WO-2026094173-A1 - FAILSAFE CONTROL SYSTEM

Abstract

A failsafe control system comprises a control circuit portion (23) including a controller (19), an actuator circuit portion (25) including a driver (17) and a monitor circuit (35), a first insulator circuit (27), and a second insulator circuit (39). The controller generates a control signal for driving actuators (11) and (13), and generates a monitor signal. The first insulator circuit translates the control signal. The second insulator circuit translates the monitor signal. The monitor circuit monitors receipt of the translated monitor signal, and outputs a stop signal to the driver if the second monitor signal is not received. The driver drives the actuator based on the translated control signal, and stops driving the actuators when the stop signal is received.

Inventors

  • SPLETT, Michael

Assignees

  • MITSUBISHI ELECTRIC CORPORATION

Dates

Publication Date
20260507
Application Date
20241030

Claims (17)

  1. A failsafe control system, comprising: a control circuit portion including a controller; an actuator circuit portion including a driver and a monitor circuit; a first insulator circuit; and a second insulator circuit, wherein the controller is configured to generate a first control signal for driving at least one actuator, and to generate a first monitor signal; wherein the first insulator circuit is configured to translate the first control signal received from the controller into a second control signal; wherein the second insulator circuit is configured to translate the first monitor signal received from the controller into a second monitor signal; wherein the monitor circuit is configured to monitor receipt of the second monitor signal from the second insulator circuit, and to output a stop signal to the driver if the second monitor signal is not received; and wherein the driver is configured to drive the at least one actuator based on the second control signal received from the first insulator circuit, and to stop driving the at least one actuator when the stop signal is received from the monitor circuit.
  2. The failsafe control system according to claim 1, wherein the first insulator circuit has an input connected to the controller to receive the first control signal, and an output connected to the driver to supply the second control signal to the driver; and wherein the first insulator circuit is free of any galvanic connection between its input and its output.
  3. The failsafe control system according to claim 2, wherein an electric resistance between the input and the output of the first insulator circuit is greater than 1 MΩ.
  4. The failsafe control system according to one of claims 1 to 3, wherein the second insulator circuit has an input connected to the controller to receive the first monitor signal, and an output connected to the monitor circuit to supply the second monitor signal to the monitor circuit; and wherein the second insulator circuit is free of any galvanic connection between its input and its output.
  5. The failsafe control system according to claim 4, wherein an electric resistance between the input and the output of the second insulator circuit is greater than 1 MΩ.
  6. The failsafe control system according to one of claims 2 to 5, wherein at least one of the first insulator circuit and the second insulator circuit is configured to use at least one of optical coupling, inductive coupling, capacitive coupling, and magnetic coupling to translate signals received at its input to signals outputted at its output.
  7. The failsafe control system according to one of claims 1 to 6, wherein the failsafe control system is free of any galvanic connection between the control circuit portion and the actuator circuit portion.
  8. The failsafe control system according to claim 7, wherein an electric resistance between the control circuit portion and the actuator circuit portion is greater than 500 kΩ.
  9. The failsafe control system according to one of claims 1 to 8, wherein the first monitor signal is an electric signal changing over time such that the signal is greater than a first signal value during repeating first time periods and the signal is smaller than a second signal value during repeating second time periods alternating with the first time periods; and wherein the first time periods and the second time periods are shorter than a predetermined time period.
  10. The failsafe control system according to claim 9, wherein the predetermined time period is shorter than 10 seconds.
  11. The failsafe control system according to one of claims 1 to 10, wherein the monitor circuit is configured to output the stop signal when the second monitor signal does not change from a predetermined first value to a predetermined second value within a predetermined time period.
  12. The failsafe control system according to one of claims 1 to 11, wherein the controller has a command input to receive control commands for controlling the at least one actuator.
  13. The failsafe control system according to one of claims 1 to 12, further comprising the at least one actuator, wherein the at least one actuator includes at least one of a motor, an electric switch, a hydraulic piston, and a light source.
  14. The failsafe control system according to one of claims 1 to 12, further comprising a machine, wherein the machine is driven by the at least one actuator; wherein the machine has an operating state in which it performs movements, and a resting state in which the machine is in a predefined resting condition; and wherein the driver is configured to drive, when it has received the stop signal, the at least one actuator such that the machine assumes the resting state.
  15. The failsafe control system according to any one of claims 1 to 14, comprising a delay circuit to perform a delay process on the second control signal such that a timing of giving a command to change the at least one actuator from a stop state to a driving state is delayed, wherein the second control signal that has undergone the delay process is input to the driver.
  16. The failsafe control system according to claim 15, wherein the delay circuit does not delay a timing of giving a command to change the at least one actuator from the driving state to the stop state.
  17. The failsafe control system according to claim 16, wherein the command to change the at least one actuator from the driving state to the stop state is given in response to receiving an operation that gives a command for emergency stop.
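The monitor circuit of claims 9 to 11 and the delay circuit of claims 15 and 16 behave like a heartbeat watchdog combined with an asymmetric on-delay. The C model below is an added illustration, not part of the patent text; the 10 ms step, 250 ms timeout, 50 ms on-delay, 100 ms toggle interval and all type and function names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define STEP_MS 10u      /* simulation step (assumed) */
#define TIMEOUT_MS 250u  /* "predetermined time period" of claim 11 (assumed value) */
#define ON_DELAY_MS 50u  /* delay on stop-to-drive commands, claim 15 (assumed value) */

/* Monitor circuit model: stop is output while the translated monitor signal has
   held one level for TIMEOUT_MS. Any level change counts (a simplification). */
typedef struct { uint32_t since_edge_ms; bool last_level; } monitor_t;
bool monitor_tick(monitor_t *m, bool level) {
    if (level != m->last_level) { m->last_level = level; m->since_edge_ms = 0; }
    else if (m->since_edge_ms < TIMEOUT_MS) m->since_edge_ms += STEP_MS; /* saturate */
    return m->since_edge_ms >= TIMEOUT_MS;
}

/* Delay circuit model: ON must persist for ON_DELAY_MS before it reaches the
   driver; OFF passes through on the same tick (claim 16). */
typedef struct { uint32_t on_held_ms; } on_delay_t;
bool on_delay_tick(on_delay_t *d, bool cmd_on) {
    if (!cmd_on) { d->on_held_ms = 0; return false; }
    if (d->on_held_ms < ON_DELAY_MS) d->on_held_ms += STEP_MS;
    return d->on_held_ms >= ON_DELAY_MS;
}

/* Constructed scenario: control signal held ON, monitor signal toggling every
   100 ms until it freezes at stuck_at_ms. Returns the time (ms) at which the
   driver stops after having been driving, or -1 if it never stops. */
int simulate_stuck_monitor(uint32_t stuck_at_ms, uint32_t total_ms) {
    monitor_t m = {0, false};
    on_delay_t d = {0};
    bool was_driving = false;
    for (uint32_t t = 0; t < total_ms; t += STEP_MS) {
        bool level = ((t < stuck_at_ms ? t : stuck_at_ms) / 100u) % 2u;
        bool stop = monitor_tick(&m, level);  /* always evaluated, never short-circuited */
        bool drive = on_delay_tick(&d, true) && !stop;
        if (was_driving && !drive) return (int)t;
        was_driving = drive;
    }
    return -1;
}

/* Constructed scenario: a spurious ON pulse of pulse_ms on the control signal.
   Returns true if the pulse reaches the driver. */
bool on_pulse_reaches_driver(uint32_t pulse_ms) {
    on_delay_t d = {0};
    for (uint32_t t = 0; t < pulse_ms; t += STEP_MS)
        if (on_delay_tick(&d, true)) return true;
    return false;
}
int main(void) { return simulate_stuck_monitor(1000, 3000) == 1250 ? 0 : 1; }
```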

Description

FAILSAFE CONTROL SYSTEM

The present disclosure relates to failsafe control systems.

Control systems are used to control the operation of actuators, such as motors, magnets, hydraulic pistons and the like, wherein plural actuators can be combined with mechanical structures so that the control system can control the operation of complex apparatuses, such as machines used for manufacturing, vehicles, such as trains, and robots, for example, and other types of apparatuses. Some of the apparatuses controlled by control systems must be operated such that safety considerations are taken into account. For example, a machine may harm an operator or a user of the machine, or it may cause damage to objects located in an environment of the machine, if the machine is not properly controlled or if some fault occurs.

Failsafe control systems have been developed which perform the necessary control operations while monitoring the control operation in order to detect the occurrence of faults, and which, if a fault is detected, control the actuators such that the apparatus driven by the actuators is stopped and assumes a state which is regarded as a safe state potentially not harming persons or damaging objects.

PTL 1 discloses and discusses various architectures of failsafe control systems. Still, the failsafe control systems known from PTL 1 show control and safety issues in certain situations, such as situations in which an overvoltage affects the control and monitoring operations.
Figure 1 is a schematic diagram illustrating a failsafe control system according to an embodiment.
Figure 2 is a graph of a monitor signal generated in the failsafe control system shown in figure 1.
Figure 3 is a graph illustrating an example of changes in various signals associated with an occurrence of abnormal ON.
Figure 4 is a block diagram illustrating a failsafe control system according to a modification.
Figure 5 is a graph illustrating an example of changes in various signals associated with an occurrence of abnormal ON in the failsafe control system according to the modification.
Figure 6 is a graph illustrating an example of changes in various signals in a case where the control signal changes from a value indicating ON to a value indicating OFF.

Hereinafter, failsafe control systems according to embodiments will be described in detail with reference to the drawings.

Figure 1 is a schematic diagram illustrating a failsafe control system 1 according to an embodiment. The failsafe control system 1 is configured to control a machine 3. In the present embodiment, the machine 3 is a hydraulic press having a frame 5 supporting a bolster plate 7 and a movable ram 9. An actuator 11 is mounted on the frame 5 to move the ram 9 towards the bolster plate 7 to deform an object 12 arranged between the ram 9 and the bolster plate 7, and an actuator 13 is provided to move the ram 9 in the opposite direction to release the object 12. In the present embodiment, the actuators 11 and 13 can be hydraulic pistons.

The actuators 11 and 13 are driven by a driver 17 based on control signals generated by a controller 19. The controller 19 may be embodied by a microcomputer comprising a processor and a memory storing a program which, when executed by the processor, generates the control signals for the driver 17 such that the driver 17 controls the actuators 11 and 13 such that the machine 3 performs desired operations.
The controller 19 is connected to a communication interface 21 which is connected to a network not shown in Figure 1, such as a wired network or a wireless network. In particular, the controller 19 has a command input terminal 22 connected to the communication interface 21 to receive the program to be loaded into the memory of the controller 19 and to receive commands controlling the controller 19.

The controller 19 and the communication interface 21 are components of a control circuit portion 23, while the driver 17 is a component of an actuator circuit portion 25. The control circuit portion 23 and the actuator circuit portion 25 are electrically insulated from each other. The insulation between the control circuit portion 23 and the actuator circuit portion 25 is provided in order to prevent an overvoltage, which occurs for some unexpected reason at a component of the control circuit portion 23, from being transmitted to the driver 17 controlling the actuators 11 and 13 of the machine 3. Due to this insulation, the driver 17 will not be damaged by the overvoltage occurring at components of the control circuit portion 23 and possibly damaging these components.

The insulation between the control circuit portion 23 and the actuator circuit portion 25 can be provided such that an electric resistance between the control circuit portion 23 and the actuator circuit portion 25 is greater than 500 kΩ, greater than 5 MΩ, or greater than 50 MΩ. Moreover, the insulation can be configured such that it can withstand a high voltage, such as a voltage greater than 1 kV,