This invention relates to electrical systems.
The power supply in aircraft is provided by several generators to ensure that sufficient power is available for flight-critical equipment in the event that one of the generators should fail. When one of the generators fails, it is necessary to switch vital equipment that was supplied by the failed generator to supply by a working generator with minimum interruption to the power supply. Although the power generators can tolerate some overloading for short periods, a generator that is overloaded suddenly, excessively or for prolonged periods could be permanently damaged. The generators are, therefore, provided with protection circuits that shut a generator down if it is seriously overloaded. In order to prevent the working generator being overloaded when the new loads are connected, it is necessary to disconnect, or shed, some of the non-critical loads connected to the working generator before the vital equipment is transferred to it.
The supply of power to the different items of equipment is generally controlled by a processor receiving inputs from the generators and providing outputs that control the supply of power to the equipment, such as via relays or the like. The outputs are provided as a result of an algorithm or other program computed by the processor during normal operation of the generators. The processor re-computes the system commands at regular intervals, that is, at every processing cycle or at multiples of every processing cycle. If one of the generators should fail, this would be signalled to the processor, causing it to run a different, load-shedding algorithm so that appropriate items of equipment are shut down to enable power to be supplied to the flight-critical equipment.
The problem with this arrangement is that there is a time delay before the processor instructs load shedding, which can be equal to that of the processing cycle. Because of this delay, overloading of the working generator can only be avoided by delaying the switching of the critical equipment from the failed generator to the working generator until after the processor has had time to shed the load. The vital equipment is, therefore, deprived of power for a considerable period. Although this delay can be reduced by using high speed processors, the delay is still appreciable.
One alternative way of producing a more rapid response is to interrupt the processing cycle of the processor as soon as a fault is detected, suspending the normal program and executing the new load-shedding program with minimal delay. Although this can reduce the delay, the interrupt is non-deterministic since it can occur at any point in the processor program. This makes it difficult to prove that the interrupt will always be serviced correctly and that, after servicing the interrupt, the processor will always return to its normal program in an orderly manner, at whatever point in the processing cycle the interrupt occurs.
There are other systems, as well as aircraft power systems, where it is desirable to be able to respond reliably to a change in an external stimulus more rapidly than the processing time of a program.