DE102006001805A1 - Safety switching device for controlling e.g. three-phase motor, has microprocessor determining whether amplitude of analog signal lies outside of operating range, where microprocessor is component of safety device for controlling of drive - Google Patents

Abstract

The device has a microprocessor (822) controlling an electric drive to be protected into a safe condition during operation of an emergency switch, protective door switch and/or two-hand switch and during a faulty operation of the switching device or the electric drive. The microprocessor is implemented to determine whether a predetermined amplitude of an analog signal to be measured lies outside of a predetermined operating range. The microprocessor is a component of a safety device that is designed for multi-channel controlling of the electric drive. Independent claims are also included for the following: (1) a three phase power output stage for controlling a three phase motor (2) a reversal switching arrangement for a three phase power output stage (3) a measuring device for measuring a periodic analog signal (4) a safety-related device e.g. electric drive, comprising a measuring device (5) a method for measuring a periodic analog signal (6) a safety device for multi-channel controlling of a safety-related device.

Description

The The invention relates to a safety device for multi-channel Controlling a safety device, in particular Part of an automation system can be.

automation equipment usually include fieldbus systems, to the actuators, sensors and supra and / or subordinate Control and monitoring devices can be turned on. An important requirement for such automation systems is that, in particular in the event of a fault, a faulty safety-related component, z. As an actuator, or even the entire automation system in a secured state can be driven. To be sure Switch off the automation system or a faulty actuator to enable It must be ensured that a defined input signal, which the Automation system should go to the safe state, always is interpreted as a switch-off signal.

For example, equipment and equipment belonging to a particular safety category uses multi-channel monitoring systems that contain independently operating subsystems, each of which can drive the equipment or individual equipment to a secured state. The multichannel or redundant monitoring systems are furthermore designed such that the subsystems can monitor the functionality of the respective other subsystem. The mutual monitoring is usually done by a bidirectional exchange of status data. Such known multi-channel monitoring systems are constructed symmetrically. This means that an input signal supplied by an input stage, which controls the operating state of a system to be monitored, is applied directly to the input of each subsystem of the monitoring system, as shown in FIG 1 is shown.

Of the present invention is based on the object, a novel Safety device for multi-channel control of a safety device, in particular an automation system to provide.

One The core idea of the invention is to be seen in that, in contrast to existing symmetrical multi-channel monitoring systems, below Also called safety device in which the from an input stage provided input signal applied directly to each subsystem is modulated, the input signal in a predetermined manner and subsequently the subsystems, hereinafter also called control means, is supplied. In particular, in the safety device according to the invention no mutual supervision of the various control devices. Instead, one acts microprocessor controlled control device as master, which the other control device, which is operated as a slave monitors.

The The above-mentioned technical problem solves the invention with the features of claim 1.

After that is a security device for multi-channel control of a safety device provided. At this point It should be noted that it is a safety-related Device for an actuator of an automation system, an executable safety technology Application and / or to act an automation system itself.

For this a first, microprocessor-controlled control device is provided, which forms a first so-called control channel. The first, microprocessor-controlled Control device has a signal generating device for generating a monitoring signal on. A second control channel has a second control device on.

The monitoring signal serves mainly to the safety device, especially the second To allow control device the proper function the first, microprocessor-controlled control device to monitor.

With the first, microprocessor-controlled device and the second Control device is connected to an input stage, which is used to modulate a Input signal with that of the first microprocessor-controlled Control device coming monitoring signal is trained. The first, microprocessor-controlled control device and / or the second controller controls in response to the modulated one Input signal the safety device when performing an error in a predetermined safe state.

advantageous Further developments are the subject of the dependent claims.

The first, microprocessor-controlled control device preferably leads safety-related programs or program parts through to the modulated input signal, for example under safety engineering To process aspects. So can the modulated input signal for example, be coded in a defined manner.

The signal generating device is designed such that it depends on the execution of at least one safety-relevant Pro gram generated by the first microprocessor-controlled controller, the monitoring signal. It should be noted at this point that the signal generating device is preferably part of a microprocessor of the first, microprocessor-controlled control device.

The first, microprocessor-controlled controller and the second Control devices are connected to an output stage. The control devices each have a means for activating or deactivating the output stage. In particular, the output stage contains at least a switching device, which may be a relay. However, you can the output stage also have a plurality of switching devices, the a gradual or gentle shutdown of a safety-related Facility enable.

The Activation / deactivation device of the first, microprocessor-controlled Control device has a ground-connectable switch, while the second control device one with a supply voltage has connectable switch. Alternatively, of course, too the first control device one with a supply voltage connectable switch and the second control device with a Have mass connectable switch. In this way, the Control devices independent control the output stage from one another to the safety-related To put device in the secure state. Depending on the circuitry Implementation of the output stage is a safety-related Device only in the operating state, if by the first control device defined ground path closed to the output stage and over the second Control means applied the supply voltage to the output stage is. The safety device can then on the Output stage can be moved to a safe state, if either the ground path is opened and / or the supply voltage is disconnected from the output stage.

Preferably is the first microprocessor-based controller for monitoring the input stage and / or the second control device formed.

The Modulation of the input signal with the monitoring signal of the first, microprocessor-controlled control device can by means of a logical Linking device, in particular an AND gate are performed. Alternatively, you can also an ordinary one Switch, also a mechanical switch can be used to monitor the signal When opening and closing to modulate the switch.

Around a malfunction of the first and / or second control device due to erroneous, uncontrolled oscillation of the monitoring signal To avoid this, the first, microprocessor-based controller must be used provide an appropriate waveform. For this purpose, the first, microprocessor-controlled Control means a modulator for modulating the monitoring signal with a signal whose frequency is higher than the frequency of the monitoring signal is. The higher frequency signal may be the clock signal of the first controller controlling the microprocessor be. In this case, the input stage is for modulating the modulated monitor signal and the input signal. The second control device In this case, it must be able to show the different spectral components in the modulated input signal to capture and evaluate. For this the second control device has a demodulator under Response to the modulated input signal coming from the input stage and that from the first, microprocessor controlled controller incoming modulated monitoring signal when an error occurs, a control signal is generated, which the safety device in the predetermined safe State controls.

For this the demodulator functions expediently as a band-stop filter. In conjunction with at least one switching device, especially a monoflop, the demodulator delivers when the frequency of the signal with higher Frequency changes by a predetermined amount, a control signal for controlling the safety equipment in the safe state.

Preferably The demodulator has a high-pass filter and a first low-pass filter on whose respective input to the output of the first, microprocessor-controlled Device is connected. A first monoflop is provided which has a reset input and a signal input connected to the Output of the high-pass filter is connected. A second low-pass filter is provided, whose input with the negated output of the first Monoflops is connected. Furthermore, a second monoflop is provided, its signal input to the output of the first low-pass filter and its reset input to the output of the second low-pass filter connected is. Furthermore, a third monoflop is provided, whose Signal input to the output of the input stage and its reset input is connected to the negated output of the second monoflop.

The first, microprocessor-controlled control device is preferably software-based, and the second control device is hardware-based, ie implemented in circuit technology. Furthermore, the second control device by a Mikroprozes be controlled.

at the input signal can be a binary process signal, which for starting up and secure switching off a safety-related Facility serves.

The Invention will be described below with reference to two embodiments explained in more detail with the accompanying drawings. Show it:

1 a simplified block diagram of a dual-channel symmetrical safety device according to the prior art,

2 2 shows a simplified block diagram of a safety device for multichannel control of a safety device according to a first embodiment of the invention,

3 the time course of the monitoring signal, which the first microprocessor-controlled control device of in 2 produced safety device shown,

4 the basic circuit structure of in 2 shown second control device,

5 an alternative safety device for multi-channel control of a safety device according to the invention,

6 the basic circuit structure of in 5 shown second control device,

7a to 7i different waveforms within the in 6 shown circuit arrangement at predetermined points during a fault-free operation,

8a to 8i different waveforms within the in 6 shown circuitry at predetermined points during a faulty operation, and

9a to 9i different waveforms within the in 6 shown circuitry at predetermined points during a faulty operation.

