CA2391472A1 - Fail-safe, fault-tolerant switching system for a critical device - Google Patents

Fail-safe, fault-tolerant switching system for a critical device Download PDF

Info

Publication number
CA2391472A1
CA2391472A1 CA002391472A CA2391472A CA2391472A1 CA 2391472 A1 CA2391472 A1 CA 2391472A1 CA 002391472 A CA002391472 A CA 002391472A CA 2391472 A CA2391472 A CA 2391472A CA 2391472 A1 CA2391472 A1 CA 2391472A1
Authority
CA
Canada
Prior art keywords
switching
fault
fail
safe
switch
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA002391472A
Other languages
French (fr)
Inventor
Peter Desany
Martin Batten
Thomas Harmon
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Raytheon Co
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Publication of CA2391472A1 publication Critical patent/CA2391472A1/en
Abandoned legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01HELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
    • H01H47/00Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
    • H01H47/22Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current for supplying energising current for relay coil
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T8/00Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
    • B60T8/17Using electrical or electronic regulation means to control braking
    • B60T8/1701Braking or traction control means specially adapted for particular types of vehicles
    • B60T8/1705Braking or traction control means specially adapted for particular types of vehicles for rail vehicles
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T8/00Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
    • B60T8/32Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
    • B60T8/88Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
    • B60T8/885Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01HELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
    • H01H47/00Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
    • H01H47/002Monitoring or fail-safe circuits
    • H01H47/004Monitoring or fail-safe circuits using plural redundant serial connected relay operated contacts in controlled circuit
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T2270/00Further aspects of brake control systems not otherwise provided for
    • B60T2270/40Failsafe aspects of brake control systems
    • B60T2270/406Test-mode; Self-diagnosis
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T2270/00Further aspects of brake control systems not otherwise provided for
    • B60T2270/40Failsafe aspects of brake control systems
    • B60T2270/415Short-circuit, open circuit failure

Landscapes

  • Engineering & Computer Science (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Valves And Accessory Devices For Braking Systems (AREA)

Abstract

A fail-safe, fault-tolerant switching system for a critical device includes a first pair of terminals for connection to a power source; a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals; a second network in parallel with the first network including a second fuse device, second switching device and fourth switching device connected in series between the first pair of terminals; and a second pair of terminals one between the first and third switching devices and one between the second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when the first and second switching devices are open and the third and fourth switching devices are closed, the first, second, third and fourth switching devices are open, fault-tolerant operation occurs through the first fuse device, first switching device and fourth switching device, or the second fuse device and second switching devi ce and third switching device.

