GB2183113A - Failsafe electrical power supply - Google Patents
Failsafe electrical power supply Download PDFInfo
- Publication number
- GB2183113A GB2183113A GB08621642A GB8621642A GB2183113A GB 2183113 A GB2183113 A GB 2183113A GB 08621642 A GB08621642 A GB 08621642A GB 8621642 A GB8621642 A GB 8621642A GB 2183113 A GB2183113 A GB 2183113A
- Authority
- GB
- United Kingdom
- Prior art keywords
- output
- power supply
- circuit
- supply unit
- voltage
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000012544 monitoring process Methods 0.000 claims abstract description 19
- 230000000737 periodic effect Effects 0.000 claims abstract description 8
- 230000000694 effects Effects 0.000 claims description 6
- 239000004065 semiconductor Substances 0.000 abstract 1
- 238000010586 diagram Methods 0.000 description 7
- 238000013461 design Methods 0.000 description 5
- 238000009499 grossing Methods 0.000 description 5
- 239000003990 capacitor Substances 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000004804 winding Methods 0.000 description 4
- 238000007664 blowing Methods 0.000 description 3
- 230000009849 deactivation Effects 0.000 description 3
- 238000001514 detection method Methods 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 230000001419 dependent effect Effects 0.000 description 2
- 238000007598 dipping method Methods 0.000 description 2
- 230000001105 regulatory effect Effects 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000008034 disappearance Effects 0.000 description 1
- 230000003631 expected effect Effects 0.000 description 1
- 230000001939 inductive effect Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000011017 operating method Methods 0.000 description 1
- 230000007420 reactivation Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L1/00—Devices along the route controlled by interaction with the vehicle or train
- B61L1/20—Safety arrangements for preventing or indicating malfunction of the device, e.g. by leakage current, by lightning
Landscapes
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Mechanical Engineering (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Dc-Dc Converters (AREA)
Abstract
An electrical power supply unit includes a cyclically-operating input stage (15) which, when fed with one or more periodic control waveforms, is operative to produce a d.c. voltage of opposite polarity to that used to power the supply unit as a whole. This d.c. voltage powers a control circuit (16) which generates a cyclically-varying drive signal used to drive a dynamic output circuit (17) of the supply unit. In the absence of the control waveforms, input stage (15) fails to produce the d.c. voltage and control circuit (16) is therefore unable to generate the drive signal; as a result, output circuit (17) ceases to function. To provide rapid cut- off of the drive signal, a duplicated semiconductor switch arrangement (70) is connected between a line carrying the drive signal and ground. Correct functioning of the switches is checked by operating each in turn and monitoring the power supply output for the expected dip in the output voltage by means of a duplicated dip detector (71). <IMAGE>
Description
SPECIFICATION
Failsafe electrical power supply unit
The present invention relates to an electrical power supply unit with a fail-safe shut-down capability; in particular, but not exclusively, the invention relates to such a supply unit intended to power the output stage of a fail-safe control system, the system including duplicated cross-checking processors which, upon detection of a fault, are arranged to initiate shut down of the output stage power supply.
Due to the unpredictability of the failure modes of complex control processors, such as microprocessors, their use in applications calling for fail-safe control systems (for example railway signalling) has only gained favour with the introduction of redundant/diverse processor hardware and software techniques. By using two or more processors to perform identical tasks and cross-checking between them at regular intervals, a fault in the control system can be safely detected and the system shut down.
For fault-initiated shutdowns, there are two conflicting requirements. Thus, on the one hand, the output stage of the control system must be shutdown rapidly in order to remove the possibility of erroneous control signals being output (the controlled system will, of course, be designed to reside in a safe condition in the absence of control signals). On the other hand, it is highly desirable that the processors themselves are shutdown slowly in order to allow them to run self-checks and maintenance routines to find the cause of the fault and write it into some form of permanent memory before shutdown.
Both of the foregoing requirements can be satisfied by arranging for the supply of power to the output stage to be cut off before power to the processors is removed. The present invention is, in particular, concerned with the fail-safe shutdown of the output-stage supply.
