AU1592001A - Fail-safe, fault-tolerant switching system for a critical device - Google Patents

Fail-safe, fault-tolerant switching system for a critical device

Info

Publication number
AU1592001A
Authority
AU
Australia
Prior art keywords
switching
fault
switch
safe
fail
Legal status (Google's assumption, not a legal conclusion)
Abandoned
Application number
AU15920/01A
Inventor
Martin Batten
Peter Desany
Thomas Harmon
Current Assignee (as listed by Google; may be inaccurate)
Raytheon Co
Original Assignee
Raytheon Co
Application filed by Raytheon Co; published as AU1592001A (PCT publication WO 01/35432, application PCT/US00/30799). Priority, filing and publication dates are not given on this page.

Classifications

    • H01H 47/22 Circuit arrangements for supplying energising current for a relay coil (under H01H 47/00, circuit arrangements not adapted to a particular application of the relay and designed to obtain desired operating characteristics or to provide energising current; H01H, electric switches, relays, selectors, emergency protective devices)
    • H01H 47/004 Monitoring or fail-safe circuits using plural redundant serial-connected relay-operated contacts in the controlled circuit (under H01H 47/002, monitoring or fail-safe circuits)
    • G05B 9/03 Electric safety arrangements with multiple-channel loop, i.e. redundant control systems (under G05B 9/00, safety arrangements; G05B, control or regulating systems in general, functional elements of such systems, monitoring or testing arrangements for such systems or elements)
    • B60T 8/1705 Braking or traction control means specially adapted for rail vehicles (under B60T 8/17, using electrical or electronic regulation means to control braking; B60T 8/00, arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions; B60T, vehicle brake control systems or parts thereof)
    • B60T 8/885 Wheel-braking force control responsive to a speed condition, with failure-responsive means (detecting and indicating faulty operation of the speed-responsive control means) using electrical circuitry (under B60T 8/88 and B60T 8/32)
    • B60T 2270/406 Failsafe aspects of brake control systems: test mode, self-diagnosis (under B60T 2270/40, failsafe aspects; B60T 2270/00, further aspects of brake control systems not otherwise provided for)
    • B60T 2270/415 Failsafe aspects of brake control systems: short-circuit, open-circuit failure

Description

WO 01/35432 PCT/US00/30799

FAIL-SAFE, FAULT-TOLERANT SWITCHING SYSTEM FOR A CRITICAL DEVICE

FIELD OF INVENTION

This invention relates to a fail-safe, fault-tolerant switching system for a critical device.

BACKGROUND OF INVENTION

Fail-safe devices are used where there is a risk of personal injury or damage to property. For example, the air brakes on large trucks are released by air pressure acting against strong springs in the brake actuators; any failure of the air pressure system releases the springs to apply the brakes, so the system "fails safe". In railroad signalling a "vital relay" is used to monitor the presence of a vehicle and so control the separation between trains. When less than the required separation is sensed, power to the relay is cut off and the "fail-safe" force of gravity is relied upon to close the contacts and provide a warning signal.

The use of ever more sophisticated electronic and computer-controlled systems, such as personal rapid transit (PRT) systems, has given rise to more sophisticated requirements for fail-safe operation. PRT systems are driverless, automated, small passenger vehicles that operate on guideways. In addition, fault-tolerant operation, permitting continued operation of partially disabled but still safe vehicles, is an important consideration. PRT vehicles, for example, must always operate fail-safe but need some fault tolerance, so that a faulty vehicle is not simply stopped where it interferes with the operation of other vehicles when the fault can be tolerated at least long enough to move the vehicle from the guideway to a maintenance area. PRT is but one instance where fail-safe, fault-tolerant systems are needed.

This has given rise to switching circuits that use a number of switches to provide fail-safe operation: one switch is generally not enough, because a switch, whether mechanical or semiconductor, can fail in either the closed or the open mode. The outcome of a single-switch failure is therefore not predictable, and failure to a safe state is not assured. Two or more switches connected in series increase reliability and are safe provided a defective switch can be detected. Two or more switches in parallel provide redundancy but do not improve reliability: a single switch that has failed closed keeps the load energized.