1 schematically shows the structure of a known system for microprocessor-controlled monitoring of a safety device (not shown). The system has an input stage 10 which provides a binary process or sensor signal as input to two independently operating subsystems 20 and 30 invests. Each subsystem may include a microprocessor and a separate power supply. Each subsystem is output side with an output stage 40 connected, for example, has a contactor or an arrangement of switching devices. By means of the output stage 40 For example, a safety-related application, not shown, can be moved to a defined, secured state. As in 1 implied, are both subsystems 20 and 30 designed so that they can monitor the functioning of the other subsystem. The mutual monitoring of the subsystems is usually done by a bidirectional exchange of status data, as indicated by the arrows in 1 is indicated. Each subsystem forms its own control channel through which the output stage 40 can be controlled separately. As a result, each channel, that is, each subsystem, can be the output stage 40 independent of the other subsystem in a state defined as safe.

An inventive multi-channel safety device for controlling safety equipment is in 2 shown. Already at this point it should be noted that under safety equipment, an automation system, individual modules of the automation system and / or safety applications in the form of software can be understood.

Similar in the 1 The arrangement shown in FIG 2 illustrated safety device 50 an entrance level 60 , a first, microprocessor-controlled control device 70 and a second control device 80 on. The output of the two control devices 70 and 80 is each with an input of an output stage 90 connected. The output stage 90 has, for example, a relay 95 on.

From a multi-channel control device 50 one speaks, since the first, microprocessor-controlled control device 70 and the second control device 80 each have their own control channel for independently controlling the relay 95 form. The first, microprocessor controlled controller 70 contains a memory programmed microprocessor 72 and a memory 74 in which the control software is stored, to which the microprocessor 72 can access. Furthermore, the microprocessor-controlled control device contains 70 an example designed as an NPN bipolar transistor switch 76 , hereinafter also referred to as switching transistor, via which the relay 95 with a ground connection 78 can be connected. About the ground connection 78 , the switching transistor 76 and a connection line 100 representing the output of the microprocessor controlled controller 70 with the input of the output stage 90 and thus with the input of the relay 95 connects, a mass path is defined. Depending on Operating state can be the microprocessor 72 via the switching transistor 76 open or close the ground path. The microprocessor 72 is designed such that it can generate a monitoring signal, also called a life signal in the following, whose time course in 3 is shown.

The microprocessor 72 preferably carries out safety-relevant programs with the signal supplied by the input stage, so that upon occurrence of a fault, the safety-related device via the output stage 90 Reliable can be driven in a secured state. As a source of error, for example, the microprocessor 72 itself, the entrance level 60 or the safety-related device come into question. That from the microprocessor 72 generated monitoring signal reflects the proper or faulty operation of the microprocessor-controlled control device 70 again.

The monitoring signal is generated, for example, by the fact that the microprocessor 72 generates a high level when the microprocessor begins to execute a safety-related program. Once the microprocessor 72 When the execution of the safety-relevant program ends, it generates a low level. In 3 is the course of the monitoring signal in the error-free state of the control device 70 shown. In the 3 drawn period T _m corresponds for example to the duration of a in the control device 80 implemented monostable multivibrator, after which the flip-flop tilts back into its stable state. Such a monostable flip-flop is as monoflop 84 in 4 shown. The time duration T _m is also referred to below as mono-time. The operation of the control device 80 will be explained in more detail below.

That from the microprocessor 72 Life signal generated is via an output of the microprocessor-controlled control device 70 to an input of the input stage 60 created. At another entrance of the entrance level 60 is the binary process signal. The process signal and the life signal, for example, an input side of an AND gate 62 fed. The AND gate 62 combines or modulates both signals and provides at its output a so-called modulated input signal for the control devices 70 and 80 , Alternatively, instead of a logical AND gate, any other suitable logical combination device or a mechanical switch may be used as the modulation device. It is crucial that at the in 2 illustrated safety device 50 the process signal modulated with the monitor signal and not that via the input stage 60 incoming process signal directly to the input of the microprocessor-controlled control device 70 and the controller 80 is created.

Furthermore, it should be noted that the control device 80 independent of the microprocessor-controlled controller 70 the output stage 90 can drive. For this purpose, for example, a supply voltage V _{CC is} provided, which acts via a transistor acting as a switch 82 to the relay 95 the output stage 90 can be created. It should already be noted that when the state of the switching transistors 78 and 82 a current through the relay 85 flows.

As in 4 shown, the control device 80 next to the switching transistor 82 the monoflop 84 which has a negative output labeled Q -, preferably via a resistor 88 with the control electrode of the switching transistor 82 connected is. Furthermore, the monoflop has 84 an input A on, that of the input stage 60 incoming modulated input signal is applied. Next is a series connection of a capacitor 81 and a resistance 83 provided on the switch-on in the safety device 50 a predetermined voltage potential is applied to a master reset input labeled MR that causes the monoflop to produce a high level at the Q output.

Thus, the acting as a master microprocessor-controlled control device 70 Error in the input stage 60 and in the controller 80 can recognize the output of the AND gate 62 the entrance level 60 and the output of the controller 80 each with an input of the microprocessor-controlled control device 70 connected. Since the input variables and the transfer function of the control device 80 the microprocessor-controlled control device 70 are known, can be a proper operation of the input stage 60 and the controller 80 be verified by the fed back output signals. The reference parameters of the input variables and the transfer function of the control device 80 can in memory 74 the control device 70 be filed. Should an error occur, then both the control device 80 as well as the microprocessor controlled controller 70 the output stage 90 into a safe state by either the via the switching transistor 76 and the connection line 100 formed ground path opened and / or the supply voltage by means of the switching transistor 82 the control device 80 from the relay 95 the output stage 90 is switched off.

In the realization of in 2 illustrated asymmetrical dual-channel safety vorvor direction 50 is a critical aspect in the fact that a faulty, uncontrolled oscillation of the life signal can occur, which can prevent a safe shutdown of a safety device.

A security device to solve this problem is in 5 shown. The security device 110. similar to the one in 2 shown safety device 50 an entrance level 60 in turn, a logical link, such as an AND gate 62 can have. At an entrance of the AND gate 62 is the input signal, which may be the process signal applied. Again, an output stage 90 provided, the several cooperating switching elements 95 may have, which allows a defined shutdown of the safety device. The security device 110. is in turn multi-channel, two channels in the present example, wherein a first, microprocessor-controlled control device 120 as master and a second control device 140 acts as a slave. Again, the control device 120 be considered as a software-based subsystem, while the controller 140 can be designed as a hardware-based subsystem, which in 6 is shown in more detail.

The microprocessor-controlled control device 120 again has a microprocessor 122 which can produce a low frequency monitoring or life signal. Again, the microprocessor 122 at the beginning of execution of a safety-relevant program, a rising edge and, when leaving the execution of the safety-relevant program, generate a falling edge. The time interval of successive pulses, that is, the periodicity of the monitoring signal is in turn defined by the monotone T _{m of} a monoflop. Unlike the security device 50 according to 2 This is done by the microprocessor 122 generated monitoring signal to a modulator 124 supplied to the low-frequency monitoring signal with a high-frequency modulation signal, which, for example, the clock signal of the microprocessor 122 , which may be a signal derived from the clock signal or another high-frequency signal, is modulated. In this case, the clock signal of the microprocessor 122 to a second input of the modulator 124 created. That from the modulator 124 generated modulated monitoring signal is another input of the AND gate 62 the input stage and a first input of the control device 130 fed. At the output of the AND gate 62 appears a modulated process signal, which by the microprocessor-controlled control device 120 supplied modulated monitoring signal is modulated. The modulated output of the AND gate 62 each is provided as a modulated input to an input of the microprocessor controlled controller 120 and to another input of the control device 140 created. The microprocessor 122 is in turn able to get that from the AND gate 62 monitor incoming output for a fault. In a store 126 can input variables that the input stage 60 relate, as well as the transfer function of the control device 130 be filed. The microprocessor 122 is with the control electrode, in the present example with the base of a switching transistor 128 connected via a connection line 100 the output stage 90 can connect to ground. The switching transistor 128 may be formed, for example, as a bipolar NPN-type transistor. For example, the emitter electrode of the switching transistor 128 with ground and the electric electrode of the switching transistor 128 with the input of the output stage 90 connected. Detects the microprocessor 122 an error, he can do that via the switching transistor 128 and the connection line 100 separated ground path, by a low level to the control electrode of the switching transistor 128 applies, so that the switching transistor blocks.

The output signal of the control device 140 is the input side with the microprocessor-controlled control device 120 connected. The microprocessor 122 is again implemented such that it takes into account the stored transfer function of the control device 140 a malfunction of the controller 130 can recognize. The control device 140 has a demodulator 140 on that in 6 is shown in more detail.

The output of the demodulator 130 can with the control electrode of a switching transistor 150 be connected, via the one supply voltage to the output stage 90 can be created. The demodulator 130 has a monoflop 131 on which in its function the monoflop 89 the in 4 shown control device 80 equivalent. The monoflop 131 has an input labeled A, to the one of the AND gate 62 incoming modulated input signal is applied. That from the modulator 124 supplied modulated monitoring signal is a high-pass filter 132 and a lowpass filter labeled TP2 133 fed. The output signal of the high-pass filter 132 becomes another monoflop 134 fed. The monoflop 134 has a master reset input on which a
Supply voltage V _cc via a series circuit, which is a capacitor 135 and a resistance 136 has, can be created. The negated output of the monoflop 134 goes to the input of another lowpass filter labeled TP1 137 created. The output of the low-pass filter 133 is with a first, designated A input another monoflop 138 connected during the output of the low-pass filter 137 with the master reset input of the monoflop 138 connected is.

The negative output of the monoflop designated Q - 138 is finally connected to the master reset input of the monoflop 131 connected. The negative output of the monoflop designated Q - 131 is with the control electrode, in the present example with the base of the switching transistor 150 connected.

The in the 7a to 7i Curves shown are input and output signals at predetermined observation points within the demodulator 130 , which with the numbers 1 to 7 are marked accordingly. The voltage curves occur during proper operation of the safety device 110. on. In a faulty operation of the control device 120 Voltage curves occur in the 8a to 8i respectively. 9a to 9i are shown.

Below we will see how the two work in the 2 and 5 illustrated safety devices 50 respectively 110. explained in more detail. In particular, the operation of the control device 80 according to 2 and the functioning of in 5 shown control device 140 described in more detail.

First, the operation of in 2 shown control device 80 in conjunction with the 3 and 4 explained in more detail.

Suppose that a safety-related automation system to which the safety device 50 belongs, should be put into operation. At the beginning is over the capacitor 81 and the resistance 83 a voltage potential to the master reset input MR of the monoflop 84 applied, which causes the negative output Q - of the monoflop 84 is set to a high level, whereby the switching transistor 82 is placed in the blocking state. This in turn causes the supply voltage V _cc via the switching transistor 82 not to the output stage 90 is created. This will ensure that the output stage 90 can only be put into operation when a supply voltage is applied and the completion of self-tests is completed.

After a time defined by the resistance of the resistor and the capacitance of the capacitor, the voltage potential at the master reset input of the monoflop decreases 84 , so that the output Q - by the modulated input signal applied to the input A, which from the AND gate 62 is delivered depends. Suppose that at the AND gate 62 the entrance level 60 a process signal with a high level is applied, so that when properly functioning of the control device 70 this in 3 shown monitoring signal as a modulated input signal at the input A of the monoflop 84 is applied. With the first positive edge of the modulated input signal, the output Q - of the monoflop 84 for the mono time T _{m set} to low. During this time will also be the switching transistor 82 held conductive. Kick, like this in 3 is shown, before the expiration of the monotone T _m another positive edge in the monitoring signal on, is the monoflop 84 Triggered again and the output Q - is again set to low for the mono time T _m . As long as the microprocessor 72 the microprocessor-controlled control device 70 works properly, a positive edge is generated in each case before the expiration of the monotone T _m . As long as the automation system, the control devices 70 and 80 as well as the entrance level 60 working properly, the switching transistor 82 over the monoflop 84 held in a conductive state. Proper operation means that the input signal or process signal at the input of the AND gate 62 the entrance level 60 has a high level and the modulated input signal is an alternating signal whose period is less than or equal to the mono-time T _m .

Now steps in the control device 70 or the entry level 60 an error, ensures the monoflop 84 for that the switching transistor 82 switched to the blocking state and thus the output stage 90 is separated from the supply voltage V _cc. For example, an error can also be signaled by generating a low-level process signal that causes the output of the AND gate 62 is set to zero. As a result, the monitoring signal no longer reaches the input A of the monoflop 82 , Since no positive edge appears at the input A of the monoflop within the mono time T _m , the output Q of the monoflop becomes 84 set to zero. This causes the switching transistor 82 locks and thus the supply voltage from the output stage 90 is disconnected. The automation system can now be moved to a secure state.

