In any control system it is often desired to have an emergency deactivating signal that prevents system deterioration, possible destruction and bodily harm to the users. Obviously, propagation of such a fault signal should be highly reliable and available at all times, even after long periods of inactivity (or, possibly, when the fault signal has never been activated before it is required).
The fault signal can be used by the overall system controller that is able to act in order to prevent harmful consequences; the actions may include disconnection of the load, immediate cessation of charging of the batteries, or other actions.
It is also desirable for this fault signal to act quickly.
At the same time, it is desirable that the circuits relating to fault signals consume as little energy as possible, especially in the inactive or quiescent state.
Moreover, it is desirable that a system consisting of many individual modules provides an ability for any one module to bring about the common emergency signal.
It is not easy to accomplish simultaneously each of the design goals just mentioned. But however difficult such an accomplishment might be as a general matter, it is particularly difficult when the modules being monitored are at different voltage potentials from each other. When modules being monitored are at differing voltage potentials, then the monitoring circuits are required to be galvanically isolated from each other. One example of a real-life situation where modules being monitored are at differing voltage potentials is the case of a large battery constructed from a series string of modules, in which each module is itself constructed from series-connected cells.
For a fuller appreciation of the invention it will be helpful to review briefly some of the prior art.
Two galvanic isolation circuits 21 and 31 are shown in FIG. 1.
Circuit 21 relies upon a transformer 23, 24. A time-varying signal 22 such as an AC current arrives at primary winding 23. Induced current at secondary winding 24 is rectified at 25 and smoothed by capacitance 26. Importantly the transformer windings are galvanically isolated from each other, so the input and output of circuit 21 have no common voltage reference. Time plot 27 models the output which rises quickly at 28 and which decays more slowly at 29, in part because the circuitry receiving the output of circuit 21 (which circuitry is omitted for clarity in FIG. 1) is likely of relatively high impedance.
Circuit 31 uses an optical isolator 33, 34. A current 32 such as a step function current arrives at light-emitting diode (LED) 33. Some of the resulting emitted light impinges upon phototransistor 34, turning on the transistor 34. The transistor 34 defines a voltage divider with resistor 40, giving rise to an output voltage for circuit 31. Importantly the LED and phototransistor are galvanically isolated from each other, so the input and output of circuit 31 have no common voltage reference. Time plot 37 models the output which rises quickly at 38 and which decays more slowly at 39, in part because the circuitry receiving the output of circuit 31 (which circuitry is omitted for clarity in FIG. 1) is likely of relatively high impedance.
It is typical that such circuits have a relatively fast turn-on, while turn-off is somewhat slow. Therefore, it is advantageous to utilize the fast-acting turn-on operation for indication of an emergency or fault-annunciation signal, rather than using the slower turn-off operation as indication of the emergency or fault-annunciation signal.
Investigators have proposed and have attempted to develop galvanically isolated signal couplers that make use of capacitive coupling. Other investigators have proposed galvanically isolated couplers comprised of spin valves which are based upon the phenomenon of GMR (giant magnetoresistance).
It is easy enough, using any of several kinds of galvanically isolated signal couplers, to devise approaches for collecting fault signals from modules that are at differing electrical potentials, for combining the fault signals, and for passing the combined fault signal to appropriate devices. One of the challenges comes, however, when one sets a more demanding goal of devising an approach which works reliably even in the face of one or more component failures or degradations.
Some component failure modes are easy to imagine and easy to model. Returning to circuit 31 of FIG. 1, imagine an open circuit at LED 33 or at phototransistor 34. Alternatively imagine some circuit fault that causes LED 33 to be constantly lit despite the presence of some fault condition “upstream” of LED 33. Or imagine a metallic short at or nearby to the transistor 34.
Other component failures are more subtle to describe and to model. An optoisolator such as the LED-phototransistor 33, 34 of FIG. 1 defines what is called a current transfer ratio (“CTR”), namely the ratio of output current (passing through transistor 34) to input current (passing through LED 33). The CTR is partly a function of the condition of the optical path providing optical coupling between the LED and phototransistor; the optical path has at least two interfaces each defined by distinct optical media, and each interface can change in its physical condition and properties over time. The CTR is also a function of the beta of the transistor, which also can change over time.
The other galvanic isolating coupler technologies just mentioned each have some analogous transfer ratio for a given implementation, and to the extent that the transfer ratio presents a risk of change over time, then this also counts as a category of component failure which the system designer would wish to be able to describe and to model. And, to state the obvious, the system designer will wish that an approach could be found that would permit high reliability even in the face of the various component failure modes.
FIG. 2 shows one approach for combining fault signals from any of several modules. In circuit 41 of FIG. 2, the phototransistors are placed in series. This may be termed a “wired AND” in which the phototransistors are “on” nearly all of the time, because the LEDs are lit nearly all of the time. Any one module signals a fault condition by turning its LED off, which turns off the associated phototransistor. The output of circuit 41, formerly pulled high by the “on” phototransistors, drops to a low level and this annunciates the detection of a failure.
With circuit 41, one particular failure mode, namely an open-circuit failure, will count as an annunciation. It will be a “false positive” but at least it will not risk later giving rise to a “false negative” during some actual detected fault.
Circuit 41 does not, however, deal with the risk of a closed-circuit failure. Thus for example if there were some circuit fault that causes LED 33 to be constantly lit despite the presence of some fault condition “upstream” of LED 33, then that fault would never get annunciated. Likewise if there were a metallic short at or nearby to the transistor 34, then upstream faults would not get annunciated.
Still another drawback to circuit 41 is that all of the opto-isolators must be activated all the time, thus consuming significant energy continuously. The alert reader will also note that the “active” state of the signal (the annunciation of a fault) is generated by the slow-acting turn-off action of the opto-isolator, mentioned above in connection with decay waveform 39 in FIG. 1.
The natural next step, having considered the wired-AND arrangement of circuit 41 (FIG. 2), is to consider a wired-OR arrangement. Such a circuit 51 is depicted in FIG. 3, where individual signals from every separate module are connected in “parallel” to each other, in a so-called wired-OR fashion. If any one opto-isolator is activated, then the output signal is activated.
It will be appreciated, however, that with circuit 51, one of the very common failure modes for an opto-isolator, namely the above-mentioned “open-circuit” failure, can lead to the circuit 51 being blind to a fault condition at one of the monitored modules.
More subtly, consider the consequences of a degradation (reduction) of the CTR of any one of the opto-isolators. Recall that each transistor in circuit 51 is obligated to bring about a voltage-divider result relative to the resistor 52. But nothing in circuit 51 provides for or guards against a gradual degradation of the CTR of any one of the opto-isolators of the circuit 51. Such degradation could lead to the circuit 51 being blind to a fault condition at one of the monitored modules.
For these reasons, the circuit in FIG. 3 is not suitable for highly reliable signal propagation.
FIG. 4 shows a variant 61 of the circuit of FIG. 3, having redundant signal paths. A detected fault, annunciated by an LED stimulation current at 62, turns on both transistors 70, 72, either of which brings about a trigger of OR gate 66, giving rise to failure annunciation output 69. This circuit 61, for all of its complexity and larger component count, fails nonetheless at its reliability goals, as will now be discussed.
If one were to define “reliability” as “surviving one circuit fault”, then circuit 61 would count as “reliable”, since either communications path (toward transistor 70 or toward transistor 72) could fail and yet the fault signaled at 62 would propagate to line 69.
But circuit 61, having survived one circuit fault, is henceforth no more reliable than the previously mentioned circuit 51 (FIG. 3) and will eventually fail at its purpose when some subsequent circuit fault happens.
A more robust definition of “reliability” in this context includes some notion of detecting a circuit fault so that a module can be replaced (remedying that circuit fault), ideally before some second circuit fault would be likely to have happened. Ideally the circuit continues to serve its overall purpose despite that circuit fault having occurred, so that even during the (non-zero) time interval that passes between detecting that circuit fault and remedying that circuit fault, the aggregation of fault reports can be carried out without interruption.
Put plainly, the approach of circuit 61 (FIG. 4) will overcome a single fault, but not two or more faults.
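The failure-mode reasoning applied above to circuits 41, 51 and 61 can be checked with a small logical model. The following is an added example, not part of the original text; the three-module layout, the state labels and the function names are assumptions, and the model is purely logical (it ignores timing and gradual CTR degradation).

```python
from itertools import product

OK, OPEN, STUCK_ON = "ok", "open", "stuck_on"  # circuit-failure states (assumed labels)

def conducts(led_lit, state):
    """Does the phototransistor conduct, given LED drive and the isolator's state?"""
    if state == OPEN:        # open circuit at the LED or at the phototransistor
        return False
    if state == STUCK_ON:    # LED constantly lit, or metallic short at the transistor
        return True
    return led_lit

def wired_and(faults, states):
    # Circuit 41: LEDs lit while healthy; any non-conducting transistor annunciates.
    return not all(conducts(not f, s) for f, s in zip(faults, states))

def wired_or(faults, states):
    # Circuit 51: LED lit only on a module fault; any conducting transistor annunciates.
    return any(conducts(f, s) for f, s in zip(faults, states))

def redundant_or(faults, states):
    # Circuit 61: two isolator paths per module, given as (path_a, path_b) pairs.
    return any(conducts(f, a) or conducts(f, b) for f, (a, b) in zip(faults, states))

def classify(circuit, states):
    """Try every combination of module faults; report how the output can be wrong."""
    wrong = set()
    for faults in product([False, True], repeat=len(states)):
        annunciated = circuit(faults, states)
        if any(faults) and not annunciated:
            wrong.add("false_negative")   # a module fault went unannounced
        elif annunciated and not any(faults):
            wrong.add("false_positive")   # annunciation with no module fault
    return wrong or {"correct"}

def survey():
    """Three modules (constructed); circuit failures injected at module 0 only."""
    return {
        "41 open":      classify(wired_and, [OPEN, OK, OK]),
        "41 stuck_on":  classify(wired_and, [STUCK_ON, OK, OK]),
        "51 open":      classify(wired_or, [OPEN, OK, OK]),
        "61 one open":  classify(redundant_or, [(OPEN, OK), (OK, OK), (OK, OK)]),
        "61 both open": classify(redundant_or, [(OPEN, OPEN), (OK, OK), (OK, OK)]),
    }

if __name__ == "__main__":
    for case, outcome in survey().items():
        print(f"{case:13s} {sorted(outcome)}")
```

The model reports circuit 61 as correct after one open path, yet nothing in its output reveals that the path has failed, which is the weakness noted above.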
It will be helpful to develop some terminology to be employed in the present discussion. By “failure” or “fault” we may mean either of two things:

a detected condition within one module of a multi-module system, the condition being intended to trigger some corrective action such as disconnecting a charging current or disconnecting a load; or

a complete failure or a performance degradation as to some circuit component or circuit element in the failure monitoring system, detection of which may prompt replacement of a failed or degraded component in that monitoring system.

The former may be referred to as “a module failure” or “a fault signal” and the latter may be referred to as “a circuit failure”.
It would be desirable if an approach could be devised which would permit propagation of fault signals from each of several modules, each at a different voltage potential from the others, the propagation of the signals being fast, the signals being logically combined so that the fault signal from any one of the modules is able to trigger the assertion of the combined signal, the approach minimizing consumption of energy particularly during quiescent and inactive states, the approach permitting very high reliability even in the face of possible degradation of particular circuit elements. It would be desirable if particular categories of possible degradation could be detected early on, permitting remediation at such time as overall circuit function has not been interfered with.