This invention relates generally to electrical circuit components and, more specifically, to components that fail under fail-safe conditions.
As generally understood in the art, a vital component of a system is one that is configured to fail only under fail-safe conditions. For example, a vital relay in a control system operates under the closed circuit principle and thus is normally held energized with its front contacts closed. When the vital relay fails, the front contacts open. Failure, then, of a circuit that drives a vital relay de-energizes the relay, leaving the relay front contacts open. Logic elements such as “AND” gates often are required to be vital. Any failure of a vital “AND” gate must not result in a permissive, e.g. “on”, output by the gate.
Although a system such as a vital relay driver circuit may contain non-vital elements, higher-level vital components within the system serve to render failure modes of the non-vital elements irrelevant to fail-safe operation of the total system. When input signals to a vital “AND” gate are independently vital, the gate performs a classic “AND” function in a fail-safe manner. However, when input signals to a vital “AND” gate are not independently vital, it must be confirmed that the signals are appropriate for vital “AND” gate input. Thus signals that are fail-safe from an “on/off” standpoint but not with respect to frequency stability must be confirmed to have frequencies and duty cycles appropriate for vital “AND” gate input.
A vital “AND” gate may also operate in a fail-safe manner using independently generated non-vital signals as inputs, where it is assumed that simultaneous failures will not occur in the independent processes that generate the input signals. Such signals also must be confirmed to have frequencies and duty cycles appropriate for vital “AND” gate input. It is known to filter such signals using vital filters tuned to expected input signal frequencies. Physical filters are often used for this purpose. Where a larger system including the vital “AND” gate also includes computer or processor subsystems, it would be desirable to make use of such available digital resources in place of physical filters.
In one embodiment, a method for generating signals for input to a vital “AND” gate includes generating a plurality of independent signals for input to the “AND” gate and checking that each of the signals has a frequency and duty cycle within predetermined ranges. Upon a determination that one of the signals exhibits an inactive state or has a frequency or duty cycle outside the predetermined ranges, generation of another of the signals is stopped.
The method further includes cross-connecting a plurality of independent processors, using the independent processors to generate the independent signals, and using each of the processors to check that another processor signal has a frequency and duty cycle within predetermined ranges. One of the processors is caused to stop its own signal generation upon a determination that another processor signal asserts an inactive state or has a frequency or duty cycle outside the predetermined ranges.
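The cross-checking described in the two paragraphs above, as a constructed Python simulation added here (it is not code from the patent): two modelled processors each generate a square wave for the “AND” gate, each measures its peer's frequency and duty cycle, and each stops its own output when the peer's signal is inactive or outside the predetermined ranges, so the gate can no longer be permissive. The sample rate, the limits and the names Processor, measure, in_range, cross_check and vital_and are assumptions of this example.

```python
from dataclasses import dataclass

SAMPLE_RATE = 10_000  # samples per second (constructed value for the simulation)


@dataclass
class Processor:
    """One of the cross-connected processors; generates a square wave for the gate."""
    name: str
    freq_hz: float      # nominal frequency of the generated signal
    duty: float         # fraction of each period the signal is "on"
    enabled: bool = True  # cleared when the peer's signal fails the check

    def generate(self, seconds):
        """Return 0/1 samples of this processor's signal; a stopped one emits zeros."""
        n = int(seconds * SAMPLE_RATE)
        if not self.enabled or self.freq_hz <= 0:
            return [0] * n
        period = SAMPLE_RATE / self.freq_hz
        return [1 if (i % period) < self.duty * period else 0 for i in range(n)]


def measure(samples):
    """Estimate (frequency_hz, duty_cycle) from rising-edge count and on-time."""
    rising, prev = 0, 0
    for s in samples:
        if s and not prev:
            rising += 1
        prev = s
    seconds = len(samples) / SAMPLE_RATE
    return rising / seconds, sum(samples) / len(samples)


def in_range(samples, freq_limits, duty_limits):
    """True only when the signal is active and inside the predetermined ranges."""
    freq, duty = measure(samples)  # an inactive (all-zero) signal measures 0 Hz
    return (freq_limits[0] <= freq <= freq_limits[1]
            and duty_limits[0] <= duty <= duty_limits[1])


def cross_check(procs, freq_limits, duty_limits, seconds=1.0):
    """Each processor checks its peer's signal and stops its own output on failure."""
    signals = [p.generate(seconds) for p in procs]
    for i, p in enumerate(procs):
        peer = signals[(i + 1) % len(procs)]
        if not in_range(peer, freq_limits, duty_limits):
            p.enabled = False
    return [p.generate(seconds) for p in procs]


def vital_and(signals, freq_limits, duty_limits):
    """Permissive only if every input is an active signal within range."""
    return all(in_range(s, freq_limits, duty_limits) for s in signals)
```

A processor whose peer drifts out of range stops itself in the same check cycle, and the gate is then non-permissive; on the following cycle the remaining processor sees an inactive peer and stops as well.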
The above-described method eliminates a need for physical filters where the input signals are generated independently by computer subsystems. Thus computer subsystems for performing other system tasks can be used also to perform the above-described filtering function.