GB2200002A - Microprocessor-based controller especially for hazardous environment - Google Patents
Microprocessor-based controller especially for hazardous environment Download PDFInfo
- Publication number
- GB2200002A GB2200002A GB08729866A GB8729866A GB2200002A GB 2200002 A GB2200002 A GB 2200002A GB 08729866 A GB08729866 A GB 08729866A GB 8729866 A GB8729866 A GB 8729866A GB 2200002 A GB2200002 A GB 2200002A
- Authority
- GB
- United Kingdom
- Prior art keywords
- microprocessor
- output
- control device
- input
- outputs
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0428—Safety, monitoring
Abstract
Intrinsically safe microprocessor-based controller has a circuit containing switches 18, 28, 29, which can interrupt current through a relay coil 22. De-energizing relay coil 22 cuts off output power supplies and hence forces outputs to an off, failsafe state. The microprocessor 10 verifies inputs and outputs by reading back from output lines, and verifies inputs by writing to them. In the event of error, the microprocessor de-energizes relay coil 22, hence forcing outputs to the failsafe state otherwise than by normal control of outputs. A watchdog timer is included. <IMAGE>
Description
MICROPROCESSOR-BASED CONTROLLERS
ESPECIALLY FOR HAZARDOUS ENVIRONMENT
This invention relates to control devices which incorporate a microprocessor. Such devices necessarily have one or more outputs controlled by the microprocessor and usually have one or more inputs to receive signals from external events. The control devices may serve to control machinery.
The control devices may be discrete devices connected by cable to the equipment which they control.
Notably this invention can be applied to a programmable logic controller intended to be connected by a user to equipment which he wishes to control in accordance with a program written by the user. Alternatively the control device may be integral with the equipment which it controls such as for example a microprocessor-based controller built into an automatic machine tool.
The present invention is concerned with increasing the safety of microprocessor-based control. The invention may in particular be applied to intrinsically safe microprocessor-based controllers such as might be employed in a hazardous area, but need not be confined to such applications.
It is conventional for machinery to be provided with controls to bring about an emergency stop. A typical example of this is the push button provided for a machine operator to stop the machine in the event of accident.
Another example would be a control intended to bring about emergency stop automatically in the event of overtravel beyond a limit position. We have appreciated that if such controls operate through the software of a controller, then a software error or a hardware malfunction could have the consequence that an emergency stop control would not function. It is possible that a fault would send the controlled machinery into a dangerous condition, and also render the operator's emergency stop button inoperative.
One aspect of this invention is concerned to avoid the risks just mentioned. In this aspect the invention provides a control device incorporating a microprocessor and having one or more outputs controlled by the microprocessor, characterised by means operable to force each output to a failsafe state overriding or terminating control of the outputs by the microprocessor in normal execution of the program which controls the microprocessor. The failsafe state of an output could possibly be to stay in whatever state it happened to be in, particularly if the state of an output designated the position to be occupied by a piece of equipment rather than commanding a motion. However, it will generally be desirable that the failsafe state should be a predetermined state of the output, usually its "off" state.The means to force a failsafe state may well be constructed to be operable from any of a plurality of locations.
In a second aspect of this invention we appreciated that it would be desirable to enable the micropocessor of a control device to initiate overriding action in response to a detection of an alarm condition. Such alarm conditions might include an output failing to respond to commands sent to it by the microprocessor. Accordingly, in this aspect the invention provides a control device incorporating a microprocessor and having one or more outputs controlled by the microprocessor characterised by alternative circuitry operable by the microprocessor to force each output to a failsafe state, overriding or terminating control of the output through the path by which the microprocessor normally controls the output.
Multiple outputs which can be forced to a failsafe state in this way may be run from more than one separate source of power.
Conceivably the means to force a failsafe state, in accordance with either aspect mentioned above could operate to interrupt the microprocessor. The ensuing interrupt routine could then prevent change of the outputs or force each output to a predetermined state.
Such an interrupt routine might avoid using any subroutines from the program which it interrupts and might also have no return to the main program, instead terminating in an endless loop. Whilst this still uses software to bring about the failsafe state it could nevertheless enhance the safety by utilizing a routine which is separate from the main program and which could be more comprehensively tested.
Better however, would be to avoid use of any stored program and instead stop operation of the microprocessor by means of a control input of the microprocessor. An example of this is a halt command, if the microprocessor has a pin for that purpose. Another example is taking a reset pin to logic high (after which the microprocessor will restart from a reset condition when the pin is eventually taken back to logic low). This could leave the outputs unchanged, or drive them to a known state, e.g. by resetting output latches. A further possibility is th-at the outputs would be driven to a known state by a watchdog timer when microprocessor activity ceased.
A more preferred arrangement is that the means to force a failsafe state operates to take control of the outputs independently of any signals to them from the microprocessor. This could be done in addition to the microprocessor being halted or reset as mentioned above.
It is generally desirable that means to force a failsafe state should be such that the microprocessor is unable to reassert control without the intervention of a human supervisor.
Preferably the means to force a failsafe state is circuitry arranged so that it can be operated by the microprocessor and also externally to the microprocessor in accordance with the first aspect of this invention.
A preferred form of circuitry includes a relay whose coil is held energized by an electrical supply arranged to be interrupted by manually operable controls and/or by sensing means detecting alarm states and/or by the microprocessor when it detects an alarm state. A connection through other contacts which make or break when the relay coil de-energises serves then to force the failsafe state. The electrical supply to the relay should itself be interrupted by de-energising of the relay, e.g. by passing through further contacts held closed by the relay, so that the relay cannot be reenergised. A manually operable reset switch should then be provided to supply current to the relay coil temporarily when the control device is manually reset.
Further relays may be provided which are held energised by the first mentioned relay as long as the first mentioned relay is itself energised.
Where the microprocessor has memory mapped input and output, or a separate input/output map, the means to force a- failsafe state may by-pass the normal process of writing data to an output address. For example, circuitry to override normal control by the microprocessor may be connected to enable input or output
o latches and act by disabling the latches. Alternatively it may act by cutting off the supply of output power, especially if this is separate from the microprocessor's power supply.
As an alternative to using a relay, a power supply to the microprocessor could be led through switches arranged in series so that opening any switch cut-off power to the microprocessor.
In a particularly preferred form, the present invention provides a control device incorporating a microprocessor and having a plurality of outputs controlled by the microprocessor by writing data to respective output addresses characterised in that means are provided to force each output to a failsafe state and thereafter retain it in said failsafe state otherwise than by writing data to the output addresses,
the said means being operable by the microprocessor, notably by being arranged to be operated by the microprocessor in the event that the value read from an output differs from the value written to the output and/or being operable from a plurality of locations external to the control device, notably by means of a switch at each of the said locations.
A third aspect of this invention seeks to guard against the possibility of hardware malfunction.
In this third aspect, the invention provides a control device incorporating a microprocessor and having one or more inputs read by the microprocessor and/or outputs controlled by the- microprocessor, characterised in that the device is arranged to verify output(s) by reading the value of the output, and/oris arranged to verify input(s) by writing to the input to change the input value.
Where input/output is memory mapped or located in a separate input/output map, different addresses are preferably employed for reading and writing to the same input/output.
Preferably also separate address decoding circuitry is employed for reading and writing, so that failure of decoding circuitry will be detectable by failure to achieve verification of an input or output.
In a fourth aspect this invention provides a control device incorporating a microprocessor having one or more inputs read by and/or outputs controlled by the microprocessor, characterised in that the microprocessor is programmed to read from and/or write to input(s) and/or output(s) repeatedly, and in that the device includes a watchdog timer reset by said reading and/or writing. Such a watchdog timer can signal an alarm condition and/or force output(s) to a failsafe state if said reading and/or writing ceases to be repeated.
An embodiment of this invention will now be described by way of example only with reference to the accompanying drawings, which are circuit diagrams and in which:
Fig. 1 shows part of the circuitry connected to the microprocessor of a controller;
Fig. 2 shows its safety circuit;
Fig. 3 shows address decoding for input/output;
Fig. 4 shows output at one channel of a sixteen channel output board;
Fig. 5 shows two input amplifiers of an input board;
Fig. 6 shows address decoding of an eight channel output board;
Fig. 7 shows output at one channel of an eight channel output board;
Fig. 8 shows a watchdog timer.
The embodiment which is now to be described, is described by way of example only and it must be appreciated that the invention could be embodied in a great many different forms.
This embodiment is a programmable logic controller intended for use in a hazardous area, necessitating electrical isolation of circuits and a limitation on the energy in any one circuit. In the drawings segregation boundaries between circuits connected to differing intrinsically safe power supplies are indicated by chain dotted lines. The controller has a microprocessor connected by address, data and control lines to memory chips. These comprise a non-volatile memory containing the operating system for the microprocessor, RAM serving as å "scratchpad" memory to hold, for example, variables and a stack, and also further memory which maybe volatile or non-volatile and which contains a program loaded by a user of the controller.The microprocessor and these memories are, in this embodiment, contained on the same circuit board with any decoding logic which is necessary.
These items may be- as described in our UK Application 86.16224, now UK 2177521A.
The circuit board carrying these items is connected by an edge-connector to a back plane carrying some data address and control lines. Fitted to further connectors on the backplane are further circuit boards carrying components providing for input and output.
The controller also has a safety circuit which may conveniently be carried on yet another circuit board, but this safety circuit board does not need to be fitted to the backplane.