In addition, an error in the controller 70 occur when, for example, the microprocessor 72 due to an unpredictable error, a safety-relevant program does not start. In this case, the monitoring signal, for example, remains continuously at a low level. This, in turn, causes over a period of time longer than the mono-time T _{m of} the monoflop 84 is, no positive edge at the input A of the monoflop 84 occurs, so that the switching transistor 82 is placed in the blocking state. In a similar way the monitor signal will remain at a high level when the microprocessor 72 Although a security-relevant program has started, but this can not stop due to an unforeseen error. Again, this condition causes, over a period of time, longer than the mono-time T _{m of} the monoflop 84 is, no positive edge at the input A of the monoflop 84 occurs, so that the switching transistor 82 put in the blocking state and the output stage 90 is driven into a secure, predefined state. It should be noted at this point that depending on the realization of the control device 80 the monoflop 84 can also be triggered by falling edges.

Thanks to the asymmetrical, dual-channel safety device 50 It is possible to have an automation system or its safety components in the event of a fault, which is its cause, for example, in the input stage 60 or the safety device 70 has to go to a safe state.

An error in the controller 80 is from the controller 70 detected by the output signal of the control device 80 via the feedback line 105 to the microprocessor 72 to be led. Because the control device 70 knows the transfer function of the control device 80 in the store 74 can be deposited. Detects the controller 70 an error in the output of the controller 80 , ensures the microprocessor 72 for that the switching transistor 76 locked and thus the ground path to the output stage 90 is opened.

It should be noted that the monoflop 84 Furthermore, serves to extend the on-time of the applied modulated input signal by the mono-time T _m , so that even after switching off the input signal or process signal, the output stage 90 still controlled in a secured state can be controlled. To be able to comply with the safety conditions required for the safe shutdown of an automation system, the mono time T _{m must} not be longer than the safety shutdown time of the output stage 90 be.

Below is the operation of the in 5 illustrated asymmetric dual-channel safety device 110. in conjunction with the 6 to 9i explained in more detail.

The in 6 shown demodulator 130 the control device 140 unlike in 4 1, a low-pass and high-pass arrangement, by means of which, as it were, a digital band-stop filter is realized. With correct dimensioning of the construction components and proper functioning of the safety device 110. behaves the demodulator 130 similar to the one in 4 shown monoflop 84 , Occurs, however, in the controller 120 , for example in the microprocessor 122 If there is an error, depending on the error, the high-frequency and low-frequency part of the modulator will be affected 124 coming modulated monitoring signal shifted to higher or lower frequencies. The consequence of this is that either the high-frequency or low-frequency component of the modulated monitoring signal is due to the band blocking behavior of the demodulator 130 is locked. This causes the monoflop 131 after the expiration of the mono-time the positive output Q is set low, whereby the switching transistor 150 put in the blocking state and thus the output stage 90 is driven to a safe state. It should be noted that the control device 120 a software module which ensures that a change in the clock of the microprocessor 120 leads to a corresponding frequency shift of the life signal.

The operation of the demodulator 130 is determined by the 7 to 9i described in detail. First, the error-free operation of the control device 120 portrayed.

For error-free operation of the safety device 110. join the in 6 points of observation in the 7a to 7i shown waveforms on.

We first consider the period from T ₀ to T ₁ . Assume that until time T ₁ to the AND gate 62 no process signal is applied, as shown in 7f is shown. Thus, until the time T ₁ at the input A of the monoflop 131 no signal, as in 7g is shown. 7a schematically shows the modulated monitoring signal, which is a superposition of the clock signal of the microprocessor 122 and of in 3 is shown monitoring signal. In the illustrated curve, which already begins at time T ₀ , the period of the monitoring signal drops approximately with the mono-time T _{m of} the monoflop 131 together. That from the modulator 124 the control device 120 used as a modulation signal clock signal of the microprocessor 122 has a period of T _s , which is also in 7a is registered. At this point it should be mentioned that the capacity 135 and the resistance 136 Having series connection serves, at the switch-on of the automation system, a voltage potential to the master reset input of the monoflop 134 at the time T ₀ for a low level at the negated output Q - of the monoflop 134 like this 7i is shown.