BRIEF SUMMARY OF THE INVENTION

    • It is therefore an object of this invention to provide an improved fail-safe switching system.
    • It is a further object of this invention to provide an improved fail-safe switching system which is inherently fault-tolerant to some faults.
    • It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is simple, reliable, and uses few and conventional parts.
    • It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be self-tested, with fault tracing down to the individual switching elements.
    • It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can be monitored and controlled so as to reconfigure for fault-tolerant operation in the presence of additional faults.
    • It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which uses fuses to override faults due to switching devices that have failed in the closed mode.
    • It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which reduces the probability of failure in an unsafe mode.
    • It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which can work around a single fault.
    • It is a further object of this invention to provide such a fail-safe, fault-tolerant switching system which is resistant to common-mode failures.

This invention results from the realization that a truly fail-safe, fault-tolerant switching system for a critical device can be achieved using two parallel networks, each including a fuse device and two switch devices in series, with the critical device connected between the networks at the junction of the two switch devices in each network, so that the system is entirely fail-safe and fault-tolerant through its inherent operation, supplemented by automatic monitoring and control of the switching devices.

This invention features a fail-safe, fault-tolerant switching system for a critical device including a first pair of terminals for connection to a power source; a first network including a first fuse device, a first switching device and a third switching device connected in series between the first pair of terminals; and a second network, in parallel with the first network, including a second fuse device, a second switching device and a fourth switching device connected in series between the first pair of terminals. There is a second pair of terminals, one between the first and third switching devices and one between the second and fourth switching devices, for connection to the critical device. Current is removed from the critical device in a fail-safe manner when:

(a) the first and second switching devices are open and the third and fourth switching devices are closed;
(b) the first, second, third and fourth switching devices are open;
(c) the first and second fuse devices are open;
(d) the first and second switching devices are open, the third and fourth switching devices are closed, and the first and second fuse devices are intact;
(e) the first switching device has failed ON, the second switching device is open, the third and fourth switching devices are closed, the first fuse device has been caused to open by the short-circuit path through the first and third switching devices, and the second fuse device is intact;
(f) the first switching device is open, the second switching device has failed ON, the third and fourth switching devices are closed, the first fuse device is intact, and the second fuse device has been caused to open by the short-circuit path through the second and fourth switching devices.

Fault-tolerant operation is obtained through either the first fuse device, first switching device and fourth switching device, or the second fuse device, second switching device and third switching device.

In a preferred embodiment there may be a unidirectional current flow circuit interconnected between the second pair of terminals and the critical device for permitting current flow in only one direction through the critical device; the unidirectional current flow circuit may include a diode bridge. There may be a first monitor circuit for monitoring the first switching device, a second monitor circuit for monitoring the second switching device, a third monitor circuit for monitoring the third switching device, and a fourth monitor circuit for monitoring the fourth switching device.
There may be a controller, responsive to the monitor circuits, for selectively operating the switching devices.

BRIEF DESCRIPTION OF THE DRAWINGS

Other objects, features and advantages will occur to those skilled in the art from the following description of a preferred embodiment and the accompanying drawings, in which:

Fig. 1 is a schematic diagram of a fail-safe, fault-tolerant H switch according to this invention;
Fig. 2 is a view similar to Fig. 1 including monitoring devices and a controller for monitoring and controlling the operation of the individual switches;
Fig. 2A is a view similar to Fig. 2 in which a diode bridge is connected across a polarized load;
Figs. 3-7 are flow charts explaining the operation of the controller and monitors; and
Fig. 8 is a diagram depicting the desired behavior of the H switch according to this invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT

There is shown in Fig. 1 a basic H switch 10 including four switches, switch 1 12, switch 2 14, switch 3 16 and switch 4 18, and two fuses, fuse 1 20 and fuse 2 22. The switches are arranged in an "H" shape with the critical load 24 in the cross-bar. The switches may be conventional switches, relays or semiconductor devices. A first network 26, consisting of fuse 1 20, switch 1 12 and switch 3 16 in series, is connected between a pair of terminals 28 and 30, which in this embodiment are connected to a positive power supply and to ground, respectively. The second network 32, consisting of fuse 2 22, switch 2 14 and switch 4 18 in series, is connected in parallel with network 26 between terminals 28 and 30. The critical device 24 is connected between terminal 34, located between switch 1 12 and switch 3 16, and terminal 36, located between switch 2 14 and switch 4 18.

This basic configuration of four switches has sixteen combinations. Two of them allow the device to be energized; this relies on the fact that the device can be driven with current flowing through it either from left to right or from right to left. Four combinations turn on only one switch and may be used for self-test; three combinations are safe states; and the seven remaining combinations blow a fuse and so revert to one of the others. Table I contains this information in more detail. Note that the two energized modes are complementary: every switch that is on in one mode is off in the other. This protects against common-mode failures and thus decreases the probability of failing in an unsafe state.

TABLE I

Switch 4  Switch 3  Switch 2  Switch 1  Mode
off       off       off       off       Safe 1
off       off       off       on        Self-test 1
off       off       on        off       Self-test 2
off       off       on        on        Safe 2
off       on        off       off       Self-test 3
off       on        off       on        Blow fuse
off       on        on        off       Energized 1
off       on        on        on        Blow fuse
on        off       off       off       Self-test 4
on        off       off       on        Energized 2
on        off       on        off       Blow fuse
on        off       on        on        Blow fuse
on        on        off       off       Safe 3
on        on        off       on        Blow fuse
on        on        on        off       Blow fuse
on        on        on        on        Blow fuse

The two states which actually allow the brakes to be released are (1) switch 1 and switch 4 on with switch 2 and switch 3 off, and (2) switch 2 and switch 3 on with switch 1 and switch 4 off. This assumes that the critical load 24 is not polarized, as is the case when it is a solenoid, for example.

External circuitry controls the H switch 10 in the following manner. In the de-energized mode the external circuits disable all switches and monitor them to see whether either switch 1 or switch 2 is shorted. If neither is, switches 3 and 4 are turned on; this is a safe state. If an energize request is made in the de-energized state, a self-test is performed on the switches. The self-test checks whether each of the switches can be turned on and off, and then determines whether the H switch can be energized safely and, if so, in which energized mode. This will be understood more readily from the explanation which follows.
Besides the protection the fuses give against illegal combinations of the four switch signals, they also allow the controller to convert a failure of either of the top two switches (switch 1 or switch 2) from failed closed to failed open. This is done by intentionally closing the lower switch in the same leg, which blows that leg's fuse. A failed-open switch is much easier to deal with than a failed-closed one in a fault-tolerant system.

The four switches are monitored by four monitors, Fig. 2: monitor 1 40, monitor 2 42, monitor 3 44 and monitor 4 46. In this embodiment each monitor is implemented as shown for monitor 1 40, by an opto-isolator 48 in series with a resistor 50. Using opto-isolators allows controller 52 to be electrically isolated from the critical load; the isolation can be made complete if the switches themselves are implemented by solid-state relays. This reduces the chance of the monitors negatively affecting the critical device and enhances the reliability of the circuit. System safety is not reduced significantly by the presence of the monitors, because in normal operation their current is limited by the series resistors 50 to a fraction of that needed to operate the solenoid, and since the resistors can only fail in the open state they cannot energize the solenoid. Controller 52 may be a microprocessor such as a Motorola 68040, programmed to function as described in the following discussion and in Figs. 3-7.

