The use of electronic control circuits is widespread in the prior art, and is becoming even more widespread as the cost and size of electronic components decrease and as the power of those components increases. Such circuits have been used to control devices as varied as microwave ovens, industrial robots, chemical processing facilities, industrial furnaces, medical life-support systems, and spacecraft, such as the Space Shuttle. As the responsibility entrusted to such circuits increases, so does the need that such circuits be fail-safe. For example, if the control circuit of a large industrial furnace used in an electric power plant fails to cut off the supply of fuel to the burner of that furnace after its flame has gone out, an explosion could result that would do millions of dollars worth of property damage and that could cost many lives. Thus it is important to design electronic control circuitry that is fail-safe, so that if it fails, it will do so in a manner that is safe.
A good example of a fail-safe control circuit in the prior art is disclosed in U.S. Pat. No. 3,958,126 issued to Jack Bryant and having the same assignee as the present application. This control circuit regulates the supply of fuel to a burner by means of solenoids that require electric power to keep their respective fuel valves open. Thus, if, for any reason, power is removed from such solenoids, the burner's fuel lines will be shut off, as safety requires. In the Bryant circuit, power is supplied to these solenoids through the normally open contacts of an electromechanical relay. This is much safer than supplying power to such solenoids through solid state relays, since it is more common for solid state relays to short circuit, which would keep fuel valves dangerously open, than it is for mechanical relays. The Bryant circuit further includes a relay actuating circuit, comprising a switching transistor, two capacitors, two diodes, and a resistor, associated with each of its fuel line control relays. Each relay actuating circuit supplies power to its associated relay only when that actuating circuit is supplied with a fail-safe signal having a certain minimum frequency. This fail-safe signal is generated only when the control circuit determines that it is safe to keep the fuel valves open. The requirement of a fail-safe signal that varies at a minimum frequency further increases the fail-safe nature of the Bryant circuit, since it is less likely for circuitry to fail in a manner that generates a continuously varying signal than it is for it to fail in a manner that produces either a high or a low signal level.
Although circuitry of the type disclosed in the Bryant patent provides significant fail-safe features, it nevertheless leaves room for improvement. For example, it is possible for some types of electronic components to fail in a manner which causes them to generate a signal that varies, either continuously or intermittently, above the minimum frequency necessary to operate a relay actuating circuit of the type shown in the Bryant patent. Thus such actuating circuits can be caused to misoperate in a dangerous fashion by a broad range of possible erroneous signals.
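The limitation described above can be seen in a small behavioural model, added here as an illustration and not taken from the Bryant patent or the present application. It assumes a hypothetical minimum frequency `F_MIN_HZ` and models the actuating circuit abstractly: each signal transition keeps the relay coil powered for one period of that frequency. The waveforms are constructed test inputs.

```python
# Added illustration; abstract model, not the Bryant circuit's component values.
F_MIN_HZ = 100.0         # assumed minimum fail-safe frequency (hypothetical)
HOLD_S = 1.0 / F_MIN_HZ  # assumed: one transition keeps the coil powered this long


def square_wave_edges(freq_hz, start_s, stop_s):
    """Transition times of a square wave that runs from start_s to stop_s."""
    half_period = 1.0 / (2.0 * freq_hz)
    count = int((stop_s - start_s) * 2.0 * freq_hz + 1e-9)
    return [start_s + i * half_period for i in range(count)]


def energized_fraction(edges, duration_s, hold_s=HOLD_S):
    """Fraction of [0, duration_s] during which the relay coil is powered."""
    powered, covered_until = 0.0, 0.0
    for t in sorted(edges):
        start = max(t, covered_until)          # do not count overlap twice
        end = min(t + hold_s, duration_s)      # clip to the observation window
        if end > start:
            powered += end - start
            covered_until = end
    return powered / duration_s


def run_cases(duration_s=1.0):
    """Constructed waveforms: one healthy signal and four fault classes."""
    cases = {
        "healthy_at_f_min": square_wave_edges(F_MIN_HZ, 0.0, duration_s),
        "stuck_level": [],  # output stuck high or low: no transitions at all
        "too_slow": square_wave_edges(F_MIN_HZ / 10, 0.0, duration_s),
        # Faults the minimum-frequency test alone cannot reject:
        "runaway_oscillation": square_wave_edges(F_MIN_HZ * 50, 0.0, duration_s),
        "intermittent_burst": square_wave_edges(F_MIN_HZ * 10, 0.2, 0.6),
    }
    return {name: energized_fraction(e, duration_s) for name, e in cases.items()}


if __name__ == "__main__":
    for name, frac in run_cases().items():
        print(f"{name:22s} coil powered {frac:.1%} of the time")
```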