standard EN 954-1 or the requirement of the Machinery Directive 98/37/EG appendix 1, 1.2.7.
  • Preferably, the input terminals are continuously read with a certain frequency, and a filter time is assumed such that a decision is made based on the majority of the three latest readings, i.e. two readings after a change. Some of the input terminals have pull up or pull down resistors which are soft ware-controlled, so as to selectively be able to receive NPN- or PNP sensors. [0011]
  • Moreover, the system comprises a charging generator where the output voltage is generated by a capacitor which is continuously charged and discharged by transistors. [0012]
  • The transistors are each controlled by a respective control unit and conduct alternately so that the capacitor is firstly charged by means of the first transistor opening to plus; thereafter a discharge occurs by means of the first transistor closing and the second transistor opens to zero volts. The charging generator demands that the control units are active, which implies immediate interruption of the power supply to the output terminal if a control unit ceases to execute instructions in a correct way. To obtain a more even output voltage, two charging generators are coupled in parallel with each other. [0013]
  • In a most preferred embodiment each control unit controls its own relay via separate transistors and both the transistors are made of different technology. Moreover, the relays have forced contacts, monitored by the control units. Hence, a switching contact is coupled back to the control unit in each forced relay for controlling that it has fallen, and, if the control unit only receives an answer from one of the two relays duplicating each other, the unit tries to activate and fell the malfunctioning relay again. [0014]
  • Preferably, the fall time is monitored at the output terminal, which can also be used for detecting an external short circuit to another foreign voltage. When the control detects a short circuit to a foreign voltage, the output terminal is prevented from resuming, and a fault is indicated. The output terminals are dynamic, which operate input terminals to generate a unique pulse train, which implies that short circuits between channels coupled to different dynamic output terminals can be detected. [0015]
  • Every control unit in a network is identified by means of an identity carrier and the identifier is an externally mounted circuit which stores a unique number and constitutes a part of the electric installation/the location where the unit is physically mounted. Thus, a unit is arranged to read the number of the identifier and thereby determine its own identity. Thus, the correct identity is maintained in case of change of a unit. [0016]
  • Preferably, the units are coupled together via a data bus and have access to the input-, output status and/or a number of flags of one another's. When a unit losses contact with the bus communication, other units consider its I/O as logic zeroes. The bus is preferably a CAN bus. [0017]
  • Moreover, the system is connected to light barriers, of which the transmitters are operated by one dynamic output terminal each, that the receivers are coupled to one input terminal each, that the input terminals are provided with output transistors via which cables returning from the receiver to the input terminal have voltage applied thereto, whereby the system performs a test sequence with assistance therefrom which can distinguish a short circuit between the output terminal cables of the receivers from lighting. [0018]
  • The invention also relates to a method in a programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to failure of a safety function which system comprises monitored functions consisting of at least two control units, input terminals separately coupled to both the control units, whereby each control unit executes its own instruction set and continuously compares a result from the execution with one another. The method comprises making accessible at least one input- and/or output terminal status of a control unit and/or a number of flags to another control unit and arranging the control units for monitoring the result of one instruction set each and to control that the results of the executions are substantially equivalent. Said result of the executions is provided in the form of status for input- and/or output terminals and/or a number of flags.[0019]
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • In the following, the invention will be further described in a non-limiting way with reference to the accompanying drawings in which: [0020]
  • FIG. 1 schematically shows an embodiment of a system according to the invention, [0021]
