CN113918368B - Safety output circuit with physical disconnection mode and implementation method - Google Patents

Info

Publication number
CN113918368B
Authority
CN
China
Prior art keywords
circuit
output
self
watchdog
cpu module
Prior art date
Legal status
Active
Application number
CN202111169489.1A
Other languages
Chinese (zh)
Other versions
CN113918368A (en)
Inventor
郭宝元
金丽美
肖茂波
姜波
范俊成
王玮琦
王国锋
刘运涛
杨浩
李堃
赵晨曦
刘志刚
仝大永
年旺
Current Assignee
Shenyang Railway Signal Co Ltd
Original Assignee
Shenyang Railway Signal Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenyang Railway Signal Co Ltd
Priority to CN202111169489.1A
Publication of CN113918368A
Application granted
Publication of CN113918368B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751 Error or fault detection not based on redundancy
    • G06F11/0754 Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757 Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Safety Devices In Control Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A safety output circuit with a physical disconnection mode and a method for implementing it, belonging to the technical field of safety output circuits. The circuit comprises a fuse, a dynamic driving circuit, a readback module, a CPU circuit, a watchdog circuit and a self-protection circuit. The CPU circuit is connected to the dynamic driving circuit and drives it; the dynamic driving circuit is connected to the CPU circuit through the readback module, and the CPU circuit acquires the output of the dynamic driving circuit; the CPU circuit is connected to the watchdog circuit and supplies it with a watchdog feed signal; the watchdog circuit is connected to the self-protection circuit, whose two output terminals are connected to the power supply and to ground respectively; the fuse is installed in the power supply path. Output under unexpected conditions is removed by the physical disconnection of blowing the fuse, so that the dynamic driving circuit achieves inherent "fail-safe" behaviour.

Description

Safety output circuit with physical disconnection mode and implementation method
Technical Field
The invention belongs to the technical field of safety output circuits, and particularly relates to a safety output circuit with a physical disconnection mode and an implementation method thereof.
Background
The dynamic working mode is a very effective fault detection and safety protection measure commonly adopted in railway signal systems, particularly in the design and implementation of acquisition unit circuits, driving unit circuits and their control circuits. It protects against static faults, in particular the "error retention" of a control output, and provides inherent fail-safety to a certain extent.
In fact, among the various faults that lead to erroneous outputs, "error retention" of an output is a condition that cannot be neglected and occurs easily, and it is peculiar to computer control systems.
"Dynamic driving" is a driving method in which, when a drive control toward the non-restrictive "dangerous side" is given, software is required to alternately issue "ON" and "OFF" control commands to the driving circuit at a certain period. Unlike a static driving mode, the dynamic driving circuit converts and isolates between a dynamic logic-level pulse sequence and a static driving level, and the key to dynamic driving is mainly the manner and the safety of that conversion in the driving unit circuit. Since the dynamic driving mode is essentially a driving mode with an inherent "fail-safe" property against static faults, it is usually realized by adopting some inherently "fail-safe" technical measure, so that the driving unit circuit gives an effective driving output (level) only when a pulse sequence of a certain frequency or some alternating signal is input; any static level/current input (fixed ON or fixed OFF) is ineffective for it, and is therefore safe.
Random hardware faults of a digital computer are usually static faults, and in a non-complex driver program the possibility that a software bug produces a continuous, regular pulse output is extremely low. The dynamic driving mode is therefore the most thorough method of protecting the driving circuit, including against "error retention", from any software or hardware fault that leads to "fixed ON" or "fixed OFF". In particular it gives good safety protection against lightning strikes and even extreme cases such as the intrusion of traction current, which can cause simultaneous breakdown of multiple subsystems and multistage control devices. The dynamic driving mode is also used to control a rejection mechanism that forces the system to a safe state: it usually drives a relay that switches on the control power supply of the system while the system is normal, and cuts off the control power supply once the pulse driving stops.
The key element in implementing the dynamic driving mode is a pulse-to-level (intrinsically) "fail-safe" circuit. This circuit converts the driving pulse sequence at logic voltage levels given by the computer into an energy driving level at relay voltage levels in a fail-safe manner, and finally realizes the safety control of the safety relay. Because the pulse driving mode generally has poor anti-interference capability, and periodic readback detection cannot completely and effectively monitor the effect of interference from higher-frequency pulses, the possibility that interference causes the circuit to malfunction undetected exists in theory; the anti-interference capability of the front-stage pulse driving circuit is therefore strictly required.
Railway signals and the like place strict requirements on safety outputs: once an output is judged to be inconsistent with the expected output, the problem cannot be solved by means such as re-judging or restarting. CPU errors and two-point faults of the dynamic driving circuit, as well as power-supply pulse interference and faults of the dynamic driving circuit, can produce an erroneous safety output, so that the dynamic driving circuit cannot achieve fail-safety.
Disclosure of Invention
To address the problem that a dynamic circuit in the prior art cannot achieve fail-safety, the invention provides a safety output circuit with a physical disconnection mode and a method for implementing it. Output under unexpected conditions is removed by the physical disconnection of a fuse, so as to ensure that the dynamic driving circuit achieves inherent fail-safety.
The invention adopts the following technical scheme:
A safety output circuit with a physical disconnection mode comprises a fuse, a dynamic driving circuit, a readback module, a CPU module, a watchdog circuit and a self-protection circuit. The CPU module is connected to the dynamic driving circuit and drives it; the dynamic driving circuit is connected to the CPU module through the readback module, and the CPU module acquires the output of the dynamic driving circuit; the CPU module is connected to the watchdog circuit and supplies it with a watchdog feed signal; the watchdog circuit is connected to the self-protection circuit; the two output terminals of the self-protection circuit are connected to the power supply and to ground respectively; and the fuse is installed in the power supply path.
Further, the self-protection circuit is composed of a relay and a resistor. The input-side coil of the relay is connected to the output signal of the watchdog circuit; the output side of the relay is a normally open contact, one end of which is connected to the fuse and the other end of which is grounded.
The method for implementing the safety output circuit with the physical disconnection mode comprises the following steps:
1) The self-protection circuit is connected to the CPU module through the watchdog circuit;
2) The CPU module judges the working states of the CPU module and the dynamic driving circuit through self-checking or the readback module, and supplies different watchdog feed signals to the watchdog circuit;
3) The watchdog circuit receives the watchdog feed signal output by the CPU module and outputs a signal to the self-protection circuit;
4) The self-protection circuit controls, through its output node, whether the fuse is blown;
5) The single output process ends.
Further, in step 2), if the CPU module judges through self-checking or the readback module that the circuit is faulty, it stops outputting the watchdog feed signal; the watchdog circuit outputs a high level, the self-protection circuit is enabled, the power supply and GND are short-circuited, the fuse is blown, the safety output port has no output level, and the single output process ends.
Further, in step 2), if the CPU module judges through self-checking or the readback module that the circuit is normal, it generates the watchdog feed signal and supplies it to the watchdog circuit; the watchdog circuit outputs a low-level signal, the output node of the self-protection circuit remains open, and the single output process ends.
Further, in step 3), after the watchdog circuit outputs a high level to drive the relay coil, the normally open contact of the relay conducts and the fuse in the power circuit is blown by the short circuit, ensuring that the circuit has no output.
The invention has the following beneficial effects and advantages:
In the dynamic driving circuit with a physical disconnection mode according to the invention, output under unexpected conditions is removed by the physical disconnection of the fuse. Actively blowing the fuse solves the problem of a safety output that is inconsistent with the expected output after a circuit fault caused by power supply interference and the like, so safety is high.
Drawings
FIG. 1 is a schematic block diagram of the dynamic safety output circuit;
FIG. 2 is a flow chart of the method for implementing the dynamic safety output circuit with a physical disconnection mode according to the invention;
FIG. 3 is a schematic diagram of the self-protection circuit.
Detailed Description
The invention will be described in further detail with reference to the drawings and the detailed description.
As shown in FIG. 1, in order to obtain the working condition (normal working or damage) of a safety output circuit, the invention provides a safety output circuit with a physical disconnection mode, which comprises a fuse, a dynamic driving circuit, a readback module, a CPU module, a watchdog circuit and a self-protection circuit. The CPU module is connected to the dynamic driving circuit and drives it; the CPU module is connected to the readback module and acquires the output of the dynamic driving circuit; the CPU module is connected to the watchdog circuit and continuously supplies it with a watchdog feed signal; the watchdog circuit is connected to the self-protection circuit; the two output terminals of the self-protection circuit are connected to the power supply and to ground respectively; and the fuse is installed in the power supply circuit.
The CPU module judges the state of the circuit through self-checking and the readback module, and controls whether the fuse is blown through the watchdog circuit and the self-protection circuit.
As shown in FIG. 3, the self-protection circuit is composed of a relay and a resistor. The input-side coil of the relay is connected to the output signal of the watchdog circuit; the output side of the relay is a normally open contact, one end of which is connected to the fuse and the other end of which is grounded.
As shown in FIG. 2, the invention further provides a method for implementing a dynamic driving circuit with a physical disconnection mode, which includes the following steps:
1) The self-protection circuit is connected to the CPU module through the watchdog circuit;
2) The CPU module judges the working states of the CPU module and the dynamic driving circuit through self-checking or the readback module, and supplies different watchdog feed signals to the watchdog circuit;
3) The watchdog circuit receives the watchdog feed signal output by the CPU module and outputs a low-level signal (the opposite of the self-protection circuit's enable signal) to the self-protection circuit;
4) The self-protection circuit controls, through its output node, whether the fuse is blown;
5) The single output process ends.
In step 2), if the CPU module judges through self-checking or the readback module that the circuit is faulty, it stops outputting the watchdog feed signal; the watchdog circuit outputs a high level, the self-protection circuit is enabled, the power supply and GND are short-circuited, the fuse is blown, the safety output port has no output level, and the single output process ends.
In step 2), if the CPU module judges through self-checking or the readback module that the circuit is normal, it generates the watchdog feed signal and supplies it to the watchdog circuit; the watchdog circuit outputs a low-level signal, the output node of the self-protection circuit remains open, and the single output process ends.
As shown in FIG. 3, the self-protection circuit is composed of a relay and a resistor. When the watchdog circuit outputs a high level to drive the relay coil, the relay contact conducts and the fuse in the power circuit is blown by the short circuit, ensuring that the circuit has no output.
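The fault path of steps 1) to 5) as a small C model, added here as an illustration and not code from the patent: the tick-based watchdog, the `WDT_TIMEOUT_TICKS` value, the stuck-ON fault injection and all function names are assumptions. It shows that a readback mismatch or a failed self-check stops the feed, the watchdog times out and the fuse opens the supply path, and that resuming the feed afterwards does not restore the output.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed for this model: the page gives no watchdog timeout value. */
#define WDT_TIMEOUT_TICKS 3u

typedef struct {
    bool stuck_on;       /* injected static fault: driver output held ON */
    bool fuse_intact;    /* one-way state: a blown fuse never recovers */
    bool wdt_out_high;   /* high level enables the self-protection circuit */
    unsigned since_feed; /* ticks since the last watchdog feed */
} safety_output;

void so_init(safety_output *s) {
    s->stuck_on = false;
    s->fuse_intact = true;
    s->wdt_out_high = false;
    s->since_feed = 0;
}

/* Level at the safety output port; the driver is powered through the fuse. */
bool so_port_level(const safety_output *s, bool commanded) {
    return s->fuse_intact && (s->stuck_on || commanded);
}

/* Step 2: feed only if the self-check passes and readback matches the command. */
bool cpu_feed_decision(const safety_output *s, bool self_check_ok, bool commanded) {
    return self_check_ok && so_port_level(s, commanded) == commanded;
}

/* Steps 3-4: missed feeds -> watchdog output high -> relay contact closes ->
 * supply shorted to GND -> fuse blows. */
void so_tick(safety_output *s, bool feed) {
    if (feed) s->since_feed = 0;
    else if (s->since_feed < WDT_TIMEOUT_TICKS) s->since_feed++;
    s->wdt_out_high = s->since_feed >= WDT_TIMEOUT_TICKS;
    if (s->wdt_out_high) s->fuse_intact = false;
}

/* Constructed scenario: CPU commands OFF; driver sticks ON at fault_tick
 * (pass -1 for no driver fault). Returns the first tick at which the fuse
 * is blown, or -1 if it is still intact after n ticks. */
int tick_fuse_blows(int n, int fault_tick, bool self_check_ok) {
    safety_output s;
    so_init(&s);
    for (int t = 0; t < n; t++) {
        if (t == fault_tick) s.stuck_on = true;
        so_tick(&s, cpu_feed_decision(&s, self_check_ok, false));
        if (!s.fuse_intact) return t;
    }
    return -1;
}

/* After the fuse has blown, resume feeding and command ON: is the port live? */
bool port_live_after_refeed(void) {
    safety_output s;
    so_init(&s);
    for (unsigned t = 0; t < WDT_TIMEOUT_TICKS; t++) so_tick(&s, false);
    so_tick(&s, true);               /* watchdog output returns low ... */
    return so_port_level(&s, true);  /* ... but the supply path stays open */
}

int main(void) {
    printf("healthy: %d\n", tick_fuse_blows(10, -1, true));
    printf("stuck ON at tick 2: %d\n", tick_fuse_blows(10, 2, true));
    printf("self-check failing: %d\n", tick_fuse_blows(10, -1, false));
    printf("port live after refeed: %d\n", port_live_after_refeed());
    return 0;
}
```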

Claims (2)

1. A safety output circuit with a physical disconnection mode, characterized by comprising a fuse, a dynamic driving circuit, a readback module, a CPU module, a watchdog circuit and a self-protection circuit, wherein the CPU module is connected to the dynamic driving circuit and drives the dynamic driving circuit; the dynamic driving circuit is connected to the CPU module through the readback module, and the CPU module acquires the output of the dynamic driving circuit; the CPU module is connected to the watchdog circuit and supplies a watchdog feed signal to the watchdog circuit; the watchdog circuit is connected to the self-protection circuit; the two output terminals of the self-protection circuit are connected to a power supply and to ground respectively; the fuse is installed in the power supply path; the self-protection circuit consists of a relay and a resistor, the input-side coil of the relay is connected to the output signal of the watchdog circuit, one end of the relay is connected to the fuse and the other end of the relay is grounded; and after the watchdog circuit outputs a high level to drive the relay coil, the normally open contact of the relay conducts and the fuse in the power supply circuit is blown by the short circuit, ensuring that the circuit has no output.
2. A method for implementing the safety output circuit with the physical disconnection mode according to claim 1, wherein the method comprises the following steps:
Step 1), the self-protection circuit is connected to the CPU module through the watchdog circuit;
Step 2), the CPU module judges the working states of the CPU module and the dynamic driving circuit through self-checking or the readback module, and supplies different watchdog feed signals to the watchdog circuit;
Step 3), the watchdog circuit receives the watchdog feed signal output by the CPU module, and the watchdog circuit outputs a signal to the self-protection circuit;
Step 4), the self-protection circuit controls, through its output node, whether the fuse is blown;
Step 5), the single output process ends;
In step 2), if the CPU module judges through self-checking or the readback module that the circuit is faulty, it stops outputting the watchdog feed signal, the watchdog circuit outputs a high level, the self-protection circuit is enabled, the power supply and GND are short-circuited, the fuse is blown, the safety output port has no output level, and the single output process ends;
In step 2), if the CPU module judges through self-checking or the readback module that the circuit is normal, it generates the watchdog feed signal and supplies it to the watchdog circuit, the watchdog circuit outputs a low-level signal, the output node of the self-protection circuit remains open, and the single output process ends.
CN202111169489.1A 2021-10-08 2021-10-08 Safety output circuit with physical disconnection mode and implementation method Active CN113918368B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111169489.1A CN113918368B (en) 2021-10-08 2021-10-08 Safety output circuit with physical disconnection mode and implementation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111169489.1A CN113918368B (en) 2021-10-08 2021-10-08 Safety output circuit with physical disconnection mode and implementation method

Publications (2)

Publication Number Publication Date
CN113918368A (en) 2022-01-11
CN113918368B (en) 2025-07-08

Family

ID=79238343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111169489.1A Active CN113918368B (en) 2021-10-08 2021-10-08 Safety output circuit with physical disconnection mode and implementation method

Country Status (1)

Country Link
CN (1) CN113918368B (en)

Also Published As

Publication number Publication date
CN113918368A (en) 2022-01-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant