Method and Device for the Safe, Systematic, Exclusive Assignment of the Command Authorization of an Operator to a Controllable Technical Installation

US 20100127824A1
Filed: 04/05/2006
Published: 05/27/2010
Est. Priority Date: 04/08/2005
Status: Active Grant

First Claim

Patent Images

1-126. -126. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to methods and appropriate devices for safely, unequivocally and exclusively, temporarily assigning the command authority of an operator (1) to a controllable technical system (60) using a mobile control device (2) which is technically suitable for periodically controlling a plurality of controllable technical systems (60), which is equipped as standard with safety switch elements (38, 39) such as an emergency stop switch, ok key and operating mode selection switches and for a data coupling with the controllable technical system (60) in spite of having only normal transmission means (6) or network technologies without any particular features specific to safety function.

95 Citations

View as Search Results

250 Claims

1-126. -126. (canceled)

127. Mobile control device 2, in particular a mobile hand-held device, for influencing at least a part of a controllable technical system 60, with at least one control element for issuing control commands by an operator 1, with at least one data interface for temporarily establishing an active data connection to a safe data transmission counter station 9 assigned to the controllable technical system, with at least one standardized data transmission means without any physically safe unequivocal point-to-point assignment to the subscribers connected in between, with a first processor or detection circuit 34 for encoding information, messages or signal states in a plurality of first data telegrams with a view to transmitting them across the active data connection to the safe data transmission counter station 9, wherein the mobile control device 2 has a second processor or detection circuit 35 and a reading unit 24, and the reading unit is suitable for reading, essentially simultaneously, several electronically readable tag codes when several log-in tags 4, zone tags 68 or key tags 5 are disposed within the detection range of the reading unit, and the second processor or detection circuit 35 is configured to encode information, messages or signal states in a plurality of first data telegrams or in a plurality of second data telegrams, which first and optionally second data telegrams are intended for a transmission across the data interface via an active connection to the safe data transmission counter station 9, and the first 34 and second 35 processor or detection circuit is able to access the detected tag codes via the reading unit 24, and the first and/or optionally second data telegrams are generated, identified or sent under the influence of the detected tag codes.
- View Dependent Claims (128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167)
- - 128. Mobile control device according to claim 127, wherein the at least one data interface is configured for bi-directional data transmission.
  - 129. Mobile control device according to claim 127, wherein the at least one data interface is configured for establishing a radio data link, in particular based on the Wireless LAN (WLAN), Bluetooth or ZigBee Standard.
  - 130. Mobile control device according to claim 127, wherein the at least one data interface is configured for establishing a connection to a cabled network or to a bus system with several subscribers, in particular to an Ethernet network.
  - 131. Mobile control device according to claim 127, wherein the control device has an electrochemical or electrostatic energy storage 25, in particular an accumulator, a battery, a fuel cell or a capacitor, for at least temporarily supplying power to at least some of the electronic components.
  - 132. Mobile control device according to claim 127, wherein at least one safety switch element which can be operated by the operator is provided for issuing safety critical control commands or authorizing or preventing potentially dangerous machine operations, the operating state of the at least one safety switch element is repeatedly detected by the first 34 and second 35 processor or detection circuit and the detected operating state is encoded in the first and optionally second data telegrams.
  - 133. Mobile control device according to claim 132, wherein the at least one safety switch element is of a multiple electric circuit design, in particular a two-circuit design.
  - 134. Mobile control device according to claim 133, wherein the at least one safety switch element is provided in the form of an emergency stop switch certified to standard, alternatively as a certified machine-stop switch, an ok key or a safe operating mode selection switch.
  - 135. Mobile control device according to claim 133, wherein several safety switch elements are provided.
  - 136. Mobile control device according to claim 135, wherein several, in particular two, safety switch elements each with identical functions are provided, the operating states of each of which are detected by the first 34 and the second 35 processor or detection circuit, the detected operating states are logically linked by the first 34 and second 35 processor or detection circuit to form an overall operating state depending on the function of the safety switch elements, and the overall operating state is encoded in the first and optionally second data telegrams.
  - 137. Mobile control device according to claim 132, wherein a signal connection or a data connection is provided between the first 34 and the second 35 processor or detection circuit, by means of which information is transmitted for a cross-comparison of the respective detected operating state of the at least one safety switch element.
  - 138. Mobile control device according to claim 127, wherein the reading unit is suitable 24 for detecting several different tag codes, essentially simultaneously, from an individual log-on tag 4, zone tag 68 or key tag 5.
