1. Technical Field
Embodiments of the invention relate generally to power supplies. Particular embodiments relate to safe state retention in vital (fail-safe) power supplies.
2. Discussion of Art
Power supplies are electronic/electrical circuits that supply electric power to one or more electric loads. The term “power supply” is most commonly applied to devices that convert one form of electrical energy to another, and is used in that sense herein. For example, an AC power supply typically receives electrical power at input values of voltage, current, and frequency. The received electrical power excites a transformer, which then produces power at output values of voltage, current, and frequency.
A simple conventional power supply can include a transformer core, a primary winding, and a secondary winding that is electrically isolated from the primary winding. When current is supplied to the primary winding, the primary winding produces a corresponding magnetic field that excites the transformer core. If the primary winding is supplied with a varying current, the transformer core is excited by a varying magnetic field, which in turn induces a varying current in the secondary winding. If a failure condition occurs in a load powered from the secondary winding, there is no provision for disabling the transfer of power from the primary winding to the secondary winding.
Therefore, at least in safety-critical applications, it has generally been considered desirable to design power supplies as vital devices. “Vital” or fail-safe electronic/electrical circuits or devices are designed to isolate the device output from failures internal to the vital circuit or device. For example, many vital devices require input power for normal permissive operation. When input power is removed, for example in response to a circuit failure, a vital circuit assumes a “safe state” in which power cannot pass from the primary circuit to the secondary circuit. No single failure, and no combination of latent failures with a single failure, may prevent the system from reaching the safe state. All combinations of possible failures must be considered.
A standard design practice for vital circuits is “safe state retention”: once a vital system enters a safe state, it must remain in that safe state indefinitely. In order to remain in the safe state indefinitely, the system must be held in the state by some inherent (physical) properties that permanently block exiting the state once the system has entered that state.
In a known system, when a failure is detected, the system enables a short across its power input in order to blow a fuse and thus remove power from the system. Such systems are difficult to maintain and test. In another known system, primary circuit power is supplied through the contacts of a vital relay. On activation of a fault detect circuit, power is removed from the vital relay to establish a safe state. These systems are relatively large and expensive, and can only be tested by taking the system offline. In a third known solution, a system includes two processors that must cooperate to enable system operation. If either processor detects a problem, both processors attempt to overwrite their program memory, thereby permanently removing their ability to enable operation, at least until serviced by a technician. However, it is impossible to prove that a latent failure is not blocking a processor from overwriting the critical part of its memory without actually overwriting the critical part of its memory. Moreover, this solution does not address failure cases where simply supplying voltage to an output (for example, by shorting past or through the processors) can cause an unsafe condition.
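The design rule stated above (no single failure, and no latent failure combined with a single failure, may block entry into or retention of the safe state) is one that can be checked by exhaustive enumeration rather than by case-by-case argument. The following Python script is an added example and is not part of this disclosure or of any real product. It models a constructed, deliberately simplified circuit in the spirit of the relay-contact and blown-fuse arrangements described among the known systems: input power reaches the transformer primary only through one or more relay contacts in series, optionally behind a fuse that a crowbar blows when the safe state is commanded, with an optional electronic latch holding the safe command. All component names, failure-mode names and the three design variants are constructed for the example. The checker enumerates every combination of up to two concurrent failure modes and lists the minimal combinations under which the model either fails to reach the safe state or fails to retain it once the fault-detect circuit itself resets.

```python
from itertools import combinations

# Constructed model (added example; not from the disclosure or any real product).
# Input power reaches the transformer primary only through series elements:
#   * n relay contacts, each closed while its coil is driven.  The fault-detect
#     circuit commands the safe state by dropping the coil drive.
#   * optionally a fuse plus a crowbar: while the safe state is commanded the
#     crowbar shorts the input downstream of the fuse and blows it, so the hold
#     on the safe state is physical and irreversible.
# A "latched" design keeps the safe command asserted until serviced; an
# unlatched one re-asserts normal operation once the detect circuit resets.
# Only failure modes in the unsafe direction are modelled; a fault that opens
# the power path is itself safe and needs no enumeration.


def fault_names(design):
    """All modelled unsafe-direction failure modes for a design (constructed names)."""
    names = []
    for i in range(design["series_relays"]):
        names += [f"driver_{i}_stuck_on", f"contacts_{i}_welded"]
    if design["fuse_crowbar"]:
        names += ["crowbar_open", "fuse_oversized"]
    if design["latched"]:
        names += ["latch_clears"]
    return names


def energized(design, faults, safe_cmd, fuse_blown):
    """True if the primary is energized given the active faults and the command."""
    if fuse_blown:
        return False                      # blown fuse: no path regardless of relays
    for i in range(design["series_relays"]):
        coil_on = (not safe_cmd) or f"driver_{i}_stuck_on" in faults
        contacts_closed = coil_on or f"contacts_{i}_welded" in faults
        if not contacts_closed:
            return False                  # one open contact in the series chain suffices
    return True


def reaches_and_retains(design, faults):
    """Two-step simulation: the detect circuit commands the safe state, then some
    time later the detect circuit itself resets.  Returns (reached, retained)."""
    faults = set(faults)
    fuse_blown = (design["fuse_crowbar"]
                  and "crowbar_open" not in faults
                  and "fuse_oversized" not in faults)
    reached = not energized(design, faults, True, fuse_blown)
    # After the reset only a healthy latch keeps the safe command asserted.
    cmd_after_reset = design["latched"] and "latch_clears" not in faults
    retained = reached and not energized(design, faults, cmd_after_reset, fuse_blown)
    return reached, retained


def minimal_defeating_sets(design, max_faults, check):
    """Enumerate every combination of up to max_faults concurrent failures
    (a latent fault plus one new fault is max_faults=2) and return the minimal
    combinations for which check(reached, retained) is False."""
    names = fault_names(design)
    defeating = []
    for k in range(1, max_faults + 1):
        for combo in combinations(names, k):
            if any(set(d) <= set(combo) for d in defeating):
                continue                  # a smaller defeating subset already covers it
            if not check(*reaches_and_retains(design, combo)):
                defeating.append(combo)
    return defeating


def reaches(reached, retained):
    return reached


def retains(reached, retained):
    return retained


# Three constructed design variants to compare.
SINGLE_RELAY = {"series_relays": 1, "fuse_crowbar": False, "latched": True}
DUAL_RELAY = {"series_relays": 2, "fuse_crowbar": False, "latched": True}
FUSE_HOLD = {"series_relays": 1, "fuse_crowbar": True, "latched": False}

if __name__ == "__main__":
    for name, design in [("single relay", SINGLE_RELAY),
                         ("dual relay", DUAL_RELAY),
                         ("fuse hold", FUSE_HOLD)]:
        print(f"{name}: cannot reach safe state under",
              minimal_defeating_sets(design, 2, reaches))
        print(f"{name}: cannot retain safe state under",
              minimal_defeating_sets(design, 2, retains))
```

Under the model's assumptions the single-relay variant is defeated by any one of its failure modes; the dual-relay variant reaches the safe state through every single fault but is defeated by a latent fault in one relay combined with a single fault in the other, which is exactly the combination the design rule forbids; and the crowbar-blown fuse gives physical retention only when the crowbar path itself is free of latent faults, since a single open crowbar leaves retention dependent on the relay re-closing after the detect circuit resets. The enumeration over `fault_names` is the part that scales: adding a component means adding its unsafe-direction modes to that list, and the checker covers all combinations without further hand analysis.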
In view of the above, it is desirable to develop a vital power supply with safe state retention that can be tested and reliably restored from the test condition. It is even more desirable to develop a vital power supply with safe state retention in which the mode of safe state retention can be validated at the design stage, without endless or infeasible analysis of possible non-catastrophic electrical faults.