阅读说明：本技术 需要有意功能激活的安全系统和包括需要有意功能激活的安全系统的材料试验系统 (Security system requiring intentional functional activation and material testing system including a security system requiring intentional functional activation ) 是由 玛丽·伊丽莎白·佩珀 埃琳娜·罗斯·曼加诺 安德鲁·德沃尔夫 于 2019-11-29 设计创作，主要内容包括：公开了需要有意功能激活的安全系统和包括需要有意功能激活的安全系统的材料试验系统。一种示例材料试验系统包括：致动器,该致动器被配置为控制该材料试验系统的操作者可接近的部件；操作者界面,该操作者界面包括多个输入；以及一个或多个处理器,该一个或多个处理器被配置为：基于材料试验过程或来自该操作者界面的输入中的至少一个来控制该致动器；以及要求在预定阈值时间内接收两个或更多个输入,以允许该致动器的至少一个操作。(A security system requiring intentional functional activation and a material testing system including a security system requiring intentional functional activation are disclosed. An example material testing system includes: an actuator configured to control an operator accessible component of the material testing system; an operator interface including a plurality of inputs; and one or more processors configured to: controlling the actuator based on at least one of a material testing process or an input from the operator interface; and requiring two or more inputs to be received within a predetermined threshold time to allow at least one operation of the actuator.)

1. A material testing system, comprising:

an actuator configured to control an operator accessible component of the material testing system;

an operator interface comprising a plurality of inputs; and

one or more processors configured to:

controlling the actuator based on at least one of a material testing process or an input from the operator interface; and

two or more inputs are required to be received within a predetermined threshold time to allow at least one operation of the actuator.

2. The material testing system of claim 1, wherein the one or more processors are configured to require the two or more inputs in order to initiate each operation of the actuator by the processor.

3. The material testing system of claim 1, wherein the one or more processors are configured to require the two or more inputs to restart the operation or start a different operation in response to a pause or stop in the operation of the actuator.

4. The material testing system of claim 1, wherein the operator interface comprises a button configured to output an unlock signal when the button is pressed, wherein the one or more processors are configured to use the unlock signal as one of the two or more inputs.

5. The material testing system of claim 1, wherein the operator accessible component comprises an automated clamp configured to clamp a material under test, wherein the actuator is configured to actuate the automated clamp, and the at least one operation comprises applying a pressure greater than a threshold via the automated clamp.

6. The material testing system of claim 5, wherein the one or more processors are configured to allow control of the actuator to apply a pressure less than the threshold via the automated clamp when less than the two or more inputs are received.

7. The material testing system of claim 1, wherein the operator accessible component comprises a beam configured to move to position or apply a force to a material under test, wherein the at least one operation comprises at least one of moving the beam or applying the force to the material under test.

8. The material testing system of claim 1, wherein the operator accessible component comprises a beam configured to move to position or apply a force to a material under test, wherein the at least one operation comprises moving the beam at least at a threshold speed.

9. The material testing system of claim 8, wherein the one or more processors are configured to allow control of the actuator to move the beam at a speed less than the threshold when less than the two or more inputs are received.

10. The material testing system of claim 1, wherein the one or more processors are configured to cease operation of the actuator during operation of the actuator in response to determining that at least one of the two or more inputs is no longer received.

11. The material testing system of claim 1, wherein the one or more processors are configured to stop operation of the actuator during operation of the actuator in response to determining that none of the two or more inputs were received.

12. The material testing system of claim 1, wherein the one or more processors are configured to continue operation of the actuator after the two or more inputs are no longer received during operation of the actuator.

13. The material testing system of claim 12, wherein the one or more processors are configured to stop operation of the actuator based on at least one of an end of the material testing process, a pause in the material testing process, or an input from the operator interface.

14. The material testing system of claim 1, wherein the one or more processors comprise:

a control processor configured to perform the control of the actuator; and

one or more safety processors configured to recognize the two or more inputs and to allow at least one operation of the actuator.

15. A material testing system, comprising:

an actuator configured to control an operator accessible component of the material testing system;

an operator interface comprising a plurality of inputs;

a camera and a video processor, the video processor configured to:

detecting an intrusion by processing an image output by a camera; and

outputting a not detected signal in response to determining that no intrusion is detected; and

one or more processors configured to:

controlling the actuator based on at least one of a material testing process or an input from the operator interface; and

requiring the receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs including the undetected signal.

16. A material testing system, comprising:

an actuator configured to control an operator accessible component of the material testing system;

an operator interface comprising a plurality of inputs;

a pressure-sensitive surface configured to:

detecting the presence of pressure on the surface; and

outputting a pressure signal in response to detecting the pressure; and

one or more processors configured to:

controlling the actuator based on at least one of a material testing process or an input from the operator interface; and

requiring the receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs including the undetected signal.

17. A material testing system, comprising:

an actuator configured to control an operator accessible component of the material testing system;

an operator interface comprising a plurality of inputs;

an operator detection switch configured to output a switch signal when the switch is actuated; and

one or more processors configured to:

controlling the actuator based on at least one of a material testing process or an input from the operator interface; and

requiring the receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs comprising the switching signal.

18. A material testing system, comprising:

an actuator configured to control an operator accessible component of the material testing system;

an operator interface comprising a plurality of inputs;

a presence detector configured to:

detecting a presence of an operator within a predefined volume; and

outputting a presence signal when an operator is detected within the volume; and

one or more processors configured to:

controlling the actuator based on at least one of a material testing process or an input from the operator interface; and

requiring the receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs comprising the presence signal.

19. A material testing system, comprising:

an actuator configured to control an operator accessible component of the material testing system;

an operator interface comprising a plurality of inputs;

a proximity sensor configured to:

monitoring whether an operator is within a predetermined proximity of the proximity switch; and

outputting a non-proximity signal when an operator is not detected within the predetermined proximity; and

one or more processors configured to:

controlling the actuator based on at least one of a material testing process or an input from the operator interface; and

requiring the receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs comprising the non-proximity signal.

Background

The present disclosure relates generally to material testing, and more particularly to security systems requiring intentional functional activation and material testing systems including security systems requiring intentional functional activation.

Universal testing machines are used to perform mechanical tests on materials or parts, such as compressive strength tests or tensile strength tests.

Disclosure of Invention

A security system requiring intentional functional activation and a material testing system including a security system requiring intentional functional activation are disclosed, substantially as illustrated by and described in connection with at least one drawing, as set forth more completely in the claims.

Drawings

These and other features, aspects, and advantages of the present disclosure will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:

FIG. 1 is an example test rig for performing mechanical property tests according to aspects of the present disclosure.

FIG. 2 is a block diagram of an exemplary embodiment of the assay device of FIG. 1.

Fig. 3 is a block diagram of an example implementation of the security system of fig. 2.

Fig. 4 illustrates an example operator interface that may be used to implement the operator interfaces of fig. 1-3.

Fig. 5 illustrates another example operator interface that may be used to implement this operator interface of fig. 1-3.

Fig. 6 is a flow chart representing example machine readable instructions that may be executed by the safety system of fig. 2 and 3 to control actuation of the material testing system of fig. 1-3 in a non-limiting mode.

FIG. 7 illustrates an example material testing system including a camera and a video processor configured to provide input signals to a safety system to operate the material testing system.

FIG. 8 illustrates an example material testing system that includes a pressure sensitive surface configured to provide input signals to a safety system to operate the material testing system.

FIG. 9 illustrates an example material testing system that includes an operator detection switch configured to provide an input signal to a safety system to operate the material testing system.

FIG. 10 illustrates an example material testing system that includes a presence detector configured to provide an input signal to a safety system to operate the material testing system.

FIG. 11 illustrates an example material testing system including a proximity sensor configured to provide an input signal to a safety system to operate the material testing system.