  - 139. Mobile control device according to claim 138, wherein the reading unit 24 is configured for detecting several security codes, in particular a first security code and a second security code different from it, and the first processor or detection circuit 34 and the second processor or detection circuit 35 each use different security codes for encoding the data telegrams.
  - 140. Mobile control device according to claim 127, wherein the reading unit 24 has no or only restricted means for buffering read data, which under no circumstances enable full storage of the complete data set provided with check data contained in a tag code.
  - 141. Mobile control device according to claim 127, wherein the memory 36 in which the read security code can be stored for access is provided in the form of a volatile memory and when the control device is switched off, any security codes stored are deleted so that they can not be recovered.
  - 142. Mobile control device according to claim 127, wherein the reading unit 24 has a directional detection characteristic.
  - 143. Mobile control device according to claim 127, wherein the reading unit 24 is provided in the form of a transponder-receiver system.
  - 144. Mobile control device according to claim 127, wherein the reading unit 24 is provided in the form of a barcode reader.
  - 145. Mobile control device according to claim 127, wherein the reading unit 24 is provided in the form of a receiver for pulsed or modulated light, in particular infrared light.
  - 146. Mobile control device according to claim 127, wherein the reading unit 24 signals if there is a drop below a minimum distance to a key tag 5, log-on tag 4 or zone tag 68 in the detection range or provides appropriate information about distance.
  - 147. Mobile control device according to claim 127, wherein the reading unit 24 signals if a maximum distance from a key tag 5, log-on tag 4 or zone tag 68 in the detection range is exceeded or provides appropriate information about the distance.
  - 148. Mobile control device according to claim 127, wherein the first 34 and the second 35 processor or detection circuit are able to access the reading unit 24 independently of one another.
  - 149. Mobile control device according to claim 127, wherein the first 34 and the second 35 processor or detection circuit are differently configured and are optionally configured to operate different assigned software means or programmed logic links.
  - 150. Mobile control device according to claim 127, wherein at least one output means is provided, in particular in the form of a display 26 with graphics capability.
  - 151. Mobile control device according to claim 127, wherein at least one analog input means or one operating in an analog manner, as it were, is provided, in particular in the form of a touch screen 27, joystick 29, hand wheel 30 or potentiometer.
  - 152. Log-on tag, zone tag or key tag for use in combination with a mobile control device 2 according to claim 127, wherein it contains at least one permanently assigned tag code 64 which can be electronically detected by the reading unit 24 disposed in the control device 2.
  - 153. Log-on tag, zone tag or key tag according to claim 152, wherein a non-volatile memory 61 is provided, in which the at least one permanently assigned tag code 64 is stored so that it can be accessed.
  - 154. Log-on tag, zone tag or key tag according to claim 152, wherein a transmitter device is provided for wirelessly transmitting short data sequences across short transmission distances to a reading unit disposed in the immediate vicinity.
  - 155. Log-on tag, zone tag or key tag according to claim 152, wherein it is provided in the form of a passive RF transponder or a SAW transponder.
  - 156. Log-on tag, zone tag or key tag according to claim 152, wherein it is provided in the form of an active RF transponder.
  - 157. Log-on tag, zone tag or key tag according to claim 152, wherein it is provided in the form of an active infrared transmitter tag.
  - 158. Log-on tag, zone tag or key tag according to claim 156, wherein in addition to the permanently assigned tag code 64, information relating to time or sequence information is transmitted.
  - 159. Log-on tag, zone tag or key tag according to claim 152, wherein the at least one permanently assigned tag code is applied so that it can be optically scanned.
  - 160. Log-on tag, zone tag or key tag according to claim 159, wherein the at least one tag code is a bar code.
  - 161. Log-on tag, zone tag or key tag according to claim 152, wherein the tag code contains additional check information by means of which correct and complete detection of the tag code can be checked in readiness for transmitting data.
  - 162. Key tag according to claim 152, wherein a fixing means, in particular a fixing ring or a fixing clip is provided, which can be used to prevent detachment.
  - 163. Key tag according to claim 152, wherein print or text or a visually perceptible mark, in particular a signature or a photographic image, is applied which enables conclusions to be drawn about the person to whom the key tag has been assigned.
  - 164. Log-on tag or zone tag according to claim 152, wherein a fixing means is provided, which permits a permanent spatial assignment to a controllable technical system 60 or a specific part of this system.
  - 165. Log-on tag or zone tag according to claim 164, wherein if the fixing means is released, destruction of or a modification to the log-on tag or zone tag causes further electronic detection of the stored security and/or zone code to be prevented.
  - 166. Log-on tag or zone tag according to claim 152, wherein print, text or a visually perceptible code is applied, which enables conclusions to be drawn about the controllable technical system 60 or the part of it assigned to the log-on tag 4 or zone tag 68, in particular the assigned security cell 14 of this system.
  - 167. Log-on tag or zone tag according to claim 152, wherein a hard-wired data or signal connection between the log-on tag 4 or zone tag 68 and a safe data transmission counter station 9 assigned to it is provided, by means of which at least one electronically detectable tag code 64 can be transmitted from the data transmission station to the log-on tag 4 or zone tag 68.

168. Safe data transmission counter station to provide a safe, temporary coupling of a mobile control device 2 to at least the safety loop of a controllable technical system 60 for data transmission purposes and optionally to the controller of the technical system, with a first data interface for establishing an active data connection to a mobile control device with at least one data transmission medium without any interconnected, physically secured unequivocal point-to-point assignment of the subscribers with one or more safety interfaces for connecting the data transmission counter station to the safety loop of the technical system 60, with a first processor or monitoring circuit 48 for receiving a plurality of first data telegrams across the first data interface and a second processor or monitoring circuit 49 for simultaneously receiving a plurality of first data telegrams and/or optionally for receiving a plurality of second data telegrams across the first data interface, wherein the first 48 and second 49 processor or monitoring circuit are respectively provided with an accessible memory in which at least one registered permissible security code is stored, which security code is assigned to a log-on tag 4 or zone tag 68 spatially assigned to the controllable technical system 60 or which is assigned to a key tag 5 allocated to an operator 1, which first 48 and second 49 processor or monitoring circuit respectively check the received first and optionally second data telegrams independently of one another to establish the unequivocal code on the basis of a tag code assigned to the stored permissible security code and once the code is established, the information or messages of the received data telegrams are evaluated and the signal states or data for the safety loop are fed into the safety loop depending on the information or messages ascertained.
- View Dependent Claims (169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183)
- - 169. Safe data transmission counter station according to claim 168, wherein the accessible memories are at least partially provided in the form of non-volatile memories 45 in which at least one registered permissible security code is permanently or virtually permanently stored.
  - 170. Safe data transmission counter station according to claim 168, wherein a second data interface 47 is provided for establishing a data connection to the functional controller 10 of the technical system 60.
  - 171. Safe data transmission counter station according to claim 170, wherein the second data interface 47 is configured to establish an unequivocal and safe point-to-point data connection with the controller 10 of the technical system 60.
  - 172. Safe data transmission counter station according to claim 168, wherein the data transmission counter station can be structurally combined with the functional controller 10 of the technical system 60, in particular can be inserted in the housing of the controller or mounted on the housing of the controller as a module.
  - 173. Safe data transmission counter station according to claim 168, wherein the data transmission counter station is structurally and functionally directly integrated in the functional controller 10 of the technical system 60.
  - 174. Safe data transmission counter station according to claim 168, wherein the data transmission counter station is structurally and functionally combined with a radio counter station 3.
  - 175. Safe data transmission counter station according to claim 168, wherein the data transmission counter station is structurally and functionally combined with a log-on tag 4.
  - 176. Safe data transmission counter station according to claim 168, wherein the security interface for connecting into the safety loop of the technical system has a contact arrangement based on multiple circuits for feeding in an ok key signal state, an emergency off or stop signal state and/or an operating mode signal state.
  - 177. Safe data transmission counter station according to claim 169, wherein the security interface for connecting into the safety loop has signal outputs which can be powered instead of or in addition to the contact arrangement based on multiple circuits.
  - 178. Safe data transmission counter station according to claim 168, wherein the security interface for connecting into the safety loop of the technical system is designed to be connected to a safety bus.
  - 179. Safe data transmission counter station according to claim 168, wherein a signal connection or data connection is provided between the first 48 and second 49 processor or monitoring circuit by means of which information for a cross-comparison of the evaluated information or messages from the first and optionally second data telegrams can be exchanged.
  - 180. Safe data transmission counter station according to claim 168, wherein the first 48 and second 49 processor or monitoring circuit are differently configured and optionally assigned software means or programmed logic links are also differently configured.
  - 181. Safe data transmission counter station according to claim 168, wherein the first 48 and second 49 processor or monitoring circuit are able to signal to the security interface a non-safe state, in particular the absence of authorization or a triggered emergency off or machine stop state, totally independently of the other respective processor or monitoring circuit.
  - 182. Safe data transmission counter station according to claim 168, wherein the first data interface is provided in the form of a radio interface 46, in particular a Bluetooth interface, WLAN interface or ZigBee interface.
  - 183. Safe data transmission counter station according to claim 168, wherein when the safe data transmission counter station is in the switched off or powerless state, a non-operated ok key, an operated emergency stop switch or stop switch or an invalid operating mode selection is signaled for the connected safety loop.

184. Log-on procedure for safely and temporarily assigning the command authority of a user to a control device, wherein the user 1 is allocated a key tag 5 which is provided with an electronically readable code in the form of a user code and optionally other user-related information, and during a log-on procedure the user code and the optional additional user-related information is detected by means of a reading unit 24 provided in the control device 2, the detected user code is checked to ascertain its validity and/or the right to authorize functions of the control device for which rights are required is checked, and when the validity and/or right has been established, the functions for which rights are required are released and the read user code is registered in the control device 2 as an active user code, and information about the spatial distance of the read key tag 5 provided by the reading unit 24 is evaluated and a read user code is evaluated as being invalid or lacking the right to authorize functions for which rights are required if the detected distance exceeds a given maximum distance 8.
- View Dependent Claims (185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 248)
- - 185. Log-on procedure according to claim 184, wherein the information or codes read from the key are detected by several, in particular two, processors or detection circuits independently of one another and evaluated or checked, and the existence of a condition is not deemed to be satisfied unless it can be established as having been satisfied by all the processors or detection circuits involved.
  - 186. Log-on procedure according to claim 184, wherein the functions for which a right is required include at least the function of a safety switch element, in particular an ok key.
  - 187. Log-on procedure according to claim 184, wherein once the validity of the user code has been established, at least the actively registered user code is held in a memory of the control device 2 so that it can be accessed.
  - 188. Log-on procedure according to claim 187, wherein the actively registered user code is held in a non-volatile memory of the control device 2 so that it can be accessed.
  - 189. Log-on procedure according to claim 184, wherein the log-on procedure is only run if no active user code has been registered in the control device 2 previously.
  - 190. Log-on procedure according to claim 184, wherein after a defined period has elapsed during which no control actions have been undertaken from the control device 2 or registered by it, the authorization of at least some of the functions for which rights are required expires and are not authorized again until the user code of the key tag 5 corresponding to the registered active user code is successfully read in again.
  - 191. Log-on procedure according to claim 184, wherein once the active user code has been registered, reading attempts to detect the user code in the key tag 5 corresponding to the registered active user code are undertaken at brief intervals and if this user code can not be detected for a specifically defined period, the authorization for at least some of the functions for which rights are required expires and is not released again until the user code has been successfully detected again.
  - 192. Log-on procedure according to claim 184, wherein information provided by the reading unit about the spatial distance of the read key tag 5 is evaluated and a read user code is evaluated as being invalid or lacking the right to authorize functions for which rights are required if the detected distance is less than a given minimum distance.
  - 193. Log-on procedure according to claim 184, wherein information provided by the reading unit about the spatial distance of several key tags 5 simultaneously disposed within the detection range of the reading unit 24 is evaluated, and only the data and codes of the key tag 5 disposed at the shortest distance from the reading unit 24 continue to be processed.
  - 194. Log-on procedure according to claim 184, wherein, during the log-on procedure, the user code read from the key tag 5 is transmitted across a data network to a central server 65, after which additional user information, in particular the username, security information for verifying a password entry or authorization data about user-selective authorization of control functions, is transmitted from the server to the control device 2, where it is optionally stored.
  - 195. Log-on procedure according to claim 184, wherein, during the log-on procedure, additional user information read from the key tag 5, in particular the user name, security information for verifying a password entry or authorization data about user-selective authorization of control functions, is transmitted to the control device 2, where it is optionally stored.
  - 196. Log-on procedure according to claim 184, wherein, during the log-on procedure, the operator inputs a password or a PIN code by means of an input means provided on the control device 2, the user input is checked for admissibility using security information at least temporarily stored in the control device 2 and a release of the functions requiring rights and/or registration of the active user code does not proceed unless the user input is found to be admissible.
  - 197. Log-on procedure according to claim 184, wherein the extent of authorization for functions requiring rights is determined at least partially by the individual authorization data assigned to the user information.
  - 198. Log-on procedure according claim 184, wherein, whilst a registered active user code exists, information about the assigned operator 1 or about the assigned key tag 5 is constantly output to an output means 26 of the control device 2 or can be retrieved from it if necessary.
  - 199. Log-on procedure according to claim 184, wherein the log-on procedure is initiated by a manual command input by the operator 1 from the control device 2.
  - 200. Log-on procedure according to claim 184, wherein the log-on procedure is automatically initiated as soon as a key tag 5 is moved within the detection range of the reading unit 24.
  - 201. Log-on procedure according to claim 184, wherein, in addition or as an alternative, an option of logging on without a key tag 5 is also provided but only for releasing those functions which do not have any safety-relevant effect on the controllable technical system 60, in particular functions which are used exclusively to observe the operating mode.
  - 248. Log-on procedure for safely assigning the command authority of an operator of a mobile control device 2 to at least a safety loop of a controllable technical system 60 and optionally to a controller 10 of the technical system, with an interconnected data transmission means, in particular a bus system or a network without a physically secured unequivocal point-to-point assignment of the message sources and message sinks, and an interconnected safe data transmission counter station 9 which is permanently connected to the safety loop, wherein a safe assignment of the command authority of the operator 1 to the mobile control device 2 is established on the basis of a log-on procedure according to claim 184 and a safe active data connection is established from the mobile control device 2 to the safety loop of the controllable technical system 60 on the basis of a log-on procedure for safely establishing a temporary active data connection of a mobile control device 2 to at least one safety loop of a controllable technical system 60 and optionally to a controller 10 of a technical system 60, with an interconnected data transmission means, in particular a bus system or a network with no physically secured unequivocal point-to-point assignment of the message sources and message sinks, and with an interconnected safe data transmission counter station which is permanently connected to the safety loop, wherein at least one electronically detectable security code of a log-on tag 4 moved into the immediate vicinity of the controllable technical system is detected by a first processor or detection circuit 34 and by a second processor or detection circuit 35 of the mobile control device 2 by means of a reading unit 24 with a locally limited detection range provided in the mobile control device, the at least one detected security code is registered in the mobile control device 2 as an active security code and is stored in a memory so that it can be accessed.

202. Log-off procedure for safely terminating a temporary safe assignment of the command authority of an operator 1 to a control device 2, wherein the user is allocated a key tag 5 which is provided with an electronically readable code in the form of a user code and optionally additional user information, and during a log-off procedure at least the user code and optionally the additional user information is detected by means of a reading unit 24 provided in the control device 2, the detected user code is checked to ascertain a match with a registered active user code and if a match is established, the registered active user code is deleted or designated as inactive and an authorization to use functions of the control device 2 for which rights are required is terminated.
- View Dependent Claims (203, 204)
- - 203. Log-off procedure according to claim 202, wherein, if the match proves negative, a special right of the operator is detected either from the key tag 5 or following a manual input of specific information about rights, and a check is run to ascertain validity, and once validity has been established the registered active user code is deleted or deemed to be registered as inactive and an authorization of specific functions of the control device 2 for which rights are required is terminated.
  - 204. Log-off procedure according to claim 202, wherein the log-off procedure is initiated by a manual command input by the operator 1 from the control device 2.

205. Log-on procedure for safely establishing a temporary active data connection of a mobile control device 2 to at least one safety loop of a controllable technical system 60 and optionally to a controller 10 of a technical system 60, with an interconnected data transmission means, in particular a bus system or a network with no physically secured unequivocal point-to-point assignment of the message sources and message sinks, and with an interconnected safe data transmission counter station which is permanently connected to the safety loop, wherein at least one electronically detectable security code of a log-on tag 4 moved into the immediate vicinity of the controllable technical system is detected by a first processor or detection circuit 34 and by a second processor or detection circuit 35 of the mobile control device 2 by means of a reading unit 24 with a locally limited detection range provided in the mobile control device, the at least one detected security code is registered in the mobile control device 2 as an active security code and is stored in a memory so that it can be accessed.
- View Dependent Claims (206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226)
- - 206. Log-on procedure according to claim 205, wherein the log-on procedure is not run unless no active security code has been registered previously.
  - 207. Log-on procedure according to claim 205, wherein at least one connection identification code is determined or generated, the at least one connection identification code is registered in the mobile control device 2 as an active connection identification code and stored in a memory of the mobile control device so that it can be accessed, the at least one connection identification code together with the at least one registered security code and optionally with additional data is transmitted in a data telegram to the safe data transmission counter station 9, the at least one connection identification code is registered in the data transmission counter station as an active connection identification code and is stored in a memory of the data transmission counter station so that it can be accessed.
  - 208. Log-on procedure according to claim 207, wherein the log-on procedure is not run unless no active connection identification code has been registered in the memory of the mobile control device 2 previously.
  - 209. Log-on procedure according to claim 207, wherein the registration of an active connection identification code in the data transmission counter station is only possible if no active connection identification code has been previously registered in the memory of the data transmission counter station.
  - 210. Log-on procedure according to claim 205, wherein position-related information is read in addition from the log-on tag 4 by the mobile control device 2 and it is optionally transmitted to the safe data transmission counter station 9 and/or to the controller 10 connected to it for data transmission purposes, and different control and/or display functions are released or made available on the mobile control device 2 or at the safe data transmission counter station 9 or at the controller 10 depending on the position-related information.
  - 211. Log-on procedure according to claim 205, wherein zone-related information is read in addition from the log-on tag 4 by the mobile control device 2, which identifies an operating range assigned to the log-on tag 4, this zone-related information is stored in the mobile control device 2 and/or at the safe data transmission counter station 9 and/or the functional controller 10 of the controllable technical system 60 connected to it for data transmission purposes so that it can be accessed.