In order to meet hazardous area requirements the controller is powered by a number of separate intrinsically safe power supplies. One supplies 7.5 v
D.C. for the microprocessor board 5 volt regulator and 7.5 v D.C. to all the input boards' oscillators. Output power comes from a separate power supply for each output board or in some cases one separate power supply to each of two segregated "islands" of circuity on one output board. The safety circuit also has a separate 15v A.C.
power supply.
Fig. 1 shows part of the circuitry on the board which carries the microprocessor. This microprocessor 10 is of a type which has integral inputs and outputs. One such output 12 is connected through a resistor R1 to the gate of an FET 14 controlling current through the coil 16 of a small relay operating from the same 5 volt power supply as does the microprocessor 10. The diodes D1, D2 provide a path for induced reverse current when the coil is switched off, Zener diode D3 protects the FET 14 from any voltage spikes. Energising the relay coil 16 closes a single contact 18 which forms part of the safety circuit shown in Fig. 2.
Referring now to Fig. 2, the safety circuit has'its own 15 volt AC power supply. Power from this supply is transmitted through a succession of switches arranged in series to a diode D4 and then through the coil 22 of a relay referred to as relay "A".
The switches arranged in series are the contact 18 of the relay on the microprocessor board, a switch 24 separate from the main on/off switch for the controller, a contact 26 of the relay A, and various normally closed contacts 28, 29. The number -of these may be greater or fewer than the three shown in Fig. 2 provided they are connected in series. They can be provided as push buttons 28 for use by plant operators in emergency or they may be switches 29 tripped open by the plant itself if it travels beyond prescribed limits.
The relay contact 26 can be by-passed by closing a normally open push button 30. To set the safety circuit into its "healthy"- state after the main switch of the controller and the safety circuit switch 24 have been turned on, the reset button 30 must be depressed. Power is then supplied to the coil 22 of the relay A and the energised coil then holds the contact 26 closed so that the reset button 30 can be released without effect. -The relay A also has a change-over contact 32. When the coil 22 of relay A is energised the change-over contact supplies power through diode D5 to the coil 34 of a relay "B". A further segregated contact 36 of the relay A forms part of the circuit of the microprocessor and when closed grounds an input pin 38 of the microprocessor.
Opening the contacts controlled by the relay B switches off the power supplied to outputs from the controller. One such contact is indicated as 39 in Fig.
7.
When the controller is operating, if any of the push buttons 28 is depressed, the coil of relay A is deenergised hence changing over contact 32 and deenergizing coil 34 of relay B which in turn opens the contacts controlled by relay B and switches off the power to the outputs of the controller. At the same time, the contact 36 of relay A grounds the pin 38 of the microprocessor. The microprocessor is programmed in its operating system to monitor this pin as an input and if the pin is grounded, the microprocessor's operating system ceases to run the program provided by the user.
In very much the same way, the microprocessor 10 can trip the safety circuit by de-energizing the relay coil 16 and hence opening the contact 18.
It will thus be appreciated that the safety circuit can be tripped by a human operator pressing a button 28 or the plant opening a contact 29 or it can be tripped by the microprocessor itself de-energizing the relay coil 16. When the safety circuit is tripped it overrides control of the outputs by the microprocessor by the direct expedient of switching off output power supplies hence putting the outputs in a known state, i.e. off. It also takes control by the less direct expedient of grounding an input to the microprocessor, whereupon the microprocessor ceases to run the user program. Once the safety circuit has been tripped, the open relay contact 26 ensures that it stays tripped until the reset button 30 is operated by a human operator.
The safety circuit includes indicator lamps 40 as shown which serve to reveal whether the circuit is healthy or tripped and a further indicator lamp 42 which serves to show that the microprocessor has not energized the relay coil 18.
Modifications to the above circuit arrangement are of course possible. The relay contact 36 might ground a
HALT or non-maskable interrupt (NMI) pin of the microprocessor rather than input pin. Yet again, it might take a RESET pin high and thereby halt the microprocessor in a reset state.
If the microprocessor 10 did not include inputs/outputs 12, 38, these could be provided by a parallel interface adapter chip connected to the microprocessor.
The relays could conceivably be replaced by optoisolators or even be replaced by transistors if there was no need for electrical isolation between the safety circuit and the microprocessor circuit.
The input/output arrangements for the controller will now be described. The inputs and outputs are memory mapped although they could equally well be in a separate input/output map if the micropocessor utilized such a separate input/oupu' map.
Fig. 1 shows how the address, data and control lines are bussed onto the backplane. The microprocessor 10 provides READ and WRITE control outputs. These are input to a two to four line decoder 50 which generates further
READ and WRITE signals while ensuring that the lines carrying these signals are never low simultaneously.
The two most significant address lines A14 and A15 are connected to second two to four decoder 52 enabled by
READ and WRITE through gate 54. Three of the four outputs from this decoder provide chip select (CS) signals to memory chips which are not shown. The fourth output, which corresponds to the most significant quarter of the memory map provides an I/O SELECT signal which is used to enable input and output.