The drawings are not necessarily to scale. Where appropriate, like or identical reference numerals are used to refer to like or identical parts.

Detailed Description

Conventional material testing systems use mitigation techniques such as configuration switches, guarding, limited force control, motion limitation and/or protection, and the like to improve operator safety. However, conventional material testing systems often do not always meet international standards. Conventional mitigation techniques require an operator to place the system in an appropriate operating mode, such as a secure interaction or trial. Many conventional safety techniques may be implemented using off-the-shelf safety components, such as Programmable Logic Controllers (PLCs) and/or relays. PLCs and relays typically add significant cost to the material testing system.

The disclosed example material testing system embeds or integrates an international standard compliant safety system within the material testing system. Because the safety system is integrated into the material testing system, the disclosed example material testing system provides safety improvements at a much lower cost than can be achieved using off-the-shelf parts, because the safety system is integrated into existing electronics, semiconductors, and/or circuit boards of the material testing system. Integration further improves reliability, thereby reducing or eliminating external wiring between purchased security components.

As described in greater detail below, the disclosed example safety systems for material testing systems include machine status indicators that visually display the status of the testing machine from the perspective of operational limitations. The disclosed example safety systems for material testing systems provide highly reliable and monitored activation mechanisms at a machine control point, which may include internal fault checking and/or power diagnostics within the material testing system. In some examples, the pneumatic clamp is provided with two-stage clamp pressure control and monitoring. The disclosed example material testing system is compatible with interlocking protection systems having redundant or different contacts. Such protection systems comply with ISO safety standards by using redundant, diverse and/or dynamic real-time monitoring. The disclosed example material testing system includes redundant beam travel limit monitoring. The material testing system shutdown circuitry of the disclosed examples complies with international safety standards including ISO 13849-1.

Additionally, conventional off-the-shelf safety relay components used with PLCs use an additional layer of firmware within the PLC to stop the motion of moving components during an emergency stop event. The disclosed example safety systems for material testing systems are configured to enable hardware (e.g., an emergency stop button) to directly shut down the power amplifier driver of the actuator(s) regardless of whether embedded firmware within the safety processor is running.

The disclosed example material testing system conforms to European mechanical Directive (ISO 13849-1 standard, which relates to the rules set forth in Safety-Related Parts of Control Systems). The following functions, as determined by system risk analysis, have been integrated into the material testing system. The safety system provides a disabled drive state for removing energy from the drive beam, a disabled drive state for removing energy from the clamping system, and a limited drive state for making operator settings. In a limited drive state, example safety systems monitor beam speed to maintain beam speed below an upper speed limit, monitor intentional manual movement (jog) of the beam, monitor reduced clamping pressure upon closure, and/or monitor intentional clamp closure.

As used herein, "cross-beam" refers to a component of a material testing system that applies a directional (axial) and/or rotational force to a sample. The material testing system may have one or more beams, and the beam(s) may be located at any suitable location and/or orientation in the material testing system.

The disabling of circuitry, actuators, and/or other hardware may be accomplished via hardware, software (including firmware), or a combination of hardware and software, and may include physical disconnection, power down, and/or software control that limits the implementation of commands to activate circuitry, actuators, and/or other hardware. Similarly, enablement of circuitry, actuators, and/or other hardware may be accomplished via hardware, software (including firmware), or a combination of hardware and software using the same mechanisms as disablement. The firmware may include stored instructions, such as security level embedded software (SRESW) and/or security level application software (SRASW).

The disclosed example material testing system further includes an unrestricted drive state that enables removal of the inspection in the restricted drive state. In some examples, the unrestricted drive state may be entered by a dual activation mechanism, wherein the material testing function is performed and the operator does not interact with the system.

The disclosed example material testing system includes indicators on each machine for different status indications, such as disabled status, set status (e.g., limited drive mode), warning status (e.g., non-limited drive mode), and test status (e.g., non-limited drive mode), to clearly indicate when an operator may interact and when a hazard exists.

The disclosed example material testing systems include one or more stop functions configured to override the initiation and/or continuation of movement of a component, such as a beam or clamp. Furthermore, one or more stopping functions may be redundantly configured via hardware such that they effectively disable the material testing system even when the software portion of the safety system is disabled. Examples of such stop functions that may be included in the disclosed system include interlocked guards and/or emergency stop switches.

Some disclosed example material testing systems include a single control point selected and implemented for activating the material testing frame and/or the clamping system. Some example systems provide power failure monitoring and/or protection to ensure that the system ceases unrestricted operation and places the material testing system in a disabled drive state when power is reestablished. In some examples, any pneumatic specimen grips are automatically de-energized in response to a power failure.

Example safety systems and material testing systems disclosed include added internal diagnostics and reporting to an operator critical errors within the system, such as equipment failures, or conflicts between redundant inputs, outputs, and/or processes. The disclosed example material testing system enables faster specimen removal and/or insertion relative to conventional material testing systems because the safety setup mode of the testing machine allows an operator to move within the test space without disabling the material testing system or requiring a protective door. The disclosed example system further improves operator safety in setting and configuring the system within the test space at least in part due to the use of a set-up condition that limits movement of the cross-beam and/or limited movement and/or force that may be applied by the clamp.

The disclosed material testing systems and safety systems may be particularly configured for use in the disclosed example configurations to achieve identified risk mitigation. The disclosed material testing system provides a significant improvement in the efficiency and pertinence of material testing over the purchase of a generic, off-the-shelf, discrete security component.

An example material testing system is disclosed that includes: an actuator configured to control an operator accessible component of a material testing system; an operator interface including a plurality of inputs; and one or more processors configured to: controlling an actuator based on at least one of a material testing process or an input from an operator interface; and requiring two or more inputs to be received within a predetermined threshold time to allow at least one operation of the actuator.

In some examples, the one or more processors are configured to require the two or more inputs in order to initiate each operation of the actuator by the processor. In some examples, the one or more processors are configured to require the two or more inputs to restart the operation or to start a different operation in response to a pause or cessation of operation of the actuator. In some examples, the operator interface includes a button configured to output an unlock signal when the button is pressed, wherein the one or more processors are configured to use the unlock signal as one of the two or more inputs.

In some examples, the operator accessible component includes an automated clamp configured to clamp the material under test, wherein the actuator is configured to actuate the automated clamp, and the at least one operation includes applying a pressure greater than a threshold via the automated clamp. In some examples, the one or more processors are configured to allow the control actuator to apply a pressure less than a threshold via the automated clamp when less than the two or more inputs are received. In some examples, the operator accessible component includes a beam configured to move to position or apply a force to the material under test, and the at least one operation includes at least one of moving the beam or applying a force to the material under test.

In some examples, the operator accessible component includes a beam configured to move to position or apply a force to the material under test, wherein the at least one operation includes moving the beam at least at a threshold speed. In some examples, the one or more processors are configured to allow the control actuator to move the beam at a speed less than a threshold speed when less than the two or more inputs are received. In some examples, the one or more processors are configured to, during operation of the actuator, cease operation of the actuator in response to determining that at least one of the two or more inputs is no longer received.

In some examples, the one or more processors are configured to, during operation of the actuator, cease operation of the actuator in response to determining that none of the two or more inputs were received. In some examples, the one or more processors are configured to continue operation of the actuator after the two or more inputs are no longer received during operation of the actuator. In some such examples, the one or more processors are configured to stop operation of the actuator based on at least one of an end of the material testing process, a pause in the material testing process, or an input from an operator interface.

In some example material testing systems, the one or more processors include: a control processor configured to perform control of the actuator; and one or more safety processors configured to recognize the two or more inputs and to allow at least one operation of the actuator.