  - 212. Log-on procedure according to claim 205, wherein the mobile control device 2 transmits user information about a safely assigned operator, in particular a user code and information relating to rights, to the safe data transmission counter station 9 and/or to the controller 10 connected to it for data transmission purposes, where it may be optionally stored in a memory so that it can be accessed.
  - 213. Log-on procedure according to claim 212, wherein the user information transmitted to the safe data transmission counter station 9, in particular the user code, is registered in the data transmission counter station 9 as active user information and is stored in a non-volatile memory 45 so that it can be accessed.
  - 214. Log-on procedure according to claim 213, wherein the log-on procedure is only completed and the data interface assignment between the mobile control device 2 and the data transmission counter station 9 established if no active user information was registered in the data transmission counter station previously or if the user information transmitted during the log-on procedure matches the active user information already registered or if authorization data transmitted together with the user information carries a special right to terminate the preexisting registration.
  - 215. Log-on procedure according to claim 212, wherein, depending on the user information transmitted to the data transmission counter station 9, different control and/or display functions are released or made available on the mobile control device 2 or at the safe data transmission counter station 9 or at the controller 10.
  - 216. Log-on procedure according to claim 212, wherein, once the user information has been transmitted to the data transmission counter station 9 and/or to the controller 10 of the technical system 60, it is checked for validity and optionally completed using a user table or comparison or check data held locally in the data transmission counter station 9 or in the controller 10 so that it can be retrieved.
  - 217. Log-on procedure according to claim 212, wherein, once the user information has been transmitted to the data transmission counter station 9 and/or to the controller 10 of the technical system 60, it is checked for validity and optionally completed using a user data bank or comparison or check data held centrally on a server 65 so that it can be retrieved.
  - 218. Log-on procedure according to claim 212, wherein, once the user information has been transmitted to the data transmission counter station 9 and/or to the controller 10 of the technical system 60, profile data is loaded into the mobile control device 2 and/or optionally into the controller 10 by accessing data sets stored either locally or centrally in a server 65, which are assigned to the user and optionally to the technical system or the specific log-on position.
  - 219. Log-on procedure according to claim 218, wherein the assigned and loaded profile data also contains specific software components.
  - 220. Log-on procedure according to claim 205, wherein the mobile control device 2 additionally reads address or assignment information from the log-on tag 4, in particular radio addresses, channel numbers or IP addresses, and these are stored in the mobile control device 2 and used to address the data telegrams transmitted by the control device 2 to the safe data transmission counter station 9.
  - 221. Log-on procedure according to claim 205, wherein the safe data transmission counter station 9 provides information about the assigned safety loop and/or about the controllable technical system 60, this information is transmitted to the assigned mobile control device 2 and output there on an output means 26 or can be retrieved there.
  - 222. Log-on procedure according to claim 205, wherein the mobile control device 2 has an unequivocal device code, this device code is transmitted to the safe data transmission counter station 9 and is stored there as an actively registered device code so that it can be accessed.
  - 223. Log-on procedure according to claim 222, wherein the transmitted device code is stored at the safe data transmission counter station 9 in a non-volatile memory 45 so that it can be accessed.
  - 224. Log-on procedure according to claim 205, wherein synchronization information is exchanged between the mobile control device 2 and the data transmission counter station 9 in order to synchronize respective system times local to the devices.
  - 225. Log-on procedure according to claim 205, wherein the log-on procedure is not run or can not be started or completed unless the controllable technical system 60 or its controller 10 are in a safe special operating mode.
  - 226. Log-on procedure according to claim 205, wherein the controllable technical system 60 or its controller 10 is switched to a safe special operating mode on completion of the log-on procedure.

