This invention relates to a system for monitoring the validity of electrical data applied to n functionally parallel-connected data channels according to a fixed criterion, all of these data originating from one and the same data source. In accordance with this system, the data channels no longer allow conclusions to be drawn as to the correctness of the data issued by the data source if the data, at least for a predetermined period of time, on more than m of n channels disagree. The invention also concerns the employment of such a system.
In safety practice it is known to forward the data acquired at a system to be monitored over several functionally parallel-connected processing channels, which may in some cases comprise data acquisition and/or monitoring, data processing and data transmission systems. Such inherently costly functionally parallel-connected channels are used above all in cases where the data to be dealt with comprise information on non-hazardous conditions or on conditions which, in a system generating the primary data, are hazardous to human beings.
In this context it is predetermined what mutual relationship the data arriving at the end of the parallel channels must exhibit, so that it becomes possible to draw conclusions on correct or incorrect processing. For example, if a number n of parallel-connected channels are provided, it may be preselected that identical data must appear on at least q channels if conclusions as to the validity of the primary data, whatever they are, are to be justifiable. This may better be understood by way of a specific example. If five parallel-connected channels are provided and q is chosen to be three, then, basically, the following data configurations may appear on the five channels:
(1) Data identical on all five channels. In this case, processing is correct.
(2) Data on four channels identical and on one channel different. In this case processing is correct according to the four identical channels.
(3) Data on three channels identical and on two channels different. In this case processing is correct according to the three identical channels.
From the foregoing it becomes evident that such a system does not operate unequivocally without further safeguards. The reason for this is clear. With identical data on three or even on four of the five parallel channels, the data are interpreted as being in accordance with the primary data (i.e., the data on the three or four channels). It is quite possible, however, that the data on these three or four channels are wrong and that the data on the two, or the one, remaining channel are correct. This consideration leads to the qualification that, in such systems, q-times-faults must be excluded, and this means that q of n processing channels must not become faulty at the same time.
It is of course possible to prove by probability calculation that the appearance of such q-times-faults is so unlikely that disregarding them is justifiable without real impairment of the safety of such installations. This is especially true since, owing to the increased speed of the system, faults can be detected separately in time even when they occur at narrow time spacing.
Under this aspect, the present invention aims at providing a system which, in a faultproof manner and on the basis of predetermined criteria, checks the data processed by the functionally parallel-connected channels as to their validity in relation to the primary data and, in accordance with the result, releases the processed data for further processing, e.g. feed-back to the primary-data generating system. Following fault detection, the data are treated as non-significant, until the fault is eliminated. In the case of feed-back to the monitored system which generates primary data, the latter is then made to change into a safe condition if necessary. To this end, the present invention is characterized in that the n channels are connected to a first q of n selective logic system, q being equal to n-m, the logic system being devised so as to issue data which correspond to data, simultaneously present, on at least q of n channels and that the output of the selective logic system is in each case taken to one of the channels of n channel-related comparison elements whose outputs are each connected to a respective marking unit, in order to register the deviation of data on the channels in comparison with the output of data of the first selective logic system in relation to particular channels. In accordance with the invention, all the marking units are connected to a second q of n selective logic system which is devised so as to produce a first signal if the marking units have registered the data on at least q channels as non-deviating data, and to produce a second signal if the marking units have not registered the data on at least q channels as non-deviating data. The output of the first selective logic system is connected to a modulating input of an oscillator whose output is modulated with the channel data and connected to the comparison elements, the marking units and the second selective logic system. 
These components cooperate in such a way that the first output signal of the second selective logic system appears as a signal corresponding to the modulated oscillator signal and the second output signal is a direct current signal. The oscillator output signal is applied to the above-mentioned units as the data carrier signal and also as a test frequency signal. The comparison elements, marking units and the second selective logic system are designed in such a way that the appearance of an internal fault causes an output signal to be produced which is identical to that produced when deviating channel data are registered.
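The arrangement described above can be modelled in software as follows. This is an added illustration, not part of the original text: the class and function names are hypothetical, the sample values are constructed, and the latching of the marking units until an explicit reset and the requirement that q be a strict majority of n are assumptions of the model. The predetermined time period and the oscillator are not modelled; the two output signals are represented by the strings "MODULATED" and "DC".

```python
from collections import Counter

class QofNMonitor:
    """Model of the two q-of-n logics, comparison elements and marking units."""

    def __init__(self, n, q):
        if not n // 2 < q <= n:  # assumption: strict majority keeps the vote unique
            raise ValueError("q must satisfy n/2 < q <= n")
        self.n, self.q = n, q
        self.marked = [False] * n  # marking units, one per channel

    def first_logic(self, channels):
        """First q-of-n logic: value present on at least q channels, else None."""
        value, count = Counter(channels).most_common(1)[0]
        return value if count >= self.q else None

    def step(self, channels):
        """Process one sample per channel; return (released_data, signal)."""
        if len(channels) != self.n:
            raise ValueError("expected one sample per channel")
        voted = self.first_logic(channels)
        if voted is None:
            return None, "DC"  # no quorum: nothing to compare against
        # Comparison elements: each channel against the first logic's output.
        for i, sample in enumerate(channels):
            if sample != voted:
                self.marked[i] = True  # assumption: stays set until reset()
        # Second q-of-n logic: at least q channels must be unmarked.
        if self.marked.count(False) >= self.q:
            return voted, "MODULATED"  # first signal: data released
        return None, "DC"  # second signal: data treated as non-significant

    def reset(self):
        """Assumed action once the fault has been eliminated."""
        self.marked = [False] * self.n

def demo():
    """Constructed run: single faults on three different channels over time."""
    mon = QofNMonitor(n=5, q=3)
    samples = [[7, 7, 7, 7, 7], [7, 7, 7, 7, 9], [7, 7, 7, 2, 7],
               [7, 7, 1, 7, 7], [7, 7, 7, 7, 7]]
    return [mon.step(s) for s in samples]

def q_fold_fault():
    """Constructed case: true value 7, three channels fail identically to 9."""
    return QofNMonitor(n=5, q=3).step([9, 9, 9, 7, 7])
```

In `demo()` the fourth sample still has four agreeing channels, yet the output falls to "DC" and stays there because three channels have been marked. `q_fold_fault()` shows the limitation stated earlier: a simultaneous fault on q channels is released as valid.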