CA2391472A1 - Fail-safe, fault-tolerant switching system for a critical device - Google Patents
Fail-safe, fault-tolerant switching system for a critical device Download PDFInfo
- Publication number
- CA2391472A1 CA2391472A1 CA002391472A CA2391472A CA2391472A1 CA 2391472 A1 CA2391472 A1 CA 2391472A1 CA 002391472 A CA002391472 A CA 002391472A CA 2391472 A CA2391472 A CA 2391472A CA 2391472 A1 CA2391472 A1 CA 2391472A1
- Authority
- CA
- Canada
- Prior art keywords
- switching
- fault
- fail
- safe
- switch
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01H—ELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
- H01H47/00—Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
- H01H47/22—Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current for supplying energising current for relay coil
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T8/00—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
- B60T8/17—Using electrical or electronic regulation means to control braking
- B60T8/1701—Braking or traction control means specially adapted for particular types of vehicles
- B60T8/1705—Braking or traction control means specially adapted for particular types of vehicles for rail vehicles
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T8/00—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
- B60T8/32—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
- B60T8/88—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
- B60T8/885—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01H—ELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
- H01H47/00—Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
- H01H47/002—Monitoring or fail-safe circuits
- H01H47/004—Monitoring or fail-safe circuits using plural redundant serial connected relay operated contacts in controlled circuit
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T2270/00—Further aspects of brake control systems not otherwise provided for
- B60T2270/40—Failsafe aspects of brake control systems
- B60T2270/406—Test-mode; Self-diagnosis
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T2270/00—Further aspects of brake control systems not otherwise provided for
- B60T2270/40—Failsafe aspects of brake control systems
- B60T2270/415—Short-circuit, open circuit failure
Landscapes
- Engineering & Computer Science (AREA)
- Transportation (AREA)
- Mechanical Engineering (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Valves And Accessory Devices For Braking Systems (AREA)
Abstract
A fail-safe, fault-tolerant switching system for a critical device includes a first pair of terminals for connection to a power source; a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals; a second network in parallel with the first network including a second fuse device, second switching device and fourth switching device connected in series between the first pair of terminals; and a second pair of terminals one between the first and third switching devices and one between the second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when the first and second switching devices are open and the third and fourth switching devices are closed, the first, second, third and fourth switching devices are open, fault-tolerant operation occurs through the first fuse device, first switching device and fourth switching device, or the second fuse device and second switching devi ce and third switching device.
Description
FAIL-SAFE, FAULT-TOLERANT SWITCHING SYSTEM
FOR A CRITICAL DEVICE
FIELD OF INVENTION
This invention relates to a fail-safe, fault-tolerant switching system for a critical device.
BACKGROUND OF INVENTION
Fail-safe devices are used where risk of personal injury or damage to property can occur. For example, air brakes on large trucks are released by force of air pressure against strong actuators. Any failure of the air pressure system releases the springs to apply the brakes so the system "fails safe". In railroad trains a "vital relay" is used to monitor the presence of a vehicle to control separation between trains. When less than the required separation is sensed the power to the relay is cut off and "fail safe" gravity force is relied upon to close contacts and provide a warning signal. The use of ever more sophisticated electronic and computer controlled systems such as in personal rapid transit (PRT) systems has given rise to more sophisticated requirements for fail-safe operation. PRT
systems are driverless, automated, small, passenger vehicles that operate on guideways. In addition, fault-tolerant operation to permit continued operation of partially disabled but still safe vehicles is an important consideration. PRTs for example must always be operated fail-safe but need some fault tolerance so that faulty vehicles are not simply stopped, interfering with operation of other vehicles when the fault can be tolerated to at least move the vehicle from the guideway to a maintenance area. PRT is but one instance where fail-safe, fault-tolerant systems are needed.
This gave rise to switching circuits with a number of switches to provide fail-safe operation: one switch is generally not enough because a switch, be it mechanical or semiconductor, can fail in either the closed or open mode. Thus the outcome is not predictable and failure to a safe state is not assured. Two or more switches connected in series will increase reliability and are safe if a defective switch can be detected. Two or more switches in parallel provide redundancy but do not improve reliability.
BRIEF SUMMARY OF THE INVENTION
It is therefore an object of this invention to provide an improved fail-safe switching system.
It is a further object of this invention to provide an improved fail-safe switching system which is inherently fault-tolerant to some faults.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is simple, reliable, and uses few and conventional parts.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be self tested with fault tracing down to individual switching elements.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be monitored and controlled to reconfigure for fault-tolerant operation for additional faults.
FOR A CRITICAL DEVICE
FIELD OF INVENTION
This invention relates to a fail-safe, fault-tolerant switching system for a critical device.
BACKGROUND OF INVENTION
Fail-safe devices are used where risk of personal injury or damage to property can occur. For example, air brakes on large trucks are released by force of air pressure against strong actuators. Any failure of the air pressure system releases the springs to apply the brakes so the system "fails safe". In railroad trains a "vital relay" is used to monitor the presence of a vehicle to control separation between trains. When less than the required separation is sensed the power to the relay is cut off and "fail safe" gravity force is relied upon to close contacts and provide a warning signal. The use of ever more sophisticated electronic and computer controlled systems such as in personal rapid transit (PRT) systems has given rise to more sophisticated requirements for fail-safe operation. PRT
systems are driverless, automated, small, passenger vehicles that operate on guideways. In addition, fault-tolerant operation to permit continued operation of partially disabled but still safe vehicles is an important consideration. PRTs for example must always be operated fail-safe but need some fault tolerance so that faulty vehicles are not simply stopped, interfering with operation of other vehicles when the fault can be tolerated to at least move the vehicle from the guideway to a maintenance area. PRT is but one instance where fail-safe, fault-tolerant systems are needed.
This gave rise to switching circuits with a number of switches to provide fail-safe operation: one switch is generally not enough because a switch, be it mechanical or semiconductor, can fail in either the closed or open mode. Thus the outcome is not predictable and failure to a safe state is not assured. Two or more switches connected in series will increase reliability and are safe if a defective switch can be detected. Two or more switches in parallel provide redundancy but do not improve reliability.
BRIEF SUMMARY OF THE INVENTION
It is therefore an object of this invention to provide an improved fail-safe switching system.
It is a further object of this invention to provide an improved fail-safe switching system which is inherently fault-tolerant to some faults.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is simple, reliable, and uses few and conventional parts.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be self tested with fault tracing down to individual switching elements.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be monitored and controlled to reconfigure for fault-tolerant operation for additional faults.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which uses fuses to overnde faults due to switching devices that have failed in the closed mode.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which reduces the probability of failure in an unsafe mode.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can work around a single fault.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is resistant to common mode failures.
This invention results from the realization that a truly fail-safe, fault-tolerant switching system for a critical device can be achieved using two parallel networks each including a fuse device and two switch devices in series with the critical device connected between the networks at the junction of a switch device and fuse device in each network so that the system is entirely fail-safe and fault-tolerant through its inherent operation supplemented by automatic monitoring and control of the switching devices.
This invention features a fail-safe, fault-tolerant switching system for a critical device including a first pair of terminals for connection to a power source, a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals and a second network in parallel with the first network including a second fuse device, second switching device and fourth switching device connected in series between the first pair of terminals. There is a second pair of terminals, one between the first and third switching devices and one between the second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when first and second switching devices are open and the third and fourth switching devices are closed, the first, second, third and fourth switching devices are open, the first and second fuse devices are open and the first and second switching devices are open and the third and fourth switching devices are closed and the first and second fuse devices are intact; the first switching device has failed ON and the second switching device is open and the third and fourth switching devices are closed and fuse 1 is caused to open due to short circuit path through the first and third switching device and the second fuse device is intact; the first switching device is open and the second switching device has failed ON and the third and fourth switching devices are closed and fuse 1 is intact and fuse 2 is caused to open due to a short circuit path through the second and fourth switching device; the first, second, third and fourth switching devices are open, the fault-tolerant operation occurs through the first fuse device, first switching device and fourth switching device, or the second fuse device, second switching device and third switching device.
In a preferred embodiment there may be a unidirectional current flow circuit interconnected between the second pair of terminals and the critical device for permitting current flow in one direction. The unidirectional current flow circuit may include a diode bridge. There may be a first monitor circuit for monitoring the first switching device, a second monitor circuit for monitoring the second switching device, a third monitor circuit for monitoring the third switching device, and a fourth monitor circuit for monitoring the fourth switching device. There may be a controller responsive to the monitor circuit for selectively operating the switching devices.
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects, features and advantages will occur to those skilled in the art from the following description of a preferred embodiment and the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a fail-safe, fault-tolerant H switch according to this invention;
Fig. 2 is a view similar to Fig. 1 including monitoring devices and a controller for monitoring and controlling the operation of the individual switches;
Fig. 2A is a view, similar to Fig. 2, in which a diode bridge is connected across a polarized load;
Figs. 3-7 are flow charts explaining the operation of the controllers and monitors; and Fig. 8 is a diagram depicting the desired behavior of the H switch according to this invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT
There is shown in Fig. 1 a basic H switch 10 including four switches:
switch 1 12, switch 2 14, switch 3 16, and switch 4 18, and two fuses, fuse 1 20, and fuse 2 22. The switch is arranged in an "H" shape with the critical load 24 in the middle. The switches may be conventional switches, relays, or semiconductor devices. A first network 26 inciu'ding fuse 1 20, switch 1 12 and switch 3 16, is connected between a pair of terminals 28 and 30 which in this embodiment are connected to a positive power supply and ground, respectively. The second network 32 including fuse 2 22, switch 2 14 and switch 4 18, is connected in parallel with network 26 between terminals 28 and 30. A critical device 24 is connected between terminal 34 which is located between switch 1 12 and switch 16, and terminal 36 which is located between switch 2 14 and switch 4 18. This basic configuration of four switches has sixteen combinations. Two of them allow the device to be energized. This relies on the fact that the device can be driven with current flowing either left to right or in a right to left fashion through the critical device 24. Four combinations turn on only one switch and may be used in a self test circuit; three combinations are safe states; and the seven other combinations blow a fuse and revert to one of the others. The following contains this information in more detail. Note that the two energized modes are complementary. This protects against common mode failures and thus decreases probability of failing in an unsafe state.
TABLE I
off off off off Safe 1 off off off on Self test off off on off Self test off off on on Safe 2 off on off off Self test off on off on Blow fuse off on on off Energized off on on on Blow fuse on off off off Self test on off off on Energized on off on off Blow fuse on off on on Blow fuse on on off off Safe 3 on on off on Blow fuse on on on off Blow fuse on on on on Blow fuse The two states which actually allow the brakes to be released are (1) Switch 1 and Switch 4 on and Switch 2 and Switch 3 off; and (2) Switch 2 and Switch 3 on and Switch 1 and Switch 4 off. This assumes that the critical load 24 is not polarized.
Such is the case when it is a solenoid, for example.
External circuitry functions to control the H switch 10 in the following manner. The external circuits in a deenergized mode disable all switches and monitor them to see if either switch 1 or 2 is shorted. If they are not, switches 3 and 4 are turned on. This is a safe state. If a request in the deenergized state is made, a self test is performed on the switches. This self test runs through a check to see if each of the switches can be turned on and off. It then makes a determination as to whether the H switch can be energized safely and if so, in which energized mode. This will be understood more readily by the explanation which follows.
Besides the protection the fuses give for illegal combinations of the four signals, they also allow the controller to change the failure of the top two switches from failed closed to failed open. This is accomplished by closing the switch in the same leg intentionally. Failed open is much easier to deal with than failed closed for a fault-tolerant system. The four switches are monitored by four monitors, Fig.
2: monitor 1 40, monitor 2 42, monitor 3 44, and monitor 4 46. In this embodiment each of the monitors is implemented as shown with respect to monitor 1 40, by an opto-isolator 48 and resistor 50. Using opto-isolators allows controller 52 to be electrically isolated from the critical load. This electrical isolation can be made complete if the actual switches are implemented by solid state relays.
This reduces the chance for the monitors to negatively impact the critical device and enhances reliability of the circuit. System safety is not reduced significantly by the presence of the monitors because in normal operation their current is limited by the series resistors 50 to a fraction of that needed to operate the solenoid. As the resistors can only fail in the open state, they cannot energize the solenoid.
Controller 52 may be a microprocessor such as a Motorola 68040 programmed to function as described with respect to the following discussion and Figs. 3-7.
H switch 10 can have any switch fail open or closed and still operate in the fail-safe manner. One procedure that controller 52 can implement is the following.
