In the field of fault-tolerant systems, it has been a general practice to employ redundant circuitry. Thus, if one part of a redundant system fails, the other part of the redundant system is still available to perform the intended function of the system. Although such devices have served the purpose, they have not proved entirely satisfactory under all conditions of service because latent faults can develop in a portion of a redundant system that is not then in use. If, for example, in a redundant power source, one portion of the redundant system is currently in use while the other portion is serving as an unused backup, any error or fault condition in the backup portion would not normally be detected during system operation unless and until the backup portion is put into use. Since that would generally only happen when the first portion of the system failed, the presence of a latent fault could result in a catastrophic failure of the entire system. Thus, if one portion of a redundant system fails, and the backup portion of the redundant system already had an undiscovered fault, a failure of the entire system would result. Such a failure would defeat the purpose of redundancy. Latent faults essentially rob redundant systems of the advantages of uninterrupted operation for which such systems had been designed.
The performance of fault-tolerant systems is dependent upon redundant operations and circuitry. For example, critical power subsystems are supported by more than one energy path. However, whenever one path provides total support while the other path is unused, a small but nonetheless real possibility exists that an unknown, undetected fault exists in the path not currently in use. If the primary support channel fails subsequently, then this latent fault would cause failure of some or all of the load circuits downstream, resulting in the cessation of operation due to loss of system integrity.
One such prior art redundant power system is illustrated in FIG. 1. A critical load element 11, such as a power converter, is supported by two DC sources 13 and 15 via respective duplicate buses 17 and 19. Bus 17 includes isolation diodes 21 and 23. Bus 19 includes isolation diodes 25 and 27. Each isolation diode has one electrode connected to load 11, and thereby to the corresponding diode of the opposite bus 17 or 19. Isolation diodes 21, 23, 25 and 27 thereby permit load 11 to obtain power from either bus, and also protect against overload on one bus if the other bus fails. In practice, one of the two sources 13 and 15 will produce a higher voltage than the other, so that the higher-voltage bus is always the one actually supporting load 11.
Bus 17 is also provided with protective fuses 29 and 31, while bus 19 is provided with protective fuses 33 and 35. Each fuse 29, 31, 33 and 35 is connected in series to a respective diode 21, 23, 25 or 27. Thus, diode 21 is connected between fuse 29 and load 11. Diode 23 is connected between fuse 31 and load 11. Diode 25 is connected between fuse 33 and load 11. Diode 27 is connected between fuse 35 and load 11. As can be seen in FIG. 1, the cathodes of diodes 21 and 25 are connected to each other and to load 11. Also, the anodes of diodes 23 and 27 are connected to each other and to load 11.
Incorporating diodes 21, 23, 25 and 27 and fuses 29, 31, 33 and 35 into respective buses 17 and 19, while providing valuable protection to the system of FIG. 1, also makes each of them a possible point of failure. Any one or more of diodes 21, 23, 25 and 27 could fail open or fail short-circuited, and any one or more of fuses 29, 31, 33 and 35 could fail open. Thus, there are 12 possible fault conditions for the apparatus of FIG. 1. Because redundant buses 17 and 19 are provided in FIG. 1, if a conducting diode or the fuse connected in series with it fails open, the other bus will provide power to the load. Operation would continue uninterrupted, but the system of FIG. 1 would give no indication of the failure. Furthermore, if, for example, diode 25 fails while bus 17 is in use and bus 19 is serving as a backup, that failure would likely go undetected. If a failure then occurs on bus 17 while bus 19 is already crippled by a disabling failure, the result could be catastrophic. Such a situation would deprive the user of an important benefit of a redundant or fault-tolerant system, namely the ability to continue operating notwithstanding the presence of fault conditions.
If one or more of diodes 21, 23, 25 and 27 fails shorted, then the fault may propagate further. For example, in a telecommunications environment where equipment is connected to a central office battery via redundant building distribution buses, an external circuit exists between the two positive supply buses, and between the two negative supply buses of such a system. If that system is configured as shown in FIG. 1, and if, for example, diode 23 fails shorted, and if voltage source 15 has a higher voltage output than does voltage source 13, then a line overload may occur because source 15 will attempt, through the sneak path created by shorted diode 23 and the connections between the external distribution systems, to support any other loads connected to voltage source 13. As a result, either or both of fuses 31 and 35 may then clear and the system fail.
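As an added illustration (not part of the patent text), the following Python model enumerates the 12 single-element faults of the FIG. 1 bus arrangement described above, reports which keep the load powered with no indication (the latent-fault problem), and flags the sneak path created by a shorted diode. The element numbers follow FIG. 1; the sample source voltages are constructed, and the model generalises the diode-23 case in the text to any shorted diode on the lower-voltage bus, which is an assumption of this example.

```python
# Element numbering follows FIG. 1: each bus carries a positive-side and a
# return-side fuse/diode pair in series between its DC source and load 11.
BUSES = {
    17: {"source": 13, "fuses": (29, 31), "diodes": (21, 23)},
    19: {"source": 15, "fuses": (33, 35), "diodes": (25, 27)},
}

def single_faults():
    """The 12 fault conditions the text counts: any fuse open; any diode open or shorted."""
    faults = []
    for spec in BUSES.values():
        faults += [(f, "open") for f in spec["fuses"]]
        faults += [(d, mode) for d in spec["diodes"] for mode in ("open", "short")]
    return faults

def bus_conducts(bus, faults):
    """A bus can feed the load only if none of its fuses or diodes has failed open."""
    spec = BUSES[bus]
    return not any((el, "open") in faults for el in spec["fuses"] + spec["diodes"])

def load_powered(faults):
    """Load 11 stays up while at least one bus still conducts (the redundancy benefit)."""
    return any(bus_conducts(b, faults) for b in BUSES)

def owner_of(element):
    return next(b for b, s in BUSES.items() if element in s["fuses"] + s["diodes"])

def classify(fault, volts):
    """Describe one fault given source voltages {13: V, 15: V}; the higher-voltage bus carries the load."""
    active = max(BUSES, key=lambda b: volts[BUSES[b]["source"]])
    backup = 19 if active == 17 else 17
    element, mode = fault
    if mode == "short":
        # Assumption generalising the diode-23 case in the text: the diode on the
        # lower-voltage (backup) bus is the reverse-biased one, so shorting it
        # bridges the two sources through the external distribution wiring.
        if owner_of(element) == backup:
            return "sneak path between sources: overload, fuses may clear"
        return "undetected: diode already forward-biased, no immediate effect"
    if owner_of(element) == active:
        return "undetected: load silently moves to bus %d" % backup
    return "undetected: backup bus %d crippled, latent until needed" % backup

if __name__ == "__main__":
    volts = {13: 48.5, 15: 48.0}            # constructed sample: bus 17 active, bus 19 backup
    for fault in single_faults():
        print("%-12s -> %s" % ("%d %s" % fault, classify(fault, volts)))
    # Catastrophic sequence from the text: diode 25 opens unnoticed on backup bus 19,
    # then fuse 29 on the in-use bus 17 opens.
    print("load powered after both faults:", load_powered({(25, "open"), (29, "open")}))
```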