EP1228520A1 - Fail-safe, fault-tolerant switching system for a critical device - Google Patents

Fail-safe, fault-tolerant switching system for a critical device

Info

Publication number
EP1228520A1
EP1228520A1 EP00978459A EP00978459A EP1228520A1 EP 1228520 A1 EP1228520 A1 EP 1228520A1 EP 00978459 A EP00978459 A EP 00978459A EP 00978459 A EP00978459 A EP 00978459A EP 1228520 A1 EP1228520 A1 EP 1228520A1
Authority
EP
European Patent Office
Prior art keywords
switching
fault
fail
safe
switch
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP00978459A
Other languages
German (de)
French (fr)
Inventor
Martin Batten
Peter Desany
Thomas Harmon
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Raytheon Co
Original Assignee
Raytheon Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Raytheon Co filed Critical Raytheon Co
Publication of EP1228520A1 publication Critical patent/EP1228520A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01HELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
    • H01H47/00Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
    • H01H47/22Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current for supplying energising current for relay coil
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T8/00Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
    • B60T8/17Using electrical or electronic regulation means to control braking
    • B60T8/1701Braking or traction control means specially adapted for particular types of vehicles
    • B60T8/1705Braking or traction control means specially adapted for particular types of vehicles for rail vehicles
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T8/00Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
    • B60T8/32Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
    • B60T8/88Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
    • B60T8/885Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01HELECTRIC SWITCHES; RELAYS; SELECTORS; EMERGENCY PROTECTIVE DEVICES
    • H01H47/00Circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current
    • H01H47/002Monitoring or fail-safe circuits
    • H01H47/004Monitoring or fail-safe circuits using plural redundant serial connected relay operated contacts in controlled circuit
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T2270/00Further aspects of brake control systems not otherwise provided for
    • B60T2270/40Failsafe aspects of brake control systems
    • B60T2270/406Test-mode; Self-diagnosis
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T2270/00Further aspects of brake control systems not otherwise provided for
    • B60T2270/40Failsafe aspects of brake control systems
    • B60T2270/415Short-circuit, open circuit failure

