The invention relates to a device for despatching a secure output command. This type of device is used in applications requiring high security monitoring such as, for example, applications of transport of people.
For the transport of people, such as by train, subway, tramway or self-steered bus, it is necessary to exhibit maximum security in order to have authorization to travel. Among the security arrangements implemented, a particular arrangement consists in the use, for any logic level corresponding to a command, of a security level, that is to say one which is not dangerous in the event of malfunction. The security level is generally the zero level corresponding moreover to an absence of voltage or current. One speaks of the permissive state and the restrictive state. The permissive state corresponds to a command in a state that is nonsecure but necessary for operation, for example, request for traction or release of the brakes. The restrictive state prohibits certain operating actions or brings about actions whose effect is secure, for example stoppage of traction or triggering braking, and in particular in case of absence of energy so as to make the passengers secure whatever happens.
In order to guarantee fully secure operation in the event of failure of any one of the components of the command system, any fault must result in the setting of a restrictive state. In order to ensure such security setting, the mere failure of a component must bring about either a setting of the command to the restrictive state, or a detection of malfunction which globally sets all the outputs into a restrictive state.
With this aim, each command despatch device is furnished with a so-called security output device which serves, on the one hand, to despatch a power command and, on the other hand, to verify that the signal is indeed in a restrictive state when a restrictive state is requested. The monitoring of the security outputs makes it possible to guarantee that a command device will not command an action wrongly. The principle is to operationally command an output and to verify its state in a secure manner. In the event of a problem, a secure energy supply is cut, thus forcing all the command signals into a security state.
Static security relays for producing such a command interface monitored securely are known in particular from French patent application FR-A-2 704 370. According to this document, the power command is transmitted by way of a transformer with four windings, including primary and secondary windings for state verification and primary and secondary power windings. The primary state verification winding receives a monitoring signal which is read by the corresponding secondary winding. When a command is in a permissive state, the primary power winding of this same transformer receives considerable energy destined for the secondary power winding. When the primary power winding receives this energy, the transformer becomes saturated and the secondary monitoring winding is no longer capable of receiving the signal despatched by the primary monitoring winding. Such a device is sufficiently effective for the function requested. However its main drawback is that it is rather bulky and consumes appreciable energy.
The invention aims to provide a compact device for despatching a command. For this purpose, the invention proposes a novel type of output stage. A monitoring signal is despatched on the power conductors. The monitoring signal is recovered by way of an optocoupler linked to the conductor.