In one known failsafe, duplicated-processor control system, shutdown of the output-stage power supply upon detection of a fault by the system is effected by a transistor switch inserted in one of the supply lines, this switch being normally on but being turned off by one of the processors upon the shutdown routine being entered. Since the transistor switch may fail short circuit, it is essential to provide a back-up arrangement that can be reiied upon to shutdown the output-stage power supply in cases where the transistor switch has failed. To this end a fuse is inserted in the supply downstream of the switch and two normally closed relays are connected in parallel across the supply downstream of the fuse.These relays, which are generally known as "crowbar" relays, are kept open during normal operation of the system by dynamic drives from respective ones of the processors. Upon the shutdown routine being entered, the transistor switch is first closed and then the crowbar relays are denergised causing them to close across the outputstage supply. If the switch has opened, the fuse remains intact; however, if the switch has failed short circuit the fuse is blown and cuts off the supply.
It is conceivable that a fault condition may arise in which, following shutdown of the output stage power supply, the two processors could try to reestablish this supply by turning on the transistor switch and opening the crowbar relays. To avoid this possibility, a security fuse is provided in the drive circuitry of the relays; this fuse is blown, during a fault-initiated shutdown, following deenergisation of the relays and must be replaced before the relays can be energised again.
Whether or not the arrangement for shutting down the output-stage power supply is fail-safe in nature is dependent on the form and operation of the crowbar relay circuitry. Clearly, this circuitry is not itself inherently failsafe as both sets of relay contacts could stick open. It is, of course, highly unlikely that the two contact sets would suddenly both fail in this manner simultaneously or nearly together, and it is therefore generally held that the circuitry can be considered fail-safe provided that the relay contacts are regularly "proved" (that is, their ability to close is checked) and the system shutdown should either contact set fail this check (the other contact set ensuring that shutdown is achieved). This proving can be effected whenever the output supply is shut down by routing a test signal through the relay contacts.However, as this proving must be carried out regularly, the use of duplicated, provable crowbar relays to provide failsafe power supply shutdown is only possible in systems where regular shutdown of the outputstage power supply is effected as part of the normal operating procedure of the system and not solely in response to the detection of a fault condition (these regular shutdowns, unlike fault-initiated shutdowns, being effected without blowing of the system fuses, unless, of course, a fault should appear in the shutdown circuitry). The use of duplicated, provable crowbar relays is thus unacceptable in systems where power may be required to be supplied to the output stage for extended periods or on a continuous basis.
It is an object of the present invention to provide a power supply which can be shutdown in afailsafe manner and does not need to be intermittently proved in a shutdown state.
This object is achieved by the present invention by arranging for the power supply output to be generated by a cyclically driven output circuit the drive to which is removed upon shutdown; this contrasts with the above described prior art arrangements where the shutdown mechanism operates directly on the already-generated full supply output.
According to this invention, an electrical power supply unit with a failsafe shutdown capability comprises: a dynamic output arranged to provide an output power supply only when cyclically driven by a predetermined periodic drive signal supplied thereto, two switches each operable to remove the drive signal from the output circuit, and monitoring means for monitoring the effect on the output power supply of individually operating each switch.
Should the monitoring means fail to indicate the expected effect on the output supply upon one or other switch being momentarily operated (for example, due to failure of that switch), then the system overseeing control of the power supply unit attempts to shut down the unit by operating both switches to remove the drive signal from the output circuit.
In a preferred embodiment of the invention, each switch comprises a photo-transistor forming part of a respective opto-isolator coupled to respective data processor outputs. Each switch may be operable individually to remove the drive signal for a predetermined time interval, and the monitoring means being responsive to a dip in the output voltage of the output power supply below a predetermined voltage threshold. The monitoring means preferably comprises duplicated dip detectors which are coupled to respective data processors, the said processors each being operatively coupled to a respective one of the switches, and being operable such that, if one processor fails to sense the dip in the output voltage, a shutdown routine is initiated.
The drive signal may be generated by control circuitry powered from a d.c. voltage of opposite polarityto that used to power the supply unit as a whole, this d.c. voltage being produced only upon dynamic operation of an input stage in response to a period control waveform fed thereto.
With such an arrangement, absence of the control waveform orwaveformswill result in disappearance of the d.c. supply voltage to the control circuit, as a consequence of which the drive signal will not be produced and the output of the power supply unit will be shutdown. Since the d.c.
voltage output by the input stage is of opposite polarity to that carried by the said second lines (the first line being the reference or common line), it is virtually impossible for failure of the control circuit to result in the erroneous production of the drive signal. Furthermore, the dynamic nature of the input stage and output circuit make it highly unlikely that a failure in either could result in their operation in the absence of their respective input signals of periodic form. The shutdown of the power supply unit is thus guaranteed once the control waveforms are removed from input stage.
Advantageously, the input stage comprises a diode pump, while the control and output circuits together constitute a switched mode power supply.