  • FIG. 2 schematically shows a so-called “charging pump” in the system according to the invention, [0022]
  • FIG. 3 schematically shows a part of the system according to the invention, [0023]
  • FIG. 4 schematically shows different types of output terminals in the system according to the invention, [0024]
  • FIG. 5 schematically shows input terminals in the system according to the invention, [0025]
  • FIG. 6 schematically shows different connection strips, in the system according to the invention, [0026]
  • FIG. 7 schematically shows a part of the system according to the invention, and [0027]
  • FIGS. 8 and 9 schematically show different types of output terminals.[0028]
    • DETAILED DESCRIPTION OF THE INVENTION
  • FIG. 1 schematically shows the system according to the invention. The various components in the system according to the invention are described in the following. [0029]
  • Input Terminals [0030]
  • All input terminals are redundant. A single input terminal provides stop according to [0031] category 4, EN 954-1.
  • The input terminals are continuously read by a certain frequency. The filter time is constituted by a decision being made based on the majority of the three latest readings, i.e. two readings after a change. There is a possibility to decrease or increase the filter time. [0032]
  • Some of the inputs have software-controlled pull-up or pull-down resistors in order to be able to selectively receive NPN- or PNP-sensors. [0033]
  • Charging Pump [0034]
  • “The charging pump”, schematically shown in FIG. 2, is a construction in which the output voltage is generated by a capacitor which is continuously charged and discharged by two transistors. The two transistors, which are controlled by one processor each, alternately conduct so that the capacitor is firstly charged by means of the first transistor opening to plus. Thereafter, discharge occurs by means of the first transistor closing and the second transistor opening to zero volts. During the discharge phase, the capacitor “sucks” current from the output terminal, and thereby the negative voltage on the output terminal occurs. [0035]
  • Due to the fact that the charging pump demands that the processors are active, the charging pump operates as a so-called “watchdog”, which effectively immediately interrupts the energy supply to the output terminal if a processor stops executing the programme in the correct way. [0036]
  • For obtaining a more regular output voltage, two charging pumps can be coupled in parallel with each other. These two charging pumps work alternately, which implies that when the capacitor in one of the charging pumps is charged, the capacitor in the second charging pump is discharged. This construction is defined as a double charging pump. [0037]
  • Relay Output Terminals [0038]
  • Each processor controls one relay each via separate transistors. For obtaining diversity, the both transistors are made of different technology. The relays have forced contacts and are monitored by the processors. [0039]
  • The software supervises the fall time of the relays. [0040]
  • For additional safety, the voltage is generated to the relay windings of a charging pump. In this manner, the processors have a further possibility to fell the relays, in addition to both the transistors controlling the relays directly. [0041]
  • A switching contact in each forced relay is coupled back to the processor for monitoring whether it has fallen. If the processor only receives a response from one of the two relays which duplicate each other, the processor tries to conduct and fell the malfunctioning relay again. Temporary faults in the controlling circuit on account of oxide on the contacts or the like do not necessarily imply generation of an alarm and stoppage. [0042]
  • Charging Pump Outlet Terminals [0043]
  • Each output terminal is operated by a double charging pump. Since the construction has diodes working as freewheel diodes and provide an extended fall time in case of inductive loads to the output terminal, the output terminal is complemented with an additional transistor in series with the output terminal. The transistor is monitored by an input terminal to one of the microprocessors. The transistor is controlled by the other processor. [0044]
  • The input terminal to the processor controlling the fall time can also be used for detecting an external short circuit to another foreign voltage. [0045]
  • Fall Time Supervision for Charging Pump Output Terminals [0046]
  • In the application program, the fall time supervision for any of the charging pump output terminals can be chosen. When the fall time supervision for an output terminal is released, the output terminal is prevented from returning and the fault is indicated. [0047]
  • Actuating the resetting button can reset the fault. [0048]
  • Short Circuit to a Foreign Voltage, Charging Pump Output Terminal [0049]
  • When the supervision detects short-circuit to a foreign voltage, the output terminal is prevented from returning and the fault is indicated. [0050]
  • Actuating a resetting button can reset the fault. [0051]
  • Transistor Output Terminals No Safety [0052]
  • The output terminals are intended for indication and as dynamic output terminals. Dynamic output terminals are output terminals operating input terminals. The three first output terminals IQ[0053] 10-IQ12 can be used as dynamic output terminals. The dynamic output terminals yield a unique pulse train making it possible to detect short circuits between channels coupled to different dynamic output terminals.
  • Two of the output terminals are monitored for current for complying with the requirement of supervision of indicator lamps for bypassing according to EN 61 496-1. [0054]
  • Identifiers [0055]
  • For identifying each unit in a network there is an identity carrier which is connected to a particular connecting strip. The identifier is an externally mounted circuit storing a unique number and constitutes a part of the electric installation/the location where the unit is physically mounted. A unit can read the number of the identifier and thereby determine its own identity. In case of change of a unit, the correct identity is maintained. The identity of every unit is important in a network coupling for being able to number the I/O in the system. When for instance an input terminal is used as a condition in the application programme, the denomination denotes both in which unit there is an input terminal as well as the input terminal number of the input terminal within the unit. [0056]
  • The system also prevents mixing-up units with different programmes by means of the user programme being able to be locked to only work together with the correct identifier. [0057]
  • CAN Bus External Communication [0058]
  • The units coupled to the bus obtain access to each other's input terminal status and output terminal status a number of flags. When a unit losses contact with the bus communication, the other units consider the I/O as logical zeroes. [0059]
  • Excess Light on Light Barriers [0060]
  • The system can also cope with light barriers, where there are traditionally problems with interference from transmitters of other light barriers. The transmitters of the light barriers are operated by one dynamic output terminal each. The receivers are coupled to one output terminal each. Due to the fact that the input terminals are provided with output terminal transistors, it is possible to apply return voltage to the cable from the receiver to the input. The system can, with assistance from this, perform a test sequence, which can distinguish short-circuiting between the output cables of the receivers from excess lighting. Excess lighting is defined as a transmitter of a light barrier system illuminating two receivers simultaneously. [0061]
  • Transmission of programmes between the target system (safety system) and the programme developing system occurs wirelessly via an opto link. [0062]
  • The Handling of Input Terminals and Output Terminals [0063]
  • The solution is based on a so called two processor solution, where both the processors should arrive at the same result when executing the application programme as well as having “the same opinion” regarding its input- and output terminal status. All the processors communicate with each other via the Can bus, also the sister processors between themselves. Hereinafter, the processor and the sister processor are called the processor A and the processor B, respectively. [0064]
  • Data for input and output terminals is stored in a RAM memory. The part of the RAM memory in a processor handling the I/O is divided into two parts; one part for the input terminal status and one part for the output terminal status. [0065]
  • The Handling of Input Terminals/Input Terminal Status [0066]
  • The input terminals are called I[0067] 0.0 . . . and so on upwards. The first unit in a network handles the input terminals I0.0-I0.17, the second unit I1.10-I1.17, the third unit I2.0-I2.17 and so on.
  • The RAM is divided into three parts for the input terminals: [0068]
  • IA[0069] 000. . .—data acquired by the A-processors,
  • IB[0070] 000. . .—data acquired by the B-processors and
  • one for process data I[0071] 000. . .
