The present invention relates to redundancy control, and more particularly to fault-tolerant redundancy control using majority voting logic.
In many cases where an apparatus required to have high reliability, such as an atomic power plant, is automatically controlled, the control system for the apparatus is made redundant. For example, in the case where an object to be controlled is controlled by a single control signal generated on the basis of the output signal of a single sensor, the signal processing system is formed in triplicate to produce three control signals, and a two-out-of-three majority logic operation (hereinafter referred to as a "2/3 logic operation") is then performed on these control signals to obtain the single control signal. Accordingly, even when a fault occurs in one of the three signal processing systems, normal control can be ensured provided that the remaining signal processing systems operate normally.
Such a majority logic control system can be formed by using relays or a semiconductor IC. Reference is made to "Electronics" Jan. 27, 1983 (McGRAW-HILL PUBLICATION).
In the case where the 2/3 logic control method is carried out, a fault in one of the three control systems causes no trouble. However, a problem arises when a further fault occurs in a second control system. That is, when the signals of two control systems are fixed by faults so as to energize (or de-energize) an object, the to-be-controlled object continues to be energized (or de-energized) even if the remaining control system, which is operating normally, indicates that the object is to be de-energized (or energized).
In the case where it is dangerous to continue energization of the to-be-controlled object, it is desired to stop the operation of the controlled object at the time of a fault so as to control the object to be on the safe side. Further, in the case where the to-be-controlled object is a safety device, it is desirable to ensure the safety by continuing the operation of the safety device when a fault occurs in a control system. Further, it is desirable to inform an operator of a fault position when a fault occurs, to make it possible to repair a faulty portion or replace parts.
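The 2/3 logic operation and the double-fault case described above can be checked exhaustively. The following is an added example, not part of the original text and not the invention's circuit; the stuck-at fault model and all function names are assumptions made for illustration.

```python
from itertools import combinations, product

def vote_2oo3(a, b, c):
    """Two-out-of-three majority: true when at least two inputs are true."""
    return (a and b) or (b and c) or (a and c)

def channel_outputs(demand, stuck):
    """Outputs of the three channels for a given demand.

    stuck maps a channel index (0..2) to the value its output is fixed at
    by a fault (assumed stuck-at model); other channels follow the demand.
    """
    return tuple(stuck.get(i, demand) for i in range(3))

def dissenters(outputs):
    """Indices of channels whose output differs from the voted result."""
    voted = vote_2oo3(*outputs)
    return [i for i, out in enumerate(outputs) if out != voted]

def wrong_outputs(n_faults):
    """Try every placement of n stuck-at faults and every demand; return
    the cases where the voted signal differs from the demand."""
    failures = []
    for chans in combinations(range(3), n_faults):
        for values in product([False, True], repeat=n_faults):
            stuck = dict(zip(chans, values))
            for demand in (False, True):
                outs = channel_outputs(demand, stuck)
                if vote_2oo3(*outs) != demand:
                    failures.append((stuck, demand, dissenters(outs)))
    return failures

if __name__ == "__main__":
    # One fault is always masked by the two healthy channels.
    print("single fault, wrong outputs:", len(wrong_outputs(1)))
    # Two channels stuck at the same value outvote the healthy channel.
    for stuck, demand, odd in wrong_outputs(2):
        print(f"stuck={stuck} demand={demand} dissenting channel={odd}")
```

In every double-fault failure the only dissenting channel is the healthy one, so a simple disagreement flag would point at the wrong channel once two faults have accumulated.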