EP2782112B1 - Monitoring and control system comprising a safety switch and method for operating a safety switch - Google Patents

Publication number
EP2782112B1
Authority
EP
European Patent Office
Prior art keywords
relays
group
switching contacts
sets
contacts
Legal status
Active
Application number
EP13305355.3A
Other languages
German (de)
French (fr)
Other versions
EP2782112A1 (en)
Inventor
Achilles Papageorgiou
Stephan Colle
Frédéric Janssens
Current Assignee
Alstom Transport Technologies SAS
Original Assignee
Alstom Transport Technologies SAS
Application filed by Alstom Transport Technologies SAS
Priority to DK13305355.3T (patent DK2782112T3)
Priority to EP13305355.3A (patent EP2782112B1)
Publication of EP2782112A1
Application granted
Publication of EP2782112B1

Classifications

    • H: ELECTRICITY
    • H01: ELECTRIC ELEMENTS
    • H01H: ELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
    • H01H47/00: Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
    • H01H47/002: Monitoring or fail-safe circuits
    • H01H47/004: Monitoring or fail-safe circuits using plural redundant serial connected relay operated contacts in controlled circuit
    • H01H47/005: Safety control circuits therefor, e.g. chain of relays mutually monitoring each other

Definitions

  • the present invention concerns a monitoring and control system comprising a safety switch and a controller. Further, the present invention relates to a method for operating a safety switch.
  • DE 10 2005 048 601 B3 discloses a device having two microcontrollers to determine measuring quantities that are representative for partial impedances of a position indicator, respectively.
  • the microcontrollers include two outputs that are connected with two connectors of the indicators, respectively, where the outputs are alternately assigned with a high potential or a low potential.
  • the controllers include inputs that are connected with adjustable pickups of the indicator.
  • a switching unit is provided to separate the indicator from the outputs of the controllers.
  • WO 96/41358 A1 discloses a power disconnect switch which employs a plurality of high current relays which are simultaneously activated by the application of a control signal to an attached control terminal.
  • US 6,738,246 concerns a combination of a microrelay switch switching off small overcurrents, and a short-circuit current limiter, for example a fuse link, a PTC thermistor or a power breaker, for limiting or switching of large overcurrents.
  • EP 0 094 045 A2 concerns a contact arrangement for a relay.
  • a safety switch for switching a plurality of safety critical loads was based on normal relays and includes a voltage measurement device for providing information, whether a voltage at the output of the switch was present.
  • safety critical loads should be switched with switches complying with the European norm EN 50 205 type A.
  • safety switches for safety critical loads may comprise two relays, which are connected in series. Each relay comprises at least two sets of contacts for switching a first line and a second line. Further, these relays comprise a read back contact detecting the state of each of the relays. These relays are normally guided relays, in which the means for moving the contacts are connected.
  • The object of the invention is to provide a monitoring and control system comprising a safety switch which provides a minimum predefined air gap with a high reliability.
  • a monitoring and control system comprising:
  • the method may include one or more of the following features: the safety switch is a safety switch comprised in the monitoring and control system according to an embodiment disclosed herein.
  • FIG. 1 shows a monitoring and control system 1 according to an embodiment of the invention.
  • the monitoring and control system 1 is provided for the control of safety critical loads 3, for example for signalling lamps or traffic lights, in particular for a railway.
  • the safety critical load has to be controlled whether there is a defect in the switch or in the load itself.
  • the monitoring and control system 1 detects whether a load is present, whether it is switched off or on or has a defect and, in particular how much energy it consumes.
  • the control and monitoring system 1 may detect whether a lamp 3 exists, whether the lamp is switched on or off, or whether it has a defect.
  • the monitoring and control system 1 comprises a safety switch 5 having an input side with a first and a second terminal 7a, 7b and an output side with a first and second output terminal 9a, 9b.
  • the first input terminal 7a of the safety switch 5 is connected to a first input power line 11a and the second input terminal 7b is connected to a second input power line 11b, for example of a power grid.
  • the first and second input power lines 11a, 11b provide a current of, for example, 110 V direct current (DC) or 230 volt alternating current (AC) to the safety switch 5, because the safety critical loads 3 need such a current.
  • the output terminals 9a, 9b are connected respectively with a first line 13a and a second line 13b to a plurality of load switches 100, 200, ... , and 800.
  • the monitoring and control system 1 includes eight load switches. However, in other embodiments, the monitoring and control system may comprise more or fewer switches.
  • the plurality of load switches 100, 200, ... , 800 are connected electrically in parallel via a first line 13a and a second line 13b to the output side 9 of the safety switch 3.
  • Each load switch 100, 200, ... , 800 is associated with a respective safety critical load 3, for example a signalling lamp.
  • one safety critical load may comprise more than one signalling lamp.
  • the load switches 100, 200, ... , 800 may be replaced by another device for regulating an output current and/or output voltage, for example a pulse width modulation circuit.
  • the safety critical load 3 may be dimmed.
  • the load switches 100, 200, ... , 800 comprise each two input terminals, namely a first input terminal 102a, 202a, ... , 802a and second input terminals 102b, 202b, ... , 802b.
  • the first input terminals 102a, 202a, ... , 802a are connected to the first line 13a and the second input terminals 102b, 202b, ... , 802b are connected to the second line 13b.
  • the load switches 100, 200, ... , 800 have an output side with respectively a first output terminal 104a, 204a, ... , 804a and a second output terminal 104b, 204b, ... , 804b.
  • the output terminals are connected respectively to the safety critical load 3.
  • monitoring and control system 1 includes a controller 900 which is connected to the safety switch 5 and each of the load switches 100, 200, ... , 800 to monitor individually the state of each of the safety critical loads 3, and to control the load switches 100, 200, ... , 800 and the safety switch 5.
  • Each load switch 100, 200, ..., 800 comprises a first switch 106a, 206a, ..., 806a for switching the line between the first input terminal 102a, 202a, ... , 802a and the first output terminal 104a, 204a, ..., 802a. Further, the load switches 100, 200 , ..., 800 comprise a second switch 106b, 206b, ..., 806b for switching a second line between the second input terminal 102b, 202b, ..., 802b and the second output terminal 104b, 204b, ..., 804b.
  • the respective safety critical load 3 is provided with a current.
  • the first switch 106a, 206a, ..., 806a is a semi-conductor switch, for example a MOS switch.
  • a semi-conductor switch permits a high frequency switching, for example for a blinking light.
  • the second switch 106b, 206b, ..., 806b is a relay switch.
  • the relay switch permits switching high loads.
  • both the first and the second switch 106a, 106b, 206a, 206b, ..., 806a, 806b are relay switches.
  • the load switches 100, 200, ..., 800 do not, in an embodiment, have a security function, for example a minimum air gap, so that, in case a malfunction of one of the load switches 100, 200, ..., 800 is detected, the controller 900 is adapted to release the safety switch 5. This may reduce the complexity of the load switches 100, 200, 800. Thus, in such an embodiment, the space and costs for each load switch 100, 200, 800 are reduced.
  • the load switches 100, 200, ..., 800 include a voltmeter or an ampere meter for detecting the voltage and/or current at their output terminals 104a, 104b, 204a, 204b, ..., 804a, 804b.
  • the controller 900 is adapted to release the safety switch 5 in case a fault is detected on the circuit board on which the switches and/or the controller is arranged and/or outside the circuit board.
  • FIG. 2 shows schematically the general architecture of the safety switch 5.
  • the safety switch 5 and the controller 900 comprise two channels, namely a first channel CH1 and a second channel CH2.
  • the safety switch 5 comprises a first group of relays 1000 associated with the first channel CH1 and a second group of relays 1100 associated with the second channel CH2.
  • the safety switch may comprise more than two groups of relays, for example three or more groups associated with a respective channel.
  • the number of groups of relays depends on the combined minimum air gap to be provided between the first input terminal 7a and the first output terminal 9a and the combined minimum air gap between the second input terminal 7a and second output terminal 9b.
  • the combined minimum air gap to be provided is dependent on the voltage to be switched and is defined by a European Norm EN50205 type A.
  • the first group of relays 1000 comprises a first relay 1010 and a second relay 1080.
  • the second group of relays 1100 comprises a first relay 1110 and a second relay 1180.
  • Each relay 1010, 1080, 1110, 1180 has a first set of switching contacts 1012, 1082, 1112, 1182, a second set of switching contacts 1014, 1084, 1114, 1184, a set of read back contacts 1016, 1086, 1116, 1186, and an actuator 1018, 1088, 1118, 1188, for example a coil, for moving the contacts of the respective relay.
  • the sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are provided to switch the power supply to the safety critical loads and/or the load switches 100, 200, ..., 800.
  • the sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are normally opened contacts.
  • the read back contacts 1016, 1086, 1116, 1186 are normally closed contacts.
  • the relays 1010, 1080, 1110, 1180 of the safety switch 5 are guided contact relays.
  • these relays 1010, 1080, 1110, 1180 guarantee, when the normally closed contact in form of the read back contacts 1016, 1086, 1116, 1186 is detected as closed, that the associated normally opened contacts, namely the sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are opened with a minimal air gap of a predetermined width.
  • the first sets of switching contacts 1012, 1082, 1112, 1182 are connected electrically in parallel. Further, within each group of relays 1000, 1100, the second sets of switching contacts 1014, 1084, 1114, 1184 are connected in parallel.
  • the first sets of switching contacts 1012, 1082 of the first group of relays 1000 and the first sets of switching contacts 1112, 1182 of the second group of relays 1100 are connected electrically in series. Further, for the same reasons, the second sets of switching contacts 1014, 1084 of the first group of relays 1000 and the second sets of switching contacts 1114, 1184 of the second group of relays 1100 are also connected electrically in series.
  • a current between the first input terminal 7a and the first output terminal 9a must traverse at least one of the first sets of switching contacts 1012, 1082 of the first group of relays 1000 and at least one of the first sets of switching contacts 1112, 1182 of the second group of relays 1100.
  • a current traversing the safety switch 5 between the second input terminal 7b and the second output terminal 9b traverses at least one of the second sets of switching contacts 1014, 1082 of the first group of relays 1000 and at least one of the second sets of switching contacts 1114, 1182 of the second group of relays 1100.
  • the first sets of switching contacts 1012, 1082 of the first group of relays 1000 comprise each two subsets of contacts 1020, 1022; 1090, 1092 connected in series.
  • the subsets of contacts 1020, 1022; 1090, 1092 are opened and closed simultaneously, in particular simultaneously with the second set of switching contacts 1014, 1084 of the same relay.
  • a relay 1010, 1080 may comprise three sets of switching contacts 1014, 1020, 1022; 1084, 1090, 1092, which are normally open and mechanically connected to each other so that all three sets of switching contacts 1014, 1020, 1022; 1084, 1090, 1092 open and close simultaneously, wherein two of the switching contacts form the subsets of contacts 1020, 1022; 1090, 1092 by connecting them in series.
  • the second sets of switching contacts 1114, 1184 of the second group of relays 1100 are formed by respectively two subsets of contacts 1120, 1122; 1190, 1192 connected in series.
  • the subsets of contacts 1120, 1122; 1190, 1192 are opened and closed simultaneously, in particular simultaneously with the first set of switching contacts 1112, 1182 of the same relay.
  • a relay 1110, 1180 may comprise three sets of switching contacts 1112, 1020, 1022; 1182, 1090, 1092, which are normally open and mechanically connected to each other so that all three sets of switching contacts 1112, 1020, 1022; 1182, 1090, 1092 open and close simultaneously, wherein two of the switching contacts form the subsets of contacts 1120, 1122; 1190, 1192 by connecting them in series.
  • these relays 1010, 1080, 1110, 1180 guarantee, when the normally closed contact in form of the read back contacts 1016, 1086, 1116, 1186 is detected as closed, that the sets of switching contacts and the subsets of contacts 1020, 1022, 1014, 1090, 1092, 1084, 1112, 1120, 1122, 1182, 1190, 1192 (i.e. the physical sets of contacts) are opened respectively with a minimal air gap of a predetermined width, for example of 0.5 mm according to the European norm EN50205.
  • FIG. 3 shows schematically the controller 900.
  • the controller includes two channels, namely a first channel CH1 mainly responsible for switching the relays of the same channel, i.e. the first group of relays 1000, and a second channel CH2 mainly responsible for switching the relays of the same channel, i.e. the second group of relays 1100.
  • the controller 900 comprises a first processor 1005 and a second processor 1105 which operate independently from each other.
  • the first processor 1005 is associated with the first channel CH1 and the second processor 1105 is associated with the second channel CH2.
  • the first processor 1005 is adapted to generally actuate the first and the second relays 1010, 1080 of the first group of relays 1000 and the second processor 1105 is provided to control the first and second relays 1110, 1180 of the second group of relays 1100.
  • the controller 900 comprises a first programmable logic device (PLD) 1007 and a second PLD 1107.
  • the first PLD 1007 is associated with the first channel CH1 or the first group of relays 1000 and the second PLD 1107 is associated with the second channel CH2 or the second group of relays 1100.
  • each channel CH1, CH2 comprises in this embodiment two subcontrollers as intelligent devices, namely one processor 1005, 1105 and one PLD 1007, 1107.
  • the PLDs 1007, 1107 are respectively a field programmable gate array (FPGA). In other embodiments, the PLDs 1007, 1107 are respectively realized as a programmable logic array, programmable array logic, a generic array logic, or a complex programmable logic device.
  • the first PLD 1007 is connected to the first processor 1005 and the second PLD 1107 is connected to the second processor 1105.
  • the first processor 1005 and the second processor 1105, connected to each other via a link 902, are adapted to control and/or monitor each other.
  • the subcontrollers associated with different channels CH1, CH2 monitor each other.
  • the processors 1005, 1105 are adapted to exchange security keys.
  • the first and/or the second processor 1005, 1105 are adapted to send the result of the exchange of keys to the respective PLD 1007, 1107.
  • control means for example voltmeters and/or ampere meters for determining the output current and voltages of the safety switch 5 and the load switches 100, 200, ... , 800 are also connected to the processors 1005, 1105.
  • Each of the processors 1005, 1105 is adapted to release each of the relays 1010, 1080, 1110, 1180 of the safety switch.
  • Each of the read back contacts 1016, 1086, 1116, 1186 of the relays 1010, 1080, 1110, 1180 of the safety switch 5 is electrically connected to the processors 1005, 1105 via a respective branch circuit 1024, 1094, 1124, 1194.
  • the branch circuits are adapted to provide independently to each of the processors 1005, 1105 the state of the read back contacts 1016, 1086, 1116, 1186, in particular whether the respective read back contact 1016, 1086, 1116, 1186 is closed or open.
  • the branch circuit will be described in more detail with respect to figure 5.
  • the controller includes a plurality of control circuits 1026, 1096, 1126, 1196 adapted to control the energizing of the actuator 1018, 1088, 1118, 1188 or relay coil of the respective relay 1010, 1080, 1110, 1180 depending on the instructions of the processors 1005, 1105 and the PLDs 1007, 1107.
  • Each control circuit 1026, 1096, 1126, 1196 is associated with a respective actuator 1018, 1088, 1118, 1188 of a relay 1010, 1080, 1110, 1180.
  • the number of control circuits corresponds to the number of relays of the safety switch 5.
  • the first control circuit 1026 is associated with the first relay 1010 and the second control circuit 1096 is associated with the second relay 1080 of the first group of relays 1000 or the first channel
  • the third control circuit 1126 is associated with the first relay 1110 and the fourth control circuit 1196 is associated with the second relay 1180 of the second group of relays 1100 or the second channel
  • figure 4 shows in more detail the control circuit 1026 adapted to control the energizing of the actuator 1018 of the first relay 1010 of the first group of relays 1000.
  • the actuator 1018 is activated or deactivated in response to switching signals of the first processor 1005.
  • the PLD 1007 and the second processor 1105 associated with the other or second group of relays 1100 are adapted to deenergize the actuator 1018 and thus to release the first relay 1010 in case a malfunction is detected.
  • An output 1028 of the PLD 1007 is connected to a charge pump 1030.
  • the PLD 1007 is adapted to provide a watch dog signal to an input 1032 of the charge pump 1030.
  • the watch dog signal is typically a first high frequency signal 1034 during the normal functioning of the PLD. For example, for each or a specific number of clock signals, the first high frequency signal 1034 may change its state, for example from high to low or vice versa.
  • the PLD is adapted to stop emitting the first high frequency signal 1034 or watch dog signal to the charge pump 1030. Instead a static signal is applied to the input 1032 of the charge pump 1030.
  • the signals may have another form and instead of the charge pump another device may be used.
  • the signal at the output 1036 of the charge pump 1030 depends on the signal applied to the input 1032 of the charge pump 1030. For example, in case a high frequency signal is applied to the input 1032, the charge pump 1030 accumulates the energy of the incoming signal and the voltage of the output signal rises to a specific value. In case a constant or zero volt signal is applied to the input 1032, the voltage of the output signal falls to zero volts. In other words, in case a constant signal is applied to the input 1032, the charge pump 1030 will discharge.
  • the output 1036 of the charge pump 1030 is connected to a first transistor 1038, in particular to the gate 1040 or the base of the first transistor 1038.
  • the first transistor is a MOSFET.
  • the first transistor 1038 may be another type of transistor, for example a bipolar transistor.
  • Source and drain 1042, 1044 of the transistor 1038, or emitter and collector in case of a bipolar transistor, are connected in series between the positive power 1046 and the first terminal 1048 of the actuator 1018 of the first relay 1010.
  • a current may flow between the positive power 1046 and the first terminal 1048 of the actuator 1018.
  • the charge pump 1030 needs more than one pulse to provide a signal at its output 1036 that is sufficient to activate the transistor 1038.
  • the second terminal 1050 of the actuator 1018 and the collector and emitter 1052, 1054 of a second transistor 1056 are connected in series with a negative power or ground 1058.
  • the second transistor 1056 is a bi-polar transistor.
  • other types of transistors may be used, for example MOSFETs.
  • a current may flow between the second terminal 1050 of the actuator 1018 and the negative power 1058.
  • control circuit 1026 shown in figure 4 includes an AND gate 1062.
  • the output 1064 of the AND gate 1062 is connected to the base 1060 of the second transistor 1056.
  • a first output 1066a of the first processor 1005 is connected to an input 1068 of a second charge pump 1070.
  • the second charge pump 1070 functions similarly to the first charge pump 1030.
  • the output 1072 of the second charge pump 1070 is connected to a first input 1074a of the AND gate 1062.
  • the first output 1066a of the first processor 1005 is adapted to generate a high frequency signal 1076, for example a rectangular wave signal or another alternating signal.
  • the first output 1066a may be a General Purpose Input Output (GPIO) of the processor.
  • the first processor 1005 is adapted to provide the high frequency signal 1076 at its first output 1066a during normal functioning. In case of a failure of the processor 1005, for example if the processor hangs, the first output 1066a will emit a static signal, so that the charge pump 1070 will discharge.
  • the second high frequency 1034 signal may change its state, for example from high to low or vice versa.
  • the signals may have another form and instead of the charge pump another device may be used.
  • the processor 1005 has a second output 1066b which is connected directly to a second input 1074b of the AND gate 1062.
  • the second output 1066b may be a General Purpose Input Output (GPIO) of the processor.
  • the processor 1005 is adapted to apply to the second output 1066b the command to activate and deactivate or release the respective relay 1010 of the first group 1000 of relays.
  • the processor 1005 may be adapted to deactivate or release the relays depending on the result of a failure detected in one of the load switches 100, 200, ..., 800 or the loads 3.
  • a third output 1166c of the second processor 1105 is directly connected to the third input 1074c of the AND gate 1105.
  • the third output 1166c may be a General Purpose Input Output (GPIO) of the processor.
  • the second processor 1105, associated with the second group of relays 1100, is adapted to provide a direct command to inhibit the activation of the actuator 1018 of the relay 1010 of the first group of relays 1000. In other words, in case the second processor 1105 detects a failure of the first processor 1005, the second processor 1105 is adapted to release the relays 1010, 1080 of the first group of relays 1000.
  • the control circuit 1026 is adapted to activate the actuator 1018 of the first relay 1010 only when the PLD 1007, the first processor 1005 and the second processor 1105 provide the respective signals to the first charge pump 1030, the second charge pump 1070 and the AND gate 1062. This is in particular the case if positive signals are applied to the inputs 1074a, 1074b, 1074c of the AND gate 1062.
  • the actuator 1018 can only be activated using a signal at the second output 1066b of the first processor, when the PLD 1007 emits the high frequency signal 1034, the first output 1066a of the first processor 1005 emits the high frequency signal 1076 and the second processor 1105 emits a signal, such that a positive signal is applied to the third input 1074c of the AND gate 1062.
  • the combination of the signals may be provided differently.
  • the outputs 1036, 1072 of the first charge pump 1030 and the second charge pump 1070 may be combined with a second AND gate.
  • the activation or release of the actuator 1018 of a relay 1010 reacts faster to the second output 1066b of the first processor 1005 and to the third output 1166c of the second processor 1105 than to the output 1028 of the PLD 1007 providing the signal to the charge pump 1030 or to the first output 1066a of the first processor 1005 providing the signal 1076 to the charge pump 1070, because the charge pumps 1030, 1070 need some moments to discharge, when their respective input signals are constant.
  • control circuit 1026 of figure 4 has been described with respect to the actuator 1018 of the first relay 1010 of the first group of relays 1000 corresponding to the first channel.
  • Corresponding control circuits 1096, 1126, 1196 are provided for the actuators 1088, 1118, 1188 of the second relay 1080 of the first group of relays and the first and second relays 1110, 1180 of the second group of relays 1100 corresponding to the second channel.
  • in the control circuit 1126 for activating the actuator of the first relay 1110 of the second group of relays 1100, instead of the signals of the first PLD 1007, an output of the second PLD 1107 is connected to the first charge pump, a first output of the second processor 1105 is connected to the second charge pump, a second output of the second processor 1105 is directly connected to the AND gate, and the third output 1066c of the first processor 1005 is connected directly to the AND gate.
  • the control circuits 1096, 1196 are similarly connected to the first and second processors 1005, 1105 and first or second PLDs 1007, 1107.
  • Figure 5 shows details of the branch circuit 1024 for the connection of the read back contact 1016 of the first relay 1010 of the first group of relays 1000 to both processors 1005, 1105.
  • the subcontrollers here the first and second processors 1005, 1105, of both channels CH1 and CH2 are provided with the state of the read back contact 1016.
  • the branch circuits 1094, 1124, 1194 are identical to the branch circuit 1024 to connect the respective read back contacts 1086, 1116, 1186 to a respective input of the first processor 1005 and the second processor 1105 of the controller 900.
  • the state of the relays 1010 is verified and controlled by the read back contacts 1016, which are normally closed contacts.
  • the read back contacts 1016 have a first contact 1078a directly connected to a power source, for example a five volt power source.
  • the second contact 1078b is connected respectively in parallel to an input terminal of the first processor 1005 and an input terminal of the second processor 1105.
  • the connection between the second contact 1078b and the input terminals of the processors 1005, 1105 is performed respectively via a voltage divider associated with each processor to convert the voltage of the power source into the voltage compatible with the input terminals of the processors 1005, 1105.
  • the first voltage divider is formed by resistance R3 and resistance R4, and the second voltage divider is formed by resistance R2 and resistance R5.
  • a resistance R1 is connected to the ground GND between the second read back terminal 1078b and the voltage dividers.
  • the resistance R1 has a resistance value being much smaller than resistance values of R4 and R5.
  • the resistance values of R4 and R5 are about 10 kOhms.
  • the PLDs 1007, 1107 associated with the group of relays 1000, 1100 to which the relay to be activated belongs provide the high frequency alternating signals 1034 to the respective charge pumps 1030, so that the transistors 1038 enable the positive power 1046 to be provided to the first terminals 1048 of the actuators 1018, 1088, 1118, 1188 of the relays 1010, 1080, 1110, 1180.
  • the first output terminals 1066a of the processors 1005, 1105 associated with the group of relays 1000, 1100 to which the relay to be activated belongs provide the respective alternating high frequency signals 1076 to the charge pumps 1070.
  • the charge pump 1070 provides a respective voltage (or positive value) to the first input 1074a of the AND gate 1062. Further, a positive signal is applied to the third input 1074c of the AND gate 1062 coming from the third terminal 1166c of the processor 1005, 1105 associated with the other group of relays 1000, 1100.
  • the actuator 1018, 1088, 1118, 1188 of the respective relay is activated, and when the signal on the second output terminal 1066b is disabled, the respective coil of the relay is deactivated and the relay moves back into the release state.
  • Both processors 1005, 1105 perform a regular exchange of keys which is then sent to the PLD 1007, 1107.
  • the PLD disables its output 1028 and provides a constant signal instead of the alternating signal 1034 to the respective charge pumps 1030. Consequently, the actuator 1018, 1088, 1118, 1188 or coil of the respective relays 1010, 1080, 1118, 1188 cannot be activated any more or is released, because the signal at the output 1036 of the charge pump 1030 applied to the gate 1040 of the transistor 1038 is 'deactivated'.
  • the first transistor 1038 is in a blocking state. For example, if the first PLD 1007 does not receive the correct key, both relays 1010, 1080 of the first group of relays 1000 which are associated with the first PLD 1007 are released.
  • a regular test with the wrong key is performed. Then, the respective PLD 1007, 1107 receiving the wrong key releases the associated relays 1010, 1080, 1110, 1180.
  • one processor 1005, 1105 detects that the other processor 1005, 1105 of the same controller 900, but of another channel CH1, CH2, is not working correctly, it deactivates its output signals at the third output terminals 1066c, 1166c connected to the third input 1074c of the AND gates 1062 of the control circuits 1026, 1096, 1126, 1196 and both relays of the other channel CH1, CH2, which are associated with the other processor, are released.
  • the second processor 1105 of the second channel CH2 detects that the first processor 1005 of the first channel CH1 does not work properly, the second processor 1105 commands its third output terminals 1166c connected to the control circuits 1026, 1096 of the first channel CH1 so that the output of the AND gate 1062 is negative and the second transistor 1056 is in a blocking state. Then, the respective relays 1010, 1080 of the first group of relays 1000 or the first channel CH1 are released.
  • the first output 1066a connected to the control circuits 1026, 1096, 1126, 1196 no longer creates an alternating high frequency signal 1076, so that the output 1072 of the charge pump 1070 falls after a few moments below a specific value and the output 1064 of the AND gate 1062 commands the second transistor 1056 to be in the blocking state.
  • Figure 6 shows a flowchart for testing the safety switch 5. For testing the safety switch 5, one relay after the other is released, whereas the other relays remain in their active state.
  • a first step 1200 the first relay 1010 of the first group 1000 is released, for example by the first processor 1005, and the other relays 1080, 1110, 1180 remain in the active or activated state.
  • the current bypasses the switching contacts 1012, 1014, 1020, 1022 of the first relay by the switching contacts 1082, 1084, 1090, 1092 of the second relay 1080 of the first group 1000.
  • the output voltage is monitored at the output terminals 9a, 9b and the first processor 1005 verifies that the read back contacts 1016 of the relay 1010 are closed.
  • a second step 1202 the first relay 1010 of the first group 1000 is again activated and the second relay 1080 of the first group 1000 is released whereas both relays 1110 and 1180 of the second group 1100 remain in their active state.
  • the output voltage is monitored at the output terminals 9a, 9b and the first processor 1005 verifies that the read back contacts 1086 of the relay 1080 are closed.
  • a third step 1204 the second relay 1080 of the first group 1000 is again activated and the first relay 1110 of the second group 1100 is released whereas both relays 1010 and 1080 of the first group 1000 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the second processor 1105 verifies that the read back contacts 1116 of the relay 1110 are closed.
  • a fourth step 1206 the first relay 1110 of the second group 1100 is again activated and the second relay 1180 of the second group 1100 is released whereas both relays 1010 and 1080 of the first group 1000 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the second processor 1105 verifies that the read back contacts 1186 of the relay 1180 are closed.
  • the different relays 1010, 1080, 1110, 1180 may be also tested one after the other in another arbitrary sequence.
  • the read back contacts 1016, 1086 of the stuck relay remain open even if the first processor 1005 commands the release of the relays 1010, 1080.
  • the switching contacts may stick together if the switching contacts are molten together due to an excessive current.
  • the first and/or the second processor 1005, 1105 detects that the read back contacts 1016, 1086 are still open. Thus the first and/or the second processor 1005, 1105 concludes that there is a fault of the first and/or second relay 1010, 1080 of the first group of relays 1000. Then, the first and/or the second processor 1005, 1105 consequently releases the first and second relays 1110, 1180 of the second group of relays 1100 or the second channel CH2. Consequently, there is no current applied to the output terminals 9a, 9b of the safety switch 5.
  • the read back contacts 1116, 1186 of the stuck relay remain open even if the second processor 1105 commands the release of the relays 1110, 1180.
  • the first and/or the second processor 1005, 1105 detects that the read back contacts 1116, 1186 of the stuck relay are still open. Thus the first and/or the second processor 1005, 1105 concludes that there is a fault of the first and/or second relay 1110, 1180 of the second group of relays 1100. Then, the first and/or the second processor 1005, 1105 consequently releases the first and second relays 1010, 1080 of the first group of relays 1000 of the first channel CH1. Consequently, there is no current applied to the output terminals 9a, 9b of the safety switch 5.
  • the safety switch 5 provides an architecture which is driven by a 2oo2 system (two out of two).
  • a 2oo2 system two out of two.
  • both channels CH1, CH2 including respectively a group of relays 1000, 1100 which are controlled by respectively a processor 1005, 1105 must be in accordance.
  • the activation of a relay needs the active signals of at least three intelligent devices, namely one PLD and the two processors (3oo3, three out of three).
  • When all relays are released, the safety switch provides the maximal air gap across the switching contacts.
  • the switching contacts 1014, 1084, 1112, 1182 and subcontacts 1020, 1022, 1090, 1092, 1120, 1122, 1190, 1192 provide a minimum air gap of 0.5 mm.
  • the complete (maximal) air gap will be 1.5 mm between the first input terminal 7a and the first output terminal 9a or the second input terminal 7b and the second output terminal 9b.
  • the safety switch assures a safety minimal distance of 1.5 mm across the contacts, when the safety switch is released in order to handle voltages of 230V alternating current. Further, the maximum switching direct current voltage is higher than in prior solutions thanks to three normally open contacts connected in series.
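The relay arrangement, the test sequence of figure 6 and the reaction to a stuck relay can be modelled as follows. This Python model is an added example, not part of the patent text; the class and function names are hypothetical, and it assumes that a welded relay keeps all of its switching contacts closed.

```python
from dataclasses import dataclass

GAP_MM = 0.5  # minimum air gap per open physical contact set (value from the text)
GROUPS = (1000, 1100)

# (relay, group, contact sets in series on pole a (7a->9a), on pole b (7b->9b)).
# Group 1000 has two sub-contacts on pole a, group 1100 has two on pole b.
LAYOUT = [
    (1010, 1000, 2, 1),
    (1080, 1000, 2, 1),
    (1110, 1100, 1, 2),
    (1180, 1100, 1, 2),
]


@dataclass
class Relay:
    ref: int
    group: int
    series_a: int
    series_b: int
    energised: bool = False
    welded: bool = False  # constructed fault: switching contacts molten together

    @property
    def switching_closed(self) -> bool:
        # Normally open contacts: closed when energised. Modelling assumption:
        # a welded relay keeps all of its switching contacts closed.
        return self.energised or self.welded

    @property
    def readback_closed(self) -> bool:
        # Normally closed, mechanically guided read back contact: it can only
        # close when the switching contacts are really open.
        return not self.switching_closed


class SafetySwitch:
    def __init__(self, welded=()):
        self.relays = {ref: Relay(ref, grp, a, b, welded=ref in welded)
                       for ref, grp, a, b in LAYOUT}

    def group(self, grp):
        return [r for r in self.relays.values() if r.group == grp]

    def activate_all(self):
        for r in self.relays.values():
            r.energised = True

    def release_group(self, grp):
        for r in self.group(grp):
            r.energised = False

    def output_powered(self) -> bool:
        # Parallel inside a group, groups in series: each group needs at
        # least one relay with closed switching contacts.
        return all(any(r.switching_closed for r in self.group(g)) for g in GROUPS)

    def air_gap_mm(self, pole: str) -> float:
        # Series gaps add up; across parallel branches the smallest gap counts.
        total = 0.0
        for g in GROUPS:
            total += min(
                0.0 if r.switching_closed
                else GAP_MM * (r.series_a if pole == "a" else r.series_b)
                for r in self.group(g))
        return total

    def self_test(self):
        """Release one relay at a time (steps 1200 to 1206) and check its read
        back contact. Returns (faulty relay or None, per-step log)."""
        log = []
        for ref in (1010, 1080, 1110, 1180):
            relay = self.relays[ref]
            relay.energised = False
            powered = self.output_powered()   # voltage at 9a, 9b during the step
            released = relay.readback_closed  # guided contact confirms the release
            log.append((ref, powered, released))
            if not released:
                # Fault reaction from the text: release the relays of the other group.
                other = GROUPS[1] if relay.group == GROUPS[0] else GROUPS[0]
                self.release_group(other)
                return ref, log
            relay.energised = True
        return None, log


def run(welded=()):
    """Activate everything, run the test, report the resulting switch state."""
    sw = SafetySwitch(welded)
    sw.activate_all()
    faulty, log = sw.self_test()
    return faulty, log, sw.output_powered(), sw.air_gap_mm("a"), sw.air_gap_mm("b")


if __name__ == "__main__":
    for case in ((), (1080,), (1110,)):
        print(case, run(case))
```

In the healthy case the output stays powered during every test step, because the parallel relay of the same group carries the current. With a welded relay the other group is released and the output is de-energised, although the remaining air gap is smaller than the 1.5 mm obtained when all relays release.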

Landscapes

  • Safety Devices In Control Systems (AREA)

Description

  • The present invention concerns a monitoring and control system comprising a safety switch and a controller. Further, the present invention relates to a method for operating a safety switch.
  • DE 10 2005 048 601 B3 discloses a device having two microcontrollers to determine measuring quantities that are representative for partial impedances of a position indicator, respectively. The microcontrollers include two outputs that are connected with two connectors of the indicators, respectively, where the outputs are alternately assigned with a high potential or a low potential. The controllers include inputs that are connected with adjustable pickups of the indicator. A switching unit is provided to separate the indicator from the outputs of the controllers.
  • WO 96/41358 A1 discloses a power disconnect switch which employs a plurality of high current relays which are simultaneously activated by the application of a control signal to an attached control terminal.
  • US 6,738,246 concerns a combination of a microrelay switch switching off small overcurrents, and a short-circuit current limiter, for example a fuse link, a PTC thermistor or a power breaker, for limiting or switching of large overcurrents.
  • EP 0 094 045 A2 concerns a contact arrangement for a relay.
  • In previous solutions, a safety switch for switching a plurality of safety critical loads was based on normal relays and included a voltage measurement device for providing information on whether a voltage was present at the output of the switch. Typically, safety critical loads should be switched with switches complying with the European norm EN 50 205 type A.
  • For example, safety switches for safety critical loads may comprise two relays, which are connected in series. Each relay comprises at least two sets of contacts for switching a first line and a second line. Further these relays comprise a read back contact detecting the state of each of the relays. These relays are normally guided relays, in which the means for moving the contacts are connected.
  • The object of the invention is to provide a monitoring and control system comprising a safety switch which provides a minimum predefined air gap with a high reliability.
  • In light of the above, a monitoring and control system is provided comprising:
    • a safety switch including:
      • a first input terminal and a second input terminal adapted to be connected to a power supply,
      • a first output terminal and a second output terminal adapted to be connected to at least one load, and
      • at least two groups of relays, wherein each group comprises at least two relays having respectively a first set of switching contacts and a second set of switching contacts, the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator, wherein the first sets of switching contacts of the at least two relays of a group are connected electrically in parallel and the second sets of switching contacts of the at least two relays of a group are connected electrically in parallel,
      • the first sets of switching contacts of a first group being connected electrically in series with the first sets of switching contacts of a second group, the second sets of switching contacts of the first group being connected electrically in series with the second sets of switching contacts of the second group, wherein
    • the first sets of switching contacts of the first group are connected to the first input terminal and the second sets of switching contacts of the first group are connected to the second input terminal, wherein the first sets of switching contacts of the second group being connected to the first output terminal and the second sets of switching contacts of the second group being connected to the second output terminal; and wherein the monitoring and control system further includes a controller for controlling the relays of the at least two groups, wherein the safety switch is adapted to sequentially open the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays remain closed.
  • Embodiments of the monitoring and control system may have one or more of the following features:
    • at least one set of switching contacts of the first or second set of switching contacts of the relays comprises two subsets of switching contacts connected electrically in series, wherein in particular the first sets of switching contacts of the relays of the first group and the second sets of switching contacts of the relays of the second group comprise two subsets of switching contacts connected in series;
    • the sets of switching contacts comprise two subsets of switching contacts and/or the number of groups of relays depends on the voltage to be switched;
    • at least one, in particular all, of the relays comprise at least one set of read back contacts;
    • the first and second sets of switching contacts and, in particular the subsets of contacts, are normally open contacts and/or the sets of read back contacts are normally closed contacts, wherein in particular the relays are guided relays, so that when the normally closed contacts are closed, the normally open contacts provide a predetermined minimal distance between their contacts;
    • the monitoring and control system comprises at least two channels, wherein one group of relays of the at least two groups of relays is associated with each channel, wherein the controller comprises a plurality of subcontrollers, each channel comprising at least one, in particular two or more, of the plurality of subcontrollers, wherein for each channel:
      at least one first subcontroller, in particular a processor, of said channel being adapted to command the actuators of the relays associated with said channel and the actuators of the relays associated with at least one other channel;
    • the at least one first subcontroller of a first channel is adapted to monitor the functioning of at least one first subcontroller associated with another channel, wherein the at least one first subcontroller of said other channel is adapted to command the actuators of the relays associated with the first channel, wherein the at least one first subcontroller of the first channel is adapted to release the relays of said other channel when a failure of the at least one first subcontroller of said other channel is detected by the at least one first subcontroller.
    • at least one channel, in particular all channels, comprises at least one second subcontroller of the plurality of subcontrollers, in particular in the form of a programmable logic device, wherein each second subcontroller is connected to at least one first subcontroller of the same channel and adapted to monitor the functioning of said at least one first subcontroller.
    • the monitoring and control system comprises a plurality of control circuits, wherein each control circuit is connected to a relay for controlling an activation and/or release of said relay and is comprised by the respective channel, wherein for at least one, in particular each control circuit:
      said control circuit is connected to at least one output of at least one first subcontroller of the same channel, to at least one output of at least one first subcontroller of another channel, and, in particular, to at least one output of the at least one second subcontroller of the same channel, wherein the control circuit is adapted to activate and/or release the relay associated with the control circuit based on the outputs of the connected first subcontrollers and, in particular, the output of the connected second subcontrollers;
    • the at least one first subcontroller is adapted to provide a first signal, for example a regularly alternating signal, in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of the outputs connected to the control circuit and/or the at least one second subcontroller is adapted to provide a first signal, for example regularly alternating signal, in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of its outputs connected to the control circuit, wherein, upon reception of the second signal from the at least one first subcontroller and/or the at least one second subcontroller, the control circuit releases the associated relay;
    • each control circuit is adapted to activate the associated relay only in case the signals provided by two subcontrollers, for example the first and second subcontrollers, of at least two different channels, and, in particular, the signal provided by the at least one second subcontroller of the same channel, allow or command an activation of said relay;
    • the read back contacts of each relay are read by at least two first subcontrollers of two different channels, comprising at least one first subcontroller of the channel to which the respective relay is associated; and/or
    • the safety switch comprises two groups of relays comprising respectively two relays, wherein each channel comprises a group of relays.
    Further, a method for operating a safety switch is provided, the safety switch comprising a first input terminal and a second input terminal adapted to be connected to a power supply; a first output terminal and a second output terminal adapted to be connected to at least one load; and at least two groups of relays, wherein each group comprises at least two relays having respectively a first set of switching contacts and a second set of switching contacts, the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator, wherein the first sets of switching contacts of the at least two relays of a group are connected electrically in parallel and the second sets of switching contacts of the at least two relays of a group are connected electrically in parallel, the first sets of switching contacts of a first group being connected electrically in series with the first sets of switching contacts of a second group, the second sets of switching contacts of the first group being connected electrically in series with the second sets of switching contacts of the second group, wherein the first sets of switching contacts of the first group are connected to the first input terminal and the second sets of switching contacts of the first group being connected to the second input terminal, wherein the first sets of switching contacts of the second group being connected to the first output terminal and the second sets of switching contacts of the second group are connected to the second output terminal; wherein the method further comprises: sequentially opening the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays are closed.
  • According to embodiments, the method may include one or more of the following features:
    the safety switch is a safety switch comprised in the monitoring and control system according to an embodiment disclosed herein.
  • So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be read by reference to the embodiments. The accompanying drawings relate to embodiments of the invention and are briefly described in the following:
    • figure 1 shows schematically a monitoring system for monitoring a plurality of safety critical loads comprising a safety switch according to the invention;
    • figure 2 shows schematically the arrangement of relays of the safety switch according to the invention;
    • figure 3 shows schematically the controller of the safety switch according to the invention;
    • figure 4 shows schematically the activation circuit for activating the actuator of a relay of the safety switch;
    • figure 5 discloses schematically the connection of a read back contact to controllers of the safety switch via a branch circuit; and
    • figure 6 shows schematically a flow chart for testing a safety switch.
  • Figure 1 shows a monitoring and control system 1 according to an embodiment of the invention. The monitoring and control system 1 is provided for the control of safety critical loads 3, for example for signalling lamps or traffic lights, in particular for a railway. In such a system it has to be checked whether there is a defect in the switch or in the load itself. The monitoring and control system 1 detects whether a load is present, whether it is switched off or on or has a defect and, in particular, how much energy it consumes.
  • For example, such a control and monitoring system 1 may detect whether a lamp 3 exists, whether the lamp is switched on or off, or whether it has a defect.
  • In the embodiment, the monitoring and control system 1 comprises a safety switch 5 having an input side with a first and a second terminal 7a, 7b and an output side with a first and second output terminal 9a, 9b. The first input terminal 7a of the safety switch 5 is connected to a first input power line 11a and the second input terminal 7b is connected to a second input power line 11b, for example of a power grid.
  • The first and second input power lines 11a, 11b provide a current of, for example, 110 V direct current (DC) or 230 V alternating current (AC) to the safety switch 5, because the safety critical loads 3 need such a current.
  • The output terminals 9a, 9b are connected respectively with a first line 13a and a second line 13b to a plurality of load switches 100, 200, ... , and 800. In the present embodiment, the monitoring and control system 1 includes eight load switches. However, in other embodiments, the monitoring and control system may comprise more or fewer load switches.
  • The plurality of load switches 100, 200, ... , 800 are connected electrically in parallel via a first line 13a and a second line 13b to the output side 9 of the safety switch 5.
  • Each load switch 100, 200, ... , 800 is associated with a respective safety critical load 3, for example a signalling lamp. In another embodiment, one safety critical load may comprise more than one signalling lamp.
  • In further embodiments, the load switches 100, 200, ... , 800 may be replaced by another device for regulating an output current and/or output voltage, for example a pulse width modulation circuit. In such a case, the safety critical load 3 may be dimmed.
  • The load switches 100, 200, ... , 800 comprise each two input terminals, namely a first input terminal 102a, 202a, ... , 802a and second input terminals 102b, 202b, ... , 802b. The first input terminals 102a, 202a, ... , 802a are connected to the first line 13a and the second input terminals 102b, 202b, ... , 802b are connected to the second line 13b. The load switches 100, 200, ... , 800 have an output side with respectively a first output terminal 104a, 204a, ... , 804a and a second output terminal 104b, 204b, ... , 804b. The output terminals are connected respectively to the safety critical load 3.
  • Further the monitoring and control system 1 includes a controller 900 which is connected to the safety switch 5 and each of the load switches 100, 200, ... , 800 to monitor individually the state of each of the safety critical loads 3, and to control the load switches 100, 200, ... , 800 and the safety switch 5.
  • Each load switch 100, 200, ..., 800 comprises a first switch 106a, 206a, ..., 806a for switching the line between the first input terminal 102a, 202a, ... , 802a and the first output terminal 104a, 204a, ..., 804a. Further, the load switches 100, 200, ..., 800 comprise a second switch 106b, 206b, ..., 806b for switching a second line between the second input terminal 102b, 202b, ..., 802b and the second output terminal 104b, 204b, ..., 804b. When both switches 106a, 106b, 206a, 206b, ..., 806a, 806b of a load switch 100, 200, ..., 800 are in the closed position, the respective safety critical load 3 is provided with a current. If only one of the switches 106a, 106b, 206a, 206b, ..., 806a, 806b is open, no current is provided to the safety critical load 3, so that the safety critical load is switched off. In an embodiment, the first switch 106a, 206a, ..., 806a is a semi-conductor switch, for example a MOS switch. A semi-conductor switch permits a high frequency switching, for example for a blinking light. In an embodiment, which may be combined with other embodiments disclosed herein, the second switch 106b, 206b, ..., 806b is a relay switch. The relay switch permits switching high loads. In other embodiments, both the first and the second switch 106a, 106b, 206a, 206b, ..., 806a, 806b are relay switches.
  • In an embodiment, the load switches 100, 200, ..., 800 do not have a security function, for example a minimum air gap, so that, in case a malfunction of one of the load switches 100, 200, ..., 800 is detected, the controller 900 is adapted to release the safety switch 5. This may reduce the complexity of the load switches 100, 200, 800. Thus, in such an embodiment, the space and costs for each load switch 100, 200, 800 are reduced. For example, to detect a malfunction, the load switches 100, 200, ..., 800 include a voltmeter or an ampere meter for detecting the voltage and/or current at their output terminals 104a, 104b, 204a, 204b, ..., 804a, 804b.
  • In another embodiment, the controller 900 is adapted to release the safety switch 5 in case a fault is detected on the circuit board on which the switches and/or the controller is arranged and/or outside the circuit board.
  • Figure 2 shows schematically the general architecture of the safety switch 5. The safety switch 5 and the controller 900 comprise two channels, namely a first channel CH1 and a second channel CH2. The safety switch 5 comprises a first group of relays 1000 associated with the first channel CH1 and a second group of relays 1100 associated with the second channel CH2.
  • In other embodiments, the safety switch may comprise more than two groups of relays, for example three or more groups associated with a respective channel. For example, the number of groups of relays depends on the combined minimum air gap to be provided between the first input terminal 7a and the first output terminal 9a and the combined minimum air gap between the second input terminal 7b and second output terminal 9b. The combined minimum air gap to be provided is dependent on the voltage to be switched and is defined by the European norm EN50205 type A.
  • The first group of relays 1000 comprises a first relay 1010 and a second relay 1080. Correspondingly, the second group of relays 1100 comprises a first relay 1110 and a second relay 1180.
  • Each relay 1010, 1080, 1110, 1180 has a first set of switching contacts 1012, 1082, 1112, 1182, a second set of switching contacts 1014, 1084, 1114, 1184, a set of read back contacts 1016, 1086, 1116, 1186, and an actuator 1018, 1088, 1118, 1188 for moving the contacts of the respective relay, for example a coil. The sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are provided to switch the power supply to the safety critical loads and/or the load switches 100, 200, ..., 800.
  • Typically, the sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are normally opened contacts. In contrast, the read back contacts 1016, 1086, 1116, 1186 are normally closed contacts.
  • The relays 1010, 1080, 1110, 1180 of the safety switch 5 are guided contact relays. By their mechanical architecture, these relays 1010, 1080, 1110, 1180 guarantee, when the normally closed contact in form of the read back contacts 1016, 1086, 1116, 1186 is detected as closed, that the associated normally opened contacts, namely the sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are opened with a minimal air gap of a predetermined width.
  • Within each group of relays 1000, 1100, the first sets of switching contacts 1012, 1082, 1112, 1182 are connected electrically in parallel. Further, within each group of relays 1000, 1100, the second sets of switching contacts 1014, 1084, 1114, 1184 are connected in parallel.
  • As the first group of relays 1000 and the second group of relays 1100 are connected in series, the first sets of switching contacts 1012, 1082 of the first group of relays 1000 and the first sets of switching contacts 1112, 1182 of the second group of relays 1100 are connected electrically in series. Further, for the same reasons, the second sets of switching contacts 1014, 1084 of the first group of relays 1000 and the second sets of switching contacts 1114, 1184 of the second group of relays 1100 are also connected electrically in series.
  • Thus, a current between the first input terminal 7a and the first output terminal 9a must traverse at least one of the first sets of switching contacts 1012, 1082 of the first group of relays 1000 and at least one of the first sets of switching contacts 1112, 1182 of the second group of relays 1100. Further, a current traversing the safety switch 5 between the second input terminal 7b and the second output terminal 9b traverses at least one of the second sets of switching contacts 1014, 1084 of the first group of relays 1000 and at least one of the second sets of switching contacts 1114, 1184 of the second group of relays 1100.
  • The first sets of switching contacts 1012, 1082 of the first group of relays 1000 comprise each two subsets of contacts 1020, 1022; 1090, 1092 connected in series. The subsets of contacts 1020, 1022; 1090, 1092 are opened and closed simultaneously, in particular simultaneously with the second set of switching contacts 1014, 1084 of the same relay. For example, in an embodiment, a relay 1010, 1080 may comprise three sets of switching contacts 1014, 1020, 1022; 1084, 1090, 1092, which are normally open and mechanically connected to each other so that all three sets of switching contacts 1014, 1020, 1022; 1084, 1090, 1092 open and close simultaneously, wherein two of the switching contacts form the subsets of contacts 1020, 1022; 1090, 1092 by connecting them in series.
  • Further, the second sets of switching contacts 1114, 1184 of the second group of relays 1100 are formed by respectively two subsets of contacts 1120, 1122; 1190, 1192 connected in series. The subsets of contacts 1120, 1122; 1190, 1192 are opened and closed simultaneously, in particular simultaneously with the first set of switching contacts 1112, 1182 of the same relay. For example, in an embodiment, a relay 1110, 1180 may comprise three sets of switching contacts 1112, 1120, 1122; 1182, 1190, 1192, which are normally open and mechanically connected to each other so that all three sets of switching contacts 1112, 1120, 1122; 1182, 1190, 1192 open and close simultaneously, wherein two of the switching contacts form the subsets of contacts 1120, 1122; 1190, 1192 by connecting them in series.
  • By their mechanical architecture, these relays 1010, 1080, 1110, 1180 guarantee, when the normally closed contact in form of the read back contacts 1016, 1086, 1116, 1186 is detected as closed, that the sets of switching contacts and the subsets of contacts 1020, 1022, 1014, 1090, 1092, 1084, 1112, 1120, 1122, 1182, 1190, 1192 (i.e. the physical sets of contacts) are opened respectively with a minimal air gap of a predetermined width, for example of 0.5 mm according to the European norm EN50205.
  • Figure 3 shows schematically the controller 900. As indicated above, the controller includes two channels, namely a first channel CH1 mainly responsible for switching the relays of the same channel, i.e. the first group of relays 1000, and a second channel CH2 mainly responsible for switching the relays of the same channel, i.e. the second group of relays 1100.
  • Only a part of the electrical connections between the devices are shown in figure 3. The controller 900 comprises a first processor 1005 and a second processor 1105 which operate independently from each other. For example, the first processor 1005 is associated with the first channel CH1 and the second processor 1105 is associated with the second channel CH2. In particular, the first processor 1005 is adapted to generally actuate the first and the second relays 1010, 1080 of the first group of relays 1000 and the second processor 1105 is provided to control the first and second relays 1110, 1180 of the second group of relays 1100.
  • Further, the controller 900 comprises a first programmable logic device (PLD) 1007 and a second PLD 1107. For example, the first PLD 1007 is associated with the first channel CH1 or the first group of relays 1000 and the second PLD 1107 is associated with the second channel CH2 or the second group of relays 1100. In other words, each channel CH1, CH2 comprises in this embodiment two subcontrollers as intelligent devices, namely one processor 1005, 1105 and one PLD 1007, 1107.
  • In an embodiment, the PLDs 1007, 1107 are respectively a field programmable gate array (FPGA). In other embodiments, the PLDs 1007, 1107 are respectively realized as a programmable logic array, programmable array logic, a generic array logic, or a complex programmable logic device.
  • The first PLD 1007 is connected to the first processor 1005 and the second PLD 1107 is connected to the second processor 1105.
  • Further, the first processor 1005 and the second processor 1105 connected to each other via a link 902 are adapted to control and/or monitor each other. In other words, the subcontrollers associated with different channels CH1, CH2 monitor each other. In an embodiment, the processors 1005, 1105 are adapted to exchange security keys. Further, the first and/or the second processor 1005, 1105 are adapted to send the result of the exchange of keys to the respective PLD 1007, 1107.
  • In an embodiment, which may be combined with other embodiments disclosed herein, as already described here-above, control means, for example voltmeters and/or ampere meters for determining the output current and voltages of the safety switch 5 and the load switches 100, 200, ... , 800 are also connected to the processors 1005, 1105. Each of the processors 1005, 1105 is adapted to release each of the relays 1010, 1080, 1110, 1180 of the safety switch.
  • Each of the read back contacts 1016, 1086, 1116, 1186 of the relays 1010, 1080, 1110, 1180 of the safety switch 5 is electrically connected to the processors 1005, 1105 via a respective branch circuit 1024, 1094, 1124, 1194. The branch circuits are adapted to provide independently to each of the processors 1005, 1105 the state of the read back contacts 1016, 1086, 1116, 1186, in particular whether the respective read back contact 1016, 1086, 1116, 1186 is closed or open. The branch circuit will be described in more detail with respect to figure 5.
  • Further, the controller includes a plurality of control circuits 1026, 1096, 1126, 1196 adapted to control the energizing of the actuator 1018, 1088, 1118, 1188 or relay coil of the respective relay 1010, 1080, 1110, 1180 depending on the instructions of the processors 1005, 1105 and the PLDs 1007, 1107. Each control circuit 1026, 1096, 1126, 1196 is associated with a respective actuator 1018, 1088, 1118, 1188 of a relay 1010, 1080, 1110, 1180. The number of control circuits corresponds to the number of relays of the safety switch 5. Thus, for example, the first control circuit 1026 is associated with the first relay 1010 and the second control circuit 1096 is associated with the second relay 1080 of the first group of relays 1000 or the first channel, and the third control circuit 1126 is associated with the first relay 1110 and the fourth control circuit 1196 is associated with the second relay 1180 of the second group of relays 1100 or the second channel.
  • Figure 4 shows in more detail the control circuit 1026 adapted to control the energizing of the actuator 1018 of the first relay 1010 of the first group of relays 1000.
  • Generally, the actuator 1018 is activated or deactivated in response to switching signals of the first processor 1005. However, the PLD 1007 and the second processor 1105 associated with the other or second group of relays 1100 are adapted to deenergize the actuator 1018 and thus to release the first relay 1010 in case a malfunction is detected.
  • An output 1028 of the PLD 1007 is connected to a charge pump 1030. In particular, the PLD 1007 is adapted to provide a watch dog signal to an input 1032 of the charge pump 1030. The watch dog signal is typically a first high frequency signal 1034 during the normal functioning of the PLD. For example, for each or a specific number of clock signals, the first high frequency signal 1034 may change its state, for example from high to low or vice versa.
  • In case of a failure of the PLD 1007 or in case of a failure detected by the PLD 1007, the PLD is adapted to stop emitting the first high frequency signal 1034 or watch dog signal to the charge pump 1030. Instead a static signal is applied to the input 1032 of the charge pump 1030. In other embodiments, the signals may have another form and instead of the charge pump another device may be used.
  • The signal at the output 1036 of the charge pump 1030 depends on the signal applied to the input 1032 of the charge pump 1030. For example, in case a high frequency signal is applied to the input 1032, the charge pump 1030 accumulates the energy of the incoming signal and the voltage of the output signal rises up to a specific value. In case a constant or zero volt signal is applied to the input 1032, the voltage of the output signal falls to zero volts. In other words, in case a constant signal is applied to the input 1032, the charge pump 1030 will discharge.
  • The output 1036 of the charge pump 1030 is connected to a first transistor 1038, in particular to the gate 1040 or the base of the first transistor 1038. In an embodiment, the first transistor is a MOSFET. In other embodiments, the first transistor 1038 may be another type of transistor, for example a bipolar transistor.
  • Source and drain 1042, 1044 of the transistor 1038, or emitter and collector in case of a bipolar transistor, are connected in series between the positive power 1046 and the first terminal 1048 of the actuator 1018 of the first relay 1010.
  • When a sufficient voltage is provided to the gate 1040 of the first transistor 1038, a current may flow between the positive power 1046 and the first terminal 1048 of the actuator 1018. Typically, the charge pump 1030 needs more than one pulse to provide a signal at its output 1036 that is sufficient to activate the transistor 1038.
  • The second terminal 1050 of the actuator 1018 and the collector and emitter 1052, 1054 of a second transistor 1056 are connected in series with a negative power or ground 1058. In the embodiment of figure 4, the second transistor 1056 is a bi-polar transistor. However, in other embodiments also other types of transistors may be used, for example MOSFETs.
  • When a sufficient voltage is provided to a base 1060 of the second transistor 1056, a current may flow between the second terminal 1050 of the actuator 1018 and the negative power 1058.
  • Further, the control circuit 1026 shown in figure 4 includes an AND gate 1062. The output 1064 of the AND gate 1062 is connected to the base 1060 of the second transistor 1056.
  • A first output 1066a of the first processor 1005 is connected to an input 1068 of a second charge pump 1070. In an embodiment, the second charge pump 1070 functions similarly to the first charge pump 1030. The output 1072 of the second charge pump 1070 is connected to a first input 1074a of the AND gate 1062.
  • The first output 1066a of the first processor 1005 is adapted to generate a high frequency signal 1076, for example a rectangular wave signal or another alternating signal. For example, the first output 1066a may be a General Purpose Input Output (GPIO) of the processor. The first processor 1005 is adapted to provide the high frequency signal 1076 at its first output 1066a during normal functioning. In case of a failure of the processor 1005, for example if the processor hangs up, the first output 1066a will emit a static signal, so that the charge pump 1070 will discharge. For example, for each or a specific number of clock signals, the second high frequency signal 1034 may change its state, for example from high to low or vice versa.
  • In other embodiments, the signals may have another form and instead of the charge pump another device may be used.
  • The processor 1005 has a second output 1066b which is connected directly to a second input 1074b of the AND gate 1062. For example, the second output 1066b may be a General Purpose Input Output (GPIO) of the processor. The processor 1005 is adapted to apply to the second output 1066b the command to activate and deactivate or release the respective relay 1010 of the first group 1000 of relays. For example, the processor 1005 may be adapted to deactivate or release the relays depending on the result of a failure detected in one of the load switches 100, 200, ..., 800 or the loads 3.
  • A third output 1166c of the second processor 1105 is directly connected to the third input 1074c of the AND gate 1105. For example, the third output 1166c may be a General Purpose Input Output (GPIO) of the processor. The second processor 1105, associated with the second group of relays 1100, is adapted to provide a direct command to inhibit the activation of the actuator 1018 of the relay 1010 of the first group of relays 1000. In other words, in case the second processor 1105 detects a failure of the first processor 1005, the second processor 1105 is adapted to release the relays 1010, 1080 of the first group of relays 1000.
  • The control circuit 1026 is adapted to activate the actuator 1018 of the first relay 1010 only when the PLD 1007, the first processor 1005 and the second processor 1105 provide the respective signals to the first charge pump 1030, the second charge pump 1070 and the AND gate 1062. This is in particular the case, if positive signals are applied to the inputs 1074a, 1074b, 1074c of the AND gate 1062. In other words, the actuator 1018 can only be activated using a signal at the second output 1066b of the first processor, when the PLD 1007 emits the high frequency signal 1034, the first output 1066a of the first processor 1005 emits the high frequency signal 1076 and the second processor 1105 emits a signal, such that a positive signal is applied to the third input 1074c of the AND gate 1062.
  • In other embodiments, the combination of the signals may be provided differently. For example, the outputs 1036, 1072 of the first charge pump 1030 and the second charge pump 1070 may be combined with a second AND gate.
  • Typically, the activation or release of the actuator 1018 of a relay 1010 reacts faster to the second output 1066b of the first processor 1005 and to the third output 1166c of the second processor 1105 than to the output 1028 of the PLD 1007 providing the signal to the charge pump 1030 or to the first output 1066a of the first processor 1005 providing the signal 1076 to the charge pump 1070, because the charge pumps 1030, 1070 need some moments to discharge, when their respective input signals are constant.
  • The control circuit 1026 of figure 4 has been described with respect to the actuator 1018 of the first relay 1010 of the first group of relays 1000 corresponding to the first channel.
  • Corresponding control circuits 1096, 1126, 1196 are provided for the actuators 1088, 1118, 1188 of the second relay 1080 of the first group of relays and the first and second relays 1110, 1180 of the second group of relays 1100 corresponding to the second channel.
  • For example for the control circuit 1126 for activating the actuator of the first relay 1110 of the second group of relays 1100, instead of the signals of the first PLD 1007, an output of the second PLD 1107 is connected to the first charge pump, a first output of the second processor 1105 is connected to the second charge pump, a second output of the second processor 1105 is directly connected to the AND gate, and the third output 1066c of the first processor 1005 is connected directly to the AND gate. The control circuits 1096, 1196 are similarly connected to the first and second processors 1005, 1105 and first or second PLDs 1007, 1107.
  • Figure 5 shows details of the branch circuit 1024 for the connection of the read back contact 1016 of the first relay 1010 of the first group of relays 1000 to both processors 1005, 1105. Thus, the subcontrollers, here the first and second processors 1005, 1105, of both channels CH1 and CH2 are provided with the state of the read back contact 1016. The branch circuits 1094, 1124, 1194 are identical to the branch circuit 1024 to connect the respective read back contacts 1086, 1116, 1186 to a respective input of the first processor 1005 and the second processor 1105 of the controller 900.
  • The state of the relay 1010 is verified and controlled by the read back contacts 1016, which are normally closed contacts. The read back contacts 1016 have a first contact 1078a directly connected to a power source, for example a five volt power source. The second contact 1078b is connected respectively in parallel to an input terminal of the first processor 1005 and an input terminal of the second processor 1105. The connection between the second contact 1078b and the input terminals of the processors 1005, 1105 is performed respectively via a voltage divider associated with each processor to convert the voltage of the power source into the voltage compatible with the input terminals of the processors 1005, 1105. The first voltage divider is formed by resistance R3 and resistance R4, and the second voltage divider is formed by resistance R2 and resistance R5. Further, a resistance R1 is connected to the ground GND between the second read back terminal 1078b and the voltage dividers. The resistance R1 has a resistance value being much smaller than resistance values of R4 and R5. In an embodiment, the resistance values of R4 and R5 are about 10 kOhms. Thus, the state of a single read back contact is provided independently to both processors 1005, 1105. In other words, the information of one read back contact is shared between both processors 1005, 1105. A coupling between the two different lines to the processors 1005, 1105 is avoided by selecting the appropriate resistance values as discussed here-above. The resistances are provided according to the resistor technology of the European norm EN 50129.
  • In the following, we will explain the functioning of the control mechanism. During normal functioning, i.e. functioning without a failure, of the safety switch 5, the PLDs 1007, 1107 associated with the group of relays 1000, 1100 to which the relay to be activated belongs provide the high frequency alternating signals 1034 to the respective charge pumps 1030, so that the transistors 1038 enable the positive power 1046 to be provided to the first terminals 1048 of the actuators 1018, 1088, 1118, 1188 of the relays 1010, 1080, 1110, 1180. Further, the first output terminals 1066a of the processors 1005, 1105 associated with the group of relays 1000, 1100 to which the relay to be activated belongs provide the respective alternating high frequency signals 1076 to the charge pumps 1070. Then, the charge pump 1070 provides a respective voltage (or positive value) to the first input 1074a of the AND gate 1062. Further, a positive signal is applied to the third input 1074c of the AND gate 1062 coming from the third terminal 1166c of the processor 1005, 1105 associated with the other group of relays 1000, 1100.
  • Thus, upon the signal on the second output terminal 1066b of the processor associated with the group of relays 1000, 1100 to which the relay to be activated belongs, the actuator 1018, 1088, 1118, 1188 of the respective relay is activated, and when the signal on the second output terminal 1066b is disabled, the respective coil of the relay is deactivated and the relay moves back into the release state.
  • Both processors 1005, 1105 perform a regular exchange of keys which is then sent to the PLD 1007, 1107. In case the PLD does not receive the correct key, the PLD disables its output 1028 and provides a constant signal instead of the alternating signal 1034 to the respective charge pumps 1030. Consequently, the actuator 1018, 1088, 1118, 1188 or coil of the respective relays 1010, 1080, 1118, 1188 cannot be activated any more or is released, because the signal at the output 1036 of the charge pump 1030 applied to the gate 1040 of the transistor 1038 is 'deactivated'. Then, the first transistor 1038 is in a blocking state. For example, if the first PLD 1007 does not receive the correct key, both relays 1010, 1080 of the first group of relays 1000 which are associated with the first PLD 1007 are released.
  • In an embodiment, which may be combined with other embodiments disclosed herein, a regular test with the wrong key is performed. Then, the respective PLD 1007, 1107 receiving the wrong key releases the associated relays 1010, 1080, 1110, 1180.
  • In another embodiment, if one processor 1005, 1105 detects that the other processor 1005, 1105 of the same controller 900, but of another channel CH1, CH2, is not working correctly, it deactivates its output signals at the third output terminals 1066c, 1166c connected to the third input 1074c of the AND gates 1062 of the control circuits 1026, 1096, 1126, 1196, and both relays of the other channel CH1, CH2, which are associated with the other processor, are released. For example, in case the second processor 1105 of the second channel CH2 detects that the first processor 1005 of the first channel CH1 does not work properly, the second processor 1105 commands its third output terminals 1166c connected to the control circuits 1026, 1096 of the first channel CH1 so that the output of the AND gate 1105 is negative and the second transistor 1056 is in a blocking state. Then, the respective relays 1010, 1080 of the first group of relays 1000 or the first channel CH1 are released.
  • In an alternative embodiment, in case the processor 1005, 1105 hangs or stops working, the first output 1066a connected to the control circuits 1026, 1096, 1126, 1196 no longer creates an alternating high frequency signal 1076, so that the output 1072 of the charge pump 1070 falls after a few moments below a specific value so that the output 1064 of the AND gate 1062 commands the second transistor 1056 to be in the blocking state.
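The following behavioural model of the control circuit 1026 is an added example and is not part of the patent. It replays the watchdog, command and cross-channel signals tick by tick and measures how long the coil of relay 1010 stays energized after each of the failures described above. The charge pump gain, leak, ceiling and threshold, the tick counts and all class, function and fault names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ChargePump:
    """Charge pump 1030 / 1070: gains charge on input edges, leaks when static.

    All numeric values are assumed for illustration; the patent gives none.
    """
    gain: int = 2        # charge added per input edge
    leak: int = 1        # charge lost per tick without an edge
    ceiling: int = 10    # saturation level
    threshold: int = 6   # level that counts as a positive output
    level: int = 0
    last: int = 0

    def tick(self, sample: int) -> bool:
        if sample != self.last:
            self.level = min(self.ceiling, self.level + self.gain)
        else:
            self.level = max(0, self.level - self.leak)
        self.last = sample
        return self.level >= self.threshold


class ControlCircuit:
    """Control circuit 1026 for actuator 1018 of relay 1010."""

    def __init__(self) -> None:
        self.pump_pld = ChargePump()  # 1030, fed by PLD output 1028
        self.pump_cpu = ChargePump()  # 1070, fed by processor output 1066a

    def tick(self, pld_wd: int, cpu_wd: int, cmd: int, peer_ok: int) -> bool:
        high_side = self.pump_pld.tick(pld_wd)            # drives transistor 1038
        in_a = self.pump_cpu.tick(cpu_wd)                 # AND input 1074a
        low_side = in_a and bool(cmd) and bool(peer_ok)   # AND output 1064, transistor 1056
        return high_side and low_side                     # True: coil carries current


# Constructed fault models: signal name -> value forced from fault_at onwards.
FAULTS = {
    None: {},
    "pld_static": {"pld_wd": 0},     # PLD received a wrong key and stops the watchdog
    "cpu_hang_high": {"cpu_wd": 1},  # processor hangs with output 1066a frozen high
    "cpu_hang_low": {"cpu_wd": 0},   # processor hangs with output 1066a frozen low
    "cmd_release": {"cmd": 0},       # ordinary release through output 1066b
    "peer_inhibit": {"peer_ok": 0},  # other channel withdraws output 1166c
}


def simulate(fault=None, ticks=30, fault_at=12):
    """Return the coil state per tick; both watchdogs toggle every tick until the fault."""
    circuit = ControlCircuit()
    trace = []
    for t in range(ticks):
        signals = {"pld_wd": t & 1, "cpu_wd": t & 1, "cmd": 1, "peer_ok": 1}
        if t >= fault_at:
            signals.update(FAULTS[fault])
        trace.append(circuit.tick(**signals))
    return trace


def release_delay(fault, fault_at=12):
    """Ticks between the fault and the coil dropping out, or None if it never drops."""
    trace = simulate(fault, fault_at=fault_at)
    for t in range(fault_at, len(trace)):
        if not trace[t]:
            return t - fault_at
    return None


if __name__ == "__main__":
    print("energized from tick", simulate().index(True))
    for name in list(FAULTS)[1:]:
        print(f"{name:14s} releases after {release_delay(name)} ticks")
    stuck = any(simulate("cpu_hang_high", fault_at=0))
    print("output 1066a stuck high from power-up ever energizes the coil:", stuck)
```

A frozen watchdog output releases the relay whether it freezes high or low, because only edges charge the pumps, while the two direct AND gate inputs act within the same tick.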
  • For testing the safety switch 5 all relays 1010, 1080, 1110, 1180 are first in their active state which means that the respective actuators or coils 1018, 1088, 1118, 1188 are activated and all switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are closed. This is also called the normal mode in the table 1. Thus, at the output terminals 9a, 9b a voltage corresponding to the voltage at the input terminals 7a, 7b is applied.

    Table 1

    Mode              Relay 1010  Relay 1080  Relay 1110  Relay 1180  Output
    Normal            Active      Active      Active      Active      Active
    Test Relay 1010   Released    Active      Active      Active      Active
    Test Relay 1080   Active      Released    Active      Active      Active
    Test Relay 1110   Active      Active      Released    Active      Active
    Test Relay 1180   Active      Active      Active      Released    Active

  • Figure 6 shows a flowchart for testing the safety switch 5. For testing the safety switch 5, one relay after the other is released, whereas the other relays remain in their active state.
  • In a first step 1200, the first relay 1010 of the first group 1000 is released, for example by the first processor 1005, and the other relays 1080, 1110, 1180 remain in the active or activated state. In such a case, the current bypasses the switching contacts 1012, 1014, 1020, 1022 of the first relay by the switching contacts 1082, 1084, 1090, 1092 of the second relay 1080 of the first group 1000. At the same time, the output voltage is monitored at the output terminals 9a, 9b and the first processor 1005 verifies that the read back contacts 1016 of the relay 1010 are closed.
  • In a second step 1202, the first relay 1010 of the first group 1000 is again activated and the second relay 1080 of the first group 1000 is released whereas both relays 1110 and 1180 of the second group 1100 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the first processor 1005 verifies that the read back contacts 1086 of the relay 1080 are closed.
  • In a third step 1204, the second relay 1080 of the first group 1000 is again activated and the first relay 1110 of the second group 1100 is released whereas both relays 1010 and 1080 of the first group 1100 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the second processor 1105 verifies that the read back contacts 1116 of the relay 1110 are closed.
  • In a fourth step 1206, the first relay 1110 of the second group 1100 is again activated and the second relay 1180 of the second group 1100 is released whereas both relays 1010 and 1080 of the first group 1100 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the second processor 1105 verifies that the read back contacts 1186 of the relay 1180 are closed.
  • During all tests, the closed state of the read back contacts 1016, 1086, 1116, 1186 of the respective released relay is verified. Thus, complete tests of all relays of the safety switch 5 can be performed without interrupting the power supply to the safety critical loads 3.
  • The different relays 1010, 1080, 1110, 1180 may be also tested one after the other in another arbitrary sequence.
  • In the following, we will explain the behavior of the safety switch 5 and the controller 900 in the case of a failure of a relay during the test procedure. If during the test procedure an error is detected in one of the relays, the relays of the other group of relays are released.
  • For example, when at least one of the switching contacts 1012, 1014, 1082, 1086 of the relays 1010, 1080 of the first group of relays 1000 is stuck, the read back contacts 1016, 1086 of the stuck relay remain open even if the first processor 1005 commands the release of the relays 1010, 1080. For example, the switching contacts may stick together if they have melted together due to an excessive current.
  • Subsequently, the first and/or the second processor 1005, 1105 detects that the read back contacts 1016, 1086 are still open. Thus the first and/or the second processor 1005, 1105 concludes that there is a fault of the first and/or second relay 1010, 1080 of the first group of relays 1000. The first and/or the second processor 1005, 1105 then releases the first and second relays 1110, 1180 of the second group of relays 1100 or the second channel CH2. Consequently, there is no current applied to the output terminals 9a, 9b of the safety switch 5.
  • When at least one of the switching contacts 1112, 1114, 1182, 1186 of the relays 1110, 1180 of the second group of relays 1100 is stuck, the read back contacts 1116, 1186 of the stuck relay remain open even if the second processor 1105 commands the release of the relays 1110, 1180.
  • Subsequently, the first and/or the second processor 1005, 1105 detects that the read back contacts 1116, 1186 of the stuck relay are still open. Thus the first and/or the second processor 1005, 1105 concludes that there is a fault of the first and/or second relay 1110, 1180 of the second group of relays 1000. The first and/or the second processor 1005, 1105 then releases the first and second relays 1010, 1080 of the first group of relays 1000 of the first channel CH1. Consequently, there is no current applied to the output terminals 9a, 9b of the safety switch 5.
  • Thus, the safety switch 5 provides an architecture which is driven by a 2oo2 system (two out of two). Thus, for example to activate the safety switch, both channels CH1, CH2 including respectively a group of relays 1000, 1100 which are controlled by respectively a processor 1005, 1105 must be in accordance. Further, the activation of a relay needs the active signals of at least three intelligent devices, namely one PLD and the two processors (3oo3, three out of three).
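The test sequence of figure 6 and the stuck-contact reaction described above can be replayed on a model of the contact topology. This is an added example, not part of the patent: each relay is reduced to one boolean because both sets of switching contacts move together, the "Off" output label and the "Fault Relay" row are constructed, and the class and function names are hypothetical.

```python
GROUPS = {1000: (1010, 1080), 1100: (1110, 1180)}   # channel CH1, channel CH2
ORDER = (1010, 1080, 1110, 1180)                    # steps 1200, 1202, 1204, 1206


class SafetySwitch:
    def __init__(self, welded=()):
        self.welded = set(welded)                   # relays whose switching contacts are stuck
        self.energized = {r: True for r in ORDER}   # normal mode: all actuators active

    def contacts_closed(self, relay):
        return self.energized[relay] or relay in self.welded

    def read_back_closed(self, relay):
        # Guided relay: the normally closed read back contact closes only
        # when the normally open switching contacts have really opened.
        return not self.contacts_closed(relay)

    def output_live(self):
        # Relays of a group are in parallel, the two groups are in series
        # between the input terminals 7a, 7b and the output terminals 9a, 9b.
        return all(any(self.contacts_closed(r) for r in members)
                   for members in GROUPS.values())

    def snapshot(self, mode):
        # Relay columns show the commanded state, as in Table 1.
        states = tuple("Active" if self.energized[r] else "Released" for r in ORDER)
        return (mode, *states, "Active" if self.output_live() else "Off")


def self_test(switch):
    """Release one relay at a time; return (rows, faulty_relay or None)."""
    rows = [switch.snapshot("Normal")]
    for relay in ORDER:
        switch.energized[relay] = False
        rows.append(switch.snapshot(f"Test Relay {relay}"))
        if not switch.read_back_closed(relay):
            # Read back still open: contacts did not open, release the other group.
            other = next(m for m in GROUPS.values() if relay not in m)
            for r in other:
                switch.energized[r] = False
            rows.append(switch.snapshot(f"Fault Relay {relay}"))
            return rows, relay
        switch.energized[relay] = True
    return rows, None


if __name__ == "__main__":
    for welded in ((), (1080,), (1110,)):
        rows, fault = self_test(SafetySwitch(welded))
        print(f"welded={welded} fault={fault}")
        for row in rows:
            print("  " + "  ".join(f"{cell:<16}" for cell in row))
```

With relay 1080 welded, the output column stays "Active" through the test of relay 1080 itself, so the output voltage alone never reveals the fault; only the read back contact does.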
  • When all relays are released, the safety switch provides the maximal air gap across the switching contacts. For example, in the present case when each physical switching contact (i.e. the switching contacts 1014, 1084, 1112, 1182 and subcontacts 1020, 1022, 1090, 1092, 1120, 1122, 1190, 1192) provides a minimum air gap of 0.5 mm, the complete (maximal) air gap will be 1.5 mm between the first input terminal 7a and the first output terminal 9a or the second input terminal 7a and the second output terminal 9b.
  • Thus, the safety switch assures a minimum safety distance of 1.5 mm across the contacts, when the safety switch is released in order to handle voltages of 230V alternating current. Further, the maximum switching direct current voltage is higher than in prior solutions thanks to three normally open contacts connected in series.

Claims (15)

  1. Monitoring and control system (1) comprising:
    a safety switch (5) including:
    a first input terminal (7a) and a second input terminal (7b) adapted to be connected to a power supply,
    a first output terminal (9a) and a second output terminal (9b) adapted to be connected at least one load (3), and
    at least two groups of relays (1000, 1100), wherein each group comprises at least two relays (1010, 1080; 1110, 1180) having respectively a first set of switching contacts (1012, 1082; 1112, 1182) and a second set of switching contacts (1014, 1084; 1114, 1184), the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator (1018, 1088; 1118, 1188), wherein the first sets of switching contacts (1012, 1082; 1112, 1182) of the at least two relays (1010, 1080; 1110, 1180) of a group are connected electrically in parallel and the second sets of switching contacts (1014, 1084; 1114, 1184) of the at least two relays of a group (1000, 1100) are connected electrically in parallel,
    the first sets of switching contacts (1012, 1082) of a first group (1000) being connected electrically in series with the first sets of switching contacts (1112, 1182) of a second group (1100), the second sets of switching contacts (1014, 1084) of the first group (1000) being connected electrically in series with the second sets (1114, 1184) of switching contacts of the second group (1100), wherein
    the first sets of switching contacts (1012, 1082) of the first group (1000) are connected to the first input terminal (7a) and the second sets of switching contacts (1014, 1084) of the first group (1000) are connected to the second input terminal (7b), wherein the first sets of switching contacts (1112, 1182) of the second group (1100) being connected to the first output terminal (9a) and the second sets of switching contacts (1114, 1184) of the second group (1100) being connected to the second output terminal (9b); and wherein the monitoring and control system further includes
    a controller (900) for controlling the relays of the at least two groups (1000, 1100), wherein the safety switch is adapted to sequentially open the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays remain closed.
  2. Monitoring and control system according to claim 1, wherein at least one set of switching contacts (1012, 1082; 1114, 1184) of the first or second set of switching contacts of the relays comprises two subsets of switching contacts (1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192) connected electrically in series, wherein in particular the first sets of switching contacts (1012, 1082) of the relays (1010, 1080) of the first group (1000) and the second sets of switching contacts (1114, 1184) of the relays (1110, 1180) of the second group (1100) comprise two subsets of switching contacts connected in series.
  3. Monitoring and control system according to one of the preceding claims, wherein the sets of switching contacts (1012, 1082; 1114, 1184) comprise two subsets of switching contacts and/or the number of group of relays (1000, 1100) depend on the voltage to be switched.
  4. Monitoring and control system according to one of the preceding claims, wherein at least one, in particular all, of the relays (1010, 1080; 1110, 1180) comprise at least one set of read back contacts (1016, 1086; 1116; 1186).
  5. Monitoring and control system according to one of the preceding claims, wherein the first and second sets of switching contacts (1012, 1014, 1082, 1084; 1112, 1114, 1182, 1184) and, in particular the subsets of contacts (1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192), are normally open contacts and/or the sets of read back contacts (1016, 1086; 1116; 1186) are normally closed contacts, wherein in particular the relays (1010, 1080; 1110, 1180) are guided relays, so that when the normally closed contacts are closed, the normally open contacts (1014, 1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192) provide a predetermined minimal distance between their contacts.
  6. Monitoring and control system according to any one of the preceding claims, comprising at least two channels, wherein one group of relays (1000, 1100) of the at least two groups of relays (1000, 1100) is associated with each channel (CH1, CH2), wherein the controller (900) comprises a plurality of subcontrollers (1005, 1007, 1105, 1107), each channel comprising at least one, in particular two or more, of the plurality of subcontrollers, wherein for each channel (CH1, CH2):
    at least one first subcontroller (1005, 1105), in particular a processor, of said channel being adapted to command the actuators (1018, 1088, 1118, 1188) of the relays associated with said channel and the actuators (1018, 1088, 1118, 1188) of the relays associated with at least one other channel.
  7. Monitoring and control system according to claim 6, wherein the at least one first subcontroller (1005) of a first channel (CH1) is adapted to monitor the functioning of at least one first subcontroller (1105) associated with another channel (CH2), wherein the at least one first subcontroller (1105) of said other channel is adapted to command the actuators (1018, 1088) of the relays associated with the first channel (CH1), wherein the at least one first subcontroller (1005) of the first channel (CH1) is adapted to release the relays of said other channel (CH2) when a failure of the at least one first subcontroller (1105) of said other channel is detected by the at least one first subcontroller (1005).
  8. Monitoring and control system according to claim 6 or 7, wherein at least one channel, in particular all channels comprise at least one second subcontroller (1007, 1107) of the plurality of subcontrollers, in particular in form of a programmable logic devices (1007, 1107), wherein each second subcontroller (1007, 1107) is connected to at least one first subcontroller (1005, 1105) of the same channel and adapted to monitor the functioning of said at least one first subcontroller.
  9. Monitoring and control system according to any one of the claims 6 to 8 comprising a plurality of control circuits (1026, 1096, 1126, 1196), wherein each control circuit is connected to relay (1010, 1080, 1110, 1180) for controlling an activation and/or release of said relay and is comprised by the respective channel (CH1, CH2), wherein for at least one, in particular each control circuit:
    said control circuit is connected to at least one output (1066a, 1066b) of at least one first subcontroller (1005, 1105) of the same channel, to at least one output (1066c) of at least one first subcontroller (1005, 1105) of another channel, and, in particular, to at least one output (1028) of the at least one second subcontroller (1007, 1107) of the same channel, wherein the control circuit is adapted to activate and/or release the relay associated with the control circuit based on the outputs of the connected first subcontrollers (1005, 1105) and, in particular, the output of the connected second subcontrollers (1007, 1107).
  10. Monitoring and control system according to claim 9, wherein the at least one first subcontroller (1005, 1105) is adapted to provide a first signal, for example a regularly alternating signal (1076), in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of the outputs (1066a) connected to the control circuit (1026, 1096, 1126, 1196) and/or the at least one second subcontroller (1007, 1107) is adapted to provide a first signal, for example regularly alternating signal (1034), in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of its outputs (1028) connected to the control circuit, wherein, upon reception of the second signal from the at least one first subcontroller (1005, 1105) and/or the at least one second subcontroller (1007, 1107), the control circuit releases the associated relay.
  11. Monitoring and control system according to claim 9 or 10, wherein each control circuit is adapted to activate the associated relay only in case the signals provided by two subcontrollers (1005, 1105), for example the first and second subcontrollers, of at least two different channels (CH1, CH2), and, in particular, the signal provided by the at least one second subcontroller (1007, 1107) of the same channel, allows or command an activation of said relay.
  12. Monitoring and control system according to one of the claims 6 to 11, wherein the read back contacts of each relay are read by at least two first subcontrollers (1005, 1105) of two different channels (CH1, CH2), comprising at least one first subcontroller of the channel to which the respective relay is associated.
  13. Monitoring and control system according to one of the preceding claims, wherein the safety switch comprises two groups of relays comprising respectively two relays, wherein each channel comprises a group of relays.
  14. Method for operating a safety switch, the safety switch comprising a first input terminal (7a) and a second input terminal (7b) adapted to be connected to a power supply; a first output terminal (9a) and a second output terminal (9b) adapted to be connected to at least one load (3); and at least two groups of relays (1000, 1100), wherein each group comprises at least two relays (1010, 1080; 1110, 1180) having respectively a first set of switching contacts (1012, 1082; 1112, 1182) and a second set of switching contacts (1014, 1084; 1114, 1184), the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator (1018, 1088; 1118, 1188), wherein the first sets of switching contacts (1012, 1082; 1112, 1182) of the at least two relays (1010, 1080; 1110, 1180) of a group are connected electrically in parallel and the second sets of switching contacts (1014, 1084; 1114, 1184) of the at least two relays of a group (1000, 1100) are connected electrically in parallel, the first sets of switching contacts (1012, 1082) of a first group (1000) being connected electrically in series with the first sets of switching contacts (1112, 1182) of a second group (1100), the second sets of switching contacts (1014, 1084) of the first group (1000) being connected electrically in series with the second sets (1114, 1184) of switching contacts of the second group (1100), wherein the first sets of switching contacts (1012, 1082) of the first group (1000) are connected to the first input terminal (7a) and the second sets of switching contacts (1014, 1084) of the first group (1000) being connected to the second input terminal (7b), wherein the first sets of switching contacts (1112, 1182) of the second group (1100) being connected to the first output terminal (9b) and the second sets of switching contacts (1114, 1184) of the second group (1100) are connected to the second output terminal (9a); wherein the method further comprises: sequentially opening the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays are closed.
  15. Method according to claim 14, wherein the safety switch is a safety switch comprised in the monitoring and control system according to one of the claims 1 to 13.
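
The sequential test of claim 14, combined with the read-back of claim 12, modelled as an added example that is not part of the patent text. It shows that the load stays powered while each relay is exercised, and that a relay which fails to follow its command is reported before a second fault can defeat the switch. The `welded` and `stuck_open` fault flags, the function names and the finding strings are assumptions made for illustration.

```python
"""Model of the claim 14 relay topology and its sequential contact test."""
from dataclasses import dataclass

# Reference numerals from claim 14: two groups wired in series,
# the two relays inside each group wired in parallel.
GROUPS = {1000: (1010, 1080), 1100: (1110, 1180)}
RELAYS = [rid for members in GROUPS.values() for rid in members]


@dataclass
class Relay:
    commanded_closed: bool = True
    welded: bool = False      # assumed fault: contacts stuck closed
    stuck_open: bool = False  # assumed fault: contacts never close

    @property
    def closed(self) -> bool:
        # One actuator drives both contact sets, so one state covers both poles.
        if self.stuck_open:
            return False
        return self.commanded_closed or self.welded


def new_switch(faults=None):
    """Build the four relays; faults maps a relay id to Relay keyword flags."""
    faults = faults or {}
    return {rid: Relay(**faults.get(rid, {})) for rid in RELAYS}


def load_powered(relays) -> bool:
    """Current flows if every series group has at least one closed relay."""
    return all(any(relays[rid].closed for rid in members)
               for members in GROUPS.values())


def sequential_test(relays):
    """Open one relay at a time while all the others are closed (claim 14)."""
    findings = []
    for rid in RELAYS:
        if not all(relays[o].closed for o in RELAYS if o != rid):
            findings.append((rid, "skipped: another relay is not closed"))
            continue
        relay = relays[rid]
        relay.commanded_closed = False
        if relay.closed:                  # read-back disagrees with the command
            findings.append((rid, "failed to open"))
        if not load_powered(relays):
            findings.append((rid, "load interrupted"))
        relay.commanded_closed = True     # restore before testing the next one
        if not relay.closed:
            findings.append((rid, "failed to close"))
    return findings


def can_disconnect(relays) -> bool:
    """Release every relay and check that the load really loses power."""
    for relay in relays.values():
        relay.commanded_closed = False
    isolated = not load_powered(relays)
    for relay in relays.values():
        relay.commanded_closed = True
    return isolated
```

A single welded relay is reported while the other group can still disconnect the load; only one welded relay in each group makes `can_disconnect` return `False`, which is the condition the periodic test is meant to catch early.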

Priority Applications (2)

Application Number Priority Date Filing Date Title
DK13305355.3T DK2782112T3 (en) 2013-03-22 2013-03-22 Monitoring and control system comprising a security switch and method for managing a security switch
EP13305355.3A EP2782112B1 (en) 2013-03-22 2013-03-22 Monitoring and control system comprising a safety switch and method for operating a safety switch

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP13305355.3A EP2782112B1 (en) 2013-03-22 2013-03-22 Monitoring and control system comprising a safety switch and method for operating a safety switch

Publications (2)

Publication Number Publication Date
EP2782112A1 EP2782112A1 (en) 2014-09-24
EP2782112B1 true EP2782112B1 (en) 2018-05-30

Family

ID=48095765

Family Applications (1)

Application Number Title Priority Date Filing Date
EP13305355.3A Active EP2782112B1 (en) 2013-03-22 2013-03-22 Monitoring and control system comprising a safety switch and method for operating a safety switch

Country Status (2)

Country Link
EP (1) EP2782112B1 (en)
DK (1) DK2782112T3 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102015104211A1 (en) * 2015-03-20 2016-09-22 Pilz Gmbh & Co. Kg Safety switching device for fail-safe disconnection of an electrical load
CN110325927B (en) * 2017-03-02 2022-06-28 伟肯有限公司 Device and method for safety shutdown

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3217528C2 (en) * 1982-05-10 1986-04-03 Siemens AG, 1000 Berlin und 8000 München Contact arrangement for relays
DE4242792C2 (en) * 1992-12-17 1997-02-06 Sick Optik Elektronik Erwin Safety switch arrangement
WO1996041358A1 (en) * 1995-06-07 1996-12-19 Transportation Safety Devices, Inc. Power disconnect switch
DE19927762A1 (en) * 1999-06-17 2001-01-04 Abb Research Ltd New electrical switching device for overcurrent protection
DE102005048601B3 (en) * 2005-10-06 2007-04-05 Pilz Gmbh & Co. Kg Position indicator e.g. potentiometer, evaluating device for safety switching device, has microcontrollers finding measuring quantities representative for indicator`s partial impedances, and having outputs assigned with high/low potential
DE102006007264C5 (en) * 2006-02-10 2014-06-18 Pilz Gmbh & Co. Kg Safety switching device and method for safely switching on and off an electrical consumer
EP2383762B1 (en) * 2010-04-30 2013-09-11 Rockwell Automation Germany GmbH & Co. KG Single-channel safety output

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
DK2782112T3 (en) 2018-09-03
EP2782112A1 (en) 2014-09-24

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20130322

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ALSTOM TRANSPORT TECHNOLOGIES

R17P Request for examination filed (corrected)

Effective date: 20150324

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ALSTOM TRANSPORT TECHNOLOGIES

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20171222

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1004459

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180615

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602013038089

Country of ref document: DE

REG Reference to a national code

Ref country code: RO

Ref legal event code: EPE

REG Reference to a national code

Ref country code: DK

Ref legal event code: T3

Effective date: 20180828

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20180530

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180830

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180830

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1004459

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180530

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602013038089

Country of ref document: DE

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20190301

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 602013038089

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190322

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190331

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191001

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190331

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190322

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20181001

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190322

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180930

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20130322

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180530

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230823

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: RO

Payment date: 20240319

Year of fee payment: 12

Ref country code: GB

Payment date: 20240320

Year of fee payment: 12

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: TR

Payment date: 20240315

Year of fee payment: 12

Ref country code: IT

Payment date: 20240329

Year of fee payment: 12

Ref country code: DK

Payment date: 20240326

Year of fee payment: 12

Ref country code: BE

Payment date: 20240320

Year of fee payment: 12