The ultimate solution for amateurs who have a small garden is to position their antennas and transmitter elsewhere and operate them remotely. The UK Ofcom terms and conditions current in 2016 permit amateurs to operate radio transmitters via the internet provided that:-
- The amateurs are fully licensed;
- The communication links are adequately secure;
- Any communication links used to control the Radio Equipment are failsafe such that any failure will not result in unintended transmissions or any transmissions of a type not permitted by the Licence.
There are other risks associated with unattended operation that also have to be addressed by the remote system, which means any arrangement has to have an extremely low probability of a dangerous failure occurring during its lifetime.
A failsafe or fail-secure device is one that, in the event of a specific type of failure, responds in a way that causes no harm, or at least minimum harm, to other devices or personnel. Zero risk can never be achieved, but non-tolerable risks must be reduced ‘As Low As Reasonably Possible’ (ALARP). Fortunately, detailed guidance on the design procedures for safety related systems is given in IEC 61508 parts 1 to 7, with part 1 covering the general requirements.
The North Cheshire Radio Club has good facilities which are only accessible on Sunday evenings. The following study has therefore been carried out to demonstrate how to perform a detailed Safety Case using the remote operation of the Radio Club equipment as a concrete example. The study found that:-
- None of the transmitters or proprietary control equipment currently available on the market in 2015 have been designed in accordance with IEC 61508 for safety related equipment and hence are not inherently failsafe. However, it is relatively easy to build an overarching transmitter monitoring system with the required redundancy and reliability to enable the overall system to meet the Ofcom failsafe requirements. A basic specification for the Independent Transmitter Monitoring System has been included in the hazop document below.
- There were a considerable number of other safety issues identified. The manner in which they can be addressed has been described using the Radio Club equipment as a practical example.
The design process therefore begins with a description of the ‘Overall Scope’, followed by a ‘Hazard and Risk Analysis’, leading to the ‘Overall Safety Requirements’.
Formal hazard identification meetings were held at the Radio Club in order to draw up an exhaustive list of potential risks and pitfalls. These are presented in a Hazard Close Out Table which lists the Hazards, Causes & Contributory Factors, Consequences, Mitigation, and Close Out Statements.
The hazop document is presented in the form of a Safety Case Study which can be downloaded by clicking on the following link: hazop.pdf. This document also contains the basic specification for the Independent Transmitter Shut Down System.
A rough estimate has shown that it would cost in excess of £3500 to fully implement a remote installation and the accompanying safety work. This is beyond the present financial means of the Club. However, we have produced a draft design of the independent transmitter monitoring system, supported by calculation sheets showing the method of estimating the wrong side failure rates of the subsystems, as guidance for others. Details of the draft design are given in the following sections.
Basic Specification of the Independent Transmitter Monitor System
Its functions are:-
- To trip and turn off the power to the transmitter if it transmits continuously for more than 4 minutes.
- To trip and remove the power from the transmitter equipment and control system if the temperature of the cubicle walls reaches 40°C.
- To trip if the mains supply is interrupted.
- To require a manual reset if tripped.
It was judged that the ‘failure modes’ leading to ‘uncontrolled transmissions’ and to ‘over temperature’ were ‘critical’ and hence their likelihoods needed to be made ‘remote’. This meant that their wrong side failure rates should not be more than once in 10E5 years (i.e. 1,000,000,000 hours).
Note: The transmitter would normally have its ‘time-out time’ set to 3 minutes to avoid invoking this ‘transmitter monitor shut down system’. However, the transmitter relies on complex software and the time-out feature is not claimed to be failsafe. Hence the need for a shut-down system with sufficient in-built redundancy to achieve the very low wrong side failure rate required for the safety related function of ensuring the transmitter can be turned off remotely.
It is shown in section 17 of the hazop.pdf document that the reliability of the transmitter monitor shut down system could be achieved with a triple redundant design.
- The first subsystem is a power switch controlled via a mobile phone. The failure rate is dominated by the drop out rate of the mobile phone messaging system. It has been shown in section 17-B1 of the hazop.pdf document that the network can be prescribed to have a reliability of 0.99 (Note: ‘0’ means zero reliability and ‘1’ means perfect reliability).
- The second subsystem is a relay in a latching circuit which has a time out circuit reset via a contact on the transmitter power amplifier control relay. A manually operated push button is used to set the circuit. The arrangement is to be designed to have a wrong side failure rate of not more than 0.000 01 failures per hour.
- The third sub system is another relay in a latching circuit which has a time out circuit reset via another circuit which detects the absence of RF power in the feeder. A manually operated push button is used to set the circuit. The arrangement is to be designed to have a wrong side failure rate of not more than 0.000 01 failures per hour.
- Two thermostatic switches designed to trip at 40°C are to be used to monitor the temperature of the cabinet walls. They are to be wired in series and arranged to interrupt the mains supply and thus trip the two relays used in the time out circuits. It is shown in section 17-B2 of the hazop.pdf document that this configuration can achieve the required reliability.
Transmitter Monitor Unit Design Description
The basic block schematic is shown in Fig.1. It features two independent time out circuits (Timer-1 and Timer-2) which are reset when the transceiver returns to the receiving mode.
The TS-480HX transceiver can be switched between two antenna outputs. The voltages on the two co-axial feeders are therefore detected by two independent RF probe-type circuits of the form shown in Fig.2, and the counter is reset by the absence of RF on whichever antenna happens to be in use. Each probe is rated to detect RF power from 4 to 400 Watts into a nominal 50 Ω antenna impedance, over the frequency range 1 MHz to 30 MHz. The probe circuits use a capacitive divider to reduce the power loss in the resistors which limit the current in the diodes. A 3.68 MHz oscillator is provided to facilitate the testing of the probes and the Timer-2 circuit. Two relays are used to switch the probe circuit between the antenna input and the test signal. The relays are wired so that a failure to operate is detected either by the lack of a test signal during testing or by the loss of the transmitter output connection to the antenna. The probe circuits and the testing circuit are housed together in their own aluminium enclosure to help screen the RF from the rest of the monitor circuit.
Timer-1 is based on the CMOS CD4060 14-stage ripple counter. It is held in the reset condition, which forces all the outputs to zero, while the transmitter is in the receiving mode. It will time out by counting up to 16384 pulses (2^14), whereupon the chosen output goes high and de-energises the relay to stop the transmission. The frequency of the pulses is determined by two resistors and a capacitor in association with an oscillator circuit made up from two inverters within the chip.
Timer-2 is based on the CMOS CD4020 14-stage ripple counter, which is similar in function to the CD4060 chip but does not contain the inbuilt oscillator stage. The oscillator is therefore constructed using two inverter stages of a CD4069 hex inverter. The CD4020 is used instead of another CD4060 chip to avoid common mode failures in these key items. The oscillator components are chosen to give a time-out period of approximately 3.5 minutes so that it falls comfortably between the 3 minutes of the transmitter time-out setting and the 4 minutes chosen for the backstop. This avoids the need for select-on-test components.
The logic stage interfacing the probe signals to the second timer has been added to simplify the testing. In normal operation whichever of the two probe circuits is in use can control the timer. However, when in the testing mode both probe signals have to be present to allow the counter to time out. The test is invoked by switching 12V onto the test relays and the 3.68 MHz oscillator to activate the probe circuits. This also switches the logic circuit into the test mode via a transistor interface to the 9V timer board.
The timer outputs are interfaced to their respective relays by open-collector transistors. The relays are arranged to stay de-energised if their supplies are interrupted and to require a manual reset.
The overall estimated failure rate for Timer-1 is 1.24E-6 failures per hour, and for Timer-2 is 1.78E-6 failures per hour. This is well within the target figure of 10E-6 failures per hour for each timer, which leaves an allowance for solder joint failures that were not quantified in the analysis.
It is recommended that the monitor unit is tested before use, and every 1 to 2 months if in continuous operation. This involves switching on the test, resetting the relays and checking that they both trip between 3 and 4 minutes after being reset.
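The quoted failure rates only become an availability figure once they are combined with the proof-test interval, because a wrong-side failure in a timer is not revealed until the next test. The following worked calculation is an added example for this page, not the calculation sheets in monitor_design.pdf, which use their own method: it applies the simplified low-demand formulas from IEC 61508-6 (average probability of failure on demand λT/2 for one channel, λ1λ2T²/3 for two independent diverse channels that must both have failed before the backstop is lost, plus a beta-factor common-cause term). The 1.24E-6 and 1.78E-6 failures per hour are the page's figures and the 0.000 01 per hour subsystem limit is the one specified earlier; the two-month proof-test interval is the upper bound of the recommended test schedule; the beta factor and the demand rate are placeholders chosen for illustration.

```python
"""Availability estimate for the two-timer backstop from the failure rates quoted above.
Added worked example, not the calculation sheets in monitor_design.pdf: it uses the
simplified low-demand formulas of IEC 61508-6. Failure rates are the page's figures; the
proof-test interval is the two-month upper bound of the recommended testing schedule;
the beta factor and the demand rate are illustrative placeholders."""

HOURS_PER_MONTH = 730.0                 # 8760 h / 12
TIMER1_RATE = 1.24e-6                   # estimated wrong-side failures per hour (from the page)
TIMER2_RATE = 1.78e-6
SUBSYSTEM_TARGET = 1e-5                 # 0.000 01 failures per hour specified per latching subsystem
PROOF_TEST_HOURS = 2 * HOURS_PER_MONTH  # tested every 1 to 2 months; take the longer interval

def pfd_single_channel(rate, test_interval_h):
    """Average probability that a channel is already failed when a demand arrives: lambda*T/2.
    Valid while lambda*T is small, which it is here (about 1e-3)."""
    return rate * test_interval_h / 2.0

def pfd_two_diverse_channels(rate1, rate2, test_interval_h, beta=0.0):
    """Two channels that must both have failed before the backstop is lost (1oo2 to trip).
    Independent part: time average of (rate1*t)*(rate2*t) over the interval = rate1*rate2*T^2/3.
    Common-cause part (beta-factor model): a shared cause disables both channels at once;
    applied here to the worse channel's rate, which is the conservative choice."""
    independent = rate1 * rate2 * test_interval_h ** 2 / 3.0
    common_cause = beta * max(rate1, rate2) * test_interval_h / 2.0
    return independent + common_cause

def hazardous_event_rate(demand_rate_per_h, pfd):
    """Rate of uncontrolled transmissions: demands on the backstop (the rig's own 3-minute
    time-out failing) multiplied by the chance the backstop is unavailable at that moment."""
    return demand_rate_per_h * pfd

def timers_within_subsystem_target():
    """Both estimated timer rates must sit below the 0.000 01 per hour figure specified."""
    return TIMER1_RATE <= SUBSYSTEM_TARGET and TIMER2_RATE <= SUBSYSTEM_TARGET

def summary(beta=0.05, demand_rate_per_h=1e-3):
    """Collect the figures for the page's timers; beta and demand rate are placeholders."""
    pfd1 = pfd_single_channel(TIMER1_RATE, PROOF_TEST_HOURS)
    pfd2 = pfd_single_channel(TIMER2_RATE, PROOF_TEST_HOURS)
    independent = pfd_two_diverse_channels(TIMER1_RATE, TIMER2_RATE, PROOF_TEST_HOURS)
    with_ccf = pfd_two_diverse_channels(TIMER1_RATE, TIMER2_RATE, PROOF_TEST_HOURS, beta)
    return {
        "pfd_timer1": pfd1,
        "pfd_timer2": pfd2,
        "pfd_backstop_independent": independent,
        "pfd_backstop_with_common_cause": with_ccf,
        "common_cause_share": 1.0 - independent / with_ccf,
        "hazardous_events_per_hour": hazardous_event_rate(demand_rate_per_h, with_ccf),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:34s} {value:.3e}")
```

With the page's rates and a two-month test interval each timer is unavailable roughly 0.1% of the time, the independent two-timer term drops to about 1.6E-6, and even a modest 5% beta factor makes common-cause failure account for more than 95% of the remaining unavailability. That is the quantitative reason for the CD4020/CD4060 diversity and the separate enclosures: diverse parts and supplies are what keep beta small. The figure is from this simplified model and is not the section 17 result in hazop.pdf.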
Detailed Circuit Schematics & BOMs
The following documents can be downloaded by clicking on them:-
- Remote Transmitter Operation Safety Case – hazop.pdf
- Detailed Circuit Description and Failure Rate Analysis – monitor_design.pdf
- Transmitter Monitor Schematic – trx_monitor.pdf
- Transmitter Monitor Bill Of Materials – trx_monitor_BOM.pdf
- Probes & Test Circuit Schematic – probes.pdf
- Probes & Test Circuit Bill Of Materials – probes_BOM.pdf
- Timers Schematic – timers.pdf
- Timers Bill Of Materials – timers_BOM.pdf
A detailed design of the Independent Transmitter Monitor System has been produced in draft form and the failure rate estimates show that it would meet the target of not more than 1 Wrong Side Failure per 1,000,000,000 hours of operation. In theory there is no difference between theory and practice, but in practice there always is! Key parts of the design have been checked by simulation but the Radio Club intends to build a prototype to thoroughly check the design. The results and pictures of the assembly will be posted on the web site in due course.