Some disclosed example material testing systems include: an actuator configured to control an operator accessible component of a material testing system; an operator interface including a plurality of inputs; a camera and a video processor, the video processor configured to: detecting an intrusion by processing an image output by a camera; and outputting a not detected signal in response to determining that no intrusion is detected; and one or more processors configured to: controlling an actuator based on at least one of a material testing process or an input from an operator interface; and requiring receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs including the undetected signal.

Some disclosed material testing systems include: an actuator configured to control an operator accessible component of a material testing system; an operator interface including a plurality of inputs; a pressure-sensitive surface configured to: detecting the presence of pressure on the surface; and outputting a pressure signal in response to detecting the pressure; and one or more processors configured to: controlling an actuator based on at least one of a material testing process or an input from an operator interface; and requiring receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs including the undetected signal.

Some disclosed material testing systems include: an actuator configured to control an operator accessible component of a material testing system; an operator interface including a plurality of inputs; an operator detection switch configured to output a switch signal when the switch is actuated; and one or more processors configured to: controlling an actuator based on at least one of a material testing process or an input from an operator interface; and two or more inputs need to be received to allow at least one operation of the actuator, at least one of the two or more inputs comprising the switching signal.

Some disclosed material testing systems include: an actuator configured to control an operator accessible component of a material testing system; an operator interface including a plurality of inputs; a presence detector configured to: detecting a presence of an operator within a predefined volume; and outputting a presence signal when an operator is detected within the volume; and one or more processors configured to: controlling an actuator based on at least one of a material testing process or an input from an operator interface; and requiring the receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs including the presence signal.

Some disclosed material testing systems include: an actuator configured to control an operator accessible component of a material testing system; an operator interface including a plurality of inputs; a proximity sensor configured to: monitoring whether an operator is within a predetermined proximity of the proximity switch; and outputting a non-proximity signal when an operator is not detected within a predetermined proximity; and one or more processors configured to: controlling an actuator based on at least one of a material testing process or an input from an operator interface; and requiring receipt of two or more inputs to allow at least one operation of the actuator, at least one of the two or more inputs including the non-proximity signal.

FIG. 1 is an exemplary material testing system 100 for performing mechanical property testing. The example material testing system 100 may be, for example, a universal testing system capable of performing static mechanical testing. The material testing system 100 may perform, for example, a compression strength test, a tensile strength test, a shear strength test, a bending strength test, a flexural strength test, a tear strength test, a peel strength test (e.g., an adhesive strength), a torsional strength test, and/or any other compression and/or tensile test. Additionally or alternatively, material testing system 100 may perform dynamic testing.

The example material testing system 100 includes a test fixture 102 and a computing apparatus 104 communicatively coupled to the test fixture 102. The test fixture 102 applies a load to the material 106 being tested and measures mechanical properties of the test, such as displacement of the material 106 being tested and/or force applied to the material 106 being tested. Although the example test fixture 102 is shown as a dual column fixture, other fixtures, such as a single column test fixture, may be used.

The example computing device 104 may be used to configure the test fixture 102, control the test fixture 102, and/or receive measurement data (e.g., transducer measurements such as force and displacement) and/or test results (e.g., peak force, fracture displacement, etc.) from the test fixture 102 for processing, display, reporting, and/or any other desired purpose.

FIG. 2 is a block diagram of an example embodiment of the material testing system 100 of FIG. 1. The example material testing system 100 of FIG. 2 includes a test fixture 102 and a computing apparatus 104. Example computing device 104 may be a general purpose computer, laptop computer, tablet computer, mobile device, server, kiosk, and/or any other type of computing device.

The example computing device 104 of fig. 2 includes a processor 202. The example processor 202 may be any general purpose Central Processing Unit (CPU) from any manufacturer. In some other examples, processor 202 may include one or more special-purpose processing units, such as a RISC processor with an ARM core, a graphics processing unit, a digital signal processor, and/or a system on chip (SoC). The processor 202 executes machine-readable instructions 204, which may be stored locally at the processor (e.g., in an included cache or SoC) in random access memory 206 (or other volatile memory), in read only memory 208 (or other non-volatile memory such as FLASH memory), and/or in mass storage device 210. Example mass storage devices 210 may be hard disk drives, solid state storage drives, hybrid drives, RAID arrays, and/or any other mass data storage device.

The bus 212 supports communication between the processor 202, the RAM 206, the ROM 208, the mass storage device 210, the network interface 214, and/or the input/output interface 216.

An example network interface 214 includes hardware, firmware, and/or software to connect the computing device 104 to a communication network 218, such as the internet. For example, the network interface 214 may include wireless and/or wired communication hardware for sending and/or receiving communications in accordance with IEEE 202. X.

The example I/O interface 216 of fig. 2 includes hardware, firmware, and/or software to connect one or more input/output devices 220 to the processor 202 to provide input to the processor 202 and/or to provide output from the processor 202. For example, the I/O interface 216 may include a graphics processing unit for interfacing with a display device, a universal serial bus port for interfacing with one or more USB compatible devices, FireWire, Fieldbus, and/or any other type of interface. The example material testing system 100 includes a display device 224 (e.g., an LCD screen) coupled to the I/O interface 216. Other example I/O device(s) 220 may include: a keyboard, keypad, mouse, trackball, pointing device, microphone, audio speaker, display device, optical media drive, multi-touch screen, gesture recognition interface, magnetic media drive, and/or any other type of input and/or output device.

The example computing device 104 may access the non-transitory machine-readable media 222 via the I/O interface 216 and/or the I/O device(s) 220. Examples of the machine-readable medium 222 of FIG. 2 include: optical disks (e.g., Compact Disks (CDs), digital versatile/video disks (DVDs), blu-ray disks, etc.), magnetic media (e.g., floppy disks), portable storage media (e.g., portable flash drives, Secure Digital (SD) cards, etc.), and/or any other type of machine-readable media that may be removable and/or installable.

The example material testing system 100 of FIG. 1 further includes a test fixture 102 coupled to a computing apparatus 104. In the example of fig. 2, the test fixture 102 is coupled to a computing device via an I/O interface 216, such as via a USB port, a Thunderbolt port, a FireWire (IEEE 1394) port, and/or any other type of serial or parallel data port. In some other examples, test fixture 102 is coupled to network interface 214 and/or I/O interface 216 via a wired or wireless connection (e.g., ethernet, Wi-Fi, etc.) directly or via network 218.

The test fixture 102 of FIG. 2 includes a frame 228, a load cell 230, a displacement transducer 232, a cross-member loader 234, a material clamping device 236, a control processor 238, and a safety system 240. The frame 228 provides rigid structural support for the other components of the test fixture 102 that perform the test. Load cell 230 measures the force applied by cross-member loader 234 to the material being tested via clamp 236. The cross-member loader 234 applies a force to the material being tested, while a material clamping device 236 (also referred to as a clamp) grasps or otherwise couples the material being tested to the cross-member loader 234. The example cross-member loader 234 includes a motor 242 (or other actuator) and a cross-member 244. A beam 244 couples the material clamp 236 to the frame 228, and a motor 242 moves the beam relative to the frame to position the material clamp 236 and/or apply a force to the material being tested. Example actuators that may be used to provide force and/or motion of components of the material testing system 100 include motors, pneumatic actuators, hydraulic actuators, piezoelectric actuators, relays, and/or switches.

The example clamp 236 includes a platen, jaws, or other type of clamping device depending on the mechanical properties being tested and/or the material being tested. The clamp 236 may be manually configured, controlled through manual input, and/or automatically controlled by the control processor 238. The beam 244 and the clamp 236 are operator accessible components.

