This invention relates generally to fault-tolerant circuits and, more particularly, to output circuits associated with fault-tolerant computers and industrial controllers. The concept of using multiple computational devices to maintain the integrity of a computer-controlled process has been known for some years. The computational devices perform each function separately and the results are compared to determine the "correct" one. A commonly employed configuration has three computational devices whose results are compared in a voting circuit, such that the best two of the three results are taken to be correct. When one of the three computational devices generates erroneous results, it is usually replaced promptly, to avoid the possibility of having two malfunctioning computational devices in operation at the same time. This voting concept may be applied to practically all operations performed by the computational devices, including accessing data storage locations and performing arithmetic or logical computations.
A different, but related, problem is the design of output circuits to have a similar type of multiple redundancy. There are two basic types of output from computational devices used as industrial controllers. One type of output consists of "on" and "off" signals and is usually referred to as digital or binary. The second type of output is in the form of an analog signal, which might be used to control, for example, the position of a valve. The valve, in turn, can control a fluid flow rate, a pressure level, or some other physical parameter. Digital output signals are used in control processes to turn direct-current (dc) motors on and off, to open and close solenoid-actuated valves, and to perform various other functions.
In the design of fault-tolerant controllers, there is a distinction between digital outputs used to control direct-current circuits, and digital outputs used to control alternating-current (ac) circuits. The design of output circuits for ac control presents a number of problems not present in the control of dc circuits.
The primary design constraint for fail-safe operation of a digital output circuit is that it should not fail to an ON state when the desired switching function is OFF. This may be achieved by connecting two redundant switches in series in an electrical circuit, and controlling the two switches with independently generated redundant control signals. If one of the switches fails to respond to an OFF signal, the circuit will still be opened by the other switch. Such a circuit is tested by opening one switch while the other is closed, and checking for the open circuit that should have resulted from the open switch. Then the other switch is opened while the first is closed, again checking for an open circuit. This kind of testing procedure is more difficult with ac switches because, typically, the solid-state devices used cannot be turned off at random. Also, the phase relationship between load voltage and load current varies with the type of load being driven, causing difficulty with test timing and measurement of the switch state.
An alternative approach to obtaining fail-safe operation of ac output circuits is to use only a single output switch, but in conjunction with a "crowbar" switch and a fuse in the ac circuit. The fuse and the single output switch are connected in series with a load being controlled. The crowbar switch is connected across the ac power lines, essentially in parallel with the load. When the output switch fails to open on command, the crowbar switch is closed, shorting out the power line and blowing the fuse to effect a disconnection of the load. Circuits of this general type have the advantage of using only one power-dissipating switch, and have been in use for some time, as exemplified by the protected ac output module for the General Electric Company Series Six programmable controllers.
One difficulty with ac output circuits employing a crowbar switch arrangement is that there is no non-destructive way to test the turn-on operation of the crowbar switch. Any turn-on test of the switch will blow the fuse and necessitate operator intervention. Ideally, there should be some way of testing the crowbar switch without blowing the fuse. The present invention achieves this goal, and provides other advantages in the operation of a fail-safe and fault-tolerant ac output circuit, as will be apparent from the following summary.