This invention relates to fault detection in electrical circuits, in particular it relates to overload protection in a switch circuit for digital output modules.
In safety control systems, fault tolerance is of utmost importance. Fault tolerance is the ability to continue functioning in the event of one or more failures within the system.
Fault tolerance may be achieved by a number of different techniques, each with its specific advantages and disadvantages. One example of fault tolerance is known as Hardware Implemented Fault Tolerance (HIFT). HIFT means that the system relies on robust hardware circuits (as opposed to complex software algorithms) to perform the fault detection and redundancy management functions. A significant advantage HIFT has over software-implemented fault tolerance is that HIFT eliminates the overhead for communications between processors, leaving more time for controlling the process. This makes HIFT systems significantly faster and more dependable than systems using software-implemented fault tolerance.
An example of a HIFT system is a system which provides redundancy, in particular Triple Modular Redundancy (TMR). Using TMR, critical circuits are triplicated and perform identical functions simultaneously and independently. The data output from each of the three circuits is voted in a majority-voting circuit, before affecting the system's outputs. If one of the triplicated circuits fails, its data output is ignored. However, the system continues to output to the process the value (voltage, current level, or discrete output state) that agrees with the majority of the functional circuits. TMR provides continuous, predictable operation.
HIFT and TMR provide for automatic fault recovery with no disruption to system operation and ensure minimal fault detection periods.
Another approach to fault tolerance is the use of hot-standby modules. This approach provides a level of fault tolerance whereby the standby module maintains system operation in the event of module failure. With this approach there may be some disruption to system operation during the changeover period if the modules are not themselves fault-tolerant.
Fault tolerant systems ideally create a Fault Containment Region (FCR) to ensure that a fault within the FCR boundary does not propagate to the remainder of the system. This enables multiple faults to co-exist on different parts of a system without affecting operation.
Fault tolerant systems generally employ dedicated hardware and software test and diagnostic regimes that provide very fast fault recognition and response times to provide a safer system.
Commonly, it is possible to repair faults without interrupting system operation (known as hot replacement). For example, active and standby modules may operate in parallel so that, if an active module becomes faulty, there is an automatic changeover to a standby module.
Safety control systems are generally designed to be ‘fail-operational/fail-safe’. Fail operational means that when a failure occurs, the system continues to operate: it is in a fail-operational state. The system should continue to operate in this state until the failed module is replaced and the system is returned to a fully operational state.
An example of fail-safe operation occurs if, in a TMR system, a failed module is not replaced before a second failure occurs in a parallel circuit: the second failure should cause the TMR system to shut down to a fail-safe state.
Typical safety control applications include emergency and safety shutdown systems, process control, reactor control, wellhead control, turbine and compressor control, fire and gas detection and abatement, and are applicable to many industries including oil and gas production and refining, chemical production and processing, power generation, paper and textile mills and sewage treatment plants.
According to the invention there is provided a switch for a fault tolerant digital output module comprising: an output transistor pair for enabling and disabling an alternating output current; and a current limiter for clamping the output current to a predetermined maximum value.
Preferably, the current limiter comprises a pair of current sense transistors.
Preferably the switch further comprises a voltage monitor for monitoring the voltage across the output transistor pair, which sets an overvoltage signal in the event that the monitored voltage exceeds a predetermined maximum voltage value and which is arranged in operation to sample the overvoltage signal at voltage sampling intervals, an overload condition being detected in the event that the output transistor pair is enabling the alternating output current and the overvoltage signal is set for more than a predetermined number of voltage samples.
In a preferred embodiment the voltage sampling interval is substantially equal to 60 μs, the predetermined maximum voltage value is substantially between 10V and 35V and the predetermined number of voltage samples is equal to 1, 2, 3 or 4.
Preferably, the switch further comprises a current monitor for monitoring the current through the output transistor and which is arranged in operation to sample the current at current sampling intervals and in the event that the current exceeds a predetermined absolute maximum current value for more than a predetermined number of current samples an overload condition is detected.
In a preferred embodiment, the current sampling interval is substantially equal to 240 μs and the predetermined number of current samples is in the range 1-4.
Preferably, the switch further comprises an average current monitor for monitoring the average current through the output transistors and which is arranged in operation to sample the average current at average current sampling intervals and in the event that the average current exceeds a predetermined average current threshold for more than a predetermined number of AC cycles an overload condition is detected.
In a preferred embodiment, the average current sampling interval is substantially equal to 300 ms and the predetermined number of AC cycles is 3.
The invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Referring now to
If an internal circuit in the system fails, it is simply voted out. Comprehensive distributed voting both out-votes failures, preventing them from being propagated into the process, and simplifies the process of identifying where faults have occurred.
The output field interface unit 6403 comprises replicated output field interface modules 6404 which are galvanically isolated from replicated output switches 600 connected in a series/parallel configuration as shown.
For safety systems it is beneficial for output modules driving alternating current loads to protect the drive circuitry from damage due to external short circuit faults, as well as from less extreme load problems that may cause long-term overheating of the output drivers if not recognised. The method of protection must be balanced against the requirement to provide as much current to the load as is safely possible.
In the preferred embodiment of the invention, there are four layers of protection to prevent overload damage to the output module, while handling turn-on current surges and tolerating brief overloads.
A driver 6221 receives the input signal and drives two back-to-back FET output transistors 6281, 6251 in dependence upon the received signal 6301.
A transformer-isolated high-frequency AC input power signal differential pair (Pwr1 and Pwr2) is rectified and regulated by a bridge rectifier and filter 6201 and a voltage regulator 6211 to generate isolated 10V and 3.3V power supplies for various components.
A first level of overload protection is implemented in hardware directly in the output transistor control circuit. Each gate of the FET output transistors 6281, 6251 is clamped with a current sense NPN transistor pair 6231.
This current limiting transistor pair 6231 provides a virtually instantaneous current limit function to approximately 10 A to 40 A, depending upon the desired output current range of the implementation.
The voltage across the FET output transistors 6281, 6251 is measured by the signal VMON and the current through the FET output transistors 6281, 6251 is measured using the signal IMON, which measures the current through a current sense resistor 6232.
A second level of overload protection is provided by monitoring the voltage across the output transistors at a relatively high sample rate, in the preferred embodiment every 60 μs, and sending a signal to a diagnostic monitor 6291. The monitoring is done in hardware by a switch overvoltage detect transistor 6261. When the voltage across R2121 (
In the preferred embodiment this signal is asserted if the voltage exceeds a threshold of between 10V and 35V, depending upon the output current rating of the switch. If the output field interface module 6404 is commanding the binary input signal 6301 such that the output is enabled, and the voltage exceeds the predetermined maximum voltage value for more than a predetermined number of samples (in the range 1-4 in the preferred embodiment), the output field interface module 6404 sets an overload condition and causes the binary input signal 6301 to be reset in order to turn the FET output transistors 6281, 6251 off and thus disable the AC output.
A third layer of protection is provided by monitoring the load current every alternating current cycle. The load current is digitized every 240 μs by the diagnostic monitor 6291 and transmitted as signal IMON via the output field interface module 6404 to the output host interface unit 6402. If the output host interface unit 6402 detects that the load current has saturated the IMON A/D converters in either or both directions for three consecutive AC cycles, the output field interface module 6404 is instructed to set an overload condition and cause the binary input signal 6301 to be reset in order to turn the FET output transistors 6281, 6251 off and thus disable the AC output.
A final layer of protection involves monitoring the load current for a persistent long-term average magnitude that would result in too much heat being dissipated in the output FETs, causing their junction temperature to exceed the maximum rating. This is performed in the output host interface unit 6402 by sampling the IMON load current signal every 300 ms and averaging the value. If the average exceeds a predetermined maximum average value for more than 1.5 seconds, the switch is turned off as before.
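The four layers described above (and claimed in summary form earlier) can be modelled as a small time-stepped state machine, which makes the staging of the time constants visible: the fast overvoltage layer catches a hard short within a few hundred microseconds, while the A/D saturation and average-current layers are slow enough to let a turn-on surge pass. The following Python is an added example, not code from the patent or from any product firmware. It implements layers 2 to 4 as sampled monitors with the intervals and counts of the preferred embodiment (60 μs, 240 μs, 300 ms, 1-4 samples, 3 cycles, 1.5 s) and represents layer 1 only as a hard clamp on the modelled current. The 50 Hz supply, the 20 V overvoltage threshold, the 15 A clamp, the 10 A A/D full scale, the 4 A average limit and the load scenarios are all assumptions constructed for illustration; the text gives these values only as ranges or not at all.

```python
"""Time-stepped model of the layered overload trip logic (added example).

Not code from the patent or any product firmware. Intervals and counts follow
the preferred embodiment; values marked 'assumed' are illustrative only.
"""
import math
from typing import Callable, Optional, Tuple

V_SAMPLE_US = 60          # layer 2 sampling interval (text)
I_SAMPLE_US = 240         # layer 3 sampling interval (text)
AVG_SAMPLE_US = 300_000   # layer 4 sampling interval (text)
MAINS_HZ = 50.0           # assumed supply frequency
SAMPLES_PER_CYCLE = round(1e6 / (MAINS_HZ * I_SAMPLE_US))  # 83 current samples per AC cycle
I_CLAMP_A = 15.0          # assumed layer 1 clamp (text: 10 A to 40 A depending on rating)


class OverloadMonitor:
    """Layers 2-4. A trip by any layer resets the enable so the FET pair turns off."""

    def __init__(self, v_max=20.0, v_trip_samples=4, adc_full_scale_a=10.0,
                 cycle_trip=3, avg_limit_a=4.0, avg_trip_windows=5):
        self.v_max = v_max                        # assumed; text: 10 V to 35 V by rating
        self.v_trip_samples = v_trip_samples      # trip when exceeded (text: 1-4)
        self.adc_full_scale_a = adc_full_scale_a  # assumed IMON A/D full scale
        self.cycle_trip = cycle_trip              # consecutive saturated cycles (text: 3)
        self.avg_limit_a = avg_limit_a            # assumed maximum long-term average
        self.avg_trip_windows = avg_trip_windows  # 1.5 s / 300 ms; trip when exceeded
        self.output_enabled = True
        self.trip_reason: Optional[str] = None
        self._ov_run = 0            # consecutive overvoltage samples while enabled
        self._cycle_pos = 0         # current samples seen in the present AC cycle
        self._cycle_saturated = False
        self._sat_cycles = 0        # consecutive cycles with A/D saturation
        self._avg_over_windows = 0  # consecutive 300 ms windows over the average limit

    def _trip(self, reason: str) -> None:
        if self.trip_reason is None:
            self.trip_reason = reason
        self.output_enabled = False

    def overvoltage_sample(self, v_fet: float) -> None:
        """Layer 2: a high voltage across FETs commanded ON means they are clamping
        into a short. Only samples taken while the output is enabled count."""
        flagged = self.output_enabled and v_fet > self.v_max
        self._ov_run = self._ov_run + 1 if flagged else 0
        if self._ov_run > self.v_trip_samples:
            self._trip("overvoltage")

    def current_sample(self, i_load: float) -> None:
        """Layer 3: A/D saturation in either polarity, judged once per AC cycle."""
        if not self.output_enabled:
            return
        if abs(i_load) >= self.adc_full_scale_a:
            self._cycle_saturated = True
        self._cycle_pos += 1
        if self._cycle_pos == SAMPLES_PER_CYCLE:
            self._cycle_pos = 0
            self._sat_cycles = self._sat_cycles + 1 if self._cycle_saturated else 0
            self._cycle_saturated = False
            if self._sat_cycles >= self.cycle_trip:
                self._trip("adc_saturation")

    def average_sample(self, i_avg: float) -> None:
        """Layer 4: average above the heating limit for more than 1.5 s."""
        if not self.output_enabled:
            return
        self._avg_over_windows = self._avg_over_windows + 1 if i_avg > self.avg_limit_a else 0
        if self._avg_over_windows > self.avg_trip_windows:
            self._trip("average_current")


def run_scenario(duration_s: float, v_fet: Callable[[float], float],
                 i_load: Callable[[float], float]) -> Tuple[Optional[str], Optional[int]]:
    """Drive all monitors from time functions; return (trip reason, trip time in us)."""
    mon = OverloadMonitor()
    acc, n = 0.0, 0
    for k in range(int(duration_s * 1e6) // V_SAMPLE_US):
        t = k * V_SAMPLE_US * 1e-6
        mon.overvoltage_sample(v_fet(t))
        if k % (I_SAMPLE_US // V_SAMPLE_US) == 0:
            i = max(-I_CLAMP_A, min(I_CLAMP_A, i_load(t)))  # layer 1 clamp (modelled)
            mon.current_sample(i)
            acc, n = acc + abs(i), n + 1
        if k and k % (AVG_SAMPLE_US // V_SAMPLE_US) == 0:
            mon.average_sample(acc / n)                      # mean |IMON| over the window
            acc, n = 0.0, 0
        if mon.trip_reason is not None:
            return mon.trip_reason, k * V_SAMPLE_US
    return None, None


def sine(amp_a: float) -> Callable[[float], float]:
    return lambda t: amp_a * math.sin(2 * math.pi * MAINS_HZ * t)


# Constructed scenarios (not measurements), each chosen to exercise one layer.
def scenario_turn_on_surge():
    """8 A peak for two cycles, then 2 A: under every threshold, so no trip."""
    return run_scenario(3.0, lambda t: 1.0, lambda t: sine(8.0 if t < 0.04 else 2.0)(t))

def scenario_hard_short():
    """Shorted load: the clamp holds the current and line voltage appears across the FETs."""
    return run_scenario(3.0, lambda t: 30.0, lambda t: 200.0)

def scenario_saturating_overload():
    """12 A peak saturates the 10 A A/D every cycle but stays below the 15 A clamp."""
    return run_scenario(3.0, lambda t: 2.0, sine(12.0))

def scenario_slow_overheat():
    """7.5 A peak (about 4.8 A mean) is within A/D range but overheats the FETs."""
    return run_scenario(3.0, lambda t: 2.0, sine(7.5))


if __name__ == "__main__":
    for s in (scenario_turn_on_surge, scenario_hard_short,
              scenario_saturating_overload, scenario_slow_overheat):
        print(f"{s.__name__:28s} -> {s()}")
```

Two design points carry over from the text: the overvoltage counter runs only while the output is commanded on, because a high drain-source voltage across an OFF switch is the normal state and must not be mistaken for clamping; and every layer funnels into the same latched trip that resets the enable, so the slower layers never have to reason about the faster ones. In the model the hard short trips on the fifth 60 μs sample (240 μs), the saturating overload after three AC cycles (about 60 ms), and the slow overheat only after six 300 ms windows (1.8 s), while the turn-on surge runs for 3 s without a trip.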
There is also a temperature monitor 6271 which sends a temperature monitor signal to the output field interface module 6404 via the diagnostic monitor 6291.
It is to be recognised that various alterations, modifications, and/or additions may be introduced into the constructions and arrangements of parts described above without departing from the scope of the present invention as defined in the following claims.
Number | Date | Country | Kind |
---|---|---|---|
06114806 | May 2006 | EP | regional |
This application is related to and claims priority from U.S. Provisional Application No. 60/785,537 filed Mar. 24, 2006 entitled Fault Detection and Apparatus, which is incorporated fully herein by reference.
Number | Date | Country | |
---|---|---|---|
20080019069 A1 | Jan 2008 | US |
Number | Date | Country | |
---|---|---|---|
60785537 | Mar 2006 | US |