Remote Transmitter Operation

Ofcom Conditions

The ultimate solution for amateurs who have a small garden is to position their antennas and transmitter elsewhere and operate them remotely. The UK Ofcom terms and conditions current in 2016 permit amateurs to operation radio transmitters via the internet provided that:-

There are other risks associated with unattended operation that also have to be addressed by the remote system, which means any arrangement has to have an extremely low probability of a dangerous failure occurring during its lifetime.

Compliance

A failsafe or fail-secure device is one that, in the event of a specific type of failure, responds in a way that causes no harm, or at least minimum harm to other devices or personal. Zero risks can never be achieved, but non-tolerable risks must be reduced 'As Low As Reasonably Possible' (ALARP). Fortunately detailed guidance on the design procedures for safety related systems is given in IEC 61508 parts 1 to 7, with part 1 covering the general requirements.

The North Cheshire Radio Club has good facilities which are only accessible on Sunday evenings. The following study has therefore been carried out to demonstrate how to perform a detailed Safety Case using the remote operation of the Radio Club equipment as a concrete example. The study found that:-

The design process therefore begins with a description of the 'Overall Scope', followed by a 'Hazard and Risk Analysis', leading to the 'Overall Safety Requirements'.

Formal hazard identification meetings were held at the Radio Club in order to draw up an exhaustive list of potential risks and pitfalls. These are presented in a Hazard Close Out Table which lists the Hazards, Causes & Contributory Factors, Consequences, Mitigation, and Close Out Statements.

The hazop document is presented in the form of a Safety Case Study which can be down loaded by clicking on the following link hazop.pdf . This document also contains the basic specification for the Independent Transmitter Shut Down System.

Summary

A rough estimate has shown that it would cost in excess of £3500 to fully implement a remote installation and the accompanying safety work. This is beyond the present financial means of the Club. However we have produced a draft design of the independent transmitter monitoring system, supported by calculation sheets showing the method of estimating the wrong side failure rates of the subsystems as a guidance for others. Details of the draft design are given in the following sections.

-- Return to Main Index. --

Basic Specification of the Independent Transmitter Monitor System

Its functions are:-

It was judged that the 'failure modes' leading to 'uncontrolled transmissions' and to 'over temperature' were 'critical' and hence their likelihoods needed to be made 'remote'. This meant that their wrong side failure rates should not be more than once in 10E5 years (i.e. 1000 000 000 hours).

Note: The transmitter would normally have its 'time-out time' set to 3 minutes to avoid invoking this 'transmitter monitor shut down system'. However the transmitter relies on complex software and the time out feature is not claimed to be failsafe. Hence the need for a shut-down system with sufficient in-built redundancy to achieve the very low wrong side failure rate required for the safety related function of ensuring the transmitter can be turned off remotely.

It is shown in section 17 of the hazop.pdf document that the reliability of the transmitter monitor shut down system could be achieved with a triple redundant design.

Transmitter Monitor Unit Design Description

The basic block schematic is shown in Fig.1. It features two independent time out circuits (Timer-1 and Timer-2) which are reset when the transceiver returns to the receiving mode.

Basic Block Schematic
Fig.1 Independent Transmitter Monitoring System - Basic Block Schematic

The TS-480HX transceiver can be switched between two antenna outputs. The voltages on the two co-axial feeders are therefore detected by two independent RF probe type circuits of the form shown in Fig.2, and the counter is reset by the absence of RF on which ever antenna happens to be in use. Each probe is rated to detect RF power from 4 to 400 Watts into a nominal 50 Ω antenna impedance, over the frequency range 1MHz to 30MHz. The probe circuits use a capacitive divider to reduce the power loss in the resistors which limit the current in the diodes. A 3.68MHz oscillator is provided to facilitate the testing of the probes and the Timer-2 circuit. Two relays are used to switch the probe circuit between the antenna input and the test signal. The relays are wired so that a failure to operate is either detected by the lack of a test signal during testing, or by the loss of the transmitter output connection to the antenna. The probe circuits and the testing circuit are housed together in their own aluminium enclosure to help screen the RF from the rest of the monitor circuit.

Probe Circuit
Fig.2 RF Probe Circuit

Timer-1 is based on the cmos CD4060 14-stage ripple counter. It is held in the reset condition which forces all the outputs to be zero when the transmitter is in the receiving mode. It will time-out by counting up to 16384 pulses (214) whereupon the chosen output goes high and de-energises the relay to stop the transmission. The frequency of the pulses are determined by two resistors and a capacitor in associating with an oscillator circuit made up from two inverters within the chip.

Timer-2 is based on the cmos CD4020 14-stage ripple counter which is similar in function to the CD4060 chip but does not contain the inbuilt oscillator stage. The oscillator is therefore constructed using two inverter stages of a CD4069 Hex inverter. The CD4020 is used instead of another CD4060 chip to avoid common mode failures in these key items. The oscillator components are chosen to give a time out period of approximately 3.5 minutes so that they fall comfortably between the 3 minutes of the transmitter time-out setting and the 4 minutes chosen for the backstop. This avoids the need for select-on-test components.

The Logic stage interfacing the probe signals to the second timer has been added to simplify the testing. In normal operation whichever of the two probe circuits that is in use can control the timer. However when in the testing mode both probe signals have to be present to allow the counter to time out. The test is invoked by switching 12V onto the test relays and the 3.68MHz oscillator to activate the probe circuits. This also switches the logic circuit into the test mode via a transistor interface to the 9V timer board.

The timer outputs are interfaced to their respective relays by 'open' collector transistors. The relays are arranged to stay de-energised if their supplies are interrupted and to require a manual reset.

Failure Rates

The overall estimated failure rate for Timer-1 is 1.24E-6 failures per hour, and for Timer-2 is 1.78E-6 failures per hour. This is well within the target figure of 10E-6 failures per hour for each timer. This leaves an allowance for soldering joint failures that were not quantified in the analysis.

Test Procedure

It is recommended that the monitor unit is tested before use, and every 1 to 2 months if in continual operation. This involves switching on the test, resetting the relays and checking that they both trip between 3 to 4 minutes after being reset.

Detailed Circuit Schematics & BOMs

The following documents can be downloaded by clicking on them:-

Conclusions

A detailed design of the Independent Transmitter Monitor System has been produced in draft form and the failure rate estimates show that it would meet the target of not more than 1 Wrong Side Failure per 1000,000,000 hours of operation. In theory there is no difference between theory and practice, but in practice there always is! Key parts of the design have been checked by simulation but the Radio Club intends to build a prototype to thoroughly check the design. The results and pictures of the assembly will be posted on the web site in due course.

-- Return to Main Index. --