This invention relates to electrical control system monitors and more particularly to such monitors for use in applications where a failure in the system being monitored or the monitor itself must force the monitor output into a prescribed state.
With the advent of microprocessors, many control systems which were formerly implemented with discrete logic are now being designed with microprocessor technology. Certain control system applications are quite critical, and failure of the control system may result in the loss of human lives and/or extensive equipment damage. Such systems include railroad control and warning devices, aircraft electrical power control systems, and highway traffic control systems. Classical techniques which have been devised to detect faults within a control unit and cause a safe failure, for example, turning on all of the red lights at a traffic intersection if a unit fails, are not applicable to microprocessor systems. This is due to the complexity of microprocessor large scale integration devices and differences in the technology as compared to discrete circuits.
When a failure in an electrical system has the potential to expose life or property to extreme danger, it is essential that the system be closely controlled. Any failure in the system or the control unit should result in immediate corrective action. Various design techniques are available when designing an electrical system which contains highly reliable control functions. These techniques include back-up logic control circuits, voting schemes, and special data processing techniques.
In aircraft power distribution systems, the failure of a generator must be sensed by the control unit and an auxiliary generator must be switched into the system. In addition, it is desirable to construct a control unit which minimizes weight and size but still has sufficient computational power to perform self-test fault detection functions. Once a fault in the control unit or the system being controlled occurs, a clear indication of the failure is required and a positive means for locking the failed device out of the system must be used.
The present invention seeks to provide a highly reliable electrical control system monitor and means for forcing a desired system response when a failure occurs in the monitor or the remainder of the system. A lock and key design approach has been utilized in which a sequence of data words is generated in response to the operational status of the system being monitored, and these words are compared with a previously determined sequence of data words. If the generated data words do not have a preselected value, or are not produced in a preselected sequence, the output of the monitor will be forced into a predetermined state. Examples of control systems which utilize a lock and key approach can be found in copending commonly-assigned application Ser. No. 275,425, filed June 18, 1981, now U.S. Pat. No. 4,409,635 issued Nov. 11, 1983, and U.S. Pat. No. 4,107,253, issued Aug. 15, 1978 to Borg et al.
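The lock and key behaviour described above, as an added simulation that is not part of the patent and does not reproduce its circuitry: the monitored controller presents key words, the monitor checks each one against a predetermined sequence, and a wrong word or an out-of-order word forces the output into the safe state and latches it there, so that later correct words cannot re-enable a device that has already failed. The key sequence, the `Output` states and the `window` of monitor ticks between keys are assumptions chosen for the example; the patent text above does not state a timing requirement, only value and order.

```python
from enum import Enum


class Output(Enum):
    """State of the monitor's output line."""
    ENABLED = "enabled"  # normal operation: the controlled device stays in service
    SAFE = "safe"        # forced state: the controlled device is locked out


class LockAndKeyMonitor:
    """Compares incoming key words against a predetermined sequence.

    The monitored controller must present the expected words, in the expected
    order, and (assumption, not stated in the patent text) within `window`
    ticks of each other. Any wrong word, out-of-order word or missed deadline
    forces the output to SAFE and latches it there until an explicit reset.
    """

    def __init__(self, expected_keys, window=3):
        if not expected_keys:
            raise ValueError("expected key sequence must not be empty")
        self.expected = tuple(expected_keys)
        self.window = window
        self.reset()

    def reset(self):
        """Deliberate maintenance action; the monitor never clears a fault on its own."""
        self.position = 0          # index of the next key word we expect
        self.ticks_since_key = 0
        self.output = Output.ENABLED
        self.fault = None

    def present_key(self, word):
        """Called by the monitored controller each time it produces a key word."""
        if self.output is Output.SAFE:
            return self.output  # latched: later correct keys do not re-enable
        wanted = self.expected[self.position]
        if word != wanted:
            return self._trip(
                f"position {self.position}: expected 0x{wanted:02X}, got 0x{word:02X}")
        self.position = (self.position + 1) % len(self.expected)
        self.ticks_since_key = 0
        return self.output

    def tick(self):
        """Called once per monitor clock period; enforces the assumed timing window."""
        if self.output is Output.SAFE:
            return self.output
        self.ticks_since_key += 1
        if self.ticks_since_key > self.window:
            return self._trip(f"no key word within {self.window} ticks")
        return self.output

    def _trip(self, reason):
        """Force the output into the predetermined safe state and record why."""
        self.output = Output.SAFE
        self.fault = reason
        return self.output


def run_schedule(monitor, events):
    """Drive the monitor with a constructed schedule of events.

    Each event is either an int (a key word presented by the controller) or the
    string "tick" (one monitor clock period with no key). Returns the final
    output state.
    """
    for ev in events:
        if ev == "tick":
            monitor.tick()
        else:
            monitor.present_key(ev)
    return monitor.output


SAMPLE_KEYS = (0x5A, 0xA5, 0x3C, 0xC3)  # constructed sample sequence, not from the patent

if __name__ == "__main__":
    healthy = LockAndKeyMonitor(SAMPLE_KEYS)
    print(run_schedule(healthy, [0x5A, "tick", 0xA5, 0x3C, "tick", 0xC3, 0x5A]))
    swapped = LockAndKeyMonitor(SAMPLE_KEYS)
    print(run_schedule(swapped, [0x5A, 0x3C, 0xA5]), swapped.fault)
    stalled = LockAndKeyMonitor(SAMPLE_KEYS)
    print(run_schedule(stalled, [0x5A, "tick", "tick", "tick", "tick"]), stalled.fault)
```

The latch is the point of the design: once `_trip` has run, `present_key` ignores everything until `reset`, which models the patent's requirement for a positive means of locking the failed device out rather than letting it silently recover.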