FAULT DETECTION ISOLATION AND RECONFIGURATION SYSTEM FOR SAFETY BREAKS AND RELAY DRIVERS IN REDUNDANT SYSTEMS
ORDINARY APPLICATION
Published
Filed on 7 November 2024
Abstract
The present invention provides a fault detection isolation and reconfiguration system for safety breaks and relay drivers in redundant systems. The system (100) comprises a driver block (10), a battery module (20), onboard operated safety breaks with FDIR module (30) and one or more chains of one or more loads connected across module (30) and module (20). The block (10) comprises a driver side supply (11); a ground operated SAFE/ARM break (12); an onboard operated SAFE/ARM break (13); one or more reconfiguration breaks (14); and the driver module with FDIR (15). The battery module (20) comprises a load side battery (21), a ground operated ON/OFF break (22), an onboard operated battery ON/OFF break (23), one or more reconfiguration breaks (24), and a current sensor (25). The module (30) comprises one or more safety breaks connected in series and configured to operate the load on their own chain and on other chains in the case of failures on those other chains.
Patent Information
Field | Value |
---|---|
Application ID | 202441085403 |
Invention Field | ELECTRICAL |
Date of Application | 07/11/2024 |
Publication Number | 47/2024 |
Inventors
Name | Address | Country | Nationality |
---|---|---|---|
Noel Philip Valiyakalayil | QDNS/QRAG/SRS, Vikram Sarabhai Space Centre, ISRO, Veli, Thiruvananthapuram – 695022, Kerala, India | India | India |
Ayyavaru Sampathkumar | QDNS/QRAG/SRS, Vikram Sarabhai Space Centre, ISRO, Veli, Thiruvananthapuram – 695022, Kerala, India | India | India |
Saleem Haneefa | QRAG/SRS, Vikram Sarabhai Space Centre, ISRO, Veli, Thiruvananthapuram – 695022, Kerala, India | India | India |
Applicants
Name | Address | Country | Nationality |
---|---|---|---|
Indian Space Research Organization | ISRO Headquarters, Department of Space, Antariksh Bhavan New BEL Road, Bangalore - 560094, Karnataka, India | India | India |
Specification
Description: FORM - 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(SEE SECTION 10, RULE 13)
FAULT DETECTION ISOLATION AND RECONFIGURATION SYSTEM FOR SAFETY BREAKS AND RELAY DRIVERS IN REDUNDANT SYSTEMS
INDIAN SPACE RESEARCH ORGANIZATION, A GOVERNMENT OF INDIA ORGANIZATION, WHOSE ADDRESS IS ISRO HEADQUARTERS, DEPARTMENT OF SPACE, ANTARIKSH BHAVAN NEW BEL ROAD, BANGALORE - 560094, KARNATAKA, INDIA
THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.
TECHNICAL FIELD OF THE INVENTION
[0001] The present invention relates generally to the Fault Detection Isolation and Reconfiguration (FDIR) system. More specifically, to a Fault Detection Isolation and Reconfiguration (FDIR) system for identifying faults of safety breaks and relay driver circuits in redundant systems.
BACKGROUND OF THE INVENTION
[0002] In critical ground and flight safety systems, safety breaks are used in a variety of applications for preventing inadvertent command execution. The number of safety breaks in series is often determined by the number of failures that the system needs to tolerate. Further, redundant paths or chains are provided for safety breaks to take care of failure of a single chain. Depending on the safety criticality, operability on fault isolation, cost and reliability factors, most safety systems use dual, triple, quad or penta redundant systems. Implementation of such systems uses relays and relay drivers in redundant configuration to meet the requirement. The safety break scheme adopted in existing dual, triple and quad redundant systems for launch vehicle and human rated missions does not cater to identification of safety break (relay) and driver failures. This can lead to adverse effects in scenarios of multiple failure modes. The existing schemes are capable only of identifying relay contacts stuck open or closed, based on the voltage developed across the contacts.
[0003] The existing prior art has limitations, including the inability to identify relay driver failures and the inability to reconfigure and reuse the system in the event of N-1 system failures (where N is the number of redundant systems). Some available prior art is listed below; none of it provides re-usability of safety break command logics and driver circuits.
[0004] Indian publication number 202241010568 (A) titled "system and method for reconfiguration of a relay driving scheme in quad redundant configuration" describes a system for reconfiguration of a relay driving scheme comprising: a set of relays for executing a set of commands based on a sequence of events; one or more execution elements coupled to the execution module; and a plurality of controllers coupled to the execution modules, configured to generate the set of commands pertaining to non-latching and latching commands, execute the generated set of commands through the set of relays, and actuate the coils of the set of relays to operate the execution elements, wherein the set of relays is driven by at least one controller of the plurality in the event of failure of the other controllers.
[0005] Chinese publication number CN105278328A titled "A third selecting second redundancy switch control circuit and control method for simulating circuit" claims a one-out-of-three selection system simulating two switch control circuit in each branch. When any instruction (base drive) is stuck at low fault, or any one of the transistor switches fails in open mode, the current through the resistor will help to identify the failure of transistor. The technical solution of the invention can improve the reliability and safety of the analog circuit.
[0006] Another Chinese Patent CN106712273B titled "A multi-margin redundancy control based on magnetic latching relay for distribution circuit" describes a multi-redundant control based on latching relays. This is useful for power distribution.
[0007] Another Chinese utility patent application CN202362430U & Chinese patent publication number CN102565691A titled "Relay failure detection device and method of grid-connected Inverter" describes a method for redundant break management in a grid-connected inverter. In case of failure of closing of one relay when required, the voltage across the relay will indicate this difference and hence the redundant relay will be closed. The control module is TMS320F28035 digital signal processor.
[0008] Another Chinese utility patent application CN202522679U titled "Single-phase photovoltaic inverter relay error detection device" describes a utility model claiming a single-phase photovoltaic inverter relay fault detecting device.
[0009] Granted Chinese Patent Application Number CN10459775013 entitled "A core relay failure detection and redundancy control system and control method" details a failure detection scheme comprising a detecting mechanism: when a failure occurs in the relay, the PLC detects the failure, the redundant relay is commanded, and a fault indication is raised. It also ensures the reliability of the loop control system in advance by isolating the failed relay and commanding the backup relay.
[0010] Yet another granted Chinese Patent Application Number CN104682432B titled 'Relay failure detecting and filtering capacitor protection method of the photovoltaic grid-connected inverter' describes the technical field of photovoltaic grid-connected inverters. The health of the relay is assessed by measuring the voltage across the relay input and output. If the difference in voltage is not within a threshold, it is assumed that the relay has failed, and the second set of relays is operated to protect the system.
[0011] Granted US Patent Application Number US11525860B2 titled "Relay failure detection and robot" describes a relay failure detection circuit. AC voltage across the terminals of relay contact is acquired and converted into digital signal using opto diode and compared with the digital signal of input AC supply voltage acquired using opto. Comparator output determines the failure of relay contact.
[0012] Another Chinese Patent Publication number CN110412456A entitled "A relay fault detection method and photovoltaic energy system" claims a relay fault detection method for a photovoltaic energy system. The voltage to the grid is measured. If the voltage is below the expected voltage, the redundant set of relays is commanded.
[0013] Another Granted US Patent Application Number US9236209(B2) titled "Relay failure detection system" describes a relay failure detection system to detect relay faults. Relay primary inputs are coupled to a level detector circuit whose outputs are compared with a known threshold. The output of the comparator is sent to a decision system which is used to control the state of the relays. If any of the relays fails to make good electrical contact, the primary input signal detected by the level detector will have a different amplitude than the threshold and the comparator output switches.
[0014] Another Chinese utility patent application CN215067207U entitled 'Fault detecting device and charging device' claims a method for detection of relay failures while connecting with the load. In case of any relay K1/ K2 / K3 / K4 not closing, the voltage detected at the output of opto coupler collector will not be as expected and hence, we can identify the failure of the relay.
[0015] Another granted Chinese patent application CN111337823B titled 'Relay failure detecting device and method' describes a method which is suitable for relay failure detection. The device consists of a resistor and capacitor. The voltage developed across the capacitor helps to identify if either K1 or K2 is faulty. This device is usually used to connect solar cell output to load through a relay.
[0016] Japanese Patent Publication Number JP2008226619A titled "Fail safe output circuit having Relay failure detection function" claims a circuit that aims to detect a short-circuit failure of serially-connected relays with a simple circuit. Two resistors A and B are serially connected across the battery, and a device for failure diagnosis is connected from a point between the relays RL-A and RL-B to a point between the resistors A and B. When either of the two relays is closed, a current flows through the fault detection apparatus, and the occurrence of a short-circuit failure is detected.
[0017] German Patent Application number DE19806821C2 titled "Failure detection means for detecting a fault in a solenoid valve" describes a fault detection device for detecting a disorder in a solenoid valve. The failure of a solenoid valve coil can be detected by switching on relay (2) and measuring the voltage developed across the resistor (8b). If the solenoid valve coil is healthy, then the return is also closed, and the valve is operated. If there is an issue with the coil monitoring, the relays (2/ 4) are operated to isolate the valve from operation.
[0018] Another Japanese Patent Publication Number JP2002203717A titled "Solenoid drive circuit" describes a solenoid drive circuit capable of detecting (failure detection) a short circuit in a solenoid. It has a control circuit which controls the supply to a solenoid from a power source. This control circuit is equipped with an A/D-conversion circuit which acquires the voltage across the solenoid coil (through AN2 & AN1). For this, 102 is turned ON, which turns on the low current relay (13). The voltage across the solenoid is evaluated and only if it is greater than a threshold is pin 101 commanded to allow the entire current to flow and energize the solenoid.
[0019] Further, in the conventional scheme, separate FPGA/microcontroller circuits are used for generation of the command and the command complement, both being logic HIGH when commanded. Similarly, the conventional scheme makes use of 2M relay drivers and 2M FPGA/microcontroller pins per chain for interfacing the commands to functional relays or solid-state switches for 'M' commands. Hence an N-redundant system, i.e., a system having N redundant elements or chains, requires '2MN' drivers. Implementing an FDI scheme for this conventional method would therefore result in a large overhead of additional components, which is not cost effective and adds a penalty in applications where weight and size are constrained.
[0020] There is still a need for an invention which provides a simple, reliable, and cost-effective methodology for identifying relay driver failures, command pin failures, relay coil failures and relay contact failures in either open or short mode, and which provides synthesized information for isolating the failed chain and reconfiguring the relays for improving system availability and reliability.
SUMMARY OF THE INVENTION
[0021] This summary is provided to introduce concepts of the present invention. This summary is neither intended to identify essential features of the present invention nor is it intended for use in determining or limiting the scope of the present invention.
[0022] In one aspect, the present invention provides a Fault Detection Isolation and Reconfiguration (FDIR) system or scheme for identifying faults of safety breaks and relay driver circuits which is a simple, reliable and cost-effective methodology for identifying relay driver failures or command pin failures or relay coil failures and relay contact failures in either open/ short mode and provide synthesized information for isolating the failed chain and reconfiguring the relays for improving system availability and reliability.
[0023] The present invention is capable of identifying and isolating failures of relay coils, relay contacts, stuck semiconductor switches and relay drivers in either open or short mode. This is a simple add-on circuit to existing hardware and can be easily incorporated into the existing design with minimal overhead. The system has the ability to reconfigure and reuse the system even in the event of N-1 system failures (where N is the number of redundant systems). The system is capable of identifying the health of the relay contacts without connecting any active device in parallel to the relay pole & contact, thereby ensuring galvanic isolation, even in the failure of the health monitoring circuit. This system makes use of fewer resources (drivers / microcontroller or FPGA pins) and is also scalable to N order redundant systems. The system provides re-usability of safety break command logics and driver circuits using a matrix-based approach, thereby reducing the components used without compromising reliability.
[0024] Accordingly, in one aspect, the present invention provides a fault detection isolation and reconfiguration system for safety breaks and relay drivers in redundant systems. The fault detection isolation and reconfiguration system comprises a driver block, a battery module, an onboard operated safety break with FDIR module, and one or more chains of one or more loads connected across the onboard operated safety break with FDIR module and the battery module. The driver block comprises a driver side supply, a ground operated SAFE/ARM break connected in series with the driver side supply, an onboard operated SAFE/ARM break connected in series with the ground operated SAFE/ARM break, one or more reconfiguration breaks connected in parallel with the onboard operated SAFE/ARM break, and the driver module with FDIR connected in series with the onboard operated SAFE/ARM break and the one or more reconfiguration breaks. The battery module comprises a load side battery, a ground operated battery ON/OFF break connected between the positive and negative terminals of the load side battery, an onboard operated battery ON/OFF break connected in series with the ground operated battery ON/OFF break at the positive terminal of the load side battery, one or more reconfiguration breaks connected in parallel with the ground operated battery ON/OFF break at the positive terminal of the load side battery, and a current sensor connected in series with the ground operated battery ON/OFF break at the negative terminal of the load side battery. The onboard operated safety break with FDIR module comprises one or more safety breaks connected in series. The module is configured to operate one or more loads on their own chain and on chains other than their own in the case of failures on those other chains.
[0025] Preferably, the driver block connects a digital logic commanding block mounted inside the driver module with FDIR to one or more load side switches through one or more relay drivers.
[0026] Preferably, the ground operated SAFE/ARM break is configured to operate one or more relay drivers in a SAFE mode when no command is issued by the system and in ARM mode when a command is issued by the system.
[0027] Preferably, the ground operated battery ON/OFF break is configured to turn OFF the battery module when no command is issued by the system and turn ON the battery module when a command is issued by the system.
[0028] Preferably, the onboard operated SAFE/ ARM break and the onboard operated Battery ON/OFF break are implemented by relays or transistor switches with series redundancy.
[0029] Preferably, the onboard operated SAFE/ ARM break and the onboard operated battery ON/OFF break are implemented as consistency check logic blocks with other healthy chains in the system.
[0030] Also, the onboard operated SAFE/ ARM break and the onboard operated battery ON/OFF break are further configured to route the power to one or more relay drivers and transistor switches if at least two or the majority of the chains coordinate with the issued command.
[0031] Preferably, one or more reconfiguration breaks operate if all other chains failed and commands are still to be executed from a single healthy chain in the driver block.
[0032] Preferably, the one or more reconfiguration break operates if all other chains failed and commands are still to be executed from a single healthy chain in the load side.
[0033] Further, the system detects and isolates failure of the digital logic commanding block mounted inside the driver module with FDIR when the block attempts to issue an inadvertent command and command complement.
[0034] Furthermore, the system isolates up to (N-1) chain failures in an N redundant system and reconfigures the redundant system in the load side without single point failures.
[0035] Preferentially, the system is configured to perform:
fault detection and isolation (FDI) of the chain based on detection of faults in relay drivers or transistor switch from the corresponding digital logic commanding block mounted inside the driver module with FDIR and
fault detection, isolation and reconfiguration (FDIR) of the chain based on detection of faults in relay drivers or transistor switch on the load side.
[0036] Additionally, the system has inbuilt fault detection and isolation (FDI) logic, implemented through an analog FDI circuit, to perform fault detection and isolation (FDI) of the chain based on detection of faults in relay drivers or transistor switches from the corresponding digital logic commanding block mounted inside the driver module with FDIR.
[0037] Preferably, the safety break is a relay or an opto isolated solid-state safety break.
[0038] Preferably, the system detects faults of safety break in open (OFF) or short (ON) mode.
[0039] Preferably, the fault is an isolated coil failure in open mode or short mode for relays, and/or opto primary diode failure in open mode or short mode on the opto isolated solid-state safety break.
[0040] Other aspects, advantages, and salient features of the invention will become apparent to those skilled in the art from the following detailed description, which, taken in conjunction with the annexed drawings, discloses exemplary embodiments of the invention.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
[0041] The detailed description is described with reference to the accompanying figures. The same numbers are used throughout the drawings to reference like features and modules.
[0042] Figure 1 illustrates a generalized block diagram representation of the Fault Detection Isolation and Reconfiguration (FDIR) system used for sequencing functions, according to an exemplary implementation of the present invention.
[0043] Figure 2 illustrates details of the driver block without the Fault Detection Isolation (FDI) circuit, according to an exemplary implementation of the present invention.
[0044] Figure 3 illustrates a circuit for failure detection of relay coils and relay drivers/ command pins in either short mode or open mode, according to an exemplary implementation of the present invention.
[0045] Figure 4 illustrates a schematic representation of the amplifier and comparator circuit, according to an exemplary implementation of the present invention.
[0046] Figure 5 illustrates an entire re-usable driver side schematic for an 'M' sequencing command system, according to an exemplary implementation of the present invention.
[0047] Figure 6 illustrates the flight operated consistency check module along with the reconfiguration breaks (either on load side or driver side) for dual, triple and quad redundant configurations, according to an exemplary implementation of the present invention.
[0048] Figure 6A illustrates onboard operated break with minimum two chains agreeing for issuing a command and reconfiguration system, according to an exemplary implementation of the present invention.
[0049] Figure 6B illustrates onboard operated break with all chains agreeing for issuing a command and reconfiguration system, according to an exemplary implementation of the present invention.
[0050] Figure 6C illustrates onboard operated breaks with a majority of the chains agreeing for issuing a command and reconfiguration system, according to an exemplary implementation of the present invention.
[0051] Figure 7 illustrates details of the circuit for detection of contact fault detection and reconfiguration in the load side, for very low resistance loads like pyro devices using relays switches, according to an exemplary implementation of the present invention.
[0052] Figure 8 illustrates details of the circuit for detection of contact fault detection and reconfiguration in the load side, for very low resistance loads like pyro devices using transistor switches, according to an exemplary implementation of the present invention.
[0053] Figure 9 illustrates details of the circuit for contact fault detection and reconfiguration in the load side, for large resistive loads like valve coils, using relay switches, according to an exemplary implementation of the present invention.
[0054] Figure 10 illustrates details of the circuit for contact fault detection and reconfiguration in the load side, for large resistive loads like valve coils, using transistor switches, according to an exemplary implementation of the present invention.
[0055] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative methods embodying the principles of the present invention. Similarly, it will be appreciated that any flow charts, flow diagrams, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION OF THE INVENTION
[0056] The various embodiments of the present invention describe a Fault Detection Isolation and Reconfiguration (FDIR) system for safety breaks and relay drivers in redundant systems.
[0057] In the following description, for the purpose of explanation, specific details are set forth in order to provide an understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these details. One skilled in the art will recognize that embodiments of the present invention, some of which are described below, may be incorporated into a number of systems.
[0058] However, the systems and methods are not limited to the specific embodiments described herein. Further, structures and devices shown in the figures are illustrative of exemplary embodiments of the present disclosure and are meant to avoid obscuring the present disclosure.
[0059] It should be noted that the description merely illustrates the principles of the present invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described herein, embody the principles of the present invention. Furthermore, all examples recited herein are principally intended expressly to be only for explanatory purposes to help the reader in understanding the principles of the invention and the concepts contributed by the inventor to furthering the art and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass equivalents thereof.
[0060] In one aspect, the present invention provides a Fault Detection Isolation and Reconfiguration (FDIR) system or scheme for identifying faults of safety breaks and relay driver circuits. The present invention is capable of identifying and isolating failures of relay coils, relay contacts, stuck semiconductor switches and relay drivers in either open or short mode. This is a simple add-on circuit to existing hardware and can be easily incorporated into the existing design with minimal overhead. The system has the ability to reconfigure and reuse the system even in the event of N-1 system failures, where N is the number of redundant systems. The system is capable of identifying the health of the relay contacts without connecting any active device in parallel to the relay pole & contact, thereby ensuring galvanic isolation, even in the failure of the health monitoring circuit. This system uses fewer resources (e.g., drivers / microcontroller or FPGA pins) and is also scalable to N order redundant systems. The system provides re-usability of safety break command logics and driver circuits using a matrix-based approach, thereby reducing the components used without compromising reliability.
[0061] In another aspect, the provided Fault Detection Isolation and Reconfiguration (FDIR) system for identifying faults of safety breaks and relay driver circuits ensures safe and reliable operation of breaks in safety critical applications including pyro/squib operations. The system further provides not only identification of the failure of controller modules or pins, but also isolation and reconfiguration of the system for further operation, and is capable of operating even in the case of N-1 failures in human rated applications.
[0062] In another aspect, the provided Fault Detection Isolation and Reconfiguration (FDIR) system for identifying faults of safety breaks and relay driver circuits is simple enough to be plugged into existing FDI logic circuit, for ease of implementation and is reconfigurable after isolation of fault in any chain so as to enhance fault tolerance capability.
[0063] Another object of the invention is that the present system is a simple add-on circuit to existing hardware and can be easily incorporated into the existing design with minimal overhead. The system can further identify relay driver and relay coil failures. The FDI identification of relay drivers and coils does not require complex digital logic circuitry and can be handled in the analog domain itself. The system is further capable of identifying the health of the relay contacts without connecting any active device in parallel to the relay pole & contact, thereby ensuring galvanic isolation, even in the failure of the health monitoring circuit.
[0064] Yet in another aspect, the system provides re-usability of safety break command logics and driver circuits using a matrix-based approach, thereby reducing components used without compromising reliability.
[0065] The Fault Detection Isolation and Reconfiguration (FDIR) system of the present invention is divided into two segments. The first segment deals with fault detection and isolation of a sequencing chain based on detection of faults in relay coils, relay drivers or transistor switch and command pins from the corresponding digital logic blocks which include FPGA or microcontroller or microprocessor. The second segment deals with fault detection, isolation and reconfiguration of a sequencing chain based on detection of faults in relay contacts/ transistor switches on the load side.
[0066] Now referring to figure 1 of the present invention, a generalized block diagram representation of the Fault Detection Isolation and Reconfiguration (FDIR) system used for sequencing functions is illustrated. The Fault Detection Isolation and Reconfiguration (FDIR) system (100) comprises a driver block (10), a battery module (20), onboard operated (also known as flight operated) safety breaks with FDIR module (30) for pyro initiation or valve operation, and one or more chains of one or more loads connected across the onboard operated safety break with FDIR module (30) and the battery module (20).
[0067] The driver block (10) further comprises a relay coil or driver side supply (11), a ground operated SAFE/ARM break (12), an onboard operated (also known as flight operated) SAFE/ARM break (13), one or more reconfiguration breaks (14) and the driver module with FDIR (15). The ground operated SAFE/ARM break (12) is connected in series with the driver side supply (11). The onboard operated SAFE/ARM break (13) is connected in series with the ground operated SAFE/ARM break (12). Further, the one or more reconfiguration breaks (14) are connected in parallel with the onboard operated SAFE/ARM break (13), and the driver module with FDIR (15) is connected in series with the onboard operated SAFE/ARM break (13) and the one or more reconfiguration breaks (14).
[0068] In one embodiment, the onboard operated SAFE/ ARM breaks (13) are used as consistency check logic with other healthy chains in the system of the present invention. The one or more reconfiguration breaks (14) operates if all other chains have failed and commands are still to be executed from a single healthy chain in the driver block.
[0069] The battery module (20) comprises of a load side battery power (21), ground operated battery ON/OFF break (22), onboard/Flight operated Battery ON/OFF breaks (23), one or more reconfiguration breaks (24) and current sensor (25) for load current monitoring. The ground operated battery ON/OFF break (22) is connected between the positive and negative terminals of the load side battery (21). The onboard operated battery ON/OFF break (23) is connected in series with the ground operated battery ON/OFF break (22) at positive terminal of load side battery (21). Further, one or more reconfiguration breaks (24) is connected in parallel with the ground operated battery ON/OFF break (22) at positive terminal of load side battery (21) and the current sensor (25) connected in series with the ground operated battery ON/OFF break (22) at negative terminal of load side battery (21).
[0070] In one embodiment, the onboard/Flight operated Battery ON/OFF breaks (23) are used as consistency check logic with other healthy chains in the system of the present invention. The one or more reconfiguration breaks (24) operates if all other chains failed and commands are still to be executed from a single healthy chain in the load side.
[0071] The onboard/flight operated safety breaks with FDIR module (30) comprises safety breaks (two in series), which are capable of operating the load on their own chain and on other chains in the case of failures on other chains.
[0072] In one preferred embodiment, the present invention proposes a Fault Detection Isolation (FDI) circuit within the driver module with FDIR (15) and the onboard/flight operated safety breaks with FDIR module (30). In another preferred embodiment, the present invention proposes a method for command execution based on consistency check between various chains and a means to re-use drivers and reconfigure a chain in the event of failure in the other chains.
[0073] In one embodiment, the safety break is a relay or an opto isolated solid-state safety break, and the system detects faults of the safety break in open (OFF) or short (ON) mode. The faults can include isolated coil failures in open mode or short mode for relays, and opto primary diode failures in open mode or short mode for the opto isolated solid-state safety break.
[0074] The Fault Detection Isolation and Reconfiguration (FDIR) system as illustrated in Figure 1 is for a single chain for mission critical/safety critical applications in an N-redundant system. The driver block (10) is used to connect a digital logic commanding block, which is mounted inside the driver module with FDIR (15), to the load side switches through one or more relay drivers. It consists of a ground operated SAFE/ARM break (12) to operate one or more relay drivers in SAFE mode when no command is issued by the system (100) and in ARM mode when a command is issued by the system (100). Additionally, an onboard/flight operated SAFE/ARM break (13) is introduced in the driver block (10), which is operated by the different chains. These onboard operated SAFE/ARM breaks (13) act as a consistency check module that routes the power to one or more relay drivers and transistor switches only if at least two or the majority of the chains agree with the issued command. In case N-1 chains fail, the reconfiguration breaks will be commanded so as to operate the system on a single chain. Accordingly, the system isolates up to (N-1) chain failures in an N-redundant system and reconfigures the system on the load side without single point failures, and hence caters to the requirement of FO-FO-FS (FAIL-OPERATE, FAIL-OPERATE, FAIL-SAFE) in a quad chain system and FO-FS in a triple redundant system. The details of the FDIR system implemented for identifying relay driver, digital block pin and relay coil failures are given below.
[0075] In one embodiment, the system (100) detects and isolates a failure of the digital logic commanding block mounted inside the driver module with FDIR (15) in which the block attempts to issue an inadvertent command and command complement.
[0076] The battery module (20) is used to connect the battery source to the onboard/flight operated safety breaks with FDIR module (30). It consists of ground operated battery ON/OFF breaks (22) to turn OFF the battery module (20) when no command is issued by the system (100) and turn ON the battery module (20) when a command is issued by the system (100). Additionally, onboard/flight operated battery ON/OFF breaks (23) are introduced, which are operated by the different chains. These onboard/flight operated battery ON/OFF breaks (23) act as a consistency check module that routes the power to the onboard operated safety breaks, and are similar in function to the onboard operated SAFE/ARM breaks (13). Here also, in case N-1 chains fail, the reconfiguration breaks will be commanded so as to operate not only the load on their own chain but also the loads connected on other chains. This also takes care of N-1 chain failures together with multiple load failures.
[0077] In one embodiment, the loads can typically be pyro initiators/squibs, electro-pneumatic valves, solenoid valves, nichrome wire fuses and so on. The details of the system implemented for identifying onboard operated battery ON/OFF failures and onboard operated SAFE/ARM failures are given below.
[0078] In an embodiment, the system has inbuilt fault detection and isolation (FDI) logic, implemented through an analog FDI circuit, to perform fault detection and isolation of the chain based on detection of faults in the relay drivers or transistor switches from the corresponding digital logic commanding block mounted inside the driver module with FDIR (15).
[0079] The driver block (10) without FDI circuits is illustrated in Figure 2. Further, Figures 3 and 4 illustrate the circuits of the driver block (10) of Figure 1 with FDI circuits. The highlighted segment, i.e. the segment indicated in dotted boxes in Figure 3, represents the circuit for failure detection of relay coils and relay drivers/command pins in either short mode or open mode. Health of the drivers and command pins is detected by combining two monitorings: one is the current value, monitored using a sense resistor (Rx) at the common emitter, and the second is the individual driver health obtained using opto-coupler circuits. Finally, a synthesized monitoring is generated after combining with the processor FDI, and the synthesized signal is used to cut off the chain by operating relay (RL3). Figure 4 is the schematic representation of the amplifier and comparator circuit used to generate the hardcore signal in the event of a fault in the relays, relay drivers or commanding pins of a particular chain. Further, the failure detection of relay coils, relay drivers and digital block controller pins using an independent fault detection circuit is performed in the analog domain.
[0080] Now referring to Figures 2-4, the relay supply is routed to the relays RL1 and RL2 through ARM breaks A1 and A1'. The current that flows through the relay coils RL1 and RL2 and through the corresponding drivers Q1 and Q2 flows through the resistor Rx when commanded. Hence, for successful execution of a function, four drivers must be turned ON in the present system, i.e. one each for ARM and ARM complement and one each for COMMAND and COMMAND BAR.
[0081] The voltage developed at the output of the differential buffer (Vx) is proportional to the current flowing through the resistor Rx. When a command is issued, the command pin of the microcontroller is logic 'HIGH' and the command complement pin is logic 'LOW'.
[0082] In Figure 3, the fault detection circuit comprises an opto-coupler IC1 whose primary diode anode is connected to the relay coil supply and whose primary diode cathode is connected to the collectors of relay drivers Q1 and Q2 through sneak path protection diodes. It also consists of a second opto-coupler IC2 placed between the command and command complement pins of the corresponding function. The second opto-coupler IC2 is used to detect the failure of the command and command complement pins of the digital commanding block (FPGA/microcontroller).
[0083] In the normal condition, when a command is issued, a voltage is developed across Rx, which is amplified and obtained as the differential buffer output (Vx). This voltage is proportional to the sum of the relay coil currents, the opto-coupler primary diode current of IC1 and the opto-coupler secondary current of IC2.
[0084] In a faulty condition, with any one or both relay coils open, or any one relay driver (Q1/Q2) open, or the command/command bar pin open, the value of Vx will be less than expected when commanded. However, the opto-coupler IC1 output will still be logic 'LOW' when the other relay, driver or pin corresponding to the particular function is commanded. Hence, output O1 of IC1 will be logic HIGH and Vy will not match Vx, thereby resulting in chain isolation.
[0085] In a faulty condition, with any one or both drivers (Q1, Q2) short, or the command pin stuck at HIGH, or the command bar pin stuck at LOW, Vy will be generated even when no command is issued, thereby resulting in chain isolation. This is a major advantage over the existing method illustrated in Figure 2.
[0086] In a faulty condition, with any one or both relay coils short, Vx will be much larger than expected when commanded and hence will not match Vy, thereby resulting in isolation. In a faulty condition when both relay drivers (Q1 and Q2) are open, IC1 will not conduct when commanded and hence O1 will always be LOW. Vx will still be generated from the output of IC2 when commanded, and this results in chain isolation.
[0087] In a faulty condition when a wrong command is issued (command pin is HIGH and command bar pin is LOW), the ARM breaks or the flight consistency check breaks will still not act, and hence Vx will be generated only from the secondary of opto-coupler IC2. Hence Vx will not match Vy, and the chain will be isolated.
[0088] The opto-coupler primary bias of IC1 is chosen such that, in the normal working condition, when the drivers (Q1 and/or Q2) are commanded to switch ON, the opto-coupler IC1 conducts, thereby driving the input of the inverter to logic 'LOW' and hence generating a logic 'HIGH' signal at O1. The secondary of opto-coupler IC1 is pulled up to the same supply used for the microcontroller/FPGA I/O supply (VCC).
[0089] The output O1 is given to a summing amplifier (highlighted portion in Figure 4) with tunable gains in each arm. The gain/attenuation is chosen such that, for a logic 'HIGH' at O1, the output Vy is proportional or equal to the voltage Vx developed at the differential buffer. If Vx and Vy match within a particular threshold (theoretically near null; in practical hardware this is configurable depending on system offsets), then the comparator OC1 output will be LOW and the chain will be functional.
[0090] In designs using relays as switches, the relay coil resistance has a nominal value. In one preferred embodiment, relays with coil resistances of 300Ω, 450Ω, 600Ω or 900Ω are used in the present invention. Hence, the gain tuning resistances can be chosen as four different values such that the gain set by each resistance corresponds to the required relay coil current.
[0091] For simplicity of interpreting the system with an illustration, it is assumed that the ARM breaks are not present in Figure 3 and that IC1 and IC2 are designed to turn ON at 10mA primary current. The secondary current of IC2 is designed to be around 10mA. Since IC1 is connected to the command and command complement drivers, a maximum of 20mA can flow when both Q1 and Q2 are ON. Assuming VCC = 3.3V, a differential buffer gain of 10 and Rx of 2Ω, the value of the scaling resistor in Figure 3 is shown in Table 1.
Table 1: Gain selection for Different types of relays
[0092] In the event of a failure of any element in Figure 3 related to the relay drive circuit, the comparator OC1 output will be HIGH and the corresponding chain FDI signal will isolate the chain from further downstream command execution by commanding relay RL3 to open. The effect of a fault in any element and its detectability is detailed in Table 2.
Table 2: Detectability in case of failure of elements in Figure-3.
No | Failure Mode | Effect | Output O1 | Detectability |
---|---|---|---|---|
1 | Relay RL1 or/and RL2 coil open | No command from corresponding chain when required | HIGH when commanded | Vx will be generated only from the output of IC2 when both relay coils are open. Vx will be less than expected in the case of one/both relay coils open, thereby resulting in chain isolation. |
2 | Relay RL1 or/and RL2 coil short | | HIGH when commanded | Vx will be very large compared to Vy and hence the chain will be isolated. |
3 | Relay driver Q1 or/and Q2 collector shorted to emitter OR command pin stuck at HIGH or/and command complement pin stuck at LOW | No inadvertent command from corresponding chain, as the ARM breaks and other chains will protect | HIGH always | This will be detected much before the actual command is posted and hence the chain will be isolated. This is the advantage of this system over Figure-2. |
4 | Relay driver Q1 or Q2 collector/base open OR diode D1/D2/D3/D4 open OR resistor R4 open | No command from the corresponding chain when required | HIGH when commanded | Vx will be less than Vy and hence the chain will be isolated. |
5 | Relay driver Q1 and Q2 collector/base open | No command from the corresponding chain when required | LOW always | Vx will be generated from the IC2 output when commanded and Vy will be zero. Hence the chain will be isolated. |
6 | Resistor R3 open | Loss of corresponding chain | HIGH always | Vx will not match Vy. |
7 | IC1 opto primary diode open OR IC1 opto primary diode short OR IC1 opto secondary open | Loss of corresponding chain | LOW always | Vx will not match Vy when commanded and hence the chain will be isolated. |
8 | Resistor R2 open | Loss of corresponding chain | HIGH when commanded | Vx will not match Vy when commanded and hence the chain will be isolated. |
9 | Any one of resistors R1 open | Loss of corresponding chain | HIGH when commanded | Vx will not match Vy when commanded and hence the chain will be isolated. |
10 | IC1 opto secondary short | Loss of corresponding chain | HIGH always | Vx will not match Vy when not commanded and hence the chain will be isolated. |
11 | IC2 opto primary diode open OR IC2 opto primary diode short OR IC2 opto secondary open | Loss of corresponding chain | HIGH when commanded | Vx will not match Vy when commanded and hence the chain will be isolated. |
12 | IC2 opto secondary short | Loss of corresponding chain | HIGH when commanded | Vx will not match Vy even when not commanded and hence the chain will be isolated. |
13 | FPGA/Microcontroller pins stuck at HIGH | Command driver will turn ON. However, no inadvertent command from corresponding chain. | HIGH always | Vx will not match Vy when not commanded and hence the chain will be isolated. |
14 | FPGA/Microcontroller pins stuck at LOW | Command complement driver will turn ON. No inadvertent command from corresponding chain. | HIGH always | Vx will not match Vy when not commanded and hence the chain will be isolated. |
15 | Any one of resistors Rx open | Loss of corresponding chain | HIGH when commanded | Vx will not match Vy when not commanded and hence the chain will be isolated. |
16 | Any one of sneak path diodes D5-D7 open | Loss of corresponding chain | HIGH when commanded | Vx will not match Vy when not commanded and hence the chain will be isolated. |
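As an added illustration of the Vx/Vy comparison that the rows of Table 2 rely on (this is not the patent's own circuit or code), the following behavioural model reproduces several Table 2 rows. The sense resistor, buffer gain, opto currents and 600Ω coil are taken from the text; the relay supply voltage, the window threshold and the residual resistance of a shorted coil are assumptions of the model.

```python
"""Behavioural model of the Figure-3/Figure-4 driver-side FDI comparison.

Added illustration, not the patent's own circuit: Vx is the differential
buffer output developed across Rx by the relay coil currents, the IC1
primary current and the IC2 secondary current; Vy is synthesised from the
opto output O1 with a gain tuned to the nominal coil current.  A mismatch
beyond the window threshold isolates the chain.
"""
from dataclasses import dataclass
from enum import Enum

# Values from the text: Rx = 2 ohm, DBA gain 10, 10 mA opto currents, 600 ohm
# coils.  The relay supply, the window width and the residual resistance of a
# shorted coil are assumptions made for this model.
V_RELAY = 28.0     # relay coil supply, V (assumption)
R_COIL = 600.0     # one of the coil values listed in [0090], ohm
R_X = 2.0          # sense resistor at the common emitter, ohm
GAIN_DBA = 10.0    # differential buffer gain
I_OPTO = 0.010     # IC1 primary / IC2 secondary design current, A
WINDOW_V = 0.1     # window-detector threshold, V (assumption)
SHORT_DIV = 10.0   # a shorted coil is modelled as R_COIL / SHORT_DIV (assumption)


class Coil(Enum):
    HEALTHY = "healthy"
    OPEN = "open"
    SHORT = "short"


class Driver(Enum):
    HEALTHY = "healthy"   # conducts only when its pin is commanded
    OPEN = "open"         # collector/base open: never conducts (Table 2 rows 4/5)
    SHORT = "short"       # C-E short or pin stuck: always conducts (row 3)


@dataclass
class Chain:
    coil1: Coil = Coil.HEALTHY
    coil2: Coil = Coil.HEALTHY
    q1: Driver = Driver.HEALTHY
    q2: Driver = Driver.HEALTHY


def driver_conducts(d: Driver, commanded: bool) -> bool:
    if d is Driver.SHORT:
        return True
    if d is Driver.OPEN:
        return False
    return commanded


def coil_current(c: Coil, conducting: bool) -> float:
    """Current through one relay coil when its driver conducts."""
    if not conducting or c is Coil.OPEN:
        return 0.0
    if c is Coil.SHORT:
        return V_RELAY / (R_COIL / SHORT_DIV)
    return V_RELAY / R_COIL


def nominal_vx() -> float:
    """Vx expected with both coils, both drivers and IC2 healthy and commanded:
    two coil currents, 20 mA IC1 primary (10 mA per driver), 10 mA IC2 secondary."""
    return GAIN_DBA * R_X * (2 * V_RELAY / R_COIL + 2 * I_OPTO + I_OPTO)


def evaluate(chain: Chain, commanded: bool) -> dict:
    """Return Vx, Vy, O1 and the isolation decision for one chain state."""
    q1_on = driver_conducts(chain.q1, commanded)
    q2_on = driver_conducts(chain.q2, commanded)
    # Everything that returns through Rx: coil currents, the IC1 primary path
    # of each conducting driver, and the IC2 secondary only while a real
    # command (pin HIGH, complement LOW) is posted.
    i_rx = (coil_current(chain.coil1, q1_on)
            + coil_current(chain.coil2, q2_on)
            + I_OPTO * (int(q1_on) + int(q2_on))
            + (I_OPTO if commanded else 0.0))
    vx = GAIN_DBA * R_X * i_rx
    # IC1 conducts (inverter output O1 HIGH) when either driver pulls its
    # collector low, whatever the coils are doing.
    o1_high = q1_on or q2_on
    # Summing amplifier of Figure 4: its gain reproduces nominal Vx for O1 HIGH.
    vy = nominal_vx() if o1_high else 0.0
    return {"vx": round(vx, 3), "vy": round(vy, 3), "o1": o1_high,
            "isolate": abs(vx - vy) > WINDOW_V}


if __name__ == "__main__":
    cases = {
        "healthy, commanded": (Chain(), True),
        "healthy, idle": (Chain(), False),
        "RL1 coil open (row 1)": (Chain(coil1=Coil.OPEN), True),
        "RL1 coil short (row 2)": (Chain(coil1=Coil.SHORT), True),
        "Q1 C-E short, idle (row 3)": (Chain(q1=Driver.SHORT), False),
        "Q1 and Q2 open (row 5)": (Chain(q1=Driver.OPEN, q2=Driver.OPEN), True),
    }
    for name, (chain, cmd) in cases.items():
        print(f"{name:30s} {evaluate(chain, cmd)}")
```

Note that a driver short (row 3) is caught while the chain is idle, before any command is posted, which is the point [0085] makes about the advantage over Figure 2.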
[0093] Figure 3 is applicable to safety breaks (which can be either relays or opto isolated semiconductor switches) that require a sufficient current drive for actuation. Further, the highlighted portion of Figure 4 is the add-on circuit intended to isolate the chain in case of a fault in any of the above elements.
[0094] The output of opamp OP1 (Vy) will be equal to the expected DBA output Vx, but opposite in sign. Hence another summing opamp OP2 is used to add Vx and Vy, which should give an output (Vw) equal to zero in normal condition.
[0095] The mathematical interpretation of this circuit is given in Equation-1 and 2 below:
[0096] This is then given to a window detector whose upper and lower thresholds can be set within a few hundred millivolts, and subsequently to a delay circuit and comparator for generating the isolation signal.
[0097] The window detector is implemented using two comparators having open collector outputs that are pulled to VCC through resistor RP.
[0098] As long as the signal Vw is within the upper and lower thresholds, the outputs of both comparators will be HIGH and hence the transistor will be ON. The capacitor will not charge and hence the isolation signal will be LOW in normal operation. When Vw is beyond either the upper or the lower threshold, the corresponding comparator output will be LOW and hence the transistor will be OFF, which results in Vz going HIGH after a delay and thereby generates the isolation signal.
[0099] In the event of failure of the FPGA/microcontroller logic or diagnostics, the refresh pulse from the FPGA (shown in the un-highlighted portion of Figure 4) will cease to exist, and this also results in chain isolation.
[00100] The opto-coupler outputs (Oi) can also be looped back to the digital block for additional software based FDI comparison and protection.
[00101] Failure of the FDIR detection opamps and comparator can result either in chain isolation (even when functionality is met) or in a scenario in which the chain is never isolated. This failure mode can be addressed by implementing majority voting (TMR) in the comparator and opamp modules.
[00102] Failure of the opamp based gain stage or comparator (OC2 or the comparators in the window detector) in open mode or saturation mode will result in the corresponding chain being switched out. Failure of the comparator in short mode or output-stuck-at-zero mode will result in non-isolation of the particular chain in the eventuality of another failure in that chain. If these failures are to be tolerated, this circuit can be duplicated using redundancy as a triple modular redundant circuit for majority voting. This helps prevent a failure of the FDIR system from affecting the functional chain.
[00103] Further, the entire re-usable driver side schematic for an 'M' sequencing command system (where M = total number of commands = 'm x n') is illustrated in Figure 5. The figure illustrates how the 'n' ARM commands and 'm' command drivers can be used to safely operate the 'M' commands with a reduced number of drivers and hardware elements compared to a conventional system. The sequencing chain with FDI can be implemented for a system where four or more sequencing commands are to be executed in any safety critical application, without compromising reliability and while ensuring faults are detected and properly isolated.
[00104] A system of optimizing the usage of relay drivers and digital block (FPGA/ Microcontroller) pins is highlighted in this Figure-5.
[00105] As mentioned above, separate FPGA/microcontroller circuits are conventionally used for generation of the command and the command complement, both being logic HIGH when commanded. Similarly, the conventional scheme makes use of 2M relay drivers and 2M FPGA/microcontroller pins per chain for interfacing the commands to functional relays or solid-state switches for 'M' commands. Hence an N-redundant system, i.e. a system having N redundant elements or chains, requires '2MN' drivers. Implementing an FDIR system for this conventional method would result in a large overhead of additional components, which is not cost effective and adds a penalty in applications where weight and size are constrained. Accordingly, the present invention provides a switching system where relay drivers and pins can be used for commanding several functions while ensuring fault detection for individual drivers, relay coils or driver input pins.
[00106] An independent 'ARM' command is provided for each set of 'm' commands. 'n' such ARM commands are provided such that the switch matrix of 'm x n' will service all M commands. Hence, we have
M = m x n,
[00107] where 'M' is the total number of commands to be serviced, 'm' is the number of commanding drivers and 'n' is the number of ARM drivers.
[00108] The advantage of the present system of re-using relays is the reduction of hardware elements with enhanced fault detection capability, as highlighted in the previous section. For the most optimized configuration, to deal with the largest number of commands possible, m = n. (This condition of m = n is not always applicable, as it depends on M. For m x n, choose 'm' and 'n' such that 'm' is near to 'n' for the most optimized configuration. Other considerations shall also include the number of simultaneous commands to be executed.)
[00109] It shall be noted that this system requires four drivers to be ON for a single command (one each for command and command bar and one each for ARM and ARM complement function). This is an overhead for systems where the total number of commands to be implemented is less than 4. For any sequencing system where more than 4 commands are to be issued, this proposal provides significant hardware reduction with enhanced fault detection capability. It is possible to reduce the circuits required for the ARM function by eliminating ARM complement function, however for ease of understanding and improved fault tolerance, this ARM complement break is retained in this proposal.
[00110] It shall be noted that for simultaneous operation of commands, commanding sequence shall be ensured through one ARM function at a time, by utilizing all the CMD drivers connected to that particular ARM. This is essential to ensure no inadvertent command is posted and also ensures the current through each driver is within its capability.
[00111] As seen in Figure 5, for CMD-11 to be ON, drivers C1, C1', ARM_1 and ARM_1' have to be ON. For the second command to be ON, C1, C1', ARM_2 and ARM_2' are turned ON. The ARM and ARM complement switches are controlled by drivers from the FPGA/microcontroller in the same way as the command and command complement drivers. These drivers are also covered by the FDI circuit detailed in Figure 3.
[00112] Table-3 provides a comparison of the number of different circuit elements for executing 100 commands between the conventional scheme and present configuration for the driver block. For the present architecture, m=n=10 is chosen to meet the requirements of 100 commands.
Table-3: Comparison between conventional scheme (without FDIR) and present system (with FDIR) for executing 100 commands.
No | Parameter | Conventional scheme (without FDIR) | Present system (with FDIR) | Remarks |
---|---|---|---|---|
1 | Number of relay drivers and driver pins per chain | 200 (100 for command and 100 for command complement) | 2(m+n) + 2 for onboard operated battery ON/OFF + 2 for onboard operated ARM = 44 | Reduction in number of relay drivers and driver pins: ~5 times (~80%) reduction |
2 | No. of FPGAs/Microcontrollers per chain | 2 (1 for command and 1 for command complement) [Even if command and complement are implemented in one FPGA, to meet the requirement of 100 commands, 200 pins are required and hence an FPGA with even greater pin-out will be required] | 1 (No compromise on safety as ON command is logic HIGH and ON command complement is logic LOW) | Reduction in logic hardware used (50% reduction) |
3 | Number of opto couplers and series input/output SMD resistors for driver/coil/pin failure detection per chain; number of opamp and comparator circuits per chain | NOT APPLICABLE | 40; 1 quad opamp, 1 quad comparator, 1 transistor and associated passives (If additional fault tolerance of the FDI opamps and comparator is to be considered, then this can be implemented in TMR) | Minimal overhead (as SMD devices of good reliability are available) and hence this is an improvement over the existing design. |
4 | Detectability of relay driver/relay coil/driver input pin failures in open or short mode | NO | YES | Improved fault tolerance for present system |
[00113] The below description now highlights the need of onboard operated battery ON/OFF and onboard operated SAFE/ ARM with reconfiguration.
[00114] Table 3 above (first row) highlights that 2 additional drivers each are used for onboard operated battery ON/OFF and onboard operated SAFE/ARM per chain. The number of MOSFET switches used for onboard operated battery ON/OFF and onboard operated SAFE/ARM is listed in Table 6 below.
[00115] These drivers are used to ensure that a consistency check is performed among the N-redundant chains prior to actual command execution. This ensures that a single unhealthy chain cannot issue a command inadvertently. These drivers are operated along with the ARM and command drivers for a particular function.
[00116] A quad redundant configuration for connecting the load to the energy source without reconfiguration capability is illustrated in Figure 6. Further, there are three ways of configuring the consistency check module, as illustrated in Figures 6A, 6B and 6C. Figure 6A shows a system where at least two among the N breaks must agree in the N-redundant chain configuration. Figure 6B shows a system where all of the N chains must agree for issuing a command; in this case, the reconfiguration break in parallel with a particular chain's break will close if the corresponding chain has failed. Figure 6C shows the system where a majority of the chains must agree. This is illustrated for dual redundant, triple redundant and quad redundant systems.
[00117] These onboard operated breaks can be implemented using either relays or transistor switches with series redundancy. For better hardware integration in meeting the current requirement of simultaneously operated commands, reliability and compactness of design, it is preferable to use MOS transistor switches for such an application. The size advantage of MOS transistor switches for pulsed and continuous operation also ensures that these elements can be made common to all commands.
[00118] The reconfiguration breaks are provided to operate even with failures in N-1 chains and enable a single healthy chain from continuing operation. In case of failure in (N-1) chains, the reconfiguration breaks will be commanded to execute the command from the single available healthy chain. Solid state transistor switches are preferable as reconfiguration breaks. Series redundancy can be provided for these reconfiguration breaks so that a failure of a single reconfiguration break will not compromise a chain's consistency check.
[00119] In Figure 6A, the reconfiguration breaks will be commanded to operate when all of the (N-1) parallel breaks fail. This can be known from the monitorings (MON-1 and MON-2). MON-1 will indicate the relay supply voltage (in the driver block) or the battery voltage (in the battery module) when the ground command is issued. MON-2 will be obtained only when a valid sequencing command is issued. If no voltage monitoring is obtained at MON-2 on commanding, it is assumed that all of the N-1 parallel breaks have failed, and the reconfiguration breaks will be operated. The reconfiguration breaks will also be operated if the isolation commands of the other chains have acted.
[00120] In Figure 6B, the reconfiguration breaks in parallel with a particular chain's breaks will be commanded if any one of the other corresponding parallel chains fails. The failed chain can be identified by knowing which monitoring voltage is not available.
[00121] In Figure-6C, the reconfiguration breaks will be commanded if MON-2 voltage is not obtained when a command is issued, and the corresponding chain is still healthy.
[00122] The total number of MOS transistor switches required for onboard operated battery ON/OFF and SAFE/ARM function assuming two breaks in series is 8 per chain for a quad redundant system, 6 per chain for a triple redundant system and 4 per chain for a dual redundant system (this is detailed in table 6).
[00123] The total number of MOS transistor switches required for reconfiguration breaks is 2 per chain (in series) for SAFE/ ARM breaks and 8 per chain for load side reconfiguration in series-parallel configuration to take care of requirement of simultaneous commands (this is detailed in table 6).
[00124] The comparison between MON-1 and MON-2/MON-A/MON-B etc. can be done either using analog circuits or after digital conversion within the FPGA/microcontroller. The validity of the command or the chain can be ensured from the health of the FPGA/microcontroller, the hardcore comparator status (OC1), or the output of comparator OC2, which indicates the health of the relay drivers/pins/relay coils.
[00125] The implemented system for a quad redundant commanding system with the methodology of onboard contact health monitoring and reconfiguration of safety breaks to command other squibs/ pyros or loads of very low resistance is illustrated in figures 7 and 8.
[00126] The system consists of a ground operated battery ON/OFF, onboard operated Battery ON/OFF consistency check module with reconfiguration as detailed above and the onboard operated safety breaks with FDIR per command in command, command-complement format.
[00127] It is assumed that the consistency check module is similar to Figure 6A, where at least two chains have to agree. A quad redundant system is also assumed for the analysis. The FDIR system consists of a common opto ICA whose primary side is connected to the safety break as shown in Figures 7 and 8. The secondary output of this opto is termed 'YA'. A resistor 'R3' is provided in each line (after the CMD break), which provides the path to this opto primary diode in case a command break is stuck in the Normally Open (NO) condition.
[00128] An opto coupler ICB, whose primary diode is connected to the test voltage circuit and also to the Normally Closed (NC) point of all command relays as shown in Figures 7 and 8, is used for FDIR. The secondary output of this opto is termed 'ZA'.
[00129] Opto couplers (whose outputs are designated X1, X2, ..., XP) are also provided at each load side through series resistors, so as to limit the load side current well below (at least an order below) the No Fire Current in the event of a break failure.
[00130] Now, as seen in Figures 7 and 8, the health of the load (resistance of the pyro squibs) can be assessed on the ground prior to operation by removing the shorting plug between the Normally Closed contact of the command bar relay and the load return. During this time, the opto on the load side can be kept disconnected by removing the plug (marked 'opto plug' in the figure).
[00131] After carrying out resistance measurement of the load as part of ground checks, the opto mating plug and load shorting plugs can be mated for final configuration. This will still ensure that sensitive loads like pyro squibs are in shorted condition till operation and also ensures the opto primary is protected from other stray voltages as well.
[00132] The secondary outputs of these optos are named X1, X2, ..., XP, where 'P' is the total number of load elements per chain.
[00133] The voltage VTEST can be either the battery voltage or the voltage of a few cells of the same battery. Here we assume VTEST is equal to the voltage of two lithium ion cells, ~8V. VTEST is connected to the opto ICA through another relay RLA, and to the midpoint of the command and command bar relays through relay RLB, only prior to the actual functioning, to ensure the relays are healthy.
[00134] For a typical circuit, the squib resistance along with line impedance is 2Ω and the series resistor (R2) is 0.5Ω to 1Ω. The resistor R3 is chosen as 2kΩ in each path. The resistor R1 is chosen as 500Ω, so as to limit the current through ICA opto primary within 11mA if all the command breaks were to inadvertently be stuck at NO (If only one command break were to be stuck at NO, then the current through the opto primary would be 2.5mA).
[00135] The series resistor Rx is chosen to be 5.2kΩ (4.7kΩ - 5.6kΩ), so as to ensure the opto primary currents of optos in parallel to the load is limited within 5mA. The series resistor Ry is chosen as 100Ω and Rz is chosen as 10Ω, which limits the current through the squib well below (at least an order below) the No Fire Current in the event of a command bar break failure.
[00136] It is proposed to actuate RLA and RLB prior to actual functioning commanding and to keep these relays in open condition during actual commanding which ensures that VTEST is not connected to the load path during commanding.
[00137] The outputs 'YA' and 'ZA', along with X1, X2, ..., XP, can be used to identify a fault in the relay or MOSFET contacts and isolate the chain in case of an anomaly. This is detailed in Table 4 for both the normal and the anomalous situations.
Table-4: FDIR system for switch contacts in pyro/ squib load side
Command break | Command bar break | Condition | YA | ZA | Xi | Remarks |
---|---|---|---|---|---|---|
Healthy | Healthy | Functionally not commanded (RLA and RLB closed) | HIGH | LOW | HIGH | Normal |
Healthy | Healthy | Functionally commanded (RLA and RLB open) | HIGH | HIGH | LOW | Normal |
Stuck at NC | Healthy | Not commanded (RLA and RLB closed) | HIGH | LOW | HIGH | Failure detected when commanded |
Stuck at NC | Healthy | Commanded (RLA and RLB open) | HIGH | HIGH | HIGH | Failure detected when commanded |
Stuck at NO | Healthy | Not commanded (RLA and RLB closed) | LOW | LOW | HIGH | Failure detected when not commanded |
Stuck at NO | Healthy | Commanded (RLA and RLB open) | HIGH | HIGH | LOW | Failure detected when not commanded |
Healthy | Stuck at NC | Not commanded (RLA and RLB closed) | HIGH | LOW | HIGH | Failure detected when commanded |
Healthy | Stuck at NC | Commanded (RLA and RLB open) | HIGH | HIGH | HIGH | Failure detected when commanded |
Healthy | Stuck at NO | Not commanded (RLA and RLB closed) | HIGH | HIGH | HIGH | Failure detected when not commanded |
Healthy | Stuck at NO | Commanded (RLA and RLB open) | HIGH | HIGH | LOW | Failure detected when not commanded |
Stuck at NO | Stuck at NO | Not commanded (RLA and RLB closed) | LOW | LOW | HIGH | Failure detected when not commanded |
Stuck at NO | Stuck at NC | Not commanded (RLA and RLB closed) | LOW | LOW | HIGH | Failure detected |
Stuck at NO | Stuck at NC | Commanded (RLA and RLB open) | HIGH | HIGH | HIGH | Failure detected |
Stuck at NC | Stuck at NO | Not commanded (RLA and RLB closed) | HIGH | HIGH | HIGH | Failure detected |
Stuck at NC | Stuck at NO | Commanded (RLA and RLB open) | HIGH | HIGH | HIGH | Failure detected |
Stuck at NC | Stuck at NC | Commanded (RLA and RLB open) | HIGH | HIGH | HIGH | Failure detected when commanded |
[00138] Hence the failure of the command and command bar relays can be detected in all these circumstances, and the faulty chain can then be isolated.
[00139] The system presented requires only P+2 optos for failure detection per chain. One opto is sufficient to detect failure of the command relays or MOSFETs in the stuck at NO/short condition. One more opto is sufficient to detect failure of the command bar relays in the NO condition. P optos are required for the P loads (one per load) to detect failure of the MOSFETs/relays in the open/stuck at NC condition.
[00140] Figures-7 and 8 are used for loads like pyros, where the resistance including series resistance and line resistance is within 4Ω to 5Ω and where safety constraints require that the measurement current through the squib be limited to within 10mA.
[00141] Figures-9 and 10 are useful for loads like valves or resistances that are higher (of the order of tens of ohms to hundreds of ohms) and that do not have safety constraints on the measurement current. It can be seen in Figures 9 and 10 that the opto coupler ICB is not used. Instead, the test voltage is applied through RLB to the opto in parallel with the load, which is sufficient to detect a command bar relay contact fault. This is detailed in Table-5 below.
[00142] For Figures-9 and 10, the design has been done for increased opto primary currents of 10mA to 15mA for the optos across the load when commanded. Hence R3 is chosen as 5kΩ and Rx can be chosen as 1kΩ. R1 is chosen as 300Ω and Ry as 10Ω. The load assumed is a valve of nominal 40Ω resistance with a series resistance (R2) of 2Ω. The nominal current required for valve operation is 0.75A and the voltage is around 28V.
Table-5: FDIR system for switch contacts in load side (load of few tens of ohms to hundreds of ohms)
Command break | Command bar break | Condition | YA | Xi | Remarks |
---|---|---|---|---|---|
Healthy | Healthy | Not commanded (RLA and RLB closed) | HIGH | HIGH | Normal |
Healthy | Healthy | Commanded (RLA and RLB open) | HIGH | LOW | Normal |
Stuck at NC | Healthy | Not commanded (RLA and RLB closed) | HIGH | HIGH | Failure detected when commanded |
Stuck at NC | Healthy | Commanded (RLA and RLB open) | HIGH | HIGH | Failure detected when commanded |
Stuck at NO | Healthy | Not commanded (RLA and RLB closed) | LOW | HIGH | Failure detected when not commanded |
Stuck at NO | Healthy | Commanded (RLA and RLB open) | HIGH | LOW | Failure detected when not commanded |
Healthy | Stuck at NC | Not commanded (RLA and RLB closed) | HIGH | HIGH | Failure detected when commanded |
Healthy | Stuck at NC | Commanded (RLA and RLB open) | HIGH | HIGH | Failure detected when commanded |
Healthy | Stuck at NO | Not commanded (RLA and RLB closed) | HIGH | LOW | Failure detected when not commanded |
Healthy | Stuck at NO | Commanded (RLA and RLB open) | HIGH | LOW | Failure detected when not commanded |
Stuck at NO | Stuck at NO | Not commanded (RLA and RLB closed) | LOW | LOW | Failure detected when not commanded |
Stuck at NO | Stuck at NC | Not commanded (RLA and RLB closed) | LOW | HIGH | Failure detected |
Stuck at NO | Stuck at NC | Commanded (RLA and RLB open) | HIGH | HIGH | Failure detected |
Stuck at NC | Stuck at NO | Not commanded (RLA and RLB closed) | HIGH | LOW | Failure detected |
Stuck at NC | Stuck at NO | Commanded (RLA and RLB open) | HIGH | HIGH | Failure detected |
Stuck at NC | Stuck at NC | Commanded (RLA and RLB open) | HIGH | HIGH | Failure detected when commanded |
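Tables 4 and 5 give the opto signatures a chain controller sees for each contact state. The following Python is an added example, not the patent's own implementation or circuit, that encodes both tables and derives the FDI decisions from them: detection as a deviation from the healthy signature for the current phase, diagnosis as the set of contact states consistent with what was observed in one or both phases, and a classification of which faults are caught while RLA and RLB are still closed, that is, before the chain is ever commanded. The dictionary encodings, the H/L abbreviation of HIGH/LOW, and the rule that an observation matching no tabulated state also isolates the chain are this example's own assumptions.

```python
"""Signature-based FDI for the load-side command and command bar breaks.

Added example, not the patent's implementation. Table-4 (pyro/squib loads,
optos YA, ZA, Xi) and Table-5 (resistive/valve loads, optos YA, Xi) are
encoded as the signature each contact state produces in each phase; H/L
stand for HIGH/LOW. Assumption: an observation that matches no tabulated
state is treated as a fault and the chain is isolated.
"""

NOT_CMD = "not_commanded"   # RLA and RLB closed: VTEST applied to the test optos
CMD = "commanded"           # RLA and RLB open: VTEST disconnected from the load path
HEALTHY = ("healthy", "healthy")

# key: (command break state, command bar break state)
TABLE4 = {  # signature = (YA, ZA, Xi)
    ("healthy", "healthy"):   {NOT_CMD: ("H", "L", "H"), CMD: ("H", "H", "L")},
    ("stuck_NC", "healthy"):  {NOT_CMD: ("H", "L", "H"), CMD: ("H", "H", "H")},
    ("stuck_NO", "healthy"):  {NOT_CMD: ("L", "L", "H"), CMD: ("H", "H", "L")},
    ("healthy", "stuck_NC"):  {NOT_CMD: ("H", "L", "H"), CMD: ("H", "H", "H")},
    ("healthy", "stuck_NO"):  {NOT_CMD: ("H", "H", "H"), CMD: ("H", "H", "L")},
    ("stuck_NO", "stuck_NO"): {NOT_CMD: ("L", "L", "H")},
    ("stuck_NO", "stuck_NC"): {NOT_CMD: ("L", "L", "H"), CMD: ("H", "H", "H")},
    ("stuck_NC", "stuck_NO"): {NOT_CMD: ("H", "H", "H"), CMD: ("H", "H", "H")},
    ("stuck_NC", "stuck_NC"): {CMD: ("H", "H", "H")},
}

TABLE5 = {  # signature = (YA, Xi); ICB and hence ZA are not used
    ("healthy", "healthy"):   {NOT_CMD: ("H", "H"), CMD: ("H", "L")},
    ("stuck_NC", "healthy"):  {NOT_CMD: ("H", "H"), CMD: ("H", "H")},
    ("stuck_NO", "healthy"):  {NOT_CMD: ("L", "H"), CMD: ("H", "L")},
    ("healthy", "stuck_NC"):  {NOT_CMD: ("H", "H"), CMD: ("H", "H")},
    ("healthy", "stuck_NO"):  {NOT_CMD: ("H", "L"), CMD: ("H", "L")},
    ("stuck_NO", "stuck_NO"): {NOT_CMD: ("L", "L")},
    ("stuck_NO", "stuck_NC"): {NOT_CMD: ("L", "H"), CMD: ("H", "H")},
    ("stuck_NC", "stuck_NO"): {NOT_CMD: ("H", "L"), CMD: ("H", "H")},
    ("stuck_NC", "stuck_NC"): {CMD: ("H", "H")},
}


def fault_detected(table, phase, observed):
    """Detection: the observed opto outputs differ from the healthy signature
    for this phase."""
    return tuple(observed) != table[HEALTHY][phase]


def consistent_states(table, phase, observed):
    """All contact states whose tabulated signature in `phase` matches."""
    return sorted(state for state, sig in table.items()
                  if phase in sig and sig[phase] == tuple(observed))


def diagnose(table, observations):
    """Isolation decision from one or both phases.

    observations: {phase: signature}. The hypothesis sets of the phases are
    intersected; the chain is isolated unless the healthy state survives.
    Returns (isolate, candidate_states).
    """
    candidates = None
    for phase, observed in observations.items():
        hypotheses = set(consistent_states(table, phase, observed))
        candidates = hypotheses if candidates is None else candidates & hypotheses
    candidates = candidates or set()
    return HEALTHY not in candidates, sorted(candidates)


def detectability(table):
    """For each faulty state, whether it shows while RLA/RLB are still closed
    ('before commanding'), only once commanded, or never."""
    healthy = table[HEALTHY]
    result = {}
    for state, sig in table.items():
        if state == HEALTHY:
            continue
        if NOT_CMD in sig and sig[NOT_CMD] != healthy[NOT_CMD]:
            result[state] = "before commanding"
        elif CMD in sig and sig[CMD] != healthy[CMD]:
            result[state] = "only when commanded"
        else:
            result[state] = "undetectable"
    return result


if __name__ == "__main__":
    # Pre-fire check on a squib chain: YA low with RLA/RLB closed means a
    # command break is conducting when it should not be.
    print(diagnose(TABLE4, {NOT_CMD: ("L", "L", "H")}))
    for name, table in (("Table-4", TABLE4), ("Table-5", TABLE5)):
        for state, when in detectability(table).items():
            print(name, state, "->", when)
```

Running the detectability pass over both tables reproduces the Remarks columns: every stuck at NO fault is visible in the not commanded phase, so it is caught by the pre-commanding test with VTEST applied, while a stuck at NC contact on either break only shows once the chain is commanded and the load fails to energize. The two stuck at NC cases share the same signature in both phases, so the optos cannot say which contact failed, but either hypothesis leads to the same decision, isolation of the chain.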
[00143] Reconfiguration breaks (made of transistor switches) are implemented on the command break side as well. These ensure that even after N-1 chains have failed, the squibs of the other chains for the same function can still be commanded. Hence one squib failure together with N-1 chain electrical failures can be handled.
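The fault tolerance argument of paragraph [00143], together with the consistency check of claims 6 and 7 and the reconfiguration breaks of claims 8 and 9, can be checked on an abstract model. The following Python is an added example, not the patent's circuit: it reduces the onboard SAFE/ARM and battery ON/OFF consistency blocks, the reconfiguration breaks and the cross-chain load commanding to boolean rules for a quad chain and then exercises the two properties the text claims. Its assumptions are that at least two chains must agree (the weaker reading of claim 7, `MIN_AGREEING = 2`), that the command bit of a chain already isolated by FDI does not count towards agreement, and that the squibs of isolated chains remain commandable through the battery-side reconfiguration breaks.

```python
"""Consistency check and reconfiguration model for an N-redundant command chain.

Added example (not the patent's circuit). Assumptions, as stated in the lead-in:
MIN_AGREEING = 2 reads claim 7 as "at least two chains"; a chain isolated by
FDI contributes nothing to the agreement count; squibs of isolated chains can
still be reached through the battery-side reconfiguration breaks.
"""
from dataclasses import dataclass, field

N_CHAINS = 4       # quad chain, as in Table-6
MIN_AGREEING = 2   # claim 7: "at least two or the majority of the chains"


@dataclass
class Chain:
    ident: int
    electrically_healthy: bool = True   # False once FDI has isolated the chain
    commanding: bool = False            # command bit posted by this chain's logic


@dataclass
class Function:
    """One sequencing function: one squib per chain, N squibs in total."""
    squib_ok: list = field(default_factory=lambda: [True] * N_CHAINS)


def consistency_enable(chains, requester):
    """Claims 6/7: the onboard SAFE/ARM and battery ON/OFF breaks route power to
    the requester's own load path only if at least MIN_AGREEING non-isolated
    chains coordinate with the issued command."""
    agreeing = sum(1 for c in chains if c.electrically_healthy and c.commanding)
    return (requester.electrically_healthy and requester.commanding
            and agreeing >= MIN_AGREEING)


def reconfiguration_enable(chains, requester):
    """Claims 8/9: the reconfiguration breaks operate only when every other chain
    has failed and commands still have to be executed from the single healthy chain."""
    others_failed = all(not c.electrically_healthy for c in chains if c is not requester)
    return requester.electrically_healthy and requester.commanding and others_failed


def squibs_fired(chains, function, reconfiguration=True):
    """Return, per squib of `function`, whether it fires.

    Through the consistency block a chain fires only its own squib. Through the
    reconfiguration breaks (paragraph [00143]) the last healthy chain can also
    command the squibs belonging to the other chains for the same function.
    """
    fired = [False] * N_CHAINS
    for c in chains:
        if consistency_enable(chains, c):
            targets = [c.ident]
        elif reconfiguration and reconfiguration_enable(chains, c):
            targets = range(N_CHAINS)
        else:
            continue
        for i in targets:
            if function.squib_ok[i]:
                fired[i] = True
    return fired


def scenario_inadvertent_command():
    """A logic fault in one chain posts a command that no other chain issued."""
    chains = [Chain(i) for i in range(N_CHAINS)]
    chains[2].commanding = True
    return squibs_fired(chains, Function())


def scenario_n_minus_1_chains_plus_one_squib():
    """Three chains isolated by FDI and the surviving chain's own squib failed.
    Returns the firing pattern with and without the reconfiguration breaks."""
    chains = [Chain(i, electrically_healthy=(i == 3), commanding=(i == 3))
              for i in range(N_CHAINS)]
    fn = Function(squib_ok=[True, True, True, False])
    return squibs_fired(chains, fn), squibs_fired(chains, fn, reconfiguration=False)


if __name__ == "__main__":
    print("rogue command from chain 2 fires:", scenario_inadvertent_command())
    with_reconf, without_reconf = scenario_n_minus_1_chains_plus_one_squib()
    print("N-1 chains + 1 squib failed, with reconfiguration:", with_reconf)
    print("N-1 chains + 1 squib failed, without reconfiguration:", without_reconf)
```

The second scenario is the case the text counts as N-1 chain electrical failures plus one squib failure: the surviving chain can never reach two agreeing chains, so without the reconfiguration path nothing fires, while with it the three remaining squibs of the function are commanded. Once a single chain remains, protection against an inadvertent command from that chain rests on the driver-side FDI of claim 10, which this model does not include.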
[00144] Due to the usage of MOSFET based switches and opto couplers, sneak circuit protection diodes are used to ensure that other loads are not operated inadvertently due to a particular command operation.
[00145] Table-6 highlights the comparison between the conventional scheme and present system in the number of safety breaks/ switches required for implementing the load side functionality for 100 commands per chain.
Table-6: Comparison between conventional and present system for a quad chain system in the number of safety breaks/ switches in load side for 100 commands per chain
No | Parameter | Conventional scheme (without FDIR) | Present system (with FDIR) | Remarks |
---|---|---|---|---|
1 | Number of safety breaks (after battery ON/OFF and after SAFE/ARM) required for functional command execution per chain | 100 four pole relays for command, 100 four pole relays for command complement function | 100 two pole relays / 200 MOSFET transistor switches for commands and 100 two pole relays for command complement functions (along with SRM and shorting capability) | Significant reduction in size and weight due to the smaller size of the relays. The functionality of SRM is also clubbed with the command complement breaks. |
2 | Number of ground operated battery ON/OFF per chain | 2 four pole relays (assuming a maximum of 6 contacts are functionally available; 240A simultaneous requirement can be met) | 2 four pole relays (assuming a maximum of 6 contacts are functionally available; 240A simultaneous requirement can be met) | No change |
3 | Number of ground operated SAFE/ARM per chain | 2 two pole relays (assuming redundancy is provided per chain) | 2 two pole relays (assuming redundancy is provided per chain) | No change |
4 | Number of onboard operated battery ON/OFF (for consistency check) | Not applicable | 8 MOS switches (4 x 2 for additional protection) for the overall chain | Added safety. Only four are required as a minimum configuration; however, one more is provided in series to prevent inadvertent operation in the case of a short mode failure. |
5 | Number of onboard operated SAFE/ARM (for consistency check) | Not applicable | 8 MOS switches (4 x 2 for additional protection) for the overall chain | |
6 | Number of reconfiguration breaks in driver block | Not applicable | 2 MOS switches | Added safety |
7 | Number of reconfiguration breaks in battery block | Not applicable | 4 (two in series and two in parallel) for the path related to loads of the same chain; an additional 4 (two in series and two in parallel) for the path related to loads of the other chain | Added safety |
8 | Ability to command other squibs from the other chains for the same function in case of (N-1) chain failure condition | NO | YES (all other squibs can be commanded through reconfiguration) | Improved fault tolerance for present system |
9 | Ability to consider (N-1) electrical failures and another 1 squib failure | NO | YES | Improved fault tolerance for present system |
10 | Number of optos for FDI | Not applicable | Optos required = number of loads/commands + 2 = 100 + 2 = 102 | Hardware overhead is minimal due to the use of SMD devices, but this provides end to end fault tolerance and improved reliability |
[00146] The design overhead lies only in the consistency block (onboard operated battery ON/OFF, onboard operated SAFE/ARM), the reconfiguration breaks and the number of optos used for contact fault detection.
[00147] However, this portion of the circuit is common to all commands that can be accommodated in the battery module and driver module, and hence is only a minimal overhead. The system requires at most 26 MOSFET breaks and 102 optos per chain to implement a system with 100 pyros to be operated per chain.
[00148] Compared to the existing scheme, the number of relay contacts is reduced by 50%, which provides for better functional integration. Furthermore, the test voltage is applied through a common relay to all opto coupler inputs only when the health of the contacts is to be verified (non-functional time); thereafter the test voltage is disconnected from the opto coupler inputs.
[00149] The outputs X1 to XP can be inverted and given to another analog circuit as in Figure-4 for comparison with the expected differential buffer signals Vx and Vy. Any mismatch indicates a failure and can lead to isolation of the faulty chain.
[00150] The health of the ARM and ARM complement relay contacts, or of the solid-state load side circuit (which powers the relay coil of the command drivers), can also be monitored using a configuration similar to Figures 8 and 9, to ensure that no inadvertent commands are posted due to ARM and ARM complement contacts stuck at NO/closed mode failures during simultaneous commanding.
[00151] Advantageous features of the present invention:
a) Fault detection and isolation circuit has capability to detect faults of safety break (relay or opto isolated solid-state switches) drivers in open or short mode.
b) Fault detection and isolation circuit has the capability to detect faults in safety break circuits which include relay coil faults of electromechanical relays OR opto diode faults of opto isolated solid-state switches.
c) Fault detection and isolation circuit has the capability to detect faults in commanding logic devices like ASICs / FPGAs / microcontrollers / microprocessors and to isolate the chain from issuing an inadvertent command.
d) Fault detection and isolation circuit has capability to detect faults of load side relay contacts in closed (Operate) condition, which can be detrimental to the system safety and isolate the faulty chain from operation.
e) Reconfiguration capability for load commanding of other chains for each function in the event of N-1 chain failures.
f) Capable of monitoring contact stuck at Normally Open or Normally Closed faults in the load side without compromising galvanic isolation of relay breaks.
g) Detects and isolates failures of safety break contacts in closed or open condition by monitoring the status of a low strength source (opto coupler-based circuit) placed in the load line.
h) Prevents execution of inadvertent commands even under multiple (up to four) element failures in a particular quad chain.
i) It is an add-on to existing systems and enhances fault tolerance with minimal overhead. For operating 100 commands per chain, the overhead amounts to 40 optos for driver FDI in the driver module, 102 optos for contact failure detection in the load safety break module and 26 solid state switches / MOSFETs for consistency check and reconfiguration, which does not add size and weight constraints given the use of surface mount devices. The reuse of hardware elements in the driver circuits for different commands results in an improvement by n/2 times (n being the number of arm or command drivers), which corresponds to a 5 times (80%) reduction in safety break drivers and digital logic command pins when 100 commands are to be executed, thus optimizing space, weight and cost while still improving reliability. It also results in a 2 times (50%) reduction in the number of relay contacts used on the load side, and the additional EDT circuits can be accommodated within the same footprint as the existing cards.
[00152] Application of the present invention:
a) An N-redundant safety critical chain for sequencing or staging functions of launch vehicles, human rated launch systems, industrial automated systems, nuclear reactor sequencing, or any other application where the safety of the sequencing breaks is safety critical.
b) Add-on circuit for detecting failures of safety breaks or safety break drivers with minimal hardware overhead.
c) Implementing hardware commanding solutions with minimal control circuitry through efficient and reliable re-use of hardware resources.
[00153] The foregoing description of the invention has been set out merely to illustrate the invention and is not intended to be limiting. Since modifications of the disclosed embodiments incorporating the substance of the invention may occur to a person skilled in the art, the invention should be construed to include everything within its scope.
Claims:
1. A fault detection isolation and reconfiguration system (100) for safety breaks and relay drivers in redundant systems, the fault detection isolation and reconfiguration system (100) comprising:
- a driver block (10) comprising:
o a driver side supply (11);
o a ground operated SAFE/ARM break (12) connected in series with the driver side supply (11);
o an onboard operated SAFE/ARM break (13) connected in series with the ground operated SAFE/ARM break (12);
o one or more reconfiguration break (14) connected in parallel with the onboard operated SAFE/ ARM break (13); and
o the driver module with FDIR (15) connected in series with the onboard operated SAFE/ ARM break (13) and one or more reconfiguration break (14),
- a battery module (20) comprising:
o a load side battery (21);
o a ground operated battery ON/OFF break (22) connected between the positive and negative terminals of the load side battery (21);
o an onboard operated battery ON/OFF break (23) connected in series with the ground operated battery ON/OFF break (22) at positive terminal of load side battery (21);
o one or more reconfiguration breaks (24) connected in parallel with the onboard operated battery ON/OFF break (23) at the positive terminal of the load side battery (21); and
o a current sensor (25) connected in series with the ground operated battery ON/OFF break (22) at negative terminal of load side battery (21),
- an onboard operated safety break with FDIR module (30) comprising one or more safety breaks connected in series, and
- one or more chain of one or more load connected across onboard operated safety break with FDIR module (30) and the battery module (20);
wherein the module (30) is configured to operate one or more loads on its own chain and on chains other than its own in the case of failures on those other chains.
2. The system (100) as claimed in claim 1, wherein the driver block (10) connects a digital logic commanding block mounted inside the driver module with FDIR (15) to one or more load side switches through one or more relay drivers.
3. The system (100) as claimed in claim 1, wherein the ground operated SAFE/ARM break (12) is configured to operate one or more relay drivers in a SAFE mode when no command is issued by the system (100) and in ARM mode when a command is issued by the system (100).
4. The system (100) as claimed in claim 1, wherein the ground operated battery ON/OFF break (22) is configured to turn OFF the battery module (20) when no command is issued by the system (100) and turn ON the battery module (20) when a command is issued by the system (100).
5. The system (100) as claimed in claim 1, wherein the onboard operated SAFE/ ARM break (13) and the onboard operated Battery ON/OFF break (23) are implemented by relays or transistor switches with series redundancy.
6. The system (100) as claimed in claim 1, wherein the onboard operated SAFE/ ARM break (13) and the onboard operated battery ON/OFF break (23) are implemented as consistency check logic blocks with other healthy chains in the system (100).
7. The system (100) as claimed in claim 6, wherein the onboard operated SAFE/ ARM break (13) and the onboard operated battery ON/OFF break (23) are further configured to route the power to one or more relay drivers and transistor switches if at least two or the majority of the chains coordinate with the issued command.
8. The system (100) as claimed in claim 1, wherein the one or more reconfiguration breaks (14) operate if all other chains failed and commands are still to be executed from a single healthy chain in the driver block (10).
9. The system (100) as claimed in claim 1, wherein the one or more reconfiguration break (24) operates if all other chains failed and commands are still to be executed from a single healthy chain in the load side.
10. The system (100) as claimed in claims 1 and 2, wherein the system (100) detects and isolates failure of the digital logic commanding block mounted inside the driver module with FDIR (15) when the block attempts to issue an inadvertent command and command complement.
11. The system (100) as claimed in claim 1, wherein the system (100) isolates up to (N-1) chain failures in an N redundant system and reconfigures the redundant system in the load side without single point failures.
12. The system (100) as claimed in claims 1 and 2, wherein the system (100) is configured to perform:
fault detection and isolation (FDI) of the chain based on detection of faults in relay drivers or transistor switch from the corresponding digital logic commanding block mounted inside the driver module with FDIR (15) and
fault detection, isolation and reconfiguration (FDIR) of the chain based on detection of faults in relay drivers or transistor switch on the load side.
13. The system (100) as claimed in claim 12, wherein the system (100) has an inbuilt fault detection and isolation (FDI) logic and implemented through an analog FDI circuit to perform fault detection and isolation (FDI) of the chain based on detection of faults in relay drivers or transistor switch from the corresponding digital logic commanding block mounted inside the driver module with FDIR (15).
14. The system (100) as claimed in claim 1, wherein the safety break is a relay or an opto isolated solid-state safety break.
15. The system (100) as claimed in claim 1, wherein the system (100) detects faults of safety break in open (OFF) or short (ON) mode.
16. The system (100) as claimed in claims 14 and 15, wherein the fault is an isolated coil failure in open mode or short mode for relays, and/or an opto primary diode failure in open mode or short mode on the opto isolated solid-state safety break.
Documents
Name | Date |
---|---|
202441085403-Proof of Right [18-11-2024(online)].pdf | 18/11/2024 |
202441085403-EVIDENCE OF ELIGIBILTY RULE 24C1e [08-11-2024(online)].pdf | 08/11/2024 |
202441085403-FORM 18A [08-11-2024(online)].pdf | 08/11/2024 |
202441085403-FORM-8 [08-11-2024(online)].pdf | 08/11/2024 |
202441085403-COMPLETE SPECIFICATION [07-11-2024(online)].pdf | 07/11/2024 |
202441085403-DECLARATION OF INVENTORSHIP (FORM 5) [07-11-2024(online)].pdf | 07/11/2024 |
202441085403-DRAWINGS [07-11-2024(online)].pdf | 07/11/2024 |
202441085403-FIGURE OF ABSTRACT [07-11-2024(online)].pdf | 07/11/2024 |
202441085403-FORM 1 [07-11-2024(online)].pdf | 07/11/2024 |
202441085403-FORM-9 [07-11-2024(online)].pdf | 07/11/2024 |
202441085403-POWER OF AUTHORITY [07-11-2024(online)].pdf | 07/11/2024 |
202441085403-REQUEST FOR EARLY PUBLICATION(FORM-9) [07-11-2024(online)].pdf | 07/11/2024 |