Many types of systems have been developed for monitoring computer hardware that can create an unsafe condition if a failure occurs. An example is a burner control system in a furnace that is operated under the direction of units generically referred to as flame safeguard systems. In these types of systems, it is essential that if a certain failure occurs, the fuel valve to a fuel burner will close. The failure of a flame safeguard control system to operate properly can lead to a situation in which a fuel valve is left open when no flame exists, and a fuel-burning chamber can be loaded with fuel. This fuel can then be accidentally ignited, causing an explosion. Before the introduction of microcomputers and microprocessors, the existing technology taught a flame safeguard system which utilized safety circuits that checked for proper operation at the beginning of each burner cycle. This is commonly known as a safe start check.
The conventional electromechanical and electronic types of control systems, including flame safeguard control systems, have been displaced by electronic control systems of the digital type that utilize microprocessors or microcomputers as the heart of the condition responsive control circuit means. One example which employs a microprocessor is U.S. Pat. No. 4,422,067 issued to Clark et al. The Clark et al. patent discloses a dynamic self-checking circuit which monitors the status of a dangerous condition, such as a burner in a furnace, and continually performs self-tests to detect any malfunctions in the microprocessor hardware. The circuit operates by having the microprocessor regularly output a sequence of logic bits which indicate the operational status of each component of the microprocessor. A decoder receives the sequence of logic bits and outputs a high signal only if all the bits in the sequence indicate the expected operational status of the microprocessor. Between each generation of a high signal, the microprocessor outputs a preset low signal. If the microprocessor is operating properly, an alternating signal is output from the decoder, and this signal keeps a switch to the fuel valve energized. If the microprocessor malfunctions, the signal will no longer alternate and the switch will de-energize.
A disadvantage of the Clark et al. system is that not all system errors will be detected. It is possible that a bit path in the decoder may malfunction so that it constantly outputs a particular signal regardless of the signal it receives from the microprocessor. If the signal output from the stuck bit path represents the desired operation of a particular function of the microprocessor, the actual failure of that microprocessor function will not be detected. This could create a hazardous situation.
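To make the masking failure concrete, the following is an added simulation of the self-checking scheme described above; it is not the circuit from the Clark et al. patent, and the four-component status word, the stuck-at fault model for a decoder bit path, and the four-sample alternation window are assumptions chosen for illustration.

```python
# Constructed model of a decoder-based dynamic self-check and its stuck-bit-path
# failure mode. Not the patented circuit; component count and fault model assumed.
from typing import Dict, List, Optional

OK = 1  # status bit value meaning "this microprocessor component passed its self-test"


def decoder(status_bits: List[int], stuck_paths: Optional[Dict[int, int]] = None) -> int:
    """Decoder output: high (1) only if every status bit it sees reads OK.

    stuck_paths models a faulty decoder bit path: {bit_index: stuck_value}.
    A stuck path replaces the real status bit with its stuck value.
    """
    stuck_paths = stuck_paths or {}
    seen = [stuck_paths.get(i, b) for i, b in enumerate(status_bits)]
    return 1 if all(b == OK for b in seen) else 0


def run_cycles(component_status: List[int], cycles: int,
               stuck_paths: Optional[Dict[int, int]] = None) -> List[int]:
    """Decoder output stream: one status-derived pulse, then the preset low, per cycle."""
    stream: List[int] = []
    for _ in range(cycles):
        stream.append(decoder(component_status, stuck_paths))
        stream.append(0)  # microprocessor emits a preset low between status pulses
    return stream


def valve_switch_energized(stream: List[int], window: int = 4) -> bool:
    """The valve switch stays energized only while the recent signal keeps alternating."""
    recent = stream[-window:]
    return all(recent[i] != recent[i + 1] for i in range(len(recent) - 1))


def masked_failures(component_status: List[int], stuck_paths: Dict[int, int]) -> List[int]:
    """Indices of failed components whose failure the decoder can no longer report."""
    return [i for i, b in enumerate(component_status)
            if b != OK and stuck_paths.get(i) == OK]


if __name__ == "__main__":
    healthy = [OK, OK, OK, OK]
    failed = [OK, OK, 0, OK]          # component 2 has failed its self-test
    stuck = {2: OK}                   # decoder path for bit 2 stuck at the OK value
    print(valve_switch_energized(run_cycles(healthy, 3)))         # True: alternating
    print(valve_switch_energized(run_cycles(failed, 3)))          # False: flat low
    print(valve_switch_energized(run_cycles(failed, 3, stuck)))   # True: failure masked
    print(masked_failures(failed, stuck))                         # [2]
```

The third case is the hazard the text describes: the decoder keeps alternating although component 2 has failed, so the fuel valve switch stays energized.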
Because of the inherent danger in technologies such as burner controls, it is important that the safety control systems be reliable. However, the system should not be overly complicated or expensive in achieving this goal.