  • Process data is data used by the application programme. The division of the RAM is performed so that the address for the first input terminal in the three parts, respectively, is not an even multiple of 2. Thus, more than one bit alteration in the address word is required for pointing out IA[0072] 000 instead of IB000.
  • The working procedure for e.g. the processor A in the first unit is the following: [0073]
  • The processor reads the input terminals in the unit I[0074] 0.0-I0.17 of its own, and places the results in the memory addresses IA000-IA017, as well as sending it on the bus to remaining processors. The processor continuously reads the input status of other processors from the bus, and places the data on the remaining part of IA. . . and EB. . . Among the data comes data from the sister processor B, which is placed in IB000-IB017. Thereafter the memory areas IA. . . and IB. . . are compared, and if the content is similar, the content is copied to the memory area for the process data I000. . . Discovered dissimilarities in the comparison lead to an alarm as well as the processor felling its own safety output terminals. However, short duration dissimilarities are accepted, since it will occur on account of hard ware-like dissimilarities in the hardware of the both channels.
  • The Handling of Output Terminals/Output Terminal Status [0075]
  • The output terminal status is handled in the same way as the input terminal status, the difference being that it is not the hardware which gives the change of status, but is instead the application programme which has made the decision that a certain output terminal is going high or low. The application programme is the part of the software written by the user. [0076]
  • In a corresponding way as for the input terminal status, there are memory areas QA[0077] 000. . . , QB000 . . . , and Q000 for process data. . .The difference in computer processing is that each unit's process data is updated by the application programme of each processor, respectively. Thereafter the process data is copied to its location in QA. . ./QB. . . for comparison as well as being sent out on the bus.
  • The invention is a programmable safety system intended to be used for safety functions, where it is not accepted that a fault in the control circuit leads to the safety function not being activated. To achieve this, the functions are therefore doubled and monitored. In comparison to a conventional PLC-system, consequently, the invention has two microprocessors. Every input terminal is separately coupled to both the processors, both having a memory of its own, executes one programme each and continuously compares the result with each another. Every safety output terminal is coupled to both the processors, and can therefore not work until these are in agreement that the conditions are fulfilled. [0078]
  • The invention is primarily constructed to comply with the requirement of the machinery directive for safety in control systems, and the requirements for [0079] category 4 according to harmonized standard EN 954-1. However, this does not prevent use within other areas such as processing industry, boiler plants etc, where the corresponding safety requirements are demanded.
  • The invention is accommodated in a wide enclosure, which has been fixedly snapped on a DIN-bar in a control panel or another enclosure. External conductors are connected on a screw connection block. For facilitating the work and preventing incorrect coupling in case of exchange of a unit, the connecting strips are detachable. [0080]
  • Electrical Connection [0081]
  • The system, schematically shown in FIG. 3, can be fed with 24 V DC. The connection of the system for 0 V should be connected to protective ground, on one hand for electrical safety reasons, and on the other hand for detecting each faults which may otherwise disable the safety function (see EN 60 204-1, 9.1.4.). [0082]
  • Inputs and Outputs [0083]
  • To be as comprehensive as possible, the invention is provided with a varying offer of types of input- and output terminals, schematically shown in FIG. 4. [0084]
  • I[0085] 0-I7 Digital Safety Input Terminals
  • Each input terminal, schematically shown in FIG. 5, is connected to both processors, which permits coupling of safety functions of one channel as well as of two channels. The input terminals can be operated by e.g. +24 V or any of the dynamic output terminals IQ[0086] 10-12.
  • IQ[0087] 10-17 Digital Safety Input Terminals, Digital Output Terminals (Not Safety)
  • This category of 8 connecting strips, schematically shown in FIG. 6, contains 4 functions. Each connecting strip is connected to both processors as an input terminal and can thereby be used as a safety input terminal. [0088]
