# Design and Analysis of 2003 Static Voter for SMT function in an Adjustable Speed Electrical Power Drive System 

C. Summatta and S. Deeon<br>Department of Electrical Engineering, Faculty of Engineering, Pathumwan Institute of Technology, 833 Rama 1 Road, Wangmai District, Pathumwan, Bangkok 10330 Thailand 5801021904@pit365.pit.ac.th


#### Abstract

In fail-safe systems, a 2-out-of-3 voter is responsible for processing the monitoring of failures of the sensor unit in the system. When a failure has occurred and the outputs directly drive the vital units, there may be some injuries, loss or damages, such as in a nuclear reactor shutdown, railway signalling systems, industrial compression systems, or electric motor drive systems. This paper presents an innovatively designed and developed 2 -out-of- 3 static voter that detects the signal with a window comparator circuit related to the safety system for the detection of false signals. The voting function is mainly one diode and four optoelectronic switches, which reduces the number of devices, resulting in a lower failure rate. Failure of the voter is detected and corrected by the window comparator with digital switching levels, which is a very simple circuit that is used with low voltage and fast varying input. Furthermore, the analysis of the performance was conducted for IEC 61800-5-2 in an adjustable speed electrical power drive system, with the simulation of the failure rate of electronic equipment, mean time to failure, failure mode and effects analysis (FMEA), and the experimental circuit.


Index Terms-2-out-of-3; Fail-Safe; FMEA; Static Voter.

## I. InTRODUCTION

During the processing of fail-safe systems, such as railway signalling systems, nuclear reactor shutdowns, industrial compression systems, and electric motor drive systems, when a failure happens, there will likely be some injuries, loss or damage. Thus, these systems demand high detection of accuracy and thus require 2-out-of-3 (2003) processing, or Triple Module Redundancy (TMR), that detects the error of the 2 out of 3 detectors that shuts down the systems. From the previous research, the 2 -out-of- 3 voter has been studied and applied in critical security tasks such as the application of transistor circuits for the shutdown of a nuclear reactor, in which the major factor responsible for the design was the use of transistor trip circuit [1]. In the application of the triplicated majority voting to integrated circuits [2], a hardware voter can be implemented with logic gates as twolevel AND-OR in CMOS VLSI technology [3-5]. TripleModular Redundancy is the simplest and most effective fault tolerant design method for ICs, in which the systems can multiply in series [5-6]. The 2003 architecture can be used in fault diagnosis on the basis of vital computer systems [7]. This article summarises the major methods to control the effects of single random faults: composite failsafe, reactive fail-safe, and inherent fail-safe. The detection of faults is one of the key factors during fail-safe design to
avoid the effects of single faults [8]. In paper [9], two novel voting circuits, a dynamic voter and a static voter, with reliability and safety that satisfy the EN 50129 standards are proposed.

A window comparator is a safety circuit that checks the DC signal level from the input with voltage hysteresis properties that has an upper limit and a lower limit, in which the level is between both limits. The design uses a transistor that is based on AND logic [10-13], which is an application used in fail-safe information processing. The circuit prevents faulty signals from various problems and detects the voltage level, in which only the voltage inside the window will operate. Moreover, a window comparator with op-amp or module ICs is comprised of two separate comparators and the AND gate, which features two different threshold inputs, an upper threshold and a lower threshold [14]. The output is "high", and the input signal is between the upper and the lower threshold voltage, which is "low" in contrast. The paper [15] proposed the technique of logic gates with input hysteresis for a Schmitt trigger circuit for the window comparator, which used eight transistors for construction and is very compact. In paper [16], a window comparator circuit with an XOR gate and potential divider circuit, which can be used in low voltage and fast varying input, was proposed. In paper [17], a window comparator circuit with digital ICs, which used the properties of the threshold voltage characteristics, was presented. For the analysis of the performance results for a 2 -out-of-3 voter, there are two preferred approaches. Markov's method is IEC 61165 , which uses sequences of random variables in the future, which are determined by the present variable. The other method is the IEC 60812 [18] failure mode and effects analysis (FMEA), which is a procedure for the analysis of a system that is used to identify the potential failure modes as well as their causes and effects on system performance.
This paper proposes the design and implementation of a 2-out-of-3 static voter with a digital window comparator for an adjustable speed electrical power drive system and analysis of its performance with the simulation of the failure rate of electronic equipment, mean time to failure, failure mode and effects analysis (FMEA), and the experimental circuit.

## II. CONCEPTS AND DESIGN

## A. The adjustable speed electrical power drive system

This research was applied to an adjustable speed electrical power drive system suitable for use in safety-
related applications described in this research and includes the safe motor temperature (SMT) safety function [19]. Three PTC sensors are attached to the motor windings in each phase triggered by three redundancy feedback signals through an electronic processing and the 2003 voter. The fail-safe relay drive based on the ISO 13849-2 [20] was required. Also, this system required safety integrity level 3 (SIL3) [21-22], in which the SMT safety function prevents the motor temperature from exceeding a specified upper limit, as shown in Figure 1.


Figure 1: The adjustable speed electrical power drive system
In this paper, the SMT safety function is implemented with the 2 -out-of-3 voter to achieve the hardware fault tolerance. This consists of three main parts: three electronic processing circuits, the 2003 voter and the window comparator circuit, as shown in Figure 2.


Figure 2: The SMT function implemented with the 2 -out-of- 3 voter

## B. The $2 o o 3$ voting logic design

The 2003 voting logic design comprises three AND logics and OR logics based on Equation 1. For detecting the error of 2 out of 3 detectors, the voter consists of six switches and the system shutdown, following the logic equations.

$$
\begin{equation*}
O U T=A B+B C+C A \tag{1}
\end{equation*}
$$

The likelihood of errors and failures increases as more components are used. Therefore, reducing the number of devices will result in decreased errors and failures. Therefore, in order to improve the reliability of the voting circuit, the criteria for voting should be simplified, as shown in Equation 2.

$$
\begin{equation*}
O U T=A B+C(A+B) \tag{2}
\end{equation*}
$$

In Equation 2, the voter consists of two AND logics and one OR logic, which is fewer logics than those in (1), so there are few components and simpler circuits. The voter can be designed, as shown in Figure 3.

The proposed voter consists of one diode and four
switches to carry out the logic operation function. In this design, the AND logic is achieved by cascade, and the OR logic is designed by connecting the two networks in parallel connected diodes. The logic is controlled by the states of the switches.


Figure 3: The 2003 voting logic design comprises two AND logics and one OR logic

The condition of 2003 for error detection of 2 out of 3 detectors is shown in Figure 4. The $S_{1}, S_{2}, S_{3}$ and $S_{4}$ are controlled by the electronic processing circuits $\mathrm{A}, \mathrm{B}$ and C . In the case of only the A or B or C process, the output signal is not generated. In the case of the AB or AC or BC process, the output signal is generated. These cases are as follows: $A B V_{D D}$ through $S_{1}$ and $S_{3}, A C V_{D D}$ through $S 1$ and $S 4$, and $B C V_{D D}$ through $S_{2}$ and $S_{4}$, respectively. The $V_{D D}$ can be delivered through all switches to OUT in the case that all input signals are correct and the voting result is accurate.


Figure 4: The condition of 2-out-of-3 voter to generate the output signal

## C. The window comparator circuit with digital switching

 levelsThe window comparator circuit with digital switching levels uses differential threshold voltages. The input value is in the range between the threshold levels; therefore, the output logic is " 1 ". If the input voltage is higher or lower than the range, the output logic is " 0 ". The proposed circuit consists of a Schmitt trigger inverter and the AND gate as shown in Figure 5.


Figure 5: The window comparator circuit with digital switching levels
If the input logic is " 0 " or " 1 ", it can make the output logic " 0 " only and cannot generate the signal logic " 1 " under such conditions. If the input logic " 1 " through the inverter is logic " 0 ", the AND gate will receive a signal that both legs are " 0 " and " 1 ", respectively, and the $\mathrm{V}_{\text {out }}$ is logic " 0 ". If the input logic " 0 " through the inverter is logic " 1 ", the AND gate receives a signal that both legs are logics " 1 " and " 0 ", respectively, and the $\mathrm{V}_{\text {out }}$ is logic " 0 ".


Figure 6: The voltage waveforms and window boundary
The CMOS Schmitt trigger inverter and TTL AND gate have different switch levels, and the circuit has a window boundary between both threshold voltages, The threshold
voltages in fact operate when CMOS is $0.5 \mathrm{~V}_{\mathrm{CC}}$ and TTL is 1.5 V . The window boundary can be defined by Equation 3 and the voltage waveforms are shown in Figure 6.

$$
\begin{equation*}
V_{T_{-} \text {тTL }}<V_{\text {in }}<V_{T_{-} \text {смоя }} \tag{3}
\end{equation*}
$$

In the application, the voltage level can be expanded by using the voltage divider, which has the voltage range as shown in Equation 4.

$$
\begin{equation*}
V_{T_{-} T T L}\left(\frac{R_{1}+R_{2}}{R_{2}}\right)<V_{\text {in }}<V_{T_{-} \text {CMOS }}\left(\frac{R_{1}+R_{2}}{R_{2}}\right) \tag{4}
\end{equation*}
$$

D. The 2-out-of-3 static voter with digital window comparator for safe motor temperature function of an adjustable speed electrical power drive system
From the above mentioned, we can design the 2-out-of-3 static voter with a digital window comparator circuit for a safe motor temperature function by dividing the design into three parts. The electronic processing uses the comparator to compare the voltage rating given to the voltage, which varies with the PTC resistance. The 2003 voter in the application uses an Opto-coupler switch to reduce the problem of mechanical switches and facilitate easy calculation of reliability values. Signal detection failure of the voter guessing by the window comparator circuit guessing that application, the resistance of the transistor represents the resistance $R_{1}$. By setting the 5 V supply voltage to the voltage level of the Schmitt trigger inverter input at 1.8 V , the resistance $\mathrm{R}_{1}$ is 150 ohms. The 2 -out-of- 3 static voter with digital window comparator for safe motor temperature function of adjustable speed electrical power drive system is shown in Figure 7.


Figure 7: The 2-out-of-3 static voter with digital window comparator for safe motor temperature function in an adjustable speed electrical power drive system.

## III. ReSUlts and Discussion

The performance analysis for IEC 61800-5-2 of the adjustable speed electrical power drive system was conducted with the simulation of the failure rate of electronic equipment, mean time to failure, failure mode and effects analysis (FMEA) and the experimental circuit.
This system consists of individual components, thus to attempt to derive the failure characteristics of the system from the characteristics of the components and the system structure, a model of computation and model verification are required. The models are based on inspection of the system and on assumptions about system behaviour.

For the difference of how the design compares to the original method regarding calculated failure rate value, this paper focuses on comparison of an older voter and the new 2003 voter. The finding of a failure rate of electronic equipment can use the Military Handbook "Reliability Prediction of Electronic Equipment" (MIL-HDBK-217F) [23], as shown in Table 1.

Table 1
The Failures of Electronic Equipment

| No | Notation | Components | Failure rate $\left(10^{-6} \mathrm{~h}\right)$ |
| :---: | :---: | :---: | :---: |
| 1 | $\lambda_{P}$ | Opto-coupler | 0.08160 |
| 2 | $\lambda_{D}$ | Diode | 0.01213056 |

The number and type of equipment affects the failure rate. The old 2003 voter used six opto-couplers, the new 2003 voter used four opto-couplers and one diode. The failure rate of the 2003 voter device can be calculated by the sum of the failure rate, as shown in Equation 5 and 6:

$$
\begin{align*}
& \lambda_{\text {old_2oo3 }}=0.4896 \times 10^{-6} \mathrm{hr}  \tag{5}\\
& \lambda_{\text {new_2oo3 }}=0.3385 \times 10^{-6} \mathrm{hr} \tag{6}
\end{align*}
$$

The overall failure rate, as shown in Equation 7 and 8, shows that the decrease in the number of devices results in a lower failure rate. The mean time to failure [24] is the approximation of reliability at a time or inverse of failure rate, as shown in Equation 7 and 8:

$$
\begin{align*}
& M T T F_{o l d \_2 o o 3}=2,042,483 \mathrm{hr}=233.16 y  \tag{7}\\
& \text { MTTF }_{n e w \_2 o o 3}=2,953,947 \mathrm{hr}=337.2 y \tag{8}
\end{align*}
$$

The MTTF is an inverse of the failure rate, so that when the failure rate is lower, the average time to failure will increase. The proposed method has a reliability value that is 1.446 times that of the original model.

Failure of semiconductor devices [25] in storage or dormant operations is a result of latent manufacturing defects that have not been detected during the semiconductor device screening tests. Failure is a result of manufacturing defects such as wire connections, contamination, contact material, loss of compression or slipping, resulting in an open circuit. Interpretation of failure data by the Reliability Analysis Center (RAC) includes the failure of the following failure modes: General purpose
diode short, $49 \%$, open $36 \%$, parameter change $15 \%$, Optoelectronic sensor short $50 \%$, and open $50 \%$.

The international standard IEC 60812 [18] (Analysis techniques for system reliability - Procedure for failure mode and effects analysis, or FMEA) is a systematic procedure for the analysis of a system to identify the potential failure modes, their causes, and their effects on system performance. Regarding the adjustable speed electrical power drive systems that the FMEA accepted by IEC 61800-5-2 [19], the simulation tests should be carried out to determine the worst case. The express fault models, fault exclusions and rationale in this paper are based on IEC 61800-5-2 Annex D (Fault lists and fault exclusions).

The IEC 61800-5-2 Annex D.12-Discrete semiconductors used two faults considered as an open-circuit of any connection and as a short-circuit between any two connections. The IEC 61800-5-2 Annex D.13-Optocouplers used three faults considered as an open-circuit of an individual connection, and as a short-circuit between any two input connections and a short-circuit between any two output connections. This test used a computer simulation program and the experimental circuit is as shown in Table 2 and 3.

As shown in Table 2, the results of the single failure test of the proposed circuit according to the aforementioned standard indicate that no fail-dangerous occurred. Table 3 provides the results of the double failure test, which show that no fail-dangerous occurred.

In Table 2 and 3, it can be seen that the output of the circuit must pass through a window comparator circuit, which will detect the voltage level in the range of 1.3-2.5 v. Failure in any voter, if it is a short circuit, indicates that the voltage at the input side of the windows comparator circuit is lower than 1.3 v . If the open circuit failure of the window comparator is higher than 2.5 v , then no serious consequences occurred. Any of the voter failures will not affect the output of the window comparator.


Figure 8: The experimental circuit


Figure 9: The signal measurements of the windows comparator circuit under normal conditions


Figure 10: The signal measurements of the windows comparator circuit under fail conditions

Table 2
FMEA of Single Failures in the 2003 Voter Circuit

| Devices | Failure mode | Effect of failure | Potential effects |
| :---: | :---: | :---: | :---: |
| Opto ${ }_{1}$ | Open-circuit | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between input connections | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between output connections | OUT $=\mathrm{B}+\mathrm{C}$ | $\Delta$ |
| $\mathrm{Opto}_{2}$ | Open-circuit | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between input connections | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between output connections | OUT $=\mathrm{C}+\mathrm{AB}+\mathrm{AC}$ | $\Delta$ |
| $\mathrm{Opto}_{3}$ | Open-circuit | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between input connections | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between output connections | OUT $=\mathrm{A}+\mathrm{AC}+\mathrm{BC}$ | $\Delta$ |
| $\mathrm{Opto}_{4}$ | Open-circuit | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between input connections | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit between output connections | OUT $=\mathrm{B}+\mathrm{A}$ | $\Delta$ |
| D | Open-circuit | The voter changed to 2002 | $\Delta$ |
|  | Short-circuit | OUT $=\mathrm{B}+\mathrm{AC}$ | $\Delta$ |
| Remark: $\Delta$ : no significant consequences $\boldsymbol{\Delta}$ : abnormal condition |  |  |  |

Table 3
FMEA of Double Failures in the 2003 Voter Circuit


A fail-safe window comparator was proposed as shown in Figure 5, and its design concept is based on an AND logic circuit dependent on the digital switching levels, which are determined by the values of resistances and input voltages of each AND input. When AND inputs are within the predefined voltage width, the output of the AND gate is
provided as the output of the fail-safe window comparator. This digital fail-safe window comparator can be applied to 2003 static voters in the safe motor temperature function, with testing of circuits by simulation in various failure modes as shown in Figure 8. Figure 9 shows the signal measurements of the input and output sides of the windows
comparator circuit under normal conditions. In Figure 10, signal measurements of the input and output sides of the windows comparator circuit under fail conditions can be seen.

## IV. CONCLUSION

This paper presents a new 2-out-of-3 static voter with a digital window comparator for an adjustable speed electrical power drive system suitable for use in safety-related applications described in this paper, which includes the safe motor temperature safety function. The new voter circuit has fewer components and is more reliable than the original voter. Furthermore, the reliability results of the proposed voter show that its MTTF is approximately 337 years, which is a reliability value 1.446 times that of the original model. Furthermore, the analysis of its performance with failure mode and effects analysis (FMEA), showed that in the single failure test of the proposed circuit according to the IEC 16800-5-2 standards, no fail-dangerous occurred. In the double failure tests, it was also seen that no fail-dangerous occurred. When the motor temperature is higher than the predetermined temperature and no parts of the electronic processing circuit malfunction, the output signals with the window comparator are provided to the filter and a DC signal is eventually output as the 2003 temperature detection results in a fail-safe manner.

## ACKNOWLEDGMENTS

The researchers would like to thank the Department of Electrical Engineering, Rajamangala University of Technology Lanna Lampang and the Department of Industrial Electrical Technology, Nakon Phanom University for their support of this work.

