[go: up one dir, main page]

GB2183411A - Testing fuses - Google Patents

Testing fuses Download PDF

Info

Publication number
GB2183411A
GB2183411A GB08524733A GB8524733A GB2183411A GB 2183411 A GB2183411 A GB 2183411A GB 08524733 A GB08524733 A GB 08524733A GB 8524733 A GB8524733 A GB 8524733A GB 2183411 A GB2183411 A GB 2183411A
Authority
GB
United Kingdom
Prior art keywords
fuse
blowing
path
processors
test
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB08524733A
Other versions
GB8524733D0 (en
Inventor
Colin Bendall
John Parker Smith
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ML Engineering Plymouth Ltd
Original Assignee
ML Engineering Plymouth Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ML Engineering Plymouth Ltd filed Critical ML Engineering Plymouth Ltd
Priority to GB08524733A priority Critical patent/GB2183411A/en
Publication of GB8524733D0 publication Critical patent/GB8524733D0/en
Publication of GB2183411A publication Critical patent/GB2183411A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01RMEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R27/00Arrangements for measuring resistance, reactance, impedance, or electric characteristics derived therefrom
    • G01R27/02Measuring real or complex resistance, reactance, impedance, or other two-pole characteristics derived therefrom, e.g. time constant
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/22Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/24Marginal checking or other specified testing methods not covered by G06F11/26, e.g. race tests

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Automation & Control Theory (AREA)
  • Computer Hardware Design (AREA)
  • Fuses (AREA)

Abstract

A security fuse arrangement for a fail-safe control system has duplicated fuse-blowing circuits (4A,4B) each coupled to a power supply line (1) containing a fuse (2) and operable in response to a signal from a respective one of two duplicated processors (A,B) to cause a fuse-blowing current to be passed through the fuse (2) and a respective fuse-blowing path (3A, 3B) in the event of a control system fault. The processors (A,B) are programmed to test periodically the ability of each processor (A,B) to energise both of the fuse-blowing circuits (4A, 4B), and the ability of each fuse-blowing path (3A, 3B) to carry a sufficiently large current to blow the fuse (2) independently of the other path (3B,3A). This test is carried out by causing each circuit (4A, 4B) singly and in alternation to pass a current through its associated path (3A, 3B) for a time interval which is insufficiently long to blow the fuse (2), and then monitoring the decay of the voltage across a resistance in the path (3A,3B) due to capacitance in the circuit (4A,4B). <IMAGE>

