Many types of control systems are used to operate apparatus which has the potential for causing harm or injury if various parameter levels are outside of predetermined ranges. A simple example is the automobile, whose engine will be severely damaged if the oil pressure is too low or the coolant temperature is too high. In this situation the system relies on the good judgment of the driver to stop the auto as soon as the warning light or gauge indicates the problem. In some systems it is also desirable simply to monitor the operation of various aspects of the system.
In many of these systems, however, human monitoring of the apparatus parameters may be unacceptable because the apparatus is intended to operate automatically, or because improper, that is to say human, monitoring may result in serious damage or injury. Neither is it desirable to rely on the control system to monitor every one of these parameter levels and shut down the system when needed, because this adds substantial complexity to the controller. Also, the control system can on occasion fail, for example because of power outages. Instead, in most systems these parameters are used to directly control interlock switches which open if the parameter level is outside of the predetermined range. In these systems, the interlock switches are typically arranged in a series circuit which passes the current for operating the apparatus (and parts of the control system as well in many cases) so that if any of the parameter levels are outside the range specified for it, the apparatus will not receive power and cannot operate. Examples of these series circuits of interlock switches are found in a number of different types of apparatus and their controls, including as one example burner systems and controls. In burner controls, the interlock switch series circuit is used to control power which operates the fuel valves. If any of the burner system parameters are outside the specified ranges, power is not available to the fuel valves, with the result that the burner cannot operate.
One problem which arises in these systems is determining the cause of a malfunction. If an interlock switch opens, power to the system is interrupted of course, but the problem can be in any of the parameters controlling the interlock switches or in other aspects of the system. For example, in burner systems flame failure does not control an interlock switch. In this particular situation, the control system itself interprets the flame sensor signal and shuts down the fuel valves when flame is detected as absent. When the shutdown is caused by an open interlock switch, by the time a repairer arrives to correct the problem, the original cause of the shutdown may no longer exist. As one example of this situation, a low fuel pressure parameter which opens an interlock switch may have been restored within a few seconds and thus will not be apparent to the repairer. Even when latching interlock switches are used, on occasion a second fault may occur after the first fault and before the diagnostic procedures can be started. It is then difficult to determine the cause of the original shutdown. Early annunciators for use with these switch strings simply showed current status of the switches, which was not always adequate for easy troubleshooting.
In order to simplify and improve troubleshooting of malfunctions in these systems, improved annunciators have been designed which record the status of each of the interlock switches in the interlock switch string at the time a fault is detected. Thus for example, U.S. Pat. No. 4,295,129 (Cade) describes a circuit connected to individual interlock switches and the main and pilot valve actuators, to detect abnormal conditions by sensing the status of the fuel valves and to record the identity of the first interlock switch or fuel valve to open at the time the abnormal condition was detected. U.S. Pat. No. 3,967,281 (Dageford) attempts to determine the earlier of two detected failures and record the identity of the switch which first opened. These will typically be related, but may happen in either order, and an indication of the earlier allows easier detection of the underlying problem.
Frequently, knowledge of the current status is helpful during troubleshooting. A problem with the present systems is that it is not possible during troubleshooting, without losing the first out status, to determine the current status of the switches without individually testing or inspecting them. While such individual testing or inspecting is possible, it is laborious when a large number of switches are involved. Furthermore, the current states of these switches may change during the troubleshooting, resulting in further troubleshooting problems.
It frequently is undesirable to build a high level first out fault detection directly into the controller for the system. There may be system configuration advantages in separating the switch status annunciator functions from the control functions. For example, the interlock switches may be physically located at some distance from the controlled system. Or the control system may have a deliberate modular design to accommodate users who may not need a high level of fault detection. In such systems, it is frequently convenient to use a simple serial communication path between the annunciator and the controller. Such a communication path is easy to install, and the transceivers which implement its use are cheap and allow reliable communication. Frequently, such a path will be shared by a number of modules, say other controllers, if a number of independent systems are involved, or a display module which may have yet a third physical location.
In such a system, fault detection, as opposed to switch status information, is still typically included in the controller, since this dramatically improves the reliability and speed of the controller in responding to fault conditions as they occur. However, the use of a shared serial communication path means that the annunciator for a particular interlock switch series circuit may not receive notification of a fault until some time after the fault has actually occurred. Since this time between fault detection and notification to the annunciator may be appreciable in certain instances, say on the order of hundreds of milliseconds, switch status may have changed and the first out information then provided by the annunciator will be incorrect. Inaccurate first out information has the potential to dramatically worsen the problem of fault diagnosis. Accordingly, there is a motivation to improve the accuracy of first out information provided in the situation described.
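The effect described above can be reproduced on a constructed timeline. This is an added example, not part of the original text or of any system it describes; the switch names, event times and function names are assumptions made for illustration.

```python
# Added illustration: constructed data, hypothetical switch names.
# Each event is (time_ms, switch, closed) and marks a change of state.
# All switches are closed (string energized) before the first event.
SWITCHES = ("low_fuel_pressure", "airflow", "high_limit")

EVENTS = [
    (1000, "low_fuel_pressure", False),  # opens: this breaks the string
    (1150, "airflow", False),            # consequential opening during shutdown
    (1220, "low_fuel_pressure", True),   # pressure recovers on its own
]


def open_switches(events, t_ms):
    """Switches that are open at time t_ms, as a status latch would record."""
    closed = {name: True for name in SWITCHES}
    for when, name, state in sorted(events):
        if when > t_ms:
            break
        closed[name] = state
    return sorted(name for name, is_closed in closed.items() if not is_closed)


def latched_status(events, fault_ms, latency_ms):
    """Status recorded by an annunciator notified latency_ms after the fault."""
    return open_switches(events, fault_ms + latency_ms)


def max_safe_latency(events, fault_ms):
    """Largest latency (ms) for which the latched status still equals the
    status at the instant of the fault: one ms short of the next transition."""
    later = [when for when, _, _ in events if when > fault_ms]
    return (min(later) - fault_ms - 1) if later else None


if __name__ == "__main__":
    fault = 1000
    for latency in (0, 100, 200, 300):
        print(latency, latched_status(EVENTS, fault, latency))
    print("max safe latency:", max_safe_latency(EVENTS, fault))
```

On this timeline the latched status stops matching the status at the fault after 149 ms, and with a 300 ms notification delay the switch that actually broke the string no longer appears open at all.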
There are also situations where switch status may be desired even though a fault has not occurred. For example, during startup or shutdown of an installation, switches in a series circuit may be scheduled to close or open at particular stages, and certain installations may find it useful to log this information even though no fault has been sensed.