(11) EP 2 782 112 A1

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication:
24.09.2014 Bulletin 2014/39

(21) Application number: 13305355.3

(22) Date of filing: 22.03.2013
(51) International Patent Classification (IPC): 
H01H 47/00(2006.01)
(84) Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME

(71) Applicant: ALSTOM Transport SA
92300 Levallois-Perret (FR)

(72) Inventors:
  • Papageorgiou, Achilles
    1480 Tubize (BE)
  • Colle, Stephan
    1400 Nivelles (BE)
  • Janssens, Frédéric
    1640 Sint Genesius Rode (BE)

(74) Representative: Blot, Philippe Robert Emile 
Cabinet Lavoix 2, place d'Estienne d'Orves
75441 Paris Cedex 09 (FR)

 
Remarks:
Amended claims in accordance with Rule 137(2) EPC.
 


(54) Monitoring and control system comprising a safety switch and method for operating a safety switch


(57) The present invention concerns a monitoring and control system (1) comprising: a safety switch (5) including: a first input terminal (7a) and a second input terminal (7b) adapted to be connected to a power supply, a first output terminal (9a) and a second output terminal (9b) adapted to be connected to at least one load (3), and at least two groups of relays (1000, 1100), wherein each group comprises at least two relays (1010, 1080; 1110, 1180) having respectively a first set of switching contacts (1012, 1082; 1112, 1182) and a second set of switching contacts (1014, 1084; 1114, 1184), the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator (1018, 1088; 1118, 1188), wherein the first sets of switching contacts (1012, 1082; 1112, 1182) of the at least two relays (1010, 1080; 1110, 1180) of a group are connected electrically in parallel and the second sets of switching contacts (1014, 1084; 1114, 1184) of the at least two relays of a group (1000, 1100) are connected electrically in parallel, the first sets of switching contacts (1012, 1082) of a first group (1000) being connected electrically in series with the first sets of switching contacts (1112, 1182) of a second group (1100), the second sets of switching contacts (1014, 1084) of the first group (1000) being connected electrically in series with the second sets (1114, 1184) of switching contacts of the second group (1100), wherein the first sets of switching contacts (1012, 1082) of the first group (1000) are connected to the first input terminal (7a) and the second sets of switching contacts (1014, 1084) of the first group (1000) are connected to the second input terminal (7b), wherein the first sets of switching contacts (1112, 1182) of the second group (1100) being connected to the first output terminal (9a) and the second sets of switching contacts (1114, 1184) of the second group (1100) being connected to the second output terminal (9b); and wherein the monitoring and control system further comprises a controller (900) for controlling the relays of the at least two groups (1000, 1100). Further, the invention concerns a method for operating a safety switch.




Description


[0001] The present invention concerns a monitoring and control system comprising a safety switch and a controller. Further, the present invention relates to a method for operating a safety switch.

[0002] In previous solutions, a safety switch for switching a plurality of safety critical loads was based on normal relays and included a voltage measurement device for providing information on whether a voltage was present at the output of the switch. Typically, safety critical loads should be switched with switches complying with the European norm EN 50 205 type A.

[0003] For example, safety switches for safety critical loads may comprise two relays, which are connected in series. Each relay comprises at least two sets of contact for switching a first line and a second line. Further these relays comprise a read back contact detecting the state of each of the relays. These relays are normally guided relays, in which the means for moving the contacts are connected.

[0004] The object of the invention is to provide a monitoring and control system comprising a safety switch which provides a minimum predefined air gap with a high reliability.

[0005] In the light of above, a monitoring and control system is provided comprising:

a safety switch including:

a first input terminal and a second input terminal adapted to be connected to a power supply,

a first output terminal and a second output terminal adapted to be connected to at least one load, and

at least two groups of relays, wherein each group comprises at least two relays having respectively a first set of switching contacts and a second set of switching contacts, the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator, wherein the first sets of switching contacts of the at least two relays of a group are connected electrically in parallel and the second sets of switching contacts of the at least two relays of a group are connected electrically in parallel,

the first sets of switching contacts of a first group being connected electrically in series with the first sets of switching contacts of a second group, the second sets of switching contacts of the first group being connected electrically in series with the second sets of switching contacts of the second group, wherein

the first sets of switching contacts of the first group are connected to the first input terminal and the second sets of switching contacts of the first group are connected to the second input terminal, wherein the first sets of switching contacts of the second group being connected to the first output terminal and the second sets of switching contacts of the second group being connected to the second output terminal; and wherein the monitoring and control system further includes a controller for controlling the relays of the at least two groups.



[0006] Embodiments of the monitoring and control system may have one or more of the following features:
  • at least one set of switching contacts of the first or second set of switching contacts of the relays comprises two subsets of switching contacts connected electrically in series, wherein in particular the first sets of switching contacts of the relays of the first group and the second sets of switching contacts of the relays of the second group comprise two subsets of switching contacts connected in series;
  • the sets of switching contacts comprise two subsets of switching contacts and/or the number of groups of relays depends on the voltage to be switched;
  • at least one, in particular all, of the relays comprise at least one set of read back contacts;
  • the first and second sets of switching contacts and, in particular the subsets of contacts, are normally open contacts and/or the sets of read back contacts are normally closed contacts, wherein in particular the relays are guided relays, so that when the normally closed contacts are closed, the normally open contacts provide a predetermined minimal distance between their contacts;
  • the monitoring and control system comprises at least two channels, wherein one group of relays of the at least two groups of relays is associated with each channel, wherein the controller comprises a plurality of subcontrollers, each channel comprising at least one, in particular two or more, of the plurality of subcontrollers, wherein for each channel:

    at least one first subcontroller, in particular a processor, of said channel being adapted to command the actuators of the relays associated with said channel and the actuators of the relays associated with at least one other channel;

  • the at least one first subcontroller of a first channel is adapted to monitor the functioning of at least one first subcontroller associated with another channel, wherein the at least one first subcontroller of said other channel is adapted to command the actuators of the relays associated with the first channel, wherein the at least one first subcontroller of the first channel is adapted to release the relays of said other channel when a failure of the at least one first subcontroller of said other channel is detected by the at least one first subcontroller.
  • at least one channel, in particular all channels comprise at least one second subcontroller of the plurality of subcontrollers, in particular in form of a programmable logic devices, wherein each second subcontroller is connected to at least one first subcontroller of the same channel and adapted to monitor the functioning of said at least one first subcontroller.
  • the monitoring and control system comprises a plurality of control circuits, wherein each control circuit is connected to a relay for controlling an activation and/or release of said relay and is comprised by the respective channel, wherein for at least one, in particular each control circuit:

    said control circuit is connected to at least one output of at least one first subcontroller of the same channel, to at least one output of at least one first subcontroller of another channel, and, in particular, to at least one output of the at least one second subcontroller of the same channel, wherein the control circuit is adapted to activate and/or release the relay associated with the control circuit based on the outputs of the connected first subcontrollers and, in particular, the output of the connected second subcontrollers;

  • the at least one first subcontroller is adapted to provide a first signal, for example a regularly alternating signal, in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of the outputs connected to the control circuit and/or the at least one second subcontroller is adapted to provide a first signal, for example regularly alternating signal, in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of its outputs connected to the control circuit, wherein, upon reception of the second signal from the at least one first subcontroller and/or the at least one second subcontroller, the control circuit releases the associated relay;
  • each control circuit is adapted to activate the associated relay only in case the signals provided by two subcontrollers, for example the first and second subcontrollers, of at least two different channels, and, in particular, the signal provided by the at least one second subcontroller of the same channel, allow or command an activation of said relay;
  • the read back contacts of each relay are read by at least two first subcontrollers of two different channels, comprising at least one first subcontroller of the channel to which the respective relay is associated; and/or
  • the safety switch comprises two groups of relays comprising respectively two relays, wherein each channel comprises a group of relays.


[0007] Further, a method for operating a safety switch is provided, the safety switch comprising a first input terminal and a second input terminal adapted to be connected to a power supply; a first output terminal and a second output terminal adapted to be connected to at least one load; and at least two groups of relays, wherein each group comprises at least two relays having respectively a first set of switching contacts and a second set of switching contacts, the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator, wherein the first sets of switching contacts of the at least two relays of a group are connected electrically in parallel and the second sets of switching contacts of the at least two relays of a group are connected electrically in parallel, the first sets of switching contacts of a first group being connected electrically in series with the first sets of switching contacts of a second group, the second sets of switching contacts of the first group being connected electrically in series with the second sets of switching contacts of the second group, wherein the first sets of switching contacts of the first group are connected to the first input terminal and the second sets of switching contacts of the first group being connected to the second input terminal, wherein the first sets of switching contacts of the second group being connected to the first output terminal and the second sets of switching contacts of the second group are connected to the second output terminal; wherein the method further comprises: sequentially opening the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays are closed.

[0008] According to embodiments, the method may include one or more of the following features:

the safety switch is a safety switch comprised in the monitoring and control system according to an embodiment disclosed herein.



[0009] So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be read by reference to the embodiments. The accompanying drawings relate to embodiments of the invention and are briefly described in the following:
  • figure 1 shows schematically a monitoring system for monitoring a plurality of safety critical loads comprising a safety switch according to the invention;
  • figure 2 shows schematically the arrangement of relays of the safety switch according to the invention;
  • figure 3 shows schematically the controller of the safety switch according to the invention;
  • figure 4 shows schematically the activation circuit for activating the actuator of a relay of the safety switch;
  • figure 5 discloses schematically the connection of a read back contact to controllers of the safety switch via a branch circuit; and
  • figure 6 shows schematically a flow chart for testing a safety switch.


[0010] Figure 1 shows a monitoring and control system 1 according to an embodiment of the invention. The monitoring and control system 1 is provided for the control of safety critical loads 3, for example for signalling lamps or traffic lights, in particular for a railway. In such a system it has to be checked, for the safety critical load, whether there is a defect in the switch or in the load itself. The monitoring and control system 1 detects whether a load is present, whether it is switched off or on or has a defect and, in particular, how much energy it consumes.

[0011] For example, such a control and monitoring system 1 may detect whether a lamp 3 exists, whether the lamp is switched on or off, or whether it has a defect.

[0012] In the embodiment, the monitoring and control system 1 comprises a safety switch 5 having an input side with a first and a second terminal 7a, 7b and an output side with a first and second output terminal 9a, 9b. The first input terminal 7a of the safety switch 5 is connected to a first input power line 11a and the second input terminal 7b is connected to a second input power line 11b, for example of a power grid.

[0013] The first and second input power lines 11a, 11b provide a current of, for example, 110 V direct current (DC) or 230 volt alternating current (AC) to the safety switch 5, because the safety critical loads 3 need such a current.

[0014] The output terminals 9a, 9b are connected respectively with a first line 13a and a second line 13b to a plurality of load switches 100, 200, ... , and 800. In the present embodiment, the monitoring and control system 1 includes eight load switches. However, in other embodiments, the monitoring and control system may comprise more or fewer switches.

[0015] The plurality of load switches 100, 200, ... , 800 are connected electrically in parallel via a first line 13a and a second line 13b to the output side 9 of the safety switch 3.

[0016] Each load switch 100, 200, ... , 800 is associated with a respective safety critical load 3, for example a signalling lamp. In another embodiment, one safety critical load may comprise more than one signalling lamp.

[0017] In further embodiments, the load switches 100, 200, ... , 800 may be replaced by another device for regulating an output current and/or output voltage, for example a pulse width modulation circuit. In such a case, the safety critical load 3 may be dimmed.

[0018] The load switches 100, 200, ... , 800 comprise each two input terminals, namely a first input terminal 102a, 202a, ... , 802a and second input terminals 102b, 202b, ... , 802b. The first input terminals 102a, 202a, ... , 802a are connected to the first line 13a and the second input terminals 102b, 202b, ... , 802b are connected to the second line 13b. The load switches 100, 200, ... , 800 have an output side with respectively a first output terminal 104a, 204a, ... , 804a and a second output terminal 104b, 204b, ... , 804b. The output terminals are connected respectively to the safety critical load 3.

[0019] Further the monitoring and control system 1 includes a controller 900 which is connected to the safety switch 5 and each of the load switches 100, 200, ... , 800 to monitor individually the state of each of the safety critical loads 3, and to control the load switches 100, 200, ... , 800 and the safety switch 5.

[0020] Each load switch 100, 200, ..., 800 comprises a first switch 106a, 206a, ..., 806a for switching the line between the first input terminal 102a, 202a, ... , 802a and the first output terminal 104a, 204a, ..., 802a. Further, the load switches 100, 200 , ..., 800 comprise a second switch 106b, 206b, ..., 806b for switching a second line between the second input terminal 102b, 202b, ..., 802b and the second output terminal 104b, 204b, ..., 804b. When both switches 106a, 106b, 206a, 206b, ..., 806a, 806b of a load switch 100, 200, ..., 800 are in the closed position, the respective safety critical load 3 is provided with a current. In case that only one of the switches 106a, 106b, 206a, 206b, ..., 806a, 806b is open, no current is provided to the safety critical load 3, so that the safety critical load is switched off. In an embodiment, the first switch 106a, 206a, ..., 806a is a semi-conductor switch, for example a MOS switch. A semi-conductor switch permits a high frequency switching, for example for a blinking light. In an embodiment, which may be combined with other embodiments disclosed herein, the second switch 106b, 206b, ..., 806b is a relay switch. The relay switch permits switching high loads. In other embodiments, both the first and the second switch 106a, 106b, 206a, 206b, ..., 806a, 806b are relay switches.

[0021] In an embodiment, the load switches 100, 200, ..., 800 do not have a security function, for example a minimum air gap, so that, in case a malfunction of one of the load switches 100, 200, ..., 800 is detected, the controller 900 is adapted to release the safety switch 5. This may reduce the complexity of the load switches 100, 200, 800. Thus, in such an embodiment, the space and costs for each load switch 100, 200, 800 are reduced. For example, to detect a malfunction, the load switches 100, 200, ..., 800 include a voltmeter or an ampere meter for detecting the voltage and/or current at their output terminals 104a, 104b, 204a, 204b, ..., 804a, 804b.

[0022] In another embodiment, the controller 900 is adapted to release the safety switch 5 in case a fault is detected on the circuit board on which the switches and/or the controller is arranged and/or outside the circuit board.

[0023] Figure 2 shows schematically the general architecture of the safety switch 5. The safety switch 5 and the controller 900 comprise two channels, namely a first channel CH1 and a second channel CH2. The safety switch 5 comprises a first group of relays 1000 associated with the first channel CH1 and a second group of relays 1100 associated with the second channel CH2.

[0024] In other embodiments, the safety switch may comprise more than two groups of relays, for example three or more groups associated with a respective channel. For example, the number of groups of relays depends on the combined minimum air gap to be provided between the first input terminal 7a and the first output terminal 9a and the combined minimum air gap between the second input terminal 7a and second output terminal 9b. The combined minimum air gap to be provided is dependent on the voltage to be switched and is defined by a European Norm EN50205 type A.

[0025] The first group of relays 1000 comprises a first relay 1010 and a second relay 1080. Correspondingly, the second group of relays 1100 comprises a first relay 1110 and a second relay 1180.

[0026] Each relay 1010, 1080, 1110, 1180 has a first set of switching contacts 1012, 1082, 1112, 1182, a second set of switching contacts 1014, 1084, 1114, 1184, a set of read back contacts 1016, 1086, 1116, 1186, and an actuator 1018, 1088, 1118, 1188, for example a coil, for moving the contacts of the respective relay. The sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are provided to switch the power supply to the safety critical loads and/or the load switches 100, 200, ..., 800.

[0027] Typically, the sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are normally opened contacts. In contrast, the read back contacts 1016, 1086, 1116, 1186 are normally closed contacts.

[0028] The relays 1010, 1080, 1110, 1180 of the safety switch 5 are guided contact relays. By their mechanical architecture, these relays 1010, 1080, 1110, 1180 guarantee, when the normally closed contact in form of the read back contacts 1016, 1086, 1116, 1186 is detected as closed, that the associated normally opened contacts, namely the sets of switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are opened with a minimal air gap of a predetermined width.

[0029] Within each group of relays 1000, 1100, the first sets of switching contacts 1012, 1082, 1112, 1182 are connected electrically in parallel. Further, within each group of relays 1000, 1100, the second sets of switching contacts 1014, 1084, 1114, 1184 are connected in parallel.

[0030] As the first group of relays 1000 and the second group of relays 1100 are connected in series, the first sets of switching contacts 1012, 1082 of the first group of relays 1000 and the first sets of switching contacts 1112, 1182 of the second group of relays 1100 are connected electrically in series. Further, for the same reasons, the second sets of switching contacts 1014, 1084 of the first group of relays 1000 and the second sets of switching contacts 1114, 1184 of the second group of relays 1100 are also connected electrically in series.

[0031] Thus, a current between the first input terminal 7a and the first output terminal 9a must traverse at least one of the first sets of switching contacts 1012, 1082 of the first group of relays 1000 and at least one of the first sets of switching contacts 1112, 1182 of the second group of relays 1100. Further, a current traversing the safety switch 5 between the second input terminal 7b and the second output terminal 9b traverses at least one of the second sets of switching contacts 1014, 1082 of the first group of relays 1000 and at least one of the second sets of switching contact 1114, 1182 of the second group of relays 1100.

[0032] The first sets of switching contacts 1012, 1082 of the first group of relays 1000 comprise each two subsets of contacts 1020, 1022; 1090, 1092 connected in series. The subsets of contacts 1020, 1022; 1090, 1092 are opened and closed simultaneously, in particular simultaneously with the second set of switching contacts 1014, 1084 of the same relay. For example, in an embodiment, a relay 1010, 1080 may comprise three sets of switching contacts 1014, 1020, 1022; 1084, 1090, 1092, which are normally open and mechanically connected to each other so that all three sets of switching contacts 1014, 1020, 1022; 1084, 1090, 1092 open and close simultaneously, wherein two of the switching contacts form the subsets of contacts 1020, 1022; 1090, 1092 by connecting them in series.

[0033] Further, the second sets of switching contacts 1114, 1184 of the second group of relays 1100 are formed by respectively two subsets of contacts 1120, 1122; 1190, 1192 connected in series. The subsets of contacts 1120, 1122; 1190, 1192 are opened and closed simultaneously, in particular simultaneously with the first set of switching contacts 1112, 1182 of the same relay. For example, in an embodiment, a relay 1110, 1180 may comprise three sets of switching contacts 1112, 1020, 1022; 1182, 1090, 1092, which are normally open and mechanically connected to each other so that all three sets of switching contacts 1112, 1020, 1022; 1182, 1090, 1092 open and close simultaneously, wherein two of the switching contacts form the subsets of contacts 1120, 1122; 1190, 1192 by connecting them in series.

[0034] By their mechanical architecture, these relays 1010, 1080, 1110, 1180 guarantee, when the normally closed contact in form of the read back contacts 1016, 1086, 1116, 1186 is detected as closed, that the sets of switching contacts and the subsets of contacts 1020, 1022, 1014, 1090, 1092, 1084, 1112, 1120, 1122, 1182, 1190, 1192 (i.e. the physical sets of contacts) are opened respectively with a minimal air gap of a predetermined width, for example of 0.5 mm according to the European norm EN50205.
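The relay arrangement of figure 2 and the sequential test of paragraph [0007] can be modelled in a few lines. The following Python sketch is an added example, not part of the patent application: it reduces each guided relay to one boolean (both switching sets move together), and the `welded` fault flag and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class GuidedRelay:
    """One force-guided relay, simplified to a single boolean for all its
    switching contacts because they are actuated simultaneously."""
    name: str
    energized: bool = False  # actuator (coil) state commanded by the controller
    welded: bool = False     # constructed fault: a switching contact is stuck closed

    @property
    def switching_closed(self) -> bool:
        # Normally open switching contacts: closed when energized, or stuck if welded.
        return self.energized or self.welded

    @property
    def read_back_closed(self) -> bool:
        # Normally closed read back contact, mechanically guided: it can only
        # close when the switching contacts are really open.
        return not self.switching_closed


def build_switch(welded=()):
    """Two groups of two relays, numbered as in figure 2."""
    layout = [["1010", "1080"], ["1110", "1180"]]
    return [[GuidedRelay(n, welded=n in welded) for n in group] for group in layout]


def output_connected(groups) -> bool:
    """Parallel inside a group (any relay conducts), series between groups (all groups)."""
    return all(any(r.switching_closed for r in group) for group in groups)


def release_all(groups) -> bool:
    """De-energize every actuator; return True if the load is isolated afterwards."""
    for group in groups:
        for relay in group:
            relay.energized = False
    return not output_connected(groups)


def sequential_test(groups):
    """Open each relay in turn while all others stay closed.

    Returns (faulty_relay_names, load_stayed_powered).
    """
    relays = [r for group in groups for r in group]
    for relay in relays:
        relay.energized = True
    faulty, powered = [], True
    for relay in relays:
        relay.energized = False
        if not relay.read_back_closed:  # contacts did not open with the air gap
            faulty.append(relay.name)
        powered = powered and output_connected(groups)
        relay.energized = True
    return faulty, powered


if __name__ == "__main__":
    # Constructed fault scenarios: healthy, one welded relay, one welded relay per group.
    for welded in [(), ("1080",), ("1010", "1180")]:
        switch = build_switch(welded)
        faulty, powered = sequential_test(switch)
        print(welded, "faulty:", faulty, "powered during test:", powered,
              "isolated after release:", release_all(switch))
```

A single welded relay is found by the test without interrupting the load and still leaves the switch able to isolate; only one welded relay in each group defeats the release, which is why the test has to catch the first fault.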

[0035] Figure 3 shows schematically the controller 900. As indicated above, the controller includes two channels, namely a first channel CH1 mainly responsible for switching the relays of the same channel, i.e. the first group of relays 1000, and a second channel CH2 mainly responsible for switching the relays of the same channel, i.e. the second group of relays 1100.

[0036] Only a part of the electrical connections between the devices are shown in figure 3. The controller 900 comprises a first processor 1005 and a second processor 1105 which operate independently from each other. For example, the first processor 1005 is associated with the first channel CH1 and the second processor 1105 is associated with the second channel CH2. In particular, the first processor 1005 is adapted to generally actuate the first and the second relays 1010, 1080 of the first group of relays 1000 and the second processor 1105 is provided to control the first and second relays 1110, 1180 of the second group of relays 1100.

[0037] Further, the controller 900 comprises a first programmable logic device (PLD) 1007 and a second PLD 1107. For example, the first PLD 1007 is associated with the first channel CH1 or the first group of relays 1000 and the second PLD 1107 is associated with the second channel CH2 or the second group of relays 1100. In other words, each channel CH1, CH2 comprises in this embodiment two subcontrollers as intelligent devices, namely one processor 1005, 1105 and one PLD 1007, 1107.

[0038] In an embodiment, the PLDs 1007, 1107 are respectively a field programmable gate array (FPGA). In other embodiments, the PLDs 1007, 1107 are respectively realized as a programmable logic array, programmable array logic, a generic array logic, or a complex programmable logic device.

[0039] The first PLD 1007 is connected to the first processor 1005 and the second PLD 1107 is connected to the second processor 1105.

[0040] Further, the first processor 1005 and the second processor 1105 connected to each other via a link 902 are adapted to control and/or monitor each other. In other words, the subcontrollers associated with different channels CH1, CH2 monitor each other. In an embodiment, the processors 1005, 1105 are adapted to exchange security keys. Further, the first and/or the second processor 1005, 1105 are adapted to send the result of the exchange of keys to the respective PLD 1007, 1107.

[0041] In an embodiment, which may be combined with other embodiments disclosed herein, as already described here-above, control means, for example voltmeters and/or ampere meters for determining the output current and voltages of the safety switch 5 and the load switches 100, 200, ... , 800 are also connected to the processors 1005, 1105. Each of the processors 1005, 1105 is adapted to release each of the relays 1010, 1080, 1110, 1180 of the safety switch.

[0042] Each of the read back contacts 1016, 1086, 1116, 1186 of the relays 1010, 1080, 1110, 1180 of the safety switch 5 is electrically connected to the processors 1005, 1105 via a respective branch circuit 1024, 1094, 1124, 1194. The branch circuits are adapted to provide independently to each of the processors 1005, 1105 the state of the read back contacts 1016, 1086, 1116, 1186, in particular whether the respective read back contact 1016, 1086, 1116, 1186 is closed or open. The branch circuit will be described in more detail with respect to figure 5.

[0043] Further, the controller includes a plurality of control circuits 1026, 1096, 1126, 1196 adapted to control the energizing of the actuator 1018, 1088, 1118, 1188 or relay coil of the respective relay 1010, 1080, 1110, 1180 depending on the instructions of the processors 1005, 1105 and the PLDs 1007, 1107. Each control circuit 1026, 1096, 1126, 1196 is associated with a respective actuator 1018, 1088, 1118, 1188 of a relay 1010, 1080, 1110, 1180. The number of control circuits corresponds to the number of relays of the safety switch 5. Thus, for example, the first control circuit 1026 is associated with the first relay 1010 and the second control circuit 1096 is associated with the second relay 1080 of the first group of relays 1000 or the first channel, and the third control circuit 1126 is associated with the first relay 1110 and the fourth control circuit 1196 is associated with the second relay 1180 of the second group of relays 1100 or the second channel.

[0044] Figure 4 shows in more detail the control circuit 1026 adapted to control the energizing of the actuator 1018 of the first relay 1010 of the first group of relays 1000.

[0045] Generally, the actuator 1018 is activated or deactivated in response to switching signals of the first processor 1005. However, the PLD 1007 and the second processor 1105 associated with the other or second group of relays 1100 are adapted to deenergize the actuator 1018 and thus to release the first relay 1010 in case a malfunction is detected.

[0046] An output 1028 of the PLD 1007 is connected to a charge pump 1030. In particular, the PLD 1007 is adapted to provide a watch dog signal to an input 1032 of the charge pump 1030. The watch dog signal is typically a first high frequency signal 1034 during the normal functioning of the PLD. For example, for each or a specific number of clock signals, the first high frequency signal 1034 may change its state, for example from high to low or vice versa.

[0047] In case of a failure of the PLD 1007 or in case of a failure detected by the PLD 1007, the PLD is adapted to stop emitting the first high frequency signal 1034 or watch dog signal to the charge pump 1030. Instead a static signal is applied to the input 1032 of the charge pump 1030. In other embodiments, the signals may have another form and instead of the charge pump another device may be used.

[0048] The signal at the output 1036 of the charge pump 1030 depends on the signal applied to the input 1032 of the charge pump 1030. For example, in case a high frequency signal is applied to the input 1032, the charge pump 1030 accumulates the energy of the incoming signal and the voltage of the output signal rises up to a specific value. In case a constant or zero volt signal is applied to the input 1032, the voltage of the output signal falls to zero volt. In other words, in case a constant signal is applied to the input 1032, the charge pump 1030 will discharge.

[0049] The output 1036 of the charge pump 1030 is connected to a first transistor 1038, in particular to the gate 1040 or the base of the first transistor 1038. In an embodiment, the first transistor is a MOSFET. In other embodiments, the first transistor 1038 may be another type of transistor, for example a bipolar transistor.

[0050] Source and drain 1042, 1044 of the transistor 1038, or emitter and collector in case of a bipolar transistor, are connected in series between the positive power 1046 and the first terminal 1048 of the actuator 1018 of the first relay 1010.

[0051] When a sufficient voltage is provided to the gate 1040 of the first transistor 1038, a current may flow between the positive power 1046 and the first terminal 1048 of the actuator 1018. Typically, the charge pump 1030 needs more than one pulse to provide a signal at its output 1036 that is sufficient to activate the transistor 1038.

[0052] The second terminal 1050 of the actuator 1018 and the collector and emitter 1052, 1054 of a second transistor 1056 are connected in series with a negative power or ground 1058. In the embodiment of figure 4, the second transistor 1056 is a bi-polar transistor. However, in other embodiments also other types of transistors may be used, for example MOSFETs.

[0053] When a sufficient voltage is provided to a base 1060 of the second transistor 1056, a current may flow between the second terminal 1050 of the actuator 1018 and the negative power 1058.

[0054] Further, the control circuit 1026 shown in figure 4 includes an AND gate 1062. The output 1064 of the AND gate 1062 is connected to the base 1060 of the second transistor 1056.

[0055] A first output 1066a of the first processor 1005 is connected to an input 1068 of a second charge pump 1070. In an embodiment, the second charge pump 1070 functions similarly to the first charge pump 1030. The output 1072 of the second charge pump 1070 is connected to a first input 1074a of the AND gate 1062.

[0056] The first output 1066a of the first processor 1005 is adapted to generate a high frequency signal 1076, for example a rectangular wave signal or another alternating signal. For example, the first output 1066a may be a General Purpose Input Output (GPIO) of the processor. The first processor 1005 is adapted to provide the high frequency signal 1076 at its first output 1066a during normal functioning. In case of a failure of the processor 1005, for example if the processor hangs, the first output 1066a will emit a static signal, so that the charge pump 1070 will discharge. For example, for each or a specific number of clock signals, the second high frequency signal 1034 may change its state, for example from high to low or vice versa.

[0057] In other embodiments, the signals may have another form and instead of the charge pump another device may be used.

[0058] The processor 1005 has a second output 1066b which is connected directly to a second input 1074b of the AND gate 1062. For example, the second output 1066b may be a General Purpose Input Output (GPIO) of the processor. The processor 1005 is adapted to apply to the second output 1066b the command to activate and deactivate or release the respective relay 1010 of the first group 1000 of relays. For example, the processor 1005 may be adapted to deactivate or release the relays depending on the result of a failure detected in one of the load switches 100, 200, ..., 800 or the loads 3.

[0059] A third output 1166c of the second processor 1105 is directly connected to the third input 1074c of the AND gate 1105. For example, the third output 1166c may be a General Purpose Input Output (GPIO) of the processor. The second processor 1105, associated with the second group of relays 1100, is adapted to provide a direct command to inhibit the activation of the actuator 1018 of the relay 1010 of the first group of relays 1000. In other words, in case the second processor 1105 detects a failure of the first processor 1005, the second processor 1105 is adapted to release the relays 1010, 1080 of the first group of relays 1000.

[0060] The control circuit 1026 is adapted to activate the actuator 1018 of the first relay 1010 only when the PLD 1007, the first processor 1005 and the second processor 1105 provide the respective signals to the first charge pump 1030, the second charge pump 1070 and the AND gate 1062. This is in particular the case if positive signals are applied to the inputs 1074a, 1074b, 1074c of the AND gate 1062. In other words, the actuator 1018 can only be activated using a signal at the second output 1066b of the first processor when the PLD 1007 emits the high frequency signal 1034, the first output 1066a of the first processor 1005 emits the high frequency signal 1076 and the second processor 1105 emits a signal, such that a positive signal is applied to the third input 1074c of the AND gate 1062.

[0061] In other embodiments, the combination of the signals may be provided differently. For example, the outputs 1036, 1072 of the first charge pump 1030 and the second charge pump 1070 may be combined with a second AND gate.

[0062] Typically, the activation or release of the actuator 1018 of a relay 1010 reacts faster to the second output 1066b of the first processor 1005 and to the third output 1166c of the second processor 1105 than to the output 1028 of the PLD 1007 providing the signal to the charge pump 1030 or to the first output 1066a of the first processor 1005 providing the signal 1076 to the charge pump 1070, because the charge pumps 1030, 1070 need some moments to discharge, when their respective input signals are constant.
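The behaviour of the control circuit 1026 described in paragraphs [0046] to [0062], as an added simulation that is not part of the patent text: it shows that the coil needs several watchdog edges before it can be energised, that the direct inputs 1066b and 1166c release it at once, and that a stopped watchdog releases it only after the charge pump has discharged. The tick-based charge pump model, the values PUMP_MAX and PUMP_THRESHOLD and all identifiers are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed model values (not from the patent): a pump gains one unit of charge
 * per input edge, loses one per tick without an edge, and its output counts
 * as high at or above PUMP_THRESHOLD. */
#define PUMP_MAX       4
#define PUMP_THRESHOLD 3

typedef struct {
    int  charge;      /* stored charge, 0..PUMP_MAX */
    bool last_level;  /* previous input level, used to detect edges */
} charge_pump;

typedef struct {
    charge_pump pump_pld;  /* charge pump 1030, fed by PLD output 1028 */
    charge_pump pump_cpu;  /* charge pump 1070, fed by processor output 1066a */
} control_circuit;

typedef struct {
    bool pld_wd;       /* level of watchdog signal 1034 */
    bool cpu_wd;       /* level of signal 1076 on output 1066a */
    bool cpu_cmd;      /* output 1066b: activate (true) or release (false) */
    bool peer_enable;  /* output 1166c of the other channel's processor */
} inputs;

typedef enum { FAULT_NONE, FAULT_CMD_OFF, FAULT_PEER_INHIBIT,
               FAULT_CPU_HANG, FAULT_PLD_STOP } fault_t;

/* Advance one tick; returns true while the pump output is high. */
static bool pump_step(charge_pump *p, bool level)
{
    if (level != p->last_level) {
        if (p->charge < PUMP_MAX) p->charge++;
    } else if (p->charge > 0) {
        p->charge--;   /* static input: the pump discharges */
    }
    p->last_level = level;
    return p->charge >= PUMP_THRESHOLD;
}

/* One tick of the circuit; returns true when coil 1018 is energised. */
static bool circuit_step(control_circuit *c, inputs in)
{
    bool high_side = pump_step(&c->pump_pld, in.pld_wd);  /* transistor 1038 */
    bool in_1074a  = pump_step(&c->pump_cpu, in.cpu_wd);
    /* AND gate 1062 drives the base of transistor 1056 */
    bool low_side  = in_1074a && in.cpu_cmd && in.peer_enable;
    return high_side && low_side;  /* current flows only if both conduct */
}

/* Ticks from a cold start until the coil is first energised. */
static int ticks_to_energise(void)
{
    control_circuit c = { {0, false}, {0, false} };
    inputs in = { false, false, true, true };
    for (int n = 1; n <= 16; n++) {
        in.pld_wd = !in.pld_wd;
        in.cpu_wd = !in.cpu_wd;
        if (circuit_step(&c, in)) return n;
    }
    return -1;
}

/* Run to steady state, inject the fault, and count ticks until release.
 * Returns -1 if the coil is still energised after 16 ticks. */
static int ticks_until_release(fault_t fault)
{
    control_circuit c = { {0, false}, {0, false} };
    inputs in = { false, false, true, true };
    for (int n = 0; n < 8; n++) {            /* normal functioning */
        in.pld_wd = !in.pld_wd;
        in.cpu_wd = !in.cpu_wd;
        circuit_step(&c, in);
    }
    for (int n = 1; n <= 16; n++) {
        if (fault != FAULT_PLD_STOP) in.pld_wd = !in.pld_wd;  /* else static */
        if (fault != FAULT_CPU_HANG) in.cpu_wd = !in.cpu_wd;  /* else static */
        if (fault == FAULT_CMD_OFF)      in.cpu_cmd = false;
        if (fault == FAULT_PEER_INHIBIT) in.peer_enable = false;
        if (!circuit_step(&c, in)) return n;
    }
    return -1;
}

int main(void)
{
    printf("cold start, ticks to energise: %d\n", ticks_to_energise());
    printf("release command on 1066b:      %d\n", ticks_until_release(FAULT_CMD_OFF));
    printf("inhibit on 1166c:              %d\n", ticks_until_release(FAULT_PEER_INHIBIT));
    printf("processor hang (1066a static): %d\n", ticks_until_release(FAULT_CPU_HANG));
    printf("PLD watchdog stops (1028):     %d\n", ticks_until_release(FAULT_PLD_STOP));
    return 0;
}
```

In this model the release delay after a stopped watchdog is set by how far the pump sits above its threshold, which is the bound a designer has to budget for when relying on the watchdog path alone.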

[0063] The control circuit 1026 of figure 4 has been described with respect to the actuator 1018 of the first relay 1010 of the first group of relays 1000 corresponding to the first channel.

[0064] Corresponding control circuits 1096, 1126, 1196 are provided for the actuators 1088, 1118, 1188 of the second relay 1080 of the first group of relays and the first and second relays 1110, 1180 of the second group of relays 1100 corresponding to the second channel.

[0065] For example, for the control circuit 1126 for activating the actuator of the first relay 1110 of the second group of relays 1100, instead of the signals of the first PLD 1007, an output of the second PLD 1107 is connected to the first charge pump, a first output of the second processor 1105 is connected to the second charge pump, a second output of the second processor 1105 is directly connected to the AND gate, and the third output 1066c of the first processor 1005 is connected directly to the AND gate. The control circuits 1096, 1196 are similarly connected to the first and second processors 1005, 1105 and first or second PLDs 1007, 1107.

[0066] Figure 5 shows details of the branch circuit 1024 for the connection of the read back contact 1016 of the first relay 1010 of the first group of relays 1000 to both processors 1005, 1105. Thus, the subcontrollers, here the first and second processors 1005, 1105, of both channels CH1 and CH2 are provided with the state of the read back contact 1016. The branch circuits 1094, 1124, 1194 are identical to the branch circuit 1024 to connect the respective read back contacts 1086, 1116, 1186 to a respective input of the first processor 1005 and the second processor 1105 of the controller 900.

[0067] The state of the relays 1010 is verified and controlled by the read back contacts 1016, which are normally closed contacts. The read back contacts 1016 have a first contact 1078a directly connected to a power source, for example a five volt power source. The second contact 1078b is connected respectively in parallel to an input terminal of the first processor 1005 and an input terminal of the second processor 1105. The connection between the second contact 1078b and the input terminals of the processors 1005, 1105 is performed respectively via a voltage divider associated with each processor to convert the voltage of the power source into the voltage compatible with the input terminals of the processors 1005, 1105. The first voltage divider is formed by resistance R3 and resistance R4, and the second voltage divider is formed by resistance R2 and resistance R5. Further, a resistance R1 is connected to the ground GND between the second read back terminal 1078b and the voltage dividers. The resistance R1 has a resistance value being much smaller than resistance values of R4 and R5. In an embodiment, the resistance values of R4 and R5 are about 10 kOhms. Thus, the state of a single read back contact is provided independently to both processors 1005, 1105. In other words, the information of one read back contact is shared between both processors 1005, 1105. A coupling between the two different lines to the processors 1005, 1105 is avoided by selecting the appropriate resistance values as discussed here-above. The resistances are provided according to the resistor technology of the European norm EN 50129.

[0068] In the following, we will explain the functioning of the control mechanism. During normal functioning, i.e. functioning without a failure, of the safety switch 5, the PLDs 1007, 1107 associated with the group of relays 1000, 1100 to which the relay to be activated belongs provide the high frequency alternating signals 1034 to the respective charge pumps 1030, so that the transistors 1038 allow the positive power 1046 to be provided to the first terminals 1048 of the actuators 1018, 1088, 1118, 1188 of the relays 1010, 1080, 1110, 1180. Further, the first output terminals 1066a of the processors 1005, 1105 associated with the group of relays 1000, 1100 to which the relay to be activated belongs provide the respective alternating high frequency signals 1076 to the charge pumps 1070. Then, the charge pump 1070 provides a respective voltage (or positive value) to the first input 1074a of the AND gate 1062. Further, a positive signal is applied to the third input 1074c of the AND gate 1062 coming from the third terminal 1166c of the processor 1005, 1105 associated with the other group of relays 1000, 1100.

[0069] Thus, upon the signal on the second output terminal 1066b of the processor associated with the group of relays 1000, 1100 to which the relay to be activated belongs, the actuator 1018, 1088, 1118, 1188 of the respective relay is activated, and when the signal on the second output terminal 1066b is disabled, the respective coil of the relay is deactivated and the relay moves back into the release state.

[0070] Both processors 1005, 1105 perform a regular exchange of keys which is then sent to the PLD 1007, 1107. In case the PLD does not receive the correct key, the PLD disables its output 1028 and provides a constant signal instead of the alternating signal 1034 to the respective charge pumps 1030. Consequently, the actuator 1018, 1088, 1118, 1188 or coil of the respective relays 1010, 1080, 1118, 1188 cannot be activated any more or is released, because the signal at the output 1036 of the charge pump 1030 applied to the gate 1040 of the transistor 1038 is 'deactivated'. Then, the first transistor 1038 is in a blocking state. For example, if the first PLD 1007 does not receive the correct key, both relays 1010, 1080 of the first group of relays 1000 which are associated with the first PLD 1007 are released.

[0071] In an embodiment, which may be combined with other embodiments disclosed herein, a regular test with the wrong key is performed. Then, the respective PLD 1007, 1107 receiving the wrong key releases the associated relays 1010, 1080, 1110, 1180.

[0072] In another embodiment, if one processor 1005, 1105 detects that the other processor 1005, 1105 of the same controller 900, but of another channel CH1, CH2, is not working correctly, it deactivates its output signals at the third output terminals 1066c, 1166c connected to the third input 1074c of the AND gates 1062 of the control circuits 1026, 1096, 1126, 1196, and both relays of the other channel CH1, CH2, which are associated with the other processor, are released. For example, in case the second processor 1105 of the second channel CH2 detects that the first processor 1005 of the first channel CH1 does not work properly, the second processor 1105 commands its third output terminals 1166c, connected to the control circuits 1026, 1096 of the first channel CH1, so that the output of the AND gate 1105 is negative and the second transistor 1056 is in a blocking state. Then, the respective relays 1010, 1080 of the first group of relays 1000 or the first channel CH1 are released.

[0073] In an alternative embodiment, in case the processor 1005, 1105 hangs or stops working, the first output 1066a connected to the control circuits 1026, 1096, 1126, 1196 no longer produces an alternating high frequency signal 1076, so that the output 1072 of the charge pump 1070 falls after a few moments below a specific value and the output 1064 of the AND gate 1062 commands the second transistor 1056 to be in the blocking state.

[0074] For testing the safety switch 5, all relays 1010, 1080, 1110, 1180 are first in their active state, which means that the respective actuators or coils 1018, 1088, 1118, 1188 are activated and all switching contacts 1012, 1014, 1082, 1084, 1112, 1114, 1182, 1184 are closed. This is also called the normal mode in Table 1. Thus, at the output terminals 9a, 9b a voltage corresponding to the voltage at the input terminals 7a, 7b is applied.
Table 1

Mode            | Relay 1010 | Relay 1080 | Relay 1110 | Relay 1180 | Output
Normal          | Active     | Active     | Active     | Active     | Active
Test Relay 1010 | Released   | Active     | Active     | Active     | Active
Test Relay 1080 | Active     | Released   | Active     | Active     | Active
Test Relay 1110 | Active     | Active     | Released   | Active     | Active
Test Relay 1180 | Active     | Active     | Active     | Released   | Active


[0075] Figure 6 shows a flowchart for testing the safety switch 5. For testing the safety switch 5, one relay after the other is released, whereas the other relays remain in their active state.

[0076] In a first step 1200, the first relay 1010 of the first group 1000 is released, for example by the first processor 1005, and the other relays 1080, 1110, 1180 remain in the active or activated state. In such a case, the current bypasses the switching contacts 1012, 1014, 1020, 1022 of the first relay by the switching contacts 1082, 1084, 1090, 1092 of the second relay 1080 of the first group 1000. At the same time, the output voltage is monitored at the output terminals 9a, 9b and the first processor 1005 verifies that the read back contacts 1016 of the relay 1010 are closed.

[0077] In a second step 1202, the first relay 1010 of the first group 1000 is again activated and the second relay 1080 of the first group 1000 is released whereas both relays 1110 and 1180 of the second group 1100 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the first processor 1005 verifies that the read back contacts 1086 of the relay 1080 are closed.

[0078] In a third step 1204, the second relay 1080 of the first group 1000 is again activated and the first relay 1110 of the second group 1100 is released whereas both relays 1010 and 1080 of the first group 1100 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the second processor 1105 verifies that the read back contacts 1116 of the relay 1110 are closed.

[0079] In a fourth step 1206, the first relay 1110 of the second group 1100 is again activated and the second relay 1180 of the second group 1100 is released whereas both relays 1010 and 1080 of the first group 1100 remain in their active state. Again, the output voltage is monitored at the output terminals 9a, 9b and the second processor 1105 verifies that the read back contacts 1186 of the relay 1180 are closed.

[0080] During all tests, the closed state of the read back contacts 1016, 1086, 1116, 1186 of the respective released relay is verified. Thus, complete tests of all relays of the safety switch 5 can be performed without interrupting the power supply to the safety critical loads 3.

[0081] The different relays 1010, 1080, 1110, 1180 may be also tested one after the other in another arbitrary sequence.

[0082] In the following, we will explain the behavior of the safety switch 5 and the controller 900 in the case of a failure of a relay during the test procedure. If during the test procedure an error is detected in one of the relays, the relays of the other group of relays are released.

[0083] For example, when at least one of the switching contacts 1012, 1014, 1082, 1086 of the relays 1010, 1080 of the first group of relays 1000 is stuck, the read back contacts 1016, 1086 of the stuck relay remain open even if the first processor 1005 commands the release of the relays 1010, 1080. For example, the switching contacts may stick together if the switching contacts are molten together due to an excessive current.

[0084] Subsequently, the first and/or the second processor 1005, 1105 detects that the read back contacts 1016, 1086 are still open. Thus, the first and/or the second processor 1005, 1105 concludes that there is a fault of the first and/or second relay 1010, 1080 of the first group of relays 1000. Then, the first and/or the second processor 1005, 1105 consequently releases the first and second relays 1110, 1180 of the second group of relays 1100 or the second channel CH2. Consequently, there is no current applied to the output terminals 9a, 9b of the safety switch 5.

[0085] When at least one of the switching contacts 1112, 1114, 1182, 1186 of the relays 1110, 1180 of the second group of relays 1100 is stuck, the read back contacts 1116, 1186 of the stuck relay remain open even if the second processor 1105 commands the release of the relays 1110, 1180.

[0086] Subsequently, the first and/or the second processor 1005, 1105 detects that the read back contacts 1116, 1186 of the stuck relay are still open. Thus, the first and/or the second processor 1005, 1105 concludes that there is a fault of the first and/or second relay 1110, 1180 of the second group of relays 1000. Then, the first and/or the second processor 1005, 1105 consequently releases the first and second relays 1010, 1080 of the first group of relays 1000 of the first channel CH1. Consequently, there is no current applied to the output terminals 9a, 9b of the safety switch 5.
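The test sequence of figure 6 and the fault reaction of paragraphs [0082] to [0086], as an added model that is not part of the patent text: each relay is released in turn, its read back contact is checked, and a contact found stuck causes the other group to be released so that the output is cut. The welded-contact flag, the struct layout and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

enum { R1010, R1080, R1110, R1180, N_RELAYS };

typedef struct {
    bool energised[N_RELAYS];  /* coil state set by the controller 900 */
    bool welded[N_RELAYS];     /* constructed fault: contacts stuck closed */
} safety_switch;

typedef struct {
    int  faulty_relay;   /* index of the relay found stuck, -1 if none */
    bool output_held;    /* output stayed active while a relay was released */
    bool output_at_end;  /* output state once the sequence has ended */
} test_result;

/* Switching contacts are normally open: closed when energised or welded. */
static bool contacts_closed(const safety_switch *s, int r)
{
    return s->energised[r] || s->welded[r];
}

/* Guided relay: the normally closed read back contact closes only when the
 * switching contacts have really opened. */
static bool readback_closed(const safety_switch *s, int r)
{
    return !contacts_closed(s, r);
}

/* Relays of a group are in parallel, the two groups are in series. */
static bool output_active(const safety_switch *s)
{
    bool group1 = contacts_closed(s, R1010) || contacts_closed(s, R1080);
    bool group2 = contacts_closed(s, R1110) || contacts_closed(s, R1180);
    return group1 && group2;
}

/* Steps 1200 to 1206 of figure 6, with the fault reaction of [0082]. */
static test_result run_test_sequence(safety_switch *s)
{
    test_result res = { -1, true, false };
    for (int r = 0; r < N_RELAYS; r++) s->energised[r] = true;  /* normal mode */

    for (int r = 0; r < N_RELAYS; r++) {
        s->energised[r] = false;               /* release the relay under test */
        if (!output_active(s)) res.output_held = false;
        if (!readback_closed(s, r)) {          /* read back still open: stuck */
            int other = (r < R1110) ? R1110 : R1010;
            s->energised[other] = false;       /* release the other group */
            s->energised[other + 1] = false;
            res.faulty_relay = r;
            break;
        }
        s->energised[r] = true;                /* re-activate, go to next relay */
    }
    res.output_at_end = output_active(s);
    return res;
}

/* Run the sequence on a switch with one welded relay (-1 for a healthy one). */
static test_result test_with_weld(int welded_relay)
{
    safety_switch s = { {false}, {false} };
    if (welded_relay >= 0) s.welded[welded_relay] = true;
    return run_test_sequence(&s);
}

int main(void)
{
    for (int w = -1; w < N_RELAYS; w++) {
        test_result r = test_with_weld(w);
        printf("welded=%d faulty=%d held=%d output_at_end=%d\n",
               w, r.faulty_relay, r.output_held, r.output_at_end);
    }
    return 0;
}
```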

[0087] Thus, the safety switch 5 provides an architecture which is driven by a 2oo2 system (two out of two). Thus, for example to activate the safety switch, both channels CH1, CH2 including respectively a group of relays 1000, 1100 which are controlled by respectively a processor 1005, 1105 must be in accordance. Further, the activation of a relay needs the active signals of at least three intelligent devices, namely one PLD and the two processors (3oo3, three out of three).

[0088] When all relays are released, the safety switch provides the maximal air gap across the switching contacts. For example, in the present case when each physical switching contact (i.e. the switching contacts 1014, 1084, 1112, 1182 and subcontacts 1020, 1022, 1090, 1092, 1120, 1122, 1190, 1192) provides a minimum air gap of 0.5 mm, the complete (maximal) air gap will be 1.5 mm between the first input terminal 7a and the first output terminal 9a or the second input terminal 7a and the second output terminal 9b.

[0089] Thus, the safety switch assures a minimum safety distance of 1.5 mm across the contacts when the safety switch is released, in order to handle voltages of 230V alternating current. Further, the maximum switching direct current voltage is higher than in prior solutions thanks to three normally open contacts connected in series.


Claims

1. Monitoring and control system (1) comprising:

a safety switch (5) including:

a first input terminal (7a) and a second input terminal (7b) adapted to be connected to a power supply,

a first output terminal (9a) and a second output terminal (9b) adapted to be connected at least one load (3), and

at least two groups of relays (1000, 1100), wherein each group comprises at least two relays (1010, 1080; 1110, 1180) having respectively a first set of switching contacts (1012, 1082; 1112, 1182) and a second set of switching contacts (1014, 1084; 1114, 1184), the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator (1018, 1088; 1118, 1188), wherein the first sets of switching contacts (1012, 1082; 1112, 1182) of the at least two relays (1010, 1080; 1110, 1180) of a group are connected electrically in parallel and the second sets of switching contacts (1014, 1084; 1114, 1184) of the at least two relays of a group (1000, 1100) are connected electrically in parallel,

the first sets of switching contacts (1012, 1082) of a first group (1000) being connected electrically in series with the first sets of switching contacts (1112, 1182) of a second group (1100), the second sets of switching contacts (1014, 1084) of the first group (1000) being connected electrically in series with the second sets (1114, 1184) of switching contacts of the second group (1100), wherein

the first sets of switching contacts (1012, 1082) of the first group (1000) are connected to the first input terminal (7a) and the second sets of switching contacts (1014, 1084) of the first group (1000) are connected to the second input terminal (7b), wherein the first sets of switching contacts (1112, 1182) of the second group (1100) being connected to the first output terminal (9a) and the second sets of switching contacts (1114, 1184) of the second group (1100) being connected to the second output terminal (9b); and wherein the monitoring and control system further includes

a controller (900) for controlling the relays of the at least two groups (1000, 1100).


 
2. Monitoring and control system according to claim 1, wherein at least one set of switching contacts (1012, 1082; 1114, 1184) of the first or second set of switching contacts of the relays comprises two subsets of switching contacts (1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192) connected electrically in series, wherein in particular the first sets of switching contacts (1012, 1082) of the relays (1010, 1080) of the first group (1000) and the second sets of switching contacts (1114, 1184) of the relays (1110, 1180) of the second group (1100) comprise two subsets of switching contacts connected in series.
 
3. Monitoring and control system according to one of the preceding claims, wherein the sets of switching contacts (1012, 1082; 1114, 1184) comprise two subsets of switching contacts and/or the number of group of relays (1000, 1100) depend on the voltage to be switched.
 
4. Monitoring and control system according to one of the preceding claims, wherein at least one, in particular all, of the relays (1010, 1080; 1110, 1180) comprise at least one set of read back contacts (1016, 1086; 1116; 1186).
 
5. Monitoring and control system according to one of the preceding claims, wherein the first and second sets of switching contacts (1012, 1014, 1082, 1084; 1112, 1114, 1182, 1184) and, in particular the subsets of contacts (1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192), are normally open contacts and/or the sets of read back contacts (1016, 1086; 1116; 1186) are normally closed contacts, wherein in particular the relays (1010, 1080; 1110, 1180) are guided relays, so that when the normally closed contacts are closed, the normally open contacts (1014, 1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192) provide a predetermined minimal distance between their contacts.
 
6. Monitoring and control system according to any one of the preceding claims, comprising at least two channels, wherein one group of relays (1000, 1100) of the at least two groups of relays (1000, 1100) is associated with each channel (CH1, CH2), wherein the controller (900) comprises a plurality of subcontrollers (1005, 1007, 1105, 1107), each channel comprising at least one, in particular two or more, of the plurality of subcontrollers, wherein for each channel (CH1, CH2):

at least one first subcontroller (1005, 1105), in particular a processor, of said channel being adapted to command the actuators (1018, 1088, 1118, 1188) of the relays associated with said channel and the actuators (1018, 1088, 1118, 1188) of the relays associated with at least one other channel.


 
7. Monitoring and control system according to claim 6, wherein the at least one first subcontroller (1005) of a first channel (CH1) is adapted to monitor the functioning of at least one first subcontroller (1105) associated with another channel (CH2), wherein the at least one first subcontroller (1105) of said other channel is adapted to command the actuators (1018, 1088) of the relays associated with the first channel (CH1), wherein the at least one first subcontroller (1005) of the first channel (CH1) is adapted to release the relays of said other channel (CH2) when a failure of the at least one first subcontroller (1105) of said other channel is detected by the at least one first subcontroller (1005).
 
8. Monitoring and control system according to claim 6 or 7, wherein at least one channel, in particular all channels comprise at least one second subcontroller (1007, 1107) of the plurality of subcontrollers, in particular in form of a programmable logic devices (1007, 1107), wherein each second subcontroller (1007, 1107) is connected to at least one first subcontroller (1005, 1105) of the same channel and adapted to monitor the functioning of said at least one first subcontroller.
 
9. Monitoring and control system according to any one of the claims 6 to 8 comprising a plurality of control circuits (1026, 1096, 1126, 1196), wherein each control circuit is connected to relay (1010, 1080, 1110, 1180) for controlling an activation and/or release of said relay and is comprised by the respective channel (CH1, CH2), wherein for at least one, in particular each control circuit:

said control circuit is connected to at least one output (1066a, 1066b) of at least one first subcontroller (1005, 1105) of the same channel, to at least one output (1066c) of at least one first subcontroller (1005, 1105) of another channel, and, in particular, to at least one output (1028) of the at least one second subcontroller (1007, 1107) of the same channel, wherein the control circuit is adapted to activate and/or release the relay associated with the control circuit based on the outputs of the connected first subcontrollers (1005, 1105) and, in particular, the output of the connected second subcontrollers (1007, 1107).


 
10. Monitoring and control system according to claim 9, wherein the at least one first subcontroller (1005, 1105) is adapted to provide a first signal, for example a regularly alternating signal (1076), in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of the outputs (1066a) connected to the control circuit (1026, 1096, 1126, 1196) and/or the at least one second subcontroller (1007, 1107) is adapted to provide a first signal, for example regularly alternating signal (1034), in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of its outputs (1028) connected to the control circuit, wherein, upon reception of the second signal from the at least one first subcontroller (1005, 1105) and/or the at least one second subcontroller (1007, 1107), the control circuit releases the associated relay.
 
11. Monitoring and control system according to claim 9 or 10, wherein each control circuit is adapted to activate the associated relay only in case the signals provided by two subcontrollers (1005, 1105), for example the first and second subcontrollers, of at least two different channels (CH1, CH2), and, in particular, the signal provided by the at least one second subcontroller (1007, 1107) of the same channel, allows or command an activation of said relay.
 
12. Monitoring and control system according to one of the claims 6 to 11, wherein the read back contacts of each relay are read by at least two first subcontrollers (1005, 1105) of two different channels (CH1, CH2), comprising at least one first subcontroller of the channel to which the respective relay is associated.
 
13. Monitoring and control system according to one of the preceding claims, wherein the safety switch comprises two group of relays comprising respectively two relays, wherein each channel comprises a group of relays.
 
14. Method for operating a safety switch, the safety switch comprising a first input terminal (7a) and a second input terminal (7b) adapted to be connected to a power supply; a first output terminal (9a) and a second output terminal (9b) adapted to be connected at least one load (3); and at least two groups of relays (1000, 1100), wherein each group comprises at least two relays (1010, 1080; 1110, 1180) having respectively a first set of switching contacts (1012, 1082; 1112, 1182) and a second set of switching contacts (1014, 1084; 1114, 1184), the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator (1018, 1088; 1118, 1188), wherein the first sets of switching contacts (1012, 1082; 1112, 1182) of the at least two relays (1010, 1080; 1110, 1180) of a group are connected electrically in parallel and the second sets of switching contacts (1014, 1084; 1114, 1184) of the at least two relays of a group (1000, 1100) are connected electrically in parallel, the first sets of switching contacts (1012, 1082) of a first group (1000) being connected electrically in series with the first sets of switching contacts (1112, 1182) of a second group (1100), the second sets of switching contacts (1014, 1084) of the first group (1000) being connected electrically in series with the second sets (1114, 1184) of switching contacts of the second group (1100), wherein the first sets of switching contacts (1012, 1082) of the first group (1000) are connected to the first input terminal (7a) and the second sets of switching contacts (1014, 1084) of the first group (1000) being connected to the second input terminal (7b), wherein the first sets of switching contacts (1112, 1182) of the second group (1100) being connected to the first output terminal (9b) and the second sets of switching contacts (1114, 1184) of the second group (1100) are connected to the second output terminal (9a); wherein the method further comprises: sequentially opening the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays are closed.
 
15. Method according to claim 14, wherein the safety switch is a safety switch comprised in the monitoring and control system according to one of the claims 1 to 13.
 


Amended claims in accordance with Rule 137(2) EPC.


1. Monitoring and control system (1) comprising:

a safety switch (5) including:

a first input terminal (7a) and a second input terminal (7b) adapted to be connected to a power supply,

a first output terminal (9a) and a second output terminal (9b) adapted to be connected at least one load (3), and

at least two groups of relays (1000, 1100), wherein each group comprises at least two relays (1010, 1080; 1110, 1180) having respectively a first set of switching contacts (1012, 1082; 1112, 1182) and a second set of switching contacts (1014, 1084; 1114, 1184), the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator (1018, 1088; 1118, 1188), wherein the first sets of switching contacts (1012, 1082; 1112, 1182) of the at least two relays (1010, 1080; 1110, 1180) of a group are connected electrically in parallel and the second sets of switching contacts (1014, 1084; 1114, 1184) of the at least two relays of a group (1000, 1100) are connected electrically in parallel,

the first sets of switching contacts (1012, 1082) of a first group (1000) being connected electrically in series with the first sets of switching contacts (1112, 1182) of a second group (1100), the second sets of switching contacts (1014, 1084) of the first group (1000) being connected electrically in series with the second sets (1114, 1184) of switching contacts of the second group (1100), wherein

the first sets of switching contacts (1012, 1082) of the first group (1000) are connected to the first input terminal (7a) and the second sets of switching contacts (1014, 1084) of the first group (1000) are connected to the second input terminal (7b), wherein the first sets of switching contacts (1112, 1182) of the second group (1100) being connected to the first output terminal (9a) and the second sets of switching contacts (1114, 1184) of the second group (1100) being connected to the second output terminal (9b); and wherein the monitoring and control system further includes

a controller (900) for controlling the relays of the at least two groups (1000, 1100), wherein

the safety switch is adapted to sequentially open the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays remain closed.


 
2. Monitoring and control system according to claim 1, wherein at least one set of switching contacts (1012, 1082; 1114, 1184) of the first or second set of switching contacts of the relays comprises two subsets of switching contacts (1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192) connected electrically in series, wherein in particular the first sets of switching contacts (1012, 1082) of the relays (1010, 1080) of the first group (1000) and the second sets of switching contacts (1114, 1184) of the relays (1110, 1180) of the second group (1100) comprise two subsets of switching contacts connected in series.
 
3. Monitoring and control system according to one of the preceding claims, wherein the sets of switching contacts (1012, 1082; 1114, 1184) comprise two subsets of switching contacts and/or the number of groups of relays (1000, 1100) depend on the voltage to be switched.
 
4. Monitoring and control system according to one of the preceding claims, wherein at least one, in particular all, of the relays (1010, 1080; 1110, 1180) comprise at least one set of read back contacts (1016, 1086; 1116; 1186).
 
5. Monitoring and control system according to one of the preceding claims, wherein the first and second sets of switching contacts (1012, 1014, 1082, 1084; 1112, 1114, 1182, 1184) and, in particular the subsets of contacts (1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192), are normally open contacts and/or the sets of read back contacts (1016, 1086; 1116; 1186) are normally closed contacts, wherein in particular the relays (1010, 1080; 1110, 1180) are guided relays, so that when the normally closed contacts are closed, the normally open contacts (1014, 1020, 1022, 1090, 1092; 1120, 1122, 1190, 1192) provide a predetermined minimal distance between their contacts.
 
6. Monitoring and control system according to any one of the preceding claims, comprising at least two channels, wherein one group of relays (1000, 1100) of the at least two groups of relays (1000, 1100) is associated with each channel (CH1, CH2), wherein the controller (900) comprises a plurality of subcontrollers (1005, 1007, 1105, 1107), each channel comprising at least one, in particular two or more, of the plurality of subcontrollers, wherein for each channel (CH1, CH2):

at least one first subcontroller (1005, 1105), in particular a processor, of said channel being adapted to command the actuators (1018, 1088, 1118, 1188) of the relays associated with said channel and the actuators (1018, 1088, 1118, 1188) of the relays associated with at least one other channel.


 
7. Monitoring and control system according to claim 6, wherein the at least one first subcontroller (1005) of a first channel (CH1) is adapted to monitor the functioning of at least one first subcontroller (1105) associated with another channel (CH2), wherein the at least one first subcontroller (1105) of said other channel is adapted to command the actuators (1018, 1088) of the relays associated with the first channel (CH1), wherein the at least one first subcontroller (1005) of the first channel (CH1) is adapted to release the relays of said other channel (CH2) when a failure of the at least one first subcontroller (1105) of said other channel is detected by the at least one first subcontroller (1005).
 
8. Monitoring and control system according to claim 6 or 7, wherein at least one channel, in particular all channels comprise at least one second subcontroller (1007, 1107) of the plurality of subcontrollers, in particular in the form of a programmable logic device (1007, 1107), wherein each second subcontroller (1007, 1107) is connected to at least one first subcontroller (1005, 1105) of the same channel and adapted to monitor the functioning of said at least one first subcontroller.
 
9. Monitoring and control system according to any one of the claims 6 to 8 comprising a plurality of control circuits (1026, 1096, 1126, 1196), wherein each control circuit is connected to a relay (1010, 1080, 1110, 1180) for controlling an activation and/or release of said relay and is comprised by the respective channel (CH1, CH2), wherein for at least one, in particular each control circuit:

said control circuit is connected to at least one output (1066a, 1066b) of at least one first subcontroller (1005, 1105) of the same channel, to at least one output (1066c) of at least one first subcontroller (1005, 1105) of another channel, and, in particular, to at least one output (1028) of the at least one second subcontroller (1007, 1107) of the same channel,

wherein the control circuit is adapted to activate and/or release the relay associated with the control circuit based on the outputs of the connected first subcontrollers (1005, 1105) and, in particular, the output of the connected second subcontrollers (1007, 1107).


 
10. Monitoring and control system according to claim 9, wherein the at least one first subcontroller (1005, 1105) is adapted to provide a first signal, for example a regularly alternating signal (1076), in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of the outputs (1066a) connected to the control circuit (1026, 1096, 1126, 1196) and/or the at least one second subcontroller (1007, 1107) is adapted to provide a first signal, for example regularly alternating signal (1034), in case of normal functioning and a second signal, for example a constant signal, in case of a failure to at least one of its outputs (1028) connected to the control circuit, wherein, upon reception of the second signal from the at least one first subcontroller (1005, 1105) and/or the at least one second subcontroller (1007, 1107), the control circuit releases the associated relay.
 
11. Monitoring and control system according to claim 9 or 10, wherein each control circuit is adapted to activate the associated relay only in case the signals provided by two subcontrollers (1005, 1105), for example the first and second subcontrollers, of at least two different channels (CH1, CH2), and, in particular, the signal provided by the at least one second subcontroller (1007, 1107) of the same channel, allow or command an activation of said relay.
 
12. Monitoring and control system according to one of the claims 6 to 11, wherein the read back contacts of each relay are read by at least two first subcontrollers (1005, 1105) of two different channels (CH1, CH2), comprising at least one first subcontroller of the channel to which the respective relay is associated.
 
13. Monitoring and control system according to one of the preceding claims, wherein the safety switch comprises two groups of relays comprising respectively two relays, wherein each channel comprises a group of relays.
 
14. Method for operating a safety switch, the safety switch comprising a first input terminal (7a) and a second input terminal (7b) adapted to be connected to a power supply; a first output terminal (9a) and a second output terminal (9b) adapted to be connected to at least one load (3); and at least two groups of relays (1000, 1100), wherein each group comprises at least two relays (1010, 1080; 1110, 1180) having respectively a first set of switching contacts (1012, 1082; 1112, 1182) and a second set of switching contacts (1014, 1084; 1114, 1184), the first set of switching contacts and the second set of switching contacts of each relay are actuated simultaneously by an actuator (1018, 1088; 1118, 1188), wherein the first sets of switching contacts (1012, 1082; 1112, 1182) of the at least two relays (1010, 1080; 1110, 1180) of a group are connected electrically in parallel and the second sets of switching contacts (1014, 1084; 1114, 1184) of the at least two relays of a group (1000, 1100) are connected electrically in parallel, the first sets of switching contacts (1012, 1082) of a first group (1000) being connected electrically in series with the first sets of switching contacts (1112, 1182) of a second group (1100), the second sets of switching contacts (1014, 1084) of the first group (1000) being connected electrically in series with the second sets (1114, 1184) of switching contacts of the second group (1100), wherein the first sets of switching contacts (1012, 1082) of the first group (1000) are connected to the first input terminal (7a) and the second sets of switching contacts (1014, 1084) of the first group (1000) being connected to the second input terminal (7b), wherein the first sets of switching contacts (1112, 1182) of the second group (1100) being connected to the first output terminal (9b) and the second sets of switching contacts (1114, 1184) of the second group (1100) are connected to the second output terminal (9a); wherein the method further comprises:

sequentially opening the first and second set of contacts of each of the relays, wherein the first and second sets of contacts of the other relays are closed.


 
15. Method according to claim 14, wherein the safety switch is a safety switch comprised in the monitoring and control system according to one of the claims 1 to 13.
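
The following model is an added illustration and is not part of the patent application. It simulates the relay topology of claim 1 and the sequential opening of claim 14, with relays named after the reference numerals. The read-back check after each opening, the welded-contact fault and all function names are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Relay:
    name: str
    energized: bool = True                    # actuator commanded on
    welded: set = field(default_factory=set)  # constructed fault: contact sets (1 or 2) stuck closed

    def closed(self, pole: int) -> bool:
        # Normally open switching contacts: closed when energized, or stuck if welded.
        return self.energized or pole in self.welded

    def readback(self) -> bool:
        # Normally closed read-back contact of a guided relay (assumed behaviour):
        # it closes only when the actuator is released and no contact is stuck.
        return not self.energized and not self.welded

def build_switch():
    # Two groups (1000, 1100) of two relays each.
    return [[Relay("1010"), Relay("1080")], [Relay("1110"), Relay("1180")]]

def pole_conducts(groups, pole: int) -> bool:
    # Contacts are in parallel inside a group (any) and groups are in series (all).
    return all(any(r.closed(pole) for r in g) for g in groups)

def load_powered(groups) -> bool:
    # The load is supplied only when both poles conduct.
    return pole_conducts(groups, 1) and pole_conducts(groups, 2)

def sequential_test(groups):
    """Open one relay at a time while the others stay closed.
    Returns (relays whose contacts failed to open, load stayed powered)."""
    faults, stayed_on = [], True
    for relay in (r for g in groups for r in g):
        relay.energized = False
        if not relay.readback():
            faults.append(relay.name)
        stayed_on = stayed_on and load_powered(groups)
        relay.energized = True
    return faults, stayed_on

def release_all(groups) -> bool:
    # Safe-state request: release every relay, report whether the load is still powered.
    for relay in (r for g in groups for r in g):
        relay.energized = False
    return load_powered(groups)
```

In this model the parallel relay of each group carries the load during the test, and the series-connected second group still interrupts a pole whose contact in the first group is stuck closed.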
 




Drawing
















Search report