Note: Descriptions are shown in the official language in which they were submitted.
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
1
FAIL-SAFE, FAULT-TOLERANT SWITCHING SYSTEM
FOR A CRITICAL DEVICE
FIELD OF INVENTION
This invention relates to a fail-safe, fault-tolerant switching system for a
critical device.
BACKGROUND OF INVENTION
Fail-safe devices are used where risk of personal injury or damage to
property can occur. For example, air brakes on large trucks are released by
force of
air pressure against strong actuators. Any failure of the air pressure system
releases the springs to apply the brakes so the system "fails safe". In
railroad trains
a "vital relay" is used to monitor the presence of a vehicle to control
separation
between trains. When less than the required separation is sensed the power to
the
relay is cut off and "fail safe" gravity force is relied upon to close
contacts and
provide a warning signal. The use of ever more sophisticated electronic and
computer controlled systems such as in personal rapid transit (PRT) systems
has
given rise to more sophisticated requirements for fail-safe operation. PRT
systems
are driverless, automated, small, passenger vehicles that operate on
guideways. In
addition, fault-tolerant operation to permit continued operation of partially
disabled
but still safe vehicles is an important consideration. PRTs for example must
always be operated fail-safe but need some fault tolerance so that faulty
vehicles
are not simply stopped, interfering with operation of other vehicles when the
fault
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
2
can be tolerated to at least move the vehicle from the guideway to a
maintenance
area. PRT is but one instance where fail-safe, fault-tolerant systems are
needed.
This gave rise to switching circuits with a number of switches to provide fail-
safe
operation: one switch is generally not enough because a switch, be it
mechanical
or semiconductor, can fail in either the closed or open mode. Thus the outcome
is
not predictable and failure to a safe state is not assured. Two or more
switches
connected in series will increase reliability and are safe if a defective
switch can be
detected. Two or more switches in parallel provide redundancy but do not
improve
reliability.
BRIEF SUMMARY OF THE INVENTION
It is therefore an object of this invention to provide an improved fail-safe
switching system.
It is a further object of this invention to provide an improved fail-safe
switching system which is inherently fault-tolerant to some faults.
It is a further object of this invention to provide such a fail-safe, fault-
tolerant
switching system which is simple, reliable, and uses few and conventional
parts.
It is a further object of this invention to provide such a fail-safe, fault-
tolerant
switching system which can be self tested with fault tracing down to
individual
switching elements.
It is a further object of this invention to provide such a fail-safe, fault-
tolerant
switching system which can be monitored and controlled to reconfigure for
fault-
tolerant operation for additional faults.
CA 02391472 2002-05-13
WO 01/35432 PCT/L1S00/30799
3
It is a further object of this invention to provide such a fail-safe, fault-
tolerant
switching system which uses fuses to overnde faults due to switching devices
that
have failed in the closed mode.
It is a further object of this invention to provide such a fail-safe, fault-
tolerant
switching system which reduces the probability of failure in an unsafe mode.
It is a further object of this invention to provide such a fail-safe, fault-
tolerant
switching system which can work around a single fault.
It is a further object of this invention to provide such a fail-safe, fault-
tolerant
switching system which is resistant to common mode failures.
This invention results from the realization that a truly fail-safe, fault-
tolerant
switching system for a critical device can be achieved using two parallel
networks
each including a fuse device and two switch devices in series with the
critical device
connected between the networks at the junction of a switch device and fuse
device in
each network so that the system is entirely fail-safe and fault-tolerant
through its
inherent operation supplemented by automatic monitoring and control of the
switching devices.
This invention features a fail-safe, fault-tolerant switching system for a
critical device including a first pair of terminals for connection to a power
source, a
first network including a first fuse device, first switching device and third
switching
device connected in series between the first pair of terminals and a second
network in
parallel with the first network including a second fuse device, second
switching
device and fourth switching device connected in series between the first pair
of
terminals. There is a second pair of terminals, one between the first and
third
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
4
switching devices and one between the second and fourth switching devices for
connection to the critical device for fail-safe current removal from the
critical device
when first and second switching devices are open and the third and fourth
switching
devices are closed, the first, second, third and fourth switching devices are
open, the
first and second fuse devices are open and the first and second switching
devices are
open and the third and fourth switching devices are closed and the first and
second
fuse devices are intact; the first switching device has failed ON and the
second
switching device is open and the third and fourth switching devices are closed
and
fuse 1 is caused to open due to short circuit path through the first and third
switching
device and the second fuse device is intact; the first switching device is
open and the
second switching device has failed ON and the third and fourth switching
devices are
closed and fuse 1 is intact and fuse 2 is caused to open due to a short
circuit path
through the second and fourth switching device; the first, second, third and
fourth
switching devices are open, the fault-tolerant operation occurs through the
first fuse
device, first switching device and fourth switching device, or the second fuse
device,
second switching device and third switching device.