The three control signals, READ, WRITE and I/O
SELECT are transmitted to the backplane by drivers 56.
The eight least significant address lines Ao to A7 are connected to an eight line address bus on the backplane by a driver chip 58. The eight data lines Do to D7 are connected to a data bus on the backplane by a two-way transceiver chip 60 which is enabled by I/O SELECT and whose direction of transmission is determined by READ.
The five least significant data lines Do to D4 are connected to ground through pulldown resistors 62.
Since only eight address lines are bussed on the backplane, the controller can read from and write to a maximum of 256 input/output addresses, all of which are located in the most significant quarter of the memory map. These inputs and outputs are provided by means of three types of circuit board which are fitted into slots (connectors) provided on the backplane. The three types of circuit board respectively provide sixteen input channels or sixteen output channels to indicator lamps or eight higher integrity output channels suitable for the control of machinery. The last-mentioned eight channel boards' outputs each have used and unused addresses as will be explained.
Each input or output circuit board carries address decoding circuitry, as well as components for accomplishing input or output. The output boards also carry watchdog timers and the input boards have an oscillator.
The decoding circuitry on each circuit board is duplicated in a way which makes it possible to read or write to an input via different addresses and read or write to an output via different addresses.
Fig. 3 shows the decoding circuitry for a sixteen channel output board.
The board carries a pair of four bit comparators 102, 104 which are enabled by the outputs from NOR gates 106, 108 respectively. The comparator 102 is enabled if
READ and I/O SELECT go low together. Comparator 104 is enabled if WRITE and I/O SELECT go low together.
One set of inputs to each comparator is supplied with a four bit binary code unique to that circuit board.
The binary code is supplied along lines 111 and may be generated by connections through change over switches 110 on the board enabling connection to logic high and logic low. Alternatively, and preferably, this code is supplied through the connector on the backplane. This latter alternative is preferable because if a circuit board is replaced it eliminates the risk of switches on the replacement board being set incorrectly.
Comparator 102 receives the significant nibble
A7 Comparator 104 receives the less significant nibble A0-A3. Thus for a read the more significant nibble A4-A7 determines which circuit board is addressd while for a write it is the less significant nibble which determines the circuit board which is addressed. For a read, if the code supplied on the more significant address lines matches the code for the board on lines 111, then the comparator 102 sends an output signal to NAND gates -112, 114. The other inputs to these gates are A3 and A3 inverted by gate 116. Depending on whether A3 is high or low one or other of these gates 112, 114 sends an output signal to the strobe input of a multiplexer 118.
Each multiplexer 118 receives eight input signals on lines 120. A binary code selecting one of the eight inputs is supplied by A0-A2. The value of the selected input of the strobed multiplexer is output to a data line 121 connected to one of the data lines Do to D4.
By reason of this arrangement when the microprocessor reads an input it must be arranged to provide an address on Ao to A7. A4 to A7 determine which circuit board is addressed, A3 determines which multiplexer 118 on the circuit board is strobed and A to A2 determine which input to that multiplexer is in fact read.
An analagous arrangement is provided for write operations. The output from comparator 104 is supplied to NAND gates 122, 124 which are also supplied with A4 and its complement A4. The outputs from the NAND gates 122, 124 go to the enable inputs of de-multiplexers 128.
Each of these has eight latched output lines 130 selected by A5 to A7. During å write the microprocessor must provide an address in which A0to A3 determine which circuit board is address, A4 determines which demultiplexer on that circuit board and A5 to A7 determine which output from that de-multiplexer. A write operation causes the value supplied on a data line 131 to be latched as the output on the selected output line 130.
The data line 131 is connected to one of the data lines
D5 to D7.
The outputs on lines 130 go to respective output optoisolators 132. One of these is shown in Fig. 4. The output on a line 130 passes through an indicator LED 134 and the diode of optoisolator 132. The optoisolator's output transistor serves to control current through an output Darlington -136 thus permitting current flow along the output line 138. The output power supply is separate from that for the microprocessor 10, and the decoding circuitry on the output circuit board. The optoisolator 132 provides electrical isolation between the circuits fed by the separate power supplies. The smoothing capacitors- shown inhibit back feed of noise.
As can be seen from Fig. 3, each output line 130 is directly connected to a respective input line 120. In
7 consequence, the value which has been output on a line 130 can be checked by reading the resulting input along the respective line 120. The microprocessor operating system is arranged so that after writing to any output line 130 it then reads the value which is actually output and checks that the two values are the same. If a discrepancy is observed the microprocessor operating system stops operation of the user-written program and shuts down operation of the controller by de-energizing the relay coil 16 to trip the safety circuit in the manner described.
Because an output is written through one memory map address, and read back through a different address, and different decoding circuitry, a failure of the addressing/decoding circuitry will give rise to discrepancies between output values and the values which are read as inputs, so that the fault condition will be detected.