  • Each connecting strip also has an output transistor, which implies that the user can choose to configure the strips as output terminals, though not as safety output terminals. The output terminals are intended for functions, which do not require redundancy, e.g. indicator lights, schematically shown in FIG. 7. [0089]
  • IQ[0090] 10-IQ12 can be configured as dynamic output terminals used for operating input terminals. Once an input terminal is configured as such, a unique pulse train is generated. Due to the fact that the input terminal is configured to only accept this pulse train as an input condition, the system can detect external short circuits. See further description.
  • IQ[0091] 16-IQ17 can monitor the output current when the connecting strips are used as output terminals. The function is primarily intended for supervision of by-pass lamps (muting lamp) according to EN 61 496-1. In certain cases, it is appropriate to indicate that a safety arrangement is bypassed. By controlling that a current flows it is possible to supervise that the filament of the lamp is unbroken.
  • Q[0092] 0-Q1 Safety Output Terminals Relay
  • Potential free relay output terminals, where every output terminal is separately redundant by doubling two relay contacts in series, controlled by each processor. Irrespective of the risk for external short circuits in e.g. cabling, one single output terminal can be used for controlling a safety function. [0093]
  • In addition to the relays being controlled by separate transistors, the voltage is generated to the relay windings by a charging pump. (For the function of the charging pump, see following description for transistor output terminals.) [0094]
  • Q[0095] 2-Q3 Safety Output Terminals Transistor
  • Digital safety output terminals, where every output terminal is separately redundant, and thereby can alone control a safety function, see FIGS. 8 and 9. The output voltage is nominally approx. −24 V. [0096]
  • The negative output voltage is due to the fact that the principle of the charging pump is applied. The charging pump is a construction where the output voltage is generated by a capacitor which is continuously charged and discharged by two transistors. The two transistors alternately conduct so that the capacitor is firstly charged by means of one of the transistors opening to plus, which thereafter closes, and the second transistor opens to zero volt and is discharged. During the discharge phase, the capacitor “sucks” current from the output terminal, and the negative voltage on the output thereby occurs. Due to the fact that the construction requires all the components to work and continuously alternate the state in the correct phase, a fault in any of the involved components causes the generation of the output voltage to immediately stop. [0097]
  • An advantage of having negative voltage on the output terminal for a user, is that this is not normally the voltage used in existing electric systems. Therefore the invention can discover external short circuits between the output terminal and foreign voltages, since the voltage level of the output terminal is monitored. [0098]
  • Bus Communication [0099]
  • Several units, according to the invention, can be coupled together with a CAN bus in a network. The coupling is made by means of connecting the connecting strips CH and CL of each unit, respectively, via intertwined dual cabling. As soon as the coupling is performed, the units are able to read each other's I/O. [0100]
  • In case of network coupling, the principle is that each unit executes its own programme and thereby lives an independent life. Interruption on the bus leads to the I/O in a unit to which contact is lost, being considered as put to 0 by the other units, though the programme execution proceeds. Thus, it is the programme of the user which determines the consequence of an interruption. For instance, if an input terminal put to 1 in another unit constitutes conditions for drawing an output terminal, the output terminal will fall, while another output terminal which only has its own I/O as conditions, will not be affected by the interruption. [0101]
  • The development of user programmes is performed by a PC computer. The communication between the PC and the PLC system occurs wirelessly via IR port. In addition to down- and up loadings of programmes there is a monitor function, whereby the PC computer can read the actual status for the input terminals, output terminals and the auxiliary memories. [0102]
  • The number of units, components, signals, signal levels, etc according to the preceding description are given as examples, and can be varied with consideration to application, requirements, etc. [0103]