Definitions

  • This invention relates to a fail-safe, fault-tolerant switching system for a critical device.
  • Fail-safe devices are used where risk of personal injury or damage to property can occur.
  • air brakes on large trucks are released by force of air pressure against strong actuators. Any failure of the air pressure system releases the springs to apply the brakes so the system "fails safe”.
  • a "vital relay” is used to monitor the presence of a vehicle to control separation between trains. When less than the required separation is sensed the power to the relay is cut off and "fail safe" gravity force is relied upon to close contacts and provide a warning signal.
  • PRT personal rapid transit
  • PRT systems are driverless, automated, small, passenger vehicles that operate on guideways.
  • fault-tolerant operation to permit continued operation of partially disabled but still safe vehicles is an important consideration.
  • PRTs for example must always be operated fail-safe but need some fault tolerance so that faulty vehicles are not simply stopped, interfering with operation of other vehicles when the fault can be tolerated to at least move the vehicle from the guideway to a maintenance area.
  • PRT is but one instance where fail-safe, fault-tolerant systems are needed. This gave rise to switching circuits with a number of switches to provide fail-safe operation: one switch is generally not enough because a switch, be it mechanical or semiconductor, can fail in either the closed or open mode. Thus the outcome is not predictable and failure to a safe state is not assured. Two or more switches connected in series will increase reliability and are safe if a defective switch can be detected. Two or more switches in parallel provide redundancy but do not improve reliability.
  • This invention results from the realization that a truly fail-safe, fault-tolerant switching system for a critical device can be achieved using two parallel networks each including a fuse device and two switch devices in series with the critical device connected between the networks at the junction of a switch device and fuse device in each network so that the system is entirely fail-safe and fault-tolerant through its inherent operation supplemented by automatic monitoring and control of the switching devices.
  • This invention features a fail-safe, fault-tolerant switching system for a critical device including a first pair of terminals for connection to a power source, a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals and a second network in
  • first and second switching devices are open and the third and fourth switching devices
  • the first, second, third and fourth switching devices are open, the first and second fuse devices are open and the first and second switching devices are open and the third and fourth switching devices are closed and the first and second fuse devices are intact
  • the first switching device has failed ON and the second switching device is open and the third and fourth switching devices are closed and fuse 1 is caused to open due to short circuit path through the first and third switching device and the second fuse device is intact
  • the first switching device is open and the second switching device has failed ON and the third and fourth switching devices are closed and fuse 1 is intact and fuse 2 is caused to open due to a short circuit path through the second and fourth switching device
  • the first, second, third and fourth switching devices are open, the fault
  • the unidirectional current flow circuit may include a diode bridge.
  • Fig. 1 is a schematic diagram of a fail-safe, fault-tolerant H switch according to this invention
  • Fig. 2 is a view similar to Fig. 1 including monitoring devices and a controller for monitoring and controlling the operation of the individual switches;
  • Fig. 2A is a view, similar to Fig. 2, in which a diode bridge is connected across a polarized load;
  • Figs. 3-7 are flow charts explaining the operation of the controllers and monitors.
  • Fig. 8 is a diagram depicting the desired behavior of the H switch according to this invention.
  • a basic H switch 10 including four switches: switch 1 12, switch 2 14, switch 3 16, and switch 4 18, and two fuses, fuse 1 20, and fuse 2 22.
  • the switch is arranged in an "H" shape with the critical load 24 in the middle.
  • the switches may be conventional switches, relays, or semiconductor devices.
  • a first network 26 including fuse 1 20, switch 1 12 and switch 3 16, is connected between a pair of terminals 28 and 30 which in this embodiment are connected to a positive power supply and ground, respectively.
  • the second network 32 including fuse 2 22, switch 2 14 and switch 4 18, is connected in parallel with network 26 between terminals 28 and 30.
  • a critical device 24 is connected between terminal 34 which is located between switch 1 12 and switch 3 16, and terminal 36 which is located between switch 2 14 and switch 4 18.
  • This basic configuration of four switches has sixteen combinations. Two of them allow the device to be energized. This relies on the fact that the device can be driven with current flowing either left to right or in a right to left fashion through the critical device 24. Four combinations turn on only one switch and may be used in a self-test circuit; three combinations are safe states; and the seven other combinations blow a fuse and revert to one of the others. The following contains this information in more detail. Note that the two energized modes are complementary. This protects against common mode failures and thus decreases probability of failing in an unsafe state.
  • the two states which actually allow the brakes to be released are (1) Switch 1 and Switch 4 on and Switch 2 and Switch 3 off; and (2) Switch 2 and Switch 3 on and Switch 1 and Switch 4 off.
  • External circuitry functions to control the H switch 10 in the following manner.
  • the external circuits in a deenergized mode disable all switches and monitor them to see if either switch 1 or 2 is shorted. If they are not, switches 3 and 4 are turned on. This is a safe state. If a request in the deenergized state is made, a self-test is performed on the switches. This self-test runs through a check to see if each of the switches can be turned on and off. It then makes a determination as to whether the H switch can be energized safely and if so, in which energized mode. This will be understood more readily by the explanation which follows.
  • fuses give for illegal combinations of the four signals, they also allow the controller to change the failure of the top two switches from failed closed to failed open. This is accomplished by closing the switch in the same leg intentionally. Failed open is much easier to deal with than failed closed for a fault-tolerant system.
  • the four switches are monitored by four monitors, Fig. 2: monitor 1 40, monitor 2 42, monitor 3 44, and monitor 4 46.
  • each of the monitors is implemented as shown with respect to monitor 1 40, by an opto-isolator 48 and resistor 50.
  • opto-isolators allows controller 52 to be electrically isolated from the critical load. This electrical isolation can be made complete if the actual switches are implemented by solid state relays.
  • Controller 52 may be a microprocessor such as a Motorola 68040 programmed to function as described with respect to the following discussion and Figs. 3-7.
  • H switch 10 can have any switch fail open or closed and still operate in the fail-safe manner.
  • One procedure that controller 52 can implement is the following. At the time that controller 52 is required to disengage the brakes, a self-test is run that checks each switch's ability to turn on and off. If switch 1 has failed open the H switch will turn on switches 2 and 3 and switches 1 and 4 will turn off and the critical device will be engaged. If switch 1 had failed closed, the H switch would turn on switches 2 and 3 and switches 1 and 4 would turn off. This would blow fuse 1 in line with switch 1 and the critical device would be engaged. The similar procedure could be made for switch 2 failure modes. If switch 3 fails open, then the system will turn on switch 1 and switch 4 and turn off switches 2 and 3 so that the critical device will be engaged.
  • switch 3 fails closed, operation is still possible by turning on switches 2 and 3 and turning off switches 1 and 4 whereupon the critical device will again be engaged.
  • a similar procedure can be made for switch 4 failure modes. If multiple failures are found then all four switches can be turned off and the critical device can be disengaged.
  • switches 1 and 2 are turned off and switches 3 and 4 are turned on. If for any reason it detects a second fault in either switch 1 or 2, such that they stay on when they should not, then all four switches are opened.
  • Critical device 24a may include a polarized load requiring unidirectional current flow.
  • Diode bridge 25 includes ac terminals 35 and 37 connected to terminals 34 and 36, respectively.
  • Critical device 24a is connected to polarized terminals 39, which is positive, and 41, which is negative, of diode bridge 25.
  • polarized critical load 24a will always have a positive potential on its positive terminal and a negative potential on its negative terminal. In this way, diode bridge 25 does not compromise the fail safe aspect of the circuit to reliably remove current from polarized critical device 24a, while maintaining unidirectional current through the load.
  • the following describes the use of the switch and monitoring function to perform highly reliable control of a brake system on a PRT vehicle.
  • the brake is applied when no current flows through the brake actuator and this is the safe state for the system.
  • the function removes the brakes when a request- ON is made so that the vehicle is permitted to move and reliably applies the brakes when a request-OFF is made.
  • the application also tolerates a hardware failure, by reconfiguring automatically on detecting a fault to permit the brakes to be removed and the vehicle moved, and provides the same level of reliability in being able to re-apply the brakes when commanded.
  • the switch monitor and control functions collectively provide a highly reliable Control Function.
  • the Control Function can be commanded two states: ON or OFF. In this application OFF applies the brakes, ON releases them.
  • the control Function will go to one of four states in consequence of the external states being applied.
  • Off State applies indefinitely in response to the external command maintaining an OFF state.
  • State 2 Self-Test, Transition to On, occurs in response to the external command transitioning from an OFF state to an ON state.
  • This state is transient, and of short duration compared to the system responsiveness. During this state the output is effectively off. The outcome determines which one of the two different hardware internal ON states will be selected based on health of the hardware elements, or a permanent OFF state if it is determined that an excessive number of hardware failures exist.
  • State 3 ON State, applies indefinitely following a successful Self-Test, in response to the external command maintaining an ON state.
  • State 4 Self-Test, Transition to OFF, occurs in response to the external command transitioning from an ON state to an OFF state. This state is transient and of short duration compared to the system responsiveness. During this state the output is effectively off. The outcome determines which one of the two different hardware internal OFF states will be selected, based on health of the hardware elements.
  • the following description of states refers to the flow diagrams in Figs. 3-7.
  • the point of entry for the process is arbitrarily defined as State 1 , the OFF state.
  • Switches 1, 2, 3 and 4 are referred to as SI, S2, S3, S4, Monitors 1, 2, 3 and 4 as
  • State 1 is predominantly satisfied by having switches SI and S2 deactivated, and switches S3 and S4 activated. This applies a short-circuit via ground to the two ends of the load (Brake actuator) to insure it is de-energized. Alternately, and only as a consequence of determining a fault condition via prior testing, all four switches, SI, S2, S3 and S4 will be deactivated to reduce the probability of inadvertently setting up a path of conduction.
  • SI is activated, which will cause Ml to be OFF. If Ml remains ON, then a fault has occurred, which is assumed to be that SI has failed open-circuit. The outcome of this test is logged for switch SI, functional (OK), or failed open- circuit (OC).
  • S2 is activated, which will cause M2 to be OFF. If M2 remains ON, then a fault has occurred, which is assumed to be that S2 has failed open-circuit.
  • One of two states is logged for switch S2, functional (OK) or failed open-circuit (OC).
  • S3 is activated, which will cause M3 to be OFF. If M remains ON, then a fault has occurred, which is assumed to be that S3 has failed open-circuit.
  • One of two states is logged for switch S3, functional (OK), or failed open-circuit
  • S3 is deactivated. All switches are now in a deactivated state. 10) S4 is activated, which will cause M4 to be OFF. If M4 remains ON, then a fault has occurred, which is assumed to be that S4 has failed open-circuit.
  • One of two states is logged for switch S4, functional (OK), or failed open-circuit (OC).
  • Monitors Ml through M4 are next checked to verify they are all ON, signifying the correct bias across the switches SI through S4, when deenergized, which is the expected state. If any monitor, Ml through M3 is off, then a fault has occurred. The fault is assumed to be a short-circuit in the associated switch, SI through S4. It is most likely that the monitoring circuit for SI or S2 has failed if either of these switches is reported as being short-circuit, as the prior tests would have blown the affected fuse on a shorted switch, which consequently removes the short-circuit.
  • the predominant case is to energize switches SI and S4, which is applicable to fully-functional hardware, or hardware with a specific set of deduced faults. This activates the load.
  • the outcome is that the load is predominantly energized for the duration that the system is in state 3. There is a probability that a fault may occur that causes the load to be de-activated. The system should be aware that this has happened.
  • the event of having the brakes re-applied would cause the vehicle to stop and proceed through a set of diagnostics. These diagnostics included removing the command to release the brakes (ON to OFF) and re-applying the command to release the brakes (OFF to ON). The process re-invoked the Self-Test Transition to ON, at which point a different outcome to the appropriate switch configuration may be arrived at.
  • H switch 10 The operation of H switch 10 is depicted in summary in Fig. 8 where it can be seen that the desired behavior is off with the brake applied and then on when the brakes are removed and motion is permitted, as indicated by path 60, Fig. 8. There it can be seen that during the four states of the switch process the brakes are off in state 1 62, the off state, and in state 4 64, the self-test sequence transition to off, the brakes transition to on in state 2 66, and in state 3 68, they are in the on state.

Landscapes

  • Engineering & Computer Science (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Valves And Accessory Devices For Braking Systems (AREA)

Abstract

A fail-safe, fault-tolerant switching system for a critical device includes a first pair of terminals for connection to a power source; a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals; a second network in parallel with the first network including a second fuse device, second switching device and fourth switching device connected in series between the first pair of terminals; and a second pair of terminals one between the first and third switching devices and one between the second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when the first and second switching devices are open and the third and fourth switching devices are closed, the first, second, third and fourth switching devices are open, fault-tolerant operation occurs through the first fuse device, first switching device and fourth switching device, or the second fuse device and second switching device and third switching device.

Description

FAIL-SAFE, FAULT-TOLERANT SWITCHING SYSTEM FOR A CRITICAL DEVICE
FIELD OF INVENTION This invention relates to a fail-safe, fault-tolerant switching system for a critical device.
BACKGROUND OF INVENTION Fail-safe devices are used where risk of personal injury or damage to property can occur. For example, air brakes on large trucks are released by force of air pressure against strong actuators. Any failure of the air pressure system releases the springs to apply the brakes so the system "fails safe". In railroad trains a "vital relay" is used to monitor the presence of a vehicle to control separation between trains. When less than the required separation is sensed the power to the relay is cut off and "fail safe" gravity force is relied upon to close contacts and provide a warning signal. The use of ever more sophisticated electronic and computer controlled systems such as in personal rapid transit (PRT) systems has given rise to more sophisticated requirements for fail-safe operation. PRT systems are driverless, automated, small, passenger vehicles that operate on guideways. In addition, fault-tolerant operation to permit continued operation of partially disabled but still safe vehicles is an important consideration. PRTs for example must always be operated fail-safe but need some fault tolerance so that faulty vehicles are not simply stopped, interfering with operation of other vehicles when the fault can be tolerated to at least move the vehicle from the guideway to a maintenance area. PRT is but one instance where fail-safe, fault-tolerant systems are needed. This gave rise to switching circuits with a number of switches to provide fail-safe operation: one switch is generally not enough because a switch, be it mechanical or semiconductor, can fail in either the closed or open mode. Thus the outcome is not predictable and failure to a safe state is not assured. Two or more switches connected in series will increase reliability and are safe if a defective switch can be detected. Two or more switches in parallel provide redundancy but do not improve reliability.
BRIEF SUMMARY OF THE INVENTION
It is therefore an object of this invention to provide an improved fail-safe switching system.
It is a further object of this invention to provide an improved fail-safe switching system which is inherently fault-tolerant to some faults.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is simple, reliable, and uses few and conventional parts.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be self-tested with fault tracing down to individual switching elements.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be monitored and controlled to reconfigure for fault- tolerant operation for additional faults. It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which uses fuses to override faults due to switching devices that have failed in the closed mode.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which reduces the probability of failure in an unsafe mode.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can work around a single fault.
It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is resistant to common mode failures.
This invention results from the realization that a truly fail-safe, fault-tolerant switching system for a critical device can be achieved using two parallel networks each including a fuse device and two switch devices in series with the critical device connected between the networks at the junction of a switch device and fuse device in each network so that the system is entirely fail-safe and fault-tolerant through its inherent operation supplemented by automatic monitoring and control of the switching devices.
This invention features a fail-safe, fault-tolerant switching system for a critical device including a first pair of terminals for connection to a power source, a first network including a first fuse device, first switching device and third switching device connected in series between the first pair of terminals and a second network in
parallel with the first network including a second fuse device, second switching device and fourth switching device connected in series between the first pair of terminals. There is a second pair of terminals, one between the first and third switching devices and one between the second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when first and second switching devices are open and the third and fourth switching devices are closed, the first, second, third and fourth switching devices are open, the first and second fuse devices are open and the first and second switching devices are open and the third and fourth switching devices are closed and the first and second fuse devices are intact; the first switching device has failed ON and the second switching device is open and the third and fourth switching devices are closed and fuse 1 is caused to open due to short circuit path through the first and third switching device and the second fuse device is intact; the first switching device is open and the second switching device has failed ON and the third and fourth switching devices are closed and fuse 1 is intact and fuse 2 is caused to open due to a short circuit path through the second and fourth switching device; the first, second, third and fourth switching devices are open, the fault-tolerant operation occurs through the first fuse device, first switching device and fourth switching device, or the second fuse device, second switching device and third switching device.