## References

[1] E. J. Wade and D. S. Davidson, "Application of Transistors to Safety Circuits," IRE Transactions on Nuclear Science, vol. 5, issue 2, pp. 44-46, Aug. 1958.
[2] H. D. Goldman and J. Rom, "Considering Solder Connections, Does Triplicated Majority Voting Apply to Integrated Circuits," IEEE Transactions on Computers, vol. C-17, pp. 990-992, Oct. 1968.
[3] M. Radu, D. Pitica and C. Posteuca, "Reliability and failure analysis of voting circuits in hardware redundant design," in Symposium on Electronic Materials and Packaging, 2000, pp. 421-423.
[4] M. Radu, D. Pitica, C. Posteuca, "Complex reliability evaluation of voters for fault tolerant designs," in International Symposium Quality Electronic Design, 2001, pp. 331-336.
[5] S. Almukhaizim and O. Sinanoglu, "A Hazard-Free Majority Voter for TMR-Based Fault Tolerance in Asynchronous Circuits," in 2nd International Design and Test Workshop, 2007, pp. 93-98.
[6] M. Hamamatsu, T. Tsuchiya and T. Kikuno, "On the Reliability of Cascaded TMR Systems," in IEEE 16th Pacific Rim International Symposium on Dependable Computing (PRDC), 2010, pp. 184-190.
[7] J. Lin, P. Tan, W. He, J. Chu and Z. Chen, "A safety-related digital input system based on the analysis of the architectural constraints," in IEEE International Conference on Service Operations, Logistics and Informatics, 2011, pp. 507-511.
[8] W. Xue, Y. Zhao, J. Xiao, and M. Zhang, "The research and application of fail-safe technologies in rail transit train operation control system," in 10th International Conference on Reliability, Maintainability and Safety (ICRMS), 2014, pp. 1100-1104.
[9] Z. Wang, C. Geng, X. Chen, D. Wang, H. Huang AND Y. Yang, "Design and analysis of two novel 2-out-of-3 voters," in International Conference on Information Science, Electronics and Electrical Engineering (ISEEE), 2014.
[10] K. Futsuhara, and M. Mukaidono, "A Realization of Fail-safe Sensor Using Electromagnetic Induction," in Conference on Precision Electromagnetic Measurements CPEM 88 Digest, 1988, pp. 99-100.
[11] K. Futsuhara, and M. Mukaidono, "Application of Window Comparator to Majority Operation," in The Nineteenth International Symposium on Multiple-Valued Logic, 1989, pp. 114-121.
[12] M. Sakai, M. Kato, K Futsuhara, and M. Mukaidono, "Application of Fail-safe Multiple-valued Logic to Control of Power Press," in International Symposium on Twenty-Second Multiple-Valued Logic, 1992, pp. 271-350.
[13] S. Deeon, Y. Hirao, and K. Futsuhara, "A Fail-safe Counter and its application to Low-speed Detection," Transaction of Reliability Engineering Association of Japan, vol.33, No.3, pp. 137-146, 2011.
[14] J. M. Fiore, Operational Amplifiers \& Linear Integrated Circuits: Theory and Application/3E, Version 3.0.1, 2016.
[15] V. A. Pedroni, "Low-voltage high-speed Schmitt trigger and compact window comparator," Electronics Letters, Volume: 41, Issue: 22, pp. 1213-1214.
[16] P. Sagar, and M. Panicker P. R., "A Novel High Speed Window Comparator Circuit," in International Conference on Circuit Power and Computing Technologies (ICCPCT), pp. 691-693.
[17] C. Summatta, and S. Deeon, "A Window Comparator Circuit with Digital Switching Level," in The 9th International Conference on Sciences, Technology and Innovation for Sustainable Well-Being (STISWB 2017), China, pp. 74-78.
[18] IEC 60812, Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA) Second edition 2006-01, 2006.
[19] IEC 61800-5-2, Adjustable speed electrical power drive system-Part5-2: Safety requirements-Functional, 2007.
[20] ISO 13849-2, Safety of machinery - Safety-related parts of control systems - Part 2: Validation, 2003.
[21] C. Summatta, W. Khamsen, A. Pilikeaw and S. Deeon, "Design and Analysis of 2-out-of-3 Voters Sensing in Electrical Power Drive System," in Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTICON 2016), Thailand, 2016.
[22] C. Summatta, W. Khamsen, A. Pilikeaw and S. Deeon, "Design and Simulation of Relay Drive Circuit for Safe Operation Order," in Conference on Mathematics, Engineering \& Industrial Applications 2016 (ICoMEIA 2016), Thailand. 2016.
[23] MIL-HDBK-2 17F, Military handbook reliability prediction of electronic equipment, U.S. Department of Defense, 1991.
[24] M. Krasich, "How to estimate and use MTTF/MTBF would the real MTBF please stand up?," in Reliability and Maintainability Symposium, Jan. 2009, pp. 353-359.
[25] J. C. Whitaker, The electronics handbook, 2nd ed., Taylor \& Francis Group, LLC, 2005, pp. 687-693.