Claims (27)

1. A programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to a safety function being disabled which system comprises monitoring functions containing at least two control units, inputs separately coupled to both the control units, whereby each control unit executes its own instruction set and continuously compares a result from the execution with each other, characterized in
that at least one control unit can access the status of the input and output terminal of a second control unit and/or a number of flags and that the control units are arranged to monitor the result of respectively executed instruction sets and to control that the results of the executions are substantially equivalent.
2. A system as claimed in claim 1, characterized in
that it complies with the requirement of category 4 according to the harmonized standard EN 954-1.
3. A system as claimed in claim 1, characterized in
that it complies with the requirement of the machinery directive 98/37/EG Appendix 1, 1.2.7.
4. A system as claimed in claim 1, characterized in
that the input terminals are continuously read at a certain frequency.
5. A system as claimed in claim 4, characterized in
that a filter time is based on a decision being made based on the majority of the three latest readings, i.e. two readings after a change.
6. A system as claimed in claim 4 or 5, characterized in
that some of the input terminals have pull-up or pull-down resistors, which are software controlled, for selectively receiving NPN- or PNP sensors.
7. A system as claimed in claim 1-6, characterized in
that the system comprises a charging generator, where the output voltage is generated by a capacitor which is continuously charged and discharged by transistors.
8. A system as claimed in claim 7, characterized in
that the transistors which are each controlled by a respective control unit alternately conduct so that the capacitor is firstly charged by means of the first transistor opening to plus, thereafter discharge occurs by means of the first transistors closing and the second transistor opening to zero volt.
9. A system as claimed in claim 8, characterized in
that the charging generator requires that the control units are active, which leads to an immediate interruption of the energy supply to the output terminal if a control unit ceases to executing instructions in a correct way.
10. A system as claimed in claim 7, characterized in
that a more even output voltage is obtained by means of two charging generators being coupled in parallel with each other.
11. A system as claimed in claim 1, characterized in
that each control unit controls a respective relay via separate transistors.
12. A system as claimed in claim 10, characterized in
that the both transistors are made of different technology.
13. A system as claimed in claim 10, characterized in
that the relays have forced contacts, monitored by the control units.
14. A system as claimed in claim 12, characterized in
that a switching contact in every forced relay is coupled back to the control unit for controlling that it has fallen, and if the control unit only receives an answer from one of two relays doubling each other, the unit tries to conduct and fell the missing relay again.
15. A system as claimed in claim 1, characterized in
that the fall time is monitored at the output terminal, which fall time also can be used for detecting external short circuit to another foreign voltage.
16. A system as claimed in claim 15, characterized in
that when the supervision detects short circuit to a foreign voltage, the output terminal is prevented from returning and a fault is indicated.
17. A system as claimed in claim 1, characterized in
that the output terminals are dynamic, which operate input terminals generating a unique pulse train, which implies that short circuits between channels coupled to different output terminals can be detected.
18. A system as claimed in claim 1, characterized in
that each unit in a network is identified by means of an identity carrier.
19. A system as claimed in claim 18, characterized in
that the identifier is an externally mounted circuit which stores a unique number and constitutes a part of the electric installation location where the unit is physically mounted.
20. A system as claimed in claim 19, characterized in
that a unit is arranged to read the number of the identifier, and thereby determine its own identity.
21. A system as claimed in claim 18, characterized in
that the correct identity is maintained in case of change of a unit.
22. A system as claimed in claim 1, characterized in
that the units are coupled together via a data buss and have access to each other's input and output terminal status and/or a number of flags.
23. A system as claimed in claim 22, characterized in
that when a unit loses contact with the bus communication, the other units consider its I/O as logical zeroes.
24. A system as claimed in claim 22, characterized in
that the bus is a CAN bus.
25. A system as claimed in claim 1, characterized in
that the system is connected to light barriers, the transmitters of which are operated by one dynamic output terminal each, that the receivers are coupled to one output terminal each, that the input terminals are provided with output transistors via which return voltage is applied to cables from the receiver to the input terminal, whereby the system thereby performs a test sequence which can distinguish short circuits between the output cables of the receivers from excess lighting.
26. A method in a programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to a safety function being disabled which system comprises monitored functions containing at least two control units, input terminals separately coupled to both control units, whereby each control unit executes its own instruction set and continuously compares a result from the execution with each other, characterized in
that at least the in- and output terminal status of a second control unit and/or a number of flags are made available for a control unit, and that the control units are arranged to supervise the result of each respectively executed instruction set and to control that the results of the executions are substantially equivalent
27. A method as claimed in claim 26, characterized in
that the result of the executions is provided in the form of status for the input terminals and/or output terminals and/or a number of flags.
US10/251,254 2000-03-20 2002-09-20 Security system Abandoned US20030074608A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/316,793 US7096380B2 (en) 2000-03-20 2002-12-11 Security system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SE0000971A SE523412C2 (en) 2000-03-20 2000-03-20 Programmable security system
SE0000971-2 2000-03-20
PCT/SE2001/000588 WO2001071916A1 (en) 2000-03-20 2001-03-20 Security system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2001/000588 Continuation WO2001071916A1 (en) 2000-03-20 2001-03-20 Security system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US10/316,793 Continuation US7096380B2 (en) 2000-03-20 2002-12-11 Security system