In a preferred embodiment there may be a unidirectional current flow circuit interconnected between the second pair of terminals and the critical device for permitting current flow in one direction. The unidirectional current flow circuit may include a diode bridge. There may be a first monitor circuit for monitoring the first switching device, a second monitor circuit for monitoring the second switching device, a third monitor circuit for monitoring the third switching device, and a fourth monitor circuit for monitoring the fourth switching device. There may be a controller responsive to the monitor circuit for selectively operating the switching devices.
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects, features and advantages will occur to those skilled in the art from the following description of a preferred embodiment and the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a fail-safe, fault-tolerant H switch according to this invention;
Fig. 2 is a view similar to Fig. 1 including monitoring devices and a controller for monitoring and controlling the operation of the individual switches;
Fig. 2A is a view, similar to Fig. 2, in which a diode bridge is connected across a polarized load;
Figs. 3-7 are flow charts explaining the operation of the controllers and monitors; and
Fig. 8 is a diagram depicting the desired behavior of the H switch according to this invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT
There is shown in Fig. 1 a basic H switch 10 including four switches: switch 1 12, switch 2 14, switch 3 16, and switch 4 18, and two fuses, fuse 1 20, and fuse 2 22. The switch is arranged in an "H" shape with the critical load 24 in the middle. The switches may be conventional switches, relays, or semiconductor devices. A first network 26 including fuse 1 20, switch 1 12 and switch 3 16, is connected between a pair of terminals 28 and 30 which in this embodiment are connected to a positive power supply and ground, respectively. The second network 32 including fuse 2 22, switch 2 14 and switch 4 18, is connected in parallel with network 26 between terminals 28 and 30. A critical device 24 is connected between terminal 34 which is located between switch 1 12 and switch 3 16, and terminal 36 which is located between switch 2 14 and switch 4 18. This basic configuration of four switches has sixteen combinations. Two of them allow the device to be energized. This relies on the fact that the device can be driven with current flowing either left to right or in a right to left fashion through the critical device 24. Four combinations turn on only one switch and may be used in a self-test circuit; three combinations are safe states; and the seven other combinations blow a fuse and revert to one of the others. The following contains this information in more detail. Note that the two energized modes are complementary. This protects against common mode failures and thus decreases probability of failing in an unsafe state.
TABLE I
The two states which actually allow the brakes to be released are (1) Switch 1 and Switch 4 on and Switch 2 and Switch 3 off; and (2) Switch 2 and Switch 3 on and Switch 1 and Switch 4 off. This assumes that the critical load 24 is not polarized. Such is the case when it is a solenoid, for example.
External circuitry functions to control the H switch 10 in the following manner. The external circuits in a deenergized mode disable all switches and monitor them to see if either switch 1 or 2 is shorted. If they are not, switches 3 and 4 are turned on. This is a safe state. If a request in the deenergized state is made, a self-test is performed on the switches. This self-test runs through a check to see if each of the switches can be turned on and off. It then makes a determination as to whether the H switch can be energized safely and if so, in which energized mode. This will be understood more readily by the explanation which follows.
Besides the protection the fuses give for illegal combinations of the four signals, they also allow the controller to change the failure of the top two switches from failed closed to failed open. This is accomplished by closing the switch in the same leg intentionally. Failed open is much easier to deal with than failed closed for a fault-tolerant system. The four switches are monitored by four monitors, Fig. 2: monitor 1 40, monitor 2 42, monitor 3 44, and monitor 4 46. In this embodiment each of the monitors is implemented as shown with respect to monitor 1 40, by an opto-isolator 48 and resistor 50. Using opto-isolators allows controller 52 to be electrically isolated from the critical load. This electrical isolation can be made complete if the actual switches are implemented by solid state relays. This reduces the chance for the monitors to negatively impact the critical device and enhances reliability of the circuit. System safety is not reduced significantly by the presence of the monitors because in normal operation their current is limited by the series resistors 50 to a fraction of that needed to operate the solenoid. As the resistors can only fail in the open state, they cannot energize the solenoid. Controller 52 may be a microprocessor such as a Motorola 68040 programmed to function as described with respect to the following discussion and Figs. 3-7.
H switch 10 can have any switch fail open or closed and still operate in the fail-safe manner. One procedure that controller 52 can implement is the following. At the time that controller 52 is required to disengage the brakes, a self-test is run that checks each switch's ability to turn on and off. If switch 1 has failed open the H switch will turn on switches 2 and 3 and switches 1 and 4 will turn off and the critical device will be engaged. If switch 1 had failed closed, the H switch would turn on switches 2 and 3 and switches 1 and 4 would turn off. This would blow fuse 1 in line with switch 1 and the critical device would be engaged. The similar procedure could be made for switch 2 failure modes. If switch 3 fails open, then the system will turn on switch 1 and switch 4 and turn off switches 2 and 3 so that the critical device will be engaged. If switch 3 fails closed, operation is still possible by turning on switches 2 and 3 and turning off switches 1 and 4 whereupon the critical device will again be engaged. A similar procedure can be made for switch 4 failure modes. If multiple failures are found then all four switches can be turned off and the critical device can be disengaged. When the controller is requested to apply the brakes, switches 1 and 2 are turned off and switches 3 and 4 are turned on. If for any reason it detects a second fault in either switch 1 or 2, such that they stay on when they should not, then all four switches are opened.
Critical device 24a, Fig. 2A, may include a polarized load requiring unidirectional current flow. Diode bridge 25 includes ac terminals 35 and 37 connected to terminals 34 and 36, respectively. Critical device 24a is connected to polarized terminals 39, which is positive, and 41, which is negative, of diode bridge 25.
Thus, irrespective of whether the operational switch state is switch 1 and switch 4 closed, or switch 2 and switch 3 closed, polarized critical load 24a will always have a positive potential on its positive terminal and a negative potential on its negative terminal. In this way, diode bridge 25 does not compromise the fail safe aspect of the circuit to reliably remove current from polarized critical device 24a, while maintaining unidirectional current through the load.
The following describes the use of the switch and monitoring function to perform highly reliable control of a brake system on a PRT vehicle. The brake is applied when no current flows through the brake actuator and this is the safe state for the system. By combination of the switch components, monitoring circuits and process steps in the control logic the function removes the brakes when a request- ON is made so that the vehicle is permitted to move and reliably applies the brakes when a request-OFF is made. The application also tolerates a hardware failure, by reconfiguring automatically on detecting a fault to permit the brakes to be removed and the vehicle moved, and provides the same level of reliability in being able to re-apply the brakes when commanded.
The switch monitor and control functions collectively provide a highly reliable Control Function. The Control Function can be commanded two states: ON or OFF. In this application OFF applies the brakes, ON releases them. The control Function will go to one of four states in consequence of the external states being applied.
State 1 : Off State, applies indefinitely in response to the external command maintaining an OFF state.
State 2: Self-Test, Transition to On, occurs in response to the external command transitioning from an OFF state to an ON state. This state is transient, and of short duration compared to the system responsiveness. During this state the output is effectively off. The outcome determines which one of the two different hardware internal ON states will be selected based on health of the hardware elements, or a permanent OFF state if it is determined that an excessive number of hardware failures exist.
State 3: ON State, applies indefinitely following a successful Self-Test, in response to the external command maintaining an ON state. State 4: Self-Test, Transition to OFF, occurs in response to the external command transitioning from an ON state to an OFF state. This state is transient and of short duration compared to the system responsiveness. During this state the output is effectively off. The outcome determines which one of the two different hardware internal OFF states will be selected, based on health of the hardware elements. The following description of states refers to the flow diagrams in Figs. 3-7.
The point of entry for the process is arbitrarily defined as State 1 , the OFF state.
Switches 1, 2, 3 and 4 are referred to as SI, S2, S3, S4, Monitors 1, 2, 3 and 4 as
Ml, M2, M3 and M4.
(1) State 1 is predominantly satisfied by having switches SI and S2 deactivated, and switches S3 and S4 activated. This applies a short-circuit via ground to the two ends of the load (Brake actuator) to insure it is de-energized. Alternately, and only as a consequence of determining a fault condition via prior testing, all four switches, SI, S2, S3 and S4 will be deactivated to reduce the probability of inadvertently setting up a path of conduction.
(2) When the External Sequence transitions from the off-state to the on- state a self-test-transition-to-ON process is initiated. This process is an orderly fixed sequence and takes a fixed time-period. Interrupting the sequence by de- asserting the external state and mid-self-test is to be avoided via logic. For the PRT brake application, the self-test took less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, typically 100 seconds.
(3) Initially all switches SI through S4 are deactivated. From this state all switches can be individually checked as a serial sequence. This is done by turning on each switch singularly, and verifying operation through the use of the monitors Ml through M4. During this process the load is not energized. It is possible, as a consequence of a fault, that activating one switch will provide a path via a fault and the load will be momentarily energized. For the function of brake control on PRT, the time constant of the load (brakes) was significantly longer than the event of being momentarily energized, such that no consequence propagated from this brief event.
(4) SI is activated, which will cause Ml to be OFF. If Ml remains ON, then a fault has occurred, which is assumed to be that SI has failed open-circuit. The outcome of this test is logged for switch SI, functional (OK), or failed open- circuit (OC).
(5) SI is deactivated. All switches are now in a deactivated state.
(6) S2 is activated, which will cause M2 to be OFF. If M2 remains ON, then a fault has occurred, which is assumed to be that S2 has failed open-circuit. One of two states is logged for switch S2, functional (OK) or failed open-circuit (OC).
7) S2 is deactivated. All switches are now in a deactivated state.
8) S3 is activated, which will cause M3 to be OFF. If M remains ON, then a fault has occurred, which is assumed to be that S3 has failed open-circuit. One of two states is logged for switch S3, functional (OK), or failed open-circuit
(OC).
9) S3 is deactivated. All switches are now in a deactivated state. 10) S4 is activated, which will cause M4 to be OFF. If M4 remains ON, then a fault has occurred, which is assumed to be that S4 has failed open-circuit. One of two states is logged for switch S4, functional (OK), or failed open-circuit (OC).
11) S4 is deactivated. All switches are now in a deactivated states.
12) Monitors Ml through M4 are next checked to verify they are all ON, signifying the correct bias across the switches SI through S4, when deenergized, which is the expected state. If any monitor, Ml through M3 is off, then a fault has occurred. The fault is assumed to be a short-circuit in the associated switch, SI through S4. It is most likely that the monitoring circuit for SI or S2 has failed if either of these switches is reported as being short-circuit, as the prior tests would have blown the affected fuse on a shorted switch, which consequently removes the short-circuit.
13) Having tested all four switches individually, a decision can be arrived at as to which of three desirable states the switches can be configured in:
The predominant case is to energize switches SI and S4, which is applicable to fully-functional hardware, or hardware with a specific set of deduced faults. This activates the load.
Certain faults can be withstood with the hardware by choosing the alternative path, energizing switches S2 and S3.
This also activates the load, but reverses the current through-it compared with activating SI and S4. In the application for PRT of a brake release function, the load was non-polarized and not affected by the direction of flow of current.
Specific combinations of hardware faults cannot be tolerated. The function reacts to these faults by holding all switches off and the brakes remain on. Determination of the appropriate load state is achieved by assessing the 24 possible states of the combination of all four switches in accordance with the following table:
TABLE II
14) If it is determined that the load can be made active, the appropriate switches are energized and State 3 commences. Failure of the load to be activated will be as a consequence of the prior tests and requires repair of the hardware to proceed.
15) If SI and S4 are activated, then for the duration that state 3 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE III
16) If S2 and S3 are activated, then for the duration that state 3 is
effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE IV SI Fails OC Continue
SI Fails SC Blow SI fuse, continue
S2 Fails OC Fail-off
S2 Fails SC Continue
S3 Fails OC Fail-off
S3 Fails SC Continue
S4 Fails OC Continue
S4 Fails SC Blow S2 fuse, fail-off
17) The outcome is that the load is predominantly energized for the duration that the system is in state 3. There is a probability that a fault may occur that causes the load to be de-activated. The system should be aware that this has happened. In the application of the brake-release function for PRT, the event of having the brakes re-applied would cause the vehicle to stop and proceed through a set of diagnostics. These diagnostics included removing the command to release the brakes (ON to OFF) and re-applying the command to release the brakes (OFF to ON). The process re-invoked the Self-Test Transition to ON, at which point a different outcome to the appropriate switch configuration may be arrived at. For example, if the load was activated by switches S 1 and S4 being active and a fault occurred that caused SI to go open-circuit, the brake-release function would be de- asserted and the PRT vehicle would stop. The command to release the brakes would be removed and re-applied. The Self-Test Transition to ON that occurs would deduce the need to activate switches S2 and S3 to energize the load and
release the brakes. Hence this cycling event would permit the system to continue in the presence of a fault that had caused a temporary stoppage.
18) When the External Sequence transition from the on-state to the off- state a 'self-test-transition-to-OFF' process is initiated. This process is an orderly fixed sequence and takes a fixed Interrupting the sequence by de- asserting the external state mid-self-test is to be avoided via logic. For the PRT brake application, the self-test is less than 100msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, with typically greater than 100 seconds between trip start and ending times.
19) Initially all switches SI though S4 are deactivated, then switches S3 and S4 are activated. This two-step process insures no state-change conditions occur where switch combinations induce a transient short circuit path.
20) From this state the switches can be checked using the monitors Ml and M2. If either monitor Ml or monitor M2 is in an Off state, it is indicative that either switch S3 or S4 has blown open-circuit, and another bias path exists to drive the output to ON. Immediately on occurrence of this case, all switches are deactivated. The response time is such that the corrective action takes less than 100msec and is inconsequential.
The outcome is that one of two states is determined to be appropriate to insure the load is de-energized (the brakes applied).
21) Predominantly, when all the hardware is functional, or in the presence of selective faults, the switches SI and S2 will remain de-activated and the switches S3 and S4 will be activated, providing a short-circuit via ground across the load terminals. Alternately, on deduction of the above-described fault combinations, all four switches will remain de-activated to reduce the probability of inadvertently setting up a path of conduction. Both these conditions serve for state 1. 22) If S3 and S4 are activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE V
23) If all switches are de-activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:
TABLE VI
SI Fa Is OC Continue
SI Fa: Is SC Continue
S2 Faι Is OC Continue
S2 Fa: Is SC Continue
S3 Fa Is OC Continue
S3 Fa: Is SC Continue
S4 Fa: Is OC Continue
S4 Fa: Is SC Continue
24) The outcome is that the load is always de-energized for the duration that the system is in state 1. There is probability that changes the state of the individual switches, and may induce a fuse to blow, but the load remains deenergized. The function remains in this state until the next external transition from OFF to ON, at which point the process as described and depicted in the flow charts is repeated.
The operation of H switch 10 is depicted in summary in Fig. 8 where it can be seen that the desired behavior is off with the brake applied and then on when the brakes are removed and motion is permitted, as indicated by path 60, Fig. 8. There it can be seen that during the four states of the switch process the brakes are off in state 1 62, the off state, and in state 4 64, the self-test sequence transition to off, the brakes transition to on in state 2 66, and in state 3 68, they are in the on state.
Although specific features of the invention are shown in some drawings and not in others, this is for convenience only as each feature may be combined with any or all of the other features in accordance with the invention.
Other embodiments will occur to those skilled in the art and are within the following claims:
What is claimed is:

Claims

CLAIMS 1. A fail-safe, fault-tolerant switching system for a critical device comprising: a first pair of terminals for connection to a power source; a first network including a first fuse device, first switching device and third switching device connected in series between said first pair of terminals; a second network in parallel with said first network including a second fuse device, second switching device and fourth switching device connected in series between said first pair of terminals; and a second pair of terminals one between said first and third switching devices and one between said second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when either: said first and second switching devices are open and said third and fourth switching devices are closed; said first, second, third and fourth switching devices are open and fault-tolerant operation occurs through said first fuse device, first switching device and fourth switching device or said second fuse device, second switching device and third switching device.
2. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a unidirectional current flow circuit interconnected between said second pair of terminals and said critical device for permitting current flow in one direction.
3. The fail-safe, fault-tolerant switching system for a critical device of claim 2 in which said unidirectional current flow circuit includes a diode bridge having a first terminal connected between the third and first switching device and a second terminal connected between the second and fourth switching device and the polarized terminals are applied across the critical device.
4. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a first monitor circuit for monitoring said first switching device, a second monitor circuit for monitoring said second switching device, a third monitor circuit for monitoring said third switching device and a fourth monitor circuit for monitoring said fourth switching device.
5. The fail-safe, fault-tolerant switching system for a critical device of claim 4 further including a controller responsive to said monitoring circuits for selectively operating said switching devices.
EP00978459A 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device Withdrawn EP1228520A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US43819599A 1999-11-11 1999-11-11
US438195 1999-11-11
PCT/US2000/030799 WO2001035432A1 (en) 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device

Publications (1)

Publication Number Publication Date
EP1228520A1 true EP1228520A1 (en) 2002-08-07

Family

ID=23739642

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00978459A Withdrawn EP1228520A1 (en) 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device

Country Status (5)

Country Link
EP (1) EP1228520A1 (en)
KR (1) KR100497116B1 (en)
AU (1) AU1592001A (en)
CA (1) CA2391472A1 (en)
WO (1) WO2001035432A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7352544B2 (en) 2005-07-07 2008-04-01 Pratt + Whitney Canada Corp. Method and apparatus for providing a remedial strategy for an electrical circuit
US8390972B2 (en) * 2007-04-17 2013-03-05 Hamilton Sundstrand Corporation Secondary protection approach for power switching applications
DE102007030627A1 (en) * 2007-07-02 2009-01-08 Continental Automotive Gmbh Control of an actuator of a brake of a motor vehicle
DE102012101951A1 (en) 2012-03-08 2013-09-12 Maschinenfabrik Reinhausen Gmbh step switch
EP3196913B1 (en) * 2016-01-20 2019-04-10 Schneider Electric Industries SAS Relay circuit and method for performing self-test of relay circuit
JP6683512B2 (en) * 2016-03-18 2020-04-22 リンナイ株式会社 Dishwasher
DE102016117821A1 (en) * 2016-09-21 2018-03-22 Pilz Gmbh & Co. Kg Safety circuit for fail-safe disconnection of a hazardous technical system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4433357A (en) * 1980-10-13 1984-02-21 Matsushita Electric Works Ltd. Drive circuit for a latching relay
DE3737791A1 (en) * 1987-09-25 1989-04-13 Pepperl & Fuchs Fail-safe switch device
DE4342586A1 (en) * 1993-12-14 1995-06-22 Bosch Gmbh Robert Display device for electrical control devices
SE505747C2 (en) * 1996-02-07 1997-10-06 Asea Brown Boveri Contactor
WO1999031696A1 (en) * 1997-12-17 1999-06-24 Siemens Electromechanical Components, Inc. Electronic control circuit for a latching relay

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0135432A1 *

Also Published As

Publication number Publication date
AU1592001A (en) 2001-06-06
CA2391472A1 (en) 2001-05-17
WO2001035432A1 (en) 2001-05-17
KR100497116B1 (en) 2005-06-28
KR20020048432A (en) 2002-06-22

Similar Documents

Publication Publication Date Title
JP3955500B2 (en) Fuse trigger circuit and method for protecting electrohydraulic system including fuse
US6490141B2 (en) Power distribution system
CN105829232B (en) Security system for lift facility
US5411324A (en) Circuit configuration for a controller
EP0396265B1 (en) Air bag firing circuit
CN104412192B (en) Switching device
EP2495659B1 (en) Architecture using integrated backup control and protection hardware
US6297569B1 (en) Power switching system
JPH0382661A (en) Safety relay actuating circuit
WO2001035432A1 (en) Fail-safe, fault-tolerant switching system for a critical device
US7468876B2 (en) Safety switch
KR102376575B1 (en) Brake drive control circuit and its fault detection method
JPS61170246A (en) Power supply interface circuit
CN109565250B (en) Soft starter, operation method and switch system
CN112141166B (en) Motor train unit safety loop bypass system
US6366434B2 (en) Apparatus for safely disconnecting an electrical load from an electrical DC voltage supply
EP2210262A1 (en) System and method for protecting a coil structure in a controlled switch
JP7281699B2 (en) BRAKE DRIVE CONTROL CIRCUIT AND ITS FAILURE DETECTION METHOD
KR101201357B1 (en) double door control apparatus of train
EP0428338A2 (en) Transducer monitoring apparatus and method
WO2022264690A1 (en) Interruption device
US20020011888A1 (en) Circuit provided with a protective function
EP4124541A1 (en) Emulated voltage-free safety contact
JPH05260654A (en) Dual power supply equipment
JP2024037163A (en) Relay device and safety switch device provided with at least one relay device

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020521

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20060601