The example control processor 238 communicates with the computing device 104 to, for example, receive the trial parameters from the computing device 104 and/or report the measurements and/or other results to the computing device 104. For example, the control processor 238 may include one or more communication or I/O interfaces to enable communication with the computing device 104. Control processor 238 may control cross-member loader 234 to increase or decrease the applied force, control clamping device(s) 236 to grip or release the material being tested, and/or receive measurements from displacement transducer 232, load cell 230, and/or other transducers.

The example safety system 240 provides an additional monitoring and control layer for the test fixture 102. The safety system 240 monitors operator inputs and tests the status of the gripping apparatus 102. In the example of fig. 2, the safety system 240 limits the user's operation of the test fixture 102 so that the user can control the test fixture 102 only when the machine is in the appropriate state. In response to detecting one or more conditions, the safety system 240 will automatically place the test fixture 102 into a restricted state (e.g., a restricted set state, disabling all power and motion that may present a hazardous condition, etc.).

As discussed in more detail below, the safety system 240 selectively adds, removes, adds, and/or reduces restrictions on the operation of the material testing system based on monitoring input signals from the material testing system 100, input signals from the safety system 240, and/or control signals from the control processor 238. The safety system 240 controls the operation of the material testing system 100 by determining a state from a plurality of predetermined states in which the material testing system 100 is to be operated at any given time. Example predetermined states include one or more restricted states in which one or more operations of material testing system 100 are restricted (e.g., disabled, limited, etc.), and one or more unrestricted states in which the restriction of the restricted states is reduced and/or removed. In the example of fig. 2, a safety processor 240 is attached to and/or interrupts control of the cross-member loader 234 and/or the clamping device(s) 236 by the control processor 238. In some other examples, the safety system 240 may directly control the cross-member loader 234 and/or the clamping device(s) 236 when any applicable restrictions are imposed on the actuator.

Example limited states include a set state and a disabled state. In the set state, the safety system 240 restrains one or more actuators (e.g., the motor 242 and/or the clamp actuator(s) 246) and controls (or allows control of) those actuators in response to operator input. Example limitations on the motor 242 and/or the cross beam 244 may include an upper speed limit and/or an upper or lower position limit of the cross beam 244 relative to the test fixture 102. Example limitations on the clamp actuator(s) 246 may include an upper pressure limit and/or an upper clamping force limit. In the disabled state, the safety system 240 restricts the actuators and the control processor 238 does not control the actuators in response to operator input (e.g., does not attempt to control the motor 242 and/or the clamp actuator(s) 246, or is prevented from controlling the motor 242 and/or the clamp actuator(s) 246 by powering down).

Example non-limiting conditions include a warning condition and a test condition. In an example warning state, the safety system 240 reduces restriction on the actuators (e.g., the motor 242 and/or the clamp actuator(s) 246) and does not control the actuator motor 242 and/or the clamp actuator(s) 246. In the warning state, control processor 238 may control the actuator(s) to perform an action, such as a high-speed jog of cross-beam 244 and/or increase the clamping force of pneumatic clamp 248, for which the operator should not physically approach cross-beam 244 and/or pneumatic clamp 248. In an example test condition, the safety system 240 reduces the restrictions on the actuators while the control processor 238 controls the actuator(s) to perform the test (e.g., according to a material testing procedure or program executed by the control processor 238).

The example material testing system 100 of FIG. 2 may further include one or more control panels 250 including a plurality of status indicators 252 and one or more mode switches 254. The mode switch 254 may include buttons, switches, and/or other input devices located on the operator control panel. For example, the mode switch 254 may include a button that controls the motor 242 to jog (e.g., position) the cross beam 244 at a particular location on the frame 228, a switch (e.g., a foot switch) that controls the clamp actuator 246 to close or open the pneumatically actuated clamp 248, a mode control button that is pressed along with another button to enable the safety system 240 to allow operation in an unrestricted state, and/or any other input device that may cause operation in an unrestricted state.

The status indicators 252 correspond to a set of predetermined states to which the safety system 240 may set the material testing system 100 (e.g., the disable, set, alert, and test states described above). As described in more detail below, the safety system 240 controls the status indicator 252 to provide an indication as to the current status of the material testing system 100 as determined by the safety system 240. Status indicators 252 may include lights, displays, audio, mechanical systems, and/or any other indication recognizable to an operator.

Fig. 3 is a block diagram of an example implementation of the security system 240 of fig. 2. As shown in fig. 3, the security system 240 includes a security processor 302.

The example secure processor 302 includes a plurality of redundant processing cores 304a, 304 b. The processing cores 304a, 304b execute the redundant instructions 306a, 306b and receive redundant inputs such that the processing cores 304a, 304b should produce substantially identical outputs during normal operation of the test fixture 102. The safety processor 302 monitors a plurality of inputs (e.g., via the redundant cores 304a, 304b) and determines a state of the material testing system 100 based on the inputs. Safety processor 302 may compare the outputs of redundant instructions 306a, 306b and control the state of material testing system 100 based on the comparison of these outputs.

The example secure processor 302 and/or the redundant processing cores 304a, 304b may be general purpose Central Processing Units (CPUs) from any manufacturer. In some other examples, the secure processor 302 and/or the redundant processing cores 304a, 304b may include one or more special-purpose processing units, such as RISC processors with ARM cores, graphics processing units, digital signal processors, and/or systems on chips (socs). The secure processor 302 and/or the redundant processing cores 304a, 304b execute machine-readable instructions (such as the redundant instructions 306a, 306b) that may be stored locally at the processor (e.g., in an included cache or SoC) in a storage device (such as a random access memory, a read-only memory, and/or a mass storage device).

The redundant processing cores 304a, 304b and redundant instructions 306a, 306b allow the security system 240 to handle redundant and/or different inputs and outputs, thereby providing a highly reliable and predictable system. Thus, although representative inputs and outputs are illustrated in FIG. 3, these inputs and/or outputs may be duplicated to support redundant processing cores 304a, 304b and redundant instructions 306a, 306 b. The redundant instructions 306a, 306b (e.g., embedded software, operating system, and generated code) executed by the secure processor 302 conform to the procedures outlined in international standards including, but not limited to, ISO 13849-1 (which relates to "safety-related parts of control systems"). Although the example secure processor 302 includes multiple redundant processing cores, in other examples, the secure processor 302 may include a single processing core or multiple non-redundant processing cores.

The safety system 240 of fig. 3 further includes an actuator disabling circuit 308 that selectively disables the power amplifier 310 from energizing the motor 242 of the beam 244. Additionally or alternatively, the actuator disable circuit 308 (or another actuator disable circuit) may disable the clamp actuator(s) 246 from providing energy to the pneumatic clamp(s) 248. Power amplifier 310 receives input power and outputs power to motor 242 to control movement of beam 244. The example actuator disable circuit 308 and power amplifier 310 may be implemented using a safe rated safe torque Shutdown (STO) high reliability servo power amplifier. Control processor 238 may control the movement of motor 242 and beam 244 via motor control signal 312 to power amplifier 310.

In response to the STO signal 314 from the safety processor 302, the actuator disable circuit 308 disables the connected actuator (e.g., motor 242). For example, the actuator disable circuit 308 may turn off all energy to the motor 242 (and/or other moving parts in the material testing system 100) in less than some defined period of time. The example actuator disable circuit 308 may provide an STO feedback signal 315 to the safety processor 302 that indicates whether the actuator disable circuit 308 is currently disabling an actuator. The safety processor 302 may compare the STO signal 314 to the STO feedback signal 315 to detect a fault.