Preferably, the control circuit takes the form of a regulator receiving voltage and/or current feedback signals from the output of the power supply unit, and adjusting the parameters of its periodic output signal in response to these signals. As already explained, it is highly improbably that a failure of this control circuit, however sophisticated, could result in generation of a periodic output signal in the absence of the d.c. voltage rail from the input stage.
Where the control circuit is of complex form, its power demand from the input stage may be significant; in this case, the input stage can advantageously be constituted by a diode pump used to drive an oscillator which, in turn drives a switched mode power supply to generate said d.c.
voltage.
Various other novel aspects and features of the invention will become apparent from the following description, given by way of example, of two embodiments of an output-stage power supply unit for a fail-safe, duplicated-processor control system, reference being made to the accompanying diagrammatic drawings, in which::
Figure lisa block diagram of a duplicatedprocessor control system provided with the outputstage power supply unit;
Figure 2 is a circuit diagram of a diode pump of a first embodiment of the output-stage power supply unit;
Figure 3 is a circuit diagram of a switched mode power supply of the first embodiment of the unit;
Figure 4 is a circuit diagram of a boosted diode pump arrangement of a second embodiment of the output-stage power supply unit,
Figure 5 is a circuit diagram of a switched mode power supply of the second embodiment of the unit,
Figure 6 is a circuit diagram of a duplicated fast cut-off switch for use in the second embodiment of the output-stage power supply unit;
Figure 7 is a circuit diagram of a duplicated dip detector for monitoring the effect of the fast cut-off switch of Figure 6; and
Figure 8 is a voltage-time graph illustrating the output voltage dip produced in the output of the output-stage power supply unit upon momentary operation of the Figure 6 cut-off switch.
The control system shown in Figure 1 comprises two microprocessors A and B which are fed with the same inputs and are arranged to carry out the same tasks. The control outputs of the processors A and B are fed via buses 10 and 11 to an output stage 12.
However, in the present example, for each required control output only one processor supplies the needed output (via bus 10 or 11) to the stage 12. The bus 10 and 11 also serves to provide each processor with an indication of the control outputs set by the other processor; this enables the two processors to check each other. Should this checking indicate a fault or should the processors detect a fault in some other manner (for example, as a result of crosschecks effected between the processors via bus 9, for identity of programs and/or intermediate results), the processors enter into a shutdown routine.
The control system is powered from a +24 v power line 13 (the ground return line not being shown in Figure 1. This line 13 is used to power a processor power supply circuit 14 producing a +5v supply for the processors A and B. The circuit 14 may be of any suitable design; th us, for example, the circuit 14 may be a switched mode power supply enabling a wide range of voltages to be accommodated. Excellent isolation of the two processors can be provided by constituting the circuit 14 as two switched mode supplies, one for each processor A, B, the supply voltages for processor A being hereinafter suffixed "a" and those for processor B being suffixed "b".
The 24v line 13 is also used to supply an output stage power supply unit feeding the output stage 12.
This supply unit is basically constituted by the blocks 15, 16 and 17 of Figure 1 which will be described in more detail hereinafter.
The output-stage supply unit 15, 16, 17 can be shut down under the control of the processors A, B and to this end control lines 18, 19 are arranged to feed control signals from the processors A and B respectively, via a security fuse stage 20, to inputs 21,22 of block 15. In fact, as will be described more fully hereinafter, the blocks 15,16 and 17 are such that the output-stage supply unit is normally only operative when the two processors are both feeding predetermined control waveforms to the inputs 21, 22.
In the event of the processors A, B entering the shutdown routine, each processor, if operating correctly, will cease to output the control waveform it normally feeds to the inputs to the block 15. As a result, the supply of power to the output stage 12 is cut off, preventing the output of possibly dangerous control outputs. To ensure removal of the control waveforms from the block 15 and prevent reactivation of the output-stage supply unit in error, a security fuse is blown in the stage 20 by signals fed thereto from the processors A and B over buses 23,25; the blowing of this fuse prevents the passage of signals on the lines 18 and 19 through the stage 20 to the inputs 21,22. The circuitry for blowing the security fuse is of the duplicated, provable type already known in the art.
The output-stage power supply unit 15, 16 and 17 will now be considered in more detail.
The block 15 is an input circuit powered directly from the line 13 and normally operative only in the presence of both control waveforms from the processors A and B to produce a negative d.c.
output voltage (with respect to ground). This negative d.c. voltage is fed to a control circuit constituting the block 16 and forms the supply rail for that circuit. The control circuit 16 is used to produce a dynamic cyclically varying drive signal on a line 27, the form of the signal being such that it can only be produced when the circuit 16 is fed with the negative d.c. voltage from the block 15. The cyclically varying control signal is used to control a power-supply output circuit (block 17) powered from the line 13, the form of this output circuit being such that it only produces an output when dynamically driven by said cyclically-varying control signal; in the embodiments to be described hereinafter, the output circuit 17 is constituted by the output stage of a switched mode power supply.
In the first embodiment of the output-stage power supply unit shown in Figures 2 and 3, the fail-safe circuit 15 producing the negative rail voltage for block 16 is constituted by a diode pump (Fig. 2). This diode pump comprises a main switching transistor 30 arranged to be turned on by the simultaneous conduction of two series-connected phototransistors 31, 32. Each of the transistors 31,32 forms part of a respective opto-isolator fed, via a respective drive transistor 33,34 and a respective one of the two block inputs 21, 22, with a respective one of the control waveforms produced by the processors A, B.The two control waveforms are constituted by regularly occurring pulses, the pulses of the two waveforms occurring simultaneously; typically the two processors each produce a 40 us pulse once every program cycle, the latter having a duration of, for example, 8 to 40 ms. The control waveforms thus act to render the photo-transistors 31,32 simultaneously conductive at regular intervals as a result of which the transistor 30 is turned on and off at the same frequency. When transistor 30 conducts, current builds up through an inductor 47 connected into collector circuit of the transistor 30. Upon the transistor 30 turning off, the current flow through the inductor 47 begins to fall inducing a negative voltage thereacross which is transferred via a diode 28 to a capacitor 29.The voltage across the capacitor 29 is regulated by a zenor diode 44 to provide -10v at the output 26 of the block 15.
As already mentioned, this negative voltage is used to power the control circuit 16, the latter being shown in detail in the left-hand portion of Figure 3.
In the present example, the control circuit 16 is constituted by an oscillator, composed of suitably interconnected NAND gates 35, 36 and 37, that supplies a 20 KHz squarewave via an output driver (NAND gate 38) to the line 27. The circuit configuration of the oscillator is standard and will not be considered in more detail except to note that the mark/space ratio of the output squarewave is determined by the relative values of the resistors 45, 46.
It will be appreciated that the presence of the negative d.c. voltage supplied from the diode pump output 26 is essential if the oscillator circuit 16 is to generate the drive signal constituted by the 20 KHz squarewave oscillator output appearing on line 27.
The squarewave drive signal is fed from the control circuit 16 to the power-supply output circuit 17 which in the present example is constituted by a switched mode power supply, the drive signal providing a switching drive to this switched mode supply. More particularly, the line 27 is connected to the gate of a transistor 39 used to drive a power FET 40 that is connected in series with the primary winding of a transformer 41. The secondary winding of the transformer 41 is connected across a bridge rectifier 42 providing a rectified supply for the output stage 12. A smoothing capacitor 43 is connected across the d.c. side of the bridge rectifier 42.
In operation of the system, the processors A and B normally supply the required in-phase control waveforms to the diode pump inputs 21 and 22 to maintain the negative d.c. voltage at the pump output 26 and thereby cause the necessary squarewave drive signal to be fed from the circuit 16 to the circuit 17 to cause the latter to output a supply voltage for the output stage 12.
If now the processors should detect a system fault and enter the shutdown routine, each processor attempts to cease output of the control waveform it normally feeds to the corresponding diode pump input. Under certain fault conditions, one of the processors may in fact fail to cease control waveform output; however, provided the input circuit 15 is functioning correctly, the absence of even one control waveform is sufficient to render the diode pump inoperative resulting in the collapse of the negative supply to the control circuit 16 and consequential shutdown of the power-supply output circuit 17.
In fact, the form of input circuit 16 shown in Figure 2 does not perform a failsafe AND function on the two control waveforms and it is possible for the circuit to fail in a manner causing it to require only one waveform to remain operative. Since such a fault could occur jointly with a processor fault of the type resulting in one processor continuing to output a control waveform upon shutdown, in order to ensure failsafe deactivation of the diode pump, each processor A and B is also arranged to attempt to blow the security fuse upon the shutdown routine being entered.
The output-stage power supply unit is failsafe in operation since the dynamic cyclically-operating output circuit 17 will only provide an output supply if fed with an appropriate switching waveform and such a waveform can only be produced when the oscillator 16 is supplied with a negative d.c. voltage from the diode pump. As the system does not include a negative supply other than that generated by the diode pump 15, it is highly unlikely that the oscillator 16 could be powered up otherwise than as a result of the correct operation of the diode pump.
The correct operation of the diode pump is wholly dependent on the latter being fed with both of the control waveforms from the processors A and B.
The lock-up of either processor will result in the negative d.c. voltage disappearing from the diode pump output and the consequent collapse of the switching signal on line 27.
The need to replace the security fuse each time the supply is shut down under fault conditions is, of course, generally inconvenient. To overcome this, the input circuit 15 can be designed to effect a failsafe AND function, absence of either control waveform causing deactivation of the pump under all fault conditions of the circuit. Alternatively, the circuit of the power supply unit could be monitored to ascertain if attempted deactivation of the supply unit by the processors attempting to cease control waveform output, has proved successful and only if this is not so would the processors blow the security fuse. This latter arrangement requires the use of failsafe output monitoring means which will generally take the form of duplicated monitoring circuits capable of being intermittently proved.Such proving requires the output of the supply unit to be temporarily switched off, or at least dipped, by suitable means (which need not be duplicated). A failsafe output monitoring arrangement is incorporated in the second embodiment of the output-stage power supply unit to be described hereinafter, though in that embodiment, the provable monitoring arrangement also serves as a provable fast-acting switch. It should be noted that the requirement to turn off or dip the supply output to prove the monitoring arrangement may not be acceptable in certain circumstances in which case a failsafe output monitoring arrangement of the form described cannot be used.
The second embodiment of the output-stage power supply unit will now be described with reference to Figures 4 and 5. A major difference between the first and second embodiments is that in the second embodiment both current and voltage feedback are provided to regulate the output voltage generated by the output circuit block 17. Regulation of the output voltage in this manner is, as will be described, effected by a regulator buiit around a standard integrated circuit, the regulator constituting the control circuit block 16. In practice, the current drawn by the regulator circuitry is greater than that which can be provided by the simpleform of diode pump used in the first embodiment of the power supply unit.Accordingly, in the second embodiment the input circuit 15 producing the negative rail voltage for the control circuit block 16 is arranged to provide a significantly greater current than the diode pump of Figure 2.
The input circuit of the second embodiment is shown in Figure 4 and comprises three stages, namely:
1) a diode pump circuit of identical design to that constituting the whole of the circuit 15 of the first embodiment;
2) a 20 kHz oscillator powered from the negative voltage output on line 26 by the diode pump stage, the oscillator being of substantially the same design as that constituting the control circuit 16 of the first embodiment,
3) a switched mode power supply stage driven by the output of the oscillator stage and providing a -12v supply on line 50; the form of the switch mode power supply is substantially the same as that constituting the output circuit 17 of the first embodiment except that a small flybacktransformer 51 is used instead of the transformer 41.
For convenience, in Figure 4 the same references have been used as in Figures 2 and 3 to denote equivalent components though, of course, the components shown in Figure 4 are all part of the block 15 of the second embodiment whereas the components shown in Figures 2 and 3 make up all three blocks 15, 16 and 17 of the first embodiment of the power supply unit. Typically, whereas the block 15 of the first embodiment is adequate to provide a -10v, 3mA supply, the block 15 of the second embodiment provides a -12v, 150mA supply.
The negative rail constituted by line 50 is used, after regulation by regulator 49, to power a pulsewidth switching regulator control circuit forming the block 16. This control circuit can conveniently be built around a standard integrated circuit chip 52 such as the Signetics NE5560N chip. The design of the support circuitry for this chip is weil within the capability of persons skill skilled in the relevant art and this support circuitry will therefore not be described in detail herein.
The output of the chip 52 is supplied via line 53 and a bank of inverters 54 acting as drivers, to the input 55 of the output circuit 17 of the second embodiment. The signal appearing on line 53 is a switching waveform, the width of the pulses making up this waveform being controlled by the regulator chip 52 in dependence on feedback characteristics of the output supply as will be explained in more detail hereinafter.
The output circuit 17 of the second embodiment comprises a driver transistor 56 receiving the signal presented to input 55, a power FET 57, a transformer 58, and rectifying and smoothing circuitry 59 connected across the secondary winding of the transformer 58. The output of the rectifying and smoothing circuitry 59 is a 24v supply between lines 60and61.
Current feedback to the switching regulator control chip 52 is provided by a winding 52 of the transformer 58. Voltage feedback to the chip 52 is provided via an op-amp 63 and an opto-isolator 64.
The second embodiment of the output-stage power supply unit operates in substantially the same manner as the first unit except that the output supply is regulated in dependence on the current and voltage feedback signals, this regulation being effected by chip 52 by varying the width of the pulses fed therefrom, via line 53 and inverters 54, to the drive transistor 56 of the output circuit. The power required to run the regulator circuitry is derived from the switched mode power supply forming the output stage of the block 15, this switched mode power supply being driven from the low power oscillator run off the diode pump stage.
It will be appreciated that, as in the first embodiment, running the control circuit (regulator) block 16 from a negative rail ensures that the output circuit 17 can only be effectively driven when a negative voltage is produced by the block 15, it being highly unlikely that any failure in the control circuit block 16 could produce a switching waveform in the absence of a negative supply thereto.
Furthermore, the input circuit block 15 producing the negative rail can normally only do so when both control waveforms produced by processors A, B are present, the first and third stage of this block being dynamic in operation and requiring a cyclicallyvarying drive signal, and the second stage requiring a negative voltage that will only be present if the first stage is functioning correctly.
In both of the afore-described embodiments of the output-stage power supply unit, because of the relatively high switching frequency (20 KHz) used to drive the switched mode power supply constituting the circuit 17, only a small smoothing capacitor is required in the smoothing circuitry of the output circuit. As a result, once the drive signal has been removed from the line feeding the circuit 17, the output supply produced by the circuit 17 will decay fairly rapidly. However, the output from the negative-rail block 15 is slow to decay following removal of one or both of the control waveforms from its inputs and it is this factor which sets the overall decay time of the supply to the output stage 12 upon shutdown of the supply being commanded by the processors A, B. In certain applications, the supply decay time may not be fast enough to prevent a wrong side failure.For this reason, a fast cut off switch must be incorporated into the outputstage power supply unit downstream of the block 15. Such a switch 70 is interposed in the line extending between the blocks 16 and 17 as is indicated in Figure 1, or in any other position suitable for preventing the drive signal produced by the control circuit block 16 from reaching the final stage of the output circuit block 17.
In practice, the switch 70 will not be inherently fail-safe so that it is necessary to provide a duplicated switch arrangement and to prove each switch 70 independently at periodic intervals.
Proving each switch 70 during operation of the power supply circuit can be achieved by momentarily operating the switch and checking to see if this has any effect on the supply output; if the switch is functioning correctly, then the output supply voltage should dip and this can be sensed by a suitable dip detector (see block 71 shown in Figure 1). It should be noted that dipping of the supply output in this manner may render the second embodiment unsuitable for certain applications.
A form of duplicated fast cut-off switch suitable for use with the described second embodiment of the power supply unit is shown in Figure 6. The two cut-off switches are constituted by respective phototransistors 73,74 both connected across points X1,
X2 of the Figure 5 output circuit, that is, between the ground rail 75 and the gate 76 of the power FET 57.
The transistors 73,74 form part of respective opto isolatorsthe inputs of which are controlled via respective drive transistors 77,78 by the processors
A, B respectively. Upon one or both of the transistors 73,74 being turned on by a control signal issued by the corresponding processor(s), the gate of the power FET 57 is grounded causing the dynamic operation of the finai stage of the output circuit 17 to cease and the output supply between lines 60, 61 to decay.
During shutdown of the power supply unit by the processors A, B both transistors 73,74 will normally be turned on; however, if for any reason, one processor is inoperative or one of the transistors 73, 74 fails to function, operation of one only of the two transistors 73,74 is still adequate to disable operation of the output circuit 17.
Proving of the transistors 73, 74 and their associated circuitry is carried out by arranging for the processors A, B to alternately turn on the corresponding transistor 73,74 to produce a dip in supply output voltage between lines 60,61 below 18v. Thus, with reference to Figure 8, the transistor 73,74 being proved is turned on by the corresponding processor for a time period t1-t3 to result in a dip below l8vfortimet2-t4. If this dip is sensed (via the dip detector block 71) by both processors, the transistor under test is deemed to have passed its proving test and no action is taken; if one or both processors fails to sense the dip at the expected time, then the shutdown routine is initiated, including the attempted turn on of both transistors 73, 74.
The dip detector block 71 is constituted by duplicated dip detectors 71A, 71 B of the form shown in Figure 7. Each dip detector 71 comprises a threshold circuit including zener diode 80 and transistor 81 connected between supply rails which in turn are connected to points Y1 (for detector 71A) or Y2 (for detector 71 B) of the output circuit 17, these points being on the output lines 60,61. Inserted in the collector circuit of the transistor 81 of the threshold circuit is an opto-isolator82 interfacing the threshold circuit with a corresponding one of the processors A, B.
Upon the voltage across the output lines 60, 61 of the supply unit dipping below 1 8v, the transistor 81 in each dip detector71 turns off and a corresponding signal is fed via the opto-isolator 82 to the corresponding processor; both processors should thus normally receive an indication that the supply voltage has dipped below 18v.
Should the transistor being proved fail to turn on when commanded or should either dip detector fail to function, then one or both processors will not receive the expected dip signal from its dip detector 71 and the shutdown routine will be entered.
Proving of each transistor 73,74 preferably takes place once every program cycle of the processors, typically once every 8 to 50 ms.
As previously indicated, the duplicated, provable fast cut-off switch arrangement described with reference to Figures 6 and 7 can also be employed as a duplicated, provable output monitoring arrangement enabling the processors to check whether their attempted shutdown of the output stage power supply unit has been successful. When the circuitry of Figures 6 and 7 is employed in this manner, the processors, upon the shutdown routing being entered, initially need only attempt to switch off the output stage supply by attempting to cease their output of control waveforms to the input circuit 15; only if this attempt should prove unsuccessful (as determined by the output monitoring arrangement) need the processors blow the security fuse 20.
Various modifications to the described embodiments of the output-stage power supply unit are, of course, possible. Thus, for example, the input circuit block 15 need not include a diode pump but instead may be constituted by a switched mode power supply driven from a unified waveform derived from the two processor control waveforms.
It will be appreciated that although the described embodiments of the output-stage power supply unit are controlled by inphase waveforms produced by the two processors A, B, it is possible to design input circuitry arranged to receive waveforms in any phase relationship. Furthermore, where a security fuse circuit is provided that is operable by both processors independently to isolate them from the supply input stage, then only one control waveform need to be fed to the input stage, the latter being designed accordingiy.
Power supply units embodying the invention can, of course, be designed for operation with triplicated cross-checking processors with each processor generating a control waveform; in this case, the input circuit might be arranged to operate on a majority voting principle rather than a 3 out of 3 principle as regards the presence of the control waveforms.
Although the dip detector 71 has been described as being connected directly across the output line 60,61 of the circuit 17, it is possible to monitor the effects of the cut off switches 70 at other locations, for example in the source or drain circuit of the power FET 57.
This application is divided out of Application No.
8427287 in which the main claim is directed to an electrical power supply unit with a fail-safe shut down capability, the power supply unit being intended for connection on its power input side between a first power line and one or more second power lines all of the same voltage polarity with respect to said first line, the unit comprising: a cyclically-operating input stage operative upon being supplied with at least one periodic control waveform to output a d.c. voltage of a polarity with respect to said first line opposite to that of the second lines, a control circuit connected to receive said d.c. voltage output by the input stage as a supply voltage, and arranged in the presence of said d.c. voltage to generate a cyclically-varying drive signal, a dynamic output circuit operative to provide an output power supply from the said power lines onlywhen cyclically driven by said drive signal.
Claims (4)
1. An electrical power supply unit with a failsafe shutdown capability, the power supply unit comprising:
a dynamic output circuit arranged to provide an output power supply only when cyclically driven by a predetermined periodic drive signal supplied thereto,
two switches each operable to remove the drive signal from the output circuit, and
monitoring means for monitoring the effect on the output power supply of individually operating each switch.
2. A power supply unit according to claim 1, wherein each switch comprises a photo-transistor forming part of a respective opto-isolator coupled to respective data processor outputs.
3. A power supply unit according to claim 1 or claim 2, wherein each switch is operable individually to remove the drive signal for a predetermined time interval, and wherein the monitoring means is responsive to a dip in the output voltage of the output power supply below a predetermined voltage threshold.
4. A power supply according to claim 3, wherein the monitoring means comprises duplicated dip detectors which are coupled to respective data processors, the said processors each being operatively coupled to a respective one of the switches, and being operable such that, if one processor fails to sense the dip in the output voltage, a shutdown routine is initiated.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB08621642A GB2183113B (en) | 1983-10-29 | 1986-09-09 | Failsafe electrical power supply |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB838328926A GB8328926D0 (en) | 1983-10-29 | 1983-10-29 | Electrical power supply unit |
| GB08621642A GB2183113B (en) | 1983-10-29 | 1986-09-09 | Failsafe electrical power supply |
Publications (3)
| Publication Number | Publication Date |
|---|---|
| GB8621642D0 GB8621642D0 (en) | 1986-10-15 |
| GB2183113A true GB2183113A (en) | 1987-05-28 |
| GB2183113B GB2183113B (en) | 1987-12-02 |
Family
ID=26286949
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB08621642A Expired GB2183113B (en) | 1983-10-29 | 1986-09-09 | Failsafe electrical power supply |
Country Status (1)
| Country | Link |
|---|---|
| GB (1) | GB2183113B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4812677A (en) * | 1987-10-15 | 1989-03-14 | Motorola | Power supply control with false shut down protection |
| EP0614049A1 (en) * | 1993-03-05 | 1994-09-07 | Landis & Gyr Technology Innovation AG | Voltage supply for a redundant computer of a control device |
| WO1996028769A1 (en) * | 1995-03-11 | 1996-09-19 | Leuze Electronic Gmbh + Co. | Safety switch arrangement |
| WO2009026600A1 (en) * | 2007-08-24 | 2009-03-05 | Stiwa - Fertigungstechnik Sticht Gesellschaft M.B.H. | Decentralised energy supply device for a modular, failsafe control system |
-
1986
- 1986-09-09 GB GB08621642A patent/GB2183113B/en not_active Expired
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4812677A (en) * | 1987-10-15 | 1989-03-14 | Motorola | Power supply control with false shut down protection |
| EP0614049A1 (en) * | 1993-03-05 | 1994-09-07 | Landis & Gyr Technology Innovation AG | Voltage supply for a redundant computer of a control device |
| US5513062A (en) * | 1993-03-05 | 1996-04-30 | Landis & Gyr Business Support Ag | Power supply for a redundant computer system in a control system |
| WO1996028769A1 (en) * | 1995-03-11 | 1996-09-19 | Leuze Electronic Gmbh + Co. | Safety switch arrangement |
| US5777834A (en) * | 1995-03-11 | 1998-07-07 | Leuze Electronic Gmbh+Co. | Safety switch arrangement |
| WO2009026600A1 (en) * | 2007-08-24 | 2009-03-05 | Stiwa - Fertigungstechnik Sticht Gesellschaft M.B.H. | Decentralised energy supply device for a modular, failsafe control system |
Also Published As
| Publication number | Publication date |
|---|---|
| GB2183113B (en) | 1987-12-02 |
| GB8621642D0 (en) | 1986-10-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US4868826A (en) | Fault-tolerant output circuits | |
| US4400792A (en) | Dual-channel data processing system for railroad safety purposes | |
| EP0190664B1 (en) | Redundant control circuit | |
| US5644175A (en) | Static switch method and apparatus | |
| JP3668632B2 (en) | Railway safety control device and security control system | |
| GB2183113A (en) | Failsafe electrical power supply | |
| GB2150373A (en) | Electrical power supply unit with a failsafe shutdown capability | |
| JP4613200B2 (en) | Method for operating a supply unit for a drive circuit and a supply unit for a drive circuit | |
| NL8100131A (en) | LOAD CONTROL. | |
| CZ18494A3 (en) | Safety power interface | |
| US4880994A (en) | Method and device for the redundant control of a power controlled unit | |
| KR100412301B1 (en) | Dual control method in hierarchical control system and apparatus thereof | |
| JP7420656B2 (en) | relay output control device | |
| JP3751746B2 (en) | Fail-safe output device | |
| US5671348A (en) | Non-vital turn off of vital output circuit | |
| EP0806536B1 (en) | Control system for automatic doors | |
| KR100611191B1 (en) | Circuit for controlling a relay of the railroad signal and method thereof | |
| JPH0343837Y2 (en) | ||
| JPH10213291A (en) | Monitor system with monitor switch | |
| EP1046089B1 (en) | A positive safety control system | |
| US20210216393A1 (en) | Protection Against Internal Faults In Burners | |
| EP0341224B1 (en) | Apparatus for monitoring the state of a remotely controlled device | |
| JP3802895B2 (en) | Parallel output type electronic interlocking device with a fail-safe majority logic circuit | |
| JPS59139872A (en) | Gate signal generator for power converter | |
| EP1625653B1 (en) | Highly fail-safe power generator, particularly for rail systems, or the like |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PCNP | Patent ceased through non-payment of renewal fee |