At the time that controller 52 is required to disengage the brakes, a self test is run that checks each switch's ability to turn on and off. If switch 1 has failed open the H switch will turn on switches 2 and 3 and switches 1 and 4 will turn off and the critical device will be engaged. If switch 1 had failed closed, the H switch would turn on switches 2 and 3 and switches 1 and 4 would turn off. This would blow fuse 1 in line with switch 1 and the critical device would be engaged. The similar procedure could be made for switch 2 failure modes. If switch 3 fails open, then the system will turn on switch 1 and switch 4 and turn off switches 2 and 3 so that the critical device will be engaged. If switch 3 fails closed, operation is still possible by turning on switches 2 and 3 and turning off switches 1 and 4 whereupon the critical device will again be engaged. A similar procedure can be made for switch 4 failure modes. If multiple failures are found then all four switches can be turned off and the critical device can be disengaged. When the controller is requested to apply the brakes, switches 1 and 2 are turned off and switches 3 and 4 are turned on. If for any reason it detects a second fault in either switch 1 or 2, such that they stay on when they should not, then all four switches are opened.
Critical device 24a, Fig. 2A, may include a polarized load requiring unidirectional current flow. Diode bridge 25 includes ac terminals 35 and 37 connected to terminals 34 and 36, respectively. Critical device 24a is connected to polarized terminals 39, which is positive, and 41, which is negative, of diode bridge 25.
Thus, irrespective of whether the operational switch state is switch 1 and switch 4 closed, or switch 2 and switch 3 closed, polarized critical load 24a will always have a positive potential on its positive terminal and a negative potential on its negative terminal. In this way, diode bridge 25 does not compromise the fail safe aspect of the circuit to reliably remove current from polarized critical device 24a, while maintaining unidirectional current through the load.
The following describes the use of the switch and monitoring function to perform highly reliable control of a brake system on a PRT vehicle. The brake is applied when no current flows through the brake actuator and this is the safe state for the system. By combination of the switch components, monitoring circuits and process steps in the control logic the function removes the brakes when a request-ON is made so that the vehicle is permitted to move and reliably applies the brakes when a request-OFF is made. The application also tolerates a hardware failure, by reconfiguring automatically on detecting a fault to permit the brakes to be removed and the vehicle moved, and provides the same level of reliability in being able to re-apply the brakes when commanded.
The switch monitor and control functions collectively provide a highly reliable Control Function. The Control Function can be commanded two states:
ON or OFF. In this application OFF applies the brakes, ON releases them. The control Function will go to one of four states in consequence of the external states being applied.
State 1: Off State, applies indefinitely in response to the external command maintaining an OFF state.
State 2: Self Test, Transition to On, occurs in response to the external command transitioning from an OFF state to an ON state. This state is transient, and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines which one of the two different hardware internal ON states will be selected based on health of the hardware elements, or a permanent OFF state if it is determined that an excessive number of hardware failures exist.
State 3: ON State, applies indefinitely following a successful Self Test, in response to the external command maintaining an ON state.
State 4: Self Test, Transition to OFF, occurs in response to the external command transitioning from an ON state to an OFF state. This state is transient and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines which one of the two different hardware internal OFF states will be selected, based on health of the hardware elements.
The following description of states refers to the flow diagrams in Figs. 3-7.
The point of entry for the process is arbitrarily defined as State 1, the OFF
state.
Switches 1, 2, 3 and 4 are referred to as S1, S2, S3, S4, Monitors 1, 2, 3 and 4 as M 1, M2, M3 and M4.
( 1 ) State 1 is predominantly satisfied by having switches S 1 and S2 deactivated, and switches S3 and S4 activated. This applies a short-circuit via ground to the two ends of the load (Brake actuator) to insure it is de-energized.
Alternately, and only as a consequence of determining a fault condition via prior testing, all four switches, S1, S2, S3 and S4 will be deactivated to reduce the probability of inadvertently setting up a path of conduction.
(2) When the External Sequence transitions from the off state to the on-state a self test-transition-to-ON process is initiated. This process is an orderly fixed sequence and takes a fixed time-period. Interrupting the sequence by de-asserting the external state and mid-self test is to be avoided via logic. For the PRT brake application, the self test took less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, typically 100 seconds.
(3) Initially all switches S 1 through S4 are deactivated. From this state all switches can be individually checked as a serial sequence. This is done by turning on each switch singularly, and verifying operation through the use of the monitors M 1 through M4. During this process the load is not energized. It is possible, as a consequence of a fault, that activating one switch will provide a path via a fault and the load will be momentarily energized. For the function of brake control on PRT, the time constant of the load (brakes) was significantly longer than the event of being momentarily energized, such that no consequence propagated from this brief event.
(4) S 1 is activated, which will cause M 1 to be OFF. If M 1 remains ON, then a fault has occurred, which is assumed to be that S 1 has failed open-circuit.
The outcome of this test is logged for switch S1, functional (OK), or failed open-circuit (0C).
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which reduces the probability of failure in an unsafe mode.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can work around a single fault.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is resistant to common mode failures.
This invention results from the realization that a truly fail-safe, fault-tolerant switching system for a critical device can be achieved using two parallel networks each including a fuse device and two switch devices in series with the critical device connected between the networks at the junction of a switch device and fuse device in each network so that the system is entirely fail-safe and fault-tolerant through its inherent operation supplemented by automatic monitoring and control of the switching devices.
This invention features a fail-safe, fault-tolerant switching system for a critical device including a first pair of terminals for connection to a power source, a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals and a second network in parallel with the first network including a second fuse device, second switching device and fourth switching device connected in series between the first pair of terminals. There is a second pair of terminals, one between the first and third switching devices and one between the second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when first and second switching devices are open and the third and fourth switching devices are closed, the first, second, third and fourth switching devices are open, the first and second fuse devices are open and the first and second switching devices are open and the third and fourth switching devices are closed and the first and second fuse devices are intact; the first switching device has failed ON and the second switching device is open and the third and fourth switching devices are closed and fuse 1 is caused to open due to short circuit path through the first and third switching device and the second fuse device is intact; the first switching device is open and the second switching device has failed ON and the third and fourth switching devices are closed and fuse 1 is intact and fuse 2 is caused to open due to a short circuit path through the second and fourth switching device; the first, second, third and fourth switching devices are open, the fault-tolerant operation occurs through the first fuse device, first switching device and fourth switching device, or the second fuse device, second switching device and third switching device.
In a preferred embodiment there may be a unidirectional current flow circuit interconnected between the second pair of terminals and the critical device for permitting current flow in one direction. The unidirectional current flow circuit may include a diode bridge. There may be a first monitor circuit for monitoring the first switching device, a second monitor circuit for monitoring the second switching device, a third monitor circuit for monitoring the third switching device, and a fourth monitor circuit for monitoring the fourth switching device. There may be a controller responsive to the monitor circuit for selectively operating the switching devices.