Publications (1)

Publication Number Publication Date
US20030074608A1 true US20030074608A1 (en) 2003-04-17

Family

ID=20278922

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/251,254 Abandoned US20030074608A1 (en) 2000-03-20 2002-09-20 Security system
US10/316,793 Expired - Lifetime US7096380B2 (en) 2000-03-20 2002-12-11 Security system

Family Applications After (1)

Application Number Title Priority Date Filing Date
US10/316,793 Expired - Lifetime US7096380B2 (en) 2000-03-20 2002-12-11 Security system

Country Status (7)

Country Link
US (2) US20030074608A1 (en)
EP (1) EP1290794B1 (en)
AT (1) ATE480047T1 (en)
AU (1) AU2001242961A1 (en)
DE (1) DE60142966D1 (en)
SE (1) SE523412C2 (en)
WO (1) WO2001071916A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7213168B2 (en) * 2003-09-16 2007-05-01 Rockwell Automation Technologies, Inc. Safety controller providing for execution of standard and safety control programs
SE529122C2 (en) 2004-09-24 2007-05-02 Jokab Safety Ab Protective device for area restriction and surveillance

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5799022A (en) * 1996-07-01 1998-08-25 Sun Microsystems, Inc. Faulty module location in a fault tolerant computer system
US5915082A (en) * 1996-06-07 1999-06-22 Lockheed Martin Corporation Error detection and fault isolation for lockstep processor systems
US6367031B1 (en) * 1998-12-17 2002-04-02 Honeywell International Inc. Critical control adaption of integrated modular architecture

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE464270B (en) * 1989-06-30 1991-03-25 Binaer Elektronik Ab Fail-safe safety device
US5367031A (en) * 1994-01-25 1994-11-22 Kansas State University Research Foundation Oxidizing resin for iodide conversion and retention
US5771178A (en) * 1995-06-12 1998-06-23 Scully Signal Company Fail-safe fluid transfer controller

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5915082A (en) * 1996-06-07 1999-06-22 Lockheed Martin Corporation Error detection and fault isolation for lockstep processor systems
US6065135A (en) * 1996-06-07 2000-05-16 Lockhead Martin Corporation Error detection and fault isolation for lockstep processor systems
US5799022A (en) * 1996-07-01 1998-08-25 Sun Microsystems, Inc. Faulty module location in a fault tolerant computer system
US6367031B1 (en) * 1998-12-17 2002-04-02 Honeywell International Inc. Critical control adaption of integrated modular architecture

Also Published As

Publication number Publication date
EP1290794A1 (en) 2003-03-12
DE60142966D1 (en) 2010-10-14
SE523412C2 (en) 2004-04-20
US20030126510A1 (en) 2003-07-03
AU2001242961A1 (en) 2001-10-03
SE0000971L (en) 2001-09-21
EP1290794B1 (en) 2010-09-01
US7096380B2 (en) 2006-08-22
SE0000971D0 (en) 2000-03-20
WO2001071916A1 (en) 2001-09-27
ATE480047T1 (en) 2010-09-15

Similar Documents

Publication Publication Date Title
US20130079902A1 (en) Multi-channel control switchover logic
US7096380B2 (en) Security system
EP2801874B1 (en) Multi-channel control switchover logic
US20240204517A1 (en) Controlling Feeder Units For Self-Restoration Of Power
CN113341334B (en) Power Failure Handling System
JP3868700B2 (en) Protective relay
KR100275578B1 (en) Elevator remote monitoring terminal with self diagnostic capability
JP2519800B2 (en) Abnormality notification device for transmission system
JP2010146363A (en) System switching system of duplex programmable controller
KR100675741B1 (en) Protection relay control system and method using mobile software
US6807514B2 (en) Apparatus for monitoring the proper operation of components of an electrical system carrying out the same or mutually corresponding actions
JP7624335B2 (en) Fire alarm systems and terminals
JP2000102164A (en) Power supply device
JPWO2008072350A1 (en) System monitoring apparatus and monitoring method using dual timer
JPH02281343A (en) Cpu operation monitor system
JP2766089B2 (en) Redundant operation power supply system
JPS61267810A (en) Deciding circuit for detection of service interruption
KR100568960B1 (en) Protection relay system and method using mobile software
KR20030057137A (en) power source abnormality alarm processing equipment
JP3107104B2 (en) Standby redundancy method
CN117335547A (en) Power supply protection system, method, electronic device and storage medium
JPS6329865B2 (en)
JPH1169608A (en) Digital protection relay device
JPH0629881A (en) Transmission line switching system
JP2001325117A (en) Stand-by duplex system information processor and its system state checking method

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载