7b shows the low frequency component the modulated monitoring signal, which at the output of the low-pass filter 133 is applied. 7c shows the high-frequency portion of the modulated monitoring signal, which at the output of the high-pass filter 132 is applied. 7i shows the at the negated output Q - of the monoflop 134 applied signal at the time T ₀ , when the modulated input signal according to 7a to the high pass filter 132 is applied, goes to zero, since positive flanks of the in 7c shown high-frequency signal component in each case before the expiration of the special mono-time of the monoflop 134 trigger this. 7d shows the at the output of the low pass filter 137 adjacent signal waveform, after a predetermined time the value of the waveform after 7i ie assumes the value zero. 7e shows the at the negated output Q - of the monoflop 138 adjacent waveform. 7h shows the signal at the output Q of the monoflop 131 ,

At time T ₁ will now be a process signal, which may also be a sensor signal, with a high level to the AND gate 62 created as in 7f shown. From this point on, the AND gate will deliver 62 this in 7g shown alternating signal. This signal contains in the present example due to system-induced low-pass characteristics no high-frequency components more. Rather, it corresponds to the monitoring signal with a period of less than or equal to T _m .

Because in normal operation at the negated output Q - of the monoflop 138 a low level according to 7e is present at the same time as the master reset input of the monoflop 131 is applied, the behavior of the modulated input signal after 7g certainly. Since the period of the modulated input signal, as I said, smaller than the mono-time T _{m of} the monoflop 131 is, is the monoflop 131 triggered regularly. Consequently, the output Q of the monoflop provides 131 a high level, as in 7h shown. This in turn means that the switching transistor 150 held in the conducting state and the output stage is energized.

Now assume the case of error that the frequency of the clock of the microprocessor 122 at time T ₂ drops. This is in 8a for the modulated monitoring signal, which at the input of the high-pass filter 132 and at the input of the low pass filter 133 is created, presented. As can be seen, the time interval of the clock pulses after the time T _{2 is} longer. Consequently, an extension of the period of the clock signal of the microprocessor draws 122 an extension of the period of the monitoring signal by itself. This fact is also in 8a shown. 8f shows that still a process signal with high level at the AND gate 62 which represents the normal operating condition of the system. 8b shows the change of the output signal at the low-pass filter 133 after the time T ₂ , after the frequency of the clock signal of the microprocessor 122 has sunk.

8c shows the change of the clock signal of the microprocessor 122 at time T ₂ . Since the time interval of consecutive positive edges in the clock signal of the microprocessor 122 at time T ₂ longer than the monoflop time of the monoflop 134 is, appears at the negated output Q - of the monoflop 134 this in 8h shown high-frequency clock signal of the microprocessor 122 , The low pass filter 137 filters the high-frequency components from the output signal at the negated output Q - of the monoflop 134 out, so that at the output of the low-pass filter 137 after the mono-time of the monoflop has expired 134 a high level is applied, as in 8d is shown. The high level is applied to the master reset input of the monoflop 138 created and ensures that at the negated output of the monoflop 138 a high level is generated in 8e is shown. Consequently, via the master reset input of the monoflop 131 produces a low level output signal as in 8g shown. This signal controls the switching transistor 150 in the locked state. As a result, the supply voltage from the output stage 90 disconnected, leaving the output stage 90 a safety device can move to a safe state.

The waveforms in the 9a to 9i occur in the event of an error in the control device 120 on, which manifests itself in an increase in the clock frequency of the microprocessor signal. 9a shows this at the input of the high pass filter 132 and at the input of the low pass filter 133 incoming modulated monitoring signal, which changes at a time T ₃ as shown. Still it is assumed that the input level 60 and the automation system itself working error-free, so that at the AND gate 62 still a process signal with a high level is applied, as in 9f is shown. 9i shows the change of the modulated input signal after the time T ₃ , which is applied to the input A of the monoflop 131 is created. 9c again shows the change of the clock signal at the output of the low-pass filter 132 at time T ₃ . This in 9c shown high-frequency input signal causes the negated output of the monoflop 134 permanently a low level is applied, the in 9h is shown. The low level is via the low pass filter 137 to the master reset input of the monoflop 138 created. The low pass filter 133 is dimensioned such that it also the low - frequency component of the faulty modulated monitoring signal, which in 9a is shown from the time T ₃ locks, as this by the voltage curve in 9b is shown. As at the entrance A of the Monoflops 138 only a constant level is present, is at the end of the monotone of the monoflop 138 the negated output is set to a high level, as shown by 9e is shown. About the master reset input MR is now the monoflop 131 reset, reducing the output of the monoflop 131 set to zero, as in 9g is shown. Again, the switching transistor 150 disabled and thus the power supply from the output stage 90 separated.