As an example, suppose that the switches 110 are set to code the binary number 0111. Input number 3 to the upper multiplexer can then be read by the address 01110011 (Hexadecimal 73) plus a READ signal. Writing to the corresponding output (number three from the upper demultiplexer) is accomplished by address 01100111 (Hexadecimal 67) plus a WRITE and is accomplished by different decoding components.
01100111 (Hexadecimal 67) plus a READ would read an input/output channel on a different circuit board (coded 0110) if such board was fitted. Writing 01110011 would address yet another board coded 0011.
Circuit boards providing sixteen input channels used the same decoding arrangement as shown in Fig. 3.
However the input and output lines 12, 130 are not connected to each other but are used in a different way, shown in Fig. 5.
The circuit board carries an oscillator 148 which generates a square wave oscillating with a mark/space ratio less than one. Circuitry for such an oscillator can be conventional and is not shown in detail.
Each channel has an input amplifier containing an op-amp 156. An input line 120 to a multiplexer 118 receives the signal from the op-amp 156. An output line 130 is connected through diode D11 to the non-inverting input of the op-amp.
Each channel receives a signal from a remote contact 150 which is normally open. The unequal square wave is transmitted to each remote contact 150 along a respective cable 152. If the contact 150 is closed the positive part of the square wave is returned, via diode D10 located at the contact, to an input filter formed by resistor R10 and capacitors C10, C11. The positive voltage charges this input filter and delivers voltage through diode D12 to the non-inverting input of the opamp 156. If the contact is opened no signal is supplied to the input filter and any charge on the capacitor C10 will discharge through resistor R13. Any short across the cable 152 will by-pass the diode D10 as well as contact 150 so that the input filter will receive the entire square wave and not charge because the square wave has a mark/space ratio less than 1.
Normally, the line 130 is low so that the inverting input of the op-amp 156 receives the reference voltage of around 2 volts established by R11 and R12 while D11 is reverse biassed. At this time, if the remote contact 150 is open no voltage is supplied to the non-inverting input and the output from the op-amp 156 is low. If the remote contact 150 is closed the positive voltage delivered through the input filter to the non-inverting input will drive the output of the op-amp to logic high, thus providing a high input along the line 120 to the multiplexer 118 and also lighting the indicating LED 158.
If a logic high is written to the line 130 it will be passed through diode Dli to the inverting input of the op-amp 156 and will drive the line 120 low regardless of the state of contact 150.
The operating system of the microprocessor is arranged so that the line 130 to each input channel is normally kept low but in any event that a logic high is detected on a line 120, a logic high is written to corresponding line 130 which should force the line 120 low. By doing this the correct functioning of the op-amp 156 and the address decoding circuitry can all be verified. If verification is not achieved the microprocessor operating system stops operation of the user-written program and shuts down operation of the controller by de-energising the relay coil 16 to trip the safety circuit.
Boards of higher integrity, suitable for controlling machinery, have a decoding arrangement shown in Fig. 6, and which its slightly different to that shown in Fig. 3.
Boards shown here have eight channels, but could be constructed to provide sixteen channels. There is only a single multiplexer 118 and a single demultiplexer 128.
During a read operation address lines Ao, A1 and A3 determine which of the eight output channels is selected.
The address line A2 is inverted by NAND gate 116 and the inverted signal A2 is supplied to one input of NAND gate 114 which also receives the output from comparator 102.
The output from this NAND gate 114 provides the strobe signal to the multiplexer 118. By virtue of this arrangement the eight channels all have an output address with A2 high. An attempt to address a non-existent channel which comes within the range of addresses provided by the output board but has A2 low is frustrated because A2 inhibits the strobe signal to the multiplexer.
In analogous fashion the address lines A4, A5 and A6 select the output channel during a write operation and address line A7, if low serves to inhibit generation of the enable signal to the de-multiplexer 128.
As an example of the addressing, suppose once again that the lines 111 carry the binary number 0111. Input number three to the multiplexer 118 can then be read by the adress 01110111 (Hexadecimal 77) plus a READ signal.
Writing to the corresponding output (number three from the de-multiplexer) is acomplished by address 10110111 (Hexadecimal 137) plus a WRITE and as before it is accomplished by different decoding components.
As shown by Fig. 7 the output lines 130 from demultiplexer 128 are each connected through a current limiting resistor to an LED 134 and the diode of an optoisolator 132. However, the output lines 130 are not connected directly to any of the input lines 120. The output from the optoisolator 132 controls current through a Darling'own 136 and hence enables flow of current on output line 160. Just as in Fig. 4. However, this output line 160 is connected to the input diode of another optoisolator 162 whose output is connected to one of the input lines 120 to the multiplexer 118. Thus, when the microprocessor 10 read an output value from this circuit board it reads the actual output value from a line 160 which is transmitted back through the second optoisolator 162 across the segregaticri boundary between isolated circuits.Consequently, the controller would be able to detect failure of an optoisolator or Darlington whereas this is not possible for the sixteen channel output boards. For this reason the sixteen channel output boards are regarded as satisfactory for driving indicator lamps as outputs but the eight chunnel boards have a higher level of safety intended for control of machinery.
Both kinds of output board have an additional safety feature. The outputs from the comparators 102, 104 are each connected to an edge sensitive input of a respective watchdog timer 170, 172. These timers are essentially similar and one of them is shown in more detail in Fig.
8.
The rising edge entering at the timer input 174 is converted to a falling edge by NOR gate 176 and is capacitively coupled to a second NOR gate 178 which converts it back to a rising edge which triggers a first monostable 180. This produces high and low output pulses on lines 182 and 184 respectively. The high output pulse on line 182 is input to a second monostable which generates a longer high pulse which is supplied to the second input of the NOR gate 178 and prevents further edges on line 174 from passing through the gate 178 to retrigger the monostable 180. This inhibition of retriggering ensures that a succession of pulses arriving on input line 174 generates a succession of pulses on line 184 rather than a continuous output. The (logic law) pulses on line 184 charge the capacitor C15 through the diode D15.The capacitor discharges only slowly through the high resistance R15, consequently giving a high output on line 188 as long as the monostable 180 is retriggered at least once per second. The first monostable 180 can only be triggered when its enable input 190 is high. This is tied high for watchdog 170, but the output of watchdog 170 goes to the enable input 190 of watchdog 172.
Each time an address on an output board is read, a pulse is supplied from that board's comparator 102 to the input 174 of that board's watchdog 170. Repeated reads charge the capacitor C15 of this watchdog and generate an output which enables watchdog 172. Writes to this circuit board send pulses from the comparator 104 to the input 174 of the watchdog 172 and (provided this watchdog is enabled by the watchdog 170) charge its capacitor C15 thus generating an output which is connected to enable the demultiplexer(s) 128.
The operating system of the microprocessor is such that it repeatedly reads and writes to and from the outputs even if the data which is written merely reinstates data which is already there. This is arranged to take place sufficiently quickly to keep the capacitors
C15 of both watchdogs on each output board charged and hence keep the demultiplexer(s) 128 operating. However, if at any time frequency of reading addresses on a circuit board falls to less than 1 per second the capacitor Cl5 of its watchdog 170 will discharge, preventing retriggering of watchdog 172, so that its capacitor Cl5 discharges. If the frequency of writing to the circuit board falls to less than 1 per second the capacitor Cl5 of watchdog 172 will again discharge. The result in either case is that the loss of output from watchdog 172 clears the demultiplexer(s) 128 hence driving all the outputs to a failsafe off state.
A further consequence of this arrangement is that all the outputs are in the off state when the controller is first turned on. Outputs only appear after the watchdogs' capacitors C15 have been charged through repeated reading and writing to addresses on the output board(s). The previously described process of verifying the outputs must of course take account of this. This can be done by the microprocessor operating system being arranged to tolerate, for a limited period, disconformity between the value written to an output and the actual value read back from that output. Alternatively the operating system could be arranged to tolerate a low value read back from an output even though the output has been commanded to turn on but not tolerate reading back a logic high value after an output has been commanded to turn off.
The embodiment of equipment described above is constructed to detect faults and errors in various ways and respond by going to a failsafe state. The invention is embodied in more than one way in that the safety circuit shown in Fig. 2 can force output to a predetermined failsafe "off" state by the very direct expedient of de-energising the relays "A" and "B" and hence cutting off the supply of power to the outputs. It also drives the outputs to an off-state by the less direct expedient of grounding the microprocessor input 38 causing the microprocessor to discpntinue running the user-written program and discontinue reading to and writing from the inputs and outputs with the consequence that the watchdogs will clear the demultiplexer(s) 128 and in that way also force the outputs to the "off" state.
Claims (12)
1. A control device incorporating a microprocessor and having one or more outputs controlled by the microprocessor characterised by safety means operable to force each said output to a failsafe state, and override or terminate normal control of the output by the microprocessor.
2. A control device according to claim 1 having said safety means operable other than by the microprocessor.
3. A control device according to claim 2 wherein said safety means is constructed to be operable from any of a plurality of locations.
4. A control device according to any one of the preceding claims wherein said safety means is, or includes, alternative circuitry operable by the microprocessor to force each output to a failsafe state, overriding or terminating control of the output through the path by which the microprocessor normally controls the output.
5. A control device according to any one of the preceding claims wherein said safety means is, or includes, circuitry to stop operation of the microprocessor by means of a control input of the microprocessor.
6. A control device according to claim 5 including a watchdog timer arranged to drive the outputs to a known state when operation of the microprocessor ceases.
7. A control device according to any one of the preceding claims wherein the safety means operates to take control of the outputs independently of any signals to them from the microprocessor.
8. A control device according to any one of the preceding claims wherein the safety means includes a relay whose coil is arranged to be held energized by an electrical supply interruptible by manually operable controls and/or by sensing means and/or by the microprocessor, and making or breaking of a connection through other contacts of the relay which change state when the relay coil de-energizes is arranged to force the outputs to a predetermined failsafe state.
9. A control device according to any one of the preceding claims having a plurality of said outputs controlled by the microprocessor by writing data to respective output addresses, the said safety means being arranged to force each output to a failsafe state and thereafter retain it in said failsafe state otherwise than by writing data to the output addresses, the said means being operable by the microprocessor in the event that the value read from an output differs from the value written to the output and/or being operable from a plurality of locations external to the control device, by means of a respective switch at each of the said locations.
10. A control device according to any one of the preceding claims having one or more inputs read by the microprocessor and/or outputs controlled by the microprocessor, wherein the device is arranged to verify output(s) by reading the value of the output, and/or is arranged to verify input(s) by writing to the input to change the input value.
11. A control device according to any one of the preceding claims wherein the microprocessor is programmed to read from and/or write to input(s) and/or output(s) repeatedly, and the device further includes a watchdog timer reset by said reading and/or writing.
12. A control device substantially as herein described with reference to the accompanying drawings.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB868630674A GB8630674D0 (en) | 1986-12-23 | 1986-12-23 | Microprocessor-based controllers |
Publications (3)
| Publication Number | Publication Date |
|---|---|
| GB8729866D0 GB8729866D0 (en) | 1988-02-03 |
| GB2200002A true GB2200002A (en) | 1988-07-20 |
| GB2200002B GB2200002B (en) | 1991-09-11 |
Family
ID=10609458
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB868630674A Pending GB8630674D0 (en) | 1986-12-23 | 1986-12-23 | Microprocessor-based controllers |
| GB8729866A Expired - Lifetime GB2200002B (en) | 1986-12-23 | 1987-12-22 | Microprocessor-based controllers especially for hazardous environment |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB868630674A Pending GB8630674D0 (en) | 1986-12-23 | 1986-12-23 | Microprocessor-based controllers |
Country Status (1)
| Country | Link |
|---|---|
| GB (2) | GB8630674D0 (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2323224A (en) * | 1997-03-13 | 1998-09-16 | Emerson Electric Co | Safe control system |
| FR2761173A1 (en) * | 1997-03-19 | 1998-09-25 | Schneider Automation | PROGRAMMABLE PLC MODULE |
| WO2000024664A1 (en) * | 1998-10-26 | 2000-05-04 | Kone Corporation | Method for disconnecting transport systems for persons and a security circuit for transport systems for persons |
| NL1010618C2 (en) * | 1998-11-20 | 2000-05-26 | Ten Holter Consultancy | Switching of emergency power supply to pick up priority loads when primary power fails |
| GB2357642A (en) * | 1999-12-22 | 2001-06-27 | Alstom | Trip circuit fault protection apparatus |
| EP1351107A1 (en) * | 2002-04-04 | 2003-10-08 | Zf Friedrichshafen Ag | Security system for an electrical drive |
| WO2016169381A1 (en) * | 2015-04-23 | 2016-10-27 | 常州格力博有限公司 | Control board monitoring system for grass cutter, and monitoring method for control board monitoring system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2038033A (en) * | 1978-11-27 | 1980-07-16 | Nsm Apparatebau Gmbh Kg | Microprocessor fault protection |
| GB2105877A (en) * | 1981-09-14 | 1983-03-30 | United Technologies Corp | Watch-dog timer circuit |
| EP0152109A2 (en) * | 1984-02-15 | 1985-08-21 | Fireye, Inc. | Microcomputer driven fail-safe device with short circuit detection for electronic control circuitry |
| GB2188456A (en) * | 1986-03-24 | 1987-09-30 | Gen Signal Corp | A method & apparatus for testing a railway signalling system |
| GB2194108A (en) * | 1986-06-26 | 1988-02-24 | Diehl Gmbh & Co | Circuit arrangement with a microprocessor |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4786862A (en) * | 1986-06-09 | 1988-11-22 | Niagara Mohawk Power Corporation | Watchdog circuit for transmission line sensor module |
| FR2602618B1 (en) * | 1986-08-08 | 1995-03-31 | Merlin Gerin | SELF-MONITORED STATIC DIGITAL TRIGGER |
