Electrical transmission or interconnection systems – Personnel safety or limit control features
Reexamination Certificate
2003-04-16
2004-08-31
Deberadinis, Robert L (Department: 2836)
Electrical transmission or interconnection systems
Personnel safety or limit control features
C307S327000, C307S328000, C361S189000
Reexamination Certificate
active
06784571
ABSTRACT:
CROSS-REFERENCES TO RELATED APPLICATIONS
This application is a continuation of copending international patent application PCT/EP01/11436 filed on Oct. 4, 2001 designating the U.S. and published in German language, which PCT application claims priority from German patent application DE 100 53 820.7, filed on Oct. 30, 2000.
BACKGROUND OF THE INVENTION
The present invention relates to an electronic safety switching device having at least a first and a second signal processing channel and to a corresponding method of switching off an industrial machine. The first and second signal processing channels can be supplied with input signals for signal processing, and they provide processed output signals. The invention particularly relates to such a device and method, wherein the first and second signal processing channel process the input signals redundantly with respect to each other, and wherein the first and second signal processing channels each are constructed using integrated semiconductor structures.
Safety switching devices of this type are primarily used in the industrial sector in order to carry out shutdown operations on machines, plants and other installations in a failsafe manner. In this connection, the term “failsafe” means that the switching device meets standardized requirements regarding failsafety, in particular the requirements of safety category 3 of the European Standard EN 954-1 or higher. Devices of this type are used, for example, to stop a machine plant, such as a press or an automatically operating robot, as a reaction to the operation of an emergency off pushbutton or the opening of a protective door, or to transfer the installation in another way into a nonhazardous state. Likewise, it is generally necessary to switch off a machine or machine plant at least partly to carry out maintenance or commissioning work. Since a malfunction or failure of the safety switching device would result in an immediate hazard to human personnel in such a situation, very high requirements are placed on safety switching devices with regard to their failsafe nature. As a rule, safety switching devices may therefore be used in the industrial sector only after appropriate approval by a responsible inspecting authority, for example professional associations or governmental authorities.
One measure of achieving the required failsafe nature is to construct the safety switching device redundantly with a plurality of channels, the at least two signal processing channels monitoring each other. If a fault occurs in one of the signal processing channels, the second signal processing channel should be capable of recognizing this and arranging for a nonhazardous state for persons in the area of the machine plant. During this procedure, particular attention must be placed on possible fault causes which influence a plurality of the redundant signal processing channels in the same way, since otherwise the requisite failsafe nature is not ensured (what is known as common cause faults).
A procedure which is often practised during the approval of safety switching devices by the responsible inspecting authorities is that the designer or manufacturer of the safety switching device has to present a thoroughgoing and detailed consideration of faults, in which every conceivable fault is covered. In this document, it is necessary to prove that the safety switching device can bring about a nonhazardous state for persons in a reliable manner even when the respective fault occurs. A consideration of this type is very complicated, in particular in the case of complex safety switching devices having numerous functions, which has a detrimental effect on the costs of the development and manufacture. Added to this is the fact that this fault assessment has to be repeated even in the case of slight changes to the construction or in the structure of the safety switching device since, for example, new fault sources can be produced merely as a result of a physically different arrangement of intrinsically identical components.
SUMMARY OF THE INVENTION
In view of this, it is an object of the present invention to specify a safety switching device of the type mentioned at the beginning in which the effort to demonstrate the failsafe nature is reduced.
It is another object of the invention to provide a safety switching device and method that can be implemented at lower cost.
According to one aspect of the invention, these objects are achieved by the first and the second signal processing channel being arranged monolithically on a common semiconductor substrate, the semiconductor structures of each signal processing channel being spaced apart physically by a multiple of their width from the semiconductor structures of every other signal processing channel.
Thus, a safety switching device is proposed in which the mutually redundant signal processing channels are arranged jointly in one semiconductor chip for the first time. In this case, it is not ruled out that each of the signal processing channels will further be supplemented with the aid of external components, for example for setting time constants, depending on the type and the functionality of the safety switching device. However, the advantages of the invention have a greater effect the fewer additional external components are needed.
As a result of the common arrangement of the redundant signal processing channels, the entire structure of the safety switching device can be defined, during the design and development of the semiconductor chip, in a form which can subsequently no longer be changed. As a result of this, the error consideration required for the approval by the inspecting authorities only has to be carried out once, namely during the development of the semiconductor chip. Subsequent checks can be restricted to checking in quantitative terms compliance with the specifications defined during the development of the semiconductor chip, in particular compliance with envisaged physical dimensions and materials used. Checks of this type can be carried out substantially more simply than the complicated prior art fault assessments.
Furthermore, the new approach has the advantage that, because of the unchanging nature of the semiconductor chip after its manufacture, specific fault causes can reliably be ruled out from the beginning. For example, during a fault assessment a short circuit between two conductor tracks on the semiconductor substrate can be ruled out if the two conductor ends maintain a sufficient distance from each other. In contrast, for example, a short circuit as a result of mechanical crushing could arise in operation between two conductor cables which are insulated from each other in a conventional manner known per se.
Furthermore, the new approach has the advantage that the recognized, tried and trusted methods of carrying out a fault assessment can be applied in the same way as hitherto, which, not least, also makes acceptance by the responsible inspecting authorities easier. Because of the unchanging nature of the semiconductor chip, it is in particular possible to transfer those methods which are recognised in the fault assessment of printed circuit boards.
Furthermore, the measure according to the invention has the advantage that a semiconductor chip can be accommodated in a manner known per se and with tried and tested manufacturing methods in a dust-tight housing, which substantially minimizes fault causes arising from industrial contamination. Fault causes of this type can therefore likewise be ruled out during the fault assessment to be carried out.
Furthermore, the safety switching device according to the invention can be fabricated very efficiently in very large numbers, without additional fault causes being created in this way. Not least, the safety switching device according to the invention can be miniaturized very highly, owing to the measure proposed, which enlarges the field of use and the possible uses considerably.
In a refinement of the invention, the first and the second signal processing channel each have at least one co
Rupp Roland
Schwenkel Hans
Deberadinis Robert L
Harness & Dickey & Pierce P.L.C.
Pilz GmbH & Co.
LandOfFree
Electronic safety switching device and method does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Electronic safety switching device and method, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Electronic safety switching device and method will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3292631