Fail-safe controls are designed to remain operational even though the controls may suffer certain types of failures. Such controls are typically used where severe consequences could result if a failure were to happen. The severe consequences are often in the form of a possibility or even a likelihood of harm to nearby humans or livestock, damage to expensive equipment or other capital assets, expensive legal liability, and the like.
Fail-safe controls typically achieve their fail-safe operation by including redundant components at vulnerable points. However, fail-safe controls often suffer deceptive vulnerabilities due to complexities involved with voting between redundant components when the redundant components provide opposing indications, with providing sensing signals and power that do not suffer from vulnerabilities, and with addressing the possibility of multiple failures from a single cause. Fail-safe controls tend to be undesirably expensive when compared to non-fail-safe counterparts due to the extra component and design complexities, and designers are often encouraged to mitigate the expense at the risk of introducing vulnerabilities, many of which may be difficult to appreciate prior to the occurrence of an actual event that leads to one or more actual failures.
One characteristic of fail-safe controls which leads to unwanted complexity is that the controls simultaneously address four different scenarios. For a true-OK scenario, the control system accurately indicates that a condition being monitored is in a state that permits continued operation of the system being controlled. In a true-Not-OK (NOK) scenario, the control system accurately indicates that the monitored condition is in a state where operations of the system being controlled should be curtailed. If no component failures occur, a properly designed control system operates only within these two scenarios, and if the control system need not be fail-safe, then no additional scenarios need be accommodated by the control system design.
However, for fail-safe operation, failures which lead to inaccurate indications should be considered. In a false-OK scenario, the control system inaccurately indicates that the monitored condition permits continued operation. In other words, the control system indicates that the system can continue operation when in fact the system should curtail operations. In a false-NOK scenario, the control system inaccurately indicates that the monitored condition signifies curtailed operation. In other words, the control system indicates that the system should curtail operations when in fact no reason exists for curtailed operation. For systems which employ fail-safe controls, the false-OK scenario is often deemed intolerable, while the false-NOK scenario is deemed to be unwanted but tolerable.
Fail-safe systems use sensors to monitor conditions which signify continued operation or curtailment. Often, the sensors are distributed to a number of diverse locations. Too often, prior art controls rely upon a common controller or other device to provide a common power source which drives a current loop passing through all sensors and/or monitors sensor outputs. If the current loop opens, due to the operation of any single sensor in the common loop, then the common controller detects the event and provides one or more signals leading to an indication of the event.
The use of a common controller is undesirable for fail-safe operation. A vulnerability is often introduced by concentrating functionality at a common point, such as a common controller. If the output indication function is routed through a common point, then failure of the common point can often lead to the intolerable false-OK scenario.
In conventional applications, a common power source is used for all sensors in a current loop. In some applications, the common power source introduces an intolerable false-OK vulnerability. In other applications, an unwanted loss of the common power source introduces merely a false-NOK vulnerability, but the common source still couples all sensors together in a manner that introduces an intolerable false-OK vulnerability to ground voltage rises, transient spikes and other typical power anomalies. The false-OK scenario can arise because this coupling reduces the effectiveness of sensor redundancy: a single cause can make multiple sensors fail simultaneously.
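To make the four scenarios and the common-point vulnerability concrete, here is an added Python model (constructed for this page, not the patent's own circuitry) that classifies each outcome of a sensor loop as true-OK, true-NOK, false-OK or false-NOK and compares shared versus independent sensor supplies under a single-cause fault. Its failure behaviours (a dead common controller reads OK; a supply transient latches every sensor on that supply to OK) and the 1-out-of-N versus majority voting rules are assumptions of the model.

```python
# Constructed model (not the patent's circuitry) of a sensor loop behind a common controller.
# Modelling assumptions: a dead common controller leaves its output reading OK, and a
# transient on a shared supply latches every sensor on that supply to OK at once.
from dataclasses import dataclass
from typing import List, Optional

OK, NOK = "OK", "NOK"

def classify(true_state: str, indicated: str) -> str:
    """Map (actual condition, control output) to one of the four scenarios."""
    return f"true-{true_state}" if indicated == true_state else f"false-{indicated}"

@dataclass
class Sensor:
    reading: str   # what the sensor currently asserts
    supply: str    # power-supply id; sensors sharing an id share a common point

def indication(sensors: List[Sensor], controller_alive: bool = True, vote: str = "any") -> str:
    """Control output. 'any': one NOK sensor curtails (1-out-of-N); 'majority': more than half must."""
    if not controller_alive:
        return OK  # assumption: failed common point leaves the output in the OK state
    noks = sum(s.reading == NOK for s in sensors)
    if vote == "any":
        return NOK if noks > 0 else OK
    return NOK if 2 * noks > len(sensors) else OK

def power_anomaly(sensors: List[Sensor], supply: str) -> None:
    """Single cause, multiple failures: every sensor on the hit supply is latched to OK."""
    for s in sensors:
        if s.supply == supply:
            s.reading = OK

def scenario(true_state: str, supplies: List[str], supply_hit: Optional[str] = None,
             controller_alive: bool = True, vote: str = "any") -> str:
    """Build sensors that all read the true condition, inject one fault, name the outcome."""
    sensors = [Sensor(true_state, sup) for sup in supplies]
    if supply_hit is not None:
        power_anomaly(sensors, supply_hit)
    return classify(true_state, indication(sensors, controller_alive, vote))

if __name__ == "__main__":
    # High wind (NOK) while one shared supply takes a transient: every sensor is fooled.
    print(scenario(NOK, ["A", "A", "A"], supply_hit="A"))                   # false-OK
    # Same transient with independent supplies: one sensor fooled, 1-out-of-N still curtails.
    print(scenario(NOK, ["A", "B", "C"], supply_hit="A"))                   # true-NOK
    # Majority voting needs two fooled sensors; a shared supply makes that a single cause.
    print(scenario(NOK, ["A", "A", "B"], supply_hit="A", vote="majority"))  # false-OK
    # Any voting scheme is defeated when the common controller itself dies.
    print(scenario(NOK, ["A", "B", "C"], controller_alive=False))           # false-OK
```

The last two runs show the two distinct common points the text describes: a shared supply turns majority voting into a single-cause failure, and a shared controller defeats any voting at all.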
Fail-safe controls are beneficial in a diverse range of applications. One application to which one preferred embodiment of the present invention is directed concerns the control of very large, concentrating solar collectors that track the movement of the sun. The above-listed related patents discuss examples of such solar collectors which may have a very large surface area, e.g., 1500-2500 ft², mounted on a common tower. When wind hits this very large surface area, tremendous destructive forces are transmitted to the tower. Significant cost savings may be realized by using a moderately strong tower that will withstand all but the gale-force wind conditions that occur only rarely. In the rare occurrence of a gale-force wind, the solar collectors are desirably placed in a wind stow attitude, where the collectors present a relatively small surface area to the wind and therefore transmit greatly reduced forces to the mounting tower. In this application, fail-safe operation is desirable because failure to go into the wind stow attitude in high wind conditions risks expensive equipment damage at the least, and quite possibly jeopardizes human health and safety and exposes the operator to expensive legal liabilities.