This invention relates to electrical power systems and particularly to power systems for use in applications where a failure in the power system or its control unit must force the control unit output into a prescribed state. Control units used in such systems are also able to perform control functions for the circuit being driven by the power system and to force their control function outputs to a predetermined state when a failure occurs in the control unit or the system being controlled.
When a failure in an electrical system has the potential to expose life or property to extreme danger, it is essential that the system be closely controlled. Any failure in the system or the control unit should result in immediate corrective action. Various design techniques are available when designing an electrical system which contains highly reliable control functions. These techniques include backup logic circuits, voting schemes, and special data processing techniques.
In aircraft power distribution systems, the failure of a generator must be sensed by the control unit and an auxiliary generator must be switched into the system.
In addition, it is desirable to construct a control unit which minimizes weight and size but still has sufficient computational power to perform self-test fault detection functions. Once a fault in the control unit or the system being controlled occurs, a clear indication of the failure is required and a positive means for locking the failed device out of the system must be used.
The present invention seeks to provide a highly reliable electrical system and means for forcing a desired system response when a failure occurs in the control unit or the remainder of the system. In part, the objectives of this invention have been addressed by the prior art. For example, U.S. Pat. No. 4,107,253, Aug. 15, 1978, by Borg et al. discloses a railway signaling system safety and test device which generates an output voltage through the use of a read only memory and comparator circuit. However, that patent explicitly allows for the continued operation of the control unit once the correct operating conditions have been re-established, even if an intermittent fault has occurred. Therefore, under certain fault conditions, the output voltage could exhibit periodic cycling. Such an intermittent failure response is highly undesirable in certain applications. This invention provides a unique method of preventing such failure response modes by locking the failed system in a predetermined output state so that any future erroneous control signals are ignored by the system.
The control unit of the present invention comprises a microprocessor, digital comparator, read only memory, output means for producing control signals, and a feedback circuit which implements the locking feature of the system. These components cooperate to perform various self-test routines which evaluate the operating condition of the system components and generate an output voltage when all test results are satisfactory and each element of the system being controlled and the control unit is functioning properly. The control unit utilizes a sequential key word technique to provide a highly reliable means of failure detection.
The microprocessor software is divided into two categories: operational software which relates to the processing of data received from outside of the control unit; and a collection of self-test routines which exercise all aspects of the control unit to reveal both passive and active failures. Selection of a particular self-test routine to be performed is determined by a digitally encoded base word stored in the read only memory.
The memory has two outputs: data A, which is a collection of base words that determine the self-test routine to be performed by the microprocessor; and data B, which is a collection of key control words used to verify results of the self-test routine. To begin the self-verification process within the control unit, the microprocessor reads a base word from memory output data A. That base word indicates the particular self-test routine which is to be performed by the microprocessor. After the test routine is completed, the test results appear in the form of a digitally encoded key word at output data C of the microprocessor. This occurs at a fixed time (T_L) after the microprocessor reads the base word.
A comparator then compares the key word appearing at the data C output of the microprocessor with the key word appearing at the data B output of the read only memory. If these key words are identical, the comparator output switches from a logic zero to a logic one. This change in logic state is sensed by a feedback circuit which indexes the read only memory, after a fixed time (T_L), to the next base word (data A) and key word (data B). Once the memory has been indexed, the key words appearing at data B and data C are no longer identical, so the comparator output switches back to a logic zero.
The appearance of a second base word on data A triggers a new self-test routine within the microprocessor, which results in the appearance of a new key word at data C of the microprocessor after a fixed time (T_L). If this new key word agrees with the current data B key word output, the comparator output again switches from a logic zero to a logic one and the feedback circuit subsequently indexes the read only memory to the next position. As long as the self-test routines continue to result in key words at data C which are identical to the key words at data B, the comparator output will continue to oscillate, remaining at logic one for a fixed time (T_L), then shifting to logic zero to remain there for the same length of time.
This results in a square wave at the comparator output which is used by the output stage of the control unit to generate an output voltage signal (V_X) which indicates that the control unit is functioning properly. The presence of output voltage signal V_X enables the operational software output of the microprocessor, allowing the control unit to perform its designated control functions in the total system.
Should any component fail, either in the microprocessor or in the other control unit circuitry, the net effect will be a loss of V_X. A failure in the microprocessor will result in a corruption of data C or its timing. Likewise, a failure in the comparator, memory, or feedback circuit will affect data B, and hence the input signal to the control unit output circuitry. Since V_X is generated from an active pulse train, a failure in the control unit output circuitry will also result in a loss of V_X.
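As an added illustration, not code from the patent, the following Python simulation models the sequential key-word loop described above: a ROM table of base words and expected key words, three self-test routines standing in for the microprocessor's routines, the comparator, the feedback indexing, and the latching loss of V_X. The routine contents, the key-word values, the stuck-at-0 RAM fault and the `hook` fault-injection mechanism are all constructed for this example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed ROM: (base word = data A, expected key word = data B); the key
# words are the known-good results of the routines below, chosen for this example.
ROM: List[Tuple[int, int]] = [(0x01, 0x78), (0x02, 0x82), (0x03, 0xFC)]

def checksum_test(st: dict) -> int:        # base 0x01: program-memory checksum
    return sum(st["program"]) & 0xFF

def alu_test(st: dict) -> int:             # base 0x02: add/xor with known operands
    return ((0x5A + 0x33) ^ 0x0F) & 0xFF

def ram_test(st: dict) -> int:             # base 0x03: write/read-back pattern test
    key = 0
    for cell in range(len(st["ram"])):
        for pattern in (0x55, 0xAA):
            st["ram"][cell] = pattern & ~st["stuck_low"][cell]  # stuck-at-0 fault
            key = (key + st["ram"][cell]) & 0xFF
    return key

ROUTINES: Dict[int, Callable[[dict], int]] = {0x01: checksum_test, 0x02: alu_test, 0x03: ram_test}
def healthy_state() -> dict:
    return {"program": bytes(range(16)), "ram": [0] * 4, "stuck_low": [0] * 4}

class ControlUnit:
    def __init__(self, state: dict):
        self.state, self.index, self.locked = state, 0, False
        self.comparator: List[int] = []    # comparator level, one entry per T_L
    def cycle(self) -> int:
        """Run one self-test; return comparator output (1 when data C == data B)."""
        base, expected = ROM[self.index]
        match = int(ROUTINES[base](self.state) == expected)
        self.comparator += [match, 0]      # high for T_L, then low for T_L
        if match:                          # feedback circuit indexes the ROM
            self.index = (self.index + 1) % len(ROM)
        else:                              # missing pulse: V_X is lost and the
            self.locked = True             # feedback circuit latches lockout
        return match

    def v_x(self) -> bool:                 # output voltage present only if never locked
        return not self.locked

def run(unit: ControlUnit, cycles: int, hook=lambda n, st: None) -> List[bool]:
    history = []                           # V_X after each self-test; hook(n, state)
    for n in range(cycles):                # may inject a fault before test n
        hook(n, unit.state)
        unit.cycle()
        history.append(unit.v_x())
    return history
```

With a fault injected on one cycle and then cleared, the comparator resumes pulsing but V_X stays off, which is the locking behaviour the text contrasts with the intermittent-fault cycling of the prior art.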
A power system constructed in accordance with the present invention incorporates a plurality of generators which can be switched in and out of the circuit by means of circuit breakers which are operated by a plurality of system control units. These control units would continually monitor the function of all aspects of the system and switch generators in and out of the circuit if a failure is found in a control unit or the system being controlled. Therefore the failed circuit would be locked out of the system while power output is continued. Manual intervention would be required to correct the failure.
Control units can also communicate with the circuit being driven by the power system by way of interface circuits which are designed to permit the control unit to test their operating condition through the self-test routines. If a failure is detected by the self-test routines, and the control unit outputs are locked, the information available at the data outputs could be used for maintenance purposes to locate the problem area.