Siemens Aktiengesellschaft
Control and monitoring method in an electrical automation
system for a technical installation
The invention relates to a control and monitoring method in an electrical automation system for a technical installation, preferably a shaft installation, in which signals are transmitted on at least two mutually independent signal paths of the automation system and are evaluated in a subunit.
An automation system of this type is known from the German journal "Energie und Automation", Vol. 11 (1989), Issue 3, pages 8 to 10. The arrangement described therein already functions very reliably, but when an automation device fails no further messages can be sent or received by the failed automation device despite the redundancy of the bus system. Particularly when the main device fails, or in the event of triggering errors, control of the installation is no longer ensured.
A method for the safe operation of a redundant control system is known from German Offenlegungsschrift 3,225,455, in which a technical installation is controlled by one of several computers connected in parallel, and if this computer malfunctions control is switched over to another computer.
A doubly redundant automation unit in mining is known from the German journal "etz", Volume 102 (1981), Issue 18, pages 973-977, the redundant subunits of which jointly control the installation. With this automation unit, the output signals are monitored for non-equivalence. However, the signal generators and their outputs are not redundant, so that if the signal generator fails reliable control of the installation is no longer ensured.
The object of the present invention is to disclose a method in which all types of impermissible operating states are reliably detected and rectified as quickly as possible despite the failure of subunits.
The object is achieved in that safety-relevant input signals are triggered at least twice and are transmitted constantly on at least two mutually independent signal paths to at least two redundant subsystems of the automation system which process the safety-relevant input signals, and are evaluated by the subsystems and converted into control and monitoring signals.
It is advantageous in this arrangement if the safety-relevant input signals are constantly checked for equivalence. This enables complete and/or partial failures of the subsystems to be detected in good time.
It is advantageous if the at least two subsystems monitor one another constantly so that other faults of the at least two subsystems can be detected. The monitoring can be performed, for example, by cyclically checking the individual components of the at least two subsystems, for example the memory units or the processors.
If one of the at least two subsystems fails, it
is advantageous if at least a limited operation can be
allowed by means of a special command, the special
command being preferably manually issued.
With a view to the economy of the installation, it is furthermore advantageous if only one of the at least two subsystems processes the normal, non-safety-relevant signals. This makes it possible for the other subsystems, which process only safety-relevant data, to have small dimensions, which makes the automation system as a whole more cost effective. Moreover, an alarm reaction time of less than 500 ms, usually even of around 200 ms, can consequently be achieved even when the automation system is operating at full load. Such a short reaction time is not possible with two identical subsystems each monitoring the complete installation control, even with priority processing, for example by means of an interrupt.
After a comparatively long standstill of the technical installation, it is advantageous if the installation start-up is delayed by a self-test interval of the automation system so that the at least two subsystems can first check each other.
For the sake of simplification and to increase safety, it is advantageous if the safety-relevant input signals are first forwarded to at least two redundant automation subsystems or electronic terminators which preprocess the safety-relevant input signals and are assigned to at least two subsystems, are preprocessed in these, and are then transmitted via an at least doubly redundant bus system to at least two superordinate redundant main automation units which process the safety-relevant input signals. With this arrangement the signal paths and the bus system of the automation system can be cyclically checked, for example by injected signals, for line breakage, faults to ground, etc.
The automation system which is favourable for carrying out the method consists of at least two redundant subsystems which process the safety-relevant input signals and are connected to one another via a data line for mutual monitoring, with at least two mutually independent signal paths for transmitting safety-relevant input signals and with signal triggers for the safety-relevant input signals which have at least two mutually independent signal generators.
For reasons of cost it is advantageous if one subsystem is designed as the main system for processing all signals and the other subsystems are designed as subsidiary systems for processing all safety-relevant signals.
Further advantages and details emerge from the description of an exemplary embodiment below, in connection with the further subclaims and with reference to the drawings, in which:
FIG 1 shows a block circuit diagram of an automation system, and
FIG 2 shows the connection of an emergency stop switch to the automation system.
In accordance with FIG 1, the automation system of a shaft installation consists of two main automation units 1, 1' which are connected to one another via a data line 2. The two main automation units 1, 1' have special communication processors 3, 3' for communicating with each other. The automation units 1, 1' and hence the subsystems can monitor one another via the processors 3, 3'. This makes it possible, inter alia, for the incoming safety-relevant input signals to be checked constantly for equivalence.
Branching off from each of the main automation units 1, 1' is a bus 4, 4', to which further automation units or electronic terminators 5 to 8, 5' to 8' are connected in each case. In each case one automation unit or one terminator is connected to one of the buses 4, 4' at each distribution node of the automation system. The automation subsystems or electronic terminators 5 to 8, 5' to 8' are located in part above ground and in part below ground, for example on the various floor levels of a mine. The automation subsystems or electronic terminators 5 to 8, 5' to 8' are here, just like the main automation units 1, 1', redundant at least with respect to the processing of the safety-relevant signals. Power is supplied to the automation subsystems or electronic terminators 5 to 8, 5' to 8' in each case in pairs by power supply units 5" to 8".
Also connected to the main automation unit 1 is a line 9, via which the acoustic signal generators 10, for example horns or loudspeakers, at the various distribution nodes are activated. The signal generators 10 serve to acknowledge commands entered via the automation units or electronic terminators 5 to 8, 5' to 8', and/or to give warning, for example before starting up the hoist.
For monitoring and logging the installation control, the main automation units 1, 1' are furthermore connected to a printer 11 and a registration unit 12, for example a magnetic memory, and, for displaying the current operating states, to a monitor 13. The main automation units 1, 1' are furthermore connected to the hoist console 14 for issuing instructions.
As a result of the construction of the automation system with buses 4, 4', the number of lines to be laid is independent of the degree of automation of the installation or of a change in the configuration of the installation. In the present case, the automation system is designed in such a way that the automation units 1 and also 5 to 8 process all the signals occurring, while the automation units 1' and also 5' to 8' monitor and process only safety-relevant signals, for example emergency stop requests.
FIG 2 shows a preferred circuit for detecting safety-relevant input signals using the example of the automation units 6, 6'. According to FIG 2, the two automation units 6, 6' are connected via signal paths 15, 15' to two signal generators 16, 16' of the emergency stop switch 17. When the emergency stop switch 17 is activated, as indicated by arrow A, the two signal generators 16, 16' are triggered. The automation units 6, 6' consequently detect a signal change and report an emergency stop request to the main automation units 1, 1' via the buses 4, 4'. The main automation units 1, 1' evaluate the incoming signals in such a way that the hoist (not illustrated) is immediately halted. The monitoring of other safety-relevant operations, for example the closing of access gates to the hoisting shaft, which is designed analogously to the emergency stop switch 17 described, is not illustrated in FIG 2. As long as even only one of the automation units or electronic terminators 5 to 8, 5' to 8' reports an open gate, the hoist is not started up. The hoist is consequently driven depending on the evaluation results of the automation units 1, 1' in such a way that the state of the shaft hoisting system is always safe.
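The following is an added illustration and not part of the patent text: a Python model of the dual-channel evaluation described for FIG 2 and of the equivalence check of the safety-relevant input signals described above. The class and function names, the 100 ms discrepancy tolerance and the normally-closed wiring convention (closed loop = no stop request) are assumptions, not details given by the patent.

```python
"""Dual-channel evaluation of one safety-relevant input, modelled on the
emergency stop circuit of FIG 2: one switch actuates two independent
signal generators whose signals reach two redundant automation units on
two independent paths. Constructed example, not code from the patent.

Assumed wiring convention (normally closed loop): a channel value of True
means the loop is closed (no stop request), False means the loop is open,
either because the switch was actuated or because the wire is broken.
Treating the de-energised state as the stop request is the fail-safe
direction: a broken wire looks like a stop, never like a release."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Verdict(Enum):
    RUN = "run"                    # both channels report a closed loop
    STOP = "stop"                  # at least one channel reports an open loop
    DISCREPANCY = "discrepancy"    # channels disagree for too long: input fault


@dataclass
class DualChannelInput:
    """Equivalence check of the two channels of one input.

    The two contacts of a real switch never operate at exactly the same
    instant, so a short disagreement is tolerated; a disagreement that
    outlasts `discrepancy_time_ms` (assumed 100 ms) is latched as a fault
    and stays latched until an explicit reset, so that a single failed
    signal generator or signal path cannot go unnoticed."""
    discrepancy_time_ms: int = 100
    latched_fault: bool = False
    _mismatch_since: Optional[int] = None

    def evaluate(self, ch_a: bool, ch_b: bool, now_ms: int) -> Verdict:
        if self.latched_fault:
            return Verdict.DISCREPANCY
        if ch_a != ch_b:
            if self._mismatch_since is None:
                self._mismatch_since = now_ms
            elif now_ms - self._mismatch_since >= self.discrepancy_time_ms:
                self.latched_fault = True
                return Verdict.DISCREPANCY
        else:
            self._mismatch_since = None
        # One open channel is enough to demand a stop (1oo2 in the stop
        # direction); both channels must agree for the input to be released.
        return Verdict.RUN if (ch_a and ch_b) else Verdict.STOP

    def reset(self) -> None:
        """Clears a latched fault; in the real installation this would be a
        deliberate operator action after the input has been repaired."""
        self.latched_fault = False
        self._mismatch_since = None


def hoist_permitted(verdicts: Iterable[Verdict]) -> bool:
    """Rule applied by the main automation units to the reports of all
    terminators: the hoist runs only if every safety-relevant input
    (emergency stop switches, gate contacts, ...) is released. A single
    STOP or DISCREPANCY from any node halts or blocks the hoist."""
    return all(v is Verdict.RUN for v in verdicts)


if __name__ == "__main__":
    # Constructed sample: normal running, then the emergency stop switch is
    # pressed at 1000 ms with contact B lagging contact A by 20 ms.
    estop = DualChannelInput()
    gate = DualChannelInput()
    print(hoist_permitted([estop.evaluate(True, True, 0),
                           gate.evaluate(True, True, 0)]))   # True
    print(estop.evaluate(False, True, 1000))   # Verdict.STOP, one contact open
    print(estop.evaluate(False, False, 1020))  # Verdict.STOP, both open
```

The asymmetry is the point: any single channel can force a stop at once, but releasing the input requires both channels to agree, and a persistent disagreement is treated as a fault of the input rather than as a release.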
The signal paths 15, 15' and likewise the buses 4, 4' are cyclically checked, for example every 10 seconds, for line breakage, faults to ground, etc. The checking may be carried out by applying a test signal to the signal paths 15, 15' or the buses 4, 4' and checking that it is received correctly.
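As an added illustration of the cyclic line check, not taken from the patent: a Python model of a test signal injected every 10 seconds on a signal path and classified at the receiving end. The electrical conventions (idle line reads HIGH, test pulse drives it LOW), the fault classes and all names are assumptions made for the example.

```python
"""Cyclic check of a signal path by an injected test signal, as described
for the signal paths 15, 15' and the buses 4, 4'. Constructed example, not
code from the patent. Electrical conventions are assumptions: the idle
line of a closed safety loop reads HIGH; every TEST_PERIOD_S the sending
end pulls the line LOW for a short test pulse, and the receiving end
samples once outside and once inside the pulse. A healthy line follows
the pulse; a line that never reads HIGH is open or shorted to ground; a
line that never reads LOW is shorted to supply or its test driver failed.
Without the pulse the last case is invisible: a line stuck at the idle
level looks exactly like a healthy closed loop, and a later emergency
stop on that path would never be seen."""
from enum import Enum
from typing import Callable, Dict, List, Optional

TEST_PERIOD_S = 10          # assumed cycle, matching the text's example of 10 s

# read_level(pulse_active) -> sampled level at the receiving end (True = HIGH)
LineReader = Callable[[bool], bool]


class PathState(Enum):
    OK = "ok"
    OPEN_OR_GROUND = "open circuit or fault to ground"
    STUCK_HIGH = "stuck high: test pulse not received"


def check_path(read_level: LineReader) -> PathState:
    """One test cycle on one path: sample outside and inside the pulse."""
    idle = read_level(False)     # expected HIGH
    pulsed = read_level(True)    # expected LOW
    if idle and not pulsed:
        return PathState.OK
    if not idle:
        return PathState.OPEN_OR_GROUND
    return PathState.STUCK_HIGH


class CyclicLineCheck:
    """Runs check_path on every registered path once per period and keeps
    the latest verdict per path, so the main units can report a faulted
    path on the monitor and printer and stop trusting it."""

    def __init__(self, paths: Dict[str, LineReader], period_s: int = TEST_PERIOD_S):
        self.paths = paths
        self.period_s = period_s
        self.last_run_s: Optional[int] = None
        self.state: Dict[str, PathState] = {}

    def run(self, now_s: int) -> Dict[str, PathState]:
        """Call on every control cycle; the check itself runs only when due."""
        if self.last_run_s is None or now_s - self.last_run_s >= self.period_s:
            self.last_run_s = now_s
            self.state = {name: check_path(rd) for name, rd in self.paths.items()}
        return self.state

    def faulted(self) -> List[str]:
        return sorted(n for n, s in self.state.items() if s is not PathState.OK)


# Constructed stand-ins for the physical lines.
def healthy_line(pulse: bool) -> bool:
    return not pulse              # follows the driver: HIGH idle, LOW in pulse


def broken_line(pulse: bool) -> bool:
    return False                  # open circuit / fault to ground: always LOW


def supply_short(pulse: bool) -> bool:
    return True                   # short to supply: always HIGH, pulse lost


if __name__ == "__main__":
    checker = CyclicLineCheck({"15": healthy_line, "15'": supply_short})
    print(checker.run(0))         # {'15': OK, "15'": STUCK_HIGH}
    print(checker.faulted())      # ["15'"]
```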
The safety of the automation system can be further increased in that the redundant automation units 1, 1' monitor one another and the monitoring result is output, for example on the monitor 13 and the printer 11. If, for instance, the automation unit 1' detects a failure of the automation unit 1, this is indicated on the printer 11 and the monitor 13 and the hoist is halted. It is possible, for example, to allow operation of the shaft installation to continue only once both main automation units 1, 1' are functioning again, or else to allow the operation of the shaft hoisting installation only by the automation unit 1' by means of a non-preprogrammable special command to be entered manually.
The functioning of the main automation units 1, 1' can be checked here, for example, by cyclically checking the memory units (not illustrated) of the automation units 1, 1' for their basic response capability, possibly even for their memory contents. It is also possible to check further components of the main automation units 1, 1' cyclically, for example the processors (likewise not illustrated). Such self-testing of the automation system is always carried out after a comparatively long standstill of the installation, preferably before the installation is started up again, so that any faults which have occurred in the meantime can be immediately detected and reported.
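As an added illustration, not part of the patent text, of the mutual monitoring of the main automation units, the halt on a detected failure, the manually authorised limited operation and the self-test after a long standstill described in the two preceding paragraphs: a Python model of the supervising logic in unit 1'. The heartbeat timeout, the standstill threshold, the memory test patterns and all names are assumptions; the patent gives none of these values.

```python
"""Mutual monitoring of the two main automation units 1 and 1' over data
line 2, the reaction to a detected failure, the manually authorised
limited operation, and the self-test that delays start-up after a long
standstill. Constructed example, not code from the patent; the heartbeat
timeout, the standstill threshold, the memory-test patterns and all names
are assumptions."""
from enum import Enum
from typing import List, Optional

HEARTBEAT_TIMEOUT_MS = 300      # assumed: partner counted as failed after 300 ms silence
LONG_STANDSTILL_MS = 3_600_000  # assumed: one hour without movement triggers a self-test


class Mode(Enum):
    NORMAL = "normal"     # both main units healthy; hoist may run
    HALTED = "halted"     # partner failed or self-test failed: hoist halted, fault logged
    LIMITED = "limited"   # operation by unit 1' alone, manually authorised


def memory_self_test(mem: bytearray) -> bool:
    """Writes two complementary patterns to every cell and reads them back,
    then restores the original contents. Assumed stand-in for the cyclic
    check of the memory units' basic response capability."""
    saved = bytes(mem)
    ok = True
    for pattern in (0x55, 0xAA):
        for i in range(len(mem)):
            mem[i] = pattern
        if any(b != pattern for b in mem):
            ok = False
            break
    mem[:] = saved
    return ok


class StuckCellMemory(bytearray):
    """Constructed faulty memory for the example: cell `stuck_index` ignores writes."""
    stuck_index = 2

    def __setitem__(self, key, value):
        if key == self.stuck_index:
            return
        super().__setitem__(key, value)


class MainUnitSupervisor:
    """Runs in the subsidiary main unit 1' and watches unit 1 through the
    heartbeat exchanged by the communication processors 3, 3'. The log
    list stands for the printer 11 and the monitor 13."""

    def __init__(self, log: List[str]):
        self.mode = Mode.NORMAL
        self.last_heartbeat_ms: Optional[int] = None
        self.self_test_failed = False
        self.log = log

    def heartbeat_from_partner(self, now_ms: int) -> None:
        self.last_heartbeat_ms = now_ms

    def partner_alive(self, now_ms: int) -> bool:
        return (self.last_heartbeat_ms is not None
                and now_ms - self.last_heartbeat_ms <= HEARTBEAT_TIMEOUT_MS)

    def tick(self, now_ms: int) -> Mode:
        """Called cyclically; halts on a lost partner and returns to normal
        operation only once both main units are functioning again. A failed
        self-test is never cleared by a returning heartbeat alone."""
        if self.mode is Mode.NORMAL and not self.partner_alive(now_ms):
            self.mode = Mode.HALTED
            self.log.append(f"{now_ms} ms: failure of unit 1 detected, hoist halted")
        elif (self.mode is not Mode.NORMAL and self.partner_alive(now_ms)
              and not self.self_test_failed):
            self.mode = Mode.NORMAL
            self.log.append(f"{now_ms} ms: both main units functioning, normal operation")
        return self.mode

    def special_command(self, now_ms: int) -> Mode:
        """Releases limited operation by unit 1' alone. Only valid while
        halted; in the real installation this is a manual, non-programmable
        entry, so nothing in the control program may issue it automatically."""
        if self.mode is Mode.HALTED and not self.self_test_failed:
            self.mode = Mode.LIMITED
            self.log.append(f"{now_ms} ms: limited operation by unit 1' authorised manually")
        return self.mode

    def start_up_permitted(self, now_ms: int, standstill_ms: int, mem: bytearray) -> bool:
        """Start-up after a long standstill is delayed until the partner has
        answered and the memory test has passed; otherwise the installation
        stays halted and the fault is logged."""
        if standstill_ms >= LONG_STANDSTILL_MS:
            if not self.partner_alive(now_ms) or not memory_self_test(mem):
                self.mode = Mode.HALTED
                self.self_test_failed = True
                self.log.append(f"{now_ms} ms: self-test failed, start-up refused")
                return False
            self.self_test_failed = False
            self.log.append(f"{now_ms} ms: self-test passed")
        return self.mode is not Mode.HALTED
```

Two design points are worth noting. First, the transition back to normal operation depends only on the partner being observed alive again; no command can force it, which keeps the "both functioning again" rule out of reach of a stored command sequence. Second, a failed self-test latches separately from a lost heartbeat, so a unit whose memory is defective cannot be returned to service merely because it resumes answering.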
A further measure for increasing operational safety is the protection of at least the main automation units 1, 1' against a power failure by means of a battery (not illustrated).
The automation system described above can of course also be employed for monitoring and/or controlling other technical installations with increased safety requirements.