In the example material testing system 100, travel of the moving beam 244 and any internal components is stopped after the STO signal 314 is activated, as specified by international standards. Most subsystems of the safety system 240 disclosed herein activate the actuator disable circuit 308 to safely stop the machine. Additionally, the power amplifier 310 may include a motor braking circuit 316 to decelerate the motor 242 prior to application of the STO signal 314. The motor braking circuit 316 allows the motor 242 to stop in a more controlled manner by eliminating the constant movement due to mechanical inertia after the drive power is turned off. The use of pre-disable braking reduces or minimizes the movement of the cross beam 244 after the motor 242 is de-energized. Thus, the example actuator disable circuit 308 and the motor brake circuit 316 provide a class 1 stop as defined in the IEC 60204-1 standard, which is a "mechanical electrical safety standard".

The example safety processor 302 monitors the motor 242 and/or the motor brake circuit 316 when pre-disable braking occurs to confirm that the motor 242 is braking. If the safety processor 302 determines that the motor 242 is not decelerating during braking, the safety processor 302 performs brake fault mitigation to stop braking and immediately de-energize the motor 242. By implementing brake failure mitigation for the two-phase disable sequence, the safety processor 302 may shorten the stopping distance in the event of a brake failure. Although the shortest stopping distance occurs when the pre-disable brake is active, when the pre-disable brake is not fully active, the two-phase sequence involving the inactive pre-disable brake may have a longer stopping distance than a single-phase sequence (e.g., only disconnect). A second advantage of brake fault mitigation is that the mitigation enables greater flexibility in implementing a two-stage disabling sequence, since high performance braking can be performed using a wider range of components and systems with a brake fault mitigation process that can capture faults of the brake system.

The example security system 240 further includes an emergency stop device 318 (e.g., a button, switch, etc.) that provides an emergency stop input signal 320 to the security processor 302. The emergency stop device 318 may be a manually operated emergency stop button, which is a supplemental safety function. The emergency stop device 318 includes two channel redundancy for signaling. The emergency stop device 318 may include an emergency stop switch 322, an emergency stop detection circuit 324, and an actuator disable circuit 326. The emergency stop device 318 may be independently controlled using hardware and embedded software of the safety processor 302. For example, in response to detecting the emergency stop input signal 320 from the emergency stop detector 324, the safety processor 302 sets the state of the material testing system 100 to a disabled state and provides the emergency stop output signal 321 to the emergency stop device 318 (e.g., to the emergency stop switch 322).

In response to the emergency stop output signal 321, the emergency stop switch 322 controls the actuator disable circuit 326 to control the actuator disable circuit 314 and/or the motor brake circuit 314 to stop the motor 242. The example actuator disable circuit 326 may have a first connection to the motor braking circuit 314 and a second redundant connection to the actuator disable circuit 308. When the actuator disable circuit 326 is triggered, the actuator disable circuit 326 activates the motor braking circuit 314, delays for a period of time to allow braking to occur, and then activates the actuator disable circuit 308 to power down the applicable actuator.

In addition to or instead of control via the safety processor 302, the emergency stop switch 322 may directly actuate the actuator disable circuit 308 within the power amplifier 310, such as through a physical interruption of the STO signal 314 between the safety processor 302 and the actuator disable circuit 308. The safety processor 302 monitors the emergency stop detection circuit 324 and acts as a redundant monitor for the hardware. The safety processor 302 outputs the STO signal 314 to control the actuator disable circuit 308 to continue to disable the motor 242 such that when the emergency stop switch 322 is released, the material testing system 100 will remain disabled (e.g., in a limited state) and user interaction is required to re-enable operation of the motor 242.

The example material testing system 100 (e.g., the test fixture 102) is compatible with an interlock protection system having redundant or different contacts. The example safety system 240 may include one or more guards 328 and guard interlocks 330 configured to provide an operator access to a physical and/or virtual barrier of the material testing system 100 when operating in an unrestricted state. For example, the guard 328 may include physical barriers that are opened and closed to control access to the volume around the air clamp 248 and/or the cross-beam 244 (and/or other moving components). Example physical barriers include guard doors that can use redundant safety switches to monitor whether a door protecting a protected volume is open or closed. Each door switch has mechanically connected normally open and normally closed contacts that may be dynamically pulsed (e.g., by guard interlock 330) and/or otherwise received as inputs. Pulsing allows for real-time plausibility diagnostic checks on the guard gate switches.

Additionally or alternatively, guard 328 may include virtual guards that monitor intrusion into the volume around air clamp 248 and/or cross-beam 244. Example virtual guards may include light curtains, proximity sensors, and/or pressure pads. Although the virtual guards do not physically block access, the virtual guards output guard signals to guard interlocks 330, which output interlock signals 332 (e.g., similar to emergency stop switches 322 discussed above) to safety processor 302 and/or actuator disable circuit 308.

The interlock 330 may trigger the actuator disable circuit 308 to de-energize the motor 242. In some examples, when the guard interlock 330 is no longer triggered, the safety processor 302 controls the re-enabling of the power amplifier 310 in a manner similar to the emergency stop switch 322 discussed above.

Additionally or alternatively, the example safety system 240 may default to a limited "set" state when an operator enters a protected volume of the material testing system 100. The set state enforces a limit on speed, pressure, or other activity, rather than disabling or powering down the actuators of the system 100.

The example security system 240 includes a plurality of status indicators 252 and a mode switch 254. The example security processor 302 monitors the mode switches 254 by, for example, dynamically pulsing the mode switches 254 to generate or obtain the mode switch input signals 338 (e.g., one or more mode switch inputs of each mode switch 254). In some examples, the mode switch 254 is a high reliability switch. The safety processor 302 may test the mode switch 254 for short circuits or other fault conditions periodically, aperiodically, in response to an event (e.g., at the start of a materials testing machine), at a predetermined schedule, and/or at any other time.

The example safety processor 302 controls the status indicator 252 to indicate to an operator the status of the material testing system 100. For example, the secure processor 302 may output an indicator signal 342 to the status indicator 252. If the status indicator 252 is a light, the output indicator signal 342 may, for example, control each light to turn on, turn off, flash, and/or any other output of the light. In some examples, the safety processor 302 determines the status of the indicator via the indicator feedback signal 340. The example indicator feedback signals 340 may indicate to the safety processor 302 that each status indicator 252 is an on, off, short, open, and/or any other state or condition of the status indicator 252. If the processor determines that one or more of the status indicators 252 are not in the commanded correct state, the safety processor 302 controls the material testing system to a restricted state, providing a notification to the operator (e.g., via the control panel 250 or other notification).

The safety system 240 includes a power supply monitor 344 to monitor the power supplies (e.g., DC and AC power supplies) that provide power to the components of the material testing system 100. Power supply monitor 344 provides one or more power supply status signals 346 to secure processor 302 and/or watchdog circuit 362 (described below) to indicate whether the monitored power supplies are within respective voltage and/or current ranges. If power supply monitor 344 determines that one or more of the power supplies are out of tolerance, safety processor 302 and/or watchdog circuit 362 may disable material testing system 100 and alert the operator.

The example security system 240 further includes one or more speed sensors 348. The example speed sensor(s) 348 may be integrated, redundant, and/or different speed monitoring sensors. Velocity sensor(s) 348 provide velocity signal(s) 350 indicative of the beam velocity to safety processor 302. Safety processor 302 monitors speed signal(s) 350 to ensure that beam 244 does not exceed an upper speed limit (e.g., beam travel limit(s) 352) determined by the current operating mode of the machine. For example, the value of the upper speed limit may depend on whether material testing system 100 is in a constrained state or an unconstrained state. In some examples, two speed sensors operating according to different principles may be used in material testing system 100 to prevent sensors 348 from suffering a common cause of failure. The safety processor 302 reads and compares the speed signal 350 of each speed sensor 348 to verify that the speed signals 350 are consistent. If one velocity sensor 348 indicates a different velocity than the other velocity sensor 350, the safety processor 302 disables the material testing system 100 (e.g., via the actuator disable circuit 308).

The example beam travel limit(s) 352 may include a travel limit that specifies a position limit of the beam 244. When the beam travel limit(s) 352 is reached, the safety processor 302 stops the movement of the beam 244. In some examples, the beam travel limit(s) 352 is a multi-step limit, wherein the number of limits that are triggered indicates how far the beam travel limit(s) 352 has been exceeded. In some examples, the first level limit is processed by the safety processor 302 to stop operation of the applicable actuator (or all actuators), such as the motor 242. As the beam 244 continues to move beyond the first level limit and reaches the second level limit (e.g., further than the first level limit by an acceptable range), the beam travel limit 352 may trigger a direct connection (e.g., a hardwired connection) with the actuator disable circuit 308 and/or the motor braking circuit 316, and/or the actuator disable circuit 326 to trigger a two-phase disable of the motor 242.

In some examples, where the material testing system 100 includes an automated clamp (e.g., a pneumatic clamp, a hydraulic clamp, an electric clamp, an electromechanical clamp, an electromagnetic clamp, etc.), the safety system 240 includes a clamp controller 354 that controls the clamp actuators according to a multi-pressure clamping scheme. The multi-pressure gripping scheme reduces (e.g., minimizes, eliminates) the risk of injury to the operator when installing a material specimen into the material testing system 100 in the pneumatic gripper 248.

When safety processor 302 is in the set state to control material testing system 100, safety processor 302 provides pressure signal 356 to clamp controller 354. The clamp controller 354 controls the upper limit of the pressure that can be applied via the clamp 248 by controlling the clamp actuator(s) 246. The pressure signal 356 (which may be proportional to the specimen clamping force) is limited to allow sufficient pressure to clamp the specimen via clamp 248, but not enough pressure to cause serious injury to the operator. Conversely, when the safety processor 302 is controlling the material testing system 100 in an alert state or test state, the safety processor 202 provides the pressure signal 356 to enable the clamp controller 354 to use the higher pressure to clamp the sample during the test. The example clamp controller 354 may monitor the main system pressure (e.g., via the pressure sensor(s) 358) and/or the pressure(s) in the pneumatic clamp(s) 248 (e.g., upper and lower clamps). The clamp controller 354 feeds a pressure signal 360 to the safety processor 302 to verify that the commanded pressure is being executed.

In some examples, the clamp controller 354 is controlled by operator input using a foot pedal switch. For example, the foot pedal switch may comprise a separate switch to apply pressure and release pressure through the pneumatic clamp(s) 248. The switches may be mechanically connected switches that may be dynamically pulsed to check rationality between switches and/or to monitor potential faults (e.g., electrical faults) in the switches.

When power to the material testing system 100 is disabled, the safety processor 302 further controls the clamp controller 354 to de-energize the clamp actuator(s) 246. For example, the safety processor 302 may control the clamp actuator(s) 246 (e.g., via one or more valves, relays, etc.) to achieve pressurization when energized, but is typically depressurized for pneumatic actuators such that the pneumatic clamp(s) 248 are prevented from applying a clamping force when the material testing system 100 is not powered.

The example security system 240 further includes a watchdog circuit 362. Watchdog circuit 362 communicates with secure processor 302 periodically, aperiodically, in response to one or more events or triggers, and/or at any other time to verify operation of secure processor 302. For example, the security processor 302 may transmit a heartbeat signal or a response to a challenge from the watchdog circuit 362 to indicate to the watchdog circuit 362 that the security system 240 is operating correctly. If the watchdog circuit 362 does not receive an expected signal from the safety processor 302, the watchdog circuit 362 disables the material testing system 100 and notifies the operator.

The example safety processor 302, the example emergency stop device 322, the example guard interlock 330, the example beam travel limit(s) 352, and/or the example watchdog circuit 362 are coupled (e.g., via a hardwired connection) to the actuator disable circuit 326. When any of safety processor 302, emergency stop device 322, guard interlock 330, beam travel limit(s) 352, and/or watchdog circuit 362 determines that respective conditions are satisfied to disable material testing system 100 (e.g., activation of emergency stop switch 322, tripping of guard 328, exceeding a trigger of beam travel limit 352, and/or watchdog circuit 362), actuator disable circuit 326 is used to activate motor disable circuit 316 and actuator disable circuit 308. Safety processor 302 may determine that the status of material testing system 100 is a disabled status.

Although the example control processor 238 and the security processor 302 are shown as separate processors, in other examples, the control processor 238 and the security processor 302 may be combined into a single processor or a group of processors that are not divided into control functions and security functions. Further, the control processor 238, the secure processor 302, and/or the combined processor may include non-processing circuitry (such as analog and/or digital circuitry) to perform one or more dedicated functions.

Fig. 4 illustrates an example operator interface 400 that may be used to implement the control panel 250 of fig. 2 and 3. The operator interface 400 may be attached to the example test fixture 102, located near the text fixture, and/or remote from the test fixture 102. For example, the operator interface 400 may be implemented as a built-in operator panel or switch on the base tray of the test fixture 102.

The example operator interface 400 includes a plurality of input devices (e.g., buttons, switches, etc.) that provide input to the control processor 238 and/or the security system 240 of fig. 2 and/or 3. An example input device includes a state control button 402 that controls the transition from a restricted state (e.g., a set state) to an unrestricted state (e.g., a warning state, a trial state), and may require use of the button to perform an action involving the unrestricted state. The state control button 402 may be considered an "unlock" button or safety input that enables use of the material testing system in an unrestricted state.

Jog buttons 404, 406 control motor 242 to jog beam 244 in an upward or downward (or left and right, or direction based on any other orientation) direction (for directional beam movement) and/or in a right-hand or left-hand rotational direction (for rotational beam movement). When pressed individually, the jog buttons 404, 406 control the beam 244 to move up or down at a slow speed (e.g., as determined by the safety processor 302). When the jog buttons 404, 406 are pressed simultaneously with the state control button 402, the safety processor 302 may reduce the speed limit on the motor 242 and allow the beam 244 to jog at a higher speed. The example jog buttons 404, 406 may be used as directional inputs. In examples where the cross-beam 244 provides a rotational force or motion, the directional inputs may include rotational inputs, such as right-hand rotation and left-hand rotation.

As used herein, "simultaneously" receiving means that both inputs are activated or pressed at any given time, not necessarily both buttons are initially pressed at exactly the same time.

The start button 408 controls the control processor 238 to initiate the material test. The return button 410 controls the control processor 238 to return the cross beam 244 to a predetermined position, which may be done at low or high speed. In some examples, the secure processor 302 requires the start button 408 and/or the return button 410 to be pressed along with the state control button 402. The stop button 412 controls the control processor 238 to stop or pause the running test. An emergency stop switch 414 may be included to implement the emergency stop switch 322 of fig. 3.

The operator interface 400 further includes status indicators 416-422 to output an indication of the current status of the material testing system 100. The example status indicators 416-422 are lights that represent each status of the material testing system 100 that may be determined by the safety processor 302. In the example of fig. 4, the operator interface 400 includes a disable status indicator 416, a set status indicator 418, a warning status indicator 420, and a test status indicator 422. When the safety processor 302 determines that the material testing system 100 is in the corresponding state, each status indicator 416-422 is illuminated, and the status indicators 416-422 that do not correspond to the current state are not illuminated.

Fig. 5 illustrates another example operator interface 500 that may be used to implement this control panel 250 of fig. 2 and 3. The example operator interface 500 may be a handheld device having a limited set of input devices (e.g., buttons, switches, etc.). The operator interface 500 may be attached to the example test fixture 102, located near the text fixture, and/or remote from the test fixture 102. Operator interface 500 includes a status control button 502 (e.g., similar or identical to status control button 402 of fig. 4), jog buttons 504, 506 (e.g., similar or identical to jog buttons 404, 406), a start button 508 (e.g., similar or identical to start button 408), and a return button 510 (e.g., similar or identical to return button 410).