Description

SPECIFICATION Security fuse arrangement for fail-safe control system This invention relates to a securityfuse arrangement and a method of testing a security fuse ci rcuit for use with a fail-safe control system.
The invention isparticularlyapplicabletoafail safe control system including duplicated crosschecking processors which, upon detection of a fault, initiate shut-down of the power supply of the system. One such fail-safe power supply unit is described in U.K. Patent Application GB 21 50373A ofthe present applicants.
An objectofthe present invention isto provide a guarantee of fail-safe operation of a control system of the kind referred to by ensuring that each of the two processors has the ability to blow a security fuse for the purpose of removing power from the output stage of the system if a dangerous or potentially dan gerous condition, event or set of conditions exists or occurs.
According to the invention in one aspect there is provided a method of testing a security fuse circuit associated with a fail-safe control system including duplicated cross-checking processors which, upon detection of a fault, initiate shut down of a power supply, in which the processors are programmed to test the security fuse circuit periodically in order to check the integrity of each of two fuse-blowing paths associated with each respective microprocessor.
In a preferred arrangement the periodic tests car ried out by the processors establish that the follow- ing conditions are satisfied, namelythat: (a) each processor has the ability to energise both ofthefuse-blowing paths, and (b) each fuse-blowing path can carry a sufficiently large current to blowthefuse independently ofthe otherfuse-blowing path.
Each processor is programmed to perform the periodictests of both fuse blowing paths, the processors performing their tests singly and in alternation.
The invention will be fu rther described, by way of example only, with reference to the accompanying drawings, in which :- Figure 1 is a schematic diagram of a security fuse arrangement according to one embodiment ofthe invention; Figure2is an example of a fuse blowing circuitfor use in an arrangementsuch asthatshown in Figure 1; Figure3is an example of a single fuse blowing cir cuit associated with one ofthe two microprocessors ofthe circuit shown in Figure 2, and Figure 4 illustrates typical waveforms associated with the operation of the circuit shown in Figure 3.
Figure 1 showsschematicallya power supply line 1 incorporating a security fuse 2. Downstream of the securityfuse 2the power supply line 1 leads to the output stages (not shown) of a telemetry control system which includes duplicated cross checking microprocessors A,B. The microprocessors A,B are arranged, for example, as described in U.K. Patent Application GB 21 50373A, to afford a fail-safe shutdown capability.
The object of the present invention is to provide an arrangement for the fai l-safe proving ofthe security fuse 2 and its associated fuse blowing paths. One possible method of doing this would be to apply a large currenttothefuseforsuch a shorttimethatthe fuse would not blow, but the fuse-blowing paths would be proved. The time taken to blow a fuse is inversely proportionalyto the square ofthe applied current. A disadvantage of such a technique is that it is difficultto detect whether the fuse-blowing path has become more resistive than it should be while still applying the tests currentfor a sufficiently short timetoensurethatthefusedoes not blow.
The arrangement illustrated schematically in Figure 1 utilises the microprocessors A,B which form part of the duplicated cross-checking control system to detect a dangerous or potentially dangerous condition or set of conditions in the control system and to blow the fuse 2 whenever such conditions are set ected thereby removing power from the output stages. Included in such conditions would be the det ection of a fault in the fuse blowing paths associated with the securityfuse 2.
Two fuse blowing paths 3A, 3B are shown schematically, each of which is capable of carrying a current sufficient to blow the fuse 2 under control of a respectivefuse blowing circuit 4A, 4B.
The programs for the two processors A,8 include in each complete test "loop" forthe associated control system a period allocated to the testing of the fuse 2 and its associated fuse blowing circuit to ensurethat, in the eventofa failure, at least one ofthe processors A,B would be capable of blowing the fuse 2via at least one ofthe fuse blowing paths 3A, 3B.
The object of the periodic testing is to satisfy the fol- lowing conditions: (a) each processors A,B has the ability to blowthe fuse 2 throug h both of the fuse blowing paths 3A, 3B, and (b)eachfuseblowing path 3A, 38 can carrysuf- ficient currentto blow the fuse 2 independently of the other fuse blowing path.
If the periodic tests show that either of the above conditions is not met the fuse 2 is blown automatic ally bythe processorAor B ensuring thefail-safe aspect of the fuse control circuit.
The processor A is connected to both fuse blowing circuits 4A, 4B through two test lines 5A, 6A and the processor B is connected to both fuse blowing circuits 4A, 4B through test lines 5B, 6B. Each fuse blowing circuit 4A, 48 is connected to the associated processor A, B through a respective test monitor line 7A, 78, so that each processor A, 8 is arranged to monitor only the tests performed on its associated fuse blowing path 3A, 3B respectively.
The fuse blowing circuits 4A, 4B are shown in Figure 2 with the associated test lines 5A, 5B and 6A, 6B and the associated test monitor lines 7A, 7B. The lines 5, 6 and 7 are connected to each respective processorthrough the associated peripheral interfacing adaptor (PIA) of the processor.
The cross checking connections between the two processors A and Bare indicated schematically as 8A, 8B in Figure 1. A period oftime is allocated within the cyclic control and monitoring loop ofthe program ofthe processors A and B during which the testing of the fuse 2 and its associated fuse blowing circuits 4A, 48 is carried out. The test is performed in a sequence of five steps, described with reference to Figure 1: Step 1 The two processors A, B cannot perform tests on the fuse 2 simultaneously, since the rating ofthefuse 2would be exceeded during thetimetaken to mon itorthe test and the fuse would blow. Accordingly each processor A, 8 performs its sequence of tests alternately.Since, however, each processor A, B is connected to both fuse blowing circuits 4A, 4B the first step is a "side" test to determine on which ofthe two "sides" (A or B) each microprocessor is operating. Thusforthis initial step both processorsa and B initiate a test on the lines 6A and 5B respectively. The processor which "sees" the result of this test is that connected to the fuse blowing path 48, that is processor B, since each processorA,B, is capable of reading the test results only on its associated fuse blowing path 4A, 4B.
The asymmetry of the circuittherefore determines which of the two microprocessors A, B com mences the test sequence, and once this has been established thefollowing further steps in the sequence are performed under control ofthe processor pro grams.
Step 2 Processor A tests the fuse blowing path 3B and processor Breads the result of this test through the test monitor line 7B and communicatesto processor Athrough the cross checking connection 8B. If pro cessor B does not communicate the correct result within a given time, processor A automatically init iates blowing of the fuse 2 through its fuse blowing circuit 4A.
Step 3 Processor A tests its associated fuse blowing path 3A by initiating a test currentthrough the fuse blow ing circuit4A. This has the object of (a) determining whether processor A can respond to a fuse blowing command and (b) whether the fuse blowing path 3A can pass enough currentto blowthefuse. The result ofthe test is monitored through the test monitor line 7A bythe processor A and the result is passed bythe processor to processor B through the connection 8A.
If the test fails in either respect processorawill still attempt to blowthe fuse 2 through its associated fuse blowing circuit4A, but this attempt will be backed up by processor B which, after a pred etermined time interval following no receipt of com munication from processor A, will initiate its own in dependentfuse-blowing routine, effectively by-passing the failed fuse blowing circuits associa ted with processor A.
Step 4 The processor B tests its own fuse blowing path 38 in a manner exactly analogous to step 3. If the associated fuse blowing path 3B orthefuse blowing circuit 48 fails the test the processorAwill, after a predetermined time interval initiate fuse blowing independently.
Step 5 Processor B tests the fuse blowing path 3Ato ensure that it can execute and attempt to blow the fuse 2 by this path. This step is analogous to step 2 and completes the sequence of tests of the two fuse blowing circuits 4A, 4B and their associated fuse blowing paths 3A, 3B.
It will be noted that any failure of the tests performed in the above sequence of steps will result in the security fuse 2 being blown and the security fuse arrangement is, therefore inherentlyfail-safe since it will lead to shut-down ofthe associated power supply.
Figure 3 illustrates one possible circuit arrangementfor one of the fuse blowing circuits 4A, 4B, in Figure 1. The associated fuse blowing path 3A has a resistance RFB. Afirst controlled switch device in the form of transistorTR1 is connected in series with the resistor RFB and is the main fuse blowing switch, controlled by signals applied to its base. Thus the trans istorTRl is normally held in its non-conducting "off" state by the application of a Iowvoltageto its base.
A capacitive timing network comprising a resistor R1 and a capacitor C1 in series is connected across the collector-emitter of the switching transistorTrl.
The collectorvoltage of the transistorTr1 is monitor red through a resistor R2 connected to the base of a voltage sensing second transistorTR2. A "flag" voltage VF is measured at the collector load of TR2 and is directly related to the collector voltage TR1 which in turn is directly proportional to the instantaneousvol- tage across the fuse blowing path resistor RFB.
When a fuse testing sequence is initiated, the associated microprocessor (A or B according to the step in the test sequence described above) applies a positive voltage pulse to the base of TR1 to switch on TR1 for a predetermined short period (42#s). The capacitor Cl which, during the time thatTR1 is nonconducting has as voltage equal to that of the fuse power supply line (5 volts), discharges through the resistor R1 and the collector-emitter of TR1 to a min imum voltage of 0.3 volts. The variation with time of the voltage Vc across the capacitor C1 is plotted in Figure 4 (a).
The sensing transistorTR2 is conducting during this initial discharge of the capacitor Cl so thatthe flag voltage VF passed through the line 7Ato the mic roprocessorA is high.
Immediatelythefuse blowing transistorTR1 switches offfollowing its brief period of conduction the capacitor C1 begins to charge through the resistor R1 and the fuse blowing resistor RFB. The voltage Vc rises exponentially and is accompanied by a similar but smaller exponential riseofthecollectorvol- tageV#oftransistorTRl as shown in Figure 4(b).
As the collector voltage VT of TR1 rises a point is reached when the base voltage of TR2 is sufficiently positive to switch offtransistorTR2 causing the flag voltage VFto drop to zero, as shown in Figure 4(c).
This transition in the flag voltage will occur at a pred etermined time from the initiation of the test. As shown in Figure 4 the transistion occurs when the voltage across the fuse blowing resistor RFB is 0.6V, the base current oftransistor TR2 being neglig- ible. Itcan n shown shown for components with the magnitudes indicated in Figure 3the voltageVc of the capacitor Cl at which thetransistion in theflag voltage VF occurs will be 3.3V, and thetimetaken for thisvoltageto be reachedfromthestartofthechar- ging curve (Figure 4a) will be nominally 23.Sus.
The monitoring oftheflag vokageV# is carried out at two times ti t2 which are respectively before and afterthe step transistion in the flag voltage VF under normal operating conditions.
The times ts and to at which the processorA monitors the flag voltage VF are chosen so that they repro- sentthetimesatwhichthetransistion in the flag vol tageV#wiII occurforthe minimum and maximum allowable values of the fuse blowing resistor RFB. For example,fora nominal resistance RFB of 12 ohms the allowable limits are RFB may be 9-16 ohms, the lower end ofthe resistance range corresponding to the maximum specified value for the collector current of the switching transistorTR1 and the upper end of this resistance range corresponding to a minimum guaranteed fuse blowing current of 300 mA.With these resistance limitsthetimet would be 17.28 Fs from the start of the capacitorcharging curve and the time t2 30.92 ys.
If the resistance RFB of the fuse blowing path 3A is in its allowable range then at the ti m e tl ofthefirst test oftho flag voltage VTthO processorAwould ox- pectto "see" the flag voltage VF high, while atthe second test, at time t2 the processorwould expect to "see" the flag voltage low. If either of these coneditions is not met the test fails and the processor (A or B) initiates fuse blowing by switching on transistorTR1 as stated earlier. This is backed up by an inde pendent fuse-blowing sequence controlled by the other microprocessor.
Accordingthereforetoafurtheraspectofthei vention there is provided a fuse testing circuit for testing the integrity and monitoring the resistance of a fuse-blowing path, comprising a first controlled switch device in series with the fuse-blowing path and a capacitive timing network connected across the switch device, means for closing the switch device for a predetermined time interval which is too short to blow the fuse but which initiates discharge of the capacitor, following which the switch device opens to allow the capacitor to charge through the fuse-blowing path, at a rate dependent upon there sistance of the latter, and means responsive to the consequent variation with time of a voltage in the timing networkor in thefuse blowing path to signal when this voltage variation lies outside acceptable limits.

