My point is that if you have two transistors and want to prevent misoperation due to one of them failing, control both of them actively, don't use any of them as always-on pieces of wire. You can build a cascode string as long as you like, but if the only actively-switched FET fails short-circuit for any reason, the cascode chain won't prevent the load from being turned on.

Return to the original circuit and fix the risk of excessive gate-source voltage by addressing that directly. With an inductive load like a solenoid, there is generally no compelling reason for ultra-fast switching transitions, so adding some resistance in the gate circuit to allow clamping the voltages without excessive current shouldn't be a difficult problem. In any case, once you have put a freewheeling diode across the load, you have fixed the overvoltage problem unless the diode goes open circuit (the FETs avalanche capability will handle any transient overvoltage due to inductance in the connections or forward recovery time of the freewheeling diode, and a second diode in parallel could be used for redundancy. In the TS's circuit such a freewheeling diode isn't used, but I have no idea if that is because he requires fast discharge of the inductance. A freewheeling diode will greatly increase the time for discharge of the inductance, relative any method allowing a higher voltage across the inductor.

 

That is two inputs and one output AND gate, the two npn bjts AND gate.

I know what an and gate is, and still don't see that in the original post/schematic. If both mosfets went to ground I'd say yes but they feed from M1 into M2. So if either one of them was failed open the relay wouldn't work. And that takes away the redundancy. Or I'm just plain stupid.

 

With lots of things it is much more important to be sure something is off when it is supposed than to be sure it can be turned on when it should be - e.g. motor on a table saw definitely needs to be off when you are changing the blade. I'm interpreting the TS's post in that way - OFF is more important than ON, hence two FETs in series so if either one fails short-circuit the other will still be able to turn the load off. That is why I maintain that both FETs must be actively switched, otherwise the circuit isn't redundant, just different.

One drawback to something that is redundant in this fashion is that a single failure can go completely undetected in normal operation so monitoring or regular inspection and test is required.

 

I know what an and gate is, and still don't see that in the original post/schematic. If both mosfets went to ground I'd say yes but they feed from M1 into M2. So if either one of them was failed open the relay wouldn't work. And that takes away the redundancy. Or I'm just plain stupid.

You only can treat it as the logical conception and not the real AND gate, that is only two MOSFETs are on(1), so the load will be on(1), and that is how the AND gate functional, the theory is the same as you use two switches to replace two MOSFETs.

 

See

 

25 posts and we still haven't had a response from the TS.

 

ebp, ScottWang, When I see the word redundant I automatically think, "if one fails there is another to do the job". That is what I've based my replies on. Like the old propeller airplane engines having to have 2 spark systems. That in a system it is more important that it never fails to turn on, not to make sure it doesn't turn off for maintenance. That is what "lock out" is for. Guess it's from my coming from a mechanical not electronic back round.

• Engineering
  (of a component) not strictly necessary to functioning but included in case of failure in another component.

 

"if one fails there is another to do the job"

That is OR gate conception, when anyone is high(1) then the output is high(1), so if anyone cutoff or floating, if the rest one still could work as high(1) then the output still is high(1).

If the TS want that function then he should be change to in parallel with two MOSFETs.

 

That is OR gate conception, when anyone is high(1) then the output is high(1), so if anyone cutoff or floating, if the rest one still could work as high(1) then the output still is high(1).

If the TS want that function then he should be change to in parallel with two MOSFETs.

Which is what I said in my first post.

 

"Fault tolerant" is perhaps a somewhat better general purpose term. In general, I think "redundant" is used to refer to the"OR" case far more often than the "AND" case.

 

There are plethora of MOSFETs in the markets capable for 30V gate-source and some even for 40V. Just simplest thing in life is to "take the bigger hammer"

 

While I'm no expert, that doesn't make sense to me. Wouldn't it be better, as far as redundancy goes, to put the mosfets in parallel? In series if one fails the other is just there, it can turn on but it can't conduct. Or am I missing something?

The actual circuit is a lot more complicated. This application has redundant control lanes which constantly check each other for proper control. This control is critical for safety and we wanted either lane to have the ability to turn it off (i.e. an OR function).

 

Everyone, thanks a lot for these responses. Sorry I haven't had a chance to check this post till now.

I should have made it clear that I'm not concerned with the failure modes of the mosfets. In my application there's a fairly complex control system and we are worried about failures in that system causing an erroneous output command, so we have multiple systems that check each other to make sure they're in agreement on what the I/O are doing. In this application we wanted either of two systems to be able to turn off this interface.

From what I've gleaned from all the responses, it seems like people agree that the top side mosfet can be damaged when they're both commanded off due to leakage. Does anyone not agree with this?

I'm aware of a number of way to fix this problem, however I was asking the question because we've already built a lot of these units and we haven't had any problems yet, and modifying existing HW is expensive so I just wanted to make sure this was definitely a problem and there was no reason this would actually be OK as is for some reason.

 

The actual circuit is a lot more complicated. This application has redundant control lanes which constantly check each other for proper control. This control is critical for safety and we wanted either lane to have the ability to turn it off (i.e. an OR function).

Then that begs the question, why have more than one mosfet? By having an "or" before the mosfets gate you eliminate one mosfet and possible damage to it.

 

The actual circuit is a lot more complicated. This application has redundant control lanes which constantly check each other for proper control. This control is critical for safety and we wanted either lane to have the ability to turn it off (i.e. an OR function).

Does your product have any kind of SIL or similar certification?

 

Then that begs the question, why have more than one mosfet? By having an "or" before the mosfets gate you eliminate one mosfet and possible damage to it.

Thanks for your input, however I really don't want to discuss the system design, that's not what the post is about.

To answer your question, we don't want a single part failure to turn on the interface. You're probably thinking the tranzorb in my picture could do that, but that's not how it's implemented in the real system, I just drew it that way. In the real system it's tied to 28V not ground. Again I really don't want to discuss that

 

The main question I had was concerning how a mosfet may be damaged by a floating source when in this arrangement. This product is for a high-reliability system and has to go through a lot of qualification testing etc.. I'm really just concerned to know if anyone has any reason they think the floating source can't break the high-side mosfet.

 

what happens when you hold the fets off and apply negative surge pulse on the output? I would imagine that could cause the fet to exceed Vgsmax.

 

A floating source (in your original circuit) will lead with a 50% probability to the breakdown of the gate oxide of the upper transistor. This is determined by the ratio of the leakage current of the transistors. If the leakage of the upper transistor is greater than that of the lower one, then a breakdown will occur. Use my last schema. In it the short-circuit of any one transistor will not break the functioning and the gate-type dialectric will be protected by a zener diode.
As I understand it, you did not understand what was written here for so long.

 

Thanks for the info. That's what I thought you were saying. I'm not sure I understand how leakage current varies with Vds if at all. If the lower transistor has lower leakage than the upper transistor, will it start to increase as the voltage between the two starts to float up? will the upper transistor leakage reduce as it's Vds gets smaller?

I understand the theory of what you're saying, it's just that we've built a bunch of these and haven't seen that failure yet, so I just want to make sure as much as possible that this failure can actually happen.