H switch 10 can have any one switch fail open or closed and still operate in a fail-safe manner. One procedure that controller 52 can implement is the following. When controller 52 is required to disengage the brakes, a self-test is run that checks each switch's ability to turn on and off. If switch 1 has failed open, the H switch turns on switches 2 and 3 and turns off switches 1 and 4, and the critical device is energized. If switch 1 has failed closed, the H switch likewise turns on switches 2 and 3 and turns off switches 1 and 4; this blows fuse 1, in line with switch 1, and the critical device is energized. The same procedure applies to the switch 2 failure modes. If switch 3 fails open, the system turns on switches 1 and 4 and turns off switches 2 and 3, so that the critical device is energized. If switch 3 fails closed, operation is still possible by turning on switches 2 and 3 and turning off switches 1 and 4, whereupon the critical device is again energized. A similar procedure applies to the switch 4 failure modes. If multiple failures are found, all four switches can be turned off and the critical device left de-energized. When the controller is requested to apply the brakes, switches 1 and 2 are turned off and switches 3 and 4 are turned on. If for any reason it detects a second fault in either switch 1 or switch 2, such that the switch stays on when it should not, all four switches are opened.

Critical device 24a, Fig. 2A, may be a polarized load requiring unidirectional current flow. Diode bridge 25 has ac terminals 35 and 37 connected to terminals 34 and 36, respectively, and critical device 24a is connected to the polarized terminals 39 (positive) and 41 (negative) of diode bridge 25. Thus, irrespective of whether the operational switch state is switch 1 and switch 4 closed or switch 2 and switch 3 closed, polarized critical load 24a always has a positive potential on its positive terminal and a negative potential on its negative terminal. In this way diode bridge 25 maintains unidirectional current through the load without compromising the fail-safe ability of the circuit to remove current from polarized critical device 24a.

The following describes the use of the switch and monitoring function to perform highly reliable control of a brake system on a PRT vehicle. The brake is applied when no current flows through the brake actuator, and this is the safe state for the system. By the combination of the switch components, the monitoring circuits and the process steps in the control logic, the function releases the brakes when a request-ON is made, so that the vehicle is permitted to move, and reliably applies the brakes when a request-OFF is made.
The application also tolerates a hardware failure, by reconfiguring automatically on detecting a fault so that the brakes can still be released and the vehicle moved, and it provides the same level of reliability in re-applying the brakes when commanded. The switch, monitor and control functions collectively provide a highly reliable Control Function. The Control Function can be commanded to two states, ON or OFF; in this application OFF applies the brakes and ON releases them. In response to the external command, the Control Function goes to one of four internal states:

State 1: OFF state. Applies indefinitely while the external command maintains OFF.

State 2: Self-test, transition to ON. Occurs in response to the external command transitioning from OFF to ON. This state is transient and of short duration compared with the system responsiveness; during it the output is effectively off. Its outcome determines which of the two hardware ON states (switches 1 and 4, or switches 2 and 3) will be selected, based on the health of the hardware elements, or a permanent OFF state if it is determined that an excessive number of hardware failures exist.

State 3: ON state. Applies indefinitely following a successful self-test, while the external command maintains ON.

State 4: Self-test, transition to OFF. Occurs in response to the external command transitioning from ON to OFF. This state is transient and of short duration compared with the system responsiveness; during it the output is effectively off. Its outcome determines which of the two hardware OFF states (switches 3 and 4 closed, or all four switches open) will be selected, based on the health of the hardware elements.

The following description of the states refers to the flow diagrams in Figs. 3-7. The point of entry for the process is arbitrarily defined as State 1, the OFF state.
Switches 1, 2, 3 and 4 are referred to as S1, S2, S3 and S4, and monitors 1, 2, 3 and 4 as M1, M2, M3 and M4.

1) State 1 is predominantly satisfied by having switches S1 and S2 deactivated and switches S3 and S4 activated. This short-circuits both ends of the load (the brake actuator) to ground to ensure it is de-energized. Alternatively, and only as a consequence of a fault condition determined by prior testing, all four switches S1, S2, S3 and S4 are deactivated, to reduce the probability of inadvertently setting up a conduction path.

2) When the external command transitions from OFF to ON, a self-test-transition-to-ON process is initiated. This process is an orderly fixed sequence and takes a fixed time period. Interrupting the sequence by de-asserting the external command mid-self-test is to be avoided by logic. For the PRT brake application the self-test took less than 100 msec, compared with brake cycling, which was controlled to occur at rates slower than once per 1.5 seconds and typically once per 100 seconds.

