GB2150373A - Electrical power supply unit with a failsafe shutdown capability - Google Patents


Info

Publication number: GB2150373A
Authority: GB (United Kingdom)
Prior art keywords: output, power supply, supply unit, circuit, voltage
Legal status: granted; now expired
Application number: GB08427287A
Other versions: GB2150373B (en), GB8427287D0 (en)
Inventors: Geoffrey Peter Gledhill, Peter John Cross
Original and current assignee: ML Engineering Plymouth Ltd
Events: application filed by ML Engineering Plymouth Ltd; publication of GB8427287D0; publication of GB2150373A; application granted; publication of GB2150373B; legal status now expired

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L1/00 Devices along the route controlled by interaction with the vehicle or vehicle train, e.g. pedals
    • B61L1/20 Safety arrangements for preventing or indicating malfunction of the device, e.g. by leakage current, by lightning
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00 Safety arrangements
    • G05B9/02 Safety arrangements, electric
    • G05B9/03 Safety arrangements, electric, with multiple-channel loop, i.e. redundant control systems

Abstract

An electrical power supply unit includes a cyclically-operating input stage (15) which, when fed with one or more periodic control waveforms, is operative to produce a d.c. voltage of opposite polarity to that used to power the supply unit as a whole. This d.c. voltage powers a control circuit (16) which generates a cyclically-varying drive signal used to drive a dynamic output circuit (17) of the supply unit. In the absence of said control waveforms, the input stage (15) fails to produce said d.c. voltage and the control circuit (16) is therefore unable to generate the drive signal; as a result, the output circuit (17) ceases to function. The nature of the circuitry used in the supply unit is such that shutdown of the unit is guaranteed upon removal of the control waveforms, regardless of possible faults within the unit. Various ways are described of ensuring fail-safe removal of the control waveforms when shutdown of the unit is controlled by a duplicated, cross-checking processor system (A, B).

Description

SPECIFICATION

Electrical power supply unit with a fail-safe shutdown capability

The present invention relates to an electrical power supply unit with a fail-safe shutdown capability; in particular, but not exclusively, the invention relates to such a supply unit intended to power the output stage of a fail-safe control system, the system including duplicated cross-checking processors which, upon detection of a fault, are arranged to initiate shutdown of the output-stage power supply.
Due to the unpredictability of the failure modes of complex control processors, such as microprocessors, their use in applications calling for failsafe control systems (for example railway signalling) has only gained favour with the introduction of redundant/diverse processor hardware and software techniques. By using two or more processors to perform identical tasks and cross-checking between them at regular intervals, a fault in the control system can be safely detected and the system shut down.
For fault-initiated shutdowns, there are two conflicting requirements. On the one hand, the output stage of the control system must be shut down rapidly in order to remove the possibility of erroneous control signals being output (the controlled system will, of course, be designed to reside in a safe condition in the absence of control signals). On the other hand, it is highly desirable that the processors themselves are shut down slowly, in order to allow them to run self-checks and maintenance routines to find the cause of the fault and write it into some form of permanent memory before shutdown.
Both of the foregoing requirements can be satisfied by arranging for the supply of power to the output stage to be cut off before power to the processors is removed. The present invention is, in particular, concerned with the fail-safe shutdown of the output-stage supply.
In one known fail-safe, duplicated-processor control system, shutdown of the output-stage power supply upon detection of a fault by the system is effected by a transistor switch inserted in one of the supply lines, this switch being normally on but being turned off by one of the processors upon the shutdown routine being entered. Since the transistor switch may fail short circuit, it is essential to provide a back-up arrangement that can be relied upon to shut down the output-stage power supply in cases where the transistor switch has failed. To this end a fuse is inserted in the supply downstream of the switch and two normally-closed relays are connected in parallel across the supply downstream of the fuse. These relays, generally known as "crowbar" relays, are held open during normal operation of the system by dynamic drives from respective ones of the processors. Upon the shutdown routine being entered, the transistor switch is first turned off and then the crowbar relays are de-energised, causing them to close across the output-stage supply. If the switch has opened, the fuse remains intact; if, however, the switch has failed short circuit, the fuse is blown and cuts off the supply.
It is conceivable that a fault condition may arise in which, following shutdown of the output-stage power supply, the two processors could try to re-establish this supply by turning on the transistor switch and opening the crowbar relays. To avoid this possibility, a security fuse is provided in the drive circuitry of the relays; this fuse is blown, during a fault-initiated shutdown, following de-energisation of the relays, and must be replaced before the relays can be energised again.
Whether or not the arrangement for shutting down the output-stage power supply is fail-safe in nature depends on the form and operation of the crowbar relay circuitry. Clearly, this circuitry is not itself inherently fail-safe, as both sets of relay contacts could stick open. It is, of course, highly unlikely that the two contact sets would suddenly both fail in this manner simultaneously or nearly together, and it is therefore generally held that the circuitry can be considered fail-safe provided that the relay contacts are regularly "proved" (that is, their ability to close is checked) and the system shut down should either contact set fail this check (the other contact set ensuring that shutdown is achieved). This proving can be effected whenever the output supply is shut down, by routing a test signal through the relay contacts. However, as this proving must be carried out regularly, the use of duplicated, provable crowbar relays to provide fail-safe power supply shutdown is only possible in systems where regular shutdown of the output-stage power supply is effected as part of the normal operating procedure of the system and not solely in response to the detection of a fault condition (these regular shutdowns, unlike fault-initiated shutdowns, being effected without blowing of the system fuses, unless, of course, a fault should appear in the shutdown circuitry). The use of duplicated, provable crowbar relays is thus unacceptable in systems where power may be required to be supplied to the output stage for extended periods or on a continuous basis.
It is an object of the present invention to provide a power supply which can be shut down in a fail-safe manner and does not need to be intermittently proved in a shutdown state.
This object is achieved by the present invention by arranging for the power supply output to be generated by a cyclically driven output circuit, the drive to which is removed upon shutdown; this contrasts with the above-described prior art arrangements, where the shutdown mechanism operates directly on the already-generated full supply output. In one implementation of the invention, the output circuit drive is arranged to be generated by control circuitry powered from a d.c. voltage of opposite polarity to that used to power the supply unit as a whole, this d.c. voltage being produced only upon dynamic operation of an input stage in response to a periodic control waveform fed thereto.

Thus, according to one aspect of the present invention, there is provided an electrical power supply unit with a fail-safe shutdown capability, the power supply being intended for connection on its power input side between a first power line and one or more second power lines all of the same voltage polarity with respect to said first line, the unit comprising:
- a cyclically-operating input stage operative, upon being supplied with at least one periodic control waveform, to output a d.c. voltage of a polarity with respect to said first line opposite to that of the second lines;
- a control circuit connected to receive said d.c. voltage output by the input stage as a supply voltage, and arranged in the presence of said d.c. voltage to generate a cyclically-varying drive signal;
- a dynamic output circuit operative to provide an output power supply from the said power lines only when cyclically driven by said drive signal.

With such an arrangement, absence of the control waveform or waveforms will result in disappearance of the d.c. supply voltage to the control circuit, as a consequence of which the drive signal will not be produced and the output of the power supply unit will be shut down. Since the d.c. voltage output by the input stage is of opposite polarity to that carried by the said second lines (the first line being the reference or common line), it is virtually impossible for failure of the control circuit to result in the erroneous production of the drive signal. Furthermore, the dynamic nature of the input stage and output circuit makes it highly unlikely that a failure in either could result in its operation in the absence of its respective input signal of periodic form. The shutdown of the power supply unit is thus guaranteed once the control waveforms are removed from the input stage.
Advantageously, the input stage comprises a diode pump, while the control and output circuits together constitute a switched mode power supply.
Preferably, the control circuit takes the form of a regulator receiving voltage and/or current feedback signals from the output of the power supply unit, and adjusting the parameters of its periodic output signal in response to these signals. As already explained, it is highly improbable that a failure of this control circuit, however sophisticated, could result in generation of a periodic output signal in the absence of the d.c. voltage rail from the input stage.
Where the control circuit is of complex form, its power demand from the input stage may be significant; in this case, the input stage can advantageously be constituted by a diode pump used to drive an oscillator which, in turn, drives a switched mode power supply to generate said d.c. voltage.
Of course, although the power supply unit when considered alone possesses a fail-safe shutdown capability, whether a system incorporating the unit retains this capability will depend on the ability of the system to remove the said at least one control waveform when demanding shutdown of the power supply unit. More particularly, for the fail-safe shutdown capability of the power supply unit to be retained when the latter is in situ in a system, this system must, upon shutdown being demanded, operate in a fail-safe manner to prevent the input stage of the power supply unit being operated by the control waveform(s).
The power supply unit is, in fact, primarily intended for use as an output-stage power supply in a fail-safe processor system including at least two cross-checking processors. For such a system to effect fail-safe shutdown of the power supply unit, at least two processors should be individually capable of bringing about the desired shutdown, since the reason for a shutdown being required might well be the failure of one of these processors. By way of example, the incorporation of the power supply unit in a duplicated cross-checking processor system, in a manner enabling fail-safe shutdown of the unit, can be effected in any of the following ways:
i) by arranging for both processors of the system to generate control waveforms which are then combined by circuitry performing a fail-safe logical AND function, the input stage of the power supply unit being controlled by this circuitry to produce said d.c. voltage only when both control waveforms are present. In this case, upon shutdown being required, both processors attempt to cease production of the control waveforms, the cessation of either being sufficient to shut down the supply unit.
ii) by arranging for the two processors to be independently capable of operating a fail-safe cut-off circuit through which the control waveform(s) pass to the input stage of the power supply unit. In this case, upon shutdown being required, both processors are arranged immediately to attempt to operate the cut-off circuit; at least one processor will be successful and interrupt the passage of the control waveforms to the input stage, resulting in shutdown of the supply unit. A disadvantage of this arrangement is that, with the standard implementation of a fail-safe cut-off circuit (that is, a security fuse circuit including a security fuse capable of being blown by each processor independently of the other), each time the supply unit is shut down by the processors it is necessary to replace the security fuse.
iii) by arranging for one or both processors to generate control waveforms, and for both processors to be independently capable of operating a fail-safe cut-off circuit through which the control waveform(s) are fed to the input stage of the power supply unit. Upon shutdown being required, the processors first attempt to shut down the power supply unit by attempting to cease control waveform generation; however, this attempt may fail due to previous failure of one of the processors (possibly in combination with other faults). To provide for this situation, the processors are arranged to monitor the output of the supply unit in a fail-safe manner (for example, using duplicated, provable output voltage detectors) so that, should the supply output not disappear upon the attempted cessation of control waveform generation, the processors can recognise this fact and proceed to shut down the supply unit using the cut-off circuit.
This arrangement is, of course, similar to arrangement (ii) above in that the final guarantee of fail-safe shutdown is the fail-safe cut-off circuit; however, the present arrangement has the advantage of only operating the cut-off circuit under certain fault conditions, and not all. Preferably, both processors will generate control waveforms which are then combined in non-fail-safe logical AND circuitry used to control operation of the supply unit input stage; in this case, two faults must be present before the cut-off circuit is operated during shutdown, namely failure of one processor and failure of the AND circuitry.
Due to the form of circuitry used in the power supply unit to generate the drive signal for driving the output circuit, it may take a little time for the drive signal to disappear upon removal of the control inputs to the unit. In this case, it may be necessary in certain applications to provide a fast-acting semiconductor switch to speed up cut-off of the drive signal to the power-supply output circuit.
As a semiconductor switch is not inherently fail-safe, the switch must be of duplicated, provable form. This proving is carried out by momentarily closing the switch and watching for a dip in the power-supply output, the dip being designed to have a duration and depth insufficient to adversely affect the operation of the equipment powered by the supply. In fact, the same circuits used to form this duplicated provable switch can also be used as the duplicated provable output-monitoring arrangement referred to in the last preceding paragraph.
Furthermore, it is possible to implement the present invention, in its broad conception, solely by the use of a duplicated provable semiconductor switch arrangement to cut off the drive signal to the output circuit. Thus, according to a still further aspect, the present invention provides an electrical power supply unit with a fail-safe shutdown capability, the power supply unit comprising:
- a dynamic output circuit arranged to provide an output power supply only when cyclically driven by a predetermined periodic drive signal supplied thereto;
- two switches each operable to remove said drive signal from the output circuit; and
- monitoring means for monitoring the effect on said output power supply of individually operating each switch.
Should the monitoring means fail to indicate the expected effect on the output supply upon one or other switch being momentarily operated (for example, due to failure of that switch), then the system overseeing control of the power supply unit attempts to shut down the unit by operating both switches to remove the drive signal from the output circuit.
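The proving cycle just described, as an added worked example that is not part of the patent: a Python model of two cut-off switches, two dip detectors and a first-order output voltage. The voltage model, the dip threshold, the hold time, the "switch cannot interrupt the drive" fault and the "detector always reports a dip" fault are assumptions made here for illustration. What the model shows is why both the switch and the detector are duplicated: a single stuck detector would mask a stuck switch, and that pair of faults is caught only because the two detectors disagree.

```python
"""Proving cycle for a duplicated fast cut-off switch with duplicated dip
detectors (the arrangement of Figures 6 to 8). Added illustration only: the
first-order output-voltage model, the dip threshold, the number of samples the
switch is held for and the fault classes are assumptions, not values or
circuits taken from the patent."""
from dataclasses import dataclass

V_NOMINAL = 24.0        # supply output between lines 60 and 61
DIP_THRESHOLD = 22.0    # assumed: a detector reports a dip below this voltage
HOLD_SAMPLES = 3        # assumed: samples for which a switch is held during proving
TAU_SAMPLES = 20.0      # assumed: first-order time constant of the smoothed output


@dataclass
class CutoffSwitch:
    name: str
    stuck: bool = False      # fault: operating the switch does not remove the drive
    operated: bool = False   # the overseeing system has asked it to remove the drive

    def removes_drive(self):
        return self.operated and not self.stuck


@dataclass
class DipDetector:
    name: str
    stuck: bool = False      # dangerous fault: reports a dip whether or not one occurred

    def saw_dip(self, v_min):
        return True if self.stuck else v_min < DIP_THRESHOLD


class Output:
    """First-order model of the rectified, smoothed output: it decays toward
    zero while the drive is removed and recovers toward nominal otherwise."""
    def __init__(self):
        self.v = V_NOMINAL

    def step(self, switches):
        drive_present = not any(sw.removes_drive() for sw in switches)
        target = V_NOMINAL if drive_present else 0.0
        self.v += (target - self.v) / TAU_SAMPLES
        return self.v


def prove_switch(output, switch, switches, detectors, recover=40):
    """Momentarily operate one switch and collect each detector's verdict on
    the resulting dip. Returns (verdicts, minimum voltage seen)."""
    switch.operated = True
    readings = [output.step(switches) for _ in range(HOLD_SAMPLES)]
    switch.operated = False
    for _ in range(recover):
        output.step(switches)
    v_min = min(readings)
    return [d.saw_dip(v_min) for d in detectors], v_min


def emergency_shutdown(output, switches, reason, samples=200):
    """Operate both switches together and report the final output voltage.
    A healthy switch in either position brings the output down."""
    for sw in switches:
        sw.operated = True
    for _ in range(samples):
        output.step(switches)
    return ("shutdown", reason, round(output.v, 2))


def proving_cycle(switches, detectors):
    """Prove each switch in turn. Any failed proof, or any disagreement between
    the two detectors, is treated as a fault and the supply is shut down with
    both switches. Returns ('ok', None, v) or ('shutdown', reason, v)."""
    output = Output()
    for sw in switches:
        verdicts, _ = prove_switch(output, sw, switches, detectors)
        if verdicts[0] != verdicts[1]:
            return emergency_shutdown(output, switches,
                                      f"detectors disagree while proving {sw.name}")
        if not all(verdicts):
            return emergency_shutdown(output, switches,
                                      f"{sw.name} did not dip the output")
    return ("ok", None, round(output.v, 2))


if __name__ == "__main__":
    print(proving_cycle([CutoffSwitch("S1"), CutoffSwitch("S2")],
                        [DipDetector("D1"), DipDetector("D2")]))
    print(proving_cycle([CutoffSwitch("S1"), CutoffSwitch("S2", stuck=True)],
                        [DipDetector("D1", stuck=True), DipDetector("D2")]))
```

Run with both switches stuck, the cycle still reports "shutdown" but the final voltage stays at nominal: duplication covers one stuck switch, not two, which is the same single-fault assumption the description makes for the crowbar relays.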
Various other novel aspects and features of the invention will become apparent from the following description, given by way of example, of two embodiments of an output-stage power supply unit for a fail-safe, duplicated-processor control system, reference being made to the accompanying diagrammatic drawings, in which:
Figure 1 is a block diagram of a duplicated-processor control system provided with the output-stage power supply unit;
Figure 2 is a circuit diagram of a diode pump of a first embodiment of the output-stage power supply unit;
Figure 3 is a circuit diagram of a switched mode power supply of the first embodiment of the unit;
Figure 4 is a circuit diagram of a boosted diode pump arrangement of a second embodiment of the output-stage power supply unit;
Figure 5 is a circuit diagram of a switched mode power supply of the second embodiment of the unit;
Figure 6 is a circuit diagram of a duplicated fast cut-off switch for use in the second embodiment of the output-stage power supply unit;
Figure 7 is a circuit diagram of a duplicated dip detector for monitoring the effect of the fast cut-off switch of Figure 6; and
Figure 8 is a voltage-time graph illustrating the output voltage dip produced in the output of the output-stage power supply unit upon momentary operation of the Figure 6 cut-off switch.
The control system shown in Figure 1 comprises two microprocessors A and B which are fed with the same inputs and are arranged to carry out the same tasks. The control outputs of the processors A and B are fed via buses 10 and 11 to an output stage 12. In the present example, however, for each required control output only one processor supplies the needed output (via bus 10 or 11) to the stage 12. The buses 10 and 11 also serve to provide each processor with an indication of the control outputs set by the other processor; this enables the two processors to check each other.
Should this checking indicate a fault or should the processors detect a fault in some other manner (for example, as a result of cross-checks effected between the processors via bus 9, for identity of programs and/or intermediate results), the processors enter into a shutdown routine.
The control system is powered from a +24 V power line 13 (the ground return line not being shown in Figure 1). This line 13 is used to power a processor power supply circuit 14 producing a +5 V supply for the processors A and B. The circuit 14 may be of any suitable design; for example, the circuit 14 may be a switched mode power supply, enabling a wide range of input voltages to be accommodated. Excellent isolation of the two processors can be provided by constituting the circuit 14 as two switched mode supplies, one for each processor A, B, the supply voltages for processor A being hereinafter suffixed "a" and those for processor B being suffixed "b".
The 24 V line 13 is also used to supply an output-stage power supply unit feeding the output stage 12. This supply unit is basically constituted by the blocks 15, 16 and 17 of Figure 1, which will be described in more detail hereinafter.
The output-stage supply unit 15, 16, 17 can be shut down under the control of the processors A, B, and to this end control lines 18, 19 are arranged to feed control signals from the processors A and B respectively, via a security fuse stage 20, to inputs 21, 22 of block 15. In fact, as will be described more fully hereinafter, the blocks 15, 16 and 17 are such that the output-stage supply unit is normally only operative when the two processors are both feeding predetermined control waveforms to the inputs 21, 22.
In the event of the processors A, B entering the shutdown routine, each processor, if operating correctly, will cease to output the control waveform it normally feeds to the inputs of the block 15. As a result, the supply of power to the output stage 12 is cut off, preventing the output of possibly dangerous control outputs. To ensure removal of the control waveforms from the block 15 and prevent reactivation of the output-stage supply unit in error, a security fuse is blown in the stage 20 by signals fed thereto from the processors A and B over buses 23, 25; the blowing of this fuse prevents the passage of signals on the lines 18 and 19 through the stage 20 to the inputs 21, 22. The circuitry for blowing the security fuse is of the duplicated, provable type already known in the art.
The output-stage power supply unit 15, 16 and 17 will now be considered in more detail.
The block 15 is an input circuit powered directly from the line 13 and normally operative only in the presence of both control waveforms from the processors A and B to produce a negative d.c. output voltage (with respect to ground). This negative d.c. voltage is fed to a control circuit constituting the block 16 and forms the supply rail for that circuit.
The control circuit 16 is used to produce a dynamic, cyclically-varying drive signal on a line 27, the form of the signal being such that it can only be produced when the circuit 16 is fed with the negative d.c. voltage from the block 15. The cyclically-varying drive signal is used to control a power-supply output circuit (block 17) powered from the line 13, the form of this output circuit being such that it only produces an output when dynamically driven by said cyclically-varying drive signal; in the embodiments to be described hereinafter, the output circuit 17 is constituted by the output stage of a switched mode power supply.
In the first embodiment of the output-stage power supply unit, shown in Figures 2 and 3, the fail-safe circuit 15 producing the negative rail voltage for block 16 is constituted by a diode pump (Figure 2). This diode pump comprises a main switching transistor 30 arranged to be turned on by the simultaneous conduction of two series-connected phototransistors 31, 32. Each of the phototransistors 31, 32 forms part of a respective opto-isolator fed, via a respective drive transistor 33, 34 and a respective one of the two block inputs 21, 22, with a respective one of the control waveforms produced by the processors A, B. The two control waveforms are constituted by regularly occurring pulses, the pulses of the two waveforms occurring simultaneously; typically, the two processors each produce a 40 µs pulse once every program cycle, the latter having a duration of, for example, 8 to 40 ms. The control waveforms thus act to render the phototransistors 31, 32 simultaneously conductive at regular intervals, as a result of which the transistor 30 is turned on and off at the same frequency.
When transistor 30 conducts, current builds up through an inductor 47 connected into the collector circuit of the transistor 30. Upon the transistor 30 turning off, the current flow through the inductor 47 begins to fall, inducing a negative voltage thereacross which is transferred via a diode 28 to a capacitor 29. The voltage across the capacitor 29 is regulated by a Zener diode 44 to provide -10 V at the output 26 of the block 15.
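To give a feel for the timing of this diode pump, the following added example (not from the patent) models it program cycle by program cycle in Python. The 40 µs pulse, the 8 ms program cycle, the +24 V line, the -10 V clamp and the 3 mA load come from the description; the inductor value (1 mH), the capacitor value (100 µF) and the voltage below which the oscillator 16 is taken to stop (5 V) are assumptions. The rail builds only while pulses arrive and decays over a number of program cycles once they stop, which is the tail that later motivates the fast-acting cut-off switch.

```python
"""Cycle-by-cycle energy model of the Figure 2 diode pump (block 15).

Added illustration, not the patent's circuit values: the inductor, capacitor
and oscillator dropout voltage are assumed. Voltages are handled as the
magnitude of the negative rail."""
from dataclasses import dataclass


@dataclass
class DiodePump:
    v_in: float = 24.0            # +24 V line 13
    v_clamp: float = 10.0         # Zener 44 clamps the rail at -10 V (magnitude)
    inductance: float = 1e-3      # assumed 1 mH for inductor 47
    capacitance: float = 100e-6   # assumed 100 uF for capacitor 29
    load_current: float = 3e-3    # 3 mA drawn by the oscillator 16
    v_rail: float = 0.0           # magnitude of the rail at output 26

    def pulse(self, t_on=40e-6):
        """One 40 us conduction of transistor 30: the energy stored in the
        inductor is dumped through diode 28 into capacitor 29."""
        i_peak = self.v_in * t_on / self.inductance
        energy = 0.5 * self.inductance * i_peak ** 2
        stored = 0.5 * self.capacitance * self.v_rail ** 2 + energy
        self.v_rail = min((2 * stored / self.capacitance) ** 0.5, self.v_clamp)

    def discharge(self, dt):
        """The load drains the capacitor linearly: dV/dt = I / C."""
        self.v_rail = max(0.0, self.v_rail - self.load_current * dt / self.capacitance)


def run(pump, cycles, pulses_present, cycle=8e-3, steps=8):
    """Advance the pump through `cycles` program cycles and return the rail
    magnitude at the end of each. pulses_present(n) says whether both control
    waveforms deliver their pulse in cycle n (the AND of the phototransistors)."""
    trace = []
    for n in range(cycles):
        if pulses_present(n):
            pump.pulse()
        for _ in range(steps):
            pump.discharge(cycle / steps)
        trace.append(pump.v_rail)
    return trace


def cycles_to_collapse(pump, v_dropout=5.0, cycle=8e-3, max_cycles=1000):
    """Number of program cycles after the control waveforms stop until the
    rail falls below the assumed oscillator dropout voltage."""
    for n in range(max_cycles):
        for _ in range(8):
            pump.discharge(cycle / 8)
        if pump.v_rail < v_dropout:
            return n + 1
    return None


if __name__ == "__main__":
    pump = DiodePump()
    trace = run(pump, 50, lambda n: True)
    print("rail after 50 cycles with pulses: %.2f V" % trace[-1])
    n = cycles_to_collapse(pump)
    print("cycles until the oscillator loses its rail: %d (%.0f ms)" % (n, n * 8))
```

With these assumed values the rail sits just below the clamp while pulses arrive and takes about twenty program cycles, roughly 160 ms, to fall to the assumed dropout once they stop; the same model with the pulses absent from the start never raises the rail at all.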
As already mentioned, this negative voltage is used to power the control circuit 16, the latter being shown in detail in the left-hand portion of Figure 3. In the present example, the control circuit 16 is constituted by an oscillator, composed of suitably interconnected NAND gates 35, 36 and 37, that supplies a 20 kHz squarewave via an output driver (NAND gate 38) to the line 27. The circuit configuration of the oscillator is standard and will not be considered in more detail, except to note that the mark/space ratio of the output squarewave is determined by the relative values of the resistors 45, 46.
It will be appreciated that the presence of the negative d.c. voltage supplied from the diode pump output 26 is essential if the oscillator circuit 16 is to generate the drive signal constituted by the 20 kHz squarewave oscillator output appearing on line 27.
The squarewave drive signal is fed from the control circuit 16 to the power-supply output circuit 17 which in the present example is constituted by a switched mode power supply, the drive signal providing a switching drive to this switched mode supply. More particularly, the line 27 is connected to the gate of a transistor 39 used to drive a power FET 40 that is connected in series with the primary winding of a transformer 41. The secondary winding of the transformer 41 is connected across a bridge rectifier 42 providing a rectified supply for the output stage 12. A smoothing capacitor 43 is connected across the d.c. side of the bridge rectifier 42.
In operation of the system, the processors A and B normally supply the required in-phase control waveforms to the diode pump inputs 21 and 22 to maintain the negative d.c. voltage at the pump output 26 and thereby cause the necessary squarewave drive signal to be fed from the circuit 16 to the circuit 17 to cause the latter to output a supply voltage for the output stage 12.
If now the processors should detect a system fault and enter the shutdown routine, each processor attempts to cease output of the control waveform it normally feeds to the corresponding diode pump input. Under certain fault conditions, one of the processors may in fact fail to cease control waveform output; however, provided the input circuit 15 is functioning correctly, the absence of even one control waveform is sufficient to render the diode pump inoperative resulting in the collapse of the negative supply to the control circuit 16 and consequential shutdown of the power-supply output circuit 17.
In fact, the form of input circuit 15 shown in Figure 2 does not perform a fail-safe AND function on the two control waveforms, and it is possible for the circuit to fail in a manner causing it to require only one waveform to remain operative. Since such a fault could occur jointly with a processor fault of the type resulting in one processor continuing to output a control waveform upon shutdown, in order to ensure fail-safe deactivation of the diode pump each processor A and B is also arranged to attempt to blow the security fuse upon the shutdown routine being entered.
The output-stage power supply unit is failsafe in operation since the dynamic cyclically-operating output circuit 17 will only provide an output supply if fed with an appropriate switching waveform and such a waveform can only be produced when the oscillator 16 is supplied with a negative d.c. voltage from the diode pump. As the system does not include a negative supply other than that generated by the diode pump 15, it is highly unlikely that the oscillator 16 could be powered up otherwise than as a result of the correct operation of the diode pump. The correct operation of the diode pump is wholly dependent on the latter being fed with both of the control waveforms from the processors A and B. The lock-up of either processor will result in the negative d.c. voltage disappearing from the diode pump output and the consequent collapse of the switching signal on line 27.
The need to replace the security fuse each time the supply is shut down under fault conditions is, of course, generally inconvenient. To overcome this, the input circuit 15 can be designed to effect a fail-safe AND function, absence of either control waveform causing deactivation of the pump under all fault conditions of the circuit. Alternatively, the circuit of the power supply unit could be monitored to ascertain whether attempted deactivation of the supply unit, by the processors ceasing control waveform output, has proved successful, and only if this is not so would the processors blow the security fuse. This latter arrangement requires the use of fail-safe output monitoring means, which will generally take the form of duplicated monitoring circuits capable of being intermittently proved. Such proving requires the output of the supply unit to be temporarily switched off, or at least dipped, by suitable means (which need not be duplicated). A fail-safe output monitoring arrangement is incorporated in the second embodiment of the output-stage power supply unit to be described hereinafter, though in that embodiment the provable monitoring arrangement also serves as a provable fast-acting switch. It should be noted that the requirement to turn off or dip the supply output to prove the monitoring arrangement may not be acceptable in certain circumstances, in which case a fail-safe output monitoring arrangement of the form described cannot be used.
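As an added example, not part of the patent, the following Python model enumerates the fault combinations just discussed for the first embodiment: each processor either does or does not cease its waveform on entering shutdown, the Figure 2 input stage either performs the intended AND or has degraded so that either waveform alone keeps the pump running, and each processor's fuse-blowing circuit either works or does not. The fault classes and the two shutdown procedures (fuse blown on every shutdown, or only after monitoring shows the output persisting) come from the description; the class and function names are ours and the output monitor is assumed to be ideal.

```python
"""Fault enumeration for the first-embodiment shutdown chain: processors A, B,
security-fuse stage 20 and the diode-pump input stage 15 (blocks 16 and 17
follow the negative rail exactly, so they are folded into it).

Added illustration, not the patent's own circuitry: the class names are
assumptions and the output monitor used by the monitored procedure is assumed
to be ideal."""
from dataclasses import dataclass
from itertools import product


@dataclass
class Processor:
    name: str
    stuck_waveform: bool = False    # fault: keeps emitting its waveform after entering shutdown
    fuse_driver_dead: bool = False  # fault: its security-fuse blowing circuit is inoperative
    waveform: bool = True           # currently feeding its pulses to stage 20

    def enter_shutdown(self):
        if not self.stuck_waveform:
            self.waveform = False


@dataclass
class InputStage:
    """Block 15: transistor 30 should conduct only when phototransistors 31
    and 32 conduct together (an AND of the two waveforms)."""
    and_faulted: bool = False       # fault: one phototransistor shorted, so either waveform runs the pump

    def negative_rail(self, wave_a, wave_b):
        return (wave_a or wave_b) if self.and_faulted else (wave_a and wave_b)


class System:
    def __init__(self, a, b, input_stage):
        self.a, self.b, self.input_stage = a, b, input_stage
        self.fuse_blown = False     # security fuse in stage 20

    def output_present(self):
        # Stage 20 passes the waveforms only while its fuse is intact; block 16
        # oscillates only on the negative rail; block 17 delivers output only
        # while driven by that oscillation.
        if self.fuse_blown:
            return False
        return self.input_stage.negative_rail(self.a.waveform, self.b.waveform)

    def blow_fuse(self):
        # Each processor is independently able to blow the fuse.
        if not (self.a.fuse_driver_dead and self.b.fuse_driver_dead):
            self.fuse_blown = True

    def shutdown(self, monitored):
        """Shutdown routine. monitored=False: blow the fuse on every shutdown
        (the first embodiment as described). monitored=True: blow it only if
        the output is seen to persist once both processors have tried to cease
        their waveforms. Returns (output_off, fuse_blown)."""
        self.a.enter_shutdown()
        self.b.enter_shutdown()
        if not monitored or self.output_present():
            self.blow_fuse()
        return (not self.output_present(), self.fuse_blown)


FAULTS = ("A_stuck", "B_stuck", "AND_fault", "A_fuse_dead", "B_fuse_dead")


def shutdown_survivors(monitored=True):
    """Run the shutdown routine under every combination of the five faults and
    return the combinations (tuples of fault names) that leave the output
    stage powered."""
    survivors = []
    for bits in product((False, True), repeat=len(FAULTS)):
        a_stuck, b_stuck, and_fault, a_dead, b_dead = bits
        system = System(Processor("A", a_stuck, a_dead),
                        Processor("B", b_stuck, b_dead),
                        InputStage(and_fault))
        output_off, _ = system.shutdown(monitored)
        if not output_off:
            survivors.append(tuple(n for n, f in zip(FAULTS, bits) if f))
    return survivors


if __name__ == "__main__":
    for combo in shutdown_survivors():
        print("shutdown defeated by:", ", ".join(combo))
```

Enumerating all 32 combinations shows that the output stage survives a shutdown only when both fuse-blowing circuits are dead in addition to the waveform-side faults, that is, with at least four simultaneous faults; with the monitored procedure the fuse is left intact in every case where ceasing the waveforms alone suffices, and a single stuck processor with a healthy input stage never needs the fuse.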
The second embodiment of the output-stage power supply unit will now be described with reference to Figures 4 and 5. A major difference between the first and second embodiments is that in the second embodiment both current and voltage feedback are provided to regulate the output voltage generated by the output circuit block 17. Regulation of the output voltage in this manner is, as will be described, effected by a regulator built around a standard intecrated circuit, the regulator constituting the control circuit block 16. In practice, the current drawn by the regulator circuitry is greater than that which can be provided by the simple form of diode pump used in the first embodiment of the power supply unit.Accordingly, in the second embodiment the input circuit 15 producing the negative rail voltage for the control circuit block 16 is arranged to provide a significantly greater current that the diode pump of Figure 2.
The input circuit of the second embodiment is shown in Figure 4 and comprises three stages, namely: 1) a diode circuit of identical design to that constituting the whole of the circuit 15 of the first embodiment; 2) a 20 kHz oscillator powered from the negative voltage output on line 26 by the diode pump stage, the oscillator being of substantially the same design as that constituting the control circuit 16 of the first embodiment, 3) a switched mode power supply stage driven by the output of the oscilator stage and providing a -12v supply on line 50; the form of the switch mode power supply is substantially the same as that constituting the output circuit 17 of the first embodiment except that a small flyback transformer 51 is used instead of the transformer 41.
For convenience, in Figure 4 the same reference numerals have been used as in Figures 2 and 3 to denote equivalent components though, of course, the components shown in Figure 4 are all part of the block 15 of the second embodiment whereas the components shown in Figures 2 and 3 make up all three blocks 15, 16 and 17 of the first embodiment of the power supply unit. Typically, whereas the block 15 of the first embodiment is adequate to provide a -10v, 3mA supply, the block 15 of the second embodiment provides a -12v, 150mA supply.
The negative rail constituted by line 50 is used, after regulation by regulator 49, to power a pulse-width switching regulator control circuit forming the block 16. This control circuit can conveniently be built around a standard integrated circuit chip 52 such as the Signetics NE5560N chip. The design of the support circuitry for this chip is well within the capability of persons skilled in the relevant art and this support circuitry will therefore not be described in detail herein.
The output of the chip 52 is supplied via line 53 and a bank of inverters 54 acting as drivers, to the input 55 of the output circuit 17 of the second embodiment. The signal appearing on line 53 is a switching waveform, the width of the pulses making up this waveform being controlled by the regulator chip 52 in dependence on feedback characteristics of the output supply as will be explained in more detail hereinafter.
The output circuit 17 of the second embodiment comprises a driver transistor 56 receiving the signal presented to input 55, a power FET 57, a transformer 58, and rectifying and smoothing circuitry 59 connected across the secondary winding of the transformer 58. The output of the rectifying and smoothing circuitry 59 is a 24v supply between lines 60 and 61.
Current feedback to the switching regulator control chip 52 is provided by a winding 52 of the transformer 58. Voltage feedback to the chip 52 is provided via an op-amp 63 and an opto-isolator 64.
The second embodiment of the output-stage power supply unit operates in substantially the same manner as the first unit except that the output supply is regulated in dependence on the current and voltage feedback signals, this regulation being effected by chip 52 by varying the width of the pulses fed therefrom, via line 53 and inverters 54, to the drive transistor 56 of the output circuit.
The power required to run the regulator circuitry is derived from the switched mode power supply forming the output stage of the block 15, this switched mode power supply being driven from the low power oscillator run off the diode pump stage.
It will be appreciated that, as in the first embodiment, running the control circuit (regulator) block 16 from a negative rail ensures that the output circuit 17 can only be effectively driven when a negative voltage is produced by the block 15, it being highly unlikely that any failure in the control circuit block 16 could produce a switching waveform in the absence of a negative supply thereto. Furthermore, the input circuit block 15 producing the negative rail can normally only do so when both control waveforms produced by processors A, B are present, the first and third stages of this block being dynamic in operation and requiring a cyclically-varying drive signal, and the second stage requiring a negative voltage that will only be present if the first stage is functioning correctly.
In both of the afore-described embodiments of the output-stage power supply unit, because of the relatively high switching frequency (20 kHz) used to drive the switched mode power supply constituting the circuit 17, only a small smoothing capacitor is required in the smoothing circuitry of the output circuit. As a result, once the drive signal has been removed from the line feeding the circuit 17, the output supply produced by the circuit 17 will decay fairly rapidly. However, the output from the negative-rail block 15 is slow to decay following removal of one or both of the control waveforms from its inputs and it is this factor which sets the overall decay time of the supply to the output stage 12 upon shutdown of the supply being commanded by the processors A, B. In certain applications, the supply decay time may not be fast enough to prevent a wrong side failure; in this case, a fast cut-off switch must be incorporated into the output-stage power supply unit downstream of the block 15. Such a switch 70 can be interposed in the line extending between the blocks 16 and 17 as is indicated in dashed outline in Figure 1, or in any other position suitable for preventing the drive signal produced by the control circuit block 16 from reaching the final stage of the output circuit block 17.
In practice, the switch 70 will not be inherently fail-safe so that it is necessary to provide a duplicated switch arrangement and to prove each switch 70 independently at periodic intervals. Proving each switch 70 during operation of the power supply circuit can be achieved by momentarily operating the switch and checking to see if this has any effect on the supply output; if the switch is functioning correctly, then the output supply voltage should dip and this can be sensed by a suitable dip detector (see block 71 shown in dashed outline in Figure 1). It should be noted that dipping of the supply output in this manner may render the second embodiment unsuitable for certain applications.
A form of duplicated fast cut-off switch suitable for use with the described second embodiment of the power supply unit is shown in Figure 6. The two cut-off switches are constituted by respective photo-transistors 73, 74 both connected across points X1, X2 of the Figure 5 output circuit, that is, between the ground rail 75 and the gate 76 of the power FET 57. The transistors 73, 74 form part of respective opto-isolators the inputs of which are controlled via respective drive transistors 77, 78 by the processors A, B respectively. Upon one or both of the transistors 73, 74 being turned on by a control signal issued by the corresponding processor(s), the gate of the power FET 57 is grounded causing the dynamic operation of the final stage of the output circuit 17 to cease and the output supply between lines 60, 61 to decay.
During shutdown of the power supply unit by the processors A, B both transistors 73, 74 will normally be turned on; however, if for any reason, one processor is inoperative or one of the transistors 73, 74 fails to function, operation of one only of the two transistors 73, 74 is still adequate to disable operation of the output circuit 17.
Proving of the transistors 73, 74 and their associated circuitry is carried out by arranging for the processors A, B to alternately turn on the corresponding transistor 73, 74 to produce a dip in supply output voltage between lines 60, 61 below 18v.
Thus, with reference to Figure 8, the transistor 73, 74 being proved is turned on by the corresponding processor for a time period t1 - t3 to result in a dip below 18v for time t2 - t4. If this dip is sensed (via the dip detector block 71) by both processors, the transistor under test is deemed to have passed its proving test and no action is taken; if one or both processors fails to sense the dip at the expected time, then the shutdown routine is initiated, including the attempted turn on of both transistors 73, 74.
The dip detector block 71 is constituted by duplicated dip detectors 71A, 71B of the form shown in Figure 7. Each dip detector 71 comprises a threshold circuit including zener diode 80 and transistor 81 connected between supply rails which in turn are connected to points Y1 (for detector 71A) or Y2 (for detector 71B) of the output circuit 17, these points being on the output lines 60, 61. Inserted in the collector circuit of the transistor 81 of the threshold circuit is an opto-isolator 82 interfacing the threshold circuit with a corresponding one of the processors A, B.
Upon the voltage across the output lines 60, 61 of the supply unit dipping below 18v, the transistor 81 in each dip detector 71 turns off and a corresponding signal is fed via the opto-isolator 82 to the corresponding processor; both processors should thus normally receive an indication that the supply voltage has dipped below 18v.
Should the transistor being proved fail to turn on when commanded or should either dip detector fail to function, then one or both processors will not receive the expected dip signal from its dip detector 71 and the shutdown routine will be entered.
Proving of each transistor 73, 74 preferably takes place once every program cycle of the processors, typically once every 8 to 50 ms.
As previously indicated, the duplicated, provable fast cut-off switch arrangement described with reference to Figures 6 and 7 can also be employed as a duplicated, provable output monitoring arrangement enabling the processors to check whether their attempted shutdown of the output stage power supply unit has been successful. When the circuitry of Figures 6 and 7 is employed in this manner, the processors, upon the shutdown routine being entered, initially need only attempt to switch off the output stage supply by attempting to cease their output of control waveforms to the input circuit 15; only if this attempt should prove unsuccessful (as determined by the output monitoring arrangement) need the processors blow the security fuse 20.
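To make the proving and shutdown sequence of the preceding paragraphs concrete, here is an added Python model that is not part of the patent: the input stage as a failsafe AND of the two control waveforms, alternate proving of transistors 73, 74 through the dip detectors 71A, 71B, and escalation to the security fuse 20 only when the monitors cannot confirm the soft shutdown. The 24v output and 18v dip threshold are the description's own figures; the `switch_works`, `detector_works` and `cease_works` flags are assumed fault-injection hooks with no counterpart in the circuit.

```python
from dataclasses import dataclass, field

# Figures from the description: 24 V output between lines 60, 61; the dip
# detectors 71A/71B trip when the output falls below 18 V.
NOMINAL_OUTPUT_V = 24.0
DIP_THRESHOLD_V = 18.0


@dataclass
class SupplyUnit:
    """Constructed model of the second embodiment with the Figure 6/7 circuitry.

    The input stage is modelled as a failsafe AND of the two control waveforms:
    the output is present only while both waveforms are present, the security
    fuse is intact, and no working cut-off transistor (73 or 74) is holding the
    gate of FET 57 at ground. The *_works / cease_works flags are fault-injection
    hooks of this model only; they do not exist in the patent.
    """
    waveform_a: bool = True
    waveform_b: bool = True
    cease_works: bool = True  # can the processors actually stop their waveforms?
    switch_closed: list = field(default_factory=lambda: [False, False])  # transistors 73, 74
    switch_works: list = field(default_factory=lambda: [True, True])     # fault injection
    detector_works: list = field(default_factory=lambda: [True, True])   # detectors 71A, 71B
    fuse_blown: bool = False

    def output_voltage(self) -> float:
        if self.fuse_blown or not (self.waveform_a and self.waveform_b):
            return 0.0      # negative rail absent: dynamic output circuit cannot run
        if any(c and w for c, w in zip(self.switch_closed, self.switch_works)):
            return 0.0      # gate grounded: final stage stops and the output decays
        return NOMINAL_OUTPUT_V

    def dip_seen(self, detector: int) -> bool:
        """What dip detector 71A (0) or 71B (1) reports to its processor."""
        if not self.detector_works[detector]:
            return False    # a failed detector never reports the dip
        return self.output_voltage() < DIP_THRESHOLD_V


def prove_switch(unit: SupplyUnit, idx: int) -> bool:
    """Processor idx momentarily turns on its transistor; the proof passes only
    if BOTH processors see the resulting dip below 18 V."""
    unit.switch_closed[idx] = True
    seen = [unit.dip_seen(0), unit.dip_seen(1)]
    unit.switch_closed[idx] = False
    return all(seen)


def shutdown(unit: SupplyUnit) -> str:
    """Shutdown routine: turn on both transistors and cease the control
    waveforms; blow the security fuse 20 only if the output monitors cannot
    confirm that the supply has fallen."""
    unit.switch_closed = [True, True]
    if unit.cease_works:
        unit.waveform_a = unit.waveform_b = False
    if all(unit.dip_seen(i) for i in range(2)):
        return "soft"       # shutdown confirmed by both monitors
    unit.fuse_blown = True  # last resort: isolate the processors from the input stage
    return "fuse"


def program_cycle(unit: SupplyUnit, cycle: int) -> str:
    """One processor program cycle (typically 8 to 50 ms): prove transistors
    73 and 74 alternately and enter the shutdown routine on any failed proof."""
    return "ok" if prove_switch(unit, cycle % 2) else shutdown(unit)


if __name__ == "__main__":
    healthy = SupplyUnit()
    print("healthy:", program_cycle(healthy, 0), healthy.output_voltage())
    bad_detector = SupplyUnit(detector_works=[True, False])
    print("detector 71B failed:", program_cycle(bad_detector, 1), bad_detector.fuse_blown)
```

Running the four fault cases in the test below shows the intended ordering: a failed transistor or a processor that cannot cease its waveform is still caught by the other path, and the fuse is blown only when the monitors cannot confirm that the output has gone.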
Various modifications to the described embodiments of the output-stage power supply unit are, of course, possible. Thus, for example, the input circuit block 15 need not include a diode pump but instead may be constituted by a switched mode power supply driven from a unified waveform derived from the two processor control waveforms.
It will be appreciated that although the described embodiments of the output-stage power supply unit are controlled by in-phase waveforms produced by the two processors A, B, it is possible to design input circuitry arranged to receive waveforms in any phase relationship. Furthermore, where a security fuse circuit is provided that is operable by both processors independently to isolate them from the supply input stage, then only one control waveform need be fed to the input stage, the latter being designed accordingly.
Power supply units embodying the invention can, of course, be designed for operation with triplicated cross-checking processors with each processor generating a control waveform; in this case, the input circuit might be arranged to operate on a majority voting principle rather than a 3 out of 3 principle as regards the presence of the control waveforms.
Although the dip detector 71 has been described as being connected directly across the output lines 60, 61 of the circuit 17, it is possible to monitor the effects of the cut-off switches 70 at other locations, for example in the source or drain circuit of the power FET 57.

Claims (16)

1. An electrical power supply unit with a failsafe shut down capability, the power supply unit being intended for connection on its power input side between a first power line and one or more second power lines all of the same voltage polarity with respect to said first line, the unit comprising: - a cyclically-operating input stage operative upon being supplied with at least one periodic control waveform to output a d.c. voltage of a polarity with respect to said first line opposite to that of the second lines, - a control circuit connected to receive said d.c. voltage output by the input stage as a supply voltage, and arranged in the presence of said d.c. voltage to generate a cyclically-varying drive signal, - a dynamic output circuit operative to provide an output power supply from the said power lines only when cyclically driven by said drive signal.
2. A power supply unit according to claim 1, wherein the input stage comprises a diode pump arranged to generate directly said d.c. voltage.
3. A power supply unit according to claim 1, wherein the input stage comprises a diode pump, an oscillator arranged to be powered by the diode pump and a switched mode power supply arranged to be driven from the output of the oscillator, the output of the switched mode power supply constituting said d.c. voltage.
4. A power supply unit according to any one of the preceding claims, wherein the control and output circuits together constitute a switched mode power supply.
5. A power supply unit according to claim 4, wherein the control circuit takes the form of a regulator arranged to receive voltage and/or current feedback signals from the output of the power supply unit and to adjust the parameters of its periodic output signal in response to these signals.
6. A power supply unit according to any one of the preceding claims, further comprising a fast-acting semiconductor switch arrangement selectively operable to interrupt the passage of said drive signal to the output circuit.
7. A system including both a processor arrangement constituted by at least two cross-checking processors, and a power supply unit arranged to supply items other than said processors, the power supply unit being in accordance with any one of claims 1 to 5, and the processor arrangement being operative to generate said at least one control waveform and to cease generation of the latter upon shutdown of said supply unit being required.
8. A system according to claim 7, wherein said processors are arranged to generate respective said control waveforms, the said input stage of the power supply unit being arranged to perform a failsafe, logical AND function with said control waveforms whereby the input stage is only operative in the presence of all said control waveforms.
9. A system according to claim 7, further comprising a failsafe cut-off circuit through which the said at least one control waveform is arranged to pass from the processor arrangement to the input stage of the power supply unit, said failsafe cut-off circuit being independently operable by each processor to prevent passage of said at least one control waveform to the said input stage, and each said processor being arranged to operate the cut-off circuit upon shutdown of the power supply unit being required.
10. A system according to claim 7, further comprising: - a failsafe cut-off circuit through which the said at least one control waveform is arranged to pass from the processor arrangement to the input stage of the power supply unit, said failsafe cut-off circuit being operable independently by each processor to prevent passage of said at least one control waveform to the said input stage, and - failsafe output monitoring means arranged to monitor the output of the power supply unit, the processor arrangement being operatively connected to the monitoring means and being arranged, upon shutdown of the power supply unit being required, to: a) attempt to effect the shutdown by attempting to cease generation of said at least one control waveform; b) thereafter to operate the cut-off circuit only if the monitoring means indicates that the shutdown attempt in (a) has not succeeded.
11. A system according to claim 10, wherein said failsafe output monitoring means comprises: - a respective voltage detector associated with each processor, each detector being arranged to detect the presence or absence of a voltage, in excess of a predetermined voltage, at the power supply output, and - switch means controllable by said processor arrangement to momentarily interrupt the operation of the power supply unit at intervals whereby to cause momentary dips in the supply output voltage below said predetermined voltage for the purpose of proving the operation of the voltage detectors, the processors being arranged to operate said cut-off circuit if either voltage detector fails to detect a voltage dip following operation of said switch means.
12. A system according to any one of claims 7 to 11, further comprising a failsafe fast-acting switch arrangement operable by said processor arrangement to interrupt the passage of said drive signal to the output circuit of the power supply unit whereby to enable the supply unit output to be rapidly removed upon shutdown being required.
13. A system according to claim 12, wherein said failsafe switch arrangement is of duplicated, provable form and comprises two semiconductor switches each operable, by a respective said processor, to interrupt the passage of said drive signal to the supply-unit output circuit, and a monitoring arrangement for monitoring the effect on the output of the power supply unit of operating each switch individually, the processor arrangement being operatively connected to said monitoring arrangement and being arranged at intervals to prove said switches by momentarily operating each switch in turn and observing the effect on the supply output, failure of the supply output to dip following proving operation of a said switch resulting in the processor arrangement effecting shutdown of the power supply unit.
14. A system according to claim 13 when dependent on claim 11 wherein: - the two said switches of the fast-acting switch arrangement constitute the switch means of said output monitoring means, and - the two voltage detectors of the output monitoring means constitute the monitoring arrangement of the fast-acting switch arrangement.
15. An electrical power supply unit with a failsafe shutdown capability, the power supply unit comprising: - a dynamic output circuit arranged to provide an output power supply only when cyclically driven by a predetermined periodic drive signal supplied thereto, - two switches each operable to remove said drive signal from the output circuit, and - monitoring means for monitoring the effect on said output power supply of individually operating each switch.
16. An electrical power supply unit with a failsafe shutdown capability, said unit being substantially as hereinbefore described with reference to Figures 1 to 3, or with reference to Figures 1 and 4 to 8, of the accompanying drawings.
GB08427287A 1983-10-29 1984-10-29 Electrical power supply unit with a failsafe shutdown capability Expired GB2150373B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB838328926A GB8328926D0 (en) 1983-10-29 1983-10-29 Electrical power supply unit

Publications (3)

Publication Number Publication Date
GB8427287D0 GB8427287D0 (en) 1984-12-05
GB2150373A true GB2150373A (en) 1985-06-26
GB2150373B GB2150373B (en) 1987-06-17

Family

ID=10550921

Family Applications (2)

Application Number Title Priority Date Filing Date
GB838328926A Pending GB8328926D0 (en) 1983-10-29 1983-10-29 Electrical power supply unit
GB08427287A Expired GB2150373B (en) 1983-10-29 1984-10-29 Electrical power supply unit with a failsafe shutdown capability

Country Status (1)

Country Link
GB (2) GB8328926D0 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1993005453A1 (en) * 1991-09-09 1993-03-18 Gti Industrial Automation B.V. Safe system provided with neural circuit
US5586220A (en) * 1991-09-09 1996-12-17 Gti Industrial Automation B.V. Safe system provided with neural circuit
GB2323224A (en) * 1997-03-13 1998-09-16 Emerson Electric Co Safe control system
GB2323224B (en) * 1997-03-13 2001-05-02 Emerson Electric Co Appliance control system
US7597679B2 (en) 2002-03-27 2009-10-06 Novo Nordisk A/S Safety system for an electrically driven medical delivery device and a computer-readable medium
EP2757018A3 (en) * 2013-01-22 2017-12-27 Siemens AG Österreich Monitoring of an electrical component

Also Published As

Publication number Publication date
GB2150373B (en) 1987-06-17
GB8427287D0 (en) 1984-12-05
GB8328926D0 (en) 1983-11-30

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee