The traditional reliability of telecommunication systems that users have come to expect and rely upon is based in part on the systems' operation on redundant equipment and power supplies. Telecommunication switching systems, for example, route tens of thousands of calls per second. The failure of such systems, due to either equipment breakdown or loss of power, is unacceptable since it would result in a loss of millions of telephone calls and a corresponding loss of revenue.
Power plants, such as battery plants, address the power loss problem by providing the system with a secondary source of power, a battery, in the event of the loss of a primary source of power to the system. Battery plants operate generally as follows. Each battery plant includes batteries, rectifiers, circuit breakers and other power distribution equipment (for a block diagram of a representative power plant, see FIG. 1). The primary power source is produced by the rectifiers, which convert an AC mains voltage into a DC voltage, to power the load and to charge the batteries. The primary power source may become unavailable due to the loss of the AC mains voltage or the failure of the rectifiers. In either case, the batteries then supply power to the load. The circuit breakers provide protection from excessive current conditions caused by short circuits or other malfunctions in the load. Redundant rectifiers and batteries may be added to the battery plant to reduce the probability of total battery plant failure. The addition of the redundant components, however, does not address the problem of single-point failures. Internal shorts or other failures in critical areas may still disable the entire battery plant.
Since some single-point failures may remove the entire battery plant from service (thereby nullifying its internal redundancies), many applications use independent, redundant battery plants to further improve the availability of power to vital equipment. One method, for instance, employs two redundant battery plants to independently power two redundant sets of load equipment, thereby providing a fully redundant system (see FIG. 2). The failure of one battery plant will not affect the other battery plant, which will continue to provide power to its load. The load equipment powered by the failed battery plant, however, is no longer available to provide redundancy capability.
For certain critical applications, it is desirable to improve availability even further. Critical applications may require the availability of both redundant sets of load equipment, even when one battery plant fails. One way of providing this capability is to connect the output of each of the battery plants to both loads after ensuring that either battery plant is independently capable of powering both loads. Consequently, if one battery plant fails, the remaining battery plant will provide power to both sets of load equipment, thereby maintaining full system redundancy.
One problem with this architecture is that a short in either battery plant or in the feeds may cause all the circuit breakers to open, resulting in a loss of power to both loads. The entire system would then become unavailable. Another problem occurs when the rectifiers in one battery plant fail or the AC input is lost. The remaining battery plant may then provide charging current to the batteries in the failed battery plant. A similar situation may occur when one of the battery plants is recovering from a full battery discharge and its battery voltage is low. In both situations, current would then flow from one battery plant to the other. Depending on the resistances in the distribution network, the currents could cause some or all of the circuit breakers to open, resulting again in a loss of power to both loads.
Accordingly, what is needed in the art is an architecture for providing high availability while maintaining the independence of the battery plants, such that the failure of one battery plant does not result in deleterious effects on the rest of the system. Further, to maintain high availability, what is needed in the art is a technique for determining if devices used in the high availability architecture have failed.