

Title:
METHOD OF OPERATION OF A FAIL-SAFE SOLID STATE RELAY
Document Type and Number:
WIPO Patent Application WO/2017/205897
Kind Code:
A1
Abstract:
A method for operating a fail-safe programmable solid-state relay, the method comprising the steps of performing a set of self-tests at an initial start-up and cyclically during the powered state of the solid-state relay, wherein a self-test comprises continuously detecting and comparing a state of the at least one switch with an expected state therefor and wherein if any self-test within the set detects an unexpected state, substantially simultaneously therewith a failure flag is set in a non-volatile memory and the at least one switching circuits are set to a safe or default state; setting an integrity flag and an integrity count flag within the memory when all self-tests in the set are passed; and reading the failure flag from the memory at any subsequent start-up, wherein if the failure flag is not set, the integrity count flag is read and a set of self-tests is performed.

Inventors:
STUCKEY, David Martin (12A Harrison Crescent, Hawthorn, Victoria 3122, AU)
SEMKOW, Marc David (5358 Moreland Drive, Burnaby, BC V5G 1Z8, CA)
OWENS, Marie Lise (11245 Sunset Cove Rd, Halfmoon Bay, BC V0N 1Y2, CA)
EKONANTO, Heri (Areman, RT/RW 006/006 Desa TuguKecamatan Cimanggi, Kota Depok Provinsi Jawa Barat, 16951, ID)
GRAHAM, Brent (880 Mary Road, Gabriola IslandBritish Columbia, V0R 1X3, CA)
MAURO, David J. (11146 Scarborough Drive, North Delta, BC V4C 7R2, CA)
FARNSCHLAEDER, Udo Wilhelm (16 Bayview Culver Street, Gardens, 8001 Cape Town, ZA)
STRIKE, Michael Anthony (53 Grantleigh Drive, Darley, Victoria 3340, AU)
SMART, Alastair Malcolm (373 Balwyn Road, Balwyn North, Victoria 3104, AU)
SUMMONS, Keith Malcolm (5 Henry Street, Balwyn, Victoria 3103, AU)
Application Number:
AU2017/000126
Publication Date:
December 07, 2017
Filing Date:
June 05, 2017
Assignee:
DAVID STUCKEY INVESTMENTS PTY LTD (C/- Pitcher Partners, Level 19 15 William Stree, Melbourne VIC 3000, AU)
International Classes:
H01H47/18; H03K17/28
Domestic Patent References:
WO2013033765A1 2013-03-14
WO2017031527A1 2017-03-02
Foreign References:
US20120081824A1 2012-04-05
Other References:
JOHN J. KUMM ET AL.: "Assessing the Effectiveness of Self-Tests and other monitoring Means in Protective Relays", 1995 PENNSYLVANIA ELECTRIC ASSOCIATION RELAY COMMITTEE SPRING MEETING MATAMORAS, 25 May 1995 (1995-05-25), Pennsylvania, XP055442944, Retrieved from the Internet [retrieved on 20171107]
Attorney, Agent or Firm:
HOULIHAN , Elizabeth Eldred (Houlihan2, Level 1 70 Doncaster Roa, Balwyn North Victoria 3104, AU)
Claims:
CLAIMS:

1. A method of operating a fail-safe programmable solid-state relay, wherein the relay comprises a base module; a configuration module; a control voltage module comprising at least one energy storage device; a controller module having at least two substantially electrically isolated microcontrollers operating in parallel, each microcontroller comprising an internal EEPROM memory, and at least one digital timer; and at least one switch module comprising at least one switching circuit, wherein the or each switching circuit has two switches, and at least one driver circuit; wherein the control voltage module is adapted to receive an applied control voltage or current and to permit pre-selection of an activation voltage or current level and a de-activation voltage or current level, the method comprising the steps of: a. performing a set of self-tests at an initial start-up and cyclically during the powered state of the solid-state relay, wherein a self-test comprises continuously detecting and comparing a state of the at least one switch with an expected state therefor and wherein if any self-test within the set detects an unexpected state, substantially simultaneously therewith a failure flag is set in a non-volatile memory and the at least one switching circuits are set to a safe or default state; b. setting an integrity flag and an integrity count flag within the memory when all self-tests in the set are passed; and c. reading the failure flag from the memory at any subsequent start-up, wherein if the failure flag is not set, the integrity count flag is read and a set of self-tests is performed.

2. The method of Claim 1, wherein if any self-test detects an unexpected state, the at least one switching circuit is disabled by permanently disabling at least one of the driver circuits by blowing its fuse, whereby a safe or default state is achieved.

3. The method of Claim 1, wherein the non-volatile memory comprises an Electrically Erasable Programmable Read-Only Memory (EEPROM).

4. The method of Claim 3, further comprising the step of permanently storing data produced by the method in at least one Random Access Memory (RAM) device, wherein the data comprises a value of the integrity count flag.

5. The method of Claim 4, wherein the RAM device further comprises a Ferroelectric Random Access Memory (FRAM) device, wherein the data is maintained when the relay is deactivated and wherein the data is subject to change during operation.

6. The method of Claim 1, wherein the state of the at least one switching circuits is selected from at least one normally open switch, or at least one normally closed switch, or a combination thereof; and wherein determination of the state of the control voltage or current operates independently of the voltage or current of the at least one switching circuit.

7. The method of Claim 6, wherein the state of the at least one switching circuit comprises at least two normally open switches connected in series.

8. The method of Claim 6, wherein the state of the at least one switching circuit comprises at least two normally closed switches connected in parallel.

9. The method of Claim 6, wherein the state of the at least one switching circuit comprises a first set of at least two normally closed switches connected in series being connected in parallel to a second set of at least two normally closed switches connected in series.

10. The method of Claim 6, wherein the state of the at least one switching circuit is selected from up to sixteen sets of two normally open switches in series, or up to sixteen sets of two normally closed switches connected in parallel, or up to sixteen sets of a combination of two normally open switches in series and two normally closed switches in parallel.

11. The method of Claim 6, wherein the switches are potential-free.

12. The method of Claim 6, wherein the at least one energy storage device provides sufficient power to a portion of the microcontrollers, whereby when the applied control voltage or current decreases to a minimum voltage or current level, the ability of the microcontrollers to control the state of the normally open and/or the normally closed switches is substantially maintained.

13. The method of Claim 12, wherein the energy storage device comprises two supercapacitors.

14. The method of Claim 1, wherein the at least one switching circuit/s is in the form of at least two optically isolated metal oxide semi-conductor field effect transistors ("mosfets") connected in series, wherein the default state of one or more individual mosfet switches is periodically and continuously detected and compared with its expected state.

15. The method of Claim 1, wherein the at least one switching circuit/s is in the form of at least two optically isolated metal oxide semi-conductor field effect transistors ("mosfets") connected in parallel, wherein the default state of one or more individual mosfet switches is periodically and continuously detected and compared with its expected state.

16. The method of Claim 1, further comprising a display module whereon a selection of relay parameters is displayed.

17. The method of Claim 16, wherein an error code is recorded and is displayed on the display module or transmitted to an external device as required if the failure flag is set.

18. The method of Claim 16, wherein the relay parameter displayed on the display module is the default state of each switch.

19. The method of Claim 1, wherein the cumulative number of times the relay has been activated is recorded in the non-volatile memory.

20. The method of Claim 1, wherein a change in the safe or default state of the at least one switch is delayed by a pre-determined delay time.

21. The method of Claim 16, wherein the display module comprises at least one visual indicator/s selected from a light emitting diode/s, a multi-segmented display/s or a liquid crystal display/s, or combinations thereof.

22. The method of Claim 16, wherein the display module displays the state of each of the switching circuits, the control voltage level, the remaining time in the at least one digital timer, the overall state of the relay and/or a combination thereof.

23. The method of Claim 16, wherein the parameters are selected from relay type, nominal voltage, switch configuration, cumulative number of start-up operations, or one or more predetermined time delay values.

24. The method of Claim 1, wherein the relay comprises a multiplicity of circuits each being duplicated, whereby a fail-safe state is achieved.

25. A non-transitory machine-readable storage medium, wherein the storage medium is executed by one or more processors of the programmable solid-state relay operated by the method of Claim 1.

Description:
METHOD OF OPERATION OF A FAIL-SAFE SOLID STATE RELAY

FIELD OF THE INVENTION

[0001] The invention generally relates to a method of operating a fail-safe solid-state relay. In particular, the invention relates to a method for operating a digitally controlled programmable solid-state relay, which may be used in railway applications. More particularly, the invention relates to a method of operating a fail-safe programmable solid-state relay, which may be used in retro-fitting an existing electromechanical relay. It will be convenient to hereinafter describe the invention in relation to this particular application. It should be appreciated, however, that the present invention is not limited to that application only.

BACKGROUND TO THE INVENTION

[0002] Relays are used extensively in the railway industry for the propagation of electrical signals through the railway signalling system and time delay relays are similarly used to delay the propagation of those electrical signals for a pre-determined period of time.

[0003] Such time delay relays commonly in use by railway systems around the world are generally based upon a resistor-capacitor circuit ("RC circuit") time delay. A storage capacitor is charged to a pre-set level and then discharged through a resistor.

[0004] In an RC circuit, the value of the time constant in seconds is equal to the product of the circuit resistance in Ohms and the circuit capacitance in Farads, i.e. τ = R x C. τ is the time required to charge the capacitor, through the resistor, to 63.2% of full charge or to discharge it to 36.8% of its initial voltage.

[0005] Various delay circuits are known in the art. One approach by Ma, as disclosed in United States Patent No. 7,961,030, uses delay circuits that include a resistor and a capacitor in series. The time delay is related to the resistance of the resistor and the capacitance of the capacitor.

[0006] In another approach by Darrow, which is disclosed in United States Patent No. 4,044,272, a fail-safe time delay circuit for providing a time interval is similarly described. The time delay circuit includes a resistance-capacitance charging network, which is connected to a direct current ("DC") supply source by a switching device. The potential charge developed on the capacitor powers an inverter to produce alternating current ("AC") signals having a given frequency. The AC signal is then fed to a multi-stage tuned amplifier, having a resonant circuit tuned to the given frequency. The amplified AC signals are applied to a voltage doubling network, which normally energizes a load and which maintains the load energized for no longer than the definite time interval after the opening of the switching device.

[0007] Hayden, in United States Patent No. 4,276,483, describes a timed switch utilizing a resistive capacitor relaxation oscillator. However, a drawback of this technique is that resistor and capacitor values are nominal only, which prevent an accurate prediction of the resultant time delay and circuits often require fine adjustments to achieve the desired time delay.

[0008] It has proved to be problematic in the art to develop practical RC circuits, which provide accurate and predictable timing, because the rate of current discharge from the capacitor is exponential rather than linear with time. Time delay relays typically utilize a fixed value capacitor and a variable resistor or potentiometer to select the desired delay period.

[0009] In practice, setting the time delay is usually one of trial and error. The methodology followed is to first set the potentiometer at some nominal value. The relay is then energized and the delay time is measured. The potentiometer is then adjusted, the relay reset and the delay time measured again. This process is repeated until the desired time delay is achieved or approximated.

[0010] A further drawback of the RC timing technique is that the values of these discrete components can be affected by both temperature and ageing.

[0011] One advantage offered by the present invention is that it does not rely upon the charge/decay rate of a timing capacitor to control the delay time. Further, the level of complexity, which was previously mandatory, has been substantially simplified.

[0012] Schofield, in United States Patent No. 4,351,014 describes a fail-safe solid-state relay for AC devices, which employs triodes for alternating current ("TRIACs"). This approach cannot be applied to DC devices as the central component ("TRIAC") is limited to AC operation.

[0013] Koga et al., in United States Patent No. 4,855,612, also provides a relay, which is operable to delay the transition of a plurality of switches using a capacitor as the timing means.

[0014] Existing electromechanical relays, such as those used by British Rail, for example, often experience a number of problems, such as high contact resistance, mechanical wear and tear, susceptibility to environmental conditions, variability of performance based on mechanical and material variation, for example, contact spring tension and the like.

[0015] In addition, non-time delay relays suffer from delays caused by their design.

[0016] The present invention seeks to overcome, or at least substantially ameliorate, at least some of the disadvantages and shortcomings of the prior art.

SUMMARY OF THE INVENTION

[0017] The present invention is directed to a method of operating a fail-safe programmable solid-state relay that has a fast response time.

[0018] According to one form of the invention, there is provided a method of operating a fail-safe programmable solid-state relay, wherein the relay comprises a base module; a configuration module; a control voltage module comprising at least one energy storage device; a controller module having at least two substantially electrically isolated microcontrollers operating in parallel, each microcontroller comprising an internal EEPROM memory, and at least one digital timer; and at least one switch module comprising at least one switching circuit, wherein the or each switching circuit has two switches, and at least one driver circuit; wherein the control voltage module is adapted to receive an applied control voltage or current and to permit pre-selection of an activation voltage or current level and a de-activation voltage or current level, the method comprising the steps of: a. performing a set of self-tests at an initial start-up and cyclically during the powered state of the solid-state relay, wherein a self-test comprises continuously detecting and comparing a state of the at least one switch with an expected state therefor and wherein if any self-test within the set detects an unexpected state, substantially simultaneously therewith a failure flag is set in a non-volatile memory and the at least one switching circuits are set to a safe or default state; b. setting an integrity flag and an integrity count flag within the memory when all self-tests in the set are passed; and c. reading the failure flag from the memory at any subsequent start-up, wherein if the failure flag is not set, the integrity count flag is read and a set of self-tests is performed.

[0019] In one embodiment of the method of the invention, an error code is recorded and is displayed on a display module or transmitted to an external device as required.

[0020] In another embodiment of the method of the invention, the initial start-up is determined by reading the integrity flag to determine if the integrity flag is set.

[0101] In another embodiment of the method of the invention, if any self-test detects an unexpected state, at least one switching circuits is disabled by permanently disabling the at least one driver circuits by blowing its fuse, whereby a safe or default state is achieved.

[0021] In another embodiment of the method of the invention, the setting of the integrity count flag comprises setting a value. The value of the integrity count flag is preferably used to select the one or more self-tests comprised in the subset of self-tests, wherein the selected self-tests further preferably comprise a sequential non-overlapping subset of tests.

[0022] In a preferred form of the method of the invention, when the value of the integrity count flag reaches its maximum, it is set to 1.

[0023] In still another preferred embodiment of the method of the invention, the non-volatile memory comprises an internal Electrically Erasable Programmable Read-Only Memory (EEPROM).

[0024] According to another embodiment of the method of the invention, the method further preferably comprises permanently storing data in at least one Random Access Memory (RAM) device. The data stored in the RAM device preferably comprise a value of the integrity count flag. The RAM device preferably comprises a Ferroelectric Random Access Memory (FRAM) device for permanently storing data, wherein the data stored in the FRAM preferably comprises a value of the integrity count flag.

[0025] The EEPROM and FRAM perform the same function which is to store data, which data must be preserved between start-ups. Upon the initial start-up, the FRAM is a mirror image of the EEPROM. As the relay begins processing after start-up, the data stored in FRAM is updated; however, only that data which is vital is written to EEPROM. This results in the vital data being identical and it is cross-checked in EEPROM and FRAM to see that it is identical, but non-vital data may not be cross-checked. This is done in order to substantially alleviate the problem with EEPROM taking a relatively long time to read/write compared to that taken by FRAM. A time limit for start-up to complete is preferably set at 50 mS. Accordingly, it is most preferred that the amount of data being written to EEPROM is minimised.

[0026] In one embodiment of the system of the invention, the processor determines an initial start-up by reading the integrity flag to determine if the integrity flag is set.

[0027] In another embodiment of the system of the invention, after reading the setting of the integrity count flag, the processor sets an integrity count flag value. The integrity count flag value is preferably used to select the at least one self-tests comprised in the subset of self-tests. The selected self-tests preferably comprise a sequential non-overlapping subset of tests.

[0028] In yet another embodiment of the method of the invention, when the value of the integrity count flag value reaches its maximum, the processor resets the integrity count flag value.
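The start-up sequence described in paragraphs [0018] to [0028] (failure flag latch, integrity flag, integrity count selecting a sequential non-overlapping subset of self-tests, and the EEPROM/FRAM cross-check of vital data), sketched in C as an added example that is not code from the patent. The number of tests, the subset size, the simulated memories, every identifier, and the choice to hold the safe state on a previously latched failure or on a failed cross-check are assumptions.

```c
/* Added illustration; names, sizes and the simulated memories are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TESTS   6                         /* assumed size of the full self-test set */
#define SUBSET_SIZE 2                         /* assumed tests per start-up subset */
#define COUNT_MAX   (NUM_TESTS / SUBSET_SIZE) /* integrity count runs 1..COUNT_MAX */

/* Vital data that must be preserved between start-ups. */
typedef struct {
    uint8_t failure_flag;    /* latched when any self-test sees an unexpected state */
    uint8_t integrity_flag;  /* set once the full set has passed */
    uint8_t integrity_count; /* selects the next subset of self-tests */
} vital_t;

typedef struct {
    vital_t eeprom, fram;      /* simulated non-volatile devices */
    bool expected[NUM_TESTS];  /* expected switch states */
    bool observed[NUM_TESTS];  /* constructed read-back of the switch states */
    bool switches_safe;        /* true once outputs are forced to the safe state */
    unsigned tests_run_mask;   /* bit i set if test i ran during this start-up */
} relay_t;

typedef enum { BOOT_OK, BOOT_TEST_FAILED, BOOT_LATCHED_FAILURE, BOOT_DATA_INVALID } boot_t;

/* Set the failure flag in both stores and force the safe state together. */
static void latch_failure(relay_t *r)
{
    r->eeprom.failure_flag = r->fram.failure_flag = 1;
    r->switches_safe = true;
}

/* Compare observed and expected state for tests [first, first + n). */
static bool run_tests(relay_t *r, int first, int n)
{
    for (int i = first; i < first + n; i++) {
        r->tests_run_mask |= 1u << i;
        if (r->observed[i] != r->expected[i]) {
            latch_failure(r);
            return false;
        }
    }
    return true;
}

boot_t relay_startup(relay_t *r)
{
    r->tests_run_mask = 0;

    /* A failure latched in either copy keeps the relay in the safe state. */
    if (r->eeprom.failure_flag || r->fram.failure_flag) {
        latch_failure(r);
        return BOOT_LATCHED_FAILURE;
    }
    /* Cross-check vital data; treating a mismatch as a failure is an assumption. */
    if (memcmp(&r->eeprom, &r->fram, sizeof(vital_t)) != 0) {
        latch_failure(r);
        return BOOT_DATA_INVALID;
    }

    vital_t v = r->eeprom;
    if (!v.integrity_flag) {
        /* Integrity flag not set: initial start-up, run the full set. */
        if (!run_tests(r, 0, NUM_TESTS))
            return BOOT_TEST_FAILED;
        v.integrity_flag = 1;
        v.integrity_count = 1;
    } else {
        /* Subsequent start-up: the count picks a non-overlapping subset. */
        if (v.integrity_count < 1 || v.integrity_count > COUNT_MAX) {
            latch_failure(r);
            return BOOT_DATA_INVALID;
        }
        if (!run_tests(r, (v.integrity_count - 1) * SUBSET_SIZE, SUBSET_SIZE))
            return BOOT_TEST_FAILED;
        /* When the count has reached its maximum it goes back to 1. */
        v.integrity_count = (v.integrity_count == COUNT_MAX)
                                ? 1 : (uint8_t)(v.integrity_count + 1);
    }
    r->eeprom = r->fram = v;   /* only this vital data is written to both devices */
    return BOOT_OK;
}

int main(void)
{
    relay_t r;
    memset(&r, 0, sizeof r);
    for (int boot = 1; boot <= 6; boot++) {
        if (boot == 5)
            r.observed[1] = true;   /* constructed fault: switch 1 reads back wrong */
        boot_t res = relay_startup(&r);
        printf("boot %d: result=%d tests=0x%02x count=%u safe=%d\n", boot, (int)res,
               r.tests_run_mask, (unsigned)r.eeprom.integrity_count, (int)r.switches_safe);
    }
    return 0;
}
```

Because the failure flag is checked before anything else, clearing the fault and power-cycling does not bring the switches back: the relay stays in the safe state until the stored flag is dealt with out of band.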

[0029] In a preferred embodiment of the present invention, the state of the at least one switching circuit is selected from at least one normally open switch or at least one normally closed switch, or a combination thereof; wherein determination of the state of the control voltage or current operates independently of the voltage or current of the at least one switching circuit. More preferably, the at least one switching circuit comprises at least two normally open switches connected in series.

[0030] In yet a further preferred form, the state of the at least one switching circuit comprises at least one normally open switch and one normally closed switch connected in series.

[0031] In yet a further preferred form, the state of the at least one switching circuit comprises at least two normally closed switches connected in parallel.

[0032] More preferably, the state of the at least one switching circuit comprises a first set of at least two normally closed switches connected in series being connected in parallel to a second set of at least two normally closed switches connected in series.

[0033] In a most preferred embodiment, the state of the at least one switching circuit is selected from up to sixteen sets of two normally open switches in series, or up to sixteen sets of two normally closed switches connected in parallel, or up to sixteen sets of a combination of two normally open switches in series and two normally closed switches in parallel.

[0034] For reliability purposes, the at least one energy storage device located in the control voltage module of the relay provides sufficient power to a portion of the microcontrollers, whereby when the applied control voltage or current decreases to a minimum voltage or current level, the ability of the microcontrollers to control the state of the normally open and/or normally closed switches is substantially maintained, even in the case of a temporary power interruption. In addition, the energy storage device/s acts as a power buffer to provide sufficient time for the microcontrollers to transition from the activation mode to the deactivation mode and accordingly, to shut down safely. The energy storage device/s is preferably selected from at least one supercapacitor. In a preferred embodiment, the energy storage devices comprise two supercapacitors.

[0035] In still another embodiment of the method of the invention, the relay further comprises a display module on which the default state of each switch is displayed.

[0036] In another preferred embodiment, the display module is used for communicating when an indication of a failure flag is set.

[0037] Preferably, one or more relay parameters selected from voltage, time delay, relay type or error code, or a combination thereof is exhibited on the display module.

[0038] In another preferred form, the invention provides a non-transitory machine-readable storage medium, which when executed by one or more processors of a solid-state relay, causes the relay to implement the method of: a. performing a set of self-tests at an initial start-up and cyclically during the powered state of the solid-state relay, wherein a self-test comprises continuously detecting and comparing a state of the at least one switch with an expected state therefor and wherein if any self-test within the set detects an unexpected state, substantially simultaneously therewith a failure flag is set in a non-volatile memory and the at least one switching circuits are set to a safe or default state; b. setting an integrity flag and an integrity count flag within a memory when all self-tests in the set are passed; c. reading the failure flag at any subsequent start-up, wherein if the failure flag is not set, the integrity count flag is read and a set of self-tests is performed.

[0039] In one embodiment of the machine-readable storage medium, the initial start-up is determined by reading the integrity flag to determine if the integrity flag is set.

[0040] In another embodiment of the machine-readable storage medium, the setting of the integrity count flag comprises setting a value. The value of the integrity count flag is preferably used to select the at least one self-tests comprised in the subset of self-tests, wherein the selected self-tests preferably comprise a sequential non-overlapping subset of tests.

[0041] In still another preferred embodiment of the machine-readable storage medium, when the value of the integrity count flag reaches its maximum, it is reset to 1.

[0102] In yet another preferred embodiment of the machine-readable storage medium, if any self-test detects an unexpected state, the at least one switching circuits is disabled by permanently disabling at least one of the driver circuits by blowing its fuse, whereby a safe or default state is achieved.

[0042] In yet another embodiment of the machine-readable storage medium, the non-volatile memory comprises a read-only memory. The read-only memory more preferably comprises an EEPROM.

[0043] In another embodiment of the machine-readable storage medium, the relay permanently stores data in at least one RAM device. The data stored in the RAM device preferably comprises a value of the integrity count flag.

[0044] Historically, only normally open switches are utilised by the signalling system to control safety-related functions due to the failure mechanisms inherent in electromagnetic relays. In another form, the invention provides a means whereby normally closed switches are utilised to control safety-related functions by enforcing the closed state of a switch even when one or more of the components comprising the switch have failed in the open state.

[0045] The fail-safe programmable solid-state relay of the present invention finds particular application in railway signalling and switching applications, although it is not limited to such applications.

[0046] Accordingly, the present invention also extends to a method of installing the fail-safe programmable solid-state relay of the invention in new railway signalling and switching applications, or to a method for retrofitting existing railway signalling and switching applications.

BRIEF DESCRIPTION OF THE DRAWINGS

[0047] The accompanying drawings, which are incorporated in and constitute a part of this Specification, illustrate various implementations of the invention and, together with the description, serve to explain the advantages and principles of the invention. In the drawings:

[0048] Figure 1 is a block diagram of a programmable solid-state relay which is operated by a preferred method of the invention;

[0049] Figure 2 illustrates a portion of the base module of the relay;

[0050] Figure 3 illustrates a typical configuration module;

[0051] Figure 4 is a schematic of the control voltage module;

[0052] Figure 5 is a block diagram of the controller module;

[0053] Figure 5A illustrates interfaces between the controller module and other modules of the relay;

[0054] Figure 5B is a block diagram of the internal structure of one the microcontrollers in the controller module;

[0055] Figure 6 is a block diagram of a representative portion of the switch module of the relay;

[0056] Figure 6A is a block diagram of the switch driver circuit of the relay;

[0057] Figure 7 is a schematic of the display module;

[0058] Figure 8 is a diagram illustrating the relationships between the switches and the various levels of control voltages applied to the relay;

[0059] Figure 9 is a timing diagram illustrating some of the various time delays available;

[0060] Figure 10 is a flowchart illustrating the main loop, integrity test and failsafe loop; and

[0061] Figure 11 presents a flowchart of the process by which the relay transitions between the activated and deactivated.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT

[0062] The following detailed description of the invention refers to the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings and the following description to refer to the same and like parts. Dimensions of certain parts shown in the drawings may have been modified and/or exaggerated for the purposes of clarity or illustration.

[0063] The invention is used to control the propagation of an electrical signal. Various parameters, including parameters of one or more input signals are monitored and when these parameters satisfy pre-determined conditions, the state of one or more switches is set or reset for a pre-determined time, or until one or more parameters change to another pre-determined value.

[0064] The present invention incorporates the use of a transistor or some other solid-state-based switching circuit instead of the mechanical-type contact. The present inventors have surprisingly found that by retrofitting the present time delay relay to circuits employing existing electromechanical relays, the function of existing relays can be substantially emulated. In this way, the relay of the present invention offers the ability to detect component failures and thereby substantially prevent unsafe switch states from occurring.

[0065] Various indicia are provided to show the operating state of the switches.

[0066] Upon detection of a switch fault, the system is set to a known state and fault indicia are indicated.

[0067] The system is based around a control module having at least two substantially electrically isolated microcontrollers operating in parallel, as illustrated in Figure 5A, to provide diversity, implement system logic and to provide high accuracy and repeatable timing and control.

[0068] The solid-state time-delay relay comprises a combination of hardware and software logic implemented in the operation of the microcontrollers. Whilst the hardware supports the implementation of the software logic, it can and will be described herein in isolation from it.

[0069] The present invention provides for the implementation of up to two independent relays, i.e. single or dual relays. As the two relays are identical, only a single relay together with the common circuitry will be detailed, where appropriate. Where details regarding a dual relay are described, the two relays are referred to as relay A and relay D.

[0070] Referring to Figure 1, which depicts a block diagram of one preferred embodiment of the solid-state relay 10 of the present invention, the relay 10 comprises a base module 20, a configuration module 30, a control voltage module 40, a controller module 50, a switch module 60 and a display module 70.

[0071] Figure 2 depicts a portion of the base module 20 employed for installing the relay 10 onto a plugboard and interfacing the railway industry connectors 21 with electronic industry connectors 23. The base housing (not shown) is configured to mechanically mate with the plugboard. Signals present on the railway industry style connectors 21 are routed by the base printed circuit board 22 to electronic industry connectors 23.

[0072] Figure 3 depicts a typical configuration module 30, which functions to route the various plugboard signals present on specified pins on a connector of the base module 31 to specified pins (not shown) on a connector of the control voltage module 32 via the configuration module printed circuit board 33. Various configuration modules 30 are available corresponding to the various plugboard pin assignments.

[0073] This arrangement allows for a consistent signal/pin naming convention to be implemented in the remaining modules 30, while maintaining plug compatibility with many existing electromechanical relays.

[0074] The control voltage module 40, as shown in more detail in Figure 4, is used to detect, select and condition the control voltage, protect the relay 10 against over-current and over- voltage conditions, and to provide temporary power to the controller module enabling the relay to continue to function when the applied control voltage decreases below the minimum voltage level required for the microcontroller to function reliably.

[0075] In one embodiment, the relay 10 is configured as a single relay and the control voltage, appearing on the plugboard across terminals R1 and R2, is re-routed by the configuration board 33 to appear as signals R1_IN and R2_IN.

[0076] In another preferred embodiment, the relay 10 is configured as a dual relay and the control voltage for relay A, appearing on the plugboard across terminals R1 and R3, is similarly re-routed by the configuration board 33 to appear as signals R1_IN and R3_IN and the control voltage for relay D, appearing on the plugboard across terminals R2 and R4 is similarly re-routed by the configuration board 33 to appear as signals R2_IN and R4_IN.

[0077] Over-voltage and over-current protection is illustrated at 42, where inputs R1_IN, R2_IN, R3_IN and R4_IN are equipped with fuses F201, F2202, F2033 and F2044 for over-current protection. Fuses are required on both legs of the circuits in order to protect the relay when it is configured as a neutral relay.

[0078] Metal oxide varistors (RV201), (RV202) and (RV203), mounted across the control voltage inputs, protect the relay 10 against excessive transient voltages. When the control voltage increases to the clamping voltage level of the metal oxide varistor ("MOV"), the MOV begins to conduct, creating a low resistance path and allowing current to flow between the control voltage input connections, while maintaining the control voltage at the level of the clamping voltage. As the magnitude of the over-voltage condition increases, the magnitude of the shunted current also increases. When the value of the shunted current reaches the rated fuse value, the fuse will open, isolating the relay 10 and protecting it from any damage, which may be caused by the over-voltage condition.

[0079] It will be appreciated by the person skilled in the art that alternatives to metal oxide varistors, such as transient-voltage-suppression diodes and spark gaps, are available, which could be substituted for the MOVs.

[0080] It will be further appreciated that alternatives to fuses, such as positive temperature coefficient thermistors ("PTCs"), are available, which could be substituted for the fuses mentioned herein.

[0081] Control voltage polarity selection 42, where an arrangement of Diodes D201 through D210, along with RV203 allows the relay 10 to be configured as either a biased relay or neutral relay, as well as either a single relay or a twin relay, as determined by the placement of these components as summarised in the Table below:

[Table not recovered; surviving entries: D203, D201, D205, D207]

[0082] The output from this section provides the input to the voltage regulator 43. For example, where it is desired to configure the relay 10 as a twin neutral relay, Diodes D201 through D210 are installed and RV203 is omitted, creating a full wave bridge rectifier circuit, such that a positive voltage will appear on outputs ADC_A, ADC_D and VPSU, regardless of the input voltage polarity.

[0083] Conversely, where it is desired to configure the relay 10 as a single biased relay, RV203 is installed, only Diodes D202 and D205 are installed with Diodes D209 and D210 being replaced with 0Ω jumpers, which effectively eliminates the full wave bridge rectifier circuit, such that a positive voltage will only appear on outputs ADC_A and VPSU, when R1_IN is positive with respect to R2_IN.

[0084] Signal ADC_A is fed into port AA of Microcontroller A and thereby to the analogue to digital converter shown in Figure 5B for processing. Similarly, signal ADC_D (not shown) is fed into port DA of Microcontroller D and thereby to the associated analogue to digital converter for processing. This arrangement allows for the independent activation of either relay A or relay D, when the relay 10 is configured as a dual relay.

[0085] The power supply section 43 is shown generally in Figure 4. Transistor Q201, along with Resistors R201, R202, R203 and Zener diode DZ201, are used to maintain the voltage regulator U201 in the off-state until the power supply input voltage is sufficient to ensure that a steady, regulated and clearly defined DC voltage level can be generated and maintained by the regulator. Capacitor C200 filters out any AC component appearing on the input voltage. Voltage regulator U201, in conjunction with inductor L201, capacitor C202 and diode D211, provides a stable, regulated DC voltage for operation of the digital circuitry of the relay 10.

[0086] An energy storage device 43 is presented in the form of a supercapacitor at C204. Resistor R216 and diode D210 control the charging/discharging of the energy storage device.

[0087] It is noted that while the voltage regulator 43 circuitry is depicted as a step-down switching voltage regulator, alternative devices, such as linear voltage regulators, are also available to provide the stable, regulated DC voltage required for operation of the digital circuitry of the relay.

[0088] The control voltage detection circuits for Microcontroller A and Microcontroller D are illustrated at 44 and 45 in Figure 4, respectively. As both circuits are similar, only the circuit for Microcontroller A is discussed here.

[0089] The control voltage derived from the plugboard is rectified by bridge diode U203, regulated by zener diode DZ204 and used to control Optoisolator U206. Resistors R204 and R205 limit the current applied to the input of the Optoisolator U206. The Optoisolator U206 provides signal EN_PWR_A to Microcontroller A 501 when a voltage greater than the zener voltage of DZ204 is applied to the plugboard, thereby providing an indication to Microcontroller A 51 that a control voltage has been detected.

[0090] The voltage isolation circuitry 46 is generally illustrated in Figure 4 and includes DC to DC converter U202, which works in an analogous fashion to the power supply section 43 to provide power signals VCC1 and GND0. This arrangement ensures electrical power supply isolation of the two microcontrollers on the controller module 50.

[0091] The controller module 50, which provides the means by which the operation of the relay 10 is controlled is illustrated generally in Figure 5 and comprises at least two microcontrollers identified in the various figures as Microcontroller A 501 and Microcontroller D 502.

[0092] While the circuitry illustrated is based upon the 8-bit Atmel ATMEGA324PA microcontroller, there is a wide range of other microcontrollers, which could be substituted without significantly affecting the capabilities of the relay 10.

[0093] As shown in Figure 5, all communications between Microcontroller A 501 and Microcontroller D 502 are achieved via optoisolators, Optoisolator AD 537 and Optoisolator DA 536.

[0094] Microcontrollers 501 and 502 interface with the various other modules in relay 10 through four I/O Ports as depicted in block diagram Figure 5A. Microcontroller A 501 interfaces with a number of dedicated devices comprising controller module 50 including non-volatile FRAM A 527, real time clock circuit (RTC A) 539 and wireless communication circuit (Wireless Comms A) 541, as well as a universal serial bus interface (USBA) 543 for hardwired communication with systems external to relay 10. Microcontroller D 502 is similar.

[0095] Microcontroller A 501 interfaces to these modules via Port AA 503, Port AB 505, Port AC 507 and Port AD. Similarly, Microcontroller D interfaces to these modules via Port DA 504, Port DB 506, Port DC 508 and Port DD 510.

[0096] Additional details of the internal structure of the microcontroller are illustrated in Figure 5B. As Microcontroller A and Microcontroller D are very similar, only Microcontroller A is illustrated here.

[0097] Microcontroller A comprises a central processing unit (CPU) 520, programmable non-volatile memory (Flash) 521, Static Random Access Memory (SRAM) 522 and Electrically Erasable Programmable Read-Only Memory (EEPROM) 523.

[0098] Analog to digital conversion circuitry (A/D Converter) 524 is provided to digitise analog signals received via Port AA 503. Calibration of the A/D Converter 524 is performed through the use of the internal bandgap reference 525.

[0099] A serial peripheral interface Master/Slave (SPI) 526 is provided for communication with devices external to the relay 10 via Port AB 505. Port AB also provides a serial interface for the FRAM 527 also located on controller module 50, which is utilised to overcome lifecycle issues associated with the EEPROM 523 internal to the microcontrollers.

[0100] Data destined for the switch modules and display module are output on Port C with individual module selection performed by decoding the signals output from Port A, which latches the signals from Port C on the target module.

[0101] Inputs from the switch modules are received on Port AB 505 and Port AD 509. Port AB 505 also provides the connection to the USBA port 543 for an SPI connection to an external system for downloading/uploading the EEPROM image and/or other data.

[0102] Diverse means are utilised for communications with Flash 521 and SRAM 522 directly interfacing with CPU 520 for improved speed, EEPROM 523 interfaces with CPU 520 via internal Bus 550 and FRAM 527 via Port B 505.

[0103] A programmable universal synchronous/asynchronous receiver/transmitter (USART) circuit, USART0 527 is provided for communication with devices internal to the relay 10 via Port AA 503.

[0104] In addition to a 16-bit timer counter (TC1) 529, two 8-bit timer counters (TC0) 528 and (TC2) 530 are also provided.

[0105] An external crystal (XTALA) 531 also on controller module 50 provides input to the clock generator circuit 532. A watchdog oscillator 533 develops the timing parameters for the watchdog timer 534 from the clock generator circuit 532.

[0106] Power supervision circuit 535 continuously monitors VCC0 and Gnd0, causing watchdog timer 534 to invoke a timeout if the voltage drops below a specified value.

[0107] Microcontroller 51 uses various software flags to determine if this is the first time that it has powered up. If the power-up flag has not been set, then a comprehensive set of integrity tests are performed to confirm correct functionality. If an error is detected, the relay sets a failure flag, commands all switches to their safe state, records the error type in EEPROM 101 and FRAM 55, displaying it on the display module 70.

[0108] If, upon start-up, it is detected that this is not the first time that the relay has been powered up, then only a subset of the integrity tests is performed, as described below.

[0109] Display 70 in Figure 7 may be used to communicate when a relay failure has been detected. The display 70 may also be used to exhibit one or more relay parameters, such as nominal voltage, time delay or relay type, usage history or a combination thereof.

[0110] It is desirable that the start-up time be as short as possible in order for the relay to respond quickly to inputs from the overall signalling system. To accomplish this, all subsequent start-up sequences will execute a subset of the integrity tests if no errors have been detected. For example, during the second start-up, integrity tests 1 through 4 may be executed and an integrity test number flag set. The next start-up will read this integrity test number flag and execute integrity tests 5 through 9, eventually cycling back to integrity tests 1 through 4.

[0111] The clock circuitry 56 is crystal-based and provides a highly stable clock source for microcontroller A. When a recordable event, such as a switch failure, is detected either by Microcontroller A or Microcontroller D, bit 2 in the two-wire serial interface register (not shown) of the microcontroller ("TWC ") in Microcontroller A is set to disconnect PC0 and PC1 from Port C. PC0 becomes the serial clock ("SCL") for the real-time clock circuitry 59 and PC1 becomes the serial data ("SDA") for the real-time clock circuitry 59. Data from the real-time clock circuitry 59 are then serially input as signal SDA, where they are appended to the event data and stored in both FRAM and EEPROM memories.

[0112] The circuitry shown at 57 carries signals MOSI_A, SCK_A and MISO_A to a host computer for downloading/uploading operating system software or other data, as required.

[0113] The external communication section of the controller module is shown at 58 and comprises a transceiver U103, filter capacitors C34 and C35 and an antenna. Jumper JP7 allows the communication section of the controller module to be disabled when downloading/uploading operating system software.

[0114] The communications system is based upon the Open Platform Communications ("OPC") series of standards and specifications for industrial telecommunication and enables real-time relay data to be transmitted via a webserver to various client applications, such as workstations and mobile computing devices, which can then query individual relays or groups of relays, as well as receive and acknowledge relay alarms. It is envisaged that relay data can be stored in a secure cloud-hosted Structured Query Language ("SQL") database accessible by users at any time from any location. The SQL structure of the data also provides the ability for the operator's maintenance system to directly access information to aid in the generation of work orders, service requests, field inspections and the like.

[0115] It is further envisaged that the present solid-state time-delay relay will forward operational data to a central system and will become part of a mesh network.

[0116] Figure 6 depicts the switch module 60 and illustrates several typical switch arrangements, which comprise a single typical normally open switch 61 and a single typical normally closed switch 62. The switch module 60 also incorporates a current sensing feature (not shown) utilizing a current sense amplifier (not shown) to measure the load current flowing through the switch.

[0117] Switches are arranged in stacks or columns A through D with switch contact pairs in rows 1 through 4. The relay is comprised of up to four switch modules, identified as SSRA through SSRD, with each module corresponding to a switch stack. The switches themselves are referred to according to their column and row, such that switch A12 refers to the switch on the SSRA switch module which, unless rerouted by the configuration module, is used to connect plugboard connection A1 to plugboard connection A2.

[0118] With regard to the normally open switch 61, an input signal applied at A1_IN is selectably switched by optically coupled mosfets, U301 and U302, to output A2_IN only when signal SW_A12_1 is asserted by Microcontroller A and signal SW_A12_2 is asserted by Microcontroller D.

[0119] It is to be noted and as will be apparent to the person skilled in the art, in accordance with generally accepted railway signalling principles, even-numbered plugboard connections to normally closed switches are positive with respect to the odd-numbered terminals and odd-numbered plugboard connections to normally open switches are positive with respect to the even-numbered terminals.

[0120] With regard to the optically coupled mosfets, U301 and U302, the signals SW_A12_1 asserted by Microcontroller A and signal SW_A12_2 asserted by microcontroller D, are derived from Figure 6A.

[0121] Octal D-Type Latch U342 stores data from Microcontroller A, appearing on data bus lines D1_A through D8_A.

[0122] With regard to signals SW_A12_1 and SW_A56_1, Octal Darlington transistor array U343 together with resistor networks RN31 and RN32 assert the signals SW_A12_1 and SW_A56_1 according to the state of the inputs D1_A through D8_A. The state of the latches is asserted by the signal LE_SSRA from microcontroller A allowing the stored data to pass to the outputs.

[0123] The drive signals for the other optically coupled mosfets are derived similarly.

[0124] To ensure the output state of the Octal D-Type Latch U342 is known when the voltage VCC0 from 43 is first applied, Q343 together with R342, DZ342, R343, and C342 comprise a time delay circuit that holds Octal D-Type Latch U342 outputs to a known state until sufficient time has passed.

[0125] In the event that any self-test detects an unexpected state, Microcontroller A will assert the signals SAFE1 or SAFE4, and in conjunction with transistors Q341, Q342 and R341, fuse F301 will be permanently blown.

[0126] With regard to 61 and 62 and to the condition of a blown fuse F301, the outputs from the Octal Darlington transistor array U343 will be disabled, which, in turn, will disable the signals SW_A12_1 and SW_A56_1, thereby setting the optically coupled mosfets, U301 and U321 to their safe or default state.

[0127] Similarly, in the event that any self-test determines an unexpected switch state, Microcontroller D will assert the signals SAFE3 or SAFE3 (not shown), and signal SW_A12_2 and SW_A56_2 will be disabled, thereby setting the optically coupled mosfets, U302 and U303 to their safe or default state.

[0128] With regard to when both optically coupled mosfets U301 and U302 are switched to close, Diode D301 will block current flow when A2_N is more positive than A1_N.

[0129] MOV RV301 is used to protect optically coupled mosfet U301 against excessive transient voltages at turn off due to any back electromotive force ("emf") generated when the relay is used as a low side switch for an inductive load, such as an electromechanical relay. Similarly, MOV RV302 is used to protect optically coupled mosfet U302 against excessive transient voltages at turn off due to any back emf generated, when the relay is used as a high side switch for an inductive load.

[0130] In the absence of any externally applied voltage between A1_IN and A2_IN, the signals A1_IN and A2_IN will remain potential free. In this condition, no current will flow to produce any potential difference within the relay circuit or on the signals A1_IN or A2_IN.

[0131] With regard to this condition, Resistor R309 provides a known state for the A1_IN and A2_IN pair in the absence of any voltage across A1_IN and A2_IN. Software controllable pull-up resistors (not shown) internal to the controller module are used to provide a known default state for signal VA12_A, which is detected by Microcontroller A.

[0132] Similarly, Resistor R310 provides a known state for the A1_IN and A2_IN pair in the absence of any voltage across A1_IN and A2_IN. Software controllable pull-up resistors (not shown) internal to the controller module are used to provide a known default state for signal VA12_D, which is detected by Microcontroller D.

[0133] The presence of a voltage potential between A1_IN and A2_IN of the correct polarity, that is, A1_IN being more positive than A2_IN, will give rise to a smaller voltage potential which is clamped by Zener Diode DZ301 in conjunction with R301 and R302. The presence of this voltage is detected by an Optoisolator U303 in conjunction with R303, R304 and R309 to generate signal VA12_A, which is detected by Microcontroller A.

[0134] Similarly, the presence of a voltage potential between A1_IN and A2_IN of the correct polarity, that is, A1_IN being more positive than A2_IN, will give rise to a smaller voltage potential which is clamped by Zener Diode DZ302 in conjunction with R305 and R306. The presence of this voltage is detected by an Optoisolator U304 in conjunction with R303, R304 and R310 to generate signal VA12_D, which is detected by Microcontroller D.

[0135] With regard to when both optically coupled mosfets U301 and U302 are switched to close, current can flow from A1_IN to A2_IN when A1_N is more positive than A2_N.

[0136] With regard to this closed condition, the voltage potential between A1_IN to A2_IN will collapse due to the closure of the U301 and U302 mosfets with the resultant detection being analogous to the absence of any externally applied voltage between A1_IN and A2_IN.

[0137] During operation, any software designed to accompany the present relay will ensure that the state of each mosfet switch is checked periodically and continuously and is compared with its expected state.

[0138] With regard now to the normally closed switch 62, it can be seen to operate in an analogous manner. An input signal applied at A6_IN is selectably switched by optically coupled mosfets U321 and U322 to output A5_IN only when signal SW_A56_1 is asserted by Microcontroller A and signal SW_A56_2 is asserted by Microcontroller D.

[0139] Zener Diode, DZ321 in conjunction with R321 and R322 and with Optoisolator U323 in conjunction with R323, R324 and R329 work in an analogous manner to that of the normally open switch 61.

[0140] The presence of a voltage input by the user, which is subsequently controlled by the relay, at plugboard connection A6_IN is detectable by the use of Optoisolator U223 in conjunction with resistor R329 to generate signal VA56_A, which is then fed to the controller module Microcontroller A for analysis.

[0141] Similarly, the presence of a voltage input by the user, which is subsequently controlled by the relay, at plugboard connection A6_IN is detectable by the use of Optoisolator U224 in conjunction with resistor R330 to generate signal VA56_D, which is then fed to the controller module Microcontroller D for analysis.

[0142] The switch module may also incorporate a current sensing feature (not shown) utilizing a current sense amplifier (not shown) to measure the load current flowing through the switch. The current sense amplifier (not shown) converts this load current to a small voltage, which is then amplified and forwarded to the controller module shown in Figure 5 for processing.

[0143] Pull-up resistors internal to the controllers are used to set the switch status input signals VA12_A and VA12_D to a known state in the absence of a voltage across the mosfets U301 and U302 comprising the normally open switch.

[0144] Pull-up resistors internal to the controllers are similarly used in the normally closed switch to set the switch status input signal VA56_A and VA56_D to a known state in the absence of a voltage at the output of mosfets U322 and U322.

[0145] Figure 6A depicts the switch driver circuit 63. If any self-test detects an unexpected state, the at least one switching circuits is disabled by permanently disabling at least one of the driver circuits 63 by blowing its fuse 301, whereby a safe or default state is achieved.

[0146] Figure 7 depicts the portion of the display module 70 corresponding to Microcontroller A, comprising the programming pushbuttons, a switch status LED array, a multiplexing decoding circuit, a 4-digit 7-segment display and a power supply status indicator.

[0147] The portion of the display module for entering specified relay parameters for controller A is shown generally at 71, comprising momentary pushbutton switches SW1_A, SW2_A and SW3_A, which set controller A signals MOSI_A, MISO_A and SCK_A to a known state when pressed.

[0148] The portion of the display module for detecting the state of the pushbuttons read by Microcontroller D is similar.

[0149] The switch status LED array is arranged in the form of stacks A through D, corresponding to plugboard connection stacks A through D.

[0150] The portion 72 of the switch status LED array driven by Microcontroller A corresponds to the A stack of plugboard connections. Octal D-type flip-flop latch U9 stores data from Microcontroller A, appearing on data bus lines D1_A through D8_A, when Microcontroller A asserts signal LE_LED_A. Outputs from U9 control the illumination of LEDs A12, A34, A56, A78, B12, B34, B56 and B78, according to the latched state of the inputs D1_A through D8_A.

[0151] The portion of the switch status LED array, corresponding to the switch status LED array stacks B, C and D (not shown), is similar to data controlling the illumination of stacks A and B generated by Microcontroller A and data controlling the illumination of stacks C and D generated by Microcontroller D.

[0152] The portion of the display module for controlling the 7-segment displays driven by Microcontroller A is shown at 73 and provides a means for multiplexing and decoding the signals generated by Microcontroller A and is comprised of an octal D-type flip-flop U12, a 3-line to 8-line decoder U10 and a BCD to 7-segment decoder U11.

[0153] Decoder U12 stores the data from Microcontroller A appearing on data bus lines D1_A through D8_A when Microcontroller A asserts signal LE_7SEG_A. Decoder U12 outputs signals A0_A, A1_A, A2_A and A3_A to Decoder U11 which, in turn, generates signals A_A through to G_A for the illumination of the individual segments a through each 7-segment display SEG1_A, SEG2_A, SEG3_A and SEG4_A, shown at 74. Decoder U12 also outputs signal DOT_A for the illumination of the decimal point indicator of each of the 7-segment displays.

[0154] Decoder U12 also generates signals TRA0_A, TRA1_A and TRA2_A, which are input to Decoder U10 to generate signals QA1_A, QA2_A, QA3_A and QA4_A, which individually select 7-segment displays SEG1_A, SEG2_A, SEG3_A and SEG4_A, respectively, shown at 74.

[0155] The portion of the display module for controlling the 7-segment displays driven by Microcontroller D is similar.

[0156] The portion 75 of the display module for controlling the power supply status indication corresponding to Microcontroller A, comprises an indicator LED PSU A and a current limiting resistor R64. Signal LEDPWR_A, generated by Microcontroller A, determines the illumination of LED PSU A.

[0157] The portion of the power supply status indication, corresponding to Microcontroller D, is similar.

[0158] Figure 8 depicts the various control voltage parameters and the response of normally open and normally closed switches in response to the control voltage levels. The skilled person will note that the plot for the normally closed switch has been intentionally displaced in both axes to aid readability and will also note that the values for all delay timer values are 0 for this figure.

[0159] When the level of the control voltage increases to the activation voltage level, the normally closed switches open and the normally open switches close. The switches remain in these states until the level of the control voltage decreases to the de-activation voltage level.

[0160] Figure 9 depicts some of the various timing delay parameters that are available in the solid-state relay.

[0161] The Legacy On delay begins when the control voltage level reaches the activation voltage level and can be set to accommodate any target external signalling equipment with a slow response time. This delay will prevent the switched signals reaching the target equipment before they are expected. The Legacy On delay can also be used simply to delay the opening of the normally closed switches, where it is desired to maintain the signals switched by the normally closed switches for a pre-determined period of time.

[0162] The Transition On delay begins with the opening of the normally closed switches and ensures that no normally open switch is closed, while any normally closed switch is also closed. Where no normally closed switches are provided, the Transition On delay can be set to 0.

[0163] The Delay On delay provides a slow pick capability for the normally open switches to delay the signals switched by the normally open switches for a pre-determined period of time.

[0164] The On time is usually determined solely by the control voltage level and the programmed On time is effectively infinite. The On time usually terminates when the control voltage level decreases to the de-activation voltage level. The On time can, however, be programmed to be a shorter time period in order to set the maximum time that normally open switches can be closed. The On time can be used in circuits where a certain condition must be achieved within a specified time period. The solid-state relay of the present invention provides a time-out capability for such applications.

[0165] The Delay Off delay provides a slow drop capability for the normally open switches to maintain the signals switched by the normally open switches for a pre-determined period of time.

[0166] The Transition Off delay begins with the opening of the normally closed switches and ensures that no normally open switch is closed, while any normally closed switch is also closed. Where no normally closed switches are provided, the Transition Off delay can be set to 0.

[0167] The Legacy Off delay can be set to accommodate any target external signalling equipment with a slow response time. This delay will prevent the switched signals to the target equipment from being extinguished before they are expected. The Legacy Off delay can also be used simply to delay the closing of the normally closed switches, where it is desired to inhibit the signals switched by the normally closed switches for a pre-determined period of time.

[0168] As with other forms of the present invention, the configuration module 30 is used to re-route specified plugboard signals to specified pins on the electronic industry connectors 23.

[0169] In order to provide 'near' plug-in compatibility with a particular form of existing electromechanical relays, the slave control input is applied across plugboard connections D3 and D4, the slave verification inputs are applied across plugboard connections D5 and D6 and the slave relay is connected to plugboard connections R3 and R4. Further, to provide 'near' plug-in compatibility, plugboard connection A1 (not shown) is driven to a logic high state by the controller module and the states of plugboard connections A2, A3 and A7 (not shown) are detected by the controller module to indicate the presence of any plugboard strappings installed across A1, A2, A3 and A7 (not shown). It should be noted that the nominal voltage of the slave relay must be the same as the nominal voltage of this slow release solid-state relay.

[0170] Alternatively, in one form, a normally open contact is connected to a voltage source of the same nominal voltage as the slave relay to provide the activation voltage to both the programmable relay and the slave relay. The current state of the at least one switches is maintained until a corresponding timer has expired, at which time, the state of the remaining at least one switches is set to corresponding, individually pre-determined subsequent states. As with relay operation upon activation, there are a plurality of pre-determined time values and a plurality of corresponding subsequent states for the remaining at least one switches during de-activation.

[0171] In use, the programmable relay is controlled by software running on the controller module to control the de-activation delay of the relay. When the relay is configured as a slow release relay, the release of an energised slave relay is delayed after the opening of a control contact and one or more of the switch modules are pre-determined to function as slave relay control switches and one or more of the switch modules are pre-determined to control the activation of one or more slave relays. Additionally, one or more of the switch modules are pre-determined to function as slave relay verification switches to confirm the state of the corresponding slave relay. When the relay is configured as a slow release relay, latching must be enabled, as described above.

[0172] When the control voltage applied to the relay decreases to the de-activation voltage level, the state of all switches is maintained in their last state by virtue of the latching function. When the slave control input becomes an open circuit, the timer is loaded with a first-time value and the timer started, as described above. As with the activation timing, multiple sequential timer values are preferably incorporated. When the last timer has expired, the relay is unlatched and the slave relay becomes de-energised.

[0173] Figure 10 presents a flow chart illustrating the main loop, integrity test and failsafe loop that can be used according to one preferred embodiment.

[0174] After sufficient control voltage has been applied to the relay, the power supply in the control voltage module has turned on and the microcontrollers initialised (a). The software first checks if the relay has ever failed in the past (b) and if it has ever failed, enters a failsafe mode (e).

[0175] If no failure history is found, the relay configuration is loaded (c) and the lifecycle counter is incremented (d). The software then enters the main loop. An integrity test (1) is first performed to confirm correct relay operation, the processors are synchronised (2), current timer values read (3) and the current level of the control voltage is read (4). The state of any of the pushbuttons is then scanned (5) and the current state of all switches is read (6). The relay status is updated on the display module (7) and finally, the desired state of each of the switches is written to the switches themselves (8). The process then repeats indefinitely or until the control voltage drops to the deactivation voltage level and/or other such prerequisites for deactivation are satisfied.

[0176] If an error is detected while the main loop is executing, control diverts to the failsafe mode (e). The failsafe mode commands all mosfets to their default (safe) state (f) and updates the display module with an error code and relay status data (g). The relay will remain permanently in the failsafe mode, repeatedly commanding the mosfets to their default state and updating the display module. The means for exiting failsafe mode is to reload the original EEPROM image from an external source.

[0177] Figure 10 also presents the integrity test section (h) in more detail. As stated earlier, it is desirable that the start-up time be as short as possible. To accomplish this, a full set of comprehensive integrity tests are performed upon the first start-up during manufacture and all subsequent start-up sequences execute a subset of the integrity tests.

[0178] If it is detected that it is not the first start-up, a first subset of integrity tests is performed during the first passage through the main loop. Each subsequent passage through the main loop triggers a subsequent subset of integrity tests to be performed. Once all integrity subsets have been successfully executed, the sequence begins again with the first subset of integrity tests. In this manner, the integrity of the relay is confirmed after several passages through the main loop, while minimizing start-up time. If an error is detected at any time during the integrity test process, the relay enters failsafe mode (e).

[0179] Figure 11 presents a flowchart of the process by which the relay transitions between the activated and deactivated states depending upon the detected level of the control voltage.

[0180] The control voltage check is performed at step (4) in the main loop. The pre-set activation voltage level (Vact) and de-activation voltage level (Vdact) are first read from the relay configuration data and then compared with the control voltage level (Vctrl) measured by the A/D converter internal to the microcontroller.

[0181] If the control voltage level is greater than or equal to the activation voltage level and all other prerequisites, such as timer expiry, have been met, then the microcontroller may command all switches to be set to their non-default state.

[0182] If the control voltage level is less than or equal to the de-activation voltage level and all other prerequisites, such as timer expiry, have been met, then the microcontroller may command all switches to be set to their safe or default state.

[0183] This controlled voltage check is performed with each passage of the main loop. It is not performed while the relay is in the failsafe mode.

[0184] In summary, a fail-safe state of the programmable solid-state relay is obtained by the method of the invention comprising performing a set of self-tests at an initial start-up and cyclically during the powered state of the solid-state relay, wherein a self-test comprises continuously detecting and comparing a state of the at least one switching circuit with an expected state therefor; and wherein if any self-test within the set detects an unexpected state, substantially simultaneously therewith a failure flag is set in a non-volatile memory and the at least one switching circuits is set to a safe or default state, wherein at least one switching circuit is disabled by permanently disabling at least one driver circuit by blowing its fuse.
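The start-up check, rotating integrity subsets, latched failsafe mode and control voltage check of paragraphs [0174] to [0183] can be modelled in C as follows. This is an added illustration, not code from the specification: the type and function names, the three-subset split, the `fault_mask` test hook and the threshold values are assumptions, and the full first start-up test during manufacture is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simulated non-volatile memory; all names here are assumptions. */
typedef struct { bool failure_flag; uint32_t lifecycle; } nvm_t;
typedef struct {
    nvm_t *nvm;
    bool failsafe;        /* latched: no code path clears it */
    bool activated;       /* switches in their non-default state */
    unsigned subset;      /* next integrity subset to run */
    uint16_t vact, vdact; /* thresholds in ADC counts (constructed) */
} relay_t;

#define N_SUBSETS 3u
/* Stand-in for hardware self-tests: bit i set makes subset i fail. */
static unsigned fault_mask;
static bool run_subset(unsigned i) { return !(fault_mask & (1u << i)); }

static void enter_failsafe(relay_t *r) {
    r->nvm->failure_flag = true;  /* persist the failure first */
    r->failsafe = true;
    r->activated = false;         /* (f) default (safe) state */
}

/* Steps (a)-(d): failure history is checked before anything else. */
void relay_start(relay_t *r, nvm_t *nvm, uint16_t vact, uint16_t vdact) {
    *r = (relay_t){ .nvm = nvm, .vact = vact, .vdact = vdact };
    if (nvm->failure_flag) { r->failsafe = true; return; }  /* (b) -> (e) */
    nvm->lifecycle++;                                       /* (d) */
}

/* One passage of the main loop: integrity subset (1), voltage check (4).
   prereq_ok stands for timer expiry and the other prerequisites. */
void relay_pass(relay_t *r, uint16_t vctrl, bool prereq_ok) {
    if (r->failsafe) { r->activated = false; return; }  /* no voltage check */
    if (!run_subset(r->subset)) { enter_failsafe(r); return; }
    r->subset = (r->subset + 1u) % N_SUBSETS;  /* next subset next pass */
    if (prereq_ok && vctrl >= r->vact) r->activated = true;
    else if (prereq_ok && vctrl <= r->vdact) r->activated = false;
    /* between vdact and vact the previous state is held */
}

int main(void) {
    nvm_t nvm = {0};
    relay_t r;
    relay_start(&r, &nvm, 900, 600);
    relay_pass(&r, 950, true);
    return r.activated ? 0 : 1;
}
```

Because the failure flag lives in the simulated non-volatile memory, a later `relay_start` on the same `nvm_t` goes straight to failsafe mode and never reaches the voltage check, which is the property a reviewer of such firmware would want to confirm survives a power cycle.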

[0185] Further, the fail-safe programmable solid-state relay of the present invention comprises a multiplicity of circuits each being duplicated, whereby a fail-safe state is achieved.

[0186] Further advantages and improvements may very well be made to the present invention without deviating from its scope. Although the invention has been shown and described in what is considered to be the most practical and preferred embodiment, it is recognized that departures may be made therefrom within the scope and spirit of the invention, which is not to be limited to the details disclosed herein, but is to be accorded the full scope of the claims so as to embrace any and all equivalent devices and apparatus. Any discussion of the prior art throughout the specification should in no way be considered as an admission that such prior art is widely known or forms part of the common general knowledge in this field.

[0187] In this specification, the terms "comprises", "comprising" or similar terms are intended to mean a non-exclusive inclusion, such that an apparatus that comprises a list of elements does not include those elements solely, but may well include other elements not listed.

[0188] Throughout the specification the aim has been to describe the invention without limiting the invention to any one embodiment or specific collection of features. Persons skilled in the relevant art may realize variations from the specific embodiments that will nonetheless fall within the scope of the invention.