In a preferred embodiment there may be a unidirectional current flow
circuit interconnected between the second pair of terminals and the critical
device
for permitting current flow in one direction. The unidirectional current flow
circuit
may include a diode bridge. There may be a first monitor circuit for
monitoring
the first switching device, a second monitor circuit for monitoring the second
switching device, a third monitor circuit for monitoring the third switching
device,
and a fourth monitor circuit for monitoring the fourth switching device. There
may
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
be a controller responsive to the monitor circuit for selectively operating
the
switching devices.
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects, features and advantages will occur to those skilled in the art
from the following description of a preferred embodiment and the accompanying
drawings, in which:
Fig. 1 is a schematic diagram of a fail-safe, fault-tolerant H switch
according
to this invention;
Fig. 2 is a view similar to Fig. 1 including monitoring devices and a
controller for monitoring and controlling the operation of the individual
switches;
Fig. 2A is a view, similar to Fig. 2, in which a diode bridge is connected
across a polarized load;
Figs. 3-7 are flow charts explaining the operation of the controllers and
monitors; and
Fig. 8 is a diagram depicting the desired behavior of the H switch according
to this invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT
There is shown in Fig. 1 a basic H switch 10 including four switches:
switch 1 12, switch 2 14, switch 3 16, and switch 4 18, and two fuses, fuse 1
20,
and fuse 2 22. The switch is arranged in an "H" shape with the critical load
24 in
the middle. The switches may be conventional switches, relays, or
semiconductor
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
6
devices. A first network 26 inciu'ding fuse 1 20, switch 1 12 and switch 3 16,
is
connected between a pair of terminals 28 and 30 which in this embodiment are
connected to a positive power supply and ground, respectively. The second
network 32 including fuse 2 22, switch 2 14 and switch 4 18, is connected in
parallel with network 26 between terminals 28 and 30. A critical device 24 is
connected between terminal 34 which is located between switch 1 12 and switch
3
16, and terminal 36 which is located between switch 2 14 and switch 4 18. This
basic configuration of four switches has sixteen combinations. Two of them
allow
the device to be energized. This relies on the fact that the device can be
driven
with current flowing either left to right or in a right to left fashion
through the
critical device 24. Four combinations turn on only one switch and may be used
in
a self test circuit; three combinations are safe states; and the seven other
combinations blow a fuse and revert to one of the others. The following
contains
this information in more detail. Note that the two energized modes are
complementary. This protects against common mode failures and thus decreases
probability of failing in an unsafe state.
TABLE I
SWITCH 4 SWITCH 3 SWITCH 2 SWITCH 1 MODE
off off off off Safe 1
off off off on Self test
1
off off on off Self test
2
off off on on Safe 2
off on off off Self test
3
off on off on Blow fuse
off on on off Energized
1
off on on on Blow fuse
on off off off Self test
4
on off off on Energized
2
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
7
on off on off Blow fuse
on off on on Blow fuse
on on off off Safe 3
on on off on Blow fuse
on on on off Blow fuse
on on on on Blow fuse
The two states which actually allow the brakes to be released are (1) Switch 1
and
Switch 4 on and Switch 2 and Switch 3 off; and (2) Switch 2 and Switch 3 on
and
Switch 1 and Switch 4 off. This assumes that the critical load 24 is not
polarized.
Such is the case when it is a solenoid, for example.
External circuitry functions to control the H switch 10 in the following
manner. The external circuits in a deenergized mode disable all switches and
monitor them to see if either switch 1 or 2 is shorted. If they are not,
switches 3
and 4 are turned on. This is a safe state. If a request in the deenergized
state is
made, a self test is performed on the switches. This self test runs through a
check
to see if each of the switches can be turned on and off. It then makes a
determination as to whether the H switch can be energized safely and if so, in
which energized mode. This will be understood more readily by the explanation
which follows.
Besides the protection the fuses give for illegal combinations of the four
signals, they also allow the controller to change the failure of the top two
switches
from failed closed to failed open. This is accomplished by closing the switch
in the
same leg intentionally. Failed open is much easier to deal with than failed
closed
for a fault-tolerant system. The four switches are monitored by four monitors,
Fig.