3) Initially all switches S1 through S4 are deactivated. From this state all switches can be checked individually in a serial sequence, by turning on each switch singly and verifying its operation through the monitors M1 through M4. During this process the load is not energized. It is possible, as a consequence of a fault, that activating one switch will complete a path through the fault and the load will be momentarily energized. For the PRT brake control function the time constant of the load (the brakes) was significantly longer than this momentary energization, so no consequence propagated from the brief event.

4) S1 is activated, which should cause M1 to go OFF. If M1 remains ON, a fault has occurred, which is assumed to be that S1 has failed open-circuit. The outcome of this test is logged for switch S1: functional (OK) or failed open-circuit (OC).

5) S1 is deactivated. All switches are now in the deactivated state.

6) S2 is activated, which should cause M2 to go OFF. If M2 remains ON, a fault has occurred, which is assumed to be that S2 has failed open-circuit. One of two states is logged for switch S2: OK or OC.

7) S2 is deactivated. All switches are now in the deactivated state.

8) S3 is activated, which should cause M3 to go OFF. If M3 remains ON, a fault has occurred, which is assumed to be that S3 has failed open-circuit. One of two states is logged for switch S3: OK or OC.

9) S3 is deactivated. All switches are now in the deactivated state.

10) S4 is activated, which should cause M4 to go OFF. If M4 remains ON, a fault has occurred, which is assumed to be that S4 has failed open-circuit. One of two states is logged for switch S4: OK or OC.

11) S4 is deactivated. All switches are now in the deactivated state.

12) Monitors M1 through M4 are next checked to verify that they are all ON, signifying the correct bias across switches S1 through S4 when de-energized, which is the expected state. If any monitor M1 through M4 is OFF, a fault has occurred, which is assumed to be a short circuit in the associated switch S1 through S4 (logged as SC). If S1 or S2 is reported as short-circuit, it is most likely that the monitoring circuit for that switch has failed, because the prior tests (activating S3 or S4 singly) would have blown the affected fuse on a genuinely shorted S1 or S2, which removes the short circuit.

13) Having tested all four switches individually, a decision can be made as to which of three desirable configurations the switches can be put in. The predominant case is to energize switches S1 and S4, which is applicable to fully functional hardware or to hardware with a specific set of deduced faults; this activates the load. Certain faults can be withstood by choosing the alternative path, energizing switches S2 and S3; this also activates the load, but with the current through it reversed compared with activating S1 and S4. In the PRT brake-release application the load was non-polarized and not affected by the direction of current flow. Specific combinations of hardware faults cannot be tolerated; the function reacts to these by holding all switches off, and the brakes remain applied.
The appropriate load state is determined by assessing the 81 possible combinations of the three conditions (OK, OC, SC) of the four switches, in accordance with the following table:

TABLE II

State  S1  S2  S3  S4  Outcome
    1  OK  OK  OK  OK  Select S1,S4
    2  OK  OK  OK  OC  Select S2,S3
    3  OK  OK  OK  SC  Select S1,S4
    4  OK  OK  OC  OK  Select S1,S4
    5  OK  OK  OC  OC  Select None
    6  OK  OK  OC  SC  Select S1,S4
    7  OK  OK  SC  OK  Select S2,S3
    8  OK  OK  SC  OC  Select S2,S3
    9  OK  OK  SC  SC  Select None
   10  OK  OC  OK  OK  Select S1,S4
   11  OK  OC  OK  OC  Select None
   12  OK  OC  OK  SC  Select S1,S4
   13  OK  OC  OC  OK  Select S1,S4
   14  OK  OC  OC  OC  Select None
   15  OK  OC  OC  SC  Select S1,S4
   16  OK  OC  SC  OK  Select None
   17  OK  OC  SC  OC  Select None
   18  OK  OC  SC  SC  Select None
   19  OK  SC  OK  OK  Select S1,S4
   20  OK  SC  OK  OC  Select S2,S3
   21  OK  SC  OK  SC  Select S1,S4
   22  OK  SC  OC  OK  Select S1,S4
   23  OK  SC  OC  OC  Select None
   24  OK  SC  OC  SC  Select None
   25  OK  SC  SC  OK  Select S1,S4
   26  OK  SC  SC  OC  Select None
   27  OK  SC  SC  SC  Select None
   28  OC  OK  OK  OK  Select S2,S3
   29  OC  OK  OK  OC  Select S2,S3
   30  OC  OK  OK  SC  Select None
   31  OC  OK  OC  OK  Select None
   32  OC  OK  OC  OC  Select None
   33  OC  OK  OC  SC  Select None
   34  OC  OK  SC  OK  Select S2,S3
   35  OC  OK  SC  OC  Select None
   36  OC  OK  SC  SC  Select None
   37  OC  OC  OK  OK  Select None
   38  OC  OC  OK  OC  Select None
   39  OC  OC  OK  SC  Select None
   40  OC  OC  OC  OK  Select None
   41  OC  OC  OC  OC  Select None
   42  OC  OC  OC  SC  Select None
   43  OC  OC  SC  OK  Select None
   44  OC  OC  SC  OC  Select None
   45  OC  OC  SC  SC  Select None
   46  OC  SC  OK  OK  Select S2,S3
   47  OC  SC  OK  OC  Select None
   48  OC  SC  OK  SC  Select None
   49  OC  SC  OC  OK  Select None
   50  OC  SC  OC  OC  Select None
   51  OC  SC  OC  SC  Select None
   52  OC  SC  SC  OK  Select None
   53  OC  SC  SC  OC  Select None
   54  OC  SC  SC  SC  Select None
   55  SC  OK  OK  OK  Select S2,S3
   56  SC  OK  OK  OC  Select S2,S3
   57  SC  OK  OK  SC  Select None
   58  SC  OK  OC  OK  Select None
   59  SC  OK  OC  OC  Select None
   60  SC  OK  OC  SC  Select None
   61  SC  OK  SC  OK  Select S2,S3
   62  SC  OK  SC  OC  Select S2,S3
   63  SC  OK  SC  SC  Select None
   64  SC  OC  OK  OK  Select None
   65  SC  OC  OK  OC  Select None
   66  SC  OC  OK  SC  Select None
   67  SC  OC  OC  OK  Select None
   68  SC  OC  OC  OC  Select None
   69  SC  OC  OC  SC  Select None
   70  SC  OC  SC  OK  Select None
   71  SC  OC  SC  OC  Select None
   72  SC  OC  SC  SC  Select None
   73  SC  SC  OK  OK  Select S1,S4
   74  SC  SC  OK  OC  Select S2,S3
   75  SC  SC  OK  SC  Select None
   76  SC  SC  OC  OK  Select S1,S4
   77  SC  SC  OC  OC  Select None
   78  SC  SC  OC  SC  Select None
   79  SC  SC  SC  OK  Select None
   80  SC  SC  SC  OC  Select None
   81  SC  SC  SC  SC  Select None

14) If it is determined that the load can be made active, the appropriate switches are energized and State 3 commences. Failure of the load to be activated is a consequence of the prior tests and requires repair of the hardware before proceeding.

15) If S1 and S4 are activated, then for the duration that State 3 is in effect the occurrence of a new fault will cause the switches to behave in accordance with the eight possible cases in the following table ("S1 fuse" is fuse 1, in line with S1; "S2 fuse" is fuse 2, in line with S2):

TABLE III

New fault     Result
S1 fails OC   Fail-off
S1 fails SC   Continue
S2 fails OC   Continue
S2 fails SC   Blow S2 fuse, continue
S3 fails OC   Continue
S3 fails SC   Blow S1 fuse, fail-off
S4 fails OC   Fail-off
S4 fails SC   Continue

16) If S2 and S3 are activated, then for the duration that State 3 is in effect the occurrence of a new fault will cause the switches to behave in accordance with the eight possible cases in the following table:

TABLE IV

New fault     Result
S1 fails OC   Continue
S1 fails SC   Blow S1 fuse, continue
S2 fails OC   Fail-off
S2 fails SC   Continue
S3 fails OC   Fail-off
S3 fails SC