1. Field of the Invention
This invention relates to a triple redundant control device and triple redundant control method which can be used in a power generation plant, for example.
2. Description of the Related Art
A known triple redundant control device, which includes three control units, is constructed so as to select a medium value (i.e. median) of three signals each of which is outputted from one respective control unit, and to output a control signal corresponding to the medium value. This is also called a triple redundant medium value selection system. A structure of a conventional triple redundant control device which adopts this triple redundant medium value selection system, which can be used for a power generation plant, for example, is shown in FIG. 14, whereby a control method corresponding to the control device will also be explained.
In FIG. 14, the conventional control device has three system control units 1, 2, 3 which composes a triple redundant system, that is, System A, System B and System C, and a medium value gate (MVG) 4 which chooses and outputs a median among three values each corresponding to an output from the respective control unit. Here, the middle signal level is selected from the three outputs of triple control units, and is outputted as a control command signal b. Moreover, when the control units 1, 2, 3 detect a failure by self-diagnostics, the control unit output failure signals a1, a2, a3, respectively. There is a two out of three selector circuit 5 which outputs a shut-down command signal g, such as a turbine trip command, provided at least two of the three systems output the failure signal. When the shut-down command g is outputted, operations of controlled equipment such as a turbo-generator is suspended.
Thus, in this conventional triple redundant control device, when one control unit fails and an output from the failed control unit drops below a normal output level range, that is, downscale has occurred, the medium value gate 4 selects and outputs the lower in signal level of the two signals from the two normally operating control units. Thus, as a result, the lower of the two signals outputted from the two normally operating control units is used as the control command b, and the control continues normally. Conversely, when one control unit fails and an output from the failed control unit increases above a normal output level range, that is, upscale has occurred, the medium value gate 4 selects and outputs the higher in signal level of the two signals from the two normally operating control units. Thus, the control continues normally.
When double failure of control units occurs, for example, when outputs of two control units are downscaled, the medium value gate 4 selects one of the downscaled signals, and normal control cannot be maintained. Thus, in this case when two failure signals of two control units are outputted, the two out of three selector circuit 5 outputs operation suspend command g to controlled equipment.
In the above-mentioned conventional triple redundant control device and method, when one control unit is separated and inspected, or when one control unit is in failure, one of the outputs from the other two control units is selected and the control is continued according to the selected one output. However, if one of the other control units is also inspected or in failure, the control of equipment is stopped even though one of the three control units is in a normal state, and thereby utilization rates of controlled objects decreases.