System Manual
2018 Cervis, Inc.
23
Appendix C: MU-9X15 Safety Circuit
Figure 13. MU-9X15 MLC Safety Circuit Logic Diagram
Figure 13 illustrates a high-level view of the system’s safety architecture. This architecture is based around redundant enable signals that are generated by separate hardware circuits. The microprocessor generates an enable signal to K14 when all conditions are met and the user activates the start sequence. The watchdog circuit generates an independent enable signal to K15 as long as the microprocessor generates the proper signaling to the watchdog. Additionally, these two independent enable signals are ANDed together to enable an internal 12V bus that provides coil power to all relays*. The system is not capable of any relay closures until both watchdog and microprocessor enables are asserted. The loss of either signal immediately causes the MLC path to open and all output relays to de-energize.

If there is a software fault in the microprocessor, the watchdog will not assert its enable output, which will cause K15 to open. Additionally, this will disable the internal 12V bus, resulting in all relay outputs returning to their non-active state regardless of what the microprocessor is commanding.

If there is a fault in the watchdog circuit that causes its output to never assert, the unit will be safe, as the MLC path cannot close because K15 will be open and the internal 12V bus will be disabled. If the fault causes the watchdog circuit to never de-assert (perhaps the contacts on K15 weld closed), the system is still safe because the microprocessor has independent control of K14 that can break the MLC path and the internal 12V bus.

This architecture has been devised such that any one fault will not cause loss of control of the MLC path.
*Except the K13 H/L relay because it is necessary to operate the H/L when the MLC is open.
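As an added illustration (not part of this manual and not Cervis code), the following Python model encodes the enable logic described above and checks the single-fault cases the appendix walks through: a microprocessor software fault, a watchdog that never asserts, and a watchdog that never de-asserts (K15 welded). The relay names K13, K14 and K15 and the AND of the two enables into the 12V coil bus come from the text; the fault categories, the output relay names `K1`/`K2`, and all function and field names are assumptions made for the example.

```python
"""Constructed model of the redundant-enable safety architecture in Appendix C.

Two independent enables (microprocessor -> K14, watchdog -> K15) are in series on
the MLC path and are ANDed to power the internal 12V relay coil bus. The K13 H/L
relay is the one output whose coil power is not gated by that bus (see footnote).
Fault categories and names are illustrative assumptions, not the product's design.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

HL_RELAY = "K13"  # H/L relay: must operate while the MLC path is open


@dataclass
class Faults:
    # Microprocessor stops producing the proper signaling to the watchdog.
    mcu_software_fault: bool = False
    # None, "deasserted" (watchdog output never asserts) or
    # "asserted" (watchdog output never de-asserts, e.g. K15 contacts welded).
    watchdog_stuck: Optional[str] = None


@dataclass
class State:
    k14_closed: bool
    k15_closed: bool
    mlc_closed: bool
    bus_12v: bool
    energized: Dict[str, bool] = field(default_factory=dict)


def evaluate(mcu_enable: bool, commanded: Dict[str, bool],
             faults: Optional[Faults] = None) -> State:
    """Resolve relay and bus state from the two enables plus an injected fault."""
    faults = faults or Faults()

    # Watchdog enable is generated by separate hardware and only stays asserted
    # while the microprocessor keeps signaling it correctly.
    watchdog_enable = not faults.mcu_software_fault
    if faults.watchdog_stuck == "deasserted":
        watchdog_enable = False
    elif faults.watchdog_stuck == "asserted":
        watchdog_enable = True

    k14_closed = mcu_enable            # microprocessor has independent control of K14
    k15_closed = watchdog_enable       # watchdog has independent control of K15
    mlc_closed = k14_closed and k15_closed

    # Both enables are ANDed to supply coil power to the internal 12V bus.
    bus_12v = mcu_enable and watchdog_enable

    # An output relay can only energize if it is commanded AND its coil has power.
    energized = {}
    for relay, cmd in commanded.items():
        powered = bus_12v or relay == HL_RELAY
        energized[relay] = bool(cmd and powered)
    return State(k14_closed, k15_closed, mlc_closed, bus_12v, energized)


def mlc_path_safe(state: State) -> bool:
    """Safe state: MLC path open, 12V bus off, every non-H/L output de-energized."""
    outputs_off = all(not on for relay, on in state.energized.items()
                      if relay != HL_RELAY)
    return (not state.mlc_closed) and (not state.bus_12v) and outputs_off


def single_fault_sweep() -> Dict[str, bool]:
    """Run each single fault from the appendix with outputs still being commanded."""
    # (microprocessor enable, injected fault) for each scenario in the text
    scenarios = {
        "mcu_software_fault": (True, Faults(mcu_software_fault=True)),
        "watchdog_never_asserts": (True, Faults(watchdog_stuck="deasserted")),
        "watchdog_never_deasserts": (False, Faults(watchdog_stuck="asserted")),
    }
    commanded = {"K1": True, "K2": True, HL_RELAY: True}  # constructed command set
    return {name: mlc_path_safe(evaluate(mcu_enable, commanded, faults))
            for name, (mcu_enable, faults) in scenarios.items()}


if __name__ == "__main__":
    for name, safe in single_fault_sweep().items():
        print(f"{name:26s} safe={safe}")
```

In the third scenario the watchdog enable is stuck asserted, so K15 stays closed, but the microprocessor de-asserting its own enable opens K14 and removes one input of the AND, which is exactly the independent path the text relies on; in the first two, K15 opens and the bus drops regardless of what the microprocessor commands, while K13 still follows its command because its coil is not fed from the bus.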