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
8
2: monitor 1 40, monitor 2 42, monitor 3 44, and monitor 4 46. In this
embodiment each of the monitors is implemented as shown with respect to
monitor
1 40, by an opto-isolator 48 and resistor 50. Using opto-isolators allows
controller
52 to be electrically isolated from the critical load. This electrical
isolation can be
made complete if the actual switches are implemented by solid state relays.
This
reduces the chance for the monitors to negatively impact the critical device
and
enhances reliability of the circuit. System safety is not reduced
significantly by the
presence of the monitors because in normal operation their current is limited
by the
series resistors 50 to a fraction of that needed to operate the solenoid. As
the
resistors can only fail in the open state, they cannot energize the solenoid.
Controller 52 may be a microprocessor such as a Motorola 68040 programmed to
function as described with respect to the following discussion and Figs. 3-7.
H switch 10 can have any switch fail open or closed and still operate in the
fail-safe manner. One procedure that controller 52 can implement is the
following.
At the time that controller 52 is required to disengage the brakes, a self
test is run
that checks each switch's ability to turn on and off. If switch 1 has failed
open the
H switch will turn on switches 2 and 3 and switches 1 and 4 will turn off and
the
critical device will be engaged. If switch 1 had failed closed, the H switch
would
turn on switches 2 and 3 and switches 1 and 4 would turn off. This would blow
fuse 1 in line with switch 1 and the critical device would be engaged. The
similar
procedure could be made for switch 2 failure modes. If switch 3 fails open,
then
the system will turn on switch 1 and switch 4 and turn off switches 2 and 3 so
that
the critical device will be engaged. If switch 3 fails closed, operation is
still
CA 02391472 2002-05-13
WO 01/35432 PCT/LTS00/30799
9
possible by turning on switches 2 and 3 and turning off switches 1 and 4
whereupon the critical device will again be engaged. A similar procedure can
be
made for switch 4 failure modes. If multiple failures are found then all four
switches can be turned off and the critical device can be disengaged. When the
controller is requested to apply the brakes, switches 1 and 2 are turned off
and
switches 3 and 4 are turned on. If for any reason it detects a second fault in
either
switch 1 or 2, such that they stay on when they should not, then all four
switches
are opened.
Critical device 24a, Fig. 2A, may include a polarized load requiring
unidirectional current flow. Diode bridge 25 includes ac terminals 35 and 37
connected to terminals 34 and 36, respectively. Critical device 24a is
connected to
polarized terminals 39, which is positive, and 41, which is negative, of diode
bridge 25.
Thus, irrespective of whether the operational switch state is switch 1 and
switch 4 closed, or switch 2 and switch 3 closed, polarized critical load 24a
will
always have a positive potential on its positive terminal and a negative
potential on
its negative terminal. In this way, diode bridge 25 does not compromise the
fail
safe aspect of the circuit to reliably remove current from polarized critical
device
24a, while maintaining unidirectional current through the load.
The following describes the use of the switch and monitoring function to
perform highly reliable control of a brake system on a PRT vehicle. The brake
is
applied when no current flows through the brake actuator and this is the safe
state
for the system. By combination of the switch components, monitoring circuits
and
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
process steps in the control logic the function removes the brakes when a
request-
ON is made so that the vehicle is permitted to move and reliably applies the
brakes
when a request-OFF is made. The application also tolerates a hardware failure,
by
reconfiguring automatically on detecting a fault to permit the brakes to be
removed
and the vehicle moved, and provides the same level of reliability in being
able to
re-apply the brakes when commanded.
The switch monitor and control functions collectively provide a highly
reliable Control Function. The Control Function can be commanded two states:
ON or OFF. In this application OFF applies the brakes, ON releases them. The
control Function will go to one of four states in consequence of the external
states
being applied.
State 1: Off State, applies indefinitely in response to the external command
maintaining an OFF state.
State 2: Self Test, Transition to On, occurs in response to the external
command transitioning from an OFF state to an ON state. This state is
transient, and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines which
one of the two different hardware internal ON states will be selected based
on health of the hardware elements, or a permanent OFF state if it is
determined that an excessive number of hardware failures exist.
State 3: ON State, applies indefinitely following a successful Self Test, in
response to the external command maintaining an ON state.
State 4: Self Test, Transition to OFF, occurs in response to the external
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
11
command transitioning from an ON state to an OFF state. This state is
transient and of short duration compared to the system responsiveness.
During this state the output is effectively off. The outcome determines
which one of the two different hardware internal OFF states will be selected,
based on health of the hardware elements.
The following description of states refers to the flow diagrams in Figs. 3-7.
The point of entry for the process is arbitrarily defined as State 1, the OFF
state.
Switches 1, 2, 3 and 4 are referred to as S1, S2, S3, S4, Monitors 1, 2, 3 and
4 as
M 1, M2, M3 and M4.
( 1 ) State 1 is predominantly satisfied by having switches S 1 and S2
deactivated, and switches S3 and S4 activated. This applies a short-circuit
via
ground to the two ends of the load (Brake actuator) to insure it is de-
energized.
Alternately, and only as a consequence of determining a fault condition via
prior
testing, all four switches, S1, S2, S3 and S4 will be deactivated to reduce
the
probability of inadvertently setting up a path of conduction.
(2) When the External Sequence transitions from the off state to the on-
state a self test-transition-to-ON process is initiated. This process is an
orderly
fixed sequence and takes a fixed time-period. Interrupting the sequence by de-
asserting the external state and mid-self test is to be avoided via logic. For
the
PRT brake application, the self test took less than 100msec, compared with
brake
cycling which was controlled to occur at rates slower than once per 1.5
seconds,
typically 100 seconds.
(3) Initially all switches S 1 through S4 are deactivated. From this state
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
12
all switches can be individually checked as a serial sequence. This is done by
turning on each switch singularly, and verifying operation through the use of
the
monitors M 1 through M4. During this process the load is not energized. It is
possible, as a consequence of a fault, that activating one switch will provide
a path
via a fault and the load will be momentarily energized. For the function of
brake
control on PRT, the time constant of the load (brakes) was significantly
longer than
the event of being momentarily energized, such that no consequence propagated
from this brief event.
(4) S 1 is activated, which will cause M 1 to be OFF. If M 1 remains ON,
then a fault has occurred, which is assumed to be that S 1 has failed open-
circuit.
The outcome of this test is logged for switch S1, functional (OK), or failed
open-
circuit (0C).
(5) S 1 is deactivated. All switches are now in a deactivated state.
(6) S2 is activated, which will cause M2 to be OFF. If M2 remains ON,
then a fault has occurred, which is assumed to be that S2 has failed open-
circuit.
One of two states is logged for switch S2, functional (OK) or failed open-
circuit
(0C).
7) S2 is deactivated. All switches are now in a deactivated state.
8) S3 is activated, which will cause M3 to be OFF. If M remains ON,
then a fault has occurred, which is assumed to be that S3 has failed open-
circuit.
One of two states is logged for switch S3, functional (OK), or failed open-
circuit
(0C).
9) S3 is deactivated. All switches are now in a deactivated state.
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
13
10) S4 is activated, which will cause M4 to be OFF. If M4 remains ON,
then a fault has occurred, which is assumed to be that S4 has failed open-
circuit.
One of two states is logged for switch S4, functional (OK), or failed open-
circuit
(0C).
11 ) S4 is deactivated. All switches are now in a deactivated states.
12) Monitors M1 through M4 are next checked to verify they are all
ON, signifying the correct bias across the switches S 1 through S4, when de-
energized, which is the expected state. If any monitor, M1 through M3 is off,
then
a fault has occurred. The fault is assumed to be a short-circuit in the
associated
switch, S 1 through S4. It is most likely that the monitoring circuit for S 1
or S2 has
failed if either of these switches is reported as being short-circuit, as the
prior tests
would have blown the affected fuse on a shorted switch, which consequently
removes the short-circuit.
13) Having tested all four switches individually, a decision can be
arrived at as to which of three desirable states the switches can be
configured in:
The predominant case is to energize switches S 1 and S4, which is
applicable to fully-functional hardware, or hardware with a specific set of
deduced faults. This activates the load.
Certain faults can be withstood with the hardware by choosing the
alternative path, energizing switches S2 and S3.
This also activates the load, but reverses the current through-it compared
with activating S 1 and S4. In the application for PRT of a brake release
function, the load was non-polarized and not affected by the direction of
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
14
flow of current.
Specific combinations of hardware faults cannot be tolerated. The function
reacts to these faults by holding all switches off and the brakes remain on.
