The present disclosure relates to a method for the safety-oriented control of at least one final control element of an apparatus, and a system to carry out the method.
In methods of this type, for example when used on a gas boiler, electrical safety components and final control elements such as, for example, gas valves have two relay contacts that are tripped independently from one another in order to ensure that a contact that is fused due to a defect and is therefore no longer detachable does not induce an unsafe state and that, for example, gas does not inadvertently escape.
A fusion or adhesion of a contact can occur, for example, if said contact trips to a short circuit or overload and the two poles of the contact consequently fuse together due to the excessively high switching current. A high switching current can occur, inter alia, due to a backup fuse in the circuit which does not trip quickly enough.
A control system for a magnetic valve having a switch to regulate the current of the magnetic valve is known from WO 2011/058159 A2.
A method for safety-oriented activation of a final control element is further known from EP 1 826 640 A1, said method being characterized in that a first and a second dynamic signal having different frequencies are generated by a microprocessor and are fed to a bandpass or high-pass filter in order to activate the final control element.
A method for activating a safety relay in an automatic firing system, in particular for use in a burner on a heating device, is further known from DE 103 21 764 A1, wherein the voltage supply for the downstream outputs of the burner components is released with the safety relay.
One disadvantage of the already known prior art is that complex electronics which incur high manufacturing costs and require complex operation must be provided in apparatuses and methods of this type.
A further disadvantage is that a defective state is identified only by activating a component, such as, for example, a gas valve, and by then shutting it down via a second shutdown path. However, if a fused, and as such unidentified, contact is already present before the activation procedure, the contact that is still functioning similarly switches to a short circuit or an overload and likewise fuses, as a result of which safe shutdown is no longer ensured and a high safety risk occurs.
The object of the present disclosure is therefore to provide a facility for identifying an unsafe state of an electrical safety component to be switched, even before the activation of the component that is to be secured.
This object is achieved by way of features described in the present disclosure.
Appropriate and advantageous embodiments are indicated in the dependent claims.
The present disclosure provides a method for the safety-oriented control of at least one final control element of an apparatus, in particular at least one electrically actuated gas valve, which is switched by means of two relays connected in series, wherein the final control element is activated only if the first relay and the second relay are tripped,
The method according to the present disclosure advantageously ensures that the requirements enabling activation of the final control element are met only if no flow of current across the monitoring devices is detected. A fused contact of a relay which prevents a reliable and safe tripping of the relay and as a result represents a risk to the safe operation of the apparatus can thereby be detected and necessary measures which are required either to activate the final control element or to switch the device to a safe state can be initiated.
It is further provided that, in the event of a fault in at least one of the two relays and/or in at least one of the two monitoring devices, the apparatus, in particular the final control element, is switched to a safe state blocked for further control, preferably by closing the gas valve.
As a result, a further operation of the apparatus or, for example, an escape of flammable gas in the event of fault can advantageously be prevented.
It is further provided that information relating to the relay and/or the monitoring device in which the fault occurs is stored by means of the control device, wherein the information is stored permanently, in particular secure against power failure, preferably by means of an EEPROM storage module.
As a result, the information can be accessed quickly and reliably during the further operation of the apparatus without said information being lost, for example due to a power failure triggered by a short circuit.
It is further provided that the safe state is removed and a renewed control of the final control element is enabled by means of a reset of the control device, in particular a manual reset.
As a result, following a fault that triggers the safe state, an external intervention is required in order to restore controllability or to recommission the apparatus, and said intervention can be combined, for example, with any maintenance or repair work, tests or similar which might be necessary due to the existing fault.
It is further provided that, after the blocked state has been removed, in particular after the control device has been reset, the relay in respect of which the information relating to a fault has been stored is always tripped first.
In the case where a fused contact of one of the two relays coincides with a defect in the monitoring device corresponding to this relay, it is advantageous, for the safety-oriented operation of the apparatus, to initiate a re-activation of the final control element with the relay in which a fused contact has been detected and information has thereby been stored in the control device.
It is further provided that the two relays for activating the final control element are closed by the control device in succession, in particular with a delay of 10 ms to 500 ms, preferably a delay of around 100 ms.
It can thereby be ensured that, in the event of a fault in the first-tripped relay, the response to the fault entails the switching of the relay that is then to be tripped and an unsafe state of the apparatus can thus be prevented. The intention here, following a fault in the first-tripped relay, is to prevent the tripping of the relay that is then to be tripped.
It is further provided that the two relays for deactivating the final control element are opened by the control device in succession, in particular with a delay of 10 ms to 500 ms, preferably a delay of around 100 ms.
As a result, the relays are advantageously tripped sequentially and are opened unconditionally, whereby the final control element is closed and a safe state of the apparatus is thus established.
It is further provided that a tripping under load is divided by the control device between the first and second relay in such a way that the first and the second relay have roughly the same number of tripping actions that are performed under load over the service life of the apparatus and in total.
The first and the second relay are equally loaded by means of the alternating tripping behavior under load thereby created, since they alternately switch on and switch off the load. The respective other of the two relays trips with no load, in the sense of tripping without an electrical load. This can not only have an advantageous impact on the service life of the relays and also that of the apparatus, but can also guarantee reliable operation of the apparatus.
It is further provided that a fault in the form of a fused relay contact is identified by means of the control device in that, despite a switched off relay, a signal from the monitoring device corresponding to the switched off relay is detected.
It is further provided that a fault in the form of a defective relay or a fault in the form of a defective monitoring device is identified by means of the control device in that, despite a switched on relay, a signal from the monitoring device corresponding to the switched on relay is not detected.
It is further provided that a fault in the form of a fused relay contact in combination with a defective monitoring device is identified by means of the control device in that, in the event of a change in the switching state of the relay, no change in the signal from the corresponding monitoring device is detected.
By means of these method steps, the expected functional capability of the two relays and the two respective monitoring devices can advantageously be controlled and inferences can be made in respect thereof. Conceivable faults such as the fusion of a relay contact, a defective monitoring device or a combination of the two can therefore be detected even before the activation of the final control element, and a safe control can be enabled.
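The start sequence and fault checks described above can be simulated in a few lines of C; this is an added example, not code from the disclosure. It shows why the relay with a stored fault is tripped first after a reset: a fused contact combined with a dead monitoring device passes the pre-activation check, and is only caught before gas flows if that relay closes first. The type and function names and the simplified feedback model (signal present whenever the contact is closed) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>

enum fault { OK, FUSED_CONTACT, RELAY_OR_MONITOR_DEFECT };
struct relay { bool coil, fused, monitor_dead; };  /* last two: simulated defects */
struct controller {
    struct relay r[2];
    bool locked, gas_flowed;       /* safe state latched; valve was ever energized */
    int stored_fault, next_first;  /* EEPROM stand-in (-1 = none); no-load relay next start */
};

/* Simplified monitoring model: signal present whenever the contact is closed. */
static bool feedback(const struct relay *x) { return !x->monitor_dead && (x->coil || x->fused); }
static bool valve_open(const struct controller *c) {
    return (c->r[0].coil || c->r[0].fused) && (c->r[1].coil || c->r[1].fused);
}
static enum fault check(const struct relay *x) {
    if (!x->coil && feedback(x)) return FUSED_CONTACT;           /* signal despite relay off */
    if (x->coil && !feedback(x)) return RELAY_OR_MONITOR_DEFECT; /* no signal despite relay on */
    return OK;
}
static bool lockout(struct controller *c, int idx) {
    c->r[0].coil = c->r[1].coil = false;  /* open both relays unconditionally */
    c->locked = true;
    c->stored_fault = idx;                /* remember which relay to trip first later */
    return false;
}
void manual_reset(struct controller *c) { c->locked = false; }  /* stored fault is kept */

/* One start attempt; returns true only if both relays closed without a fault. */
bool start(struct controller *c) {
    if (c->locked) return false;
    int first = c->stored_fault >= 0 ? c->stored_fault : c->next_first;
    for (int i = 0; i < 2; i++)           /* pre-activation check, both relays off */
        if (check(&c->r[i]) != OK) return lockout(c, i);
    for (int k = 0; k < 2; k++) {
        int idx = k == 0 ? first : 1 - first;
        c->r[idx].coil = true;            /* the 100 ms delay would follow here */
        if (valve_open(c)) c->gas_flowed = true;
        if (check(&c->r[idx]) != OK) return lockout(c, idx);
    }
    c->next_first = 1 - first;            /* alternate which relay switches the load */
    return true;
}
/* Constructed scenario: relay index 1 carries the defects; returns 1 if gas flowed. */
int gas_flows(bool fused, bool mon_dead, int stored) {
    struct controller c = { .r = {{0, 0, 0}, {0, fused, mon_dead}}, .stored_fault = stored };
    start(&c);
    return c.gas_flowed;
}
int main(void) { printf("%d %d\n", gas_flows(true, true, -1), gas_flows(true, true, 1)); return 0; }
```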
It is further provided that either the first relay is operated in an external conductor of the final control element and the second relay is operated in a neutral conductor of the final control element, or that the first relay and the second relay are operated in an external conductor of the final control element, or that the first relay and the second relay are operated in a neutral conductor of the final control element.
Different circuits can therefore advantageously be enabled depending on the construction or design requirement, thereby increasing flexibility in design and production.
It is further provided that at least one monitoring device is operated by means of voltage feedback, in particular from an optocoupler, preferably from a forcibly guided double contact.
As a result, the flow of current across the corresponding relay can advantageously be measured at low cost and inferences can thereby be made quickly concerning its state, and this can be enabled in the case of an optocoupler galvanically isolated from the electrical circuit.
The present disclosure further provides a system, comprising:
Within the meaning of the present disclosure, an adhering contact is understood to mean an originally detachable contact of which the connection points or poles can no longer be detached from one another, for example due to an action of tripping to a short circuit and the high switching current associated therewith, since they are not detachably connected to one another, in particular are fused with one another.
Further details of the present disclosure are described in the drawings with reference to schematically represented exemplary embodiments.
When the apparatus, for example a gas burner, first starts, the first relay 2 trips with no load at a first time 19. After a delay, in particular of 100 ms, the second relay 10 switches on the load at the second time 20. After a certain operating time, the second relay 10 switches off the load once more at the third time 21. After a further delay, in particular of 100 ms, and at the fourth time 22, the first relay 2 then trips with no load.
The respective switching state of each relay 2, 10 is monitored by means of the corresponding optocouplers 9, 11. Any fault can advantageously be identified by means of the delays and corresponding measures can be initiated by means of the control device 6.
With each further start of the apparatus, the switching of the load between the two relays 2 and 10 alternates with a corresponding delay. In the case of the second start shown, a second relay 10, by way of example, trips first with no load and the first relay 2 trips the load. The switching off takes place in a similar manner. The service life of the two relays can advantageously be extended as a result.
In the case of the third start shown, the first relay 2 again first trips with no load. However, at the fifth time 23, the second relay 10 this time trips the load, for example to a short circuit, as a result of which a fusion of the contact of the second relay 10 occurs and the second relay 10 can then no longer be tripped. This can be detected by means of the control device in that, despite a switch-off attempt of the second relay 10 at the sixth time 24, the feedback signal 17 from the second relay 10 is still present. However, the gas valve 3 can be safely closed by means of a tripping of the second relay 10 at the seventh time 25. If a defect occurs, for example in the second optocoupler 11, at an eighth time 26, the defect still present in the second relay 10 is detectable in that the relay in which a defect has previously been identified trips first in the event of a further start of the apparatus, rather than the first relay 2 in the normal case. In the case shown by way of example in
Although the present invention has been described with reference to preferred embodiments, workers skilled in the art will recognize that changes may be made in form and detail without departing from the spirit and scope of the invention.
Number | Date | Country | Kind |
---|---|---|---|
10 2021 126 553.3 | Oct 2021 | DE | national |
This Application is a Section 371 National Stage Application of International Application No. PCT/EP2022/078468, filed Oct. 13, 2022, and published as WO 2023/062112 A1 on April 20, 2023, and claims priority to German Application No. 10 2021 126 553.3, filed Oct. 13, 2021, the contents of each of which are hereby incorporated by reference in their entirety.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2022/078468 | 10/13/2022 | WO |