Claims (8)

1. A method of testing a security fuse circuit associated with a fail-safe electrical control system including duplicated cross-checking processors which, upon detection of a fault, initiate shut-down of a power supply, in which the processors are prog rammed to test the security fuse circuit periodically in order to check the integrity of each of two fuse blowing paths associated with each respective microprocessor, wherein each processor tests a fuse blowing path by applying a test current through the path for a predetermined time interval insufficient to blowthe fuse and monitors the variation ofthevoltage across a resistance connected in series in the said path due to capacitance in associated circuitry after the end of the said time interval.
2. A method according to claim 1, in which the periodic tests establish that the following conditions are satisfied, namelythat: (a) each processor has the ability to energise both ofthefuse-blowing paths,and (b) each fuse-blowing path can carry a sufficiently large currentto blow the fuse independently of the otherfuse-blowing path.
3. A method according to claim 2, in which the processors are each programmed to perform per iodictests of both fuse-blowing paths, the processors performing theirtests singly and in alternation.
4. Afail-safe control system having a security fuse, and meansfortesting the ability of circuitry coupled to thofuse to blowthefuse in the event of a fault being detected, wherein the system comprises: - duplicated fuse blowing circuits each including a fuse blowing current path, and - duplicated cross-checking processors coupled to the fuse blowing circuits and each programmed to check the integrity of each fuse blowing path, and wherein each processor is associated with a respective one of the fuse blowing circuits and is pro gramme (a) to initiate a test sequence in which the otherfuse blowing circuit is caused to pass a test cur~ rent through the fuse and its fuse blowing path for a time interval of insufficient duration to blow the fuse, nd (b) to monitorthe result of a test sequence initiated by the other processor by sensing the voltage across a resistance in the last mentioned fuse blowingpath after the end of the time interval of the lattertest sequence.
5. A system according to claim 4, wherein the fuse is in a power supply line of the control system and each fuse blowing circuitcomprises an elec tronicswitchoperabletocouplethesupplylineto ground through a resistance, a capacitor coupled to the connection between the switch and the resist cancel and a voltage sensitive device coupled to one of the processors and arranged to sense sensing the voltage at the said connection immediately after the switch is caused to assume a non-conductive state.
6. A fuse-testing circuit for testing the integrity and monitoring the resistance of a fuse-blowing path, comprising a first controlled switch device in series with fuse-blowing path and a capacitive timing network connected across the switch device, means for closing the switch device for a predetermined time interval which is too short to blow the fuse but which initiatesdischargeofthecapaci- tor, following which the switch device opens to allow the capacitor to charge through the fuse-blowing path at a rate dependent upon the resistance ofthat latter, and means responsive to the consequentvari- ation with time of a voltage in thetiming networkor in the fuse blowing path to signal when this voltage variation lies outside a predetermined range.
7. A method of testing a security fuse ci rcuit su b- stantially as herein described with reference to the drawings.
8. A fail-safe control system constructed and arranged substantially as herein described and shown in the drawings.
GB08524733A 1985-10-08 1985-10-08 Testing fuses Withdrawn GB2183411A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB08524733A GB2183411A (en) 1985-10-08 1985-10-08 Testing fuses

