US3886413A - Presence sensing and self-checking control system - Google Patents

Publication number
US3886413A
Authority
US
United States
Prior art keywords
signal
output
controller
self
control circuit
Legal status
Expired - Lifetime
Application number
US327384A
Inventor
Frederick J T Dow
Dudley B Hartung
Current Assignee
Xenex Corp
Original Assignee
Xenex Corp
Application filed by Xenex Corp
Priority to US327384A (patent US3886413A)
Priority to CH82474A (patent CH588127A5)
Priority to DE2403058A (patent DE2403058A1)
Priority to CA191,073A (patent CA1005873A)
Priority to FR7402764A (patent FR2215629B1)
Priority to GB409974A (patent GB1461441A)

Classifications

    • G: PHYSICS
    • G01: MEASURING; TESTING
    • G01V: GEOPHYSICS; GRAVITATIONAL MEASUREMENTS; DETECTING MASSES OR OBJECTS; TAGS
    • G01V3/00: Electric or magnetic prospecting or detecting; Measuring magnetic field characteristics of the earth, e.g. declination, deviation
    • G01V3/08: Electric or magnetic prospecting or detecting; Measuring magnetic field characteristics of the earth, e.g. declination, deviation operating with magnetic or electric fields produced or modified by objects or geological structures or by detecting devices
    • G01V3/088: Electric or magnetic prospecting or detecting; Measuring magnetic field characteristics of the earth, e.g. declination, deviation operating with magnetic or electric fields produced or modified by objects or geological structures or by detecting devices operating with electric fields
    • F: MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F16: ENGINEERING ELEMENTS AND UNITS; GENERAL MEASURES FOR PRODUCING AND MAINTAINING EFFECTIVE FUNCTIONING OF MACHINES OR INSTALLATIONS; THERMAL INSULATION IN GENERAL
    • F16P: SAFETY DEVICES IN GENERAL; SAFETY DEVICES FOR PRESSES
    • F16P3/00: Safety devices acting in conjunction with the control or operation of a machine; Control arrangements requiring the simultaneous use of two or more parts of the body
    • F16P3/12: Safety devices acting in conjunction with the control or operation of a machine; Control arrangements requiring the simultaneous use of two or more parts of the body with means, e.g. feelers, which in case of the presence of a body part of a person in or near the danger zone influence the control or operation of the machine
    • F16P3/14: Safety devices acting in conjunction with the control or operation of a machine; Control arrangements requiring the simultaneous use of two or more parts of the body with means, e.g. feelers, which in case of the presence of a body part of a person in or near the danger zone influence the control or operation of the machine the means being photocells or other devices sensitive without mechanical contact
    • F16P3/148: Safety devices acting in conjunction with the control or operation of a machine; Control arrangements requiring the simultaneous use of two or more parts of the body with means, e.g. feelers, which in case of the presence of a body part of a person in or near the danger zone influence the control or operation of the machine the means being photocells or other devices sensitive without mechanical contact using capacitive technology

Definitions

  • a presence sensing system provided with self-checking operation is disclosed.
  • the system is especially adapted for use in a control system for machines to ensure safe operation thereof.
  • the system comprises a presence sensing section capable of producing output signals indicative of normal, intrusion, and withdrawal conditions in the guarded zone of the machine.
  • a control system comprising a control channel and a self-checking channel responds to the output signals of the sensing section and controls the condition of a controller, which in turn is adapted to interrupt machine operation.
  • the control channel and the self-checking channel are both implemented in binary logic.
  • the system is operated under the control of timing means which causes cyclic operation with each cycle divided into separate time slots, one for a testing mode of operation and one for a condition sensing mode of operation.
  • the testing mode time slot is subdivided into plural time slots, each corresponding to a particular test of the system.
  • This invention relates to condition responsive apparatus such as presence detecting systems and, more particularly, to an improvement which provides assurance that the apparatus will not appear to be operating properly if there is in fact a malfunction therein.
  • a typical application is industrial machines such as punch presses, wherein machine operation is interrupted if the operator's hand or another object intrudes into the area of the machine which would cause injury.
  • Such presence sensing systems have heretofore been devised which are capable of exercising some supervisory control over the machine in response to a change of objects present in the guarded zone, i.e. either an intrusion or the removal of an object.
  • In condition responsive systems it is common practice to provide some form of failsafe feature and, also, some form of malfunction detection or self-checking by the system itself.
  • self-checking however, the prior art has failed to provide a system which ensures that the condition sensing is reliable at all times during operation or, alternatively, provides warning or interruption at any time when there is malfunction which would produce false response.
  • a condition responsive system is provided with self-checking means capable of ensuring that no false condition responsive operation will occur. In general, this is provided by a test mode of operation prior to each condition responsive mode of operation to ensure reliable operation before the condition responsive mode is allowed to proceed. Also, according to the invention, the system may be adapted to sense plural conditions and provide a distinctive response thereto and in such a system the self-checking means operates to test for proper response to each of the plural conditions prior to the condition responsive mode of operation. This is accomplished by means which causes operation of the system in a cyclical manner with plural time slots in each cycle allocated to respectively different modes of operation.
  • the system is operated under the control of timing means which provides high frequency cyclical operation with each cycle divided into a test mode and a condition sensing or operate mode.
  • the timing means provides for the application of simulated condition signals during the test mode and the self-checking means determines whether the control means of the system produces a response corresponding to the simulated signal. If so, the operation proceeds to the condition responsive mode; otherwise the self-checking means is operative to arrest the operation of the system in the intermediate part of the cycle so that the control means is not allowed to function in the condition responsive mode until the malfunction has been eliminated.
  • the timing means provides plural time slots within the test mode time slot and causes the sequential application of plural simulated condition signals. Thus the system operation cannot proceed in the condition sensing mode unless it is functional to respond to each of the plural conditions.
  • a safety control system for machines using a presence sensing system is provided with the aforementioned self-checking feature to assure interruption of the machine in case of a malfunction.
  • This is accomplished by providing a digital supervisory control system for the machine which responds to signals produced by a presence sensing subsystem.
  • the digital control system comprises a control channel and a self-checking channel which are implemented in binary logic and which coact, together with a controller, to allow machine operation only when a safe condition exists and when there is no malfunction in the sensing section or the control section.
  • the self-checking system is provided with certain redundancy in design and, further, failsafe features are incorporated in the system.
  • FIG. 1 is a block diagram of the inventive system
  • FIG. 2a, 2b and 2c together constitute a diagram of the control system
  • FIG. 3 is a timing diagram
  • FIG. 4 is a tabular presentation representing certain operation conditions for purposes of explanation.
  • SYSTEM DESCRIPTION. Referring now to the drawings, there is shown an illustrative embodiment of the invention in a safety device for machines and more particularly a presence detection device which will prevent or stop machine operation when an object such as a person's hand is extended into a guarded zone.
  • the sensing and control system is provided with self-checking and failsafe arrangements in order to assure that the system is functionally operative unless it indicates otherwise and to ensure that any failure will itself initiate control measures to prevent or stop machine operation.
  • the presence or intrusion sensing section of the illustrative embodiment utilizes variations in the electrical capacitance of a sensing element to indicate the intrusion or withdrawal of an object from the guarded zone.
  • the output of the presence sensing section is applied to a control and self-checking logic section which in turn exercises some supervisory control over the machine under surveillance such as disabling it or causing an alarm to be energized.
  • the invention may be utilized with other types of presence sensing sections which are capable of producing logic level signals indicative of normal, intrusion and withdrawal conditions.
  • the surveillance system of the invention may be applied to any desired zone to be guarded to monitor the changes such as intrusion and withdrawal of objects.
  • the self-checking and failsafe system of the invention may be utilized with other condition responsive sensing systems capable of producing logic level signals indicative of two or more states or conditions of a variable quantity.
  • FIG. 1 shows an illustrative embodiment of the invention in a system specially adapted for the surveillance of a machine tool to protect an operator from injury which would result from placing his hand or other part of his body in a dangerous place on the machine.
  • the machine such as a punch press includes a table 10, having a portion adjacent the press platen (not shown) which is to be guarded for protection of the operator.
  • a sensing element or antenna 12 is disposed in spaced relation above the table 10 and is electrically insulated therefrom.
  • the sensing element may take the form of one or more metal tubes extending over the table 10 so that a measurable electrical capacitance is exhibited therebetween.
  • the table 10, as indicated, is electrically connected to ground and the antenna or sensing element 12 is electrically connected through a coaxial conductor as one leg of a capacitance bridge circuit 14.
  • the bridge circuit is made up of a pair of reference voltage dividing capacitors 16 and 18 which are connected in series between the input terminal 20 of the bridge circuit and ground.
  • the bridge circuit also comprises a test voltage divider including the capacitor 22 and the capacitance to ground of the sensing element 12, which are connected electrically in series between the input terminal 20 and ground. A trimmer capacitor 24 is connected in parallel with the capacitance to ground of the sensing element 12.
  • the bridge is excited by an oscillator 26 having an output suitably in the range of 100 kilohertz connected to the input terminal 20 of the bridge circuit 14.
  • the sensing element 12 will exhibit an electrical capacitance in the order of a few picofarads in a normal condition, i.e. when there is no extraneous object such as an operator's hand in the zone between the element 12 and the table 10, and when all of the machine components are in proper position in the vicinity of the sensing element 12.
  • the intrusion of an operator's hand into the guarded zone may cause the capacitance to ground of the sensing element 12 to change by a fraction of a picofarad or by as much as several picofarads depending upon the degree of intrusion and the sensitivity of the particular installation.
  • the capacitors 22 and 16 of the bridge circuit are of substantially equal value and suitably on the order of a few hundred picofarads in value.
  • the capacitor 18 is selected to approximately match the capacitance value of the capacitance to ground of sensing element 12 and the shunt trimmer capacitor 24. Accordingly, the bridge may be balanced by adjustment of the capacitor 24.
  • With the guarded zone in normal or safe condition the bridge circuit 14 is balanced by the adjustment of trimmer capacitor 24.
  • the output of the bridge circuit taken between the voltage divider terminals 28 and 30 is applied to a differential amplifier 32.
  • In the normal condition of the guarded zone the bridge will be balanced and the output voltage will be zero.
  • Under intrusion conditions, i.e. an object inserted in the guarded zone, the bridge circuit will be unbalanced and the output voltage applied to the differential amplifier 32 will be of one phase relative to the reference phase of the oscillator and when an object which is normally within the guarded zone is withdrawn therefrom, the bridge will be unbalanced in the opposite sense and the output voltage will be of a different phase relative to the reference phase of the oscillator.
  • the output of the differential amplifier 32 is applied to one input of a demodulator 34 which receives the output of the oscillator 26 at its reference input.
  • the demodulator 34 produces an output DC voltage of positive polarity when the input from the differential amplifier 32 is of the same phase as the oscillator voltage and produces a negative DC voltage when the input from the amplifier 32 is of opposite phase from the oscillator voltage.
  • the output of the demodulator is zero when the bridge is balanced.
  • the output of the demodulator 34 is applied to the input of a differential amplifier 36 which produces an output voltage P having a polarity and magnitude depending upon the sense and extent of variation of the capacitance to ground of the sensing element 12 and hence the direction and extent of unbalance of the bridge circuit 14.
  • the differential amplifier 32 is adapted to receive command or simulated condition signals at its offset input terminals.
  • a high command signal may be applied to one offset input terminal and a low command signal may be applied to another offset input terminal.
  • the high command signal is adapted to simulate the unbalance of the bridge circuit 14 by intrusion of an object in the guarded zone and hence the differential amplifier 32 applies an input to the demodulator 34 which produces an output voltage P of positive polarity from the differential amplifier 36.
  • the low command signal is adapted to simulate the unbalance of the bridge circuit 14 by withdrawal of an object from the guarded zone and hence the output of the differential amplifier 32 causes the demodulator 34 and the differential amplifier 36 to produce an output voltage P of negative polarity.
  • the condition signal P is applied to one input of a high detect operational amplifier 40 and to one input of a low detect operational amplifier 42.
  • the other input of the amplifier 40 is an offset bias input for sensitivity adjustment and will be discussed subsequently.
  • the other input of the amplifier 42 is also an offset bias input for adjustment of sensitivity to object withdrawal from the guarded zone as will be discussed subsequently.
  • the operational amplifiers 40 and 42 are adapted to provide logic level signals, either "1" or "0", depending upon the value and polarity of the condition signal P.
  • When the signal P has a value of zero both operational amplifiers 40 and 42 will produce a "1" output; when the signal P is positive in polarity corresponding to a high value of capacitance signifying an intrusion, the operational amplifier 40 will produce a "0" output and the operational amplifier 42 will produce a "1" output; and when the condition signal P has a negative polarity the amplifier 40 will produce a "1" output and the amplifier 42 will produce a "0" output.
  • the combination of the outputs of the amplifiers 40 and 42 is capable of signifying the three distinctive conditions of the guarded zone as being normal, high (capacitance) and low (capacitance) respectively.
  • control and self-checking circuits 44 comprise a logic section 46 which accepts the logic level signals from the operational amplifiers 40 and 42.
  • the logic section 46 is supplied with clock signals from a timing section 48 and produces control or data signals for a set of flip-flops 52, 54, 56, 58 and 60.
  • the flip-flops are caused to assume respective states indicative of conditions during normal operation and self-checking operation of the system, and the outputs thereof are supplied to a driver gate section 62.
  • the outputs of the driver gate section are supplied respectively to an upper relay driver 64 and a lower relay driver 66, which are adapted to control the energization of the respective relays 68 and 70.
  • the switching contacts of the relays 68 and 70 are operative to exercise supervisory control over the machine which is under surveillance by the system. Additionally, the condition of the switching contacts of the relays 68 and 70 is monitored by a relay hangup circuit 72 which has an output connected with the logic section 46.
  • control and self-checking circuits 44 will be described in greater detail subsequently; at this point a brief description of system operation will be given with reference to FIG. 1.
  • the operational amplifiers 40 and 42 will develop a digital "1" output which is applied to the logic section 46 of the control and self-checking circuits 44.
  • the timing section 48 is adapted to cause the system to operate in a cyclical manner with the system operated in three distinct modes or time slots during each cycle of operation.
  • each cycle comprises an operate mode, a high test mode and a low test mode, suitably in that order.
  • the presence sensing section is operative for the purpose of determining the condition in the guarded zone, i.e. whether the condition is normal (which would result from no change in the guarded zone), high capacitance (which might result from an intrusion into the guarded zone), or low capacitance (which might result from a withdrawal from the guarded zone).
  • the condition signal P will be of zero value or positive polarity or negative polarity corresponding to the normal, high (capacitance), or low (capacitance) conditions respectively and the operational amplifiers 40 and 42 will produce logic level signals indicative of the existing condition.
  • the logic section 46 responds to the logical input signal and controls the state of the flip-flops 52, 54, 56, 58 and 60 which in turn control the driver gates 62 and the energization of the drivers 64 and 66 and the respective relays 68 and 70.
  • control and self-checking circuits 44 are effective to hold the relays 68 and 70 in an energized condition which through the operation of the switching contacts thereof allows the machine under surveillance to be operated, i.e. signifies a safe or no-alarm condition in the guarded zone. If the condition signal P should become positive during the operate mode signifying an intrusion, the logic section 46 will cause a change of state of the flip-flops 56, 58 and 60 which through the driver gate 62 will cause both relays 68 and 70 to be deenergized to disable the machine under surveillance from operation.
  • the logic section 46 will cause the flip-flops 56, 58 and 60 to undergo a corresponding change of state and the driver gate section 62 will cause both relays 68 and 70 to be deenergized to disable the machine or indicate an unsafe or alarm condition.
  • the flip-flops 56, 58 and 60 will be returned to their normal state in readiness for the subsequent test modes.
  • the timing section 48 causes an offset low command signal to be applied to the differential amplifier 32 which is effective to simulate a low condition and thus cause the condition signal P to assume a negative polarity. Also during the low test period the timing section 48 causes the flip-flops 52 and 54 to be conditioned for responding to the output of the logic section 46 which, if operating properly, must be indicative of a low condition signal. If so, the flip-flops 52 and 54 will not change state and the driver gate section 62 and drivers 64 and 66 will be unchanged and the relays 68 and 70 will remain energized.
  • the flip-flops 52 and 54 will undergo a change of state and the driver gate section 62 will cause the relays 68 and 70 to be deenergized which disables the machine and causes an alarm.
  • a high offset command signal is applied under the control of the timing section 48 to the differential amplifier 32. Consequently the condition signal P becomes positive and logic signals corresponding thereto are applied by the operational amplifiers 40 and 42 to the input of the logic section 46. If there is no malfunction in the system the output of the logic section 46 will correspond to a high condition in the guarded zone.
  • the flip-flops 52 and 54 which are conditioned for operation by the timing section 48 will not undergo a change of state and the driver gate section 62 will allow the relays 68 and 70 to remain energized. If, however, there is a malfunction, the output of the logic section 46 will cause the flip-flops 52 and 54 to undergo a change of state and the driver gate section 62 will respond thereto and cause deenergization of the relays 68 and 70 to thereby stop the machine. It is to be noted that in the event during either the low test or high test mode the flip-flops 52 and 54 are caused to change state, they are locked in the changed state to hold the relays 68 and 70 deenergized until they are manually unlocked by a reset switch or the like. This ensures that the machine will be disabled and the alarm condition indicated until manual intervention is provided.
  • the relay hangup circuit 72 is connected between selected switching contacts and the logic section 46.
  • the hangup circuit 72 is adapted to cause the machine to be disabled in case one relay is on and the other is off. This condition might be caused by relay failure, such as sticking contacts or by failure in the logic circuits which would cause one of a set of redundant logic circuits to operate differently from the other.
  • the hangup circuit 72 is effective to hold both relays 68 and 70 deenergized until there is manual intervention as by operation of a reset switch. In the event the timing section stops working the entire system is shut down after a given time delay and manual reset is required before the machine under surveillance can be operated.
  • FIGS. 2a, 2b and 2c taken together form a composite diagram of the control and self-checking circuits 44.
  • the interconnections of these FIGURES are indicated by the grouped conductors which, for convenience, are extended to terminals at the margin of the respective sheets.
  • the terminals on one sheet are identified by reference characters which are identical to the corresponding terminals on the adjoining sheet.
  • the operational amplifiers 40 and 42 which receive the condition signal P from the sensing section will be referred to as the high detect amplifier and the low detect amplifier respectively in accordance with the function they perform.
  • the condition signal P is applied through an input resistor 80 to one input of the amplifier.
  • a preset voltage or bias is derived from a potentiometer 82 and applied to the other input of the amplifier 40.
  • the preset voltage is suitably adjustable by the user in order to determine the sensitivity of the system to intrusion. For a given installation of a machine it is desirable to have the sensitivity as low as possible to avoid response to passing equipment while having enough sensitivity to ensure response to any undesirable intrusion into the guarded zone.
  • the amplifier 40 is a differential amplifier and compares the signal P with the preset voltage. If P is not more positive than the preset voltage a binary "1" is produced which is called the not-high state. If P is more positive a binary "0" is produced and corresponds to the high state.
  • the output of the high detect amplifier 40 is applied across a voltage divider network 84 to reduce the voltage to a logic level voltage for application to the succeeding logic circuits.
  • the condition signal P is applied through the resistor 80 to one input of the low detect amplifier 42 and a preset voltage is applied by a fixed voltage divider network 86 to the other input of the amplifier 42 to establish the lower switching threshold of the system.
  • the amplifier 42 functions as a differential amplifier and compares the condition signal P with the preset voltage and produces a logical output "1" when the magnitude of P is not more negative than the magnitude of the preset voltage which is referred to as the not-low state.
  • the amplifier 42 produces a logical output "0" which is referred to as the low state.
  • the output of the low detect amplifier 42 is applied across a voltage divider network 88 to reduce it to a logic level voltage for application to the control and self-checking circuits 44.
  • control and self-checking circuits comprise several different stages which will be referred to generally before each is described in detail.
  • the logic level signals from the operational amplifiers 40 and 42 are applied to the operation mode flip-flops directly and through an operation mode gate 202. These flip-flops and other logic circuits in the system are operated under the control of a clock 104.
  • the logic level signals from the operational amplifiers 40 and 42 are also applied to self-check mode gates 106, which in turn are connected to the self-check logic circuits 108 which have their outputs connected to the self-check flip-flops 110.
  • the outputs of the operation mode flip-flops 100 and the self-check mode flip-flops 110 are applied to driver gates 112 which in turn have their inputs connected with the driver stages 114.
  • the driver stages control energization of the controller 116 which is adapted to exercise control over the machine under surveillance.
  • a controller monitor or hangup circuit 118 is interposed between the controller 116 and the driver gates 112.
  • a failure lockup stage 120 is connected to the outputs of the self-check mode flip-flops 110 and controls certain of the clock signals to cause the controller to operate in the event of a bad test.
  • the timing section or clock 104 comprises a voltage source of reference frequency suitably of 60 hz and of relatively low voltage such as 12 volts.
  • the voltage source 130 is connected across a half-wave rectifier 132 which shunts the negative half-cycles to ground.
  • the positive half-cycle pulses of the rectifier 132 are applied to the input of a monostable or one-shot multivibrator 134.
  • the one-shot multivibrator turns on in response to the leading edge of the positive input pulses and produces a train of output pulses, each of which is approximately 50 microseconds duration with a pulse repetition rate of 60 pulses per second. This relationship is shown in FIG. 3 wherein the reference frequency from the source 130 is shown as waveform 136.
  • the output of the one-shot multivibrator 134 is shown as a train of timing pulses 138.
  • the timing pulses 138 are applied through a conductor 140 to the clock input of the first flip-flop 142 which produces a Q output comprising a train of pulses 144 which have a binary "1" level and a duration T.
  • the flip-flop 142 also provides a Q-not (Q̄) output comprising a train of pulses 146 of binary "1" during the odd-numbered timing intervals of the one-shot multivibrator pulses 138.
  • the Q-not pulses 146 of the multivibrator 142 are applied to the clock input of a second flip-flop 150.
  • the Q output of the flip-flop 150 is a train of operate time pulses 152 of binary "1" which have a pulse duration of 2T commencing with the alternate Q-not pulses 146.
  • the operate time pulses 152 from the Q output are applied through a conductor 154 to the operate mode flip-flops 100, as will be described below.
  • the second flip-flop 150 also produces a Q-not output which comprises a train of test pulses 156 of binary "1" as shown in FIG. 3.
  • the pulses 156 are of duration of 2T and commence with alternate Q-not pulses 146 from the flip-flop 142. Accordingly, the operate pulses 152 and the test pulses 156 are of equal duration and occupy alternate time intervals.
  • the Q-not output of the flip-flop 150 is applied through a conductor 158 to one input of an AND gate 160 which has its other input connected through a conductor 162 to the Q-not output of the flip-flop 142. Accordingly, the AND gate 160 responds to the test time pulse 156 and the Q-not pulse 146, as shown in FIG.
  • the Q-not output of the flip-flop 150 is also applied to one input of an AND gate 166 which has its other input connected via conductor 168 to the output of the flip-flop 142.
  • the AND gate 166 responds to the Q output pulses 144 of flip-flop 142 and the test time pulses 156 from the second flip-flop 150. Accordingly, the AND gate 166 produces a train of high test time pulses 170 of binary "1" and of duration T during the coincidence of pulses 144 and 156.
  • the output pulses 170 of the AND gate 166 are applied through a conductor 172 to certain inputs of the self-check logic circuits 108, as will be described presently.
  • the clock 104 establishes cyclical operation of the system with each cycle comprising an operate time pulse 152 and a test time pulse 156.
  • During the operate time pulse 152 the system is caused to function in an operate mode in which it responds to the signal P from the presence sensing section previously described.
  • During the test time pulse 156 the system is caused to function in a self-checking mode, as will be described later. It is noted that a complete cycle of operation, including the operate mode and the test mode, has a period of 4T where T is the period of a 60 hz reference voltage and the cyclic rate of the system is l hz.
  • the operate time pulse 152 has a duration of about 32 milliseconds and the test time pulse 156 has a duration of about 32 milliseconds. It is further observed that the test mode which is executed during the test time pulse 156 is subdivided into a low test mode during the pulse 163 and a high test mode during the pulse 170. Each of the test modes thus has a duration of T and is executed in a time interval of approximately 16 milliseconds and at a repetition rate of times per second.
  • a pair of clock AND gates 174 and 176 are provided with one input of each connected with the Q-not output of the flip-flop 150 through the conductor 158.
  • the other inputs of the clock AND gates 174 and 176 are connected through conductor 140 to the output of the one-shot multivibrator 134. Accordingly, as shown in FIG. 3, the AND gates 174 and 176 respond to the test time pulses 156 and the one-shot pulses 138 and each produces a train of clock pulses 178 of binary "1", each occurring during coincidence of the pulses 138 and 156.
  • the pulses are paired with one of each pair occurring at the beginning of the low test time pulse 163 and the other of each pair occurring at the beginning of each high test time pulse 170.
  • the train of clock pulses 178 from the AND gate 174 is applied through a conductor 180 to one of the self-check mode flip-flops 110.
  • the train of clock pulses 178 produced by the AND gate 176 is applied through a conductor 182 to the other of the self-check mode flip-flops 110.
  • the set of three bistable multivibrators or flip-flops 56, 58 and 60 respectively are connected to the outputs of the operational amplifiers 40 and 42.
  • Each of the flip-flops is provided with a data input D, a clock input C, a Q output and a Q-not output, and in some cases a flip-flop may be provided with a reset input R.
  • the flip-flop 60 labelled as the "low" flip-flop has its data input connected through a conductor 196 to the output of the low detect operational amplifier 42.
  • the flip-flop 58 labelled as the "high" flip-flop has its data input connected through a conductor 198 to the output of the high detect operational amplifier 40.
  • the flip-flop 56 labelled high-low flip-flop is responsive to the combined outputs of the low detect amplifier 42 and the high detect amplifier 40.
  • the outputs of the high and low detect amplifiers on conductors 198 and 196 respectively are applied to the inputs of an AND gate 202, which has its output connected through a conductor 204 to the data input of the flip-flop 56.
  • the operate time pulse 152 is applied to the clock inputs of each of the flip-flops 56, 58 and 60 via conductor 154 from the clock 104. Accordingly, during the operate mode each of the outputs of the flip-flops 56, 58 and 60 assume a binary state in accordance with the binary state of the data input.
  • a warning lamp in the form of a light emitting diode 206 is connected with the Q-not output of the low flip-flop 60.
  • a warning lamp in the form of light emitting diode 208 is connected with the Q-not output of the high flip-flop 58.
  • a negative feedback signal is provided from the Q-not output of the high flip-flop 58.
  • the Q-not output is connected through voltage divider resistors 210 and 212 to the O output of the low flip-flop 60 and the feedback conductor 214 is connected from the junction of the resistors to the preset input of the high detect amplifier 40.
  • the remaining binary signal outputs from the flip-flops 56, 58 and 60 are for use in determining the state of the controller 116 and will be described subsequently.
  • the self-check gates 106, logic circuits 108 and flip-flops are provided. It will be recalled that the self-check mode is initiated and terminated by clock control and, more particularly, as described with reference to FIGS. 2a and 2b, the clock 104 causes the self-check mode to occur during the test time pulses 156.
  • the self-check mode is divided into two time intervals corresponding to the low test pulses 163 and the high test pulses 170, as shown in FIG. 3.
  • the low test pulse is supplied by the clock 104 on conductor 164 to the terminal 220 (FIG. 2a) and thence as shown in FIG.
  • the low test signal is applied to one offset input of the differential amplifier 32.
  • This low test signal simulates a low (capacitance) condition of the bridge circuit 14 corresponding to a withdrawal condition and consequently, through the demodulator 34 and differential amplifier 36, produces a signal P of negative polarity at the input of the detection amplifiers 40 and 42.
  • the clock 104 produces the high test pulse 170 on the conductor 172 which is applied to the terminal 222 (FIG. 2a).
  • this high test signal is applied to an offset input of the differential amplifier 32 and simulates a high (capacitance) signal from the bridge circuit 14 corresponding to an intrusion condition.
  • the differential amplifier 32, demodulator 34 and differential amplifier 36 produce a condition signal P of positive polarity which is applied to the detection amplifiers 40 and 42.
  • the self-check gates 106 comprise an upper NAND gate 224 and a lower NAND gate 226.
  • the NAND gate 224 has one input connected with the output of the high detect amplifier 40 and the lower NAND gate 226 has one input connected with the output of the low detect amplifier 42.
  • the other inputs of the NAND gates are connected through a conductor 228 to the Q output of the high-low flip-flop 56. This connection causes the gates 224 and 226 to close after the occurrence of a high or a low signal during the operate mode but otherwise to remain open.
  • the NAND gates 224 and 226 control the inputs to the self-check logic circuits 108.
  • the self-check logic circuits 108 comprise upper logic circuits including a high test NAND gate 230, a low test NAND gate 232 and a NOR gate 234.
  • the high test NAND gate 230 has one input connected with the output of the NAND gate 224 and the other input connected with the high test signal on conductor 172.
  • the low test NAND gate 232 has one input connected with the output of the lower NAND gate 226 and the other input connected with the low test signal on conductor 164.
  • the NOR gate 234 has one input connected with the output of the high test NAND gate 230 and the other input connected with the output of the low test NAND gate 232.
  • the self-check logic circuits 108 also comprise lower logic circuits including a high test NAND gate 236, a low test NAND gate 238 and a lower NOR gate 240.
  • the high test NAND gate 236 has one input connected with the output of the NAND gate 224 and the other input connected with the high test signal on conductor 172.
  • the lower NAND gate 238 has one input connected with the output of NAND gate 226 and the other input connected with the low test signal on conductor 164.
  • the lower NOR gate 240 has one input connected with the output of the NAND gate 236 and the other input connected with the output of the NAND gate 238.
  • the self-check flip-flops 110 are connected to the outputs of the self-check mode logic circuits 108 and to the clock 104.
  • the self-check flip-flops include an upper flip-flop 52 and a lower flip-flop 54.
  • the upper flip-flop 52 has its data input connected with the output of the NOR gate 234 and its clock input is connected through the conductor 182 to the output of the clock AND gate 176 (FIG. 2b).
  • the Q output of the flip-flop 52 is connected through a conductor 242 to one input of a first failure lockup AND gate 244 and to one input of a second failure lockup AND gate 246. The remaining connections for the failure lockup AND gates 244 and 246 will be described presently.
  • the lower self-check flip-flop 54 has its data input connected with the output of the NOR gate 240 and its clock input is connected through a conductor 180 to the output of the clock AND gate 174.
  • the Q output of the flip-flop 54 is connected through a conductor 248 to the other input of the failure lockup AND gate 244 and the other input of the failure lockup AND gate 246.
  • the AND gate 244 has its output connected to the output of the clock AND gate 176.
  • the output of the AND gate 246 is connected with the output of the clock AND gate 174.
  • the upper self-check flip-flop 52 and the lower self-check flip-flop 54 provide logic signals at the Q outputs thereof which are effective through the drive gates 112 and the drivers 114 to determine the state of the controller 116, as will be described presently.
  • a one-shot multivibrator 260 has its input connected with the clock 104 through a conductor 262.
  • the conductor 262 is connected with the Q-not output of the second flip-flop 150 and thus the operate time pulses 152 are applied therethrough to the input of the one-shot multivibrator 260.
  • Upon receiving an input signal of binary "1" the one-shot multivibrator produces an output signal of binary "1" and will continue to do so until the multivibrator times out, at which time the output thereof switches to binary "0".
  • the one-shot multivibrator 260 has a period such that it will time-out after a lapse of time which is somewhat greater than the period between leading edges of the operate time pulses 152.
  • the multivibrator 260 is desirably set to time out at about 100 milliseconds.
  • the output of the multivibrator 260 is connected through a conductor 264 to the clear (CLR) inputs of the flip-flops 142 and 150 of the clock 104 to ensure the proper starting state.
  • the output of the multivibrator 260 is also applied through the conductor 264 to the reset input (R) of the high flip-flop 58 and the low flip-flop 60 and also to the preset (P) inputs of the self-check flip-flops 52 and 54.
  • the one-shot multivibrator 260 also serves to monitor operation of the clock 104. In the event the clock should fail in any manner which would result in loss of operate time pulses 152, the multivibrator 260 would time-out and produce a binary "0" at its output. The manner in which this kind of failure affects the controller 116 and interrupts or prevents operation of the machine will be described subsequently.
  • a manual reset circuit comprises a manual switch 266 which is normally open between ground and the junction of voltage divider resistors 268 and 270.
  • the junction of the voltage divider resistors is normally at a positive voltage and is connected to the reset input of the one-shot multivibrator 260. Accordingly, when the switch 266 is manually closed and reopened, the reset pulse is applied to the one-shot multivibrator 260.
  • For the purposes of calibrating or testing the sensing section of the system, a meter circuit is provided.
  • the meter circuit comprises a series resistor 272, an ammeter 274 and a switch 276.
  • the meter circuit is connected between the output of the differential amplifier 36 (FIG. 1) and ground and hence when the switch 276 is closed the condition voltage P is connected thereacross. Accordingly, the meter 274 will indicate the polarity and magnitude of the condition voltage P for purposes of calibration and test.
  • the driver gates 112 and drivers 114 are provided.
  • the driver gates 112 include a pair of upper driver AND gates 280 and 282 and a pair of lower driver AND gates 284 and 286.
  • the upper AND gate 280 has one input connected with the Q output of the self-check flip-flop 52 through a conductor 288.
  • the other input of the AND gate 280 is connected through a conductor 290 and the conductor 264 to the output of the reset circuit multivibrator 260.
  • the upper AND gate 282 has one input connected through a conductor 292 to the Q output of the high-low flip-flop 56.
  • the other input of the AND gate 282 is connected through a conductor 294 to the output of the controller monitor or hangup circuit 118, which will be described subsequently.
  • the lower AND gate 284 has one input connected through a conductor 296 to the Q output of the self-check mode flip-flop 54.
  • the other input of the AND gate 284 is connected through a conductor 298 and conductor 294 to the output of the controller monitor or relay hangup circuit 118, which will be described later.
  • the lower AND gate 286 has one input connected through a conductor 302 to the Q output of the high flip-flop 58.
  • the other input of the AND gate 286 is connected through a conductor 304 to the Q output of the low flip-flop 60.
  • the driver gates 112 control the energization of the drivers 114 which, as will be seen subsequently, control the energization of the controller 116.
  • the drivers 114 comprise an upper driver transistor 310 and a lower driver transistor 312.
  • the upper driver transistor 310 has its base connected with an input circuit which includes voltage divider resistors 316, 318 and 320 which are serially connected between a source of positive voltage and ground. The base is connected to the junction 322 of the voltage divider resistors and the outputs of the upper AND gates 280 and 282 are connected to the junction 324 of the divider resistors 316 and 318.
  • the base of the transistor 310 is held at positive voltage so long as both AND gates 280 and 282 have an output signal of binary "1", but the base of transistor 310 is at ground voltage when either of the AND gates is switched to binary "0".
  • the lower driver transistor 312 has its base connected with an input circuit including voltage divider resistors 326, 328 and 330. The base is connected to the junction 332 of the voltage divider resistors and the outputs of the lower AND gates 284 and 286 are connected to the junction 334 of the divider resistors 326 and 328. Accordingly, the base of transistor 312 is at a positive voltage when the output signals of both AND gates 284 and 286 are at binary "1" but the base voltage is at ground when the output of either of the AND circuits is at binary "0".
  • the output circuit of the driver transistor 310 extending between the collector and emitter is connected to the input of the controller 116 through a resistor 336.
  • the output circuit of the transistor 312 extending between its collector and emitter is connected to another input of the controller 116 through a resistor 338.
  • the controller 116 will be described subsequently.
  • the controller 116 comprises a pair of control relays 350 and 352.
  • the relay 350 comprises an energizing winding 354 which is connected across a voltage source through the output circuit of the driver transistor 310.
  • a diode 356 is connected across the winding 354 to short circuit the inductive switching voltages from the winding and thus protect the transistors in the circuit.
  • the relay 350 comprises a pair of single pole double-throw switches 358 and 360.
  • the relay 352 comprises an energizing winding 362 which is connected across the voltage source through the output circuit of the driver transistor 312.
  • a protective diode 364 is connected across the winding 362.
  • the relay 352 also includes a pair of single pole double-throw switches 366 and 368.
  • the switches 358 and 366 are utilized as control switches for the purpose of energizing or deenergizing control circuits in the machine under surveillance.
  • the controller is provided with a set of normally open output terminals 370 and a set of normally closed output terminals 372.
  • the normal condition of the relays 350 and 352 is the condition in which both relays are energized by the drivers 310 and 312. With both relays energized the switches are in the condition shown in the drawing and when the relays are deenergized the respective switches move to the opposite position.
  • the normally open terminals 370 may be connected in series with an alarm circuit of the machine which will remain deenergized so long as the relays remain in the normal condition. Switching of the relays from the normal condition, however, would have the effect of energizing the alarm and deenergizing the clutch to disable the machine.
  • Self-checking of the relays 350 and 352 is provided by utilization of the switches 360 and 368 of the respective relays 350 and 352.
  • When both of the relays are operating correctly the switches thereof will always be in the same relative positions, i.e. the armatures and hence movable contacts of both will either be in the upper position or in the lower position. If they are "out of step", i.e. with armatures in opposite positions, the reason will be either that one relay has failed or that one of the redundant logic circuits described above is not working like the other. In either case, there is a failure condition and the relays 350 and 352 should both be shut down or deenergized and locked up in that condition until being manually reset.
  • the controller monitor or hangup circuit 118 is provided in the circuit between the switches 360 and 368 and selected inputs of the driver gates 112.
  • This monitor circuit comprises a transistor 380 which has its output circuit between collector and emitter connected through a resistor 382 and across a supply voltage source.
  • the input of the transistor between base and emitter includes a pair of voltage dividing resistors 384 and 386 in series with a timing capacitor 388.
  • the upper terminal of the resistor 384 is connected to the positive terminal of a regulated voltage source and the lower terminal of the capacitor 388 is connected to the negative terminal of an unregulated voltage source, both sources having a common reference potential.
  • the junction of resistors 384 and 386 is connected directly to the base of the transistor 380.
  • the junction of the resistor 386 and capacitor 388 is connected through a pair of diodes 390 and 392 in parallel in the manner of a diode OR circuit.
  • the cathode of diode 390 is connected through a conductor 394 to the lower switch contact of the switch 360 and the cathode of diode 392 is connected through a conductor 396 to the upper contact of the switch 368.
  • the movable contacts of the switches 360 and 368 are directly connected together.
  • the upper contact of switch 360 and the lower contact of switch 368 are also connected together and are connected through a conductor 398 to the negative terminal of a voltage source which has its positive terminal connected to ground.
  • the controller monitor or hangup circuit 118 further comprises the connection of the output of the transistor 380 to a failure flip-flop 402. More specifically, the resistor 404 is connected across the emitter and collector of the transistor 380 and in series with the resistor 382 across the voltage source. The junction of the resistors 382 and 404 is connected through a conductor 406 to the inverted set input of the failure flip-flop 402. The reset input of the flip-flop 402 is connected through the conductor 264 to the output of the one-shot multivibrator 260. When the flip-flop 402 is reset with a binary "1" the Q output thereof is binary "1" and is supplied through a conductor 294, as previously described, to one input of the AND gates 282 and 284.
  • the flip-flop 402 produces a binary "0" at its Q-not output.
  • When the inverted set input of the flip-flop 402 receives a binary "0" the flip-flop changes state and the Q output goes to binary "0" and the Q-not output goes to binary "1".
  • the Q-not output is connected across a signal lamp which takes the form of a light emitting diode 408 to signify the occurrence of a failure.
  • a first signal lamp 412 is connected between the upper contact of switch 368 and ground.
  • the green signal lamp 412 is lighted.
  • a second signal lamp 414 is connected between the lower contact of switch 360 and ground.
  • When the condition signal P from the differential amplifier 36 is zero, indicating a normal condition, as detected by the sensing section, the relays 350 and 352 of the controller 116 will both be energized (assuming no system failure) and the switches will be in the upper position as shown. In this condition the diode 392 is connected through conductor 396 to the switch 368 and thence through the switch 360 and conductor 398 to the negative terminal of the voltage source which has its other terminal returned to ground. Consequently, the diode 392 is biased in the forward direction and the capacitor 388 is discharged so that the voltage at the base of the transistor 380 is insufficient to switch the transistor on.
  • When the sensor section produces a condition signal P, which is of positive value, indicating an intrusion into the guarded zone, both relays 350 and 352 will be deenergized (assuming no system failures). Similarly, in the event of a low (capacitance) condition in the guarded zone which produces a condition signal P of negative value, the relays 350 and 352 will both be deenergized (assuming no system failures). Thus with either a high or a low condition signal the switches of the relays 354 and 362 will all be in the lower position. In this condition the diode 390 will be connected through the conductor 394, the switch 360, switch 368 and conductor 398 to the negative terminal of the voltage source.
  • the diode 390 is biased in the forward direction and the capacitor 388 is discharged therethrough so that the transistor 380 is maintained in the off condition.
  • With transistor 380 off the voltage at the collector thereof and on the conductor 406 is at binary "1" and consequently the state of the failure flip-flop 402 remains unchanged, i.e. the Q output is binary "1" and the Q-not output is binary "0". In this condition of the switches in the controller the signal lamp 414 is connected through the switch 360, the switch 368 and the conductor 398 to the negative terminal of the voltage source and thus the red signal lamp is energized.
  • Presence Sensing Section has been described adequately under the heading Presence Sensing Section and General Description of Operation. Suffice it to say at this point that the condition signal P at the output of the differential amplifier 36 is of zero value when the guarded zone is in normal condition, is of negative value when an object is withdrawn from the guarded zone, and is of positive value when an object intrudes into the guarded zone.
  • the condition signal P should be of negative value and when a high test command signal is applied to the amplifier 32 under clock control, the condition signal P should be of positive value.
  • the condition signal P is applied to the inputs of the high detect and low detect amplifiers 40 and 42 respectively which provide logic signals, either binary "1" or binary "0", depending upon the value and polarity of the condition signal P.
  • FIG. 4 shows in tabular form the logic signals from the high and low detect amplifiers for the five different conditions in the presence sensing section.
  • the first column identifies the conditions by number and the first three conditions correspond to the operate mode of the system, while the fourth and fifth conditions correspond to the test mode of the system. In the first condition the condition signal P is of zero value and hence the state of the high detect amplifier is "not high" and the state of the low detect amplifier is "not low".
  • condition signal P is of negative value corresponding to withdrawal of an object from the guarded zone.
  • the high detect amplifier is in a not high state and the output thereof is binary "1".
  • the low detect amplifier is in a low state and the output thereof is at binary "0".
  • condition signal P is of positive value and the output of the high detect and low detect amplifiers is just the opposite of that for the condition number 2.
  • In condition number 4, which is the low test mode, the condition signal P is of negative value and the output of the high and low detect amplifiers is the same as condition number 2.
  • Condition number 5 is the high test mode and the condition signal P should have a positive value and the high and low detect amplifiers should have the same state and outputs as condition number 3.
  • the table of FIG. 4 sets forth the outputs of the high and low detect amplifiers for the five different conditions only when the system is operating properly, i.e. there are no system failures.
  • the control and self-checking section 44 is operative to detect a failure in the presence sensing section which causes outputs from the high and low detect amplifiers different from those indicated in the table of FIG. 4 for the same input condition.
  • the control and self-checking section is capable of detecting malfunction in the control and self-checking circuits themselves which would cause the controller 116 to respond erroneously to a given set of outputs from the high and low detect amplifiers 40 and 42.
  • Each box contains a one or a zero corresponding respectively to binary "1" and binary "0". A given box at the output of one stage in the system shows the logic state of that stage which exists when the box in the corresponding position in the row for any other stage has a logic state as indicated by the binary "1" or "0" contained therein.
  • the notation uses five different boxes which, when taken in succession from left to right, correspond to the five different conditions shown in the table of FIG. 4.
  • the "state" boxes for the various stages are identified with the output thereof by lead lines and the use of separate reference characters on the state boxes is avoided.
  • condition number 1. This condition represents a normal condition of the presence sensing section, i.e. the bridge is balanced and the condition signal P is of zero value.
  • the high detect amplifier 40 produces an output of binary "1" (leftmost box) and the low detect amplifier 42 produces an output of binary "1" (leftmost box).
  • Reference to the timing diagram of FIG. 3 shows that the operate mode, during which condition number 1 occurs, extends throughout the time interval of one of the operate pulses 152. From the Q output of the flip-flop 150 in the clock 104 the operate pulses are applied over a conductor 154 to the clock inputs of the operate mode flip-flops 56, 58 and 60.
  • the output of the high detect amplifier 40 is applied to one input of the upper NAND gate 224 and the output of the low detect amplifier 42 is applied to one input of the lower NAND gate 226.
  • the other input of each of the gates 224 and 226 is connected through a conductor 228 to the Q output of the high-low flip-flop 56.
  • the Q output of this flip-flop is in a state determined by the output of the AND gate 202 which has its inputs connected respectively to the outputs of the high and low detect amplifiers 40 and 42.
  • the output of the AND gate 202 is a binary "1" and this is applied to the data input of the flip-flop 56 and causes its Q output to be a binary "1".
  • the output states of the upper and lower NAND gates 224 and 226 are caused to be binary "0", as indicated in the leftmost squares of the state boxes thereof.
  • These NAND gates 224 and 226 constitute the self-check gates 106 which in turn control the states of the self-check logic circuits 108 and the self-check mode flip-flops 110, which may be termed the self-check channel.
  • the self-check channel just mentioned is ineffective to influence the condition of the controller 116, assuming that the self-check channel itself does not malfunction.
  • the other inputs of the high test NAND gates 230 and 236 are connected through conductor 172 to the high test AND gate of the clock 104, which has a binary 0 output during the operate mode.
  • the clock signals on the NAND gates 230, 232, 236 and 238 are binary "0" and thus the outputs will all be binary "1" as shown in the first of the state boxes corresponding thereto. Consequently the NOR circuit 234 which receives the output of the NAND circuits 230 and 232 will produce an output of binary "0".
  • the NOR circuit 240 will produce an output of binary "0".
  • the NOR circuit 234 is connected with the data input of the flip-flop 52 and the output of NOR circuit 240 is connected with the data input of the flip-flop 54.
  • the state of the flip-flops 52 and 54 was preset by the binary "1" signal on conductor 264 from the output of the one-shot multivibrator 260 when the system was first energized.
  • the binary "0" signals at the data inputs of the flip-flops 52 and 54 will be ineffective to change the state of the flip-flops and the Q outputs thereof are at binary "1", as shown by the respective state boxes.
  • the input to the upper drive gate 280 on conductor 288 is binary "1" and the input to the lower drive gate 284 on conductor 296 is binary "1".
  • the other input to the upper drive gate 280 is also a binary "1" which is the reset signal on conductor 264 which is derived from the one-shot multivibrator 260.
  • the output of the upper drive gate 280 is a binary "1".
  • the other input to the lower drive gate 284 is a binary "1" in the form of the Q output of the failure flip-flop 402. This Q output is maintained as a binary "1" so long as there is no failure as signified by the relays 350 and 352 being out of step.
  • the lower drive gate 284 produces a binary "1" output while the upper drive gate 280 produces a binary "1" output as mentioned above.
  • the self-checking channel up to the point of upper drive gate 280 and lower drive gate 284 will always produce a binary "1" output at the input to the drivers 310 and 312 during the operate mode condition number 1, assuming there is no malfunction in the self-check channel itself.
  • the state of the drivers 310 and 312 and the controller 116 during the operate mode condition number 1 will be determined by the state of the operate mode flip-flops 56, 58 and 60 and the upper drive gate 282 and the lower drive gate 286 which will be termed the control channel.
  • the output of the high detect amplifier 40 is binary "1" which is applied through conductor 198 to the data input of the high flip-flop 58. Consequently, the Q-not output of the flip-flop 58 is binary "0" and the Q output thereof is binary "1".
  • the Q-not output is fed back through conductor 214 to the input of the high detect amplifier 40 to help hold the output at binary "1" and thus stabilize the switching thereof.
  • the output of the low detect amplifier 42 is a binary "1" which is applied through a conductor 196 to the data input of the low flip-flop 60.
  • This causes the Q-not output of the flip-flop 60 to be binary "0" and the Q output to be binary "1".
  • both high flip-flop 58 and low flip-flop 60 have binary "1" outputs which are applied through conductors 302 and 304 to the respective inputs of the lower driver gate 286 (see FIG. 2c). This causes the AND gate 286 to produce a binary "1" output.
  • the outputs of the high detect amplifier 40 and the low detect amplifier 42 are applied to the respective inputs of the high-low AND gate 202 and since both are binary "1" the output of the AND gate is a binary "1".
  • This output is applied to the data input of the high-low flip-flop 56 which, as mentioned above, causes its Q output to produce a binary "1".
  • This binary "1" is applied through conductor 292 to one input of the upper driver gate 282 (see FIG. 2c).
  • the other input of the driver gate 282 is a binary "1" from the failure flip-flop 402.
  • the upper driver gate 282 and the lower driver gate 286 in the control channel both produce a binary "1" output for condition number 1, and as previously described, the upper driver gate 280 and the lower driver gate 284 in the self-check channel produce a binary "1" output for condition number 1, assuming there are no malfunctions in either channel.
  • In condition number 1 both driver transistors 310 and 312 and the relays 350 and 352 are energized causing the respective switches thereof to be held in the positions shown in FIG. 2c.
  • the circuit between output terminals 370 is open and the circuit between the normally closed output terminals 372 is closed.
  • the diode 392 in the hangup circuit 118 is conductive and the transistor 380 is turned off and the failure flip-flop 402 remains unaffected and its Q output produces a binary "1".
  • the signal lamp 412 is lighted signifying a safe condition.
  • condition number 2, i.e. a low (capacitance) condition which may be produced by withdrawal of an object from the guarded zone.
  • the output of the high detect amplifier 40 is binary "1" and the output of the low detect amplifier 42 is a binary "0". It is observed that these outputs are both applied to the respective inputs of the high-low gate 202 which produces a binary 0 output.
  • This output is applied to the data input of the high-low flip-flop 56 and the Q output thereof is binary 0.
  • the Q output of flip-flop 56 is supplied through a conductor 228 to one input of the self-check upper NAND gate 224 and the self-check lower NAND gate 226.
  • the binary 1 output thereof is applied through a conductor 198 to the data input of the high flip-flop 58. This causes the Q-not output thereof to remain at binary 0 and the Q output thereof remains at binary 1.
  • This Q output is applied to one input of the lower driver gate 286 through conductor 302.
  • the low detect amplifier in condition number 2 produces a binary "0" output which is applied through a conductor 196 to the data input of the low flip-flop 60.
  • the Q-not output thereof is switched to binary "1" and the low signal lamp 206 is lighted.
  • the Q output of the low flip-flop 60 is switched to binary 0 and applied through conductor 304 to the other input of the lower driver gate 286.
  • the high-low flip-flop 56 receives a binary "0" at its data input and the Q output is switched to binary "0".
  • This output signal is applied through a conductor 292 to one input of the upper driver gate 282.
  • the other input of driver gate 282 is a binary "1" taken from the Q output of the failure flip-flop 402. Consequently, the output of the upper driver gate 282 is binary "0" and the driver transistor 310 is switched off. Consequently the relay 350 is deenergized. With both relays 350 and 352 deenergized the respective switches thereof are all in the lower position; as a result the normally open circuit between the terminals 370 is closed and the normally closed circuit between the terminals 372 is opened.
  • the diode 390 is conductive and the transistor 380 is turned off and the failure flip-flop 402 maintains the Q output at binary "1". Furthermore, in this condition of the relays the signal lamp 414 is lighted to signify a hazardous condition.
  • the controller with the system in condition number 2 is effective to disable the machine and/or energize an alarm signifying the hazardous condition resulting from a low (capacitance) condition in the presence sensing section.
  • condition signal P will have a positive value.
  • the high detect amplifier will produce a binary "0" and the low detect amplifier will produce a binary "1".
  • In condition number 3 the self-check channel from the self-check gates 224 and 226 through the upper driver gate 280 and lower driver gate 284 will be in the same logical states as for condition number 2.
  • condition number 3 will change the logical states of the control channel by changing the state of the high flip-flop 58 and the low flip-flop 60.
  • the high-low flip-flop 56 will remain in the same condition as in the previous state number 2.
  • In condition number 3 the upper driver gate 282 will produce a binary "0" output and the lower driver gate 286 will produce a binary "0" output and both driver transistors 310 and 312 will be turned off as in condition number 2.
  • Both relays 350 and 352 will be deenergized and the normally open circuit between terminals 370 will be closed and the normally closed circuit between terminals 372 will be opened.
  • the signal lamp 414 will be energized and the hangup circuit 118 will be in the same state as in condition number 2.
  • condition number 3 corresponding to an intrusion or high (capacitance) will be effective to disable the machine.
  • the operate mode, i.e. the time slot or duration of the operate pulses 152 from the Q output of the flip-flop 150 and the clock 104.
  • the test mode portion of the cycle which extends for the duration of the pulses 156, produced by the Q-not output of the flip-flop 150 in the clock 104.
  • the test mode is divided into a low test time slot during pulses 163 and a high test time slot during pulses 170, which occur in that time sequence.
  • condition signal P of negative value results from a command signal produced by the AND circuit 160 of the clock 104.
  • the command signal is also the low test timing signal supplied through the conductor 164 to the terminal 220 (see FIG. As shown in FIG. 1 the low test terminal 220 is applied to an input of a differential amplifier 32 and as previously described, simulates a presence sensing signal which produces a condition signal P of negative value. Consequently, as indicated in the table of FIG. 4, the high detect amplifier produces a binary "1" output and the low detect amplifier produces a binary "0" output.
  • the Q outputs of the flip-flops 52 and 54 are both maintained at binary "1" as indicated in the state boxes at position number 4, and accordingly the upper driver gate 280 and the lower driver gate 284 maintain a binary 1 output.
  • the high detect amplifier and low detect amplifier outputs are the same for the low test mode as in the case of the operate mode with low capacitance (condition number 2).
  • the state of the operate mode flip-flops 56, 58 and 60 will be the same as in condition number 1 since no operate mode clock pulse is produced on conductor 154.
  • Therefore, the upper driver gate 282 and the lower driver gate 286 will be in the same state for condition number 4, i.e. the low test mode, as for condition number 1 of the operate mode. Consequently, the conditions of driver transistors 310 and 312, relays 350 and 352, and the controller 116 will be the same as that described for condition number 1, and the hangup circuit 118 will also be the same.
  • the presence sensing section will be in condition number 5, as depicted in the table of FIG. 4.
  • This mode occurs during the high test pulse 170, which is produced by the AND gate 166 of the clock 104.
  • the high test timing pulse is applied through a conductor 172 to the terminal 222 (see FIG. 2a).
  • the terminal 222 in turn is connected to one output of the differential amplifier 32 (see FIG. 1).
  • This timing signal is also a command signal for the differential amplifier to effectively simulate a high (capacitance) or intrusion signal. Consequently, it produces a condition signal P having a positive value.
  • the high detect amplifier produces a binary "0" output and the low detect amplifier produces a binary "1" output.
  • the state boxes at position number 5 in the self-check channel show the states of the respective stages.
  • the condition of the flip-flops 58 and 60 is the same as that of condition number 4 and the high-low flip-flop 56 is in the same condition as that of condition number 4.
  • the controller 116 and the hangup circuit 118 are in the same condition as described with reference to condition number 4.
  • any number of malfunctions may occur in either the presence detection section or the control and self-check section and the self-checking section will be effective to operate the controller 116 so as to disable the machine and lock the controller in such condition until a manual reset switch 266 is operated.
  • a typical failure which may occur is the grounding of the output of the differential amplifier 36 so that the condition signal P is zero at all times. If this should occur during the high test portion of the cycle the operation of the circuits would be as follows. During the high test portion of the cycle the states of the various stages will differ from those states indicated in the state boxes in position number 5 because of the malfunction. The low detect amplifier will produce a binary "1" output and the high detect amplifier will also produce a binary "1" output. Consequently the high-low gate 202 will produce a binary "1" which is applied to the data input of the high-low flip-flop 56 and the Q output thereof will be a binary "1" which is applied to inputs of the upper and lower NAND gates 224 and 226 respectively.
  • the outputs of the high and low detect amplifiers are also applied to the inputs of the upper and lower NAND gates and accordingly the outputs of the gates 224 and 226 are both binary "0".
  • the high test timing pulses 170 are applied to the inputs of the NAND gate 230 and the NAND gate 236. Consequently these NAND gates both have the outputs of binary "1".
  • the NAND gates 232 and 238 both receive respective inputs of binary 0 from the NAND gate 226. They also receive binary "0" inputs from the conductor 164 which is connected with the low time AND gate in the clock. As a result the NAND gates 232 and 238 both produce a binary "1" output.
  • the occurrence of a failure condition not only causes the controller to be deenergized during the test portion of the cycle, but it also causes the controller to be locked in that condition to prevent machine operation until the failure condition is cleared and the manual reset switch 266 is operated.
  • This lockup feature is provided by connecting the Q output of the flip-flop 52 through the conductor 242 to one input of the failure lockup AND gate 244 and to one input of the failure lockup AND gate 246.
  • the Q output of flip-flop 54 is applied through the conductor 248 to the other input of the failure lockup AND gate 244 and to the other input of the failure lockup AND gate 246.
  • the AND gate 244 produces a binary 0 output and the clock AND gate 176 is disabled thereby and the clock pulses 178 from clock 176 are terminated and the flip-flop 52 is locked in the state with a binary 0 at its Q output.
  • the AND gate 246 produces a binary "0" output and the clock AND gate 174 is disabled terminating the clock pulses supplied on conductor 180 to flip-flop 54 and thus the flip-flop 54 is locked in the state with a binary "0" at its Q output.
  • With the self-checking flip-flops 52 and 54 locked in the off condition and the controller thus held deenergized, the machine is held thereby in a disabled condition until the failure condition is eliminated. Then upon actuation of the manual reset switch 266 the one-shot multivibrator 260 will produce a reset pulse on conductor 264, which is applied to all of the flip-flop stages and causes the flip-flops 52 and 54 through the preset inputs to be switched to produce a binary "1" at their respective Q outputs.
  • a failure condition is indicated.
  • the failure condition will be either a relay malfunction or a failure of one redundant logic circuit to work like the other.
  • the relay hangup circuit 118 responds thereto and transistor 380 is turned on and a binary 0 pulse is applied through a conductor 406 to the inverting set input of the failure flip-flop 402. This switches the flip-flop so that the Q output thereof produces a binary "0" which is applied to one input of the upper driver gate 282 and the lower driver gate 284. Consequently, both driver transistors 310 and 312 are switched off and both relays are deenergized.
  • the Q-not output of flip-flop 402 is switched to a binary "1" and the failure lamp 408 is energized.
  • the flip-flop 402 will remain in the failure indicating state until the failure condition is eliminated and the manual reset switch 266 is actuated to reset the flip-flop 402.
  • the system is operative to detect a change such as the intrusion or withdrawal of an object in the guarded zone and to disable machine operation so long as the condition exists. For example, if the machine operator places his hand in the guarded zone the machine operation is stopped but will be restored as soon as the operator's hand is removed. In the event of a malfunction in the system the self-checking channel thereof is effective to detect the same and to disable operation of the machine. Failure detection results in lockup of the controller so that the machine operation cannot be restored until the failure is remedied and the manual reset switch is actuated. Operation of the system is cyclical with each cycle comprising an operate portion and a test portion.
  • the system is adapted to detect the condition of the guarded zone and if it is normal the controller is not actuated. If there is an intrusion into the guarded zone or a withdrawal therefrom the controller operates to disable the machine as mentioned above.
  • the test portion of the cycle is divided into a high test mode and a low test mode, during which high and low command or simulation signals respectively are injected into the system. If the response of the system differs from what it should be with the known condition signals, a failure is indicated and the controller is actuated to disable the machine.
  • a presence detection system of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means having an output adapted to produce a reference signal when said zone is in a normal condition and an intrusion signal when an object intrudes into said zone, and control means having an input connected with the output of said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to an intrusion signal to cause actuation of said controller and responsive to a reference signal to cause deactuation thereof, the improvement comprising; self-checking means including timing means, command signal means cyclically operated by the timing means and connected with an input of said control circuit for periodically applying a simulated intrusion signal thereto, said self-checking means also including a logic means having an input connected with a selected point of the control circuit to determine whether a simulated intrusion signal applied to the control circuit is operative to produce a predetermined signal at the selected point in the control circuit during
  • control circuit includes first and second control channels, the first channel being connected between the sensing means and a first relay means, the second control channel being connected between the sensing means and a second relay means, said controller comprising said first and second relay means, said first and second channels being redundantly related to each other for causing said first and second relay means to be actuated and deactuated together in response to a signal from the sensing means, monitor means connected with said first and second relay means and having an output producing a logic level voltage state indicative of malfunction in one of said channels, said gate means having said another input connected with the output of said monitor means.
  • monitor means connected with said controller and having an output which produces, in the absence of a malfunction of said controller, a first logic level voltage state indicative of the state that said self-check bistable element should assume in the absence of a malfunction of said control circuit and which produces, in case of a malfunction of said controller, a second logic level voltage whereby said controller is actuated in response to a malfunction in either said control circuit or said controller.
  • monitor means connected with said timing means and having an output which produces, in the absence of a malfunction of said timing means, a first logic level voltage state indicative of the state that said self-check bistable element should assume in the absence of a malfunction of said control circuit and which produces, in case of a malfunction of said timing means, a second logic level voltage whereby said controller is actuated in response to a malfunction in either said control circuit or said timing means.
  • a presence detection system of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means having an output adapted to produce a reference signal when said zone is in a normal condition and an intrusion signal when an object intrudes into said zone, and control means having an input connected with the output of said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to an intrusion signal to cause actuation of said controller and responsive to a reference signal to cause deactuation thereof, the improvement comprising; self-checking means including timing means, command signal means cyclically operated by the timing means and connected with an input of said control circuit for periodically applying a simulated intrusion signal thereto, said self-checking means also including a logic means having an input connected with a selected point of the control circuit to determine whether a simulated intrusion signal applied to the control circuit is operative to produce a predetermined signal at the selected point in the control circuit during the occurrence
  • said controller includes at least one normally energized relay means, said control circuit being adapted to connect the relay means to a power supply to deactuate the controller whereby the controller is actuated in the event of failure of the power supply.
  • lockup means connected with said logic means and being operative to hold said controller in actuated condition when said logic means determines that said predetermined signal is not produced by said simulated intrusion signal.
  • said logic means includes at least one self-check bistable element which assumes one state in response to said simulated intrusion signal in the absence of a malfunction, said bistable element having an output connected with said controller and being ineffective to cause actuation thereof in said one state and effective to cause actuation in the other state, and lockup means connected with said self-check bistable element and being operative in response to the other state for holding it in said other state thereby holding said controller in the actuated condition.
  • the invention as defined in claim 8 including a manually operated reset circuit connected with the self-check bistable element for resetting the same to its other state.
  • timing means causes switching of the first and second disabling means at a rate such that the control circuit is disabled for less time during each cycle of operation than that required for the occurrence of a predetermined degree of intrusion.
  • timing means causes switching of the first and second disabling means such that the control circuit and the logic means are alternately disabled for substantially equal time intervals, the frequency of alternation being at least several times per second.
  • a safety system for controlling a machine the system being of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means being adapted to produce a reference signal when said zone is in a normal condition, an intrusion signal when an object intrudes into said zone and a withdrawal signal when an object is withdrawn from said zone, and control means connected with said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to either an intrusion signal or a withdrawal signal to cause actuation of said controller and responsive to a reference signal to cause deactuation of said controller, the improvement comprising; self-checking means including timing means, command signal means adapted to produce a simulated intrusion signal and a simulated withdrawal signal and being connected with an input of said control circuit, said self-checking means also including logic means having an input connected with a selected point of the control circuit, said logic means having an output connected with said controller for causing actuation thereof,
  • said logic means includes an intrusion signal test channel and a withdrawal signal test channel, said timing means being connected with said intrusion signal test channel for enabling operation thereof during the simulated intrusion signal, said timing means also being connected with said withdrawal signal test channel for enabling operation thereof during the simulated withdrawal signal.
  • said logic means includes first and second self-checking bistable elements, the first bistable element being adapted to assume one state in response to a simulated intrusion signal in the absence of a malfunction, the first bistable element having its input operatively connected with the output of both of said test channels and having its output connected with said controller, said first bistable elements being ineffective to cause actuation of said controller in said one state and effective to cause actuation in the other state, the second bistable element being adapted to assume one state in response to a simulated withdrawal signal in the absence of a malfunction, the second bistable element having its input operatively connected with the output of both of said test channels and having its output connected with said controller, said second bistable element being ineffective to cause actuation of said controller in said one state and effective to cause actuation in the other state.

Abstract

A presence sensing system provided with self-checking operation is disclosed. The system is especially adapted for use in a control system for machines to ensure safe operation thereof. The system comprises a presence sensing section capable of producing output signals indicative of normal, intrusion, and withdrawal conditions in the guarded zone of the machine. A control system comprising a control channel and a self-checking channel responds to the output signals of the sensing section and controls the condition of a controller, which in turn is adapted to interrupt machine operation. The control channel and the self-checking channel are both implemented in binary logic. The system is operated under the control of timing means which causes cyclic operation with each cycle divided into separate time slots, one for a testing mode of operation and one for a condition sensing mode of operation. The testing mode time slot is subdivided into plural time slots, each corresponding to a particular test of the system.

Description

Dow et al.
PRESENCE SENSING AND SELF-CHECKING CONTROL SYSTEM
[75] Inventors: Frederick J. T. Dow, Wolfeboro Falls, N.H.; Dudley B. Hartung, Somerville, Mass.
[73] Assignee: Xenex Corporation, Woburn, Mass.
[22] Filed: Jan. 29, 1973
[21] Appl. No.: 327,384
[52] U.S. Cl. 317/123; 317/DIG. 2; 340/248 R; 340/258 C; 340/411
[51] Int. Cl. H01h 47/00
[58] Field of Search 317/DIG. 1, DIG. 2, 146; 340/258 B, 258 C, 411, 248 R; 307/117
[56] References Cited
UNITED STATES PATENTS
3,543,260 11/1970 Engh 340/258 B
3,680,069 7/1972 Newmann et al. 340/411
3,737,744 6/1973 Bader, Jr. 317/DIG. 2
3,764,860 10/1973 Scheda 317/146
[45] May 27, 1975
Primary Examiner: J. D. Miller
Assistant Examiner: Harry E. Moose, Jr.
Attorney, Agent, or Firm: Reising, Ethington & Perry
14 Claims, 6 Drawing Figures

PRESENCE SENSING AND SELF-CHECKING CONTROL SYSTEM

This invention relates to condition responsive apparatus such as presence detecting systems and, more particularly, to an improvement which provides assurance that the apparatus will not appear to be operating properly if there is in fact a malfunction therein.
BACKGROUND OF THE INVENTION

In certain forms of condition responsive systems such as those adapted for detecting the presence of objects, reliability in operation is of great importance. However, absolute reliability cannot be achieved in practice and, therefore, it becomes important to provide means responsive to a malfunction to provide a suitable warning or interruption of the system operation. It would be especially desirable to provide warning or interruption when the malfunction is of the kind which produces false condition responsive signals or the failure of the system to produce condition responsive signals while it appears that the system is operating properly. A particular example of such a need is presence sensing systems which are adapted for use on machines to provide a warning or interruption of machine operation when a dangerous operating condition exists. A typical application is industrial machines such as punch presses, wherein machine operation is interrupted if the operator's hand or another object intrudes into the area of the machine which would cause injury. Such presence sensing systems have heretofore been devised which are capable of exercising some supervisory control over the machine in response to a change of objects present in the guarded zone, i.e. either an intrusion or the removal of an object.
In the prior art condition responsive systems it is common practice to provide some form of failsafe feature and, also, some form of malfunction detection or self-checking by the system itself. As to self-checking, however, the prior art has failed to provide a system which ensures that the condition sensing is reliable at all times during operation or, alternatively, provides warning or interruption at any time when there is malfunction which would produce false response.
SUMMARY OF THE INVENTION

In accordance with this invention, a condition responsive system is provided with self-checking means capable of ensuring that no false condition responsive operation will occur. In general, this is provided by a test mode of operation prior to each condition responsive mode of operation to ensure reliable operation before the condition responsive mode is allowed to proceed. Also, according to the invention, the system may be adapted to sense plural conditions and provide a distinctive response thereto and in such a system the self-checking means operates to test for proper response to each of the plural conditions prior to the condition responsive mode of operation. This is accomplished by means which causes operation of the system in a cyclical manner with plural time slots in each cycle allocated to respectively different modes of operation. Basically, the system is operated under the control of timing means which provides high frequency cyclical operation with each cycle divided into a test mode and a condition sensing or operate mode. The timing means provides for the application of simulated condition signals during the test mode and the self-checking means determines whether the control means of the system produces a response corresponding to the simulated signal. If so, the operation proceeds to the condition responsive mode; otherwise the self-checking means is operative to arrest the operation of the system in the intermediate part of the cycle so that the control means is not allowed to function in the condition responsive mode until the malfunction has been eliminated. Where the system is adapted to respond to plural distinctive conditions, the timing means provides plural time slots within the test mode time slot and causes the sequential application of plural simulated condition signals. Thus the system operation cannot proceed in the condition sensing mode unless it is functional to respond to each of the plural conditions.
Further, in accordance with the invention, a safety control system for machines using a presence sensing system is provided with the aforementioned self-checking feature to assure interruption of the machine in case of a malfunction. This is accomplished by providing a digital supervisory control system for the machine which responds to signals produced by a presence sensing subsystem. The digital control system comprises a control channel and a self-checking channel which are implemented in binary logic and which coact, together with a controller, to allow machine operation only when a safe condition exists and when there is no malfunction in the sensing section or the control section. To provide the highest degree of reliability the self-checking system is provided with certain redundancy in design and, further, failsafe features are incorporated in the system.
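The test-then-operate cycle and the failure lockup described above can be modelled in software. The following is an added illustration, not part of the patent: the thresholds, signal magnitudes and all names are assumptions, and only the detector truth values (normal 1/1, withdrawal 1/0, intrusion 0/1) and the grounded-output failure are taken from the description.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed window on the condition signal P (arbitrary units, not from the patent).
P_LOW, P_HIGH = -1.0, 1.0
# Assumed magnitudes of the simulated (command) signals injected in the test slots.
SIM_LOW, SIM_HIGH = -5.0, 5.0

# (high_detect, low_detect) pairs as given in the description of FIG. 4.
NORMAL, WITHDRAWAL, INTRUSION = (1, 1), (1, 0), (0, 1)


def detect(p: float) -> Tuple[int, int]:
    """Window detector: high goes to 0 on positive P, low goes to 0 on negative P."""
    high = 0 if p > P_HIGH else 1
    low = 0 if p < P_LOW else 1
    return (high, low)


@dataclass
class SelfCheckingController:
    # Hypothetical fault hook: a function applied to P before detection.
    fault: Optional[Callable[[float], float]] = None
    failure_latched: bool = False
    machine_enabled: bool = False
    failed_tests: List[str] = field(default_factory=list)

    def _sense(self, p: float) -> Tuple[int, int]:
        if self.fault is not None:
            p = self.fault(p)
        return detect(p)

    def cycle(self, zone_p: float) -> bool:
        """One cycle: low test slot, high test slot, then the operate slot."""
        # Test mode. Assumption: the injected signal replaces the zone signal.
        for name, sim, expected in (("low", SIM_LOW, WITHDRAWAL),
                                    ("high", SIM_HIGH, INTRUSION)):
            if self._sense(sim) != expected:
                self.failure_latched = True      # lockup: only a reset clears it
                self.failed_tests.append(name)
        # Operate mode. A latched failure overrides whatever the sensor reports.
        if self.failure_latched:
            self.machine_enabled = False
        else:
            self.machine_enabled = self._sense(zone_p) == NORMAL
        return self.machine_enabled

    def manual_reset(self) -> None:
        """Manual reset switch: clears the latch; a live fault re-latches next cycle."""
        self.failure_latched = False
        self.failed_tests.clear()


def run_scenario() -> List[Tuple[str, bool]]:
    """Constructed sequence of zone conditions and one injected fault."""
    c = SelfCheckingController()
    log = [("normal zone", c.cycle(0.0)),
           ("hand in zone", c.cycle(3.0)),
           ("hand removed, no reset needed", c.cycle(0.0))]
    c.fault = lambda p: 0.0                      # amplifier output grounded: P is 0
    log.append(("grounded output, hand in zone", c.cycle(3.0)))
    c.fault = None                               # fault repaired
    log.append(("repaired but not reset", c.cycle(0.0)))
    c.manual_reset()
    log.append(("after manual reset", c.cycle(0.0)))
    return log


if __name__ == "__main__":
    for label, enabled in run_scenario():
        print(f"{label:32s} machine {'enabled' if enabled else 'DISABLED'}")
```

With the output grounded the detectors read 1/1, which is the normal pattern, so a controller without the test slots would keep the machine running with a hand in the zone; the injected signals are what expose the fault.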
A more complete understanding of this invention may be obtained from the detailed description that follows, taken with the accompanying drawings in which:
FIG. 1 is a block diagram of the inventive system;
FIGS. 2a, 2b and 2c together constitute a diagram of the control system;
FIG. 3 is a timing diagram; and,
FIG. 4 is a tabular presentation representing certain operation conditions for purposes of explanation.
SYSTEM DESCRIPTION

Referring now to the drawings, there is shown an illustrative embodiment of the invention in a safety device for machines and more particularly a presence detection device which will prevent or stop machine operation when an object such as a person's hand is extended into a guarded zone. As discussed above, the sensing and control system is provided with self-checking and failsafe arrangements in order to assure that the system is functionally operative unless it indicates otherwise and to ensure that any failure will itself initiate control measures to prevent or stop machine operation. The presence or intrusion sensing section of the illustrative embodiment utilizes variations in the electrical capacitance of a sensing element to indicate the intrusion or withdrawal of an object from the guarded zone. In general, the output of the presence sensing section is applied to a control and self-checking logic section which in turn exercises some supervisory control over the machine under surveillance such as disabling it or causing an alarm to be energized. It will be appreciated as the description proceeds that the invention may be utilized with other types of presence sensing sections which are capable of producing logic level signals indicative of normal, intrusion and withdrawal conditions. Further, it will be appreciated that the surveillance system of the invention may be applied to any desired zone to be guarded to monitor the changes such as intrusion and withdrawal of objects. Furthermore, it will be appreciated that the self-checking and failsafe system of the invention may be utilized with other condition responsive sensing systems capable of producing logic level signals indicative of two or more states or conditions of a variable quantity.
FIG. 1 shows an illustrative embodiment of the invention in a system specially adapted for the surveillance of a machine tool to protect an operator from injury which would result from placing his hand or other part of his body in a dangerous place on the machine. The machine, such as a punch press, includes a table 10, having a portion adjacent the press platen (not shown) which is to be guarded for protection of the operator.
PRESENCE SENSING SECTION
A sensing element or antenna 12 is disposed in spaced relation above the table 10 and is electrically insulated therefrom. Suitably, the sensing element may take the form of one or more metal tubes extending over the table 10 so that a measurable electrical capacitance is exhibited therebetween. The table 10, as indicated, is electrically connected to ground and the antenna or sensing element 12 is electrically connected through a coaxial conductor as one leg of a capacitance bridge circuit 14. The bridge circuit is made up of a pair of reference voltage dividing capacitors 16 and 18 which are connected in series between the input terminal 20 of the bridge circuit and ground. The bridge circuit also comprises a test voltage divider including the capacitor 22 and the capacitance to ground of the sensing element 12, which are connected electrically in series between the input terminal 20 and ground. A trimmer capacitor 24 is connected in parallel with the capacitance to ground of the sensing element 12. The bridge is excited by an oscillator 26 having an output suitably in the range of 100 kilohertz connected to the input terminal 20 of the bridge circuit 14. In a typical installation the sensing element 12 will exhibit an electrical capacitance in the order of a few picofarads in a normal condition, i.e. when there is no extraneous object such as an operator's hand in the zone between the element 12 and the table 10, and when all of the machine components are in proper position in the vicinity of the sensing element 12. However, the intrusion of an operator's hand into the guarded zone may cause the capacitance to ground of the sensing element 12 to change by a fraction of a picofarad or by as much as several picofarads depending upon the degree of intrusion and the sensitivity of the particular installation.
The capacitors 22 and 16 of the bridge circuit are of substantially equal value and suitably on the order of a few hundred picofarads in value. The capacitor 18 is selected to approximately match the capacitance value of the capacitance to ground of sensing element 12 and the shunt trimmer capacitor 24. Accordingly, the bridge may be balanced by adjustment of the capacitor 24.
With the guarded zone in normal or safe condition the bridge circuit 14 is balanced by the adjustment of trimmer capacitor 24. The output of the bridge circuit taken between the voltage divider terminals 28 and 30 is applied to a differential amplifier 32. In the normal condition of the guarded zone the bridge will be balanced and the output voltage will be zero. Under intrusion conditions, i.e. an object inserted in the guarded zone, the bridge circuit will be unbalanced and the output voltage applied to the differential amplifier 32 will be of one phase relative to the reference phase of the oscillator and when an object which is normally within the guarded zone is withdrawn therefrom, the bridge will be unbalanced in the opposite sense and the output voltage will be of a different phase relative to the reference phase of the oscillator. The output of the differential amplifier 32 is applied to one input of a demodulator 34 which receives the output of the oscillator 26 at its reference input. The demodulator 34 produces an output DC voltage of positive polarity when the input from the differential amplifier 32 is of the same phase as the oscillator voltage and produces a negative DC voltage when the input from the amplifier 32 is of opposite phase from the oscillator voltage. The output of the demodulator is zero when the bridge is balanced. The output of the demodulator 34 is applied to the input of a differential amplifier 36 which produces an output voltage P having a polarity and magnitude depending upon the sense and extent of variation of the capacitance to ground of the sensing element 12 and hence the direction and extent of unbalance of the bridge circuit 14.
For the purpose of affording self-checking operation for the system the differential amplifier 32 is adapted to receive command or simulated condition signals at its offset input terminals. A high command signal may be applied to one offset input terminal and a low command signal may be applied to another offset input terminal. The high command signal is adapted to simulate the unbalance of the bridge circuit 14 by intrusion of an object in the guarded zone and hence the differential amplifier 32 applies an input to the demodulator 34 which produces an output voltage P of positive polarity from the differential amplifier 36. The low command signal is adapted to simulate the unbalance of the bridge circuit 14 by withdrawal of an object from the guarded zone and hence the output of the differential amplifier 32 causes the demodulator 34 and the differential amplifier 36 to produce an output voltage P of negative polarity.
The condition signal P is applied to one input of a high detect operational amplifier 40 and to one input of a low detect operational amplifier 42. The other input of the amplifier 40 is an offset bias input for sensitivity adjustment and will be discussed subsequently. The other input of the amplifier 42 is also an offset bias input for adjustment of sensitivity to object withdrawal from the guarded zone as will be discussed subsequently. The operational amplifiers 40 and 42 are adapted to provide logic level signals, either "1" or "0", depending upon the value and polarity of the condition signal P. When the signal P has a value of zero both operational amplifiers 40 and 42 will produce a "1" output; when the signal P is positive in polarity corresponding to a high value of capacitance signifying an intrusion, the operational amplifier 40 will produce a "0" output and the operational amplifier 42 will produce a "1" output; and when the condition signal P has a negative polarity the amplifier 40 will produce a "1" output and the amplifier 42 will produce a "0" output. Thus the combination of the outputs of the amplifiers 40 and 42 is capable of signifying the three distinctive conditions of the guarded zone as being normal, high (capacitance) and low (capacitance) respectively.
CONTROL AND SELF-CHECKING SECTION
As shown generally in FIG. 1 the logic level outputs of the operational amplifiers 40 and 42 are processed by the control and self-checking circuits 44. These circuits are represented in FIG. 1 in functional block diagram and will be described in detail subsequently. In general, the control and self-checking circuits 44 comprise a logic section 46 which accepts the logic level signals from the operational amplifiers 40 and 42. The logic section 46 is supplied with clock signals from a timing section 48 and produces control or data signals for a set of flip-flops 52, 54, 56, 58 and 60. The flip-flops are caused to assume respective states indicative of conditions during normal operation and self-checking operation of the system, and the outputs thereof are supplied to a driver gate section 62. The outputs of the driver gate section are supplied respectively to an upper relay driver 64 and a lower relay driver 66, which are adapted to control the energization of the respective relays 68 and 70. The switching contacts of the relays 68 and 70 are operative to exercise supervisory control over the machine which is under surveillance by the system. Additionally, the condition of the switching contacts of the relays 68 and 70 is monitored by a relay hangup circuit 72 which has an output connected with the logic section 46.
GENERAL DESCRIPTION OF OPERATION
The control and self-checking circuits 44 will be described in greater detail subsequently; at this point a brief description of system operation will be given with reference to FIG. 1. In the normal condition of the guarded zone in the vicinity of the sensing element 12 and the table the capacitance therebetween will be of such value that the bridge circuit 14 is balanced, and the condition signal P will be of zero value. Accordingly, the operational amplifiers 40 and 42 will develop a digital "1" output which is applied to the logic section 46 of the control and self-checking circuits 44. The timing section 48 is adapted to cause the system to operate in a cyclical manner with the system operated in three distinct modes or time slots during each cycle of operation. In particular, each cycle comprises an operate mode, a high test mode and a low test mode, suitably in that order. During the operate mode of each cycle the presence sensing section is operative for the purpose of determining the condition in the guarded zone, i.e. whether the condition is normal (which would result from no change in the guarded zone), high capacitance (which might result from an intrusion into the guarded zone), or low capacitance (which might result from a withdrawal from the guarded zone). During the operation mode of each cycle the condition signal P will be of zero value or positive polarity or negative polarity corresponding to the normal, high (capacitance), or low (capacitance) conditions respectively and the operational amplifiers 40 and 42 will produce logic level signals indicative of the existing condition. During the operation mode the logic section 46 responds to the logical input signal and controls the state of the flip-flops 52, 54, 56, 58 and 60 which in turn control the driver gates 62 and the energization of the drivers 64 and 66 and the respective relays 68 and 70.
During the operate mode with a normal condition in the guarded zone the control and self-checking circuits 44 are effective to hold the relays 68 and 70 in an energized condition which through the operation of the switching contacts thereof allows the machine under surveillance to be operated, i.e. signifies a safe or no-alarm condition in the guarded zone. If the condition signal P should become positive during the operate mode signifying an intrusion, the logic section 46 will cause a change of state of the flip-flops 56, 58 and 60 which through the driver gate 62 will cause both relays 68 and 70 to be deenergized to disable the machine under surveillance from operation. Similarly, if the condition signal P becomes negative the logic section 46 will cause the flip-flops 56, 58 and 60 to undergo a corresponding change of state and the driver gate section 62 will cause both relays 68 and 70 to be deenergized to disable the machine or indicate an unsafe or alarm condition. When the time period of the operate mode is ended the flip-flops 56, 58 and 60 will be returned to their normal state in readiness for the subsequent test modes.
During the low test mode the timing section 48 causes an offset low command signal to be applied to the differential amplifier 32 which is effective to simulate a low condition and thus cause the condition signal P to assume a negative polarity. Also during the low test period the timing section 48 causes the flip-flops 52 and 54 to be conditioned for responding to the output of the logic section 46 which, if operating properly, must be indicative of a low condition signal. If so, the flip-flops 52 and 54 will not change state and the driver gate section 62 and drivers 64 and 66 will be unchanged and the relays 68 and 70 will remain energized. However if there is malfunction in the system and the logic section 46 fails to produce an output corresponding to a low condition signal, the flip-flops 52 and 54 will undergo a change of state and the driver gate section 62 will cause the relays 68 and 70 to be deenergized which disables the machine and causes an alarm. In a similar manner during the high test mode, a high offset command signal is applied under the control of the timing section 48 to the differential amplifier 32. Consequently the condition signal P becomes positive and logic signals corresponding thereto are applied by the operational amplifiers 40 and 42 to the input of the logic section 46. If there is no malfunction in the system the output of the logic section 46 will correspond to a high condition in the guarded zone. The flip-flops 52 and 54 which are conditioned for operation by the timing section 48 will not undergo a change of state and the driver gate section 62 will allow the relays 68 and 70 to remain energized. If, however, there is a malfunction, the output of the logic section 46 will cause the flip-flops 52 and 54 to undergo a change of state and the driver gate section 62 will respond thereto and cause deenergization of the relays 68 and 70 to thereby stop the machine.
It is to be noted that in the event during either the low test or high test mode the flip-flops 52 and 54 are caused to change state, they are locked in the changed state to hold the relays 68 and 70 deenergized until they are manually unlocked by a reset switch or the like. This ensures that the machine will be disabled and the alarm condition indicated until manual intervention is provided.
In order to check the relays 68 and 70 for proper operation the relay hangup circuit 72 is connected between selected switching contacts and the logic section 46. The hangup circuit 72 is adapted to cause the machine to be disabled in case one relay is on and the other is off. This condition might be caused by relay failure, such as sticking contacts or by failure in the logic circuits which would cause one of a set of redundant logic circuits to operate differently from the other. The hangup circuit 72 is effective to hold both relays 68 and 70 deenergized until there is manual intervention as by operation of a reset switch. In the event the timing section stops working the entire system is shut down after a given time delay and manual reset is required before the machine under surveillance can be operated.
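The following behavioral model is an added illustration, not circuitry or code from the patent. It walks one operate / high test / low test cycle as described above and shows how an injected test command exposes a sensing path that is stuck in the "normal" state, how a failed test or relay disagreement latches until manual reset, and how loss of the clock shuts the system down. The class and function names, the threshold and offset values, the fault names, and the rule that the machine runs only when both relay contacts are closed are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

HIGH_CMD, LOW_CMD = +5.0, -5.0   # constructed offset magnitudes for the test commands
HIGH_THR, LOW_THR = +1.0, -1.0   # constructed detector thresholds

# (high detect 40 output, low detect 42 output) -> zone condition, as in the text
STATE = {(1, 1): "normal", (0, 1): "high", (1, 0): "low"}


def detect(p):
    """Logic levels of high detect amplifier 40 and low detect amplifier 42 for signal P."""
    return (0 if p > HIGH_THR else 1, 0 if p < LOW_THR else 1)


@dataclass
class GuardSystem:
    path_fault: Optional[str] = None    # hypothetical fault: "stuck_zero" or "no_negative"
    welded_relay: Optional[int] = None  # hypothetical fault: relay index with stuck-closed contacts
    lockout: Optional[str] = None       # latched failure reason, cleared only by reset()
    relays: tuple = (False, False)      # contact state of relays 68 and 70

    def signal_p(self, zone, command=0.0):
        """Condition signal P: zone unbalance plus offset command, seen through the faulty path."""
        p = zone + command
        if self.path_fault == "stuck_zero":
            return 0.0
        if self.path_fault == "no_negative":
            return max(p, 0.0)
        return p

    def cycle(self, zone, clock_running=True):
        """Run one operate / high test / low test cycle; return True if the machine may run."""
        if not clock_running and self.lockout is None:
            self.lockout = "clock stopped"           # timing failure shuts the system down
        alarm = False
        if clock_running:
            # Operate mode: respond to the real zone condition. This response is not latched.
            alarm = STATE.get(detect(self.signal_p(zone))) != "normal"
            # Test modes run only when operate mode saw a normal zone (self-check gates open).
            if not alarm and self.lockout is None:
                for command, expected in ((HIGH_CMD, "high"), (LOW_CMD, "low")):
                    if STATE.get(detect(self.signal_p(zone, command))) != expected:
                        self.lockout = f"{expected} test failed"   # latched until reset
                        break
        drive = not alarm and self.lockout is None
        self.relays = tuple(drive or i == self.welded_relay for i in range(2))
        # Relay hangup check: one relay on and the other off is itself a failure.
        if self.relays[0] != self.relays[1] and self.lockout is None:
            self.lockout = "relay hangup"
        return all(self.relays)   # assumption: both contacts must be closed to run

    def reset(self):
        """Manual reset: the only way out of a latched failure."""
        self.lockout = None


if __name__ == "__main__":
    healthy = GuardSystem()
    print("normal zone:", healthy.cycle(0.0), "| intrusion:", healthy.cycle(3.0),
          "| zone cleared:", healthy.cycle(0.0))
    stuck = GuardSystem(path_fault="stuck_zero")
    print("stuck path reads intrusion as:", STATE[detect(stuck.signal_p(3.0))])
    print("stuck path after one cycle:", stuck.cycle(0.0), stuck.lockout)
```

The stuck path reports "normal" for a real intrusion during operate mode, so only the injected high test command reveals the fault; that is the case the self-checking arrangement exists to catch.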
DETAILED DESCRIPTION OF CIRCUITS.
A detailed description of the control and self-checking circuits 44 will now be given with reference to FIGS. 2a, 2b, 2c and FIG. 3. It is noted that FIGS. 2a, 2b and 2c taken together form a composite diagram of the control and self-checking circuits 44. The interconnections of these FIGURES are indicated by the grouped conductors which, for convenience, are extended to terminals at the margin of the respective sheets. The terminals on one sheet are identified by reference characters which are identical to the corresponding terminals on the adjoining sheet.
CONDITION DETECTORS.
Referring now to FIG. 2a, the operational amplifiers 40 and 42 which receive the condition signal P from the sensing section will be referred to as the high detect amplifier and the low detect amplifier respectively in accordance with the function they perform. Referring first to the high detect amplifier 40, the condition signal P is applied through an input resistor 80 to one input of the amplifier. A preset voltage or bias is derived from a potentiometer 82 and applied to the other input of the amplifier 40. The preset voltage is suitably adjustable by the user in order to determine the sensitivity of the system to intrusion. For a given installation of a machine it is desirable to have the sensitivity as low as possible to avoid response to passing equipment while having enough sensitivity to ensure response to any undesirable intrusion into the guarded zone. The amplifier 40 is a differential amplifier and compares the signal P with the preset voltage. If P is not more positive than the preset voltage a binary "1" is produced which is called the not-high state. If P is more positive a binary "0" is produced and corresponds to the high state. The output of the high detect amplifier 40 is applied across a voltage divider network 84 to reduce the voltage to a logic level voltage for application to the succeeding logic circuits. In a similar manner the condition signal P is applied through the resistor 80 to one input of the low detect amplifier 42 and a preset voltage is applied by a fixed voltage divider network 86 to the other input of the amplifier 42 to establish the lower switching threshold of the system. The amplifier 42 functions as a differential amplifier and compares the condition signal P with the preset voltage and produces a logical output "1" when the magnitude of P is not more negative than the magnitude of the preset voltage which is referred to as the not-low state.
When the input voltage to the amplifier 42 from the condition signal P is more negative than the preset voltage from the divider 86, the amplifier 42 produces a logical output "0" which is referred to as the low state. The output of the low detect amplifier 42 is applied across a voltage divider network 88 to reduce it to a logic level voltage for application to the control and self-checking circuits 44.
GENERAL DESCRIPTION OF THE CONTROL AND SELF-CHECKING CIRCUITS.
Referring now to FIGS. 2a, 2b and 2c taken together, the control and self-checking circuits comprise several different stages which will be referred to generally before each is described in detail. The logic level signals from the operational amplifiers 40 and 42 are applied to the operation mode flip-flops directly and through an operation mode gate 202. These flip-flops and other logic circuits in the system are operated under the control of a clock 104. The logic level signals from the operational amplifiers 40 and 42 are also applied to self-check mode gates 106, which in turn are connected to the self-check logic circuits 108 which have their outputs connected to the self-check flip-flops 110. The outputs of the operation mode flip-flops 100 and the self-check mode flip-flops 110 are applied to driver gates 112 which in turn have their inputs connected with the driver stages 114. The driver stages control energization of the controller 116 which is adapted to exercise control over the machine under surveillance. A controller monitor or hangup circuit 118 is interposed between the controller 116 and the driver gates 112. A failure lockup stage 120 is connected to the outputs of the self-check mode flip-flops 110 and controls certain of the clock signals to cause the controller to operate in the event of a bad test.
CLOCK AND TIMING DIAGRAM.
Referring now to FIG. 2b, the timing section or clock 104 comprises a voltage source of reference frequency suitably of 60 hz and of relatively low voltage such as 12 volts. The voltage source 130 is connected across a half-wave rectifier 132 which shunts the negative half-cycles to ground. The positive half-cycle pulses of the rectifier 132 are applied to the input of a monostable or one-shot multivibrator 134. The one-shot multivibrator turns on in response to the leading edge of the positive input pulses and produces a train of output pulses, each of which is approximately 50 microseconds duration with a pulse repetition rate of 60 pulses per second. This relationship is shown in FIG. 3 wherein the reference frequency from the source 130 is shown as waveform 136. The output of the one-shot multivibrator 134 is shown as a train of timing pulses 138. The timing pulses 138 are applied through a conductor 140 to the clock input of the first flip-flop 142 which produces a Q output comprising a train of pulses 144 which have a binary "1" level and a duration T. During the odd-numbered timing intervals between the pulses 138 of the one-shot multivibrator 134 the flip-flop 142 also provides a Q-not (Q̄) output comprising a train of pulses 146 of binary "1" during the odd-numbered timing intervals of the one-shot multivibrator pulses 138. The Q-not pulses 146 of the multivibrator 142 are applied to the clock input of a second flip-flop 150. The Q output of the flip-flop 150 is a train of operate time pulses 152 of binary "1" which have a pulse duration of 2T commencing with the alternate Q-not pulses 146. The operate time pulses 152 from the Q output are applied through a conductor 154 to the operate mode flip-flops 100, as will be described below.
The second flip-flop 150 also produces a Q-not output which comprises a train of test pulses 156 of binary "1" as shown in FIG. 3. The pulses 156 are of duration of 2T and commence with alternate Q-not pulses 146 from the flip-flop 142. Accordingly, the operate pulses 152 and the test pulses 156 are of equal duration and occupy alternate time intervals. The Q-not output of the flip-flop 150 is applied through a conductor 158 to one input of an AND gate 160 which has its other input connected through a conductor 162 to the Q-not output of the flip-flop 142. Accordingly, the AND gate 160 responds to the test time pulse 156 and the Q-not pulse 146, as shown in FIG. 3, to produce a train of low test time pulses 163 of binary "1" having a duration of T during the coincidence of pulses 146 and 156. The low test time pulses 163 are applied by the AND gate 160 through a conductor 164 to the input of certain of the self-checking logic circuits 108 as will be described subsequently.
The Q-not output of the flip-flop 150 is also applied to one input of an AND gate 166 which has its other input connected via conductor 168 to the Q output of the flip-flop 142. As shown in FIG. 3, the AND gate 166 responds to the Q output pulses 144 of flip-flop 142 and the test time pulses 156 from the second flip-flop 150. Accordingly, the AND gate 166 produces a train of high test time pulses 170 of binary "1" and of duration T during the coincidence of pulses 144 and 156. The output pulses 170 of the AND gate 166 are applied through a conductor 172 to certain inputs of the self-check logic circuits 108, as will be described presently.
From inspection of FIG. 3, it is apparent that the clock 104 establishes cyclical operation of the system with each cycle comprising an operate time pulse 152 and a test time pulse 156. During the operate time pulse 152 the system is caused to function in an operate mode in which it responds to the signal P from the presence sensing section previously described. During the test time pulse 156 the system is caused to function in a self-checking mode, as will be described later. It is noted that a complete cycle of operation, including the operate mode and the test mode, has a period of 4T where T is the period of a 60 hz reference voltage and the cyclic rate of the system is l hz. Thus the operate time pulse 152 has a duration of about 32 milliseconds and the test time pulse 156 has a duration of about 32 milliseconds. It is further observed that the test mode which is executed during the test time pulse 156 is subdivided into a low test mode during the pulse 163 and a high test mode during the pulse 170. Each of the test modes thus has a duration of T and is executed in a time interval of approximately 16 milliseconds and at a repetition rate of times per second.
In order to provide clock pulses to the self-check mode flip-flops 110 a pair of clock AND gates 174 and 176 are provided with one input of each connected with the Q-not output of the flip-flop 150 through the conductor 158. The other inputs of the clock AND gates 174 and 176 are connected through conductor 140 to the output of the one-shot multivibrator 134. Accordingly, as shown in FIG. 3, the AND gates 174 and 176 respond to the test time pulses 156 and the one-shot pulses 138 and each produces a train of clock pulses 178 of binary "1", each occurring during coincidence of the pulses 138 and 156. It is noted that in the train of clock pulses 178 the pulses are paired with one of each pair occurring at the beginning of the low test time pulse 163 and the other of each pair occurring at the beginning of each high test time pulse 170. The train of clock pulses 178 from the AND gate 174 is applied through a conductor 180 to one of the self-check mode flip-flops 110. Similarly, the train of clock pulses 178 produced by the AND gate 176 is applied through a conductor 182 to the other of the self-check mode flip-flops 110. The manner in which the timing signals produced by the clock 104 are utilized will be discussed further in connection with the operation of the system.
OPERATE MODE FLIP-FLOPS.
For the purpose of providing logic signals to the controller 116 during the operate mode, the set of three bistable multivibrators or flip-flops 56, 58 and 60 respectively are connected to the outputs of the operational amplifiers 40 and 42. Each of the flip-flops is provided with a data input D, a clock input C, a Q output and a Q-not (Q̄) output, and in some cases a flip-flop may be provided with a reset input R. The flip-flop 60 labelled as the "low" flip-flop has its data input connected through a conductor 196 to the output of the low detect operational amplifier 42. Similarly, the flip-flop 58 labelled as the "high" flip-flop has its data input connected through a conductor 198 to the output of the high detect operational amplifier 40. The flip-flop 56 labelled as the "high-low" flip-flop is responsive to the combined outputs of the low detect amplifier 42 and the high detect amplifier 40. For this purpose the outputs of the high and low detect amplifiers on conductors 198 and 196 respectively are applied to the inputs of an AND gate 202, which has its output connected through a conductor 204 to the data input of the flip-flop 56. During the operate mode of each cycle the operate time pulse 152 is applied to the clock inputs of each of the flip-flops 56, 58 and 60 via conductor 154 from the clock 104. Accordingly, during the operate mode each of the outputs of the flip-flops 56, 58 and 60 assumes a binary state in accordance with the binary state of the data input. In order to indicate the occurrence of a low or negative input signal P a warning lamp in the form of a light emitting diode 206 is connected with the Q-not output of the low flip-flop 60. Similarly, in order to indicate the occurrence of a positive or high input signal P a warning lamp in the form of light emitting diode 208 is connected with the Q-not output of the high flip-flop 58.
Additionally, in order to stabilize the switching due to a positive signal P which exceeds the preset threshold of the high detect amplifier 40, a negative feedback signal is provided from the Q-not output of the high flip-flop 58. The Q-not output is connected through voltage divider resistors 210 and 212 to the Q output of the low flip-flop 60 and the feedback conductor 214 is connected from the junction of the resistors to the preset input of the high detect amplifier 40. The remaining binary signal outputs from the flip-flops 56, 58 and 60 are for use in determining the state of the controller 116 and will be described subsequently.
SELF-CHECK MODE LOGIC AND FLIP-FLOPS.
For the purpose of providing logic signals during the self-check mode to test the operability of the circuits beyond the sensing element 12 and the bridge circuit 14, the self-check gates 106, logic circuits 108 and flip-flops are provided. It will be recalled that the self-check mode is initiated and terminated by clock control and more particularly as described with reference to FIGS. 2a and 2b, the clock 104 causes the self-check mode to occur during the test time pulses 156. The self-check mode is divided into two time intervals corresponding to the low test pulses 163 and the high test pulses 170, as shown in FIG. 3. During the low test mode the low test pulse is supplied by the clock 104 on conductor 164 to the terminal 220 (FIG. 2a) and thence as shown in FIG. 1 the low test signal is applied to one offset input of the differential amplifier 32. This low test signal simulates a low (capacitance) condition of the bridge circuit 14 corresponding to a withdrawal condition and consequently, through the demodulator 34 and differential amplifier 36, produces a signal P of negative polarity at the input of the detection amplifiers 40 and 42. Similarly, during the high test mode the clock 104 produces the high test pulse 170 on the conductor 172 which is applied to the terminal 222 (FIG. 2a). As shown in FIG. 1, this high test signal is applied to an offset input of the differential amplifier 32 and simulates a high (capacitance) signal from the bridge circuit 14 corresponding to an intrusion condition. Accordingly, the differential amplifier 32, demodulator 34 and differential amplifier 36 produce a condition signal P of positive polarity which is applied to the detection amplifiers 40 and 42. Thus, during the self-check mode low test and high test signals are applied successively to the amplifier 32 and the detection amplifiers 40 and 42 produce the logic signals which correspond to the occurrence of withdrawal and intrusion respectively in the guarded zone.
For the purpose of performing the self-checking mode of operation the outputs of the detection amplifiers 40 and 42 are applied through self-check gates 106 to self-check logic circuits 108, which in turn control the state of self-check flip-flops 110. The self-check gates 106 comprise an upper NAND gate 224 and a lower NAND gate 226. The NAND gate 224 has one input connected with the output of the high detect amplifier 40 and the lower NAND gate 226 has one input connected with the output of the low detect amplifier 42. The other inputs of the NAND gates are connected through a conductor 228 to the Q output of the high-low flip-flop 56. This connection causes the gates 224 and 226 to close after the occurrence of a high or a low signal during the operate mode but otherwise to remain open. As mentioned above, the NAND gates 224 and 226 control the inputs to the self-check logic circuits 108.
The self-check logic circuits 108 comprise upper logic circuits including a high test NAND gate 230, a low test NAND gate 232 and a NOR gate 234. The high test NAND gate 230 has one input connected with the output of the NAND gate 224 and the other input connected with the high test signal on conductor 172. The low test NAND gate 232 has one input connected with the output of the lower NAND gate 226 and the other input connected with the low test signal on conductor 164. The NOR gate 234 has one input connected with the output of the high test NAND gate 230 and the other input connected with the output of the low test NAND gate 232.
The self-check logic circuits 108 also comprise lower logic circuits including a high test NAND gate 236, a low test NAND gate 238 and a lower NOR gate 240. The high test NAND gate 236 has one input connected with the output of the NAND gate 224 and the other input connected with the high test signal on conductor 172. The lower NAND gate 238 has one input connected with the output of NAND gate 226 and the other input connected with the low test signal on conductor 164. The lower NOR gate 240 has one input connected with the output of the NAND gate 236 and the other input connected with the output of the NAND gate 238.
For the purpose of providing logic signals to the controller 116 during the self-check mode, the self-check flip-flops 110 are connected to the outputs of the self-check mode logic circuits 108 and to the clock 104. The self-check flip-flops include an upper flip-flop 52 and a lower flip-flop 54. The upper flip-flop 52 has its data input connected with the output of the NOR gate 234 and its clock input is connected through the conductor 182 to the output of the clock AND gate 176 (FIG. 2b). The Q output of the flip-flop 52 is connected through a conductor 242 to one input of a first failure lockup AND gate 244 and to one input of a second failure lockup AND gate 246. The remaining connections for the failure lockup AND gates 244 and 246 will be described presently.
The lower self-check flip-flop 54 has its data input connected with the output of the NOR gate 240 and its clock input is connected through a conductor 180 to the output of the clock AND gate 174. The Q output of the flip-flop 54 is connected through a conductor 248 to the other input of the failure lockup AND gate 244 and the other input of the failure lockup AND gate 246. The AND gate 244 has its output connected to the output of the clock AND gate 176. Similarly, the output of the AND gate 246 is connected with the output of the clock AND gate 174. The upper self-check flip-flop 52 and the lower self-check flip-flop 54 provide logic signals at the Q outputs thereof which are effective through the driver gates 112 and the drivers 114 to determine the state of the controller 116, as will be described presently.
TEST AND RESET CIRCUITS
In order to make certain that the various logic circuits, including the flip-flops and gates, are initially switched to the right state, a one-shot multivibrator 260 has its input connected with the clock 104 through a conductor 262. In particular, the conductor 262 is connected with the Q-not output of the second flip-flop 150 and thus the operate time pulses 152 are applied therethrough to the input of the one-shot multivibrator 260. Upon receiving an input signal of binary "1" the one-shot multivibrator produces an output signal of binary "1" and will continue to do so until the multivibrator times out, at which time the output thereof switches to binary "0". The one-shot multivibrator 260 has a period such that it will time out after a lapse of time which is somewhat greater than the period between leading edges of the operate time pulses 152. In the example described herein, where the operate time pulses 152 and test time pulses 156 are each of a duration of about 32 milliseconds, the multivibrator 260 is desirably set to time out at about 100 milliseconds. The output of the multivibrator 260 is connected through a conductor 264 to the clear (CLR) inputs of the flip-flops 142 and 150 of the clock 104 to ensure the proper starting state. The output of the multivibrator 260 is also applied through the conductor 264 to the reset input (R) of the high flip-flop 58 and the low flip-flop 60 and also to the preset (P) inputs of the self-check flip-flops 52 and 54.
The one-shot multivibrator 260 also serves to monitor operation of the clock 104. In the event the clock should fail in any manner which would result in loss of operate time pulses 152, the multivibrator 260 would time out and produce a binary "0" at its output. The manner in which this kind of failure affects the controller 116 and interrupts or prevents operation of the machine will be described subsequently.
To provide for manual resetting of the one-shot multivibrator 260 and hence the related flip-flops and gates, a manual reset circuit is provided. The reset circuit comprises a manual switch 266 which is normally open between ground and the junction of voltage divider resistors 268 and 270. The junction of the voltage divider resistors is normally at a positive voltage and is connected to the reset input of the one-shot multivibrator 260. Accordingly, when the switch 266 is manually closed and reopened, the reset pulse is applied to the one-shot multivibrator 260.
For the purposes of calibrating or testing the sensing section of the system, a meter circuit is provided. The meter circuit comprises a series resistor 272, an ammeter 274 and a switch 276. The meter circuit is connected between the output of the differential amplifier 36 (FIG. 1) and ground and hence when the switch 276 is closed the condition voltage P is connected thereacross. Accordingly, the meter 274 will indicate the polarity and magnitude of the condition voltage P for purposes of calibration and test.
DRIVER GATES AND DRIVERS.
In order to operate the controller 116 in accordance with the state of the logic circuits, the driver gates 112 and drivers 114 are provided. The driver gates 112 include a pair of upper driver AND gates 280 and 282 and a pair of lower driver AND gates 284 and 286. The upper AND gate 280 has one input connected with the Q output of the self-check flip-flop 52 through a conductor 288. The other input of the AND gate 280 is connected through a conductor 290 and the conductor 264 to the output of the reset circuit multivibrator 260. The upper AND gate 282 has one input connected through a conductor 292 to the Q output of the high-low flip-flop 56. The other input of the AND gate 282 is connected through a conductor 294 to the output of the controller monitor or hangup circuit 118, which will be described subsequently.
The lower AND gate 284 has one input connected through a conductor 296 to the Q output of the self-check mode flip-flop 54. The other input of the AND gate 284 is connected through a conductor 298 and conductor 294 to the output of the controller monitor or relay hangup circuit 118, which will be described later. The lower AND gate 286 has one input connected through a conductor 302 to the Q output of the high flip-flop 58. The other input of the AND gate 286 is connected through a conductor 304 to the Q output of the low flip-flop 60.
The driver gates 112 control the energization of the drivers 114 which, as will be seen subsequently, control the energization of the controller 116. The drivers 114 comprise an upper driver transistor 310 and a lower driver transistor 312. The upper driver transistor 310 has its base connected with an input circuit which includes voltage divider resistors 316, 318 and 320 which are serially connected between a source of positive voltage and ground. The base is connected to the junction 322 of the voltage divider resistors and the outputs of the upper AND gates 280 and 282 are connected to the junction 324 of the divider resistors 316 and 318. Accordingly, the base of the transistor 310 is held at positive voltage so long as both AND gates 280 and 282 have an output signal of binary "1", but the base of transistor 310 is at ground voltage when either of the AND gates is switched to binary "0". Similarly, the lower driver transistor 312 has its base connected with an input circuit including voltage divider resistors 326, 328 and 330. The base is connected to the junction 332 of the voltage divider resistors and the outputs of the lower AND gates 284 and 286 are connected to the junction 334 of the divider resistors 326 and 328. Accordingly, the base of transistor 312 is at a positive voltage when the output signals of both AND gates 284 and 286 are at binary "1", but the base voltage is at ground when the output of either of the AND circuits is at binary "0".
The output circuit of the driver transistor 310 extending between the collector and emitter is connected to the input of the controller 116 through a resistor 336. Similarly, the output circuit of the transistor 312 extending between its collector and emitter is connected to another input of the controller 116 through a resistor 338. The controller 116 will be described subsequently.
THE CONTROLLER
Referring now to FIG. 2c, the controller 116 will be described. The controller as previously mentioned is adapted to respond to logic signals from the control and self-check section and exercise supervisory control for the purpose of ensuring safe operation of the machine under surveillance. The controller 116 comprises a pair of control relays 350 and 352. The relay 350 comprises an energizing winding 354 which is connected across a voltage source through the output circuit of the driver transistor 310. A diode 356 is connected across the winding 354 to short circuit the inductive switching voltages from the winding and thus protect the transistors in the circuit. The relay 350 comprises a pair of single pole double-throw switches 358 and 360. Similarly, the relay 352 comprises an energizing winding 362 which is connected across the voltage source through the output circuit of the driver transistor 312. A protective diode 364 is connected across the winding 362. The relay 352 also includes a pair of single pole double-throw switches 366 and 368.
The switches 358 and 366 are utilized as control switches for the purpose of energizing or deenergizing control circuits in the machine under surveillance. In order to adapt the controller for performing such functions on a given machine, the controller is provided with a set of normally open output terminals 370 and a set of normally closed output terminals 372. In order to provide for failsafe operation the normal condition of the relays 350 and 352 is the condition in which both relays are energized by the drivers 310 and 312. With both relays energized the switches are in the condition shown in the drawing and when the relays are deenergized the respective switches move to the opposite position. As will be seen subsequently, if there should be a failure in the control and self-check section or if there should be a power failure to the relays, one or both of them would be deenergized and would drop out of the normal condition and cause the controller to disable the machine. With the relays in the normal condition the switches 358 and 360 provide an open circuit at the normally open terminals 370. Also in the normal condition the switches 358 and 366 provide a closed circuit between the normally closed terminals 372. (It will be understood that, in a given machine installation, the normally closed terminals 372, for example, may be connected in series with the energizing circuit of the power clutch of the machine, thus permitting machine operation when the relays 350 and 352 are in the normal condition. In such an installation the normally open terminals 370 may be connected in series with an alarm circuit of the machine which will remain deenergized so long as the relays remain in the normal condition. Switching of the relays from the normal condition, however, would have the effect of energizing the alarm and deenergizing the clutch to disable the machine.)
Self-checking of the relays 350 and 352 is provided by utilization of the switches 360 and 368 of the respective relays 350 and 352. When both of the relays are operating correctly the switches thereof will always be in the same relative positions, i.e. the armatures and hence movable contacts of both will either be in the upper position or in the lower position. If they are "out of step", i.e. with armatures in opposite positions, the reason will be either that one relay has failed or that one of the redundant logic circuits described above is not working like the other. In either case, there is a failure condition and the relays 350 and 352 should both be shut down or deenergized and locked up in that condition until being manually reset.
For this purpose the controller monitor or hangup circuit 118 is provided in the circuit between the switches 360 and 368 and selected inputs of the driver gates 112. This monitor circuit comprises a transistor 380 which has its output circuit between collector and emitter connected through a resistor 382 and across a supply voltage source. The input of the transistor between base and emitter includes a pair of voltage dividing resistors 384 and 386 in series with a timing capacitor 388. The upper terminal of the resistor 384 is connected to the positive terminal of a regulated voltage source and the lower terminal of the capacitor 388 is connected to the negative terminal of an unregulated voltage source, both sources having a common reference potential. The junction of resistors 384 and 386 is connected directly to the base of the transistor 380. The junction of the resistor 386 and capacitor 388 is connected through a pair of diodes 390 and 392 in parallel in the manner of a diode OR circuit. Note that the cathode of diode 390 is connected through a conductor 394 to the lower switch contact of the switch 360 and the cathode of diode 392 is connected through a conductor 396 to the upper contact of the switch 368. The movable contacts of the switches 360 and 368 are directly connected together. The upper contact of switch 360 and the lower contact of switch 368 are also connected together and are connected through a conductor 398 to the negative terminal of a voltage source which has its positive terminal connected to ground.
The controller monitor or hangup circuit 118 further comprises the connection of the output of the transistor 380 to a failure flip-flop 402. More specifically, the resistor 404 is connected across the emitter and collector of the transistor 380 and in series with the resistor 382 across the voltage source. The junction of the resistors 382 and 404 is connected through a conductor 406 to the inverted set input of the failure flip-flop 402. The reset input of the flip-flop 402 is connected through the conductor 264 to the output of the one-shot multivibrator 260. When the flip-flop 402 is reset with a binary "1" the Q output thereof is binary "1" and is supplied through a conductor 294, as previously described, to one input of the AND gates 282 and 284. In this condition the flip-flop 402 produces a binary "0" at its Q-not output. When, however, the inverted set input of the flip-flop 402 receives a binary "0" the flip-flop changes state and the Q output goes to binary "0" and the Q-not output goes to binary "1". The Q-not output is connected across a signal lamp which takes the form of a light emitting diode 408 to signify the occurrence of a failure.
In order to provide a visual indication of the state of the controller, a first signal lamp 412, suitably green, is connected between the upper contact of switch 368 and ground. Thus when the controller is in its normal or safe condition, the green signal lamp 412 is lighted. Similarly, a second signal lamp 414, suitably red, is connected between the lower contact of switch 360 and ground. Thus when the relays of the controller 116 are deenergized and the switches 360 and 368 engage the lower contacts, the red signal lamp 414 is energized signifying the existence of a hazardous condition as detected by the sensing section. Thus the machine is disabled by the controller or the alarm is energized. As will be seen subsequently, when neither the signal lamp 412 nor signal lamp 414 is lighted, the relays 350 and 352 have fallen out of step and a failure in the system is signified.
At this point the operation of the relay monitor or hangup circuit 118 will be described. When the condition signal P from the differential amplifier 36 is zero, indicating a normal condition, as detected by the sensing section, the relays 350 and 352 of the controller 116 will both be energized (assuming no system failure) and the switches will be in the upper position as shown. In this condition the diode 392 is connected through conductor 396 to the switch 368 and thence through the switch 360 and conductor 398 to the negative terminal of the voltage source which has its other terminal returned to ground. Consequently, the diode 392 is biased in the forward direction and the capacitor 388 is discharged so that the voltage at the base of the transistor 380 is insufficient to switch the transistor on. In this condition with transistor 380 off the logic level voltage at the collector of the transistor and on the conductor 406 is binary "1". The binary "1" applied to the inverted set input of the flip-flop 402 is ineffective to change its state and hence the Q output remains at binary "1" and the Q-not output remains at binary "0". In this condition the green signal lamp 412 is connected through the switch 368, switch 360 and the conductor 398 to the negative terminal of the voltage source and the signal lamp is energized, indicating a safe condition.
When the sensor section produces a condition signal P, which is of positive value, indicating an intrusion into the guarded zone, both relays 350 and 352 will be deenergized (assuming no system failures). Similarly, in the event of a low (capacitance) condition in the guarded zone which produces a condition signal P of negative value, the relays 350 and 352 will both be deenergized (assuming no system failures). Thus with either a high or a low condition signal the switches of the relays 354 and 362 will all be in the lower position. In this condition the diode 390 will be connected through the conductor 394, the switch 360, switch 368 and conductor 398 to the negative terminal of the voltage source. Consequently, the diode 390 is biased in the forward direction and the capacitor 388 is discharged therethrough so that the transistor 380 is maintained in the off condition. With transistor 380 off the voltage at the collector thereof and on the conductor 406 is at binary "1" and consequently the state of the failure flip-flop 402 remains unchanged, i.e. the Q output is binary "1" and the Q-not output is binary "0". In this condition of the switches in the controller the signal lamp 414 is connected through the switch 360, the switch 368 and the conductor 398 to the negative terminal of the voltage source and thus the red signal lamp is energized.
Whenever the armature of one of the relays 350 and 352 is in an upper position and the other is in a lower position, a system failure is signified as previously noted. With the relay armatures and switches in this condition neither diode 390 nor diode 392 is connected to the negative terminal of the voltage source and hence the capacitor 388 is charged through the resistors 384 and 386. After a suitable time delay to allow for differences in the normal response times of the relays the voltage at the base of the transistor 380 becomes sufficiently positive to turn the transistor on. With the transistor 380 turned on the voltage at the collector is binary "0" and is applied through the conductor 406 to the inverted set input of the flip-flop 402. This causes the flip-flop 402 to change state and hence the Q output becomes binary "0" and the Q-not output becomes binary "1". The Q output of binary "0" on conductor 294 is applied to the input of the AND gates 282 and 284. This will cause the driver transistors 310 and 312 to both turn off and the relays 350 and 352 will both be deenergized. This locks the controller 116 in a condition which disables the machine. It is noted that in this condition neither the signal lamp 412 nor the signal lamp 414 is connected with the voltage source and both lamps are deenergized. When a failure occurs as just described, the controller 116 will be locked in the disable condition by reason of the Q output of binary "0" from the failure flip-flop 402 until the flip-flop is reset by manual actuation of the reset circuit. In this failure condition the Q-not output energizes the signal lamp 408 to indicate the failure condition.
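The lock-up behaviour described above can be followed in a small tick-based model of the driver gates 112, the relays 350 and 352 and the monitor circuit 118. This is an added example in Python, not part of the patent: the three-tick delay, the `stuck` relay fault, the tick abstraction and the treatment of the flip-flop Q outputs as plain inputs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

HANGUP_DELAY_TICKS = 3  # assumed; the text says only "a suitable time delay"
# Constructed input: Q of flip-flops 56 and 60 at "0" (low condition sensed).
HAZARD = {"q56": False, "q60": False}


@dataclass
class Relay:
    energized: bool = True        # energized (armature up) is the normal state
    stuck: Optional[bool] = None  # constructed fault: armature frozen in this state

    def drive(self, coil_on: bool) -> None:
        self.energized = coil_on if self.stuck is None else self.stuck


@dataclass
class Controller:
    r350: Relay = field(default_factory=Relay)
    r352: Relay = field(default_factory=Relay)
    q402: bool = True  # Q output of failure flip-flop 402 ("1" = no failure)
    charge: int = 0    # ticks that timing capacitor 388 has been charging

    def manual_reset(self) -> None:
        """Reset pulse from switch 266 through one-shot 260 (simplified)."""
        self.q402, self.charge = True, 0

    def step(self, q52=True, q54=True, q56=True, q58=True, q60=True,
             line264=True) -> dict:
        # Driver gates 112: each driver needs both of its AND gates at "1".
        g280 = q52 and line264    # self-check channel, upper
        g282 = q56 and self.q402  # control channel, upper
        g284 = q54 and self.q402  # self-check channel, lower
        g286 = q58 and q60        # control channel, lower
        self.r350.drive(g280 and g282)  # driver transistor 310
        self.r352.drive(g284 and g286)  # driver transistor 312

        # Monitor 118: with the armatures in step, diode 390 or 392 keeps
        # capacitor 388 discharged. Out of step, it charges until
        # transistor 380 turns on and sets failure flip-flop 402.
        if self.r350.energized == self.r352.energized:
            self.charge = 0
        else:
            self.charge += 1
            if self.charge >= HANGUP_DELAY_TICKS:
                self.q402 = False  # latched until manual_reset()
        return self.status()

    def status(self) -> dict:
        up350, up352 = self.r350.energized, self.r352.energized
        return {
            # The text has either relay dropping out disable the machine.
            "machine_enabled": up350 and up352,
            "green_412": up350 and up352,
            "red_414": not up350 and not up352,
            "failure_led_408": not self.q402,
        }


def welded_relay_scenario() -> list:
    """Relay 350 freezes energized, then a hazard is sensed and later clears."""
    c = Controller()
    log = [c.step()]              # normal condition
    c.r350.stuck = True           # constructed fault
    for _ in range(HANGUP_DELAY_TICKS):
        log.append(c.step(**HAZARD))  # 352 drops, 350 cannot follow
    log.append(c.step())          # hazard clears, lock-up persists
    return log


if __name__ == "__main__":
    for tick, state in enumerate(welded_relay_scenario()):
        print(tick, state)
```

In the scenario the healthy relay 352 still disables the machine at once; the latch adds the guarantee that the machine cannot be re-enabled on one working relay once the hazard clears.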
SYSTEM OPERATION.
The operation of the inventive presence sensing and self-checking control system will now be described with reference to the drawings. It is observed that the operation of certain of the subsystems has already been described and accordingly such description will not be repeated.
The operation of the presence sensing section has been described adequately under the heading "Presence Sensing Section and General Description of Operation". Suffice it to say at this point that the condition signal P at the output of the differential amplifier 36 is of zero value when the guarded zone is in normal condition, is of negative value when an object is withdrawn from the guarded zone, and is of positive value when an object intrudes into the guarded zone. When a low test signal is applied to the differential amplifier 32 under clock control as previously described, the condition signal P should be of negative value and when a high test command signal is applied to the amplifier 32 under clock control, the condition signal P should be of positive value. The condition signal P is applied to the inputs of the high detect and low detect amplifiers 40 and 42 respectively which provide logic signals, either binary "1" or binary "0", depending upon the value and polarity of the condition signal P. For convenience of describing the operation, FIG. 4 shows in tabular form the logic signals from the high and low detect amplifiers for the five different conditions in the presence sensing section. The first column identifies the conditions by number and the first three conditions correspond to the operate mode of the system, while the fourth and fifth conditions correspond to the test mode of the system. In the first condition the condition signal P is of zero value and hence the state of the high detect amplifier is "not high" and the state of the low detect amplifier is "not low". In this condition both high and low detect amplifiers produce an output of binary "1". In the second condition of the operate mode the condition signal P is of negative value corresponding to withdrawal of an object from the guarded zone.
The high detect amplifier is in a not high state and the output thereof is binary "1", while the low detect amplifier is in a low state and the output thereof is at binary "0". In condition 3 of the operate mode it is noted that the condition signal P is of positive value and the output of the high detect and low detect amplifiers is just the opposite of that for the condition number 2. In condition number 4, which is the low test mode, the condition signal P is of negative value and the output of the high and low detect amplifiers is the same as condition number 2. Condition number 5 is the high test mode and the condition signal P should have a positive value and the high and low detect amplifiers should have the same state and outputs as condition number 3. It should be noted that the table of FIG. 4 sets forth the outputs of the high and low detect amplifiers for the five different conditions only when the system is operating properly, i.e. there are no system failures. As will be discerned subsequently, the control and self-checking section 44 is operative to detect a failure in the presence sensing section which causes outputs from the high and low detect amplifiers different from those indicated in the table of FIG. 4 for the same input condition. Furthermore, the control and self-checking section is capable of detecting malfunction in the control and self-checking circuits themselves which would cause the controller 116 to respond erroneously to a given set of outputs from the high and low detect amplifiers 40 and 42.
In order to avoid needless repetition in the description of operation of the control and self-checking circuits under the various conditions, a system of notation is applied to the drawings so that the logical state of each stage is indicated for each of the five conditions of the presence sensing section, as depicted in FIG. 4. It is to be remembered that the outputs of the high and low detect amplifiers will be as shown in FIG. 4 only if the presence sensing section operates without malfunction or failure. The system of notation for indicating the logical state of a given logic stage comprises a row of contiguous boxes at the output of that stage. Each box contains a one or a zero corresponding respectively to binary "1" and binary "0". A given box at the output of one stage in the system shows the logic state of that stage which exists when the box in the corresponding position in the row for any other stage has a logic state as indicated by the binary "1" or "0" contained therein. The notation uses five different boxes which, when taken in succession from left to right, correspond to the five different conditions shown in the table of FIG. 4. The "state" boxes for the various stages are identified with the output thereof by lead lines and the use of separate reference characters on the state boxes is avoided.
It is to be noted that the output states of the various stages in the clock 104 can be readily ascertained by reference to the timing diagram of FIG. 3.
For explanatory purposes it will be assumed that with reference to FIG. 4 the presence sensing section is in condition number 1. This condition represents a normal condition of the presence sensing section, i.e. the bridge is balanced and the condition signal P is of zero value. As shown in FIG. 2a, the high detect amplifier 40 produces an output of binary "1" (leftmost box) and the low detect amplifier 42 produces an output of binary "1" (leftmost box). Reference to the timing diagram of FIG. 3 shows that the operate mode during which condition number 1 occurs, extends throughout the time interval of one of the operate pulses 152. From the Q output of the flip-flop 150 in the clock 104 the operate pulses are applied over a conductor 154 to the clock inputs of the operate mode flip-flops 56, 58 and 60. The output of the high detect amplifier 40 is applied to one input of the upper NAND gate 224 and the output of the low detect amplifier 42 is applied to one input of the lower NAND gate 226. The other input of each of the gates 224 and 226 is connected through a conductor 228 to the Q output of the high-low flip-flop 56. The Q output of this flip-flop is in a state determined by the output of the AND gate 202 which has its inputs connected respectively to the outputs of the high and low detect amplifiers 40 and 42. Thus for condition number 1 the output of the AND gate 202 is a binary "1" and this is applied to the data input of the flip-flop 56 and causes its Q output to be a binary "1". Consequently the output states of the upper and lower NAND gates 224 and 226 are caused to be binary "0", as indicated in the leftmost squares of the state boxes thereof. These NAND gates 224 and 226 constitute the self-check gates 106 which in turn control the states of the self-check logic circuits 108 and the self-check mode flip-flops 110, which may be termed the self-check channel. During the operate mode, of which condition number 1 is a part, the self-check channel just mentioned is ineffective to influence the condition of the controller 116, assuming that the self-check channel itself does not malfunction. This can be verified by noting that for condition number 1 the binary "0" output of the upper NAND gate 224 is applied to one input of the high test NAND gate 230 and one input of the high test NAND gate 236. Similarly, the binary "0" output of the lower NAND gate 226 is applied to one input of the low test NAND gate 232 and the low test NAND gate 238. The other inputs of the low test NAND gates 232 and 238 are connected through the conductor 164 to the low test AND gate 160 in the clock 104 which produces a binary "0" output during the operate mode. Similarly, the other inputs of the high test NAND gates 230 and 236 are connected through conductor 172 to the high test AND gate of the clock 104, which has a binary "0" output during the operate mode. Thus during the operate mode in condition number 1 the clock signals on the NAND gates 230, 232, 236 and 238 are binary "0" and thus the outputs will all be binary "1" as shown in the first of the state boxes corresponding thereto. Consequently the NOR circuit 234 which receives the output of the NAND circuits 230 and 232 will produce an output of binary "0". Similarly, the NOR circuit 240 will produce an output of binary "0". The NOR circuit 234 is connected with the data input of the flip-flop 52 and the output of NOR circuit 240 is connected with the data input of the flip-flop 54. The state of the flip-flops 52 and 54 was preset by the binary "1" signal on conductor 264 from the output of the one-shot multivibrator 260 when the system was first energized. Thus the binary "0" signals at the data inputs of the flip-flops 52 and 54 will be ineffective to change the state of the flip-flops and the Q outputs thereof are at binary "1", as shown by the respective state boxes.
Consequently the input to the upper drive gate 280 on conductor 288 is binary "1" and the input to the lower drive gate 284 on conductor 296 is binary "1". The other input to the upper drive gate 280 is also a binary "1" which is the reset signal on conductor 264 which is derived from the one-shot multivibrator 260. Thus the output of the upper drive gate 280 is a binary "1". The other input to the lower drive gate 284 is a binary "1" in the form of the Q output of the failure flip-flop 402. This Q output is maintained as a binary "1" so long as there is no failure as signified by the relays 350 and 352 being out of step. Consequently, the lower drive gate 284 produces a binary "1" output while the upper drive gate 280 produces a binary "1" output as mentioned above. Thus under the condition being discussed it can be appreciated that the self-checking channel up to the point of upper drive gate 280 and lower drive gate 284 will always produce a binary "1" output at the input to the drivers 310 and 312 during the operate mode condition number 1, assuming there is no malfunction in the self-check channel itself.
Accordingly, the state of the drivers 310 and 312 and the controller 116 during the operate mode condition number 1 will be determined by the state of the operate mode flip-flops 56, 58 and 60 and the upper drive gate 282 and the lower drive gate 286 which will be termed the control channel. Referring now to the control channel in condition number 1, it will be remembered that the output of the high detect amplifier 40 is binary "1" which is applied through conductor 198 to the data input of the high flip-flop 58. Consequently, the Q-not output of the flip-flop 58 is binary "0" and the Q output thereof is binary "1". The Q output is fed back through conductor 214 to the input of the high detect amplifier 40 to help hold the output at binary "1" and thus stabilize the switching thereof. Also, in condition number 1 the output of the low detect amplifier 42 is a binary "1" which is applied through a conductor 196 to the data input of the low flip-flop 60. This causes the Q-not output of the flip-flop 60 to be binary "0" and the Q output to be binary "1". Thus both high flip-flop 58 and low flip-flop 60 have binary "1" outputs which are applied through conductors 302 and 304 to the respective inputs of the lower driver gate 286 (see FIG. 2c). This causes the AND gate 286 to produce a binary "1" output.
At the same time, in the control channel the outputs of the high detect amplifier 40 and the low detect amplifier 42 are applied to the respective inputs of the high-low AND gate 202 and since both are binary "1" the output of the AND gate is a binary "1". This output is applied to the data input of the high-low flip-flop 56 which, as mentioned above, causes its Q output to produce a binary "1". This binary "1" is applied through conductor 292 to one input of the upper driver gate 282 (see FIG. 2c). The other input of the driver gate 282 is a binary "1" from the failure flip-flop 402.
Consequently, the upper driver gate 282 and the lower driver gate 286 in the control channel both produce a binary "1" output for condition number 1, and as previously described, the upper driver gate 280 and the lower driver gate 284 in the self-check channel produce a binary "1" output for condition number 1, assuming there are no malfunctions in either channel. As a result, for condition number 1 both driver transistors 310 and 312 and the relays 350 and 352 are energized causing the respective switches thereof to be held in the positions shown in FIG. 2c.
With the relays of the controller in the energized condition as shown in the drawing for condition number 1, the circuit between output terminals 370 is open and the circuit between the normally closed output terminals 372 is closed. As previously described, for this condition, the diode 392 in the hangup circuit 118 is conductive and the transistor 380 is turned off and the failure flip-flop 402 remains unaffected and its Q output produces a binary "1". Also, in this condition, the signal lamp 412 is lighted signifying a safe condition.
Referring again to the table of FIG. 4, it will now be assumed that during the operate mode the presence sensing section is placed in condition number 2, i.e. a low (capacitance) condition which may be produced by withdrawal of an object from the guarded zone. As a result the output of the high detect amplifier 40 is binary "1" and the output of the low detect amplifier 42 is a binary "0". It is observed that these outputs are both applied to the respective inputs of the high-low gate 202 which produces a binary "0" output. This output is applied to the data input of the high-low flip-flop 56 and the Q output thereof is binary "0". The Q output of flip-flop 56 is supplied through a conductor 228 to one input of the self-check upper NAND gate 224 and the self-check lower NAND gate 226. This has the effect of switching the NAND gate 224 to a binary "1" output and switching the NAND gate 226 to a binary "1" output. However, because of the fact that the self-check logic circuits 108, particularly the NAND gates 230, 232, 236 and 238, receive binary "0" signals on conductors 164 and 172 from the clock 104 during the operate mode, the outputs thereof are all binary "1". Consequently, the state of the logic circuits in the self-check channel from this point onward to the upper driver gate 280 and the lower driver gate 284 all remain the same, as in the preceding condition number 1. Thus it will appear that the state of the driver transistors 310 and 312 and the controller 116 will be determined by the change in state of the control channel, including the operate mode flip-flops, and the upper and lower driver gates 282 and 286.
Referring back to the high detect amplifier 40 in condition number 2, the binary "1" output thereof is applied through a conductor 198 to the data input of the high flip-flop 58. This causes the Q-not output thereof to remain at binary "0" and the Q output thereof remains at binary "1". This Q output is applied to one input of the lower driver gate 286 through conductor 302. The low detect amplifier in condition number 2 produces a binary "0" output which is applied through a conductor 196 to the data input of the low flip-flop 60. The Q-not output thereof is switched to binary "1" and the low signal lamp 206 is lighted. At the same time the Q output of the low flip-flop 60 is switched to binary "0" and applied through conductor 304 to the other input of the lower driver gate 286. This causes the lower driver gate 286 to produce a binary "0" output. Consequently, driver transistor 312 is turned off and the relay 352 is deenergized.
As noted previously, in condition number 2, the high-low flip-flop 56 receives a binary "0" at its data input and the Q output is switched to binary "0". This output signal is applied through a conductor 292 to one input of the upper driver gate 282. The other input of driver gate 282 is a binary "1" taken from the Q output of the failure flip-flop 402. Consequently, the output of the upper driver gate 282 is binary "0" and the driver transistor 310 is switched off. Consequently the relay 350 is deenergized. With both relays 350 and 352 deenergized the respective switches thereof are all in the lower position; as a result the normally open circuit between the terminals 370 is closed and the normally closed circuit between the terminals 372 is opened. Furthermore, the diode 390 is conductive and the transistor 380 is turned off and the failure flip-flop 402 maintains the Q output at binary "1". Furthermore, in this condition of the relays the signal lamp 414 is lighted to signify a hazardous condition. Thus the controller with the system in condition number 2 is effective to disable the machine and/or energize an alarm signifying the hazardous condition resulting from a low (capacitance) condition in the presence sensing section.
Assuming now that the presence sensing section is in condition number 3, as depicted in FIG. 4, which corresponds to an intrusion condition, the condition signal P will have a positive value. The high detect amplifier will produce a binary "0" and the low detect amplifier will produce a binary "1". In this condition number 3 the self-check channel from the self-check gates 224 and 226 through the upper driver gate 280 and lower driver gate 284 will be in the same logical states as for condition number 2. This condition number 3, however, will change the logical states of the control channel by changing the state of the high flip-flop 58 and the low flip-flop 60. The high-low flip-flop 56, however, will remain in the same condition as in the previous state number 2. Therefore, in the condition number 3 the upper driver gate 282 will produce a binary "0" output and the lower driver gate 286 will produce a binary "0" output and both driver transistors 310 and 312 will be turned off as in condition number 2. Both relays 350 and 352 will be deenergized and the normally open circuit between terminals 370 will be closed and the normally closed circuit between terminals 372 will be opened. The signal lamp 414 will be energized and the hangup circuit 118 will be in the same state as in condition number 2. Thus condition number 3 corresponding to an intrusion or high (capacitance) will be effective to disable the machine.
The description of operation thus far has only been concerned with the operate mode, i.e. the time slot or duration of the operate pulses 152 from the Q output of the flip-flop 150 in the clock 104. Immediately following the operate mode portion of the cycle is the test mode portion of the cycle which extends for the duration of the pulses 156, produced by the Q-not output of the flip-flop 150 in the clock 104. The test mode is divided into a low test time slot during pulses 163 and a high test time slot during pulses 170, which occur in that time sequence.
During the low test mode, which is represented by condition number 4, as depicted in FIG. 4, the presence sensing section produces a condition signal P of negative value. This condition signal results from a command signal produced by the AND circuit 160 of the clock 104. The command signal is also the low test timing signal supplied through the conductor 164 to the terminal 220 (see FIG. As shown in FIG. 1 the low test terminal 220 is applied to an input of a differential amplifier 32 and as previously described, simulates a presence sensing signal which produces a condition signal P of negative value. Consequently, as indicated in the table of FIG. 4, the high detect amplifier produces a binary "1" output and the low detect amplifier produces a binary "0" output. This causes the self-check NAND gates 224 and 226 to assume the logic states as indicated in the state boxes at position number 4. It is noted that the low test timing pulses 163 on conductor 164 are applied to the inputs of the self-check NAND gates 232 and 238 and the NOR gates 234 and 240 are switched to the states indicated in the state boxes at position number 4. The outputs of the NOR gates 234 and 240 are applied to the data inputs of the self-check flip-flops 52 and 54 respectively. It is further noted, however, that the clock inputs of the flip-flops 52 and 54 in this low test mode receive clock signals on conductors 182 and 180 respectively from the clock AND gate 176 and the clock AND gate 174 respectively. These are the clock pulses 178, as depicted in the timing diagram of FIG. 3. The Q outputs of the flip-flops 52 and 54 are both maintained at binary "1" as indicated in the state boxes at position number 4, and accordingly the upper driver gate 280 and the lower driver gate 284 maintain a binary "1" output. The high detect amplifier and low detect amplifier outputs are the same for the low test mode as in the case of the operate mode with low capacitance (condition number 2).
The state of the operate mode flip-flops 56, 58 and 60 will be the same as in condition number 1 since no operate mode clock pulse is produced on conductor 154. Therefore, the upper driver gate 282 and the lower driver gate 286 will be in the same state for condition number 4, i.e. the low test mode, as for condition number 1 of the operate mode. Consequently, the conditions of driver transistors 310 and 312, relays 350 and 352, and the controller 116 will be the same as that described for condition number 1, and the hangup circuit 118 will also be the same.
During the high test mode the presence sensing section will be in condition number 5, as depicted in the table of FIG. 4. This mode occurs during the high test pulse 170, which is produced by the AND gate 166 of the clock 104. The high test timing pulse is applied through a conductor 172 to the terminal 222 (see FIG. 2a). The terminal 222 in turn is connected to one output of the differential amplifier 32 (see FIG. 1). This timing signal is also a command signal for the differential amplifier to effectively simulate a high (capacitance) or intrusion signal. Consequently, it produces a condition signal P having a positive value. As shown in the table of FIG. 4 the high detect amplifier produces a binary "0" output and the low detect amplifier produces a binary "1" output. The state boxes at position number 5 in the self-check channel show the states of the respective stages. In the control channel the condition of the flip-flops 58 and 60 is the same as that of condition number 4 and the high-low flip-flop 56 is in the same condition as that of condition number 4. The controller 116 and the hangup circuit 118 are in the same condition as described with reference to condition number 4.
The low test mode and the high test mode portions of the cycle have been described on the assumption there were no malfunctions in the system. Consequently, during the test modes the analog portion of the control circuit responded in the same manner as if the presence sensing section had responded to real conditions rather than simulated conditions.
Any number of malfunctions may occur in either the presence detection section or the control and self-check section and the self-checking section will be effective to operate the controller 116 so as to disable the machine and lock the controller in such condition until a manual reset switch 266 is operated.
A typical failure which may occur is the grounding of the output of the differential amplifier 36 so that the condition signal P is zero at all times. If this should occur during the high test portion of the cycle the operation of the circuits would be as follows. During the high test portion of the cycle the states of the various stages will differ from those states indicated in the state boxes in position number 5 because of the malfunction. The low detect amplifier will produce a binary "1" output and the high detect amplifier will also produce a binary "1" output. Consequently the high-low gate 202 will produce a binary "1" which is applied to the data input of the high-low flip-flop 56 and the Q output thereof will be a binary "1" which is applied to inputs of the upper and lower NAND gates 224 and 226 respectively. The outputs of the high and low detect amplifiers are also applied to the inputs of the upper and lower NAND gates and accordingly the outputs of the gates 224 and 226 are both binary "0" respectively. During the high test portion of the cycle the high test timing pulses 170 are applied to the inputs of the NAND gate 230 and the NAND gate 236. Consequently these NAND gates both have the outputs of binary "1". At the same time the NAND gates 232 and 238 both receive respective inputs of binary "0" from the NAND gate 226. They also receive binary "0" inputs from the conductor 164 which is connected with the low time AND gate in the clock. As a result the NAND gates 232 and 238 both produce a binary "1" output. This provides a binary "1" input to the NOR gate 234 from NAND gate 230 and from NAND gate 232 and the output of the NOR gate is a binary "0". Similarly, the NAND gate 236 and the NAND gate 238 both provide a binary "1" input to the NOR gate 240 which produces a binary "0" output to the data input of flip-flop 54. Thus, both flip-flops 52 and 54 receive a binary "0" at their respective data inputs under the failure condition described.
At the same time flip-flop 52 receives a clock pulse 178 at its clock input on conductor 182 from the clock AND gate 176. Likewise, flip-flop 54 receives a clock pulse 178 at its clock input on conductor 180 from the clock AND gate 174. This causes both flip-flops 52 and 54 to produce a binary "0" at the respective Q outputs. The binary "0" from flip-flop 52 is applied through a conductor 288 to the upper driver gate 280, which produces a binary "0" in response thereto. Accordingly, driver transistor 310 is turned off and upper relay 350 of the controller is deenergized. At the same time, the binary "0" from the flip-flop 54 is applied through conductor 296 to the lower driver gate 284 which produces a binary "0" in response thereto. This causes the driver transistor 312 to turn off and the lower relay 352 in the controller is deenergized. Thus the failure condition through the operation of the self-check channel causes the controller relays to be deenergized which causes the machine operation to be stopped. At the same time the signal lamp 414 is energized, indicating a hazardous condition.
The occurrence of a failure condition not only causes the controller to be deenergized during the test portion of the cycle, but it also causes the controller to be locked in that condition to prevent machine operation until the failure condition is cleared and the manual reset switch 266 is operated. This lockup feature is provided by connecting the Q output of the flip-flop 52 through the conductor 242 to one input of the failure lockup AND gate 244 and to one input of the failure lockup AND gate 246. Similarly, the Q output of flip-flop 54 is applied through the conductor 248 to the other input of the failure lockup AND gate 244 and to the other input of the failure lockup AND gate 246. Consequently, the AND gate 244 produces a binary "0" output and the clock AND gate 176 is disabled thereby and the clock pulses 178 from clock AND gate 176 are terminated and the flip-flop 52 is locked in the state with a binary "0" at its Q output. Similarly, the AND gate 246 produces a binary "0" output and the clock AND gate 174 is disabled, terminating the clock pulses supplied on conductor 180 to flip-flop 54, and thus the flip-flop 54 is locked in the state with a binary "0" at its Q output.
With the self-checking flip-flops 52 and 54 locked in the off condition and the controller thus held deenergized, the machine is held thereby in a disabled condition until the failure condition is eliminated. Then upon actuation of the manual reset switch 266 the one-shot multivibrator 260 will produce a reset pulse on conductor 264, which is applied to all of the flip-flop stages and causes the flip-flops 52 and 54 through the preset inputs to be switched to produce a binary "1" at their respective Q outputs.
In the event of an operating machine which causes the relays 350 and 352 to get out of step, i.e. the armature of one to be up while the armature of the other is down, a failure condition is indicated. The failure condition will be either a relay malfunction or a failure of one redundant logic circuit to work like the other. With the relays out of step in this failure condition the relay hangup circuit 118 responds thereto and transistor 380 is turned on and a binary "0" pulse is applied through a conductor 406 to the inverting set input of the failure flip-flop 402. This switches the flip-flop so that the Q output thereof produces a binary "0" which is applied to one input of the upper driver gate 282 and the lower driver gate 284. Consequently, both driver transistors 310 and 312 are switched off and both relays are deenergized. The Q-not output of flip-flop 402 is switched to a binary "1" and the failure lamp 408 is energized.
The flip-flop 402 will remain in the failure indicating state until the failure condition is eliminated and the manual reset switch 266 is actuated to reset the flip-flop 402.
In the event the clock 104 stops working the input to the one-shot multivibrator 260 from the flip-flop would be terminated and the one-shot will time out. When it times out the output thereof on conductor 264 switches to binary "0" and the flip-flops 52 and 54 change state and through the driver gates 280 and 284 the driver transistors 310 and 312 are turned off and the relays of the controller 116 are deenergized. In this condition the controller is operative to disable the machine until the clock failure is eliminated and the reset switch 266 is manually actuated to restart the system.
In summary, the system is operative to detect a change such as the intrusion or withdrawal of an object in the guarded zone and to disable machine operation so long as the condition exists. For example, if the machine operator places his hand in the guarded zone the machine operation is stopped but will be restored as soon as the operator's hand is removed. In the event of a malfunction in the system the self-checking channel thereof is effective to detect the same and to disable operation of the machine. Failure detection results in lockup of the controller so that the machine operation cannot be restored until the failure is remedied and the manual reset switch is actuated. Operation of the system is cyclical with each cycle comprising an operate portion and a test portion. During the operate portion of the cycle the system is adapted to detect the condition of the guarded zone and if it is normal the controller is not actuated. If there is an intrusion into the guarded zone or a withdrawal therefrom the controller operates to disable the machine as mentioned above. The test portion of the cycle is divided into a high test mode and a low test mode, during which high and low command or simulation signals respectively are injected into the system. If the response of the system differs from what it should be with the known condition signals, a failure is indicated and the controller is actuated to disable the machine.
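The operate/test cycle, the self-check lockup and the relay out-of-step latch summarized above can be followed in a short behavioural model. This is an added example, not part of the patent: it collapses the gate-level logic into state flags, and the trip threshold, the injected test amplitudes, and the rule that the machine runs only with both relays energized are assumptions.

```python
THRESHOLD = 0.5                    # assumed detect-amplifier trip level
LOW_TEST, HIGH_TEST = -1.0, +1.0   # assumed amplitudes of the injected command signals


def detect(p):
    """High/low detect amplifiers 40 and 42; a 0 output means 'tripped' (FIG. 4 table)."""
    high = 0 if p > THRESHOLD else 1    # 0 on intrusion (positive P)
    low = 0 if p < -THRESHOLD else 1    # 0 on withdrawal (negative P)
    return high, low


class Controller:
    def __init__(self):
        self.stuck_signal = None      # e.g. 0.0 models the grounded amplifier output
        self.stuck_relay = None       # index of a relay whose armature cannot move
        self.operate_ok = True        # operate-mode flip-flops 56/58/60, collapsed
        self.selfcheck_ok = True      # self-check flip-flops 52/54 (Q = 1 when healthy)
        self.relay_failure = False    # failure flip-flop 402
        self.relay_up = [True, True]  # actual armature positions of relays 350, 352

    def _condition_signal(self, p):
        return p if self.stuck_signal is None else self.stuck_signal

    def _drive_relays(self):
        want = self.operate_ok and self.selfcheck_ok and not self.relay_failure
        for i in range(2):
            if i != self.stuck_relay:
                self.relay_up[i] = want
        if self.relay_up[0] != self.relay_up[1]:   # hangup circuit 118: out of step
            self.relay_failure = True              # latched until manual reset
            for i in range(2):
                if i != self.stuck_relay:
                    self.relay_up[i] = False

    def cycle(self, zone_p):
        """One full cycle: operate slot, then low test slot, then high test slot."""
        # Operate slot: only here do the operate-mode flip-flops sample the zone.
        self.operate_ok = detect(self._condition_signal(zone_p)) == (1, 1)
        # Test slots: the injected signal must produce the known detector pattern.
        for injected, expected in ((LOW_TEST, (1, 0)), (HIGH_TEST, (0, 1))):
            if not self.selfcheck_ok:
                break   # lockup: self-check flip-flops are no longer clocked
            if detect(self._condition_signal(injected)) != expected:
                self.selfcheck_ok = False
        self._drive_relays()
        return self.machine_enabled

    @property
    def machine_enabled(self):
        return all(self.relay_up)     # assumption: both relays must be energized

    def manual_reset(self):
        """Reset switch 266: presets the self-check and failure flip-flops."""
        self.selfcheck_ok = True
        self.relay_failure = False


def demo():
    c = Controller()
    out = {"normal": c.cycle(0.0), "intrusion": c.cycle(+1.0), "cleared": c.cycle(0.0)}
    c.stuck_signal = 0.0                       # constructed fault: P grounded
    out["fault"] = c.cycle(0.0)
    c.stuck_signal = None
    out["repaired_no_reset"] = c.cycle(0.0)    # still locked up
    c.manual_reset()
    out["after_reset"] = c.cycle(0.0)
    return out


if __name__ == "__main__":
    print(demo())
```

A real intrusion clears by itself on the next operate slot, while a failed self-test or an out-of-step relay keeps the machine disabled until the fault is removed and `manual_reset()` is called.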
Although the description of this invention has been given with respect to a particular embodiment, it is not to be construed in a limiting sense. Many variations and modifications will now occur to those skilled in the art. For a definition of the invention reference is made to the appended claims.
The embodiments of the present invention in which an exclusive property or privilege is claimed are defined as follows:
1. A presence detection system of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means having an output adapted to produce a reference signal when said zone is in a normal condition and an intrusion signal when an object intrudes into said zone, and control means having an input connected with the output of said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to an intrusion signal to cause actuation of said controller and responsive to a reference signal to cause deactuation thereof, the improvement comprising; self-checking means including timing means, command signal means cyclically operated by the timing means and connected with an input of said control circuit for periodically applying a simulated intrusion signal thereto, said self-checking means also including a logic means having an input connected with a selected point of the control circuit to determine whether a simulated intrusion signal applied to the control circuit is operative to produce a predetermined signal at the selected point in the control circuit during the occurrence of a simulated intrusion signal, said logic means including a self-check bistable element which assumes one state in response to said simulated intrusion signal, gate means having one input connected with the output of the self-check bistable element and having another input connected with a point in said self-checking means having a logic level voltage state indicative of what said one state should be in the absence of a malfunction, said gate means being connected with said controller and being adapted to cause actuation thereof when the bistable element assumes another state in response to said simulated intrusion signal.
2. The invention as defined in claim 1 wherein said control circuit includes first and second control channels, the first channel being connected between the sensing means and a first relay means, the second control channel being connected between the sensing means and a second relay means, said controller comprising said first and second relay means, said first and second channels being redundantly related to each other for causing said first and second relay means to be actuated and deactuated together in response to a signal from the sensing means, monitor means connected with said first and second relay means and having an output producing a logic level voltage state indicative of malfunction in one of said channels, said gate means having said another input connected with the output of said monitor means.
3. The invention defined in claim 1 including monitor means connected with said controller and having an output which produces, in the absence of a malfunction of said controller, a first logic level voltage state indicative of the state that said self-check bistable element should assume in the absence of a malfunction of said control circuit and which produces, in case of a malfunction of said controller, a second logic level voltage whereby said controller is actuated in response to a malfunction in either said control circuit or said controller.
4. The invention defined in claim 1 including monitor means connected with said timing means and having an output which produces, in the absence of a malfunction of said timing means, a first logic level voltage state indicative of the state that said self-check bistable element should assume in the absence of a malfunction of said control circuit and which produces, in case of a malfunction of said timing means, a second logic level voltage whereby said controller is actuated in response to a malfunction in either said control circuit or said timing means.
5. A presence detection system of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means having an output adapted to produce a reference signal when said zone is in a normal condition and an intrusion signal when an object intrudes into said zone, and control means having an input connected with the output of said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to an intrusion signal to cause actuation of said controller and responsive to a reference signal to cause deactuation thereof, the improvement comprising; self-checking means including timing means, command signal means cyclically operated by the timing means and connected with an input of said control circuit for periodically applying a simulated intrusion signal thereto, said self-checking means also including a logic means having an input connected with a selected point of the control circuit to determine whether a simulated intrusion signal applied to the control circuit is operative to produce a predetermined signal at the selected point in the control circuit during the occurrence of a simulated intrusion signal, first disabling means connected with said control circuit and second disabling means connected with said logic means, said timing means being connected with said first and second disabling means for alternately disabling the control circuit and the logic means whereby self-checking and presence detection are interlaced in time at a frequency established by said timing means, said logic means having an output connected with said controller for causing actuation thereof when said logic means determines that said predetermined signal is not produced by said simulated intrusion signal.
6. The invention as defined in claim 5 wherein said controller includes at least one normally energized relay means, said control circuit being adapted to connect the relay means to a power supply to deactuate the controller whereby the controller is actuated in the event of failure of the power supply.
7. The invention as defined in claim 5 including lockup means connected with said logic means and being operative to hold said controller in actuated condition when said logic means determines that said predetermined signal is not produced by said simulated intrusion signal.
8. The invention as defined in claim 5 wherein said logic means includes at least one self-check bistable element which assumes one state in response to said simulated intrusion signal in the absence of a malfunction, said bistable element having an output connected with said controller and being ineffective to cause actuation thereof in said one state and effective to cause actuation in the other state, and lockup means connected with said self-check bistable element and being operative in response to the other state for holding it in said other state thereby holding said controller in the actuated condition.
9. The invention as defined in claim 8 including a manually operated reset circuit connected with the self-check bistable element for resetting the same to its other state.
10. The invention as defined in claim 5 wherein said timing means causes switching of the first and second disabling means at a rate such that the control circuit is disabled for less time during each cycle of operation than that required for the occurrence of a predetermined degree of intrusion.
11. The invention as defined in claim 5 wherein said timing means causes switching of the first and second disabling means such that the control circuit and the logic means are alternately disabled for substantially equal time intervals, the frequency of alternation being at least several times per second.
12. A safety system for controlling a machine, the system being of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means being adapted to produce a reference signal when said zone is in a normal condition, an intrusion signal when an object intrudes into said zone and a withdrawal signal when an object is withdrawn from said zone, and control means connected with said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to either an intrusion signal or a withdrawal signal to cause actuation of said controller and responsive to a reference signal to cause deactuation of said controller, the improvement comprising; self-checking means including timing means, command signal means adapted to produce a simulated intrusion signal and a simulated withdrawal signal and being connected with an input of said control circuit, said self-checking means also including logic means having an input connected with a selected point of the control circuit, said logic means having an output connected with said controller for causing actuation thereof, first disabling means connected with said control circuit, said timing means being connected with said first disabling means for disabling a portion of the control circuit during a test interval preceding an operate interval and for enabling it to cause actuation of said controller during an operate interval, second disabling means connected with said self-check means, said timing means being connected with said second disabling means for disabling the logic means during said operate interval and for enabling the logic means during said test interval to cause actuation of said controller, said timing means also being connected with said command signal means for producing said simulated intrusion and withdrawal signals in succession during said test interval, said logic means being operative to produce an actuating signal when the control circuit is ineffective to produce predetermined signals at the selected point in response to the simulated intrusion and withdrawal signals, said controller being actuated in response to said actuating signal, and said timing means being cyclical in operation whereby said operate interval and test interval are successively repetitive.
13. The invention as defined in claim 12 wherein said logic means includes an intrusion signal test channel and a withdrawal signal test channel, said timing means being connected with said intrusion signal test channel for enabling operation thereof during the simulated intrusion signal, said timing means also being connected with said withdrawal signal test channel for enabling operation thereof during the simulated withdrawal signal.
14. The invention as defined in claim 13 wherein said logic means includes first and second self-checking bistable elements, the first bistable element being adapted to assume one state in response to a simulated intrusion signal in the absence of a malfunction, the first bistable element having its input operatively connected with the output of both of said test channels and having its output connected with said controller, said first bistable element being ineffective to cause actuation of said controller in said one state and effective to cause actuation in the other state, the second bistable element being adapted to assume one state in response to a simulated withdrawal signal in the absence of a malfunction, the second bistable element having its input operatively connected with the output of both of said test channels and having its output connected with said controller, said second bistable element being ineffective to cause actuation of said controller in said one state and effective to cause actuation in the other state.

Claims (14)

1. A presence detection system of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means having an output adapted to produce a reference signal when said zone is in a normal condition and an intrusion signal when an object intrudes into said zone, and control means having an input connected with the output of said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to an intrusion signal to cause actuation of said controller and responsive to a reference signal to cause deactuation thereof, the improvement comprising; self-checking means including timing means, command signal means cyclically operated by the timing means and connected with an input of said control circuit for periodically applying a simulated intrusion signal thereto, said self-checking means also including a logic means having an input connected with a selected point of the control circuit to determine whether a simulated intrusion signal applied to the control circuit is operative to produce a predetermined signal at the selected point in the control circuit during the occurrence of a simulated intrusion signal, said logic means including a self-check bistable element which assumes one state in response to said simulated intrusion signal, gate means having one input connected with the output of the self-check bistable element and having another input connected with a point in said self-checking means having a logic level voltage state indicative of what said one state should be in the absence of a malfunction, said gate means being connected with said controller and being adapted to cause actuation thereof when the bistable element assumes another state in response to said simulated intrusion signal.
2. The invention as defined in claim 1 wherein said control circuit includes first and second control channels, the first channel being connected between the sensing means and a first relay means, the second control channel being connected between the sensing means and a second relay means, said controller comprising said first and second relay means, said first and second channels being redundantly related to each other for causing said first and second relay means to be actuated and deactuated together in response to a signal from the sensing means, monitor means connected with said first and second relay means and having an output producing a logic level voltage state indicative of malfunction in one of said channels, said gate means having said another input connected with the output of said monitor means.
3. The invention defined in claim 1 including monitor means connected with said controller and having an output which produces, in the absence of a malfunction of said controller, a first logic level voltage state indicative of the state that said self-check bistable element should assume in the absence of a malfunction of said control circuit and which produces, in case of a malfunction of said controller, a second logic level voltage whereby said controller is actuated in response to a malfunction in either said control circuit or said controller.
4. The invention defined in claim 1 including monitor means connected with said timing means and having an output which produces, in the absence of a malfunction of said timing means, a first logic level voltage state indicative of the state that said self-check bistable element should assume in the absence of a malfunction of said control circuit and which produces, in case of a malfunction of said timing means, a second logic level voltage whereby said controller is actuated in response to a malfunction in either said control circuit or said timing means.
5. A presence detection system of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means having an output adapted to produce a reference signal when said zone is in a normal condition and an intrusion signal when an object intrudes into said zone, and control means having an input connected with the output of said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to an intrusion signal to cause actuation of said controller and responsive to a reference signal to cause deactuation thereof, the improvement comprising; self-checking means including timing means, command signal means cyclically operated by the timing means and connected with an input of said control circuit for periodically applying a simulated intrusion signal thereto, said self-checking means also including a logic means having an input connected with a selected point of the control circuit to determine whether a simulated intrusion signal applied to the control circuit is operative to produce a predetermined signal at the selected point in the control circuit during the occurrence of a simulated intrusion signal, first disabling means connected with said control circuit and second disabling means connected with said logic means, said timing means being connected with said first and second disabling means for alternately disabling the control circuit and the logic means whereby self-checking and presence detection are interlaced in time at a frequency established by said timing means, said logic means having an output connected with said controller for causing actuation thereof when said logic means determines that said predetermined signal is not produced by said simulated intrusion signal.
6. The invention as defined in claim 5 wherein said controller includes at least one normally energized relay means, said control circuit being adapted to connect the relay means to a power supply to deactuate the controller whereby the controller is actuated in the event of failure of the power supply.
7. The invention as defined in claim 5 including lock-up means connected with said logic means and being operative to hold said controller in actuated condition when said logic means determines that said predetermined signal is not produced by said simulated intrusion signal.
8. The invention as defined in claim 5 wherein said logic means includes at least one self-check bistable element which assumes one state in response to said simulated intrusion signal in the absence of a malfunction, said bistable element having an output connected with said controller and being ineffective to cause actuation thereof in said one state and effective to cause actuation in the other state, and lock-up means connected with said self-check bistable element and being operative in response to the other state for holding it in said other state thereby holding said controller in the actuated condition.
9. The invention as defined in claim 8 including a manually operated reset circuit connected with the self-check bistable element for resetting the same to its other state.
10. The invention as defined in claim 5 wherein said timing means causes switching of the first and second disabling means at a rate such that the control circuit is disabled for less time during each cycle of operation than that required for the occurrence of a predetermined degree of intrusion.
11. The invention as defined in claim 5 wherein said timing means causes switching of the first and second disabling means such that the control circuit and the logic means are alternately disabled for substantially equal time intervals, the frequency of alternation being at least several times per second.
12. A safety system for controlling a machine, the system being of the type comprising sensing means including a sensing element adapted to be disposed adjacent a zone to be monitored and including electrical signal producing means connected with said element, said sensing means being adapted to produce a reference signal when said zone is in a normal condition, an intrusion signal when an object intrudes into said zone and a withdrawal signal when an object is withdrawn from said zone, and control means connected with said sensing means, said control means including a control circuit and a controller connected thereto, said control circuit being responsive to either an intrusion signal or a withdrawal signal to cause actuation of said controller and responsive to a reference signal to cause deactuation of said controller, the improvement comprising; self-checking means including timing means, command signal means adapted to produce a simulated intrusion signal and a simulated withdrawal signal and being connected with an input of said control circuit, said self-checking means also including logic means having an input connected with a selected point of the control circuit, said logic means having an output connected with said controller for causing actuation thereof, first disabling means connected with said control circuit, said timing means being connected with said first disabling means for disabling a portion of the control circuit during a test interval preceding an operate interval and for enabling it to cause actuation of said controller during an operate interval, second disabling means connected with said self-check means, said timing means being connected with said second disabling means for disabling the logic means during said operate interval and for enabling the logic means during said test interval to cause actuation of said controller, said timing means also being connected with said command signal means for producing said simulated intrusion and withdrawal signals in succession during said test interval, said logic means being operative to produce an actuating signal when the control circuit is ineffective to produce predetermined signals at the selected point in response to the simulated intrusion and withdrawal signals, said controller being actuated in response to said actuating signal, and said timing means being cyclical in operation whereby said operate interval and test interval are successively repetitive.
13. The invention as defined in claim 12 wherein said logic means includes an intrusion signal test channel and a withdrawal signal test channel, said timing means being connected with said intrusion signal test channel for enabling operation thereof during the simulated intrusion signal, said timing means also being connected with said withdrawal signal test channel for enabling operation thereof during the simulated withdrawal signal.
14. The invention as defined in claim 13 wherein said logic means includes first and second self-checking bistable elements, the first bistable element being adapted to assume one state in response to a simulated intrusion signal in the absence of a malfunction, the first bistable element having its input operatively connected with the output of both of said test channels and having its output connected with said controller, said first bistable element being ineffective to cause actuation of said controller in said one state and effective to cause actuation in the other state, the second bistable element being adapted to assume one state in response to a simulated withdrawal signal in the absence of a malfunction, the second bistable element having its input operatively connected with the output of both of said test channels and having its output connected with said controller, said second bistable element being ineffective to cause actuation of said controller in said one state and effective to cause actuation in the other state.
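The interlaced test and operate intervals of claims 5 and 12, with the lock-up of claims 7-8 and the normally energized relay of claim 6, can be modelled as a small simulation. This is an added illustration, not code from the patent; the class and method names, the fault-injection `dead` set, and the reading of claim 9's manual reset as clearing the lock-up are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Signal(Enum):
    REFERENCE = "reference"    # zone in its normal condition
    INTRUSION = "intrusion"    # object enters the zone
    WITHDRAWAL = "withdrawal"  # object leaves the zone


@dataclass
class ControlCircuit:
    """Detection path under test; `dead` holds signals it can no longer detect
    (fault injection, an assumption of this model)."""
    dead: set = field(default_factory=set)

    def selected_point(self, signal: Signal) -> bool:
        # True = "actuate the controller"; a failed channel never asserts it.
        return signal is not Signal.REFERENCE and signal not in self.dead


@dataclass
class SafetySystem:
    circuit: ControlCircuit
    power_ok: bool = True
    locked_up: bool = False  # lock-up of claims 7-8: holds the controller actuated

    def test_interval(self) -> bool:
        """Claim 12: the control circuit's path to the controller is disabled and
        simulated intrusion, then withdrawal, are applied. A missing response at
        the selected point sets the lock-up. Returns True if this pass found a fault."""
        failed = False
        for simulated in (Signal.INTRUSION, Signal.WITHDRAWAL):
            if not self.circuit.selected_point(simulated):
                failed = True
        self.locked_up = self.locked_up or failed
        return failed

    def operate_interval(self, sensed: Signal) -> bool:
        """Self-check logic disabled; the real sensor signal drives the demand."""
        return self.circuit.selected_point(sensed)

    def cycle(self, sensed: Signal) -> bool:
        """One timing cycle (test, then operate). True = controller actuated."""
        self.test_interval()
        demand = self.operate_interval(sensed)
        # Claim 6: normally energized relay, so loss of power also actuates.
        relay_energized = self.power_ok and not demand and not self.locked_up
        return not relay_energized

    def manual_reset(self) -> None:
        # Claim 9 reset, modelled here as clearing the lock-up (assumption).
        self.locked_up = False


def run(system: SafetySystem, sensed_sequence) -> list:
    """Drive the system through consecutive cycles; one bool per cycle."""
    return [system.cycle(s) for s in sensed_sequence]


if __name__ == "__main__":
    seq = [Signal.REFERENCE, Signal.INTRUSION, Signal.REFERENCE]
    print("healthy:", run(SafetySystem(ControlCircuit()), seq))
    faulty = SafetySystem(ControlCircuit(dead={Signal.INTRUSION}))
    print("missed without self-check:", not faulty.operate_interval(Signal.INTRUSION))
    print("with self-check:", run(faulty, seq))
```

The faulty case is the one the claims are written for: a dead intrusion channel gives no demand during a real intrusion, so only the test interval's lock-up stops the machine.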
US327384A 1973-01-29 1973-01-29 Presence sensing and self-checking control system Expired - Lifetime US3886413A (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US327384A US3886413A (en) 1973-01-29 1973-01-29 Presence sensing and self-checking control system
CH82474A CH588127A5 (en) 1973-01-29 1974-01-22
DE2403058A DE2403058A1 (en) 1973-01-29 1974-01-23 PRESENCE CHECK AND SELF-CHECK CONTROL SYSTEM
CA191,073A CA1005873A (en) 1973-01-29 1974-01-28 Presence sensing and self checking control system
FR7402764A FR2215629B1 (en) 1973-01-29 1974-01-28
GB409974A GB1461441A (en) 1973-01-29 1974-01-29 Condition responsive apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US327384A US3886413A (en) 1973-01-29 1973-01-29 Presence sensing and self-checking control system

Publications (1)

Publication Number Publication Date
US3886413A (en) 1975-05-27

Family

ID=23276330

Family Applications (1)

Application Number Title Priority Date Filing Date
US327384A Expired - Lifetime US3886413A (en) 1973-01-29 1973-01-29 Presence sensing and self-checking control system

Country Status (6)

Country Link
US (1) US3886413A (en)
CA (1) CA1005873A (en)
CH (1) CH588127A5 (en)
DE (1) DE2403058A1 (en)
FR (1) FR2215629B1 (en)
GB (1) GB1461441A (en)

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3995200A (en) * 1975-06-23 1976-11-30 Stolarczyk Larry G Ground monitor and circuit breaker actuating device
US4103293A (en) * 1975-11-21 1978-07-25 Tri-Century Industries, Inc. Intrusion alarm apparatus
US4309696A (en) * 1978-06-26 1982-01-05 Kabushiki Kaisha Komatsu Seisakusho Trouble detecting unit in an optical security device
US4484119A (en) * 1983-06-28 1984-11-20 At&T Technologies, Inc. Fail-safe machine control system
US4777473A (en) * 1986-08-22 1988-10-11 Fire Burglary Instruments, Inc. Alarm system incorporating dynamic range testing
US4812674A (en) * 1985-05-20 1989-03-14 Square D Company Safety gate limit switch using Hall effect transducer
US5149921A (en) * 1991-07-10 1992-09-22 Innovation Industries, Inc. Self correcting infrared intrusion detection system
FR2703756A1 (en) * 1993-04-07 1994-10-14 Lebail Hubert Yvon Safety amplifier box for fibre-optic sensors
US5850342A (en) * 1996-09-24 1998-12-15 Nakamura; Kaoru Machine tool control system
EP0819881A3 (en) * 1991-09-05 2001-08-22 Frost Controls, Inc. Area light switch
US20020020262A1 (en) * 2000-08-14 2002-02-21 Gass Stephen F. Logic control for fast-acting safety system
US6376939B1 (en) * 1999-04-02 2002-04-23 Sumitomo Chemical Company, Limited Sensor apparatus and safety apparatus for protecting approach to machines
US6994004B2 (en) 2000-09-29 2006-02-07 Sd3, Llc Table saw with improved safety system
US7000514B2 (en) 2001-07-27 2006-02-21 Sd3, Llc Safety systems for band saws
US7077039B2 (en) 2001-11-13 2006-07-18 Sd3, Llc Detection system for power equipment
US7098800B2 (en) 2003-03-05 2006-08-29 Sd3, Llc Retraction system and motor position for use with safety systems for power equipment
US7231856B2 (en) 2001-06-13 2007-06-19 Sd3, Llc Apparatus and method for detecting dangerous conditions in power equipment
US7681479B2 (en) 2000-08-14 2010-03-23 Sd3, Llc Motion detecting system for use in a safety system for power equipment
US7707920B2 (en) 2003-12-31 2010-05-04 Sd3, Llc Table saws with safety systems
US7712403B2 (en) 2001-07-03 2010-05-11 Sd3, Llc Actuators for use in fast-acting safety systems
US7784507B2 (en) 2000-09-29 2010-08-31 Sd3, Llc Router with improved safety system
US7788999B2 (en) 1999-10-01 2010-09-07 Sd3, Llc Brake mechanism for power equipment
US7827890B2 (en) 2004-01-29 2010-11-09 Sd3, Llc Table saws with safety systems and systems to mount and index attachments
US7832314B2 (en) 2000-08-14 2010-11-16 Sd3, Llc Brake positioning system
US7836804B2 (en) 2003-08-20 2010-11-23 Sd3, Llc Woodworking machines with overmolded arbors
US7895927B2 (en) 1999-10-01 2011-03-01 Sd3, Llc Power equipment with detection and reaction systems
US7991503B2 (en) 2003-12-31 2011-08-02 Sd3, Llc Detection systems for power equipment
US8061245B2 (en) 2000-09-29 2011-11-22 Sd3, Llc Safety methods for use in power equipment
US8065943B2 (en) 2000-09-18 2011-11-29 Sd3, Llc Translation stop for use in power equipment
US8100039B2 (en) 2000-08-14 2012-01-24 Sd3, Llc Miter saw with safety system
US8459157B2 (en) 2003-12-31 2013-06-11 Sd3, Llc Brake cartridges and mounting systems for brake cartridges
US20150353282A1 (en) * 2014-06-10 2015-12-10 Amazon Technologies, Inc. Item-detecting overhead sensor for inventory system
US9724840B2 (en) 1999-10-01 2017-08-08 Sd3, Llc Safety systems for power equipment
US9824328B2 (en) 2014-06-10 2017-11-21 Amazon Technologies, Inc. Arm-detecting overhead sensor for inventory system
US9927796B2 (en) 2001-05-17 2018-03-27 Sawstop Holding Llc Band saw with improved safety system
EP3988244A4 (en) * 2019-06-19 2023-06-28 DMG Mori Co., Ltd. Machine tool and machine tool self-diagnosis method
CN116880491A (en) * 2023-07-21 2023-10-13 弥费科技(上海)股份有限公司 Anti-collision control device, system and method for AMHS (automated mechanical transmission) carrying trolley

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2283494A2 (en) * 1974-09-02 1976-03-26 Cometa Photoelectric scanning of control zone - by comparing count signals with scanning switch states to decide if scanning continues
ES8201716A1 (en) * 1979-09-10 1981-12-16 Gordon Ambler Kenneth Safety mechanism for industrial machinery.
FR2492127A1 (en) * 1980-09-26 1982-04-16 Cometa Sa ELECTRONIC SELF-CONTROL SYSTEM
DE3508298C1 (en) * 1985-03-08 1986-10-09 Bergwerksverband Gmbh, 4300 Essen Device for monitoring machines
DE3619723A1 (en) * 1986-06-12 1987-12-17 Kloeckner Moeller Elektrizit Additional controller, having contacts, for safety circuits
EP4040034B1 (en) * 2021-02-04 2023-06-07 Sick Ag Safety device and safety method for monitoring a machine
CN113112834A (en) * 2021-04-14 2021-07-13 广东古田智能科技有限公司 Traffic light system and lamp bead fault detection method thereof

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3543260A (en) * 1968-07-24 1970-11-24 Honeywell Inc Self checking interuder and fire detector units and system
US3680069A (en) * 1969-10-17 1972-07-25 Ver Flugtechnische Werke Testing of redundant control systems
US3737744A (en) * 1971-12-30 1973-06-05 Bader Dev Corp Body detecting industrial safety system
US3764860A (en) * 1970-11-30 1973-10-09 Boekels & Co H Metal detector and checking arrangement therefor

Cited By (62)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3995200A (en) * 1975-06-23 1976-11-30 Stolarczyk Larry G Ground monitor and circuit breaker actuating device
US4103293A (en) * 1975-11-21 1978-07-25 Tri-Century Industries, Inc. Intrusion alarm apparatus
US4309696A (en) * 1978-06-26 1982-01-05 Kabushiki Kaisha Komatsu Seisakusho Trouble detecting unit in an optical security device
US4484119A (en) * 1983-06-28 1984-11-20 At&T Technologies, Inc. Fail-safe machine control system
US4812674A (en) * 1985-05-20 1989-03-14 Square D Company Safety gate limit switch using Hall effect transducer
US4777473A (en) * 1986-08-22 1988-10-11 Fire Burglary Instruments, Inc. Alarm system incorporating dynamic range testing
US5149921A (en) * 1991-07-10 1992-09-22 Innovation Industries, Inc. Self correcting infrared intrusion detection system
EP0819881A3 (en) * 1991-09-05 2001-08-22 Frost Controls, Inc. Area light switch
FR2703756A1 (en) * 1993-04-07 1994-10-14 Lebail Hubert Yvon Safety amplifier box for fibre-optic sensors
US5850342A (en) * 1996-09-24 1998-12-15 Nakamura; Kaoru Machine tool control system
US6376939B1 (en) * 1999-04-02 2002-04-23 Sumitomo Chemical Company, Limited Sensor apparatus and safety apparatus for protecting approach to machines
US9522476B2 (en) 1999-10-01 2016-12-20 Sd3, Llc Power equipment with detection and reaction systems
US7788999B2 (en) 1999-10-01 2010-09-07 Sd3, Llc Brake mechanism for power equipment
US9969014B2 (en) 1999-10-01 2018-05-15 Sawstop Holding Llc Power equipment with detection and reaction systems
US9925683B2 (en) 1999-10-01 2018-03-27 Sawstop Holding Llc Table saws
US9724840B2 (en) 1999-10-01 2017-08-08 Sd3, Llc Safety systems for power equipment
US7895927B2 (en) 1999-10-01 2011-03-01 Sd3, Llc Power equipment with detection and reaction systems
US10335972B2 (en) 1999-10-01 2019-07-02 Sawstop Holding Llc Table Saws
US8196499B2 (en) 1999-10-01 2012-06-12 Sd3, Llc Power equipment with detection and reaction systems
US8408106B2 (en) 1999-10-01 2013-04-02 Sd3, Llc Method of operating power equipment with detection and reaction systems
US7600455B2 (en) * 2000-08-14 2009-10-13 Sd3, Llc Logic control for fast-acting safety system
US8522655B2 (en) * 2000-08-14 2013-09-03 Sd3, Llc Logic control for fast-acting safety system
US20140165801A1 (en) * 2000-08-14 2014-06-19 Sd3, Llc Logic control for fast-acting safety system
US9038515B2 (en) * 2000-08-14 2015-05-26 Sd3, Llc Logic control for fast-acting safety system
US20120260781A1 (en) * 2000-08-14 2012-10-18 Gass Stephen F Logic control for fast-acting safety system
US7832314B2 (en) 2000-08-14 2010-11-16 Sd3, Llc Brake positioning system
US7681479B2 (en) 2000-08-14 2010-03-23 Sd3, Llc Motion detecting system for use in a safety system for power equipment
US8191450B2 (en) 2000-08-14 2012-06-05 Sd3, Llc Power equipment with detection and reaction systems
US8100039B2 (en) 2000-08-14 2012-01-24 Sd3, Llc Miter saw with safety system
US7921754B2 (en) 2000-08-14 2011-04-12 Sd3, Llc Logic control for fast-acting safety system
US8151675B2 (en) 2000-08-14 2012-04-10 Sd3, Llc Logic control for fast-acting safety system
US20020020262A1 (en) * 2000-08-14 2002-02-21 Gass Stephen F. Logic control for fast-acting safety system
US8065943B2 (en) 2000-09-18 2011-11-29 Sd3, Llc Translation stop for use in power equipment
US8061245B2 (en) 2000-09-29 2011-11-22 Sd3, Llc Safety methods for use in power equipment
US7784507B2 (en) 2000-09-29 2010-08-31 Sd3, Llc Router with improved safety system
US6994004B2 (en) 2000-09-29 2006-02-07 Sd3, Llc Table saw with improved safety system
US9927796B2 (en) 2001-05-17 2018-03-27 Sawstop Holding Llc Band saw with improved safety system
US7231856B2 (en) 2001-06-13 2007-06-19 Sd3, Llc Apparatus and method for detecting dangerous conditions in power equipment
US7712403B2 (en) 2001-07-03 2010-05-11 Sd3, Llc Actuators for use in fast-acting safety systems
US7000514B2 (en) 2001-07-27 2006-02-21 Sd3, Llc Safety systems for band saws
US7077039B2 (en) 2001-11-13 2006-07-18 Sd3, Llc Detection system for power equipment
US7098800B2 (en) 2003-03-05 2006-08-29 Sd3, Llc Retraction system and motor position for use with safety systems for power equipment
US7836804B2 (en) 2003-08-20 2010-11-23 Sd3, Llc Woodworking machines with overmolded arbors
US8459157B2 (en) 2003-12-31 2013-06-11 Sd3, Llc Brake cartridges and mounting systems for brake cartridges
US7827893B2 (en) 2003-12-31 2010-11-09 Sd3, Llc Elevation mechanism for table saws
US8498732B2 (en) 2003-12-31 2013-07-30 Sd3, Llc Detection systems for power equipment
US8489223B2 (en) 2003-12-31 2013-07-16 Sd3, Llc Detection systems for power equipment
US7707920B2 (en) 2003-12-31 2010-05-04 Sd3, Llc Table saws with safety systems
US8122807B2 (en) 2003-12-31 2012-02-28 Sd3, Llc Table saws with safety systems
US8087438B2 (en) 2003-12-31 2012-01-03 Sd3, Llc Detection systems for power equipment
US7991503B2 (en) 2003-12-31 2011-08-02 Sd3, Llc Detection systems for power equipment
US9623498B2 (en) 2003-12-31 2017-04-18 Sd3, Llc Table saws
US7866239B2 (en) 2003-12-31 2011-01-11 Sd3, Llc Elevation mechanism for table saws
US7827890B2 (en) 2004-01-29 2010-11-09 Sd3, Llc Table saws with safety systems and systems to mount and index attachments
US8505424B2 (en) 2004-01-29 2013-08-13 Sd3, Llc Table saws with safety systems and systems to mount and index attachments
US10052786B2 (en) 2004-01-29 2018-08-21 Sawstop Holding Llc Table saws with safety systems and systems to mount and index attachments
US10882207B2 (en) 2004-01-29 2021-01-05 Sawstop Holding Llc Table saws with safety systems and systems to mount and index attachments
US9824328B2 (en) 2014-06-10 2017-11-21 Amazon Technologies, Inc. Arm-detecting overhead sensor for inventory system
US9580245B2 (en) * 2014-06-10 2017-02-28 Amazon Technologies, Inc. Item-detecting overhead sensor for inventory system
US20150353282A1 (en) * 2014-06-10 2015-12-10 Amazon Technologies, Inc. Item-detecting overhead sensor for inventory system
EP3988244A4 (en) * 2019-06-19 2023-06-28 DMG Mori Co., Ltd. Machine tool and machine tool self-diagnosis method
CN116880491A (en) * 2023-07-21 2023-10-13 弥费科技(上海)股份有限公司 Anti-collision control device, system and method for AMHS (automated mechanical transmission) carrying trolley

Also Published As

Publication number Publication date
GB1461441A (en) 1977-01-13
DE2403058A1 (en) 1974-08-01
CA1005873A (en) 1977-02-22
CH588127A5 (en) 1977-05-31
FR2215629A1 (en) 1974-08-23
FR2215629B1 (en) 1980-08-29

Similar Documents

Publication Publication Date Title
US3886413A (en) Presence sensing and self-checking control system
US3970846A (en) Presence detecting system with self-checking
US3805061A (en) Object detecting apparatus
US3754221A (en) Ground fault detector and method of ground fault detection
US3892954A (en) Programmable, tester for protection and safeguards logic functions
GB1137778A (en) Data processing apparatus
US4733923A (en) Movable storage unit control system
US3702474A (en) Seven state resistance sensing supervisory system
JPS6415661A (en) Trouble detector of rotary pulse generator
US3671955A (en) Lamp failure detection circuit
US2945915A (en) Operational checkout of data handling equipment
ES2007824A6 (en) Method and electrical circuit for the reliable detection of process states within freely couplable units
EP0214692B1 (en) Monitoring a conflict detector for traffic-lights
ES8306654A1 (en) Security apparatus.
US3778762A (en) Monitor for detecting conflicting traffic control signals
JPH03188600A (en) Monitor for navigation system and monitoring method
US3611364A (en) Apparatus for determining the sequence of circuit discontinuities in a sealing circuit for a power output device
US3480938A (en) Annunciator system
US3760189A (en) Motion detecting apparatus
US3571707A (en) Voltage dropout sensor
EP0050953B1 (en) Flame detection circuit
GB1361141A (en) Programme-controlled data processing systems
US3550122A (en) Dual point annunciator system
US2961489A (en) Telegraph single space or mark pulse distortion monitor
US4088900A (en) Safety circuit, especially for elevators and the like