WO1994029794A1 - Dynamic self-checking safety circuit means - Google Patents
Dynamic self-checking safety circuit means Download PDFInfo
- Publication number
- WO1994029794A1 WO1994029794A1 PCT/US1993/005773 US9305773W WO9429794A1 WO 1994029794 A1 WO1994029794 A1 WO 1994029794A1 US 9305773 W US9305773 W US 9305773W WO 9429794 A1 WO9429794 A1 WO 9429794A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- microprocessor
- predetermined sequence
- logic bits
- keyword
- bit
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0796—Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0751—Error or fault detection not based on redundancy
- G06F11/0763—Error or fault detection not based on redundancy by bit configuration check, e.g. of formats or tags
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
Definitions
- This invention relates to proving the safe operation of electronics, particularly for detecting malfunctions in the computer hardware of a monitoring system.
- flame safeguard systems Many types of systems have been developed for monitoring computer hardware that can create an unsafe condition if a failure occurs.
- An example is a burner control system in a furnace that is operated under the direction of units that are generically referred to as flame safeguard systems.
- flame safeguard systems it is essential that if a certain failure occurs, the fuel valve to a fuel burner will close.
- the failure of a flame safeguard control system to operate properly can lead to a situation in which a fuel valve is left open when no flame exists, and a fuel-burning chamber can be loaded with fuel. This fuel can then be accidentally ignited causing an explosion.
- the existing technology taught a flame safeguard system which utilized safety circuits that check for proper operation at the beginning of each burner cycle. This is commonly known as safe start check.
- a decoder receives the sequence of logic bits and will output a high signal if all the bits in the sequence indicate a certain operational status of the microprocessor. Between each generation of a high signal, the microprocessor outputs a preset low signal. If the microprocessor is operating properly, an alternating signal is output from the decoder, and this signal keeps a switch to the fuel valve energized. If the microprocessor malfunctions, the signal will no longer be alternating and the switch will de-energize.
- a disadvantage of the Clark et al system is that not all system errors will be detected. It is possible that a bit path in the decoder may malfunction so that it constantly outputs a particular signal regardless of the signal it receives from the microprocessor.
- the signal output from the stuck bit path represents the desired operation of a particular function of the microprocessor, the actual failure of this microprocessor function will not be detected. This could create a hazardous situation. Because of the inherent danger in technologies such as burner controls, it is important that the safety control systems be reliable. However, the system should not be overly complicated or expensive in achieving this goal.
- an apparatus for providing reliable operation of a dynamic self-checking safety circuit means where the circuit includes a microprocessor.
- the microprocessor outputs a sequence of logic bits, also known as a keyword, in which each logic bit represents the status of an internal function of the microprocessor.
- the keyword is generated repetitively and at a particular frequency, and is output to a keyword decoder.
- one position in the keyword is chosen and the logic bit in that position is inverted. For example, if the position chosen in the keyword contained a "1" logic bit, it would be inverted to "0".
- a first unique signal is output by the keyword decoder.
- the keyword contains a logic bit which does not indicate the normal operation of the electronic circuit, or a bit which has been inverted, a second unique signal is output. If the microprocessor is operating normally, the keyword decoder will output a signal which alternates regularly between the first and second unique signals.
- the output of the keyword decoder is received by both a dynamic safety relay drive circuit and the microprocessor.
- the dynamic safety relay drive circuit controls electric power to the critical load by holding a switch closed only as long as it receives a signal in the form of a square wave from the keyword decoder.
- the position of the inverted logic bit in the keyword is rotated through the keyword on a regular basis. This enables the system to send the inverted logic bit through different bit paths in the keyword decoder in order to check for malfunctions.
- Figure 1 is a schematic representation of the continuous checking means.
- Figure 2 is an example of four consecutive keywords generated by the microprocessor of the microcomputer.
- FIG. 3 illustrates a flow chart of the operation of the continuous checking means.
- the present invention relates to a safety monitoring system which uses a microprocessor.
- a likely application of this system is the monitoring of a fuel burner in a furnace or boiler.
- the microprocessor is used to program an ignition period, check for the presence of a pilot flame, and then check for the establishment of a main flame in the burner.
- a system must be established where the furnace or boiler is turned off and any open fuel valves are closed.
- the present invention discloses a monitoring system which will deactivate the fuel valve to a furnace or boiler when an error is detected in any part of the monitoring system. This invention has the capability to detect simultaneous errors which can occur throughout the monitoring system which were not detectable by the prior art.
- the dynamic self-checking safety circuit described herein is applicable to a wide range of computer systems.
- the embodiment illustrated in Figure 1 shows a dynamic self-checking safety circuit 2 which includes a microprocessor 10, a keyword decoder 20, and a dynamic safety relay drive circuit 40.
- a microprocessor is used in the description of this invention, but a microcomputer would work equally as well.
- a possible microprocessor for use in this invention is the MCG8HC05 manufactured by Motorola.
- the system is built around the microprocessor 10.
- the microprocessor controls the operation of a device such as furnace, and receives sensed conditions 6 in order to perform this task.
- the microprocessor 10 generates a predetermined sequence of logic bits, also known as keyword, which represents the operating status of particular internal functions of the microprocessor.
- microprocessor functions may range from hardware checks for the read only memory (ROM), the random access memory (RAM), and the internal clock, to checks on software functions such as determining if a piece of software is present or determining if a piece of software has run.
- Another software test may be running a programmer counter test.
- a single bit of the keyword may indicate the status of one microprocessor function, or it may indicate the status of many microprocessor functions. If each of the microprocessor functions is operating as desired, a logic bit in the keyword will be given either a " 1 " or a "0" . Each function or set of functions is given a particular position within the keyword to indicate the result of its own internal test.
- the microprocessor outputs a select signal 12, a data signal 14, and a clock signal 16.
- the keyword decoder 20 is activated when a select signal is received from the microprocessor 10.
- the keyword decoder 20 receives the logic bits of the keyword at intervals controlled by the clock signal 16 and each position in the shift register 22 is filled by a logic bit of the keyword.
- the keyword decoder can be implemented on an application specific integrated circuit (ASIC) which is manufactured by National Semiconductor.
- ASIC application specific integrated circuit
- Each logic bit of the keyword is sent on bit paths 27a-h to AND gate 26.
- the AND gate 26 will output a signal over conductor 28 which is stored in latch 29.
- the latch Upon receiving a timed input over conductor 18, the latch will output the signal received from the AND gate 26 over the conductor 32 to the microprocessor and the dynamic safety relay drive circuit 40.
- the dynamic safety relay drive circuit 40 can be of the type disclosed in U.S. Patent No. 3,569,793 issued to Pinkaers. Very generally, 3,569,793 discloses a fail ⁇ safe circuit which responds only to a cyclic input signal. In this fail safe circuit, there is a switch which controls current to a load. Normally the switch is left open, but if a coil in the fail-safe circuit becomes energized, the switch will close. This coil will only become energized if the fail-safe circuit receives a cyclic input that has a frequency which varies between a particular range. As seen in Figure 1, the switch which the dynamic safety relay drive circuit 40 opens and closes is electrical contact 42.
- the load 45 is a fuel valve in a burner control system.
- an oscillating signal in the form of a square wave is received by the dynamic safety relay drive circuit, and contact 42 is kept closed.
- the signal to the dynamic safety relay drive circuit is either cut off or will no longer oscillate, and this will cause contact 42 to open and the fuel valve to shut down.
- Electrical load contact 43 is put in series with contact 42.
- Load contact 43 is opened and closed in response to a signal sent over conductor 44 from the microprocessor 10.
- the microprocessor responds to the sensed conditions 6, and controls the operation of the load.
- Contact 42 provides a safety interlock for this circuit.
- the microprocessor 10 receives an input request to supply heat by initiating a burner cycle. At this time the safety relay circuit is not being driven and contact 42 is open. Proper operation of this relay is verified by receiving the sensed conditions 6 which indicate the status of the load 45. Several burner cycle functions such as purging of the combustion chamber are performed before the fuel valve is activated.
- the microprocessor 10 begins running internal tests of its functions and generating a keyword which represents their operational status. At the appropriate time, the safety relay contacts 42 and load contacts 43 close to provide power to the load 45. Each test will generate either a "1" or a "0" to signify the normal operation of the function. These outputs can then be combined to create a unique keyword for the microprocessor.