227. Operating method for safely operating a temporary active data connection from a mobile control device 2 to at least one safety loop of a controllable technical system 60 and optionally to a controller 10 of a technical system, with an interconnected data transmission means, in particular a bus system or a network without a physically secured unequivocal point-to-point assignment of the message sources and message sinks, and with an interconnected safe data transmission counter station 9 which is permanently connected to the safety loop, wherein data telegrams are generated by a first processor or detection circuit 34 and a second processor or detection circuit 35 of the mobile control device 2, these data telegrams are identified with a previously read log-on tag 4 and a security code registered in the control device 2 or with a connection code checked and registered by means of the read security code, the data telegrams are transmitted to the safe data transmission counter station, the data telegrams received in the safe data transmission counter station 9 are checked for a valid code corresponding to a security code registered in the memory of the data transmission counter station 9 and/or corresponding to a connection code checked by means of the security code and registered, and if a valid code is established, the signals or data for the safety loop are adjusted or fed into the safety loop in accordance with the data content of the data telegrams.
- View Dependent Claims (228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238)
- - 228. Operating method according to claim 227, wherein the first 34 and the second 35 processor or detection circuit, repeatedly and independently of one another, detect the switch state of a safety switch element disposed in the mobile control device 2, in particular a safety switch based on an electrical multi-circuit design, and encode it in the generated data telegrams.
  - 229. Operating method according to claim 227, wherein information or signals for a cross-comparison relating to the independently detected switch state of the safety switch element are exchanged between the first 34 and the second 35 processor or detection circuit and taken into account when setting the switch state encoded in the data telegrams.
  - 230. Operating method according to claim 227, wherein the first 34 and second 35 processor or detection circuit generate and encode the data telegrams independently of one another and these data telegrams are checked in the data transmission counter station 9 independently of one another by a respective co-operating, assigned third 48 and fourth 49 processor or monitoring circuit, and a non-safe state is signaled to the safety loop of the controllable technical system 60 as soon as one of the independently operating third 48 and fourth 49 processors or monitoring circuits establishes a state that is not safe on the basis of the checked data telegrams.
  - 231. Operating method according to claim 227, wherein information or signals for a cross-comparison relating to the safety state determined from the data telegrams are exchanged 57 between the third 48 and the fourth 49 processor or monitoring circuit and taken into account for the signals or data fed into the safety loop.
  - 232. Operating method according to claim 227, wherein, when generating the data telegrams in the mobile control device 2, additional time-related information is incorporated and this time-related information is applied as an additional check criterion when the code of the data telegrams is checked in the safe data transmission counter station 9.
  - 233. Operating method according to claim 227, wherein, when generating the data telegrams in the mobile control device 2, additional sequence information, in particular a sequential numbering, is incorporated, and this sequence information is applied as an additional check criterion when the code of the data telegrams is checked in the safe data transmission counter station 9.
  - 234. Operating method according to claim 227, wherein, when generating the data telegrams in the mobile control device 2, an unequivocal device code individually assigned to the control device is incorporated, and this device code is applied as an additional check criterion when the code of the data telegrams is checked in the safe data transmission counter station 9.
  - 235. Operating method according to claim 227, wherein, when a validly coded data telegram arrives at the safe data transmission counter station 9 with information relating to the operating status of an ok key of the mobile control device 2, a timer with a defined sequence time is restarted, and during a sequence of the timer a signal state or a data value for connecting into the safety loop is set so that a non-operated ok key is signaled.
  - 236. Operating method according to claim 227, wherein, when a validly coded data telegram arrives at the safe data transmission counter station 9 with information relating to the operating state of an emergency stop switch or a stop switch of the mobile control device 2, a timer with a defined sequence time is restarted, and during a sequence of the timer a signal state or a data value for connecting into the safety loop is set so that an operated emergency stop switch or stop switch is signaled.
  - 237. Operating method according to claim 227, wherein, when a validly coded data telegram arrives at the safe data transmission counter station 9 with information relating to the operating state of an operating mode selection switch of the mobile control device 2, a timer with a defined sequence is restarted, and during the sequence of the timer a signal state or a data value for connecting into the safety loop is set so that an invalid operating mode selection is signaled.
  - 238. Operating method according to claim 227, wherein zone tags 68 disposed within the detection range of the reading unit are continuously detected, the zone codes encoded in them are read, the zone codes are checked to ascertain whether they belong to the permissible detection range registered in the mobile control device 2 or in the safe data transmission counter station 9, and if it is established that not all the detected zone codes belong or if no zone tag can be detected, running of the safety critical control commands is prevented.