| DE3631289A1 (en) * | 1986-09-13 | 1988-03-24 | Vdo Schindling | DEVICE FOR LIMITING THE SPEED OF A MOTOR VEHICLE |
| DE3708999A1 (en) * | 1987-03-19 | 1988-10-06 | Vdo Schindling | SYSTEM FOR CONTROLLING THE IDLE SPEED OF AN INTERNAL COMBUSTION ENGINE |
-
1986
- 1986-12-23 GB GB868630674A patent/GB8630674D0/en active Pending
-
1987
- 1987-12-22 GB GB8729866A patent/GB2200002B/en not_active Expired - Lifetime
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2038033A (en) * | 1978-11-27 | 1980-07-16 | Nsm Apparatebau Gmbh Kg | Microprocessor fault protection |
| GB2105877A (en) * | 1981-09-14 | 1983-03-30 | United Technologies Corp | Watch-dog timer circuit |
| EP0152109A2 (en) * | 1984-02-15 | 1985-08-21 | Fireye, Inc. | Microcomputer driven fail-safe device with short circuit detection for electronic control circuitry |
| GB2188456A (en) * | 1986-03-24 | 1987-09-30 | Gen Signal Corp | A method & apparatus for testing a railway signalling system |
| GB2194108A (en) * | 1986-06-26 | 1988-02-24 | Diehl Gmbh & Co | Circuit arrangement with a microprocessor |
Non-Patent Citations (1)
| Title |
|---|
| WO A1 85/02042 * |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2323224A (en) * | 1997-03-13 | 1998-09-16 | Emerson Electric Co | Safe control system |
| GB2323224B (en) * | 1997-03-13 | 2001-05-02 | Emerson Electric Co | Appliance control system |
| FR2761173A1 (en) * | 1997-03-19 | 1998-09-25 | Schneider Automation | PROGRAMMABLE PLC MODULE |
| WO2000024664A1 (en) * | 1998-10-26 | 2000-05-04 | Kone Corporation | Method for disconnecting transport systems for persons and a security circuit for transport systems for persons |
| US6758319B1 (en) | 1998-10-26 | 2004-07-06 | Kone Corporation | Method for disconnecting transport systems and a security circuit for transport systems |
| NL1010618C2 (en) * | 1998-11-20 | 2000-05-26 | Ten Holter Consultancy | Switching of emergency power supply to pick up priority loads when primary power fails |
| GB2357642A (en) * | 1999-12-22 | 2001-06-27 | Alstom | Trip circuit fault protection apparatus |
| GB2357642B (en) * | 1999-12-22 | 2003-11-19 | Alstom | A fault protection apparatus |
| EP1351107A1 (en) * | 2002-04-04 | 2003-10-08 | Zf Friedrichshafen Ag | Security system for an electrical drive |
| WO2016169381A1 (en) * | 2015-04-23 | 2016-10-27 | 常州格力博有限公司 | Control board monitoring system for grass cutter, and monitoring method for control board monitoring system |
Also Published As
| Publication number | Publication date |
|---|---|
| GB2200002B (en) | 1991-09-11 |
| GB8630674D0 (en) | 1987-02-04 |
| GB8729866D0 (en) | 1988-02-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP0865636B1 (en) | Continuous real time safety-related control system | |
| CA1215446A (en) | Control system for presses | |
| JP5089378B2 (en) | Signal transmission device for safety circuit | |
| US5339014A (en) | Apparatus for safety monitoring in protective arrangements with normal and enhanced safety of machinery performing multiple-axis rotations | |
| US8560094B2 (en) | Safety controller and method for controlling an automated installation | |
| ATE166981T1 (en) | CONTROL AND REGULATION FOR A DOOR DRIVEN BY AN ELECTROMECHANICAL MOTOR | |
| EP0436543B1 (en) | Failure detection mechanism for microcontroller based control system | |
| JP2007532846A (en) | Safety switch for safety circuit | |
| US4912382A (en) | Fail safe monitoring apparatus and method | |
| US4743078A (en) | Movable storage unit control system | |
| US4759592A (en) | Movable storage unit control system with system resetting watchdog circuit | |
| GB2200002A (en) | Microprocessor-based controller especially for hazardous environment | |
| CA1276713C (en) | Movable storage unit control system | |
| JP2020101526A (en) | Voltage monitoring device and method | |
| US5676055A (en) | Control device for a printing machine | |
| CN101600609A (en) | The parking brake system that has electrical control | |
| JPS56123014A (en) | Overrun preventing device of program control device | |
| US6370438B1 (en) | Programmable controller module | |
| RU2022652C1 (en) | Device for adjusting unload of heavy fraction away from jigging machine | |
| KR970003824B1 (en) | Read-only sequence controller | |
| KR880003413Y1 (en) | Error detectable lamp of nc apparatus | |
| JPH0114647B2 (en) | ||
| KR0115906Y1 (en) | Prevention circuit of wrong action for the washing motor in a washing machine | |
| KR0155722B1 (en) | Robot system of electric cut-off control | |
| KR100357350B1 (en) | Safety circuit for electronic controller of wheel lock prevention device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PCNP | Patent ceased through non-payment of renewal fee |
Effective date: 19961222 |