The operator interface 400, 500 may include custom buttons 512 or soft keys that provide programmable functionality to the operator. In some examples, the programmable function is limited by one or more of the limited states.

Fig. 6 is a flow chart representing example machine readable instructions 600 that may be executed by the safety system 240 of fig. 2 and 3 to control actuation of the material testing system 100 of fig. 1-3 in a non-limiting mode. The example instructions 600 implement a dual activation requirement in which multiple inputs are required within a timeout period to effect a transition from a constrained state to an unconstrained state.

The example instructions 600 may be executable to determine a state of a material testing system from a plurality of predetermined states, impose a constraint on an actuator, and automatically set the state of the material testing system to one of the constrained states in response to completion of an action involving controlling the actuator.

At block 602, the material testing system 100 and/or one or more subsystems may be powered on. If the material testing system 100 is not powered on, block 602 repeats until the material testing system 100 is turned on. When the material testing system 100 is powered on (block 602), at block 604 the safety system 240 sets the state of the material testing system 100 to a disabled state and disables one or more actuators (e.g., motor 242, clamp actuator(s) 246). For example, the safety system 240 may default to the actuator disable circuit 308 to de-energize the motor 242.

At block 606, the secure processor 302 is initialized. For example, safety processor 302 may perform fault checking (e.g., checking for open and/or closed circuits of inputs, outputs, and/or attached devices), redundancy checking (e.g., determining that redundant inputs and/or redundant outputs are consistent), and/or other initialization processes.

At block 608, the security processor 302 determines whether any faults are detected in the security system 240 (e.g., during an initialization process). If a fault is detected (block 608), at block 610, the security processor 302 outputs a fault alert (e.g., via the control panel 250, via the computing device 104, etc.). The example instructions 600 may then end.

When a fault is not detected (block 608), at block 611, the safety processor 302 determines whether an operator input has been received to transition the material testing system 100 from the disabled state to the set state. For example, the secure processor 302 may require one or more specified inputs (e.g., pressing an unlock button) to transition from the disabled state. If an operator input has not been received (block 611), block 611 repeats while the material testing system 100 remains in the disabled mode waiting for an operator input.

Upon receiving the operator input (block 611), the safety processor 302 sets the state of the material testing system 100 to a set state at block 612. In accordance with the set state being set, the safety processor 302 enables the actuator(s) (e.g., motor 242), limits the actuator(s), and indicates the state as the set state (e.g., via the state indicator 252). In some examples, safety processor 302 controls one or more visual indicators on control panel 250 to selectively highlight corresponding operator-selectable inputs (e.g., mode switch 254) based on the state of material testing system 100 being a set state. For example, the security processor 302 may control the visual indicator to highlight inputs that the operator may use in the setup mode and not to highlight inputs that may not be used in the setup mode.

At block 614, the safety processor 302 monitors input signals (e.g., sensor signals 320, 332, 338, 346, 350), feedback signals (e.g., feedback signals 315, 340, 360), control signals (e.g., signals from the control processor 238), and/or interlock signals (e.g., the guard signal 332 from the guard interlock 330) of the safety system 240. Safety processor 302 may monitor the signal to identify, for example, an operator command and/or condition that will cause safety processor 302 to identify a change in the state of material testing system 100.

At block 616, the security processor 302 determines whether a first operator input is received. Example first operator inputs may include a mode switch 254 (e.g., an unlock key, button, or switch), a presence sensor (e.g., a proximity sensor, a pressure sensitive surface, a motion sensor, a light curtain, a mechanical guard door, camera and processing circuitry, etc.), or any other source of operator input. The first operator input may include determining the presence at a first location where the operator is inaccessible to the protected volume and the second operator input is accessible. Additionally or alternatively, the first operator input may include absence within the protected volume itself. If the first operator input has not been received (block 616), control returns to block 614 to continue monitoring.

Upon receiving the first operator input (block 616), the secure processor 302 initializes a timeout timer at block 618. The timeout timer may be a software timer, a dedicated hardware timer, or any combination of hardware and software. In some examples, the first operator input may cause the safety processor 302 to determine that the state is in an alert state and indicate that the alert state is the current state (e.g., via the state indicator 252).

At block 620, the security processor 302 determines whether a second operator input has been received. Example second operator inputs may include a mode switch 254 (e.g., an unlock key, button, or switch), a presence sensor (e.g., a proximity sensor, a pressure sensitive surface, a motion sensor, a light curtain, a mechanical guard door, camera and processing circuitry, a room entry detector, etc.), or any other operator input source. The safety processor 302 may require that the combination of the first input and the second input include both a desired operation (e.g., jog the beam 244 at a speed above a limited set speed, begin a material test, return the beam 244 to a desired position, actuate the pneumatic clamp 248 at a pressure above a threshold pressure) and an intent indication input (e.g., unlock button, absence in a protected volume, presence at a location away from a protected volume).

In some examples, the security processor 302 may require that the desired operational input and the intent indication input be received in a required order (e.g., the desired operational input precedes the intent indication input or the intent indication input precedes the desired operational input).

If a second operator input has not been received (block 620), the security processor 302 determines whether a timeout timer has expired at block 622. For example, the timeout timer may be set to expire after running for a predetermined threshold period of time during which two operator inputs must be received to indicate the operator's intent to perform an action (e.g., to avoid inadvertent actuation). If the timeout timer has not expired (block 622), control returns to block 620 to continue monitoring for the second operator input. If the timeout timer has expired (block 622), the first operator input times out and control returns to block 614 to continue monitoring.

When a second operator input is received before the timeout period expires (block 620), the safety processor 302 sets the material testing system 100 to a state corresponding to the operator input (e.g., an unrestricted state, such as a warning state or a test state) at block 624. For example, when the first and second operator inputs correspond to a start of a test (e.g., the state switch button 502 and the start button 510), the safety processor 302 may transition the material testing system 100 to an alert state and then to a test state. The safety processor 302 also reduces and/or eliminates restrictions associated with the set state to perform actions corresponding to operator inputs.

At block 626, the control processor 238 performs an action corresponding to the first and second operator inputs. For example, the control processor 238 may perform programmed material trials, control the motor 242 to jog and/or return the beam to a desired position, apply high clamping or pinching pressures, and/or any other action corresponding to an operator input. At block 628, the secure processor 302 determines whether the action is complete. This action may be completed when, for example, either the first input or the second input is no longer received, if the control processor 238 has completed the programmed material test, if the interlock is triggered. In some examples, the safety processor 302 stops operation of the actuator in response to determining that one of the two inputs is no longer received. In some other examples, the safety processor 302 allows operation of the actuator to continue while at least one of the inputs is received and stops operation of the actuator in response to determining that no two or more inputs have been received. In some examples, the safety processor 302 allows operation of the actuator to continue even when input is no longer received (e.g., for extended duration testing) and to stop operation of the actuator in response to the end of the material testing process, a pause in the material testing process, or input from an operator interface (e.g., pressing the stop button 412 of fig. 4).

If the action is not complete (block 628), control returns to block 626 to continue performing the action. When the action has been completed (block 628), control returns to block 612 to return to the set state. The secure processor 302 may then reapply the corresponding restrictions.

Fig. 7 illustrates an example material testing system 700 that includes a camera 702 and a video processor 704 configured to provide input signals to the safety system 240 to operate the material testing system 700. The example material testing system 700 includes the material testing system 100 of fig. 1-3, including the safety system 240 and the operator interface 500 of fig. 5.

The camera 702 monitors a protected volume 706 (e.g., a volume adjacent to the test fixture 102). The video processor 704 detects intrusion by processing images output by the camera 702 and outputs an undetected signal to the security system 240 in response to determining that intrusion is not detected. The security system 240 may, for example, poll input from the video processor 704 to determine a value indicative of detection or non-detection. The example safety system 240 may then use the undetected signal as the first input signal or the second input signal (e.g., in instructions 600 of fig. 6) to enable some operations of the material testing system 100. When the camera 702 and video processor 704 detect an operator or object within the volume 706, the video processor 704 ceases to provide the undetected signal (or provides a detected signal) to the safety system 240, which then disables operation of the material testing system 100. The operator interface 500 may provide additional signals to indicate which operator is desired.

Fig. 8 illustrates an example material testing system 800 that includes a pressure sensitive surface 802 configured to provide input signals to the safety system 240 to operate the material testing system 800. The example material testing system 800 includes the material testing system 100 of fig. 1-3, including the safety system 240 and the operator interface 500 of fig. 5.

A pressure sensitive surface 802, such as a pressure pad, detects the presence of pressure (e.g., an operator) on the surface 802. When the presence of pressure is detected, the pressure sensitive surface 802 outputs a pressure signal to the safety system 240. The pressure sensitive surface 802 may be positioned such that an operator standing on the pressure sensitive surface 802 is not within reach or cannot reach the protected volume when presence is detected. The security system 240 may, for example, poll for input from the pressure sensitive surface 802 to determine a value indicative of detection or non-detection. The example safety system 240 may then use the pressure signal as a first input signal or a second input signal (e.g., in the instructions 600 of fig. 6) to enable some operation of the material testing system 100. When the pressure sensitive surface 802 no longer detects the operator or object, the pressure sensitive surface 802 ceases to provide the detected signal (or provides an undetected signal) to the safety system 240, which then disables operation of the material testing system 100. The operator interface 500 may provide additional signals to indicate which operator is desired.

FIG. 9 illustrates an example material testing system 900 that includes an operator detection switch 902 configured to provide an input signal to the safety system 240 to operate the material testing system 900. The example material testing system 900 includes the material testing system 100 of fig. 1-3, including the safety system 240 and the operator interface 500 of fig. 5.

An operator detection switch 902, such as a disadman switch, detects the presence of an operator through the activation of the switch, wherein failure to continuously press the switch 902 automatically results in the release of the switch 902. When the switch is pressed, the operator detection switch 902 outputs a switch signal to the security system 240. The operator detection switch 902 may be positioned such that when the switch 902 is pressed, the operator pressing the switch 902 is not within reach or cannot reach the protected volume. The security system 240 may, for example, poll for input from the operator detection switch 902 to determine a value indicative of detection or non-detection. The example safety system 240 may then use the switch signal as the first input signal or the second input signal (e.g., in instructions 600 of fig. 6) to enable some operation of the material testing system 100. When the switch 902 is no longer depressed, the operator detects that the switch 902 ceases to provide a switch signal to the safety system 240 (or provides a signal indicating that the switch 902 is not activated), which then disables operation of the material testing system 100. The operator interface 500 may provide additional signals to indicate which operator is desired.

Fig. 10 illustrates an example material testing system 1000 that includes a presence detector 1002 configured to provide an input signal to the safety system 240 to operate the material testing system 1000. The example material testing system 1000 includes the material testing system 100 of fig. 1-3, including the safety system 240 and the operator interface 500 of fig. 5.

A presence detector 1002, such as a room entry detector, presence sensor, or motion sensor, detects the presence of an operator in a particular area. When the presence detector 1002 detects, the presence detector 1002 outputs a presence signal to the security system 240. The presence detector 1002 may be positioned such that when the presence detector 1002 identifies the presence of an operator, the operator is not within reach or cannot reach the protected volume. The security system 240 may, for example, poll input from the presence detector 1002 to determine a value indicative of detection or non-detection. The example safety system 240 may then use the presence signal as the first input signal or the second input signal (e.g., in instructions 600 of fig. 6) to enable some operations of the material testing system 100. When the presence detector 1002 no longer detects presence, the presence detector 1002 stops providing a presence signal (or provides a signal indicating absence) to the safety system 240, which then disables operation of the material testing system 100. The operator interface 500 may provide additional signals to indicate which operator is desired.

FIG. 11 illustrates an example material testing system 1100 that includes a proximity sensor 1102 configured to provide an input signal to the safety system 240 to operate the material testing system 1100. The example material testing system 1100 includes the material testing system 100 of fig. 1-3, including the safety system 240 and the operator interface 500 of fig. 5.

The proximity sensor 1102 monitors a protected volume 1104 (e.g., a volume adjacent the test fixture 102) and outputs a non-proximity signal to the safety system 240 in response to determining that no operator proximity is detected. The security system 240 may, for example, poll inputs from the proximity sensors 1102 to determine a value indicative of proximity or non-proximity. The example safety system 240 may then use the non-proximity signal as the first input signal or the second input signal (e.g., in instructions 600 of fig. 6) to enable some operations of the material testing system 100. When the proximity sensor 1102 detects an operator or object within the volume 1104, the proximity sensor 1102 stops providing the undetected signal (or provides a detected signal) to the safety system 240, which then disables operation of the material testing system 100. The operator interface 500 may provide additional signals to indicate which operator is desired.

The present methods and systems may be implemented in hardware, software, and/or a combination of hardware and software. The present method and/or system can be implemented in a centralized fashion in at least one computing system, or in a distributed fashion where different elements are spread across several interconnected computing systems. Any kind of computing system or other apparatus adapted for carrying out the methods described herein is suited. A typical combination of hardware and software could include a general purpose computing system with program or other code that, when being loaded and executed, controls the computing system such that it carries out the methods described herein. Another exemplary embodiment may include an application specific integrated circuit or chip. Some embodiments may include a non-transitory machine-readable (e.g., computer-readable) medium (e.g., a flash drive, an optical disk, a magnetic storage disk, etc.) having stored thereon one or more lines of code executable by a machine to cause the machine to perform a process as described herein. As used herein, the term "non-transitory machine-readable medium" is defined to include all types of machine-readable storage media and to exclude propagating signals.

As used herein, the terms "circuit" and "circuitry" refer to physical electronic components (i.e., hardware) as well as any software and/or firmware ("code") that may configure, be executed by, and/or otherwise associated with the hardware. As used herein, for example, a particular processor and memory may constitute a first "circuit" when executing a first line or lines of code and may constitute a second "circuit" when executing a second line or lines of code. As used herein, "and/or" refers to any one or more of the plurality of items in the list connected by "and/or". For example, "x and/or y" refers to any element in the three-element set { (x), (y), (x, y) }. In other words, "x and/or y" means "one or both of x and y". As another example, "x, y, and/or z" refers to any element of the seven-element set { (x), (y), (z), (x, y), (x, z), (y, z), (x, y, z) }. In other words, "x, y, and/or z" means "one or more of x, y, and z. The term "exemplary," as used herein, is intended to serve as a non-limiting example, instance, or illustration. As used herein, the terms "e.g., (e.g.)" and "e.g., (for example)" bring out one or more non-limiting examples, instances, or lists of illustrations. As used herein, circuitry is "operable" to perform a function when the circuitry includes certain hardware and code (if necessary) necessary to perform the function, regardless of whether the performance of the function is disabled or not enabled (e.g., by user-configurable settings, factory adjustments, etc.).

While the present method and/or system has been described with reference to certain embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the method and/or system. For example, the blocks and/or components of the disclosed examples may be combined, divided, rearranged, and/or otherwise modified. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the disclosure without departing from the scope thereof. Thus, the present methods and/or systems are not limited to the specific embodiments disclosed. Instead, the present method and/or system will include all embodiments falling within the scope of the appended claims, whether literally or under the doctrine of equivalents.