Emergency stop device
The emergency stop device, based on a 3-level safety concept, selectively shuts down equipment, solving the problem of all equipment being shut down due to traditional emergency circuit breakers. It enables data reading and rapid restart, improving the reliability and flexibility of emergency stops.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- ROBERT BOSCH GMBH
- Filing Date
- 2021-07-07
- Publication Date
- 2026-06-12
AI Technical Summary
In existing technologies, traditional emergency circuit breakers cause all devices to shut down immediately when the controller is turned off, making it impossible to distinguish the device status and resulting in difficulties in data reading and system restart.
An emergency stop device employing a 3-level safety concept selectively shuts down equipment through the first and second levels, while the third level provides a fixed option to ensure that critical equipment remains powered. It utilizes independent hardware modules to achieve both reliability and flexibility in emergency stopping.
It enables the continued reading of device data and rapid system restart after an emergency stop, ensuring that critical equipment remains powered on and improving the reliability and flexibility of emergency stops.
Figure CN115803690B_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to an emergency stop device for a system having multiple devices controlled by a common controller.
Background Technology
[0002] General safety integrity, i.e., measures relating to the safety of electronic controllers, can be guaranteed with sufficient independence by the 3-level safety concept according to the ISO 26262 standard. In this concept, the first level acts as the functional level, the second level acts as the safety level and monitors the first level, and the third level ensures the integrity of the second level. Such a controller can be used, for example, to control various actuators, such as motors in vehicles, marine motors, agricultural machinery motors, or machine tools. The motor's electrical power supply is provided through the controller.
[0003] To enable the rapid shutdown of such motors in dangerous situations or to avoid danger, an emergency circuit breaker is installed, which interrupts the power supply to the controller. This also immediately interrupts the power supply to the motor and consequently shuts down all electrically operated equipment connected to the motor.
Summary of the Invention
[0004] Emergency stop devices for systems with multiple devices controlled by a common controller are particularly useful for the controlled shutdown of motors, such as marine motors. If such a marine motor is stopped by a conventional emergency circuit breaker that interrupts the power supply to its controller, all electrically operated equipment of the marine motor shuts down immediately. For example, if its throttle valve thereby returns to its initial position, restarting the marine motor may become impossible. Furthermore, once the controller is no longer supplied with power, data can no longer be read from the individual devices. Therefore, the emergency stop device is designed to shut down only a selection of the devices, while the controller is not shut down. This allows data from the devices to be read even after the emergency stop device has been operated, so that faults can be quickly identified and corrected if necessary. If power is still supplied to the individual devices during an emergency stop, the system can also be quickly restarted.
[0005] Preferably, the controller is a controller with a 3-level safety concept, particularly in accordance with the 3-level safety concept of the ISO 26262 standard. This existing safety concept can be used to implement selection functions in the first and second levels, respectively, to select from the equipment based on its operating status when operating the emergency stop device. Based on the equipment's operating status, it can be determined which equipment can be disconnected from the power supply and which must continue to be supplied with power. If the first level fails to select, the second level can also take over this function.
[0006] Since the first level, as the functional level, has the task of controlling the devices and supplying them with electrical power, it has control connections to the devices. These control connections are preferably set up so that they can also be used to shut down a selection of the devices. Individual devices can thus be shut down selectively without establishing additional electrical or data connections, as long as a selection of the devices is available in the first level, either generated there or supplied by the second level when the selection in the first level fails.
[0007] Furthermore, the second level is preferably connected to a third-level module having at least one shutdown connection to the devices, the third-level module being configured to shut down the selected devices. This shutdown connection can be used if it is not possible to send a shutdown signal via a control connection. It can also be used if the first level suffers a severe malfunction, such that it can neither select the devices itself nor receive a selection from the second level. In this case, after a selection has been generated in the second level, the devices can be shut down directly via the shutdown connection. The third-level module is preferred here because the 3-level safety concept already provides a hardware error management module (EMM) in the third level. This is advantageous for the shutdown because hardware-specific functions are already implemented there.
[0008] Furthermore, it is preferable to store a pre-defined selection of the devices in the third level. If the first two levels cannot make a selection, for example because they can no longer receive data about the operating status of the devices, the pre-defined selection in the third level serves as a last resort; it includes the devices that must be shut down under any circumstances to avoid danger. Using a fixed selection without assessing the operating status is less advantageous than shutting down based on the selection made in the first or second level, but it still allows devices known to be harmless and critical for restarting the system to remain powered, and it also maintains the controller's power supply.
[0009] A particularly preferred approach is to store the pre-defined selection of the devices in a monitoring module of the third level. In the 3-level safety concept, this module is housed in a hardware unit that is separated, in both hardware and software, from the rest of the controller, and is therefore particularly well protected from damage that could affect other parts of the controller.
[0010] The third level preferably has at least one shut-off connection to the devices, which is set up to shut down the selection of the devices stored in the third level. This independent shut-off connection (which does not pass through the first and second levels) provides additional reliability for an emergency stop in hazardous situations.
[0011] In order to keep the number of additional electrical or data connections required for the emergency stop device low, it is also preferable to route the third-level shut-off connection partly over a line shared with the second-level shut-off connection.
Description of the Drawings
[0012] Embodiments of the present invention are shown in the accompanying drawings and described in more detail in the following description.
[0013] Figure 1 shows a system with an emergency stop device according to the prior art.
[0014] Figure 2 shows an embodiment of the emergency stop device according to the present invention.
Detailed Implementation
[0015] Figure 1 shows a conventional emergency stop device 10 in the form of an emergency circuit breaker for shutting down a system 20. System 20 has a controller 31 with a hardware module 32. According to the ISO 26262 standard, it has a three-level safety concept with levels 40, 50, and 60. The power supply 33 of controller 31 has an interrupt switch 34. Operating the emergency stop device 10 opens this interrupt switch 34, so that controller 31 is no longer supplied with electrical power. In this embodiment, controller 31 controls the diesel engine that drives a vessel. The diesel engine has devices 71 to 74 in the form of a metering unit 71 for the diesel high-pressure pump, a throttle valve 72, an air valve 73 arranged upstream of the throttle valve, and an injection actuator 74. The functional module 41 in the first level 40 controls these devices 71 to 74 via control line 81. In Figure 1 these are represented as a single connection for simplicity; in reality four control lines 81 are provided, so that each of devices 71 to 74 is connected to a separate control line 81. The control lines 81 also supply electrical power to devices 71 to 74. Operating the emergency stop device 10 therefore causes not only the controller 31 and its hardware module 32 but also all devices 71 to 74 to cease operating.
[0016] In the 3-level safety concept, a safety module 51 that monitors the functional module 41 is located in the second level 50. For this purpose, it receives data from the functional module 41 and also sends data back to it. In the third level 60, a memory test module 61 performs memory tests for both the second level 50 and the third level 60. A configuration test module 62 monitors the hardware configuration of the second level 50 and the third level 60. A hardware test module 63 monitors additional hardware modules of the controller 31. Data from the memory test module 61, configuration test module 62, and hardware test module 63 is collected by the PFC module 64 (Program Flow Check), which also exchanges data with the safety module 51 in the second level 50. A monitoring module 65 in the hardware module 32 (structurally separate from the rest of the controller 31, but forming part of the third level 60) can send queries to the memory test module 61, configuration test module 62, hardware test module 63, and the safety module 51 in the second level 50. After the PFC module 64 has collected the responses from modules 51, 61, 62, and 63, these responses are passed to the monitoring module 65, which in this way ensures the integrity of the second level 50. Furthermore, a safety mechanism 66 for testing hardware memory in the form of ECC (error-correcting code) and a hardware error management module (EMM) 67 are provided in the third level.
[0017] Figure 2 shows an emergency stop device 10 according to an embodiment of the present invention. In this embodiment, the interrupt switch 34 is omitted. Instead, the emergency stop device 10 sends emergency stop requests via two redundant lines to the functional module 41 of the first level 40 and to the safety module 51 of the second level 50. In the functional module 41, it is determined from the operating status of devices 71 to 74 which of them must be shut down and which can safely continue to operate. Based on this selection, the selected devices are then shut down via control connection 81.
[0018] Since safety module 51 also receives the emergency stop request, it reproduces the selection of devices 71 to 74 made in functional module 41 and corrects any selection errors that may have occurred in the first level 40. If the error correction fails, or if the shutdown request cannot be sent via control connection 81, safety module 51 instead forwards its own shutdown selection to EMM 67 of the third level 60 via shutdown module 52 of the second level 50. EMM 67 is connected to the outputs of control lines 81 to 84 via shutdown connection 82, a wired connection inside controller 31 that is not present in conventional systems, and can shut down devices 71 to 74 according to the shutdown request.
[0019] If both the first level 40 and the second level 50 fail to implement the emergency stop request, this is detected by the monitoring module 65. It does not attempt to select which of devices 71 to 74 should be shut down. Instead, it uses a fixed selection stored within it, in the form of a list, which indicates which of devices 71 to 74 are to be shut down if all other shutdown paths fail. In this embodiment, the list specifies, for example, only the shutdown of the injection actuator 74. The shutdown request is sent to devices 71 to 74 via a further shutdown connection 83. This is implemented as an additional wired connection that starts from hardware module 32 and, within controller 31, joins shutdown connection 82.
[0020] The controller 31 and its hardware module 32 remain active after the emergency stop device 10 is activated. They also provide data about devices 71 to 74 and allow for a rapid restart of the entire system 20 once the emergency stop request is withdrawn.
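As an added illustration that is not part of the patent, the following Python model traces the fallback across the three levels described in paragraphs [0017] to [0019]: a status-based selection in level 1, reproduction and correction in level 2, and the fixed list in level 3, with the controller never part of any shutdown set. The device status values, the selection rule, and the function names are assumptions made for the example.

```python
from typing import Dict, FrozenSet, Optional, Tuple

# Reference numerals follow the description; the status vocabulary is constructed.
DEVICES = ("metering_unit_71", "throttle_valve_72", "air_valve_73", "injection_actuator_74")
CONTROLLER = "controller_31"  # must never appear in a shutdown set (paragraph [0020])

# Level 3 fixed list held by monitoring module 65: in the embodiment only device 74.
LEVEL3_FIXED_LIST: FrozenSet[str] = frozenset({"injection_actuator_74"})


def select_by_status(status: Dict[str, str]) -> FrozenSet[str]:
    """Assumed selection rule used by levels 1 and 2: a device reported 'active'
    is feeding the engine and must be shut down; an 'idle' device stays powered
    so that the engine can be restarted afterwards."""
    return frozenset(d for d in DEVICES if status.get(d) == "active")


def emergency_stop(status: Optional[Dict[str, str]],
                   level1_selection: Optional[FrozenSet[str]],
                   level2_available: bool = True) -> Tuple[FrozenSet[str], str]:
    """Return (devices to shut down, shutdown path).

    status            -- operating status as seen by levels 1/2, or None when
                         status data is no longer received ([0008]).
    level1_selection  -- what functional module 41 actually produced; None or a
                         wrong set models a level 1 fault.
    level2_available  -- whether safety module 51 can still act.
    """
    if status is not None:
        expected = select_by_status(status)
        if level1_selection == expected:
            # Level 1 selected correctly; shutdown goes out over control connection 81.
            return expected, "level1:control_connection_81"
        if level2_available:
            # Level 2 reproduces the selection, corrects level 1, and routes the
            # request through EMM 67 and shutdown connection 82.
            return expected, "level2:emm_67_shutdown_connection_82"
    # Neither level 1 nor level 2 could select: monitoring module 65 applies the
    # fixed list via shutdown connection 83 without assessing operating status.
    return LEVEL3_FIXED_LIST, "level3:fixed_list_shutdown_connection_83"


def controller_stays_powered(shutdown: FrozenSet[str]) -> bool:
    """The patent's invariant: the controller is never among the shut-down items."""
    return CONTROLLER not in shutdown


if __name__ == "__main__":
    # Constructed sample status: three devices feeding the engine, one idle.
    sample = {"metering_unit_71": "active", "throttle_valve_72": "active",
              "air_valve_73": "idle", "injection_actuator_74": "active"}
    for args in ((sample, select_by_status(sample)), (sample, frozenset(DEVICES)),
                 (sample, None, False), (None, None)):
        print(emergency_stop(*args))
```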
Claims
1. An emergency stop device (10) of a system (20) having a plurality of devices (71-74) controlled by a common controller (31), characterized in that the emergency stop device (10) is configured to shut down a selection of the devices (71-74), wherein the controller (31) is not shut down; the controller (31) has a safety concept with three levels (40, 50, 60), and a selection function is implemented in each of the first level (40) and the second level (50), the selection function being set up so that, when the emergency stop device is operated, a selection of the devices (71-74) is made according to their operating status; if the first level fails to make a selection, the second level takes over this function; a pre-defined selection of the devices (71-74) is stored in the third level (60); and if the first level (40) and the second level (50) cannot make a selection of the devices, the pre-defined selection of the devices stored in the third level (60) is used, which includes a device that must be shut down under any circumstances to avoid danger.
2. The emergency stop device (10) according to claim 1, characterized in that the first level (40) has a control connection (81) to the devices (71-74), the control connection being set up to control the devices (71-74) and to shut down the selection of the devices (71-74).
3. The emergency stop device (10) according to claim 1 or 2, characterized in that the second level (50) is connected to a module of the third level (60), the module having at least one shut-off connection (82) to the devices (71-74), the shut-off connection being set up to shut down the selection of the devices (71-74).
4. The emergency stop device (10) according to claim 3, characterized in that the module in question is the hardware error management module (67).
5. The emergency stop device (10) according to claim 1, characterized in that the pre-defined selection of the devices is stored in the monitoring module (65).
6. The emergency stop device (10) according to claim 1 or 5, characterized in that the third level (60) has at least one shut-off connection (83) to the devices (71-74), the shut-off connection being set up to shut down the selection of the devices (71-74) stored in the third level (60).
7. The emergency stop device (10) according to claim 6, characterized in that the shut-off connection (83) of the third level (60) is partly routed over a line shared with the shut-off connection (82) of the second level (50).