Claims (13)

Safety device for multi-channel control of a safety-related device, with a first, microprocessor-controlled control device ( 70 ; 120 ), which is a signal generating device ( 72 ; 122 ) for generating a monitoring signal, a second control device ( 80 ; 140 ), one with the first microprocessor-controlled device ( 70 ; 120 ) and the second control device ( 80 ; 140 ) connected input stage ( 60 ) for modulating an input signal with that of the first microprocessor-controlled control device ( 70 ; 120 ) is formed, wherein the first, microprocessor-controlled control device ( 70 ; 120 ) and / or the second control device ( 80 ; 140 ) in response to the modulated input signal to control the safety device when an error occurs in a predetermined safe state. Safety device according to claim 1, characterized in that the signal generating device, the monitoring signal in response to the execution of at least one safety-related program by the first, microprocessor-controlled control device ( 70 ; 120 ) generated. Safety device according to claim 1 or 2, characterized in that the first microprocessor-controlled control device ( 70 ; 120 ) and the second control device ( 80 ; 140 ) with an output stage ( 90 ) and in each case a device for activating or deactivating the output stage ( 90 ) exhibit. Safety device according to claim 3, characterized in that the activation / deactivation device of the first microprocessor-controlled control device ( 70 ; 120 ) a switch connectable to ground ( 76 ; 128 ) and the activation / deactivation device of the second control device ( 80 ; 140 ) a connectable to a supply voltage switch 82 ; 150 ) having. Safety device according to claim 3 or 4, characterized in that the output stage ( 90 ) at least one switching device ( 95 ), in particular a relay. Safety device according to one of claims 1 to 5, characterized in that the first, microprocessor-controlled control device ( 70 ; 120 ) comprises means for monitoring the input stage and / or the second control means and generating an error signal, and in that the first microprocessor-controlled control means ( 70 ; 120 ) controls the safety device in a predetermined safe state in response to the error signal. Safety device according to one of claims 1 to 6, characterized in that the input stage ( 60 ) a logical linking device ( 62 ), in particular an AND gate for modulating the input signal with the monitoring signal. Safety device according to one of claims 1 to 7, characterized in that the first, microprocessor-controlled control device ( 120 ) a modulator ( 124 ) for modulating the monitoring signal with a signal whose frequency is higher than the frequency of the monitoring signal that the input stage ( 60 ) for modulating the modulated monitoring signal with the input signal, that the second control device ( 140 ) a demodulator ( 130 ) responding in response to that of the input stage ( 60 ) modulated input signal and that from the first, microprocessor-controlled control device ( 120 ) coming modulated monitoring signal in the event of an error generates a control signal which controls the safety device in the predetermined safe state. Safety device according to claim 8, characterized in that the demodulator ( 130 ) a band-stop filter and at least one switching device ( 131 ), in particular a monoflop, which supplies a control signal for controlling the safety device in the predetermined safe state by changing the frequency of the higher frequency signal by a predetermined amount. Safety device according to claim 9, characterized in that the demodulator ( 130 ) has the following features: a high-pass filter ( 132 ) and a first low-pass filter ( 133 ) whose respective input to the output of the first microprocessor-controlled device ( 120 ), a first monoflop ( 134 ), which has a reset input and a signal input which is connected to the output of the high-pass filter, a second low-pass filter ( 137 ) whose input is connected to the negated output of the first monoflop ( 134 ), a second monoflop ( 138 ) whose signal input to the output of the first low-pass filter ( 133 ) and its reset input to the output of the second low-pass filter ( 137 ) and a third monoflop ( 131 ) whose signal input is connected to the output of the input stage ( 60 ) and its reset input with the negated output of the second monoflop ( 138 ) connected is. Safety device according to one of claims 1 to 10, characterized in that the first, microprocessor-controlled control device ( 70 ; 120 ) software-based and the second control device ( 80 ; 140 ) is hardware based. Safety device according to one of claims 1 to 11, characterized in that the input signal is a binary process signal is. Safety device according to one of claims 1 to 12, characterized in that the second control device ( 80 ; 140 ) has a microprocessor.