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB08524733A GB2183411A (en) 1985-10-08 1985-10-08 Testing fuses

Publications (2)

Publication Number Publication Date
GB8524733D0 GB8524733D0 (en) 1985-11-13
GB2183411A true GB2183411A (en) 1987-06-03

Family

ID=10586328

Family Applications (1)

Application Number Title Priority Date Filing Date
GB08524733A Withdrawn GB2183411A (en) 1985-10-08 1985-10-08 Testing fuses

Country Status (1)

Country Link
GB (1) GB2183411A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0486222A3 (en) * 1990-11-10 1993-02-24 Lucas Industries Public Limited Company Improvements in and relating to microprocessor based systems
WO1997049020A3 (en) * 1996-06-20 1998-05-07 Combustion Eng Automatic self-testing system
FR2788713A1 (en) * 1999-01-22 2000-07-28 Robot Coupe Sa Bread slicer has exit conduit with optoelectronic screen, detection crossing of cut slices, that stops if slice is stuck in slicer
US6292523B1 (en) * 1997-06-06 2001-09-18 Westinghouse Electric Company Llc Digital engineered safety features actuation system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0486222A3 (en) * 1990-11-10 1993-02-24 Lucas Industries Public Limited Company Improvements in and relating to microprocessor based systems
US5412794A (en) * 1990-11-10 1995-05-02 Lucas Industries Public Limited Company Microprocessor based systems providing simulated low voltage conditions for testing reset circuits
WO1997049020A3 (en) * 1996-06-20 1998-05-07 Combustion Eng Automatic self-testing system
US6167547A (en) * 1996-06-20 2000-12-26 Ce Nuclear Power Llc Automatic self-test system utilizing multi-sensor, multi-channel redundant monitoring and control circuits
CN1103949C (en) * 1996-06-20 2003-03-26 Abb燃烧工程核力公司 Automatic self-testing system
US6292523B1 (en) * 1997-06-06 2001-09-18 Westinghouse Electric Company Llc Digital engineered safety features actuation system
FR2788713A1 (en) * 1999-01-22 2000-07-28 Robot Coupe Sa Bread slicer has exit conduit with optoelectronic screen, detection crossing of cut slices, that stops if slice is stuck in slicer

Also Published As

Publication number Publication date
GB8524733D0 (en) 1985-11-13

Similar Documents

Publication Publication Date Title
US4409635A (en) Electrical power system with fault tolerant control unit
US4926281A (en) Fail-safe and fault-tolerant alternating current output circuit
US5446451A (en) On board hot bearing detector system with fault detection
GB2077076A (en) A circuit for detecting short circuits and for shutting down individual line sections of a bus-line
US4633241A (en) Method of automated in-place SCR testing
WO1994006028A1 (en) A method and a device for checking the condition of semiconductor valves
US4401942A (en) Monitoring system for a capacitor battery in an AC voltage network
US4458132A (en) Welding apparatus and control system therefor
GB2183411A (en) Testing fuses
US4415884A (en) Diagnostic circuit for programmable logic safety control systems
JP3802093B2 (en) Control device for operating the switching device according to a time program
EP0221775B1 (en) Testable voted logic power circuit and method of testing the same
EP0486222B1 (en) Improvements in and relating to microprocessor based systems
US6118190A (en) Fail-safe system
US5023471A (en) Testable input/output circuit for a load decoupled by a transformer
US4442480A (en) Protective circuit for thyristor controlled systems and thyristor converter embodying such protective circuit
JPH077962A (en) Inverter failure detection device
SU1239654A1 (en) Device for automatic monitoring of electric circuits with capacitors
JPH08184615A (en) Malfunction detector for control circuit
SU1332442A2 (en) Device for checking the relay protection
SU1160420A2 (en) Device for generating diagnostic test and diagnostic checking of combination circuits
EP0080857A1 (en) A device for testing circuit breakers
SU1339460A1 (en) Automatic device for checking insulation resistance of electric circuits
SU337662A1 (en) DEVICE FOR MEASURING THE TEMPERATURE OF OBJECTS
SU1501116A1 (en) Arrangement for multipoint alarm of emergency situations

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)