239. Log-off procedure for safely terminating a temporary active data connection from a mobile control device 2 to at least a safety loop of a controllable technical system 60 and optionally with to a controller of a technical system, with an interconnected data transmission means, in particular a bus system or a network without a physically secured unequivocal point-to-point assignment of the message sources and message sinks, and with an interconnected safe data transmission counter station 9 which is permanently connected to the safety loop, wherein a registered active connection identification code which is stored both in a memory of the mobile control device 2 and in a memory of the data transmission counter station 9 so that it can be accessed is deleted from the respective memory or designated as inactive.
- View Dependent Claims (240, 241, 242, 243, 244, 245, 246, 249)
- - 240. Log-off procedure according to claim 239, wherein a security code stored and registered in the mobile control device 2 which was read from an electronically detectable log-on tag 4 is deleted from the memory or designated as inactive.
  - 241. Log-off procedure according to claim 239, wherein active user information stored and registered in the safe data transmission counter station 9 is deleted from the memory or is designated as inactive.
  - 242. Log-off procedure according to claim 239, wherein an operating state or activation state of an emergency stop switch or stop switch of the mobile control unit 2 established immediately before is stored in a non-volatile memory 45 of the data transmission station 9 and once the mobile control device 2 has been logged off, a corresponding signal state or a corresponding data value for the safety loop of the controllable technical system 60 continues to be connected or fed into the safety loop.
  - 243. Log-off procedure according to claim 239, wherein a signal state corresponding to the operating state of an ok key of the mobile control device 2 or corresponding data value for the safety loop is connected into or fed into the safety loop as being inactive or non-operated after the log-off.
  - 244. Log-off procedure according to claim 239, wherein the log-off procedure is initiated by a manual command input by the operator 1 from the control device 2.
  - 245. Log-off procedure according to claim 239, wherein, once a defined period has elapsed in which no validly coded data telegram was received in the data transmission counter station 9 from the mobile control device 2, the log-off procedure is automatically initiated.
  - 246. Log-off procedure according to claim 239, wherein the log-off procedure is not run in full unless a log-on tag 4 is disposed within the detection range of a reading unit 24 of the mobile control device 2 and a detected security code of the log-on tag 4 matches a security code previously registered in the mobile control device 2 or in the safe data transmission counter station 9.
  - 249. Log-off procedure for safely terminating a safe assignment of the command authority of an operator 1 of a mobile control device 2 to a safety loop of a controllable technical system 60 and optionally to a controller 10 of the technical system, with an interconnected data transmission means, in particular a bus system or a network with no physically secured unequivocal point-to-point assignment of the message sources and message sinks, and an interconnected safe data transmission counter station which is permanently connected to the safety loop, wherein a safe active data connection of the mobile control device 2 to the safety loop is terminated on the basis of a log-off procedure according to claim 239 and a safe assignment of the command authority of the operator 1 to the mobile control device 2 is terminated on the basis of a log-off procedure for safely terminating a temporary safe assignment of the command authority of an operator 1 to a control device 2, wherein the user is allocated a key tag 5 which is provided with an electronically readable code in the form of a user code and optionally additional user information, and during a log-off procedure at least the user code and optionally the additional user information is detected by means of a reading unit 24 provided in the control device 2, the detected user code is checked to ascertain a match with a registered active user code and if a match is established, the registered active user code is deleted or designated as inactive and an authorization to use functions of the control device 2 for which rights are required is terminated.

247. Method of switching on with a view to safely operating a mobile control device, wherein during an initialization procedure, all memories provided as a means of holding a read security code or for holding a connection identification code are deleted or initialized with an unequivocally invalid value.

250. Recording method for recording safety-relevant information for use in a system with at least one safe mobile control device 2 and at least one safe data transmission counter station 9 with a link to the safety loop of a controllable technical system 60 and optionally to a controller 10 of the technical system, wherein data is transmitted from the mobile control device 2 and/or from the safe data transmission counter station 9 and/or from the controller 10 of the technical system to a central server 65, where it is recorded with time-related information which can be chronologically reconstructed and retrieved, which data relates to the establishment and termination of safe assignments of users to mobile control devices 2 and/or to controllable technical systems 60 and/or which data relates to the triggering of potentially safety critical control operations by the users 1.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KEBA AG (KLH Beteiligungs GmbH)
Original Assignee
KEBA AG (KLH Beteiligungs GmbH)
Inventors
Möschl, Manfred, Schininger, Manfred

Granted Patent

US 8,344,848 B2
Time in Patent Office

Days
Field of Search
US Class Current

340/5.650
CPC Class Codes

G05B 19/4184   characterised by fault tole...

G05B 2219/33192   Radio link, wireless

G05B 2219/33235   Redundant communication cha...

G05B 2219/36159   Detachable or portable prog...

G05B 2219/36542   Cryptography, encrypt, acce...

Y02P 90/02   Total factory control, e.g....

Method and Device for the Safe, Systematic, Exclusive Assignment of the Command Authorization of an Operator to a Controllable Technical Installation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

95 Citations

250 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Device for the Safe, Systematic, Exclusive Assignment of the Command Authorization of an Operator to a Controllable Technical Installation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

250 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links