Description

FAIL-SAFE, FAULT-TOLERANT SWITCHING SYSTEM
FOR A CRITICAL DEVICE
FIELD OF INVENTION
This invention relates to a fail-safe, fault-tolerant switching system for a critical device.
BACKGROUND OF INVENTION
Fail-safe devices are used where risk of personal injury or damage to property can occur. For example, air brakes on large trucks are released by force of air pressure against strong actuators. Any failure of the air pressure system releases the springs to apply the brakes so the system "fails safe". In railroad trains a "vital relay" is used to monitor the presence of a vehicle to control separation between trains. When less than the required separation is sensed the power to the relay is cut off and "fail safe" gravity force is relied upon to close contacts and provide a warning signal. The use of ever more sophisticated electronic and computer controlled systems such as in personal rapid transit (PRT) systems has given rise to more sophisticated requirements for fail-safe operation. PRT
systems are driverless, automated, small, passenger vehicles that operate on guideways. In addition, fault-tolerant operation to permit continued operation of partially disabled but still safe vehicles is an important consideration. PRTs for example must always be operated fail-safe but need some fault tolerance so that faulty vehicles are not simply stopped, interfering with operation of other vehicles when the fault can be tolerated to at least move the vehicle from the guideway to a maintenance area. PRT is but one instance where fail-safe, fault-tolerant systems are needed.
This gave rise to switching circuits with a number of switches to provide fail-safe operation: one switch is generally not enough because a switch, be it mechanical or semiconductor, can fail in either the closed or open mode. Thus the outcome is not predictable and failure to a safe state is not assured. Two or more switches connected in series will increase reliability and are safe if a defective switch can be detected. Two or more switches in parallel provide redundancy but do not improve reliability.
BRIEF SUMMARY OF THE INVENTION
It is therefore an object of this invention to provide an improved fail-safe switching system.
It is a further object of this invention to provide an improved fail-safe switching system which is inherently fault-tolerant to some faults.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is simple, reliable, and uses few and conventional parts.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be self tested with fault tracing down to individual switching elements.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be monitored and controlled to reconfigure for fault-tolerant operation for additional faults.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which uses fuses to overnde faults due to switching devices that have failed in the closed mode.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which reduces the probability of failure in an unsafe mode.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can work around a single fault.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is resistant to common mode failures.
This invention results from the realization that a truly fail-safe, fault-tolerant switching system for a critical device can be achieved using two parallel networks each including a fuse device and two switch devices in series with the critical device connected between the networks at the junction of a switch device and fuse device in each network so that the system is entirely fail-safe and fault-tolerant through its inherent operation supplemented by automatic monitoring and control of the switching devices.
This invention features a fail-safe, fault-tolerant switching system for a critical device including a first pair of terminals for connection to a power source, a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals and a second network in parallel with the first network including a second fuse device, second switching device and fourth switching device connected in series between the first pair of terminals. There is a second pair of terminals, one between the first and third switching devices and one between the second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when first and second switching devices are open and the third and fourth switching devices are closed, the first, second, third and fourth switching devices are open, the first and second fuse devices are open and the first and second switching devices are open and the third and fourth switching devices are closed and the first and second fuse devices are intact; the first switching device has failed ON and the second switching device is open and the third and fourth switching devices are closed and fuse 1 is caused to open due to short circuit path through the first and third switching device and the second fuse device is intact; the first switching device is open and the second switching device has failed ON and the third and fourth switching devices are closed and fuse 1 is intact and fuse 2 is caused to open due to a short circuit path through the second and fourth switching device; the first, second, third and fourth switching devices are open, the fault-tolerant operation occurs through the first fuse device, first switching device and fourth switching device, or the second fuse device, second switching device and third switching device.
In a preferred embodiment there may be a unidirectional current flow circuit interconnected between the second pair of terminals and the critical device for permitting current flow in one direction. The unidirectional current flow circuit may include a diode bridge. There may be a first monitor circuit for monitoring the first switching device, a second monitor circuit for monitoring the second switching device, a third monitor circuit for monitoring the third switching device, and a fourth monitor circuit for monitoring the fourth switching device. There may be a controller responsive to the monitor circuit for selectively operating the switching devices.
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects, features and advantages will occur to those skilled in the art from the following description of a preferred embodiment and the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a fail-safe, fault-tolerant H switch according to this invention;
Fig. 2 is a view similar to Fig. 1 including monitoring devices and a controller for monitoring and controlling the operation of the individual switches;
Fig. 2A is a view, similar to Fig. 2, in which a diode bridge is connected across a polarized load;
Figs. 3-7 are flow charts explaining the operation of the controllers and monitors; and Fig. 8 is a diagram depicting the desired behavior of the H switch according to this invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT
There is shown in Fig. 1 a basic H switch 10 including four switches:
switch 1 12, switch 2 14, switch 3 16, and switch 4 18, and two fuses, fuse 1 20, and fuse 2 22. The switch is arranged in an "H" shape with the critical load 24 in the middle. The switches may be conventional switches, relays, or semiconductor devices. A first network 26 inciu'ding fuse 1 20, switch 1 12 and switch 3 16, is connected between a pair of terminals 28 and 30 which in this embodiment are connected to a positive power supply and ground, respectively. The second network 32 including fuse 2 22, switch 2 14 and switch 4 18, is connected in parallel with network 26 between terminals 28 and 30. A critical device 24 is connected between terminal 34 which is located between switch 1 12 and switch 16, and terminal 36 which is located between switch 2 14 and switch 4 18. This basic configuration of four switches has sixteen combinations. Two of them allow the device to be energized. This relies on the fact that the device can be driven with current flowing either left to right or in a right to left fashion through the critical device 24. Four combinations turn on only one switch and may be used in a self test circuit; three combinations are safe states; and the seven other combinations blow a fuse and revert to one of the others. The following contains this information in more detail. Note that the two energized modes are complementary. This protects against common mode failures and thus decreases probability of failing in an unsafe state.
TABLE I

off off off off Safe 1 off off off on Self test off off on off Self test off off on on Safe 2 off on off off Self test off on off on Blow fuse off on on off Energized off on on on Blow fuse on off off off Self test on off off on Energized on off on off Blow fuse on off on on Blow fuse on on off off Safe 3 on on off on Blow fuse on on on off Blow fuse on on on on Blow fuse The two states which actually allow the brakes to be released are (1) Switch 1 and Switch 4 on and Switch 2 and Switch 3 off; and (2) Switch 2 and Switch 3 on and Switch 1 and Switch 4 off. This assumes that the critical load 24 is not polarized.
Such is the case when it is a solenoid, for example.
External circuitry functions to control the H switch 10 in the following manner. The external circuits in a deenergized mode disable all switches and monitor them to see if either switch 1 or 2 is shorted. If they are not, switches 3 and 4 are turned on. This is a safe state. If a request in the deenergized state is made, a self test is performed on the switches. This self test runs through a check to see if each of the switches can be turned on and off. It then makes a determination as to whether the H switch can be energized safely and if so, in which energized mode. This will be understood more readily by the explanation which follows.
Besides the protection the fuses give for illegal combinations of the four signals, they also allow the controller to change the failure of the top two switches from failed closed to failed open. This is accomplished by closing the switch in the same leg intentionally. Failed open is much easier to deal with than failed closed for a fault-tolerant system. The four switches are monitored by four monitors, Fig.

2: monitor 1 40, monitor 2 42, monitor 3 44, and monitor 4 46. In this embodiment each of the monitors is implemented as shown with respect to monitor 1 40, by an opto-isolator 48 and resistor 50. Using opto-isolators allows controller 52 to be electrically isolated from the critical load. This electrical isolation can be made complete if the actual switches are implemented by solid state relays.
This reduces the chance for the monitors to negatively impact the critical device and enhances reliability of the circuit. System safety is not reduced significantly by the presence of the monitors because in normal operation their current is limited by the series resistors 50 to a fraction of that needed to operate the solenoid. As the resistors can only fail in the open state, they cannot energize the solenoid.
Controller 52 may be a microprocessor such as a Motorola 68040 programmed to function as described with respect to the following discussion and Figs. 3-7.
H switch 10 can have any switch fail open or closed and still operate in the fail-safe manner. One procedure that controller 52 can implement is the following.
At the time that controller 52 is required to disengage the brakes, a self test is run that checks each switch's ability to turn on and off. If switch 1 has failed open the H switch will turn on switches 2 and 3 and switches 1 and 4 will turn off and the critical device will be engaged. If switch 1 had failed closed, the H switch would turn on switches 2 and 3 and switches 1 and 4 would turn off. This would blow fuse 1 in line with switch 1 and the critical device would be engaged. The similar procedure could be made for switch 2 failure modes. If switch 3 fails open, then the system will turn on switch 1 and switch 4 and turn off switches 2 and 3 so that the critical device will be engaged. If switch 3 fails closed, operation is still possible by turning on switches 2 and 3 and turning off switches 1 and 4 whereupon the critical device will again be engaged. A similar procedure can be made for switch 4 failure modes. If multiple failures are found then all four switches can be turned off and the critical device can be disengaged. When the controller is requested to apply the brakes, switches 1 and 2 are turned off and switches 3 and 4 are turned on. If for any reason it detects a second fault in either switch 1 or 2, such that they stay on when they should not, then all four switches are opened.
Critical device 24a, Fig. 2A, may include a polarized load requiring unidirectional current flow. Diode bridge 25 includes ac terminals 35 and 37 connected to terminals 34 and 36, respectively. Critical device 24a is connected to polarized terminals 39, which is positive, and 41, which is negative, of diode bridge 25.
Thus, irrespective of whether the operational switch state is switch 1 and switch 4 closed, or switch 2 and switch 3 closed, polarized critical load 24a will always have a positive potential on its positive terminal and a negative potential on its negative terminal. In this way, diode bridge 25 does not compromise the fail safe aspect of the circuit to reliably remove current from polarized critical device 24a, while maintaining unidirectional current through the load.
The following describes the use of the switch and monitoring function to perform highly reliable control of a brake system on a PRT vehicle. The brake is applied when no current flows through the brake actuator and this is the safe state for the system. By combination of the switch components, monitoring circuits and process steps in the control logic the function removes the brakes when a request-ON is made so that the vehicle is permitted to move and reliably applies the brakes when a request-OFF is made. The application also tolerates a hardware failure, by reconfiguring automatically on detecting a fault to permit the brakes to be removed and the vehicle moved, and provides the same level of reliability in being able to re-apply the brakes when commanded.
The switch monitor and control functions collectively provide a highly reliable Control Function. The Control Function can be commanded two states:
ON or OFF. In this application OFF applies the brakes, ON releases them. The control Function will go to one of four states in consequence of the external states being applied.
State 1: Off State, applies indefinitely in response to the external command maintaining an OFF state.
State 2: Self Test, Transition to On, occurs in response to the external command transitioning from an OFF state to an ON state. This state is transient, and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines which one of the two different hardware internal ON states will be selected based on health of the hardware elements, or a permanent OFF state if it is determined that an excessive number of hardware failures exist.
State 3: ON State, applies indefinitely following a successful Self Test, in response to the external command maintaining an ON state.
State 4: Self Test, Transition to OFF, occurs in response to the external command transitioning from an ON state to an OFF state. This state is transient and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines which one of the two different hardware internal OFF states will be selected, based on health of the hardware elements.
The following description of states refers to the flow diagrams in Figs. 3-7.
The point of entry for the process is arbitrarily defined as State 1, the OFF
state.
Switches 1, 2, 3 and 4 are referred to as S1, S2, S3, S4, Monitors 1, 2, 3 and 4 as M 1, M2, M3 and M4.
( 1 ) State 1 is predominantly satisfied by having switches S 1 and S2 deactivated, and switches S3 and S4 activated. This applies a short-circuit via ground to the two ends of the load (Brake actuator) to insure it is de-energized.
Alternately, and only as a consequence of determining a fault condition via prior testing, all four switches, S1, S2, S3 and S4 will be deactivated to reduce the probability of inadvertently setting up a path of conduction.
(2) When the External Sequence transitions from the off state to the on-state a self test-transition-to-ON process is initiated. This process is an orderly fixed sequence and takes a fixed time-period. Interrupting the sequence by de-asserting the external state and mid-self test is to be avoided via logic. For the PRT brake application, the self test took less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, typically 100 seconds.
(3) Initially all switches S 1 through S4 are deactivated. From this state all switches can be individually checked as a serial sequence. This is done by turning on each switch singularly, and verifying operation through the use of the monitors M 1 through M4. During this process the load is not energized. It is possible, as a consequence of a fault, that activating one switch will provide a path via a fault and the load will be momentarily energized. For the function of brake control on PRT, the time constant of the load (brakes) was significantly longer than the event of being momentarily energized, such that no consequence propagated from this brief event.
(4) S 1 is activated, which will cause M 1 to be OFF. If M 1 remains ON, then a fault has occurred, which is assumed to be that S 1 has failed open-circuit.
The outcome of this test is logged for switch S1, functional (OK), or failed open-circuit (0C).
(5) S 1 is deactivated. All switches are now in a deactivated state.
(6) S2 is activated, which will cause M2 to be OFF. If M2 remains ON, then a fault has occurred, which is assumed to be that S2 has failed open-circuit.
One of two states is logged for switch S2, functional (OK) or failed open-circuit (0C).
7) S2 is deactivated. All switches are now in a deactivated state.
8) S3 is activated, which will cause M3 to be OFF. If M remains ON, then a fault has occurred, which is assumed to be that S3 has failed open-circuit.
One of two states is logged for switch S3, functional (OK), or failed open-circuit (0C).
9) S3 is deactivated. All switches are now in a deactivated state.
10) S4 is activated, which will cause M4 to be OFF. If M4 remains ON, then a fault has occurred, which is assumed to be that S4 has failed open-circuit.
One of two states is logged for switch S4, functional (OK), or failed open-circuit (0C).
11 ) S4 is deactivated. All switches are now in a deactivated states.
12) Monitors M1 through M4 are next checked to verify they are all ON, signifying the correct bias across the switches S 1 through S4, when de-energized, which is the expected state. If any monitor, M1 through M3 is off, then a fault has occurred. The fault is assumed to be a short-circuit in the associated switch, S 1 through S4. It is most likely that the monitoring circuit for S 1 or S2 has failed if either of these switches is reported as being short-circuit, as the prior tests would have blown the affected fuse on a shorted switch, which consequently removes the short-circuit.
13) Having tested all four switches individually, a decision can be arrived at as to which of three desirable states the switches can be configured in:
The predominant case is to energize switches S 1 and S4, which is applicable to fully-functional hardware, or hardware with a specific set of deduced faults. This activates the load.
Certain faults can be withstood with the hardware by choosing the alternative path, energizing switches S2 and S3.
This also activates the load, but reverses the current through-it compared with activating S 1 and S4. In the application for PRT of a brake release function, the load was non-polarized and not affected by the direction of flow of current.
Specific combinations of hardware faults cannot be tolerated. The function reacts to these faults by holding all switches off and the brakes remain on.
Determination of the appropriate load state is achieved by assessing the 24 possible states of the combination of all four switches in accordance with the following table:
TABLE II
State S1 S2 S3 S4 Outcome 1 OK OK OK OK Select S1,S4 2 OK OK OK OC Select S2,S3 3 OK OK OK SC Select S1,S4 4 OK OK OC OK Select Sl,S4 OK OK OC OC Select None 6 OK OK OC SC Select S1,S4 7 OK OK SC OK Select S2,S3 8 OK OK SC OC Select S2,S3 9 OK OK SC SC Select None OK OC OK OK Select Sl,S4 11 OK OC OK OC Select None 12 OK OC OK SC Select Sl,S4 13 OK OC OC OK Select S1,S4 14 OK OC OC OC Select None OK OC OC SC Select S1,S4 16 OK OC SC OK Select None 17 OK OC SC OC Select None 18 OK OC SC SC Select None 19 OK SC OK OK Select 51,54 OK SC OK OC Select S2,S3 21 OK SC OK SC Select S1,S4 22 OK SC OC OK Select S1,S4 23 OK SC OC OC Select None 24 OK SC OC SC Select None OK SC SC OK Select S1,S4 26 OK SC SC OC Select None 27 OK SC SC SC Select None 28 OC OK OK OK Select S2,S3 29 OC ~ OK I OK ~ OC ~ Select S2,S3 30 OC OK OK SC Select None 31 OC OK OC OK Select None 32 OC OK OC OC Select None 33 OC OK OC SC Select None 34 OC OK SC OK Select S2,S3 35 OC OK SC OC Select None 36 OC OK SC SC Select None 37 OC OC OK OK Select None 38 OC OC OK OC Select None 39 OC OC OK SC Select None 40 OC OC OC OK Select None 41 OC OC OC OC Select None 42 OC OC OC SC Select None 43 OC OC SC OK Select None 44 OC OC SC OC Select None 45 OC OC SC SC Select None 46 OC SC OK OK Select S2,S3 47 OC SC OK OC Select None 48 OC SC OK SC Select None 49 OC SC OC OK Select None 50 OC SC OC OC Select None 51 OC SC OC SC Select None 52 OC SC SC OK Select None 53 OC SC SC OC Select None 54 OC SC SC SC Select None 55 SC OK OK OK Select S2,S3 56 SC OK OK OC Select S2,S3 57 SC OK OK SC Select None 58 SC OK OC OK Select None 59 SC OK OC OC Select None 60 SC OK OC SC Select None 61 SC OK SC OK Select S2,S3 62 SC OK SC OC Select S2,S3 63 SC OK SC SC Select None 64 SC OC OK OK Select None 65 SC OC OK OC Select None 66 SC OC OK SC Select None 67 SC OC OC OK Select None 68 SC OC OC OC Select None 69 SC OC OC SC Select None 70 SC OC SC OK Select None 71 SC OC SC OC Select None 72 SC OC SC SC Select None 73 SC SC OK OK Select S1,S4 74 SC SC OK OC Select S2,S3 75 SC SC OK SC Select None 76 SC SC OC OK Select S1,S4 77 SC SC OC OC Select None 78 SC SC OC SC Select None 79 SC SC SC OK Select None 80 SC SC SC OC Select None 81 SC SC SC SC I Select None 14) If it is determined that the load can be made active, the appropriate switches are energized and State 3 commences. Failure of the load to be activated will be as a consequence of the prior tests and requires repair of the hardware to proceed.
15) If S1 and S4 are activated, then for the duration that state 3 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE III
S 1 Fails OC Fail-off S 1 Fails SC Continue S2 Fails OC Continue S2 Fails SC Blow S2 fuse, continue S3 Fails OC Continue S3 Fails SC Blow S1 fuse, fail-off S4 Fails OC Fail-off S4 Fails SC Continue 16) If S2 and S3 are activated, then for the duration that state 3 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE IV
S 1 Fails OC Continue S 1 Fails SC Blow S 1 fuse, continue S2 Fails OC Fail-off S2 Fails SC Continue S3 Fails OC Fail-off S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Blow S2 fuse, fail-off 17) The outcome is that the load is predominantly energized for the duration that the system is in state 3. There is a probability that a fault may occur that causes the load to be de-activated. The system should be aware that this has happened. In the application of the brake-release function for PRT, the event of having the brakes re-applied would cause the vehicle to stop and proceed through a set of diagnostics. These diagnostics included removing the command to release the brakes (ON to OFF) and re-applying the command to release the brakes (OFF
to ON). The process re-invoked the Self Test Transition to ON, at which point a different outcome to the appropriate switch configuration may be arrived at.
For example, if the load was activated by switches S 1 and S4 being active and a fault occurred that caused S 1 to go open-circuit, the brake-release function would be de-asserted and the PRT vehicle would stop. The command to release the brakes would be removed and re-applied. The Self Test Transition to ON that occurs would deduce the need to activate switches S2 and S3 to energize the load and release the brakes. Hence this cycling event would permit the system to continue in the presence of a fault that had caused a temporary stoppage.
18) When the External Sequence transition from the on-state to the off state a 'self test-transition-to-OFF' process is initiated. This process is an orderly fixed sequence and takes a fixed time-period. Interrupting the sequence by de-asserting the external state mid-self test is to be avoided via logic. For the PRT
brake application, the self test is less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, with typically greater than 100 seconds between trip start and ending times.
19) Initially all switches S 1 though S4 are deactivated, then switches S3 and S4 are activated. This two-step process insures no state-change conditions occur where switch combinations induce a transient short circuit path.
20) From this state the switches can be checked using the monitors M1 and M2. If either monitor M1 or monitor M2 is in an Off state, it is indicative that either switch S3 or S4 has blown open-circuit, and another bias path exists to drive the output to ON. Immediately on occurrence of this case, all switches are deactivated. The response time is such that the corrective action takes less than 100msec and is inconsequential.
The outcome is that one of two states is determined to be appropriate to insure the load is de-energized (the brakes applied).
21) Predominantly, when all the hardware is functional, or in the presence of selective faults, the switches S 1 and S2 will remain de-activated and the switches S3 and S4 will be activated, providing a short-circuit via ground across the load terminals. Alternately, on deduction of the above-described fault combinations, all four switches will remain de-activated to reduce the probability of inadvertently setting up a path of conduction. Both these conditions serve for state 1.
22) If S3 and S4 are activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE V
S 1 Fails OC Continue S 1 Fails SC Blow S 1 fuse, continue S2 Fails OC Continue S2 Fails SC Blow S2 fuse, continue S3 Fails OC Continue S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Continue 23) If all switches are de-activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE VI
S 1 Fails OC Continue S 1 Fails SC Continue S2 Fails OC Continue S2 Fails SC Continue S3 Fails OC Continue S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Continue 24) The outcome is that the load is always de-energized for the duration that the system is in state 1. There is probability that changes the state of the individual switches, and may induce a fuse to blow, but the load remains de-energized. The function remains in this state until the next external transition from OFF to ON, at which point the process as described and depicted in the flow charts is repeated.
The operation of H switch 10 is depicted in summary in Fig. 8 where it can be seen that the desired behavior is off with the brake applied and then on when the brakes are removed and motion is permitted, as indicated by path 60, Fig. 8.
There it can be seen that during the four states of the switch process the brakes are off in state 1 62, the off state, and in state 4 64, the self test sequence transition to off, the brakes transition to on in state 2 66, and in state 3 68, they are in the on state.
Although specific features of the invention are shown in some drawings and not in others, this is for convenience only as each feature may be combined with any or all of the other features in accordance with the invention.
Other embodiments will occur to those skilled in the art and are within the following claims:
What is claimed is:

Claims (5)

1. A fail-safe, fault-tolerant switching system for a critical device comprising a first pair of terminals for connection to a power source;
a first network including a first fuse device, first switching device and third switching device connected in series between said first pair of terminals;
a second network in parallel with said first network including a second fuse device, second switching device and fourth switching device connected in series between said first pair of terminals; and a second pair of terminals one between said first and third switching devices and one between said second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when either said first and second switching devices are open and said third and fourth switching devices are closed or said first, second, third and fourth switching devices are open;
and fault-tolerant operation occurs through said first fuse device, first switching device and fourth switching device or said second fuse device, secund switching device and third switching device.
2. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a unidirectional current flow circuit interconnected between said second pair of terminals and said critical device for permitting current flow in one direction.
3. The fail-safe, fault-tolerant switching system for a critical device of claim 2 in which said unidirectional current flow circuit includes a diode bridge having a first terminal connected between the third and first switching device and a second terminal connected between the second and fourth switching device and the polarized terminals are applied across the critical device.
4. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a first monitor circuit for monitoring said first switching device, a second monitor circuit for monitoring said second switching device, a third monitor circuit for monitoring said third switching device and a fourth monitor circuit for monitoring said fourth switching device.
5. The fail-safe, fault-tolerant switching system for a critical device of claim 4 further including a controller responsive to said monitoring circuits for selectively operating said switching devices.
CA002391472A 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device Abandoned CA2391472A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US43819599A 1999-11-11 1999-11-11
US09/438,195 1999-11-11
PCT/US2000/030799 WO2001035432A1 (en) 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device

Publications (1)

Publication Number Publication Date
CA2391472A1 true CA2391472A1 (en) 2001-05-17

Family

ID=23739642

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002391472A Abandoned CA2391472A1 (en) 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device

Country Status (5)

Country Link
EP (1) EP1228520A1 (en)
KR (1) KR100497116B1 (en)
AU (1) AU1592001A (en)
CA (1) CA2391472A1 (en)
WO (1) WO2001035432A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7352544B2 (en) * 2005-07-07 2008-04-01 Pratt + Whitney Canada Corp. Method and apparatus for providing a remedial strategy for an electrical circuit
US8390972B2 (en) * 2007-04-17 2013-03-05 Hamilton Sundstrand Corporation Secondary protection approach for power switching applications
DE102007030627A1 (en) * 2007-07-02 2009-01-08 Continental Automotive Gmbh Control of an actuator of a brake of a motor vehicle
DE102012101951A1 (en) 2012-03-08 2013-09-12 Maschinenfabrik Reinhausen Gmbh step switch
EP3196913B1 (en) * 2016-01-20 2019-04-10 Schneider Electric Industries SAS Relay circuit and method for performing self-test of relay circuit
JP6683512B2 (en) * 2016-03-18 2020-04-22 リンナイ株式会社 Dishwasher
DE102016117821A1 (en) * 2016-09-21 2018-03-22 Pilz Gmbh & Co. Kg Safety circuit for fail-safe disconnection of a hazardous technical system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4433357A (en) * 1980-10-13 1984-02-21 Matsushita Electric Works Ltd. Drive circuit for a latching relay
DE3737791A1 (en) * 1987-09-25 1989-04-13 Pepperl & Fuchs Fail-safe switch device
DE4342586A1 (en) * 1993-12-14 1995-06-22 Bosch Gmbh Robert Display device for electrical control devices
SE505747C2 (en) * 1996-02-07 1997-10-06 Asea Brown Boveri Contactor
WO1999031696A1 (en) * 1997-12-17 1999-06-24 Siemens Electromechanical Components, Inc. Electronic control circuit for a latching relay

Also Published As

Publication number Publication date
EP1228520A1 (en) 2002-08-07
WO2001035432A1 (en) 2001-05-17
AU1592001A (en) 2001-06-06
KR20020048432A (en) 2002-06-22
KR100497116B1 (en) 2005-06-28

Similar Documents

Publication Publication Date Title
JP3955500B2 (en) Fuse trigger circuit and method for protecting electrohydraulic system including fuse
CN105829232B (en) Security system for lift facility
US6490141B2 (en) Power distribution system
JP4884478B2 (en) Safety switching device for fail-safe disconnection of electrical loads
US5411324A (en) Circuit configuration for a controller
US10532714B2 (en) Safety switching device for switching on and safely switching off an electrical load
JP4384174B2 (en) Safety switching device and method for fail-safe stop of electric load
US4926281A (en) Fail-safe and fault-tolerant alternating current output circuit
EP2495659B1 (en) Architecture using integrated backup control and protection hardware
US6297569B1 (en) Power switching system
JPH0382661A (en) Safety relay actuating circuit
CA2391472A1 (en) Fail-safe, fault-tolerant switching system for a critical device
KR102376575B1 (en) Brake drive control circuit and its fault detection method
US6366434B2 (en) Apparatus for safely disconnecting an electrical load from an electrical DC voltage supply
CN109565250B (en) Soft starter, operation method and switch system
CN112141166A (en) Motor train unit safety loop bypass system
KR20170124817A (en) Digital triple protection relay system
JP7281699B2 (en) BRAKE DRIVE CONTROL CIRCUIT AND ITS FAILURE DETECTION METHOD
CN109653603B (en) Double-redundancy thermal backup actuator electromagnetic lock unlocking and unlocking monitoring circuit
JP2004086268A (en) Automatic controller
WO2022264690A1 (en) Interruption device
US20240353102A1 (en) Method for safety-oriented control
US20020011888A1 (en) Circuit provided with a protective function
WO2024185230A1 (en) Power distribution device and wire-disconnect determination method
JPH05260654A (en) Dual power supply equipment

Legal Events

Date Code Title Description
EEER Examination request
FZDE Dead