Determination of the appropriate load state is achieved by assessing the 24
possible states of the combination of all four switches in accordance with the
following table:
TABLE II
State S1 S2 S3 S4 Outcome
1 OK OK OK OK Select S1,S4
2 OK OK OK OC Select S2,S3
3 OK OK OK SC Select S1,S4
4 OK OK OC OK Select Sl,S4
OK OK OC OC Select None
6 OK OK OC SC Select S1,S4
7 OK OK SC OK Select S2,S3
8 OK OK SC OC Select S2,S3
9 OK OK SC SC Select None
OK OC OK OK Select Sl,S4
11 OK OC OK OC Select None
12 OK OC OK SC Select Sl,S4
13 OK OC OC OK Select S1,S4
14 OK OC OC OC Select None
OK OC OC SC Select S1,S4
16 OK OC SC OK Select None
17 OK OC SC OC Select None
18 OK OC SC SC Select None
19 OK SC OK OK Select 51,54
OK SC OK OC Select S2,S3
21 OK SC OK SC Select S1,S4
22 OK SC OC OK Select S1,S4
23 OK SC OC OC Select None
24 OK SC OC SC Select None
OK SC SC OK Select S1,S4
26 OK SC SC OC Select None
27 OK SC SC SC Select None
28 OC OK OK OK Select S2,S3
29 OC ~ OK I OK ~ OC ~ Select S2,S3
CA 02391472 2002-05-13
WO 01/35432 PCT/LTS00/30799
30 OC OK OK SC Select None
31 OC OK OC OK Select None
32 OC OK OC OC Select None
33 OC OK OC SC Select None
34 OC OK SC OK Select S2,S3
35 OC OK SC OC Select None
36 OC OK SC SC Select None
37 OC OC OK OK Select None
38 OC OC OK OC Select None
39 OC OC OK SC Select None
40 OC OC OC OK Select None
41 OC OC OC OC Select None
42 OC OC OC SC Select None
43 OC OC SC OK Select None
44 OC OC SC OC Select None
45 OC OC SC SC Select None
46 OC SC OK OK Select S2,S3
47 OC SC OK OC Select None
48 OC SC OK SC Select None
49 OC SC OC OK Select None
50 OC SC OC OC Select None
51 OC SC OC SC Select None
52 OC SC SC OK Select None
53 OC SC SC OC Select None
54 OC SC SC SC Select None
55 SC OK OK OK Select S2,S3
56 SC OK OK OC Select S2,S3
57 SC OK OK SC Select None
58 SC OK OC OK Select None
59 SC OK OC OC Select None
60 SC OK OC SC Select None
61 SC OK SC OK Select S2,S3
62 SC OK SC OC Select S2,S3
63 SC OK SC SC Select None
64 SC OC OK OK Select None
65 SC OC OK OC Select None
66 SC OC OK SC Select None
67 SC OC OC OK Select None
68 SC OC OC OC Select None
69 SC OC OC SC Select None
70 SC OC SC OK Select None
71 SC OC SC OC Select None
72 SC OC SC SC Select None
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
16
73 SC SC OK OK Select S1,S4
74 SC SC OK OC Select S2,S3
75 SC SC OK SC Select None
76 SC SC OC OK Select S1,S4
77 SC SC OC OC Select None
78 SC SC OC SC Select None
79 SC SC SC OK Select None
80 SC SC SC OC Select None
81 SC SC SC SC I Select None
14) If it is determined that the load can be made active, the appropriate
switches are energized and State 3 commences. Failure of the load to be
activated
will be as a consequence of the prior tests and requires repair of the
hardware to
proceed.
15) If S1 and S4 are activated, then for the duration that state 3 is
effective the occurrence of new faults will cause the switches to behave in
accordance with the eight possible combinations defined in the following
table:
TABLE III
S 1 Fails OC Fail-off
S 1 Fails SC Continue
S2 Fails OC Continue
S2 Fails SC Blow S2 fuse, continue
S3 Fails OC Continue
S3 Fails SC Blow S1 fuse, fail-off
S4 Fails OC Fail-off
S4 Fails SC Continue
16) If S2 and S3 are activated, then for the duration that state 3 is
effective the occurrence of new faults will cause the switches to behave in
accordance with the eight possible combinations defined in the following
table:
TABLE IV
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
17
S 1 Fails OC Continue
S 1 Fails SC Blow S 1 fuse, continue
S2 Fails OC Fail-off
S2 Fails SC Continue
S3 Fails OC Fail-off
S3 Fails SC Continue
S4 Fails OC Continue
S4 Fails SC Blow S2 fuse, fail-off
17) The outcome is that the load is predominantly energized for the
duration that the system is in state 3. There is a probability that a fault
may occur
that causes the load to be de-activated. The system should be aware that this
has
happened. In the application of the brake-release function for PRT, the event
of
having the brakes re-applied would cause the vehicle to stop and proceed
through a
set of diagnostics. These diagnostics included removing the command to release
the brakes (ON to OFF) and re-applying the command to release the brakes (OFF
to ON). The process re-invoked the Self Test Transition to ON, at which point
a
different outcome to the appropriate switch configuration may be arrived at.