- a keyword which indicates the desired operation of all the functions is a "valid" keyword.
- Each function or functions is assigned a particular position in the keyword into which to place its bit.
- the select output 12 then signals the keyword decoder to begin receiving the keyword.
- the bits in the keyword are output from the microprocessor through data signal 14.
- the keyword is generated repetitively by the microprocessor 10 at a predetermined frequency.
- a program within the microprocessor chooses a bit position within the keyword and inverts the logic of one bit from a "1" to a "0", or vice versa.
- Figures 2a-d show four consecutive keywords which have been generated by the microprocessor. The first keyword generated, as seen in Figure 2a, is a valid keyword.
- Figure 2b shows the next keyword generated, and it is an invalid keyword because of the inverted bit in position bO.
- the microprocessor then generates a valid keyword which can be seen in Figure 2c.
- the keyword in Figure 2d is again invalid, but the inverted bit has been rotated to position bl .
- This alternating process continues as long as the microprocessor is operating, and the position of the bit that is to be replaced is changed so that each bit path in the keyword decoder is eventually tested. It is not important in what order the positions are chosen, only that bits in all the positions of the keyword are inverted regularly. For example, the 8 bits could rotate through the bit checking program one out of every eight checks.
- the keywords are received through the data signal 14 in the keyword decoder 20, and are stored in the shift register 22. After all the bits from the keyword are stored, a clock signal 16 is received by the shift register 22 and all the bits in the keyword are then transmitted simultaneously over the bit paths 27a-h to the AND gate 26.
- a clock signal 16 is received by the shift register 22 and all the bits in the keyword are then transmitted simultaneously over the bit paths 27a-h to the AND gate 26.
- Figure 1 it can be seen that the bits in positions bl, b3, and b7 will encounter inverters 23, 24, and 25. The positioning of the inverters is completely dependent on the valid keyword output by the microprocessor.
- the AND gate 26 outputs a "true” signal when a valid keyword is received and it outputs a "false” signal when an invalid keyword is received.
- the "true” or “false” signals that are output from the AND gate are held in the latch 29 until a signal is received from the timer output 18. Once this signal is received, either a “true” or “false” signal is output over the conductor 32 to the microprocessor 10 and the dynamic safety relay drive circuit 40. If the microprocessor is operating as desired, the AND gate 26 will output a high and low signal in an alternating fashion. This will cause the latch 29 to output a square wave of a particular frequency. The square wave is transmitted through the conductor 32 to the microprocessor and the dynamic safety relay drive circuit 40. The coil in the dynamic safety relay drive circuit will continue to be energized as long as the signal continues to be a square wave of a particular frequency. This will keep contact 42 closed. The conductor 32 also conducts the square wave from the latch to the microprocessor, and if the square wave flattens out or changes frequency, the microprocessor will send a signal along conductor 44 to open load contact 43 and cut power to the load 45.
- a keyword decoder may malfunction so that an inverter continually outputs one signal regardless of the signal which is input. Essentially, the inverter becomes stuck. An inverter may stick so that it always outputs a signal which indicates the desired operation of a microprocessor function which transmits over the bit path. If an error occurs in that particular microprocessor function, the output from the inverter will not change to show an error condition, and the system will continue operating with faulty hardware.
- the prior art offers no solution for this type of malfunction.
- the signal output from the inverter will indicate a no error condition.
- the inverted bit will still rotate through the keyword on alternate generations, and when it comes to the malfunctioning bit path it will also pass through the system undetected. Since neither the error bit or the inverted bit have been detected by the system, the decoder has now output two consecutive "true" signals which will disrupt the square wave and cause the dynamic safety relay drive circuit 40 to de-energize. Once it is determined that the keyword decoder has malfunctioned, it can then be replaced.
- the operational logic of the dynamic self-checking safety circuit means is illustrated by the flow chart in Figure 3.
- path 1 signifies when a valid keyword will be generated
- path 2 indicates when a invalid keyword will be generated.
- the microprocessor must determine in step 50 if path 1 or 2 is to be followed. If it is path 1, a valid keyword is generated in step 52 and sent to the decoder. The keyword is then checked in step 56, and if the valid keyword is indeed detected, a "true” signal is output. If an invalid keyword is detected, a "false" signal is output.
- step 60 the output of the keyword decoder is checked and if it is "true", the path is set to "2" at step 68. The cycle is then continued at step 72. However, if the output signal is "false” at 60, the microprocessor will output a signal to cut power to the load. If the path is "2" at step 50, the microprocessor will send an invalid keyword to the keyword decoder at step 54. The keyword will be read at step 58, and if it is an invalid keyword, a "false” signal will be output. The output signal is checked at step 62, and if the signal is indeed "false", the error bit is rotated to a new position in the keyword at step 66 and the path is set back to "1" at step 70. The process is then started again at step 72. However, if a valid keyword is detected at step 62, the microprocessor will be output a signal to cut power to the load.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Regulation And Control Of Combustion (AREA)
Abstract
Description
Claims
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US07/898,056 US5309445A (en) | 1992-06-12 | 1992-06-12 | Dynamic self-checking safety circuit means |
AU46378/93A AU672805B2 (en) | 1993-06-16 | 1993-06-16 | Dynamic self-checking safety circuit means |
DE69312514T DE69312514T2 (en) | 1993-06-16 | 1993-06-16 | DYNAMIC SELF-TESTING SAFETY CIRCUIT |
PCT/US1993/005773 WO1994029794A1 (en) | 1992-06-12 | 1993-06-16 | Dynamic self-checking safety circuit means |
EP93916571A EP0704074B1 (en) | 1993-06-16 | 1993-06-16 | Dynamic self-checking safety circuit means |
CA002164418A CA2164418C (en) | 1993-06-16 | 1993-06-16 | Dynamic self-checking safety circuit means |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US07/898,056 US5309445A (en) | 1992-06-12 | 1992-06-12 | Dynamic self-checking safety circuit means |
PCT/US1993/005773 WO1994029794A1 (en) | 1992-06-12 | 1993-06-16 | Dynamic self-checking safety circuit means |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1994029794A1 true WO1994029794A1 (en) | 1994-12-22 |
Family
ID=26786823
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US1993/005773 WO1994029794A1 (en) | 1992-06-12 | 1993-06-16 | Dynamic self-checking safety circuit means |
Country Status (2)
Country | Link |
---|---|
US (1) | US5309445A (en) |
WO (1) | WO1994029794A1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5555456A (en) * | 1994-08-02 | 1996-09-10 | Itt Corporation | Reconfigurable fault control apparatus |
US5726995A (en) * | 1994-12-15 | 1998-03-10 | Intel Corporation | Method and apparatus for selecting modes of an intergrated circuit |
US5751948A (en) * | 1995-12-26 | 1998-05-12 | Carrier Corporation | System for processing HVAC control information |
US5818347A (en) * | 1995-12-26 | 1998-10-06 | Carrier Corporation | Identification of HVAC systems in a communication network |
GB0012352D0 (en) * | 2000-05-22 | 2000-07-12 | Northern Telecom Ltd | Reliable hardware support for the use of formal languages in high assurance systems |
US7045916B2 (en) * | 2003-05-30 | 2006-05-16 | Honeywell International Inc. | Electronic fuel selection switch system |
US20070208461A1 (en) * | 2006-03-01 | 2007-09-06 | Johnson Controls Technology Company | Hvac control with programmed run-test sequence |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3919533A (en) * | 1974-11-08 | 1975-11-11 | Westinghouse Electric Corp | Electrical fault indicator |
US4181849A (en) * | 1978-01-30 | 1980-01-01 | General Signal Corporation | Vital relay driver having controlled response time |
GB2149539A (en) * | 1983-11-10 | 1985-06-12 | Gen Signal Corp | Modular output driver for vital processor systems |
GB2165972A (en) * | 1984-10-22 | 1986-04-23 | Westinghouse Electric Corp | Random pattern lock and key fault detection scheme for microprocessor systems |
US4594685A (en) * | 1983-06-24 | 1986-06-10 | General Signal Corporation | Watchdog timer |
GB2169114A (en) * | 1983-11-10 | 1986-07-02 | Gen Signal Corp | Vital processor v |
DE3728561A1 (en) * | 1987-08-27 | 1989-03-09 | Vdo Schindling | Method of testing a monitoring device for a microprocessor |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3569793A (en) * | 1969-06-18 | 1971-03-09 | Honeywell Inc | Fail safe circuit which detects the presence or absence of a cyclic signal of reversible polarity |
US4327556A (en) * | 1980-05-08 | 1982-05-04 | General Electric Company | Fail-safe electronically controlled defrost system |
US4422067A (en) * | 1981-10-05 | 1983-12-20 | Honeywell Inc. | Dynamic self-checking safety circuit means |
US4726024A (en) * | 1986-03-31 | 1988-02-16 | Mieczyslaw Mirowski | Fail safe architecture for a computer system |
US4800507A (en) * | 1986-12-15 | 1989-01-24 | Brown Christopher R | Proving safe operation |
US4955806A (en) * | 1987-09-10 | 1990-09-11 | Hamilton Standard Controls, Inc. | Integrated furnace control having ignition switch diagnostics |
US5113399A (en) * | 1989-10-16 | 1992-05-12 | Rockwell International Corporation | Memory test methodology |
-
1992
- 1992-06-12 US US07/898,056 patent/US5309445A/en not_active Expired - Lifetime
-
1993
- 1993-06-16 WO PCT/US1993/005773 patent/WO1994029794A1/en active IP Right Grant
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3919533A (en) * | 1974-11-08 | 1975-11-11 | Westinghouse Electric Corp | Electrical fault indicator |
US4181849A (en) * | 1978-01-30 | 1980-01-01 | General Signal Corporation | Vital relay driver having controlled response time |
US4594685A (en) * | 1983-06-24 | 1986-06-10 | General Signal Corporation | Watchdog timer |
GB2149539A (en) * | 1983-11-10 | 1985-06-12 | Gen Signal Corp | Modular output driver for vital processor systems |
GB2169114A (en) * | 1983-11-10 | 1986-07-02 | Gen Signal Corp | Vital processor v |
GB2165972A (en) * | 1984-10-22 | 1986-04-23 | Westinghouse Electric Corp | Random pattern lock and key fault detection scheme for microprocessor systems |
DE3728561A1 (en) * | 1987-08-27 | 1989-03-09 | Vdo Schindling | Method of testing a monitoring device for a microprocessor |
Also Published As
Publication number | Publication date |
---|---|
US5309445A (en) | 1994-05-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US5309445A (en) | Dynamic self-checking safety circuit means | |
WO1994007089A1 (en) | Optical flame detector performance tester | |
JPS63282506A (en) | Monitor system | |
GB2099158A (en) | Gas flow control apparatus | |
TWI222510B (en) | Combustion control device | |
US4451226A (en) | Flame safeguard sequencer having safe start check | |
US5051936A (en) | Microprocessor-based controller with synchronous reset | |
CA1225732A (en) | Microcomputer driven fail-safe device with short circuit detection for electronic control circuitry | |
EP0704074B1 (en) | Dynamic self-checking safety circuit means | |
EP2304331A1 (en) | Ignition control with safeguard function | |
EP0053447B1 (en) | Fail safe digital timer | |
US4422067A (en) | Dynamic self-checking safety circuit means | |
US4239478A (en) | Check circuit for combustion process control timer | |
US4931975A (en) | Microprocessor-based controller with synchronous reset | |
US4832594A (en) | Control system with timer redundancy | |
US4451225A (en) | Flame safeguard sequencer having interlock checking means | |
US4963088A (en) | Safety-related parameter inputs for microprocessor ignition controller | |
JP2004069077A (en) | Safety circuit for shutting gas passage | |
JP3120009B2 (en) | Combustion control device | |
JPH02122113A (en) | Safety device for gas burner | |
US4451227A (en) | Flame safeguard sequencer having switch test functions | |
JPH08247458A (en) | Burner combustion control device and burner combustion controlling method | |
US5596515A (en) | Microprocessor control circuit with inverted reset and extendable runtime | |
JPH0776614B2 (en) | Method for detecting abnormality of wind pressure switch in combustion device | |
JPS61231447A (en) | Apparatus for detecting flame |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AU CA |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE |
|
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 1993916571 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2164418 Country of ref document: CA |
|
WWP | Wipo information: published in national office |
Ref document number: 1993916571 Country of ref document: EP |
|
WWG | Wipo information: grant in national office |
Ref document number: 1993916571 Country of ref document: EP |