There are many types of operating systems that control loads of a critical nature. During an operating sequence for a system, certain loads may be energized while other loads may be deenergized. Any unintentional change in the state of a critical load due to momentary power changes within the system may be very undesirable, both from the point of view of overall physical safety and because economic damage may occur. It is desirable for the associated control system to respond as quickly as possible to any momentary change in energization, so that it can react in time to avoid both physical damage, which may be injurious to people or equipment, and economic damage through losses of equipment or product.
In recent years it has become common to provide control systems with microcomputers as the primary control or "brain" for the system. As microcomputers become more and more powerful, they are capable of monitoring and doing more work at a financially justifiable cost. As such, microcomputers take on very sophisticated control and safety functions. As microcomputers are required to do more and more work, the time that it takes them to process a signal increases. This increase in processing time may reach a point where the overall control system may be unable to respond to momentary changes in power within the system in a safe way, at least as far as certain critical loads are concerned.
An example of a system that has critical loads and microcomputer control is a fuel burner or flame safeguard control system. One type of critical load in this type of system is the fuel valve that supplies fuel to a burner. If the fuel valve is being controlled by a microcomputer-controlled system that has a delay to process control data, a delay of a few hundreds of milliseconds can occur. This is a sufficiently long period of time for improper energization of a fuel valve. More specifically, if a fuel burner is in operation and momentarily has a power loss due to a line power loss, a momentary limit switch action, a poor solder connection, or any other cause, the fuel valve will start to close. If the fuel valve is then re-energized, fuel again starts flowing into the fuel burner, but the flame may have started to go out. A larger than normal amount of unburnt fuel accumulates. When it does reignite due to contact with a flame or a hot refractory, a "puff-back" or explosion occurs as this excess fuel burns. The severity of this explosion can be minor, but it can cause damage and is certainly a hazard to the equipment, as well as to any personnel in the vicinity of the equipment. If the control system is properly designed, the system will note that the fuel valve has cycled and will take appropriate action, but the damage due to the momentary cycling of the fuel valve will have already taken place by this time.
It is thus apparent that unsafe conditions can exist where a momentary operation of a critical load is caused by any of a number of different kinds of events and the control system is too slow to respond in a safe manner. In the example given above, a safe control function would be to keep the fuel valve deenergized once it is momentarily deenergized. This would prevent any further fuel from entering a hot combustion chamber. This might mean a shutdown of the system, but at least it would be a safe shutdown of the system.
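The timing argument above can be made concrete with a small simulation, added here as an illustration and not taken from the original text. It assumes a constructed 1 ms resolution supply trace and a 300 ms processing delay (the text says only "a few hundreds of milliseconds"); `make_trace` and `reenergized_ms` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

#define TRACE_MS 1000       /* constructed trace length, 1 ms per sample */
#define PROC_DELAY_MS 300   /* assumed microcomputer processing delay */

/* Build a constructed supply trace: 1 = powered, with one dropout of
   len_ms starting at drop_ms. */
void make_trace(int *power, size_t n, size_t drop_ms, size_t len_ms) {
    for (size_t t = 0; t < n; t++)
        power[t] = !(t >= drop_ms && t < drop_ms + len_ms);
}

/* The valve follows the supply until the control reacts to the first
   deenergization, response_ms after it happens; from then on the valve is
   held deenergized (safe shutdown). Returns the number of ms the valve
   was energized again after that first deenergization. */
int reenergized_ms(const int *power, size_t n, size_t response_ms) {
    int dropped = 0, lockout = 0, exposure = 0;
    size_t drop_at = 0;
    for (size_t t = 0; t < n; t++) {
        if (!power[t] && !dropped) { dropped = 1; drop_at = t; }
        if (dropped && t >= drop_at + response_ms) lockout = 1;
        if (dropped && power[t] && !lockout) exposure++;
    }
    return exposure;
}

int main(void) {
    int power[TRACE_MS];
    make_trace(power, TRACE_MS, 200, 50);   /* 50 ms dropout at t = 200 ms */
    printf("slow control: valve re-energized for %d ms\n",
           reenergized_ms(power, TRACE_MS, PROC_DELAY_MS));
    printf("immediate latch: valve re-energized for %d ms\n",
           reenergized_ms(power, TRACE_MS, 0));
    return 0;
}
```

A dropout shorter than the response delay is the dangerous case: the valve is fed again for the remainder of the delay, while a response of 0 ms keeps it deenergized throughout.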