For
example, if the load was activated by switches S 1 and S4 being active and a
fault
occurred that caused S 1 to go open-circuit, the brake-release function would
be de-
asserted and the PRT vehicle would stop. The command to release the brakes
would be removed and re-applied. The Self Test Transition to ON that occurs
would deduce the need to activate switches S2 and S3 to energize the load and
release the brakes. Hence this cycling event would permit the system to
continue
in the presence of a fault that had caused a temporary stoppage.
18) When the External Sequence transition from the on-state to the off
state a 'self test-transition-to-OFF' process is initiated. This process is an
orderly
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
18
fixed sequence and takes a fixed time-period. Interrupting the sequence by de-
asserting the external state mid-self test is to be avoided via logic. For the
PRT
brake application, the self test is less than 100msec, compared with brake
cycling
which was controlled to occur at rates slower than once per 1.5 seconds, with
typically greater than 100 seconds between trip start and ending times.
19) Initially all switches S 1 though S4 are deactivated, then switches S3
and S4 are activated. This two-step process insures no state-change conditions
occur where switch combinations induce a transient short circuit path.
20) From this state the switches can be checked using the monitors M1
and M2. If either monitor M1 or monitor M2 is in an Off state, it is
indicative that
either switch S3 or S4 has blown open-circuit, and another bias path exists to
drive
the output to ON. Immediately on occurrence of this case, all switches are
deactivated. The response time is such that the corrective action takes less
than
100msec and is inconsequential.
The outcome is that one of two states is determined to be appropriate to
insure the load is de-energized (the brakes applied).
21) Predominantly, when all the hardware is functional, or in the
presence of selective faults, the switches S 1 and S2 will remain de-activated
and
the switches S3 and S4 will be activated, providing a short-circuit via ground
across the load terminals. Alternately, on deduction of the above-described
fault
combinations, all four switches will remain de-activated to reduce the
probability
of inadvertently setting up a path of conduction. Both these conditions serve
for
state 1.
CA 02391472 2002-05-13
WO 01/35432 PCT/LTS00/30799
19
22) If S3 and S4 are activated, then for the duration that state 1 is
effective the occurrence of new faults will cause the switches to behave in
accordance with the eight possible combinations defined in the following
table:
TABLE V
S 1 Fails OC Continue
S 1 Fails SC Blow S 1 fuse, continue
S2 Fails OC Continue
S2 Fails SC Blow S2 fuse, continue
S3 Fails OC Continue
S3 Fails SC Continue
S4 Fails OC Continue
S4 Fails SC Continue
23) If all switches are de-activated, then for the duration that state 1 is
effective
the occurrence of new faults will cause the switches to behave in accordance
with
the eight possible combinations defined in the following table:
TABLE VI
S 1 Fails OC Continue
S 1 Fails SC Continue
S2 Fails OC Continue
S2 Fails SC Continue
S3 Fails OC Continue
S3 Fails SC Continue
S4 Fails OC Continue
S4 Fails SC Continue
24) The outcome is that the load is always de-energized for the duration
that the system is in state 1. There is probability that changes the state of
the
individual switches, and may induce a fuse to blow, but the load remains de-
energized. The function remains in this state until the next external
transition from
CA 02391472 2002-05-13
WO 01/35432 PCT/US00/30799
OFF to ON, at which point the process as described and depicted in the flow
charts
is repeated.
The operation of H switch 10 is depicted in summary in Fig. 8 where it can
be seen that the desired behavior is off with the brake applied and then on
when the
brakes are removed and motion is permitted, as indicated by path 60, Fig. 8.
There
it can be seen that during the four states of the switch process the brakes
are off in
state 1 62, the off state, and in state 4 64, the self test sequence
transition to off, the
brakes transition to on in state 2 66, and in state 3 68, they are in the on
state.
Although specific features of the invention are shown in some drawings and
not in others, this is for convenience only as each feature may be combined
with
any or all of the other features in accordance with the invention.
Other embodiments will occur to those skilled in the art and are within the
following claims:
What is claimed is:
