a. Field of the Invention
This invention relates to overload protection for a circuit
driving a direct current (DC) load, in particular it relates to overload protection
for output drive modules for safety control systems. The invention allows for maximum
output load driving capability while retaining protection for the driving circuit.
In safety control systems, fault tolerance is of utmost
importance. Fault tolerance is the ability to continue functioning in the event
of one or more failures within the system.
Fault tolerance may be achieved by a number of different
techniques, each with its specific advantages and disadvantages. One example of
fault tolerance is known as Hardware Implemented Fault Tolerance (HIFT). HIFT means
that the system relies on robust hardware circuits (as opposed to complex software
algorithms) to perform the fault detection and redundancy management functions.
A significant advantage HIFT has over software-implemented fault tolerance is that
HIFT eliminates the overhead for communications between processors, leaving more
time for controlling the process. This makes HIFT systems significantly faster and
more dependable than systems using software-implemented fault tolerance.
An example of a HIFT system is a system which provides
redundancy, in particular Triple Modular Redundancy (TMR). Using TMR, critical circuits
are triplicated and perform identical functions simultaneously and independently.
The data output from each of the three circuits is voted in a majority-voting circuit,
before affecting the system's outputs. If one of the triplicated circuits fails,
its data output is ignored. However, the system continues to output to the process
the value (voltage, current level, or discrete output state) that agrees with the
majority of the functional circuits. TMR provides continuous, predictable operation.
HIFT and TMR provide automatic fault recovery with
no disruption to system operation and ensure minimal fault detection periods.
Another approach to fault tolerance is the use of hot-standby
modules. This approach provides a level of fault tolerance whereby the standby module
maintains system operation in the event of module failure. With this approach there
may be some disruption to system operation during the changeover period if the modules
are not themselves fault-tolerant.
Fault tolerant systems ideally create a Fault Containment
Region (FCR) to ensure that a fault within the FCR boundary does not propagate to
the remainder of the system. This enables multiple faults to co-exist on different
parts of a system without affecting operation.
Fault tolerant systems generally employ dedicated hardware
and software test and diagnostic regimes that provide very fast fault recognition
and response times to provide a safer system.
Commonly, it is possible to repair faults without interrupting
system operation (known as hot replacement). For example, active and standby modules
may operate in parallel so that if an active module becomes faulty there is an automatic
changeover to a standby module.
Safety control systems are generally designed to be 'fail-operational/fail-safe'.
Fail operational means that when a failure occurs, the system continues to operate:
it is in a fail-operational state. The system should continue to operate in this
state until the failed module is replaced and the system is returned to a fully
An example of fail-safe operation occurs if,
in a TMR system, a failed module is not replaced before a second failure in a parallel
circuit occurs; the second failure should cause the TMR system to shut down to a
Typical safety control applications include emergency and
safety shutdown systems, process control, reactor control, wellhead control, turbine
and compressor control, fire and gas detection and abatement, and are applicable
to many industries including oil and gas production and refining, chemical production
and processing, power generation, paper and textile mills and sewage treatment plants.
SUMMARY OF THE INVENTION
According to the invention there is provided a method of
generating an overload condition for an output module driving a load having a load
current and a load voltage comprising the steps of: monitoring the load current
at sample intervals; comparing the monitored load current to a predetermined load
current threshold; starting an overload timer in the event that the timer is not
running and the monitored load current is greater than said load current threshold;
monitoring the load voltage at said sample intervals; generating a ramped load voltage
waveform for reference purposes in dependence upon an initial load voltage and a
predetermined step size load voltage in the event that the overload timer is running;
generating an overload condition in the event that the monitored load voltage is
less than said ramped load voltage reference waveform, the monitored voltage is
less than a predetermined positive ramp limit and the overload timer is running.
Preferably, the predetermined ramp value is a function
of an initial value of said monitored load voltage when said overload timer is started.
In a preferred embodiment the method further comprises
the steps of: setting a voltage max flag in the event that a predetermined positive
max voltage is reached; generating an overload condition in the event that the monitored
load voltage is less than a predetermined negative ramp limit, the voltage max
flag is set and the overload timer is running.
Preferably, the method further comprises the step of: generating
an overload condition in the event that the monitored load current is greater than
said load current threshold and said timer exceeds a predetermined time limit.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will now be described, by way of example
only, with reference to the accompanying drawings in which:
- Figure 1 illustrates schematically a fault tolerant architecture;
- Figure 2 illustrates a digital output channel fail-safe switch;
- Figure 3 illustrates architecture for an apparatus according to the present
- Figure 4 is a flow chart illustrating method of operation of an overload timer;
- Figure 5 is a flow chart illustrating method of operation in the event that
an overload current is detected; and
- Figure 6 is a graph illustrating monitored signal during turn on for a 1000µF
capacitor in parallel with a 24 Ω resistor.
Referring now to Figure 1, signals 1 from an input field
device (not shown) are connected to the system via an input Field Termination Assembly
(FTA) 2. An input module 3 receives, buffers and carries out any necessary conversion
of the input data from the field device. The input data is then transmitted over
a triplicated Inter-Module Bus (IMB) 5 to a TMR processor 4. Triplicated microprocessors
of the TMR processor receive the input data from each channel of the IMB 5 and carry
out a majority vote of the data. During data processing, each of the three processors
compares and majority votes its input data against that of the other two processors.
The processors synchronously execute the application program, and the derived output
data is transmitted back to the IMB. An output module 6 receives, majority votes,
and carries out any necessary conversion of the output data from the TMR processor
4. The output circuits are then driven by the majority-voted command. The output
signals are connected to a field device (not shown) via an output FTA 7. A communications
interface 8 provides facilities to allow systems to be networked using peer to peer
communications links, the collection of Sequence of Events (SOE) data, and connection
to other systems.
If an internal circuit in the system fails, it is simply
voted out. Comprehensive distributed voting both out-votes failures, preventing
them from being propagated into the process, and simplifies the process of identifying
where faults have occurred.
Figure 2 illustrates a digital output channel fail safe
switch. A field effect transistor (FET) 201 is driven with a command signal 202.
When the command signal 202 is high the FET 201 is off and when the command signal
202 is low the FET 201 is on.
FETs 203, 204 are used as a fail safe disable and are driven
by a fail safe signal 205. Resistor 206 provides fault current limiting and the
fail safe signal 205 is routed through an inverter circuit comprising FET 204 so
that when the fail safe signal is low the FET 203 is off and when the fail safe
signal 205 is high the FET 203 is on.
Current monitor outputs connected each side of resistor
RSENSE are processed by a load current differential amplifier 207 to
provide a signal at a suitable level for an analogue to digital (A/D) circuit 208
used for monitoring the current through the switches. The A/D circuit 208 produces
the digital monitored load current value for use in the overload controller of the
A voltage monitor output is connected to a voltage conditioner
209 to provide a signal at a suitable level for a voltage A/D circuit 210. The A/D
circuit 210 produces the digital monitored load voltage value for use in the overload
controller of the present invention.
The bias signal is driven to be at least 6V lower than
a power rail supplying power to the output controller.
In the case of a digital output module driving DC loads
it is necessary to energise loads with high turn-on currents, such as many solenoids,
flashers, lamps, etc. Ideally the output module should be able to energise the highest
surge current load possible, without compromising the self-protection behaviour
of the output module in overload situations such as short circuits or loads with
extremely high prolonged turn-on current characteristics such as very large capacitors.
In prior art systems output load current is monitored every
so often. In fact an overload controller scans a number of channels on a cyclic
basis. An overload current condition is generated if monitored load current exceeds
a predetermined threshold value for a single scan. This is a very conservative approach
which may cause unnecessary module shutdown. Any load that is low impedance during
turn-on, for example a capacitive load, may cause a premature overload current condition.
In an improved method, load current and, in a preferred
embodiment, load voltage are monitored in real time as a load is being energised.
Furthermore, the digitised monitored load current, for
a 24V digital output module has a range of just 1.5 amps full scale, above which
it saturates to all 1's. The actual load current, of course, continues to increase
beyond there, but this cannot be observed in the digitised value because it is already
as high as it can go. Monitoring the behaviour of the load voltage provides an advantage
over prior art methods because it does not saturate. The digitised current range
is set to only 1.5 amps, instead of say, 15 amps, because it is desirable to keep
it as sensitive as possible for being able to measure low load currents accurately.
An overload controller continuously evaluates whether or
not there is an overload condition present which requires the turn-on operation
to be aborted.
The improved method allows the monitored load current to
exceed a predetermined overload current threshold as long as other conditions are
met for example:
- after turn-on, the monitored load current must decay to below the predetermined
threshold within a predetermined time period.
- after turn-on, the monitored voltage value must increase faster than a predetermined
rate, said rate being a function of the voltage across the switch, and within the
pre-determined time period.
- after turn-on, the monitored voltage must never decrease, once it is outside
said predetermined range and within said predetermined time period.
The improved method allows for a longer duration of high
amplitude current during turn-on, provided that the voltage is increasing at a reasonable
rate and in the preferred embodiment provided that the voltage does not decrease
after the voltage has reached a predetermined ramp limit voltage with the voltage
across the switch being below a threshold value which will not result in steady
state damage to the output FET's.
Figure 3 illustrates the enhanced overload control architecture.
In the preferred embodiment the architecture provides for eight channels and the
random access memories (RAMs) are addressed by the channel number ie zero to seven.
The channels are scanned sequentially such that each channel is monitored every
153.6 µs, referred to herein as a sample period.
For simplicity only one channel is illustrated in Figure
3. An overload controller 303 comprises an overload status bit 304, an overload threshold
register 305 which contains a predetermined overload current threshold represented
by four bits, corresponding to the most significant bits of the monitored load current
value, and an overload serial detector 306. The current A/D converter 208 has a
serial output and comparison with the value in the overload threshold register 305
is carried out on the serial data by the overload serial detector 306.
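The serial comparison just described can be modelled in a few lines. The following is an added example, not the patent's circuit: it treats the current A/D word as an MSB-first bit stream and decides "monitored current greater than threshold" from the four most significant bits held in threshold register 305, never reading further into the stream than the first differing bit. The 12-bit width of the current A/D word, the 1.5 A full scale mapping, and the function names are assumptions (the text gives 12 bits only for the voltage A/D).

```python
# Added example (not from the patent): a model of overload serial detector 306.
ADC_BITS = 12          # assumption: 12-bit current A/D word (the text states 12 bits for the voltage A/D)
THRESHOLD_BITS = 4     # threshold register 305 holds four bits, the MSBs of the current value
FULL_SCALE_A = 1.5     # current A/D full scale from the text; higher currents read as all 1s


def amps_to_code(amps):
    """A/D code for a load current; saturates to all 1s above full scale."""
    code = int(amps / FULL_SCALE_A * (1 << ADC_BITS))
    return min(max(code, 0), (1 << ADC_BITS) - 1)


def serial_bits(code, width=ADC_BITS):
    """The A/D word as a serial bit stream, most significant bit first."""
    return [(code >> n) & 1 for n in range(width - 1, -1, -1)]


def serial_exceeds(bits, threshold):
    """Compare the stream against a THRESHOLD_BITS-wide threshold, MSB first.
    Returns (exceeds, bits_consumed). The decision is final as soon as a bit
    differs and never needs more than THRESHOLD_BITS bits; the low-order bits
    of the converter output are not examined at all."""
    for n in range(THRESHOLD_BITS):
        t_bit = (threshold >> (THRESHOLD_BITS - 1 - n)) & 1
        if bits[n] != t_bit:
            return bits[n] > t_bit, n + 1
    return False, THRESHOLD_BITS   # top bits equal: not strictly greater


def threshold_to_amps(threshold):
    """Current represented by a 4-bit register value: one LSB is FULL_SCALE_A / 16."""
    return threshold * FULL_SCALE_A / (1 << THRESHOLD_BITS)


def current_overload(amps, threshold):
    """Full path: current -> saturating A/D code -> serial stream -> detector verdict."""
    return serial_exceeds(serial_bits(amps_to_code(amps)), threshold)[0]


if __name__ == "__main__":
    thr = 0b1110                                   # 1.3125 A in this scaling
    for amps in (0.5, 1.4, 1.45, 5.0):             # 5 A saturates the converter
        print(amps, current_overload(amps, thr))   # False, False, True, True
```

The granularity this buys is coarse by design: with a 1.5 A full scale, one step of the four-bit threshold is 93.75 mA, and a current that saturates the converter is indistinguishable from one just above full scale, which is exactly why the text falls back on the load voltage for the rest of the turn-on decision.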
The value in the overload threshold register 305 may be
reduced to a lower value in order to carry out testing the output transistors by
a background process, not pertinent to this invention.
The overload controller 303 receives data from the current
A/D indicating a monitored load current every sample period. The overload controller
303 also receives data indicating whether the output module is enabling a DC output
current through the load (ie switched on) or disabling a DC output current through
the load (ie switched off).
An overload reset 302 comprises a single bit. When the
overload reset bit 302 is changed from a zero to a one the overload status bit 304
in the overload controller 303 is reset and an overload timer 307 is cleared.
The overload timer 307 comprises six bits and serves to
count the number of samples since the monitored load current exceeded the predetermined
overload current threshold.
An updated overload timer value is then stored into RAM
(not shown) after each sample period for retrieval during the next scan. Two comparators
310, 311 are used. Comparator 310 detects when the overload timer = zero and comparator
311 detects when the overload timer is greater than or equal to a maximum value
indicating a predetermined maximum time limit. When the timer has reached the maximum
value, the monitored load current must be less than the overload threshold. If not
the overload status bit is set and the output controller causes the output current
to be disabled by negating the command data (Fig 2, 202) to the top FET.
Each sample period the overload timer 307 operates as illustrated
in Figure 4. At step 402 a check is made to determine whether an overload reset
302 has occurred. At step 404 a check is made to check whether the switch is off.
If the switch is off or an overload reset has occurred
then the overload timer 307 is set to zero at step 406.
If no overload reset has occurred and the switch is on
then at step 410 the timer 307 is compared to zero. If the timer 307 is equal to
zero (ie the timer is not already running) then at step 408 the monitored load current
is compared to the overload threshold 305. If the monitored load current is greater
than the overload current threshold then at step 416 a current overload set pulse
328 is asserted and at step 414 the timer is incremented. If the timer is already
running at step 410 then at step 412 the timer is compared to the maximum value
indicating the predetermined maximum time limit. If the timer has not reached the
maximum value then at step 414 the timer is incremented.
If the timer has reached the maximum value then at step
418 the monitored load current is compared to the overload current threshold 305.
If the monitored load current is greater than the overload threshold then at step
420 the overload status bit 304 is set.
Referring back to Figure 3 with reference to the flow chart
shown in Figure 5, in response to the current overload set pulse 328 generated by
the overload controller 303, a trap random access memory 308 reads the most significant
five bits of a twelve bit monitored load voltage at step 501. This trap value is
used to access a read only memory 309 to determine a nine bit step size at step
The trap random access memory 308 simply stores the monitored
load voltage at the time of the start of the overload event (the start is determined
by detecting the monitored current becoming greater than the overload current threshold
305 and setting the current overload set pulse).
This trapped monitored voltage A/D value is used to point
to a step size value which is used to define a load voltage ramp rate value which
must be attained to satisfy a load voltage ramp up requirement necessary to keep
the total power dissipation in the output FET's within a safe limit for them for
the duration of the turn-on event.
A higher voltage across the switch requires a faster increment
to protect the FETs 201, 203 (Figure 2) from damage because there will be more power
dissipated in them, and hence they cannot withstand a given load current for as
long a time.
Note the more voltage there is across the load, the less
voltage there is across the switch.
When the current overload set pulse 328 is asserted, a
multiplexer 314 causes a threshold random access memory 312 to read the twelve bit
monitored voltage at step 502. This is the starting value for the reference voltage
monitor ramp signal which is to be generated in subsequent scans, and against which
the actual voltage monitor values are compared.
The threshold random access memory 312 stores a computed
ramp value below which the actual monitored load voltage signal may not dip.
The latest ramp value stored in the threshold memory 312
is added to the step size read from the read only memory 309 by an adder 316 to
generate a new ramped value 324 at step 504.
When the overload set pulse is disabled the multiplexer
314 causes the threshold random access memory 312 to read the ramped load voltage
324 in order to update the value in the threshold memory 312 to the latest value.
Three comparators 318, 320, 322 serve to determine whether
the overload status bit 304 should be set.
At step 505 comparator 318 compares the ramped load voltage
to a predetermined positive ramp limit. In a preferred embodiment the positive ramp
limit is set to 4.4V below the top rail.
In the event that the ramped load voltage exceeds the predetermined
positive ramp limit a signal monitored voltage max 326 (the output of comparator
318) is asserted and sent to the controller 303. The controller 303 then asserts
a signal negative ramp compare 329. In the event that the signal monitored voltage
max 326 is not asserted the controller 303 asserts a signal positive ramp compare
If the signal positive ramp compare 330 is asserted then
comparator 320 compares the monitored load voltage with the ramped load reference
voltage 324 at step 507. If the monitored load voltage is less than the ramped load
voltage reference created in step 504 then the monitored load voltage is not increasing
fast enough and the overload status bit 304 should be set at step 506.
If the signal negative ramp compare 328 is asserted then
the comparator 322 compares the monitored load voltage with a predetermined negative
ramp limit at step 508. If the monitored load voltage is less than the predetermined
negative ramp limit then the monitored voltage has started to decrease and the overload
status bit 304 should be set at step 506. In a preferred embodiment the negative
ramp limit is set to 4.23V below top rail.
It should be appreciated that the vertical axis of the
graph is scaled and offset to show the values seen by the current and voltage A/D
converters 208, 210. These values are relative to the power rail.
OR gate 361 asserts the set overload set pulse signal 362
at step 506 in the event that either comparator 320 or 322 indicates that the overload
status bit 304 should be set.
Figure 6 illustrates the monitored current and monitored voltage
during turn-on of a load comprising a 1000 µF capacitor in parallel with a 24 Ω
resistor in a 24V embodiment.
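The overload timer of Figure 4, the ramp reference check of Figure 5 and the turn-on conditions listed earlier can be exercised together in a per-sample simulation. The following is an added example, not the patent's circuit or the project's code: one channel of the controller is modelled as a state machine that is stepped once per 153.6 µs sample, and it is driven by constructed current and voltage traces for the Figure 6 load (1000 µF in parallel with 24 Ω at 24 V), for a short circuit, for a load whose voltage sags after turn-on, and for a far larger capacitor. The overload threshold (1.4 A), the 6-bit timer full scale (63) as the maximum time limit, the 2 Ω switch-plus-sense resistance, the step-size rule standing in for ROM 309, the reading of "timer running" as 0 < timer < max, and all function names are assumptions; the 4.4 V and 4.23 V ramp limits below the top rail and the 1.5 A A/D full scale are the text's figures.

```python
# Added example (not from the patent): per-sample model of the Figure 4 timer and the
# Figure 5 ramp check, run against constructed turn-on traces.
import math

SAMPLE_S = 153.6e-6             # sample period given in the text
RAIL_V = 24.0                   # 24 V embodiment
I_FULL_SCALE = 1.5              # current A/D full scale; higher currents read as all 1s
I_THRESHOLD = 1.4               # assumption: overload threshold register 305, in amps
TIMER_MAX = 63                  # assumption: max time limit is the 6-bit full scale (about 9.7 ms)
POS_RAMP_LIMIT = RAIL_V - 4.4   # positive ramp limit, 4.4 V below the top rail
NEG_RAMP_LIMIT = RAIL_V - 4.23  # negative ramp limit, 4.23 V below the top rail
R_SWITCH = 2.0                  # hypothetical switch plus sense resistance, ohms


def step_size(v_trap):
    """Hypothetical stand-in for ROM 309: ramp volts per sample, larger when more
    voltage is across the switch (RAIL_V - v_trap), so a stalled load is caught sooner."""
    return max(0.05, 0.025 * (RAIL_V - v_trap))


class OverloadController:
    """Per-channel state of Figure 3: timer 307, status bit 304, threshold RAM 312."""

    def __init__(self):
        self.timer = 0          # overload timer 307 (6 bits)
        self.status = False     # overload status bit 304
        self.ramp = 0.0         # ramped reference 324 held in threshold RAM 312
        self.step = 0.0         # step size fetched via trap RAM 308 and ROM 309
        self.v_max = False      # monitored voltage max 326

    def reset(self):
        """Overload reset 302: clear the status bit and the timer."""
        self.status, self.timer = False, 0

    def sample(self, switch_on, i_amps, v_volts):
        """One sample period. Returns the overload status bit after this sample."""
        i_mon = min(i_amps, I_FULL_SCALE)   # A/D saturation: all 1s above full scale
        if not switch_on:                   # Figure 4, steps 404/406
            self.timer, self.v_max = 0, False
            return self.status
        prev, set_pulse = self.timer, False
        if prev == 0:                       # step 410: timer not running
            if i_mon > I_THRESHOLD:         # step 408
                set_pulse, self.timer = True, 1   # steps 416/414: set pulse 328
        elif prev < TIMER_MAX:              # step 412
            self.timer = prev + 1           # step 414
        elif i_mon > I_THRESHOLD:           # steps 418/420: still high at the time limit
            self.status = True
        # Figure 5: ramp reference check while the timer is running
        if set_pulse:                       # steps 501/502: trap the starting voltage
            self.step, self.ramp, self.v_max = step_size(v_volts), v_volts, False
        elif 0 < prev < TIMER_MAX:          # assumption: "running" means 0 < timer < max
            self.ramp += self.step          # step 504: adder 316
            if self.ramp > POS_RAMP_LIMIT:  # step 505: comparator 318
                self.v_max = True
            if not self.v_max:
                if v_volts < self.ramp:     # step 507: comparator 320, rising too slowly
                    self.status = True
            elif v_volts < NEG_RAMP_LIMIT:  # step 508: comparator 322, voltage fell back
                self.status = True
        return self.status


def rc_load_trace(n, c_farad=1000e-6, r_ohm=24.0):
    """Constructed turn-on of a capacitor in parallel with a resistor, fed through
    R_SWITCH from the rail; returns (current, load voltage) for samples 1..n."""
    tau = c_farad * (R_SWITCH * r_ohm / (R_SWITCH + r_ohm))
    v_final = RAIL_V * r_ohm / (R_SWITCH + r_ohm)
    trace = []
    for k in range(1, n + 1):
        v = v_final * (1.0 - math.exp(-k * SAMPLE_S / tau))
        trace.append(((RAIL_V - v) / R_SWITCH, v))
    return trace


def short_circuit_trace(n):
    """Constructed short circuit: load voltage never rises, current far above full scale."""
    return [(12.0, 0.2)] * n


def sagging_trace(n, sag_from=45):
    """Figure 6 load whose voltage collapses to 80 % from sample sag_from on (constructed fault)."""
    out = []
    for k, (i, v) in enumerate(rc_load_trace(n), start=1):
        if k >= sag_from:
            v *= 0.8
            i = (RAIL_V - v) / R_SWITCH
        out.append((i, v))
    return out


def run(trace):
    """Feed a trace through one channel; return the sample at which the overload
    status bit was set, or None if the load turned on without an overload."""
    ctl = OverloadController()
    for k, (i, v) in enumerate(trace, start=1):
        if ctl.sample(True, i, v):
            return k
    return None


def prior_art_trips(trace):
    """Prior-art rule from the text: overload if any single scan exceeds the threshold."""
    return any(min(i, I_FULL_SCALE) > I_THRESHOLD for i, _ in trace)


if __name__ == "__main__":
    print("Figure 6 load, improved method:", run(rc_load_trace(80)))             # None
    print("Figure 6 load, prior art trips:", prior_art_trips(rc_load_trace(80)))  # True
    print("short circuit:", run(short_circuit_trace(20)))                        # 2
    print("voltage sag after turn-on:", run(sagging_trace(80)))                  # 45
    print("100 mF capacitor:", run(rc_load_trace(80, c_farad=0.1)))             # 2
```

With these constructed values the capacitive load draws a saturating current for roughly 36 samples, which the prior-art single-scan rule would have treated as an overload on the first sample, whereas the modelled controller lets it through because the load voltage keeps ahead of the ramped reference. The short circuit and the oversized capacitor are both aborted on the second sample, well inside the time limit, because their voltage cannot keep up with the ramp; the sag case shows comparator 322 catching a voltage collapse after the positive ramp limit has been passed.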
It is to be recognised that various alterations, modifications,
and/or additions may be introduced into the constructions and arrangements of parts
described above without departing from the scope of the present invention as defined
in the following claims.