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects, features and advantages will occur to those skilled in the art from the following description of a preferred embodiment and the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a fail-safe, fault-tolerant H switch according to this invention;
Fig. 2 is a view similar to Fig. 1 including monitoring devices and a controller for monitoring and controlling the operation of the individual switches;
Fig. 2A is a view, similar to Fig. 2, in which a diode bridge is connected across a polarized load;
Figs. 3-7 are flow charts explaining the operation of the controllers and monitors; and Fig. 8 is a diagram depicting the desired behavior of the H switch according to this invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT
There is shown in Fig. 1 a basic H switch 10 including four switches:
switch 1 12, switch 2 14, switch 3 16, and switch 4 18, and two fuses, fuse 1 20, and fuse 2 22. The switch is arranged in an "H" shape with the critical load 24 in the middle. The switches may be conventional switches, relays, or semiconductor devices. A first network 26 inciu'ding fuse 1 20, switch 1 12 and switch 3 16, is connected between a pair of terminals 28 and 30 which in this embodiment are connected to a positive power supply and ground, respectively. The second network 32 including fuse 2 22, switch 2 14 and switch 4 18, is connected in parallel with network 26 between terminals 28 and 30. A critical device 24 is connected between terminal 34 which is located between switch 1 12 and switch 16, and terminal 36 which is located between switch 2 14 and switch 4 18. This basic configuration of four switches has sixteen combinations. Two of them allow the device to be energized. This relies on the fact that the device can be driven with current flowing either left to right or in a right to left fashion through the critical device 24. Four combinations turn on only one switch and may be used in a self test circuit; three combinations are safe states; and the seven other combinations blow a fuse and revert to one of the others. The following contains this information in more detail. Note that the two energized modes are complementary. This protects against common mode failures and thus decreases probability of failing in an unsafe state.
TABLE I
off off off off Safe 1 off off off on Self test off off on off Self test off off on on Safe 2 off on off off Self test off on off on Blow fuse off on on off Energized off on on on Blow fuse on off off off Self test on off off on Energized on off on off Blow fuse on off on on Blow fuse on on off off Safe 3 on on off on Blow fuse on on on off Blow fuse on on on on Blow fuse The two states which actually allow the brakes to be released are (1) Switch 1 and Switch 4 on and Switch 2 and Switch 3 off; and (2) Switch 2 and Switch 3 on and Switch 1 and Switch 4 off. This assumes that the critical load 24 is not polarized.
Such is the case when it is a solenoid, for example.
External circuitry functions to control the H switch 10 in the following manner. The external circuits in a deenergized mode disable all switches and monitor them to see if either switch 1 or 2 is shorted. If they are not, switches 3 and 4 are turned on. This is a safe state. If a request in the deenergized state is made, a self test is performed on the switches. This self test runs through a check to see if each of the switches can be turned on and off. It then makes a determination as to whether the H switch can be energized safely and if so, in which energized mode. This will be understood more readily by the explanation which follows.
Besides the protection the fuses give for illegal combinations of the four signals, they also allow the controller to change the failure of the top two switches from failed closed to failed open. This is accomplished by closing the switch in the same leg intentionally. Failed open is much easier to deal with than failed closed for a fault-tolerant system. The four switches are monitored by four monitors, Fig.
2: monitor 1 40, monitor 2 42, monitor 3 44, and monitor 4 46. In this embodiment each of the monitors is implemented as shown with respect to monitor 1 40, by an opto-isolator 48 and resistor 50. Using opto-isolators allows controller 52 to be electrically isolated from the critical load. This electrical isolation can be made complete if the actual switches are implemented by solid state relays.
This reduces the chance for the monitors to negatively impact the critical device and enhances reliability of the circuit. System safety is not reduced significantly by the presence of the monitors because in normal operation their current is limited by the series resistors 50 to a fraction of that needed to operate the solenoid. As the resistors can only fail in the open state, they cannot energize the solenoid.
Controller 52 may be a microprocessor such as a Motorola 68040 programmed to function as described with respect to the following discussion and Figs. 3-7.
H switch 10 can have any switch fail open or closed and still operate in the fail-safe manner. One procedure that controller 52 can implement is the following.
At the time that controller 52 is required to disengage the brakes, a self test is run that checks each switch's ability to turn on and off. If switch 1 has failed open the H switch will turn on switches 2 and 3 and switches 1 and 4 will turn off and the critical device will be engaged. If switch 1 had failed closed, the H switch would turn on switches 2 and 3 and switches 1 and 4 would turn off. This would blow fuse 1 in line with switch 1 and the critical device would be engaged. The similar procedure could be made for switch 2 failure modes. If switch 3 fails open, then the system will turn on switch 1 and switch 4 and turn off switches 2 and 3 so that the critical device will be engaged. If switch 3 fails closed, operation is still possible by turning on switches 2 and 3 and turning off switches 1 and 4 whereupon the critical device will again be engaged. A similar procedure can be made for switch 4 failure modes. If multiple failures are found then all four switches can be turned off and the critical device can be disengaged. When the controller is requested to apply the brakes, switches 1 and 2 are turned off and switches 3 and 4 are turned on. If for any reason it detects a second fault in either switch 1 or 2, such that they stay on when they should not, then all four switches are opened.
Critical device 24a, Fig. 2A, may include a polarized load requiring unidirectional current flow. Diode bridge 25 includes ac terminals 35 and 37 connected to terminals 34 and 36, respectively. Critical device 24a is connected to polarized terminals 39, which is positive, and 41, which is negative, of diode bridge 25.
Thus, irrespective of whether the operational switch state is switch 1 and switch 4 closed, or switch 2 and switch 3 closed, polarized critical load 24a will always have a positive potential on its positive terminal and a negative potential on its negative terminal. In this way, diode bridge 25 does not compromise the fail safe aspect of the circuit to reliably remove current from polarized critical device 24a, while maintaining unidirectional current through the load.
The following describes the use of the switch and monitoring function to perform highly reliable control of a brake system on a PRT vehicle. The brake is applied when no current flows through the brake actuator and this is the safe state for the system. By combination of the switch components, monitoring circuits and process steps in the control logic the function removes the brakes when a request-ON is made so that the vehicle is permitted to move and reliably applies the brakes when a request-OFF is made. The application also tolerates a hardware failure, by reconfiguring automatically on detecting a fault to permit the brakes to be removed and the vehicle moved, and provides the same level of reliability in being able to re-apply the brakes when commanded.
The switch monitor and control functions collectively provide a highly reliable Control Function. The Control Function can be commanded two states:
ON or OFF. In this application OFF applies the brakes, ON releases them. The control Function will go to one of four states in consequence of the external states being applied.
State 1: Off State, applies indefinitely in response to the external command maintaining an OFF state.
State 2: Self Test, Transition to On, occurs in response to the external command transitioning from an OFF state to an ON state. This state is transient, and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines which one of the two different hardware internal ON states will be selected based on health of the hardware elements, or a permanent OFF state if it is determined that an excessive number of hardware failures exist.
State 3: ON State, applies indefinitely following a successful Self Test, in response to the external command maintaining an ON state.
State 4: Self Test, Transition to OFF, occurs in response to the external command transitioning from an ON state to an OFF state. This state is transient and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines which one of the two different hardware internal OFF states will be selected, based on health of the hardware elements.
The following description of states refers to the flow diagrams in Figs. 3-7.
The point of entry for the process is arbitrarily defined as State 1, the OFF
state.
Switches 1, 2, 3 and 4 are referred to as S1, S2, S3, S4, Monitors 1, 2, 3 and 4 as M 1, M2, M3 and M4.
( 1 ) State 1 is predominantly satisfied by having switches S 1 and S2 deactivated, and switches S3 and S4 activated. This applies a short-circuit via ground to the two ends of the load (Brake actuator) to insure it is de-energized.
Alternately, and only as a consequence of determining a fault condition via prior testing, all four switches, S1, S2, S3 and S4 will be deactivated to reduce the probability of inadvertently setting up a path of conduction.
(2) When the External Sequence transitions from the off state to the on-state a self test-transition-to-ON process is initiated. This process is an orderly fixed sequence and takes a fixed time-period. Interrupting the sequence by de-asserting the external state and mid-self test is to be avoided via logic. For the PRT brake application, the self test took less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, typically 100 seconds.
(3) Initially all switches S 1 through S4 are deactivated. From this state all switches can be individually checked as a serial sequence. This is done by turning on each switch singularly, and verifying operation through the use of the monitors M 1 through M4. During this process the load is not energized. It is possible, as a consequence of a fault, that activating one switch will provide a path via a fault and the load will be momentarily energized. For the function of brake control on PRT, the time constant of the load (brakes) was significantly longer than the event of being momentarily energized, such that no consequence propagated from this brief event.
(4) S 1 is activated, which will cause M 1 to be OFF. If M 1 remains ON, then a fault has occurred, which is assumed to be that S 1 has failed open-circuit.
The outcome of this test is logged for switch S1, functional (OK), or failed open-circuit (0C).
(5) S 1 is deactivated. All switches are now in a deactivated state.
(6) S2 is activated, which will cause M2 to be OFF. If M2 remains ON, then a fault has occurred, which is assumed to be that S2 has failed open-circuit.
One of two states is logged for switch S2, functional (OK) or failed open-circuit (0C).
One of two states is logged for switch S2, functional (OK) or failed open-circuit (0C).
7) S2 is deactivated. All switches are now in a deactivated state.
8) S3 is activated, which will cause M3 to be OFF. If M remains ON, then a fault has occurred, which is assumed to be that S3 has failed open-circuit.
One of two states is logged for switch S3, functional (OK), or failed open-circuit (0C).
One of two states is logged for switch S3, functional (OK), or failed open-circuit (0C).
9) S3 is deactivated. All switches are now in a deactivated state.
10) S4 is activated, which will cause M4 to be OFF. If M4 remains ON, then a fault has occurred, which is assumed to be that S4 has failed open-circuit.
One of two states is logged for switch S4, functional (OK), or failed open-circuit (0C).
One of two states is logged for switch S4, functional (OK), or failed open-circuit (0C).
11 ) S4 is deactivated. All switches are now in a deactivated states.
12) Monitors M1 through M4 are next checked to verify they are all ON, signifying the correct bias across the switches S 1 through S4, when de-energized, which is the expected state. If any monitor, M1 through M3 is off, then a fault has occurred. The fault is assumed to be a short-circuit in the associated switch, S 1 through S4. It is most likely that the monitoring circuit for S 1 or S2 has failed if either of these switches is reported as being short-circuit, as the prior tests would have blown the affected fuse on a shorted switch, which consequently removes the short-circuit.
13) Having tested all four switches individually, a decision can be arrived at as to which of three desirable states the switches can be configured in:
The predominant case is to energize switches S 1 and S4, which is applicable to fully-functional hardware, or hardware with a specific set of deduced faults. This activates the load.
Certain faults can be withstood with the hardware by choosing the alternative path, energizing switches S2 and S3.
This also activates the load, but reverses the current through-it compared with activating S 1 and S4. In the application for PRT of a brake release function, the load was non-polarized and not affected by the direction of flow of current.
Specific combinations of hardware faults cannot be tolerated. The function reacts to these faults by holding all switches off and the brakes remain on.
Determination of the appropriate load state is achieved by assessing the 24 possible states of the combination of all four switches in accordance with the following table:
TABLE II
State S1 S2 S3 S4 Outcome 1 OK OK OK OK Select S1,S4 2 OK OK OK OC Select S2,S3 3 OK OK OK SC Select S1,S4 4 OK OK OC OK Select Sl,S4 OK OK OC OC Select None 6 OK OK OC SC Select S1,S4 7 OK OK SC OK Select S2,S3 8 OK OK SC OC Select S2,S3 9 OK OK SC SC Select None OK OC OK OK Select Sl,S4 11 OK OC OK OC Select None 12 OK OC OK SC Select Sl,S4 13 OK OC OC OK Select S1,S4 14 OK OC OC OC Select None OK OC OC SC Select S1,S4 16 OK OC SC OK Select None 17 OK OC SC OC Select None 18 OK OC SC SC Select None 19 OK SC OK OK Select 51,54 OK SC OK OC Select S2,S3 21 OK SC OK SC Select S1,S4 22 OK SC OC OK Select S1,S4 23 OK SC OC OC Select None 24 OK SC OC SC Select None OK SC SC OK Select S1,S4 26 OK SC SC OC Select None 27 OK SC SC SC Select None 28 OC OK OK OK Select S2,S3 29 OC ~ OK I OK ~ OC ~ Select S2,S3 30 OC OK OK SC Select None 31 OC OK OC OK Select None 32 OC OK OC OC Select None 33 OC OK OC SC Select None 34 OC OK SC OK Select S2,S3 35 OC OK SC OC Select None 36 OC OK SC SC Select None 37 OC OC OK OK Select None 38 OC OC OK OC Select None 39 OC OC OK SC Select None 40 OC OC OC OK Select None 41 OC OC OC OC Select None 42 OC OC OC SC Select None 43 OC OC SC OK Select None 44 OC OC SC OC Select None 45 OC OC SC SC Select None 46 OC SC OK OK Select S2,S3 47 OC SC OK OC Select None 48 OC SC OK SC Select None 49 OC SC OC OK Select None 50 OC SC OC OC Select None 51 OC SC OC SC Select None 52 OC SC SC OK Select None 53 OC SC SC OC Select None 54 OC SC SC SC Select None 55 SC OK OK OK Select S2,S3 56 SC OK OK OC Select S2,S3 57 SC OK OK SC Select None 58 SC OK OC OK Select None 59 SC OK OC OC Select None 60 SC OK OC SC Select None 61 SC OK SC OK Select S2,S3 62 SC OK SC OC Select S2,S3 63 SC OK SC SC Select None 64 SC OC OK OK Select None 65 SC OC OK OC Select None 66 SC OC OK SC Select None 67 SC OC OC OK Select None 68 SC OC OC OC Select None 69 SC OC OC SC Select None 70 SC OC SC OK Select None 71 SC OC SC OC Select None 72 SC OC SC SC Select None 73 SC SC OK OK Select S1,S4 74 SC SC OK OC Select S2,S3 75 SC SC OK SC Select None 76 SC SC OC OK Select S1,S4 77 SC SC OC OC Select None 78 SC SC OC SC Select None 79 SC SC SC OK Select None 80 SC SC SC OC Select None 81 SC SC SC SC I Select None 14) If it is determined that the load can be made active, the appropriate switches are energized and State 3 commences. Failure of the load to be activated will be as a consequence of the prior tests and requires repair of the hardware to proceed.
The predominant case is to energize switches S 1 and S4, which is applicable to fully-functional hardware, or hardware with a specific set of deduced faults. This activates the load.
Certain faults can be withstood with the hardware by choosing the alternative path, energizing switches S2 and S3.
This also activates the load, but reverses the current through-it compared with activating S 1 and S4. In the application for PRT of a brake release function, the load was non-polarized and not affected by the direction of flow of current.
Specific combinations of hardware faults cannot be tolerated. The function reacts to these faults by holding all switches off and the brakes remain on.
Determination of the appropriate load state is achieved by assessing the 24 possible states of the combination of all four switches in accordance with the following table:
TABLE II
State S1 S2 S3 S4 Outcome 1 OK OK OK OK Select S1,S4 2 OK OK OK OC Select S2,S3 3 OK OK OK SC Select S1,S4 4 OK OK OC OK Select Sl,S4 OK OK OC OC Select None 6 OK OK OC SC Select S1,S4 7 OK OK SC OK Select S2,S3 8 OK OK SC OC Select S2,S3 9 OK OK SC SC Select None OK OC OK OK Select Sl,S4 11 OK OC OK OC Select None 12 OK OC OK SC Select Sl,S4 13 OK OC OC OK Select S1,S4 14 OK OC OC OC Select None OK OC OC SC Select S1,S4 16 OK OC SC OK Select None 17 OK OC SC OC Select None 18 OK OC SC SC Select None 19 OK SC OK OK Select 51,54 OK SC OK OC Select S2,S3 21 OK SC OK SC Select S1,S4 22 OK SC OC OK Select S1,S4 23 OK SC OC OC Select None 24 OK SC OC SC Select None OK SC SC OK Select S1,S4 26 OK SC SC OC Select None 27 OK SC SC SC Select None 28 OC OK OK OK Select S2,S3 29 OC ~ OK I OK ~ OC ~ Select S2,S3 30 OC OK OK SC Select None 31 OC OK OC OK Select None 32 OC OK OC OC Select None 33 OC OK OC SC Select None 34 OC OK SC OK Select S2,S3 35 OC OK SC OC Select None 36 OC OK SC SC Select None 37 OC OC OK OK Select None 38 OC OC OK OC Select None 39 OC OC OK SC Select None 40 OC OC OC OK Select None 41 OC OC OC OC Select None 42 OC OC OC SC Select None 43 OC OC SC OK Select None 44 OC OC SC OC Select None 45 OC OC SC SC Select None 46 OC SC OK OK Select S2,S3 47 OC SC OK OC Select None 48 OC SC OK SC Select None 49 OC SC OC OK Select None 50 OC SC OC OC Select None 51 OC SC OC SC Select None 52 OC SC SC OK Select None 53 OC SC SC OC Select None 54 OC SC SC SC Select None 55 SC OK OK OK Select S2,S3 56 SC OK OK OC Select S2,S3 57 SC OK OK SC Select None 58 SC OK OC OK Select None 59 SC OK OC OC Select None 60 SC OK OC SC Select None 61 SC OK SC OK Select S2,S3 62 SC OK SC OC Select S2,S3 63 SC OK SC SC Select None 64 SC OC OK OK Select None 65 SC OC OK OC Select None 66 SC OC OK SC Select None 67 SC OC OC OK Select None 68 SC OC OC OC Select None 69 SC OC OC SC Select None 70 SC OC SC OK Select None 71 SC OC SC OC Select None 72 SC OC SC SC Select None 73 SC SC OK OK Select S1,S4 74 SC SC OK OC Select S2,S3 75 SC SC OK SC Select None 76 SC SC OC OK Select S1,S4 77 SC SC OC OC Select None 78 SC SC OC SC Select None 79 SC SC SC OK Select None 80 SC SC SC OC Select None 81 SC SC SC SC I Select None 14) If it is determined that the load can be made active, the appropriate switches are energized and State 3 commences. Failure of the load to be activated will be as a consequence of the prior tests and requires repair of the hardware to proceed.
15) If S1 and S4 are activated, then for the duration that state 3 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE III
S 1 Fails OC Fail-off S 1 Fails SC Continue S2 Fails OC Continue S2 Fails SC Blow S2 fuse, continue S3 Fails OC Continue S3 Fails SC Blow S1 fuse, fail-off S4 Fails OC Fail-off S4 Fails SC Continue 16) If S2 and S3 are activated, then for the duration that state 3 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE IV
TABLE III
S 1 Fails OC Fail-off S 1 Fails SC Continue S2 Fails OC Continue S2 Fails SC Blow S2 fuse, continue S3 Fails OC Continue S3 Fails SC Blow S1 fuse, fail-off S4 Fails OC Fail-off S4 Fails SC Continue 16) If S2 and S3 are activated, then for the duration that state 3 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE IV
S 1 Fails OC Continue S 1 Fails SC Blow S 1 fuse, continue S2 Fails OC Fail-off S2 Fails SC Continue S3 Fails OC Fail-off S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Blow S2 fuse, fail-off 17) The outcome is that the load is predominantly energized for the duration that the system is in state 3. There is a probability that a fault may occur that causes the load to be de-activated. The system should be aware that this has happened. In the application of the brake-release function for PRT, the event of having the brakes re-applied would cause the vehicle to stop and proceed through a set of diagnostics. These diagnostics included removing the command to release the brakes (ON to OFF) and re-applying the command to release the brakes (OFF
to ON). The process re-invoked the Self Test Transition to ON, at which point a different outcome to the appropriate switch configuration may be arrived at.
For example, if the load was activated by switches S 1 and S4 being active and a fault occurred that caused S 1 to go open-circuit, the brake-release function would be de-asserted and the PRT vehicle would stop. The command to release the brakes would be removed and re-applied. The Self Test Transition to ON that occurs would deduce the need to activate switches S2 and S3 to energize the load and release the brakes. Hence this cycling event would permit the system to continue in the presence of a fault that had caused a temporary stoppage.
to ON). The process re-invoked the Self Test Transition to ON, at which point a different outcome to the appropriate switch configuration may be arrived at.
For example, if the load was activated by switches S 1 and S4 being active and a fault occurred that caused S 1 to go open-circuit, the brake-release function would be de-asserted and the PRT vehicle would stop. The command to release the brakes would be removed and re-applied. The Self Test Transition to ON that occurs would deduce the need to activate switches S2 and S3 to energize the load and release the brakes. Hence this cycling event would permit the system to continue in the presence of a fault that had caused a temporary stoppage.
18) When the External Sequence transition from the on-state to the off state a 'self test-transition-to-OFF' process is initiated. This process is an orderly fixed sequence and takes a fixed time-period. Interrupting the sequence by de-asserting the external state mid-self test is to be avoided via logic. For the PRT
brake application, the self test is less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, with typically greater than 100 seconds between trip start and ending times.
brake application, the self test is less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, with typically greater than 100 seconds between trip start and ending times.
19) Initially all switches S 1 though S4 are deactivated, then switches S3 and S4 are activated. This two-step process insures no state-change conditions occur where switch combinations induce a transient short circuit path.
20) From this state the switches can be checked using the monitors M1 and M2. If either monitor M1 or monitor M2 is in an Off state, it is indicative that either switch S3 or S4 has blown open-circuit, and another bias path exists to drive the output to ON. Immediately on occurrence of this case, all switches are deactivated. The response time is such that the corrective action takes less than 100msec and is inconsequential.
The outcome is that one of two states is determined to be appropriate to insure the load is de-energized (the brakes applied).
The outcome is that one of two states is determined to be appropriate to insure the load is de-energized (the brakes applied).
21) Predominantly, when all the hardware is functional, or in the presence of selective faults, the switches S 1 and S2 will remain de-activated and the switches S3 and S4 will be activated, providing a short-circuit via ground across the load terminals. Alternately, on deduction of the above-described fault combinations, all four switches will remain de-activated to reduce the probability of inadvertently setting up a path of conduction. Both these conditions serve for state 1.
22) If S3 and S4 are activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE V
S 1 Fails OC Continue S 1 Fails SC Blow S 1 fuse, continue S2 Fails OC Continue S2 Fails SC Blow S2 fuse, continue S3 Fails OC Continue S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Continue 23) If all switches are de-activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE VI
S 1 Fails OC Continue S 1 Fails SC Continue S2 Fails OC Continue S2 Fails SC Continue S3 Fails OC Continue S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Continue 24) The outcome is that the load is always de-energized for the duration that the system is in state 1. There is probability that changes the state of the individual switches, and may induce a fuse to blow, but the load remains de-energized. The function remains in this state until the next external transition from OFF to ON, at which point the process as described and depicted in the flow charts is repeated.
The operation of H switch 10 is depicted in summary in Fig. 8 where it can be seen that the desired behavior is off with the brake applied and then on when the brakes are removed and motion is permitted, as indicated by path 60, Fig. 8.
There it can be seen that during the four states of the switch process the brakes are off in state 1 62, the off state, and in state 4 64, the self test sequence transition to off, the brakes transition to on in state 2 66, and in state 3 68, they are in the on state.
Although specific features of the invention are shown in some drawings and not in others, this is for convenience only as each feature may be combined with any or all of the other features in accordance with the invention.
Other embodiments will occur to those skilled in the art and are within the following claims:
What is claimed is:
TABLE V
S 1 Fails OC Continue S 1 Fails SC Blow S 1 fuse, continue S2 Fails OC Continue S2 Fails SC Blow S2 fuse, continue S3 Fails OC Continue S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Continue 23) If all switches are de-activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE VI
S 1 Fails OC Continue S 1 Fails SC Continue S2 Fails OC Continue S2 Fails SC Continue S3 Fails OC Continue S3 Fails SC Continue S4 Fails OC Continue S4 Fails SC Continue 24) The outcome is that the load is always de-energized for the duration that the system is in state 1. There is probability that changes the state of the individual switches, and may induce a fuse to blow, but the load remains de-energized. The function remains in this state until the next external transition from OFF to ON, at which point the process as described and depicted in the flow charts is repeated.
The operation of H switch 10 is depicted in summary in Fig. 8 where it can be seen that the desired behavior is off with the brake applied and then on when the brakes are removed and motion is permitted, as indicated by path 60, Fig. 8.
There it can be seen that during the four states of the switch process the brakes are off in state 1 62, the off state, and in state 4 64, the self test sequence transition to off, the brakes transition to on in state 2 66, and in state 3 68, they are in the on state.
Although specific features of the invention are shown in some drawings and not in others, this is for convenience only as each feature may be combined with any or all of the other features in accordance with the invention.
Other embodiments will occur to those skilled in the art and are within the following claims:
What is claimed is:
Claims (5)
1. A fail-safe, fault-tolerant switching system for a critical device comprising a first pair of terminals for connection to a power source;
a first network including a first fuse device, first switching device and third switching device connected in series between said first pair of terminals;
a second network in parallel with said first network including a second fuse device, second switching device and fourth switching device connected in series between said first pair of terminals; and a second pair of terminals one between said first and third switching devices and one between said second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when either said first and second switching devices are open and said third and fourth switching devices are closed or said first, second, third and fourth switching devices are open;
and fault-tolerant operation occurs through said first fuse device, first switching device and fourth switching device or said second fuse device, secund switching device and third switching device.
a first network including a first fuse device, first switching device and third switching device connected in series between said first pair of terminals;
a second network in parallel with said first network including a second fuse device, second switching device and fourth switching device connected in series between said first pair of terminals; and a second pair of terminals one between said first and third switching devices and one between said second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when either said first and second switching devices are open and said third and fourth switching devices are closed or said first, second, third and fourth switching devices are open;
and fault-tolerant operation occurs through said first fuse device, first switching device and fourth switching device or said second fuse device, secund switching device and third switching device.
2. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a unidirectional current flow circuit interconnected between said second pair of terminals and said critical device for permitting current flow in one direction.
3. The fail-safe, fault-tolerant switching system for a critical device of claim 2 in which said unidirectional current flow circuit includes a diode bridge having a first terminal connected between the third and first switching device and a second terminal connected between the second and fourth switching device and the polarized terminals are applied across the critical device.
4. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a first monitor circuit for monitoring said first switching device, a second monitor circuit for monitoring said second switching device, a third monitor circuit for monitoring said third switching device and a fourth monitor circuit for monitoring said fourth switching device.
5. The fail-safe, fault-tolerant switching system for a critical device of claim 4 further including a controller responsive to said monitoring circuits for selectively operating said switching devices.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US43819599A | 1999-11-11 | 1999-11-11 | |
US09/438,195 | 1999-11-11 | ||
PCT/US2000/030799 WO2001035432A1 (en) | 1999-11-11 | 2000-11-10 | Fail-safe, fault-tolerant switching system for a critical device |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2391472A1 true CA2391472A1 (en) | 2001-05-17 |
Family
ID=23739642
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002391472A Abandoned CA2391472A1 (en) | 1999-11-11 | 2000-11-10 | Fail-safe, fault-tolerant switching system for a critical device |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1228520A1 (en) |
KR (1) | KR100497116B1 (en) |
AU (1) | AU1592001A (en) |
CA (1) | CA2391472A1 (en) |
WO (1) | WO2001035432A1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7352544B2 (en) * | 2005-07-07 | 2008-04-01 | Pratt + Whitney Canada Corp. | Method and apparatus for providing a remedial strategy for an electrical circuit |
US8390972B2 (en) * | 2007-04-17 | 2013-03-05 | Hamilton Sundstrand Corporation | Secondary protection approach for power switching applications |
DE102007030627A1 (en) * | 2007-07-02 | 2009-01-08 | Continental Automotive Gmbh | Control of an actuator of a brake of a motor vehicle |
DE102012101951A1 (en) | 2012-03-08 | 2013-09-12 | Maschinenfabrik Reinhausen Gmbh | step switch |
EP3196913B1 (en) * | 2016-01-20 | 2019-04-10 | Schneider Electric Industries SAS | Relay circuit and method for performing self-test of relay circuit |
JP6683512B2 (en) * | 2016-03-18 | 2020-04-22 | リンナイ株式会社 | Dishwasher |
DE102016117821A1 (en) * | 2016-09-21 | 2018-03-22 | Pilz Gmbh & Co. Kg | Safety circuit for fail-safe disconnection of a hazardous technical system |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4433357A (en) * | 1980-10-13 | 1984-02-21 | Matsushita Electric Works Ltd. | Drive circuit for a latching relay |
DE3737791A1 (en) * | 1987-09-25 | 1989-04-13 | Pepperl & Fuchs | Fail-safe switch device |
DE4342586A1 (en) * | 1993-12-14 | 1995-06-22 | Bosch Gmbh Robert | Display device for electrical control devices |
SE505747C2 (en) * | 1996-02-07 | 1997-10-06 | Asea Brown Boveri | Contactor |
WO1999031696A1 (en) * | 1997-12-17 | 1999-06-24 | Siemens Electromechanical Components, Inc. | Electronic control circuit for a latching relay |
-
2000
- 2000-11-10 WO PCT/US2000/030799 patent/WO2001035432A1/en not_active Application Discontinuation
- 2000-11-10 EP EP00978459A patent/EP1228520A1/en not_active Withdrawn
- 2000-11-10 KR KR10-2002-7006062A patent/KR100497116B1/en not_active IP Right Cessation
- 2000-11-10 CA CA002391472A patent/CA2391472A1/en not_active Abandoned
- 2000-11-10 AU AU15920/01A patent/AU1592001A/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
EP1228520A1 (en) | 2002-08-07 |
WO2001035432A1 (en) | 2001-05-17 |
AU1592001A (en) | 2001-06-06 |
KR20020048432A (en) | 2002-06-22 |
KR100497116B1 (en) | 2005-06-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP3955500B2 (en) | Fuse trigger circuit and method for protecting electrohydraulic system including fuse | |
CN105829232B (en) | Security system for lift facility | |
US6490141B2 (en) | Power distribution system | |
JP4884478B2 (en) | Safety switching device for fail-safe disconnection of electrical loads | |
US5411324A (en) | Circuit configuration for a controller | |
US10532714B2 (en) | Safety switching device for switching on and safely switching off an electrical load | |
JP4384174B2 (en) | Safety switching device and method for fail-safe stop of electric load | |
US4926281A (en) | Fail-safe and fault-tolerant alternating current output circuit | |
EP2495659B1 (en) | Architecture using integrated backup control and protection hardware | |
US6297569B1 (en) | Power switching system | |
JPH0382661A (en) | Safety relay actuating circuit | |
CA2391472A1 (en) | Fail-safe, fault-tolerant switching system for a critical device | |
KR102376575B1 (en) | Brake drive control circuit and its fault detection method | |
US6366434B2 (en) | Apparatus for safely disconnecting an electrical load from an electrical DC voltage supply | |
CN109565250B (en) | Soft starter, operation method and switch system | |
CN112141166A (en) | Motor train unit safety loop bypass system | |
KR20170124817A (en) | Digital triple protection relay system | |
JP7281699B2 (en) | BRAKE DRIVE CONTROL CIRCUIT AND ITS FAILURE DETECTION METHOD | |
CN109653603B (en) | Double-redundancy thermal backup actuator electromagnetic lock unlocking and unlocking monitoring circuit | |
JP2004086268A (en) | Automatic controller | |
WO2022264690A1 (en) | Interruption device | |
US20240353102A1 (en) | Method for safety-oriented control | |
US20020011888A1 (en) | Circuit provided with a protective function | |
WO2024185230A1 (en) | Power distribution device and wire-disconnect determination method | |
JPH05260654A (en) | Dual power supply equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
FZDE | Dead |