Copyright © 2001 IFAC. IFAC Conference on New Technologies for Computer Control, 19-22 November 2001, Hong Kong
A FAST AND FAIL SAFE COMPARATOR OF BINARY DATA WITH TERNARY RESULT AND STATUS OUTPUT
Josef von Stackelberg
Graumannsstieg 1 a, 22885 Barsbüttel, Germany
[email protected]
Abstract: In safety related computer control, redundancy is used to cope with errors of any kind. To detect errors, redundantly produced results must be compared, which places the responsibility for system safety on the comparators. Since comparison reduces the degree of redundancy, comparators are best implemented as hardware devices with fail safe behaviour. Currently available fail safe comparator circuits, however, constitute bottlenecks in safety related computing systems due to their low processing speeds. Moreover, in case of malfunctions, such comparators do not distinguish between comparison errors and comparator errors. To solve these problems, a novel fail safe comparator of two binary inputs is presented, which indicates not only a result but also its status. Built in a modified CMOS technology, it can match the execution speed of digital computers. In contrast to all earlier designs of fail safe comparators, by employing ternary logic it provides three different output values, making it possible to distinguish between the three indications "inputs equal and comparator working properly", "inputs unequal and comparator working properly" and "comparator malfunctioning". The comparator consists of 37 modules. Its circuit structure ensures triple error protection at any time. Keywords: Fail safe comparator, high speed comparator, ternary logic, result and status indication, safety related computing.
1. INTRODUCTION
As a result of the progress in computer technology, but also with respect to sensors and actuators, it became possible to master even complex control and automation functions elegantly by software based solutions. The advantage of programmable digital equipment is that there are always defined and reproducible machine states, and that desired changes in control sequences can be achieved without considerable manual effort. One important field in control engineering, however, has remained almost untouched by this development, with the exception of some individual solutions: safety related systems. In particular, when human lives, expensive equipment or the environment are to be protected, i.e., when a high degree of safety is required, semiconductor based computer technology cannot offer solutions matching the plenitude of applications found elsewhere. Primarily, this is due to the fact that the classical control components (switches, relays, thermoswitches etc.) have high probabilities of assuming a certain "natural" switching state in case of failure, namely the state of disconnection. This makes it possible to design controllers performing safety related tasks in such a way that, in case of component failures, the entire controllers assume states which are safe for persons and the processes controlled ("fail safe principle"). Semiconductor devices, on the other hand, which are
practically used everywhere these days, assume unpredictable states such as short circuits or complete disruptions in case of defects. Therefore, it is impossible to associate an unambiguous error state with a semiconductor component. One way to solve this problem is to use redundant controller structures. In technical applications this means that control components are replicated to fulfil the same task. Furthermore, switching to any state other than a safe one is subject to monitoring with majority or unanimity voting, and the controlled devices or processes are brought to safe states in case of disagreement. Depending upon the number of components working concurrently, one speaks of single or multiple error protection. For instance, when three components are used and the failure of two is safely and correctly tolerated, double error protection is given. As the design of redundant controllers necessarily leads to parallel structures and parallel task processing, the generated results need to be monitored by comparators embedded at defined points between the modules working concurrently. Hence, the responsibility for system safety rests on the comparators. Since comparison reduces the degree of redundancy, comparators are best implemented as hardware devices with fail safe behaviour. The currently available fail safe logic families from which comparator circuits can be built, however, constitute bottlenecks in safety related computing systems due to their low processing speeds. The short outline of the only two presently marketed families of fail safe logic in the next section will show that they only allow for comparators working in the kHz range, whereas computing equipment is 3 to 5 orders of magnitude faster. Moreover, at their outputs they only provide two values, signifying either (1) inputs equal and comparator properly working, or (2) inputs unequal or comparator malfunctioning, i.e., they do not differentiate between comparison errors and comparator errors. If these alternatives were distinguished, they could be handled in more specific ways. To solve these two problems of insufficient speed and indiscriminate output information, a novel fail safe comparator of two binary inputs was developed, which indicates not only a result but also its functional status. Built in a modified CMOS technology, it works in the MHz range and can thus match the execution speed of digital computers. In contrast to all earlier designs of fail safe comparators, by employing ternary logic it
provides three different output values, making it possible to distinguish between the three indications (a) inputs equal and comparator working properly, (b) inputs unequal and comparator working properly, and (c) comparator malfunctioning. These signal states may be sensed and further processed by conventional semiconductor circuits without any problems.
2. INDUSTRIAL FAIL SAFE MODULES

By module we mean a unit capable of realising certain, mainly simple, logic functions (And, Or, Not). Fail safe modules are developed in special technologies which assure predictable behaviour of the outputs in case of any failure. Normally, such behaviour is equivalent to falling into the switched-off state. Galvanic separation of inputs and outputs is a common feature. There exist a few families of fail safe modules applying different principles of operation. Here we shall mention two of them, Planar and MagLog, which are well established in the market.
2.1 HIMA Planar Logic

This logic (HIMA, 1991; HIMA, 1992) is built by Paul Hildebrandt GmbH & Co. KG of Brühl, Germany. Its operating principle is to convert slowly varying input signals into alternating ones (modulation). The alternating signals are processed internally according to a module's function. The result, still an alternating signal, is then converted back into a slowly varying signal presented at the output (demodulation). Besides gates, this fail safe logic family includes a hold unit, a delay, and input and output amplifiers. The modules are built of discrete elements, for which the behaviour can be predicted more easily than for integrated circuits. The settling time after input changes, however, is quite long, viz., 3 to 10 ms.
Conjunction. If the input contacts of this circuit are closed (high state), transistors transfer the alternating signal from a generator to a transformer and further to the output. A rectifier and a capacitor provide constant voltage at the output. If at least one of the input contacts is open (low state), transfer of the signal is not possible, and no alternating voltage reaches the transformer. So, the voltage at its secondary side becomes zero. The capacitor discharges after a while through a resistor and the input resistance of the next module, and the output voltage is zero. The same situation arises if any of the transistors fails; the type of failure (short circuit or break) does not matter. So, the module reacts in the same way both to a zero input and to failures. Low level at the output denotes the fail safe state. The capacitors connecting successive stages are protected from short circuits by resistors. Due to a special technology, short circuits of resistors are eliminated. Shorting of the output to the supply voltage is not possible due to the particular construction of the transformer and the layout of the circuit board. It should be clear that the use of alternating signals and the transformer assures the fail safe behaviour: no other standard element would guarantee zero output in case of failure.
Disjunction All elements of the circuit implementing the Or function are passive. At each input three diodes are used in series. As long as not more than two of the diodes fail , the circuit remains operational. A resistor protects the diodes from shorting.
2.2 GTI MagLog 24

This Mag(netic) Log(ic) (GTI, 1993) is built by GTI Industrial Automation, Apeldoorn, The Netherlands. In it a toroidal core (such as in core memories) with a few windings coiled around it plays the essential role. An additional simple circuit involves a transistor and a pulse modulator consisting of a winding on another core, a coil, and a diode. The cores (permalloy) have a large hysteresis providing two stable states. A core with appropriate windings is capable of performing simple logic functions (And, Or, Not). It also separates the circuits galvanically.

Operational Principle. The logic high state is defined as a sequence of short pulses of 1 kHz frequency; lack of pulses denotes the low state. The pulses appearing at the input windings of the MagLog And gate are phase shifted. Since the windings are coiled in different directions, the pulses continuously re-magnetise the core, so positive and negative pulses appear at the output winding. Naturally, pulses only appear at the output if pulses are present at both inputs. Positive output pulses trigger a transistor which transfers them to the input of another module (second core). If one or both of the input sequences are missing, no output sequence appears. The Or function is obtained by coiling the two input windings in the same direction on a core, and connecting another winding of the opposite direction to the pulse generator. The output is then provided by a fourth winding.
3. FAST FAIL SAFE COMPARATOR WITH TERNARY OUTPUT

Since the two families of industrial fail safe modules outlined above offer switching speeds far too slow for feasible co-operation in environments characterised by integrated semiconductor circuits, a novel fail safe comparator (von Stackelberg and Halang, 1998) of two binary digits as depicted in Fig. 1 was designed, which combines high speed in the MHz range with a ternary output indicating both the comparison result and the functional status. It consists of altogether 37 individual modules arranged in six stages with respect to functional operation, and four levels deep to implement fail safe behaviour. The individual modules are, to a certain extent, basic circuits of binary and ternary digital logic and, on the other hand, circuits especially designed for the purpose considered here. The comparator is operated with two voltages, viz., +1.5 V and +5 V relative to the reference potential. As a digital circuit, there are only these three states determined by the operating voltages and zero potential; intermediate states do not occur. As customary in digital electronics, these voltage levels are associated with logical signal states. In this special case these are the ternary values: "minus" for the most negative voltage level, i.e., the reference potential 0 V; "zero" for the voltage level lying between the two extremes, i.e., +1.5 V; and "plus" for the most positive voltage level, i.e., +5 V. As binary values are used: "LOW" for the more negative one of the two voltage levels applied to a circuit, which specifically may be 0 V or +1.5 V, and "HIGH" for the more positive one, which specifically may be +5 V.

In the sequel, we shall use these terms instead of the potentials at the inputs and outputs of the individual circuits and the comparator. In the first stage of the comparator there are four antivalence gates as shown in Fig. 3, with their corresponding inputs wired together. This means that the signals at the inputs E1 and E2 of the comparator are evaluated four times. Since the input signals come from binary circuits whose "LOW" and "HIGH" are represented by the voltages 0 V and +5 V, the antivalence gates are also operated with these voltages. The result of such a gate is "LOW" if both inputs are the same, and "HIGH" if they differ.
Fig. 2. Structure of the fail safe comparator

Fig. 3. Binary antivalence gate

The resulting states "LOW" and "HIGH" are fed into four parallel ternary conjunction gates (Fig. 4) of the second stage. There, the "LOW" signal corresponds to "minus" and the "HIGH" signal corresponds to "plus". The result of a ternary conjunction is "minus" if all of its inputs are "minus", and "plus" if all of its inputs are "plus". In all other cases the output supplies the signal "zero". Since ternary negations are attached to the outputs of the conjunction gates of the second stage, the results in the third, fourth and fifth stages assume the following values: "plus" is yielded if both inputs of the comparator receive the same signal, and different signals at the comparator's inputs result in "minus". Again, the four conjunction gates of the second stage are connected in parallel so that the result of the operation is available four times.

Fig. 4. Ternary conjunction gate

In the third stage of the comparator, four identity gates as depicted in Fig. 5 are arranged in parallel, too. The function of an identity element is simply to convey the digital signal at its input to its output. However, since the comparator's identity gates have their negative supply connections attached to the +1.5 V potential, and ternary signals are present at their inputs, there is a shift in the signals: "plus" at the inputs becomes "plus" at the outputs, and both "zero" and "minus" at the inputs become "zero" at the outputs. The reason for this is to generate the ternary signals demanded at the output of the comparator from the binary signals at its input. Depending upon the comparator's input signals, the following states result at the outputs of the identity elements: if both comparator inputs receive the same signal, "plus" is present at the outputs of the identity elements of the third stage; if the comparator inputs receive different signals, "zero" is generated. The "zero" signal from the second stage's conjunction gates, which indicates a disturbance in the first stage of the comparator, is evaluated in the fourth stage and is irrelevant on this signal path.

Fig. 5. Ternary identity gate with shift of signal

Fig. 6. Switch function

Fig. 7. Ternary identity gate without shift of signal

Switch functions (Fig. 6) are employed in the fourth stage of the comparator. A switch is a basic ternary circuit which passes the signal present at its "signal" input to its output when it detects a "zero" signal at its "gate" input. If the input at "gate" is not equal to "zero", "zero" is presented at the output. Since the switch gates used in the comparator have a ternarily negating output, a "minus" signal at their "signal" inputs is transformed to "plus" at the outputs when the "gate" inputs detect "zero". Therefore, a "zero" generated at the output of a conjunction gate in the second stage leads to a "plus" at the output of the corresponding switch gate in the fourth stage.

In the fifth stage of the comparator there are three different circuits: one conjunction gate, four identity gates (Fig. 7) and four differential voltage switches (Fig. 8). The conjunction gate's task is to gather the signals produced in the third stage for the comparison states and to direct them to the comparator's output; that is, a "plus" signal is presented at this output for the state "equality detected by comparison and comparator in proper order" only when all four identity gates of the third stage indicate "plus". The identity gates of the fifth stage fulfil the same task as the identities in the third stage, and each identity gate of the fifth stage is likewise associated with the output signal of a conjunction gate in stage two. The reason for this is to appropriately prepare the signals generated by the conjunction gates for the differential voltage switches connected behind the identity gates: upon detecting different digital signals at their inputs, the differential voltage switches set both of their outputs to the higher one of the two input signals; for equal input signals both outputs are set to "minus". The differential voltage switches thus close a feedback loop between the comparator output and the conjunction gates of the second stage, which checks the output conjunction gate for proper functioning. In the sixth stage of the comparator there is a resistor located between the output of the collective conjunction gate of stage five and the output of the comparator; it provides correct measuring conditions for the differential voltage switches even when a threshold switch is in the conducting state. The function of the threshold switches (Fig. 9) is to pull the output of the comparator to the "minus" reference potential if their input signal exceeds a given value relative to the reference potential. The inputs of the threshold switches are driven by the four outputs of the switches in the fourth stage and by the four times two outputs of the differential voltage switches of the fifth stage.

Fail safe behaviour of the comparator is achieved by combining the following measures.

Fig. 8. Differential voltage switch

Fig. 9. Threshold switch

(1) Each function is provided four times, viz., in four levels in stages one through six.
(2) With their signal comparison between the second and the fifth stage, the differential voltage switches constitute a form of functional monitoring which provides a plausibility check between the comparator output and the result of the initial Boolean operation on its inputs.
(3) The modules with the differential voltage switches and the threshold switches are identically replicated four times, since their function is not monitored further. Hence, each device in each module is present four times. Devices whose low resistance state leads to the safe state of the comparator output signal are connected in parallel, while devices whose high resistance state represents the safe state for the comparator output signal are connected in series.
(4) By means of a resistor, each input of each module is tied to the potential which constitutes the safe state for the comparator output if the corresponding controlling signal fails. This case could occur, for instance, when a preceding output assumes a high resistance state.

These measures ensure that the comparator always provides either the correct comparison result or correctly signals that it is out of order, which holds under the condition that not all four equal modules in one stage show the same error. This applies analogously to the devices of the differential voltage switch and threshold switch modules, too.

4. SIMULATION RESULTS
A simulation model of the comparator was created with the tool MicroSim PSpice. Since it is presently not possible to simulate a ternary circuit in digital simulation mode (ternary logic is still not very well known), all simulations were run in analogue mode as transient analyses. As input signals to the comparator, two pulses with the parameters 1 ns rise time, 1 ns fall time, 9 ns pulse width and 20 ns period were defined; the second pulse arrives 4 ns after the first one. The simulation results show that the signals at the comparator's inputs have to be stable for at least 2 ns to obtain a correct output signal. The temporal behaviour of the comparator is determined to a lesser degree by the propagation delays, which are below 0.5 ns, and more by the charging of the gate capacitances and by uncontrolled oscillations upon signal changes, mainly caused by the series pass transistors typical of ternary circuits. The comparator has been simulated in different cases, such as varying the level stability of the power supplies and of the input signals as well as the limits of the output current.
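The stage-by-stage description in Section 3 can be checked at the logic level, independently of the analogue PSpice runs. The following Python model is an added illustration and is not the authors' circuit, patent or simulation model: it reduces every module to a function over the three levels "minus", "zero" and "plus", ignores all timing, and lets the output of any single module be forced to a wrong value so that the fault-signalling path (fourth-stage switches, differential voltage switches, threshold switches) can be exercised. Wiring details not spelled out in the text are assumptions and are marked as such in the comments: each second-stage conjunction gate takes all four first-stage results, the switches' "signal" inputs are tied to "minus", the differential voltage switches see the conjunction output before the sixth-stage resistor, and the threshold switches conduct only on "plus". The stage names `s1` to `s5_conj` and the `faults` dictionary are hypothetical names for this model.

```python
"""Behavioural model of the ternary fail safe comparator of Section 3.

Added illustration only (not the authors' circuit or PSpice model): every module is
reduced to a logic function over the levels MINUS (0 V), ZERO (+1.5 V), PLUS (+5 V),
timing is ignored, and any single module output can be forced to a wrong value.
"""
from itertools import product

MINUS, ZERO, PLUS = -1, 0, 1   # 0 V, +1.5 V, +5 V
LOW, HIGH = 0, 1               # binary levels at the comparator inputs E1, E2
N = 4                          # every function is provided four times


def antivalence(e1, e2):
    """Stage 1: binary XOR, LOW if the inputs agree, HIGH if they differ."""
    return HIGH if e1 != e2 else LOW


def bin_to_tern(b):
    """The ternary gates read binary LOW/HIGH as MINUS/PLUS."""
    return PLUS if b == HIGH else MINUS


def tconj(*xs):
    """Ternary conjunction: MINUS if all MINUS, PLUS if all PLUS, otherwise ZERO."""
    if all(x == MINUS for x in xs):
        return MINUS
    return PLUS if all(x == PLUS for x in xs) else ZERO


def identity_shifted(x):
    """Identity gate with negative supply at +1.5 V: PLUS stays PLUS, ZERO/MINUS become ZERO."""
    return PLUS if x == PLUS else ZERO


def switch_negating(gate, signal):
    """Stage-4 switch: negated 'signal' when 'gate' is ZERO, otherwise ZERO."""
    return -signal if gate == ZERO else ZERO


def diff_voltage_switch(a, b):
    """Both outputs follow the higher input if the inputs differ, both MINUS if equal."""
    return (max(a, b), max(a, b)) if a != b else (MINUS, MINUS)


def threshold_conducts(x):
    """Threshold switch pulling the output to 0 V. Assumption: threshold between +1.5 V and +5 V."""
    return x == PLUS


def comparator(e1, e2, faults=None):
    """Ternary output for binary inputs e1, e2.

    faults maps (stage, module_index) -> forced output of that module, e.g.
    {("s1", 3): HIGH} makes the fourth antivalence gate report HIGH unconditionally.
    """
    faults = faults or {}

    def force(stage, i, v):
        return faults.get((stage, i), v)

    # stage 1: four antivalence gates with their inputs wired together
    s1 = [force("s1", i, antivalence(e1, e2)) for i in range(N)]
    # stage 2 (assumed wiring): each conjunction takes all four stage-1 results and has a
    # negating output, so disagreement among the replicated stage-1 results appears as ZERO
    s2 = [force("s2", i, -tconj(*map(bin_to_tern, s1))) for i in range(N)]
    # stage 3: level-shifting identities -> PLUS (equal) or ZERO (unequal, or stage 1 disturbed)
    s3 = [force("s3", i, identity_shifted(s2[i])) for i in range(N)]
    # stage 4: switches with 'signal' tied to MINUS (assumed) -> PLUS exactly when stage 2 is ZERO
    s4 = [force("s4", i, switch_negating(s2[i], MINUS)) for i in range(N)]
    # stage 5: collective conjunction of the stage-3 results is the comparison result proper
    conj_out = force("s5_conj", 0, tconj(*s3))
    # stage 5: identities prepare the stage-2 results; the differential voltage switches compare
    # them with the conjunction output, taken before the stage-6 series resistor (assumed)
    s5_id = [force("s5_id", i, identity_shifted(s2[i])) for i in range(N)]
    dvs_out = [diff_voltage_switch(s5_id[i], conj_out) for i in range(N)]
    # threshold switches are driven by the 4 switch outputs and the 4 x 2 DVS outputs
    fire = any(map(threshold_conducts, s4)) or any(
        threshold_conducts(v) for pair in dvs_out for v in pair)
    return MINUS if fire else conj_out


def expected(e1, e2):
    """Fault-free result: PLUS for equal inputs, ZERO for unequal ones."""
    return PLUS if e1 == e2 else ZERO


def all_single_faults():
    """Every single-module fault the model can express."""
    for i in range(N):
        for v in (LOW, HIGH):
            yield {("s1", i): v}
        for stage in ("s2", "s3", "s4", "s5_id"):
            for v in (MINUS, ZERO, PLUS):
                yield {(stage, i): v}
    for v in (MINUS, ZERO, PLUS):
        yield {("s5_conj", 0): v}


def single_faults_are_safe():
    """True if under every single-module fault the output is either correct or MINUS."""
    return all(comparator(e1, e2, f) in (expected(e1, e2), MINUS)
               for e1, e2 in product((LOW, HIGH), repeat=2) for f in all_single_faults())


if __name__ == "__main__":
    print("equal inputs         ->", comparator(HIGH, HIGH))
    print("unequal inputs       ->", comparator(LOW, HIGH))
    print("one stage-1 gate bad ->", comparator(LOW, LOW, {("s1", 3): HIGH}))
    print("output gate stuck    ->", comparator(LOW, LOW, {("s5_conj", 0): ZERO}))
    # the paper's stated limit: the same fault in all four modules of one stage is not caught
    print("all four stage-1 bad ->", comparator(LOW, HIGH, {("s1", i): LOW for i in range(N)}))
    print("single faults safe   ->", single_faults_are_safe())
```

Running the model reproduces the three indications of the abstract: "plus" for equal inputs, "zero" for unequal inputs, and "minus" whenever a single module in stages one to five is forced to a wrong value, because either a fourth-stage switch or a differential voltage switch drives a threshold switch. The last line of the main block also shows the limit stated at the end of Section 3: if all four modules of one stage fail identically, the model reports a plausible but wrong result, which is why the paper conditions its guarantee on not all four equal modules showing the same error.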
5. REFERENCES

GTI Industrial Automation (1993). An Introduction to MagLog 24 Inherently Fail-Safe Logic Technology. Eliminating the Unexpected. Apeldoorn.
Paul Hildebrandt GmbH & Co. KG (1991). Main Catalogue - The HIMA-Planar System. Brochure HK 91.11. Brühl.
Paul Hildebrandt GmbH & Co. KG (1992). Fail-Safe Electronic Controls - The HIMA-Planar System. Brochure TI 92.08. Brühl.
Stackelberg, J. von, and W.A. Halang (1998). Ausfallsicherheitsgerichteter Binärstellenvergleicher mit Ergebnis- und Zustandsanzeige [Fail safe binary digit comparator with result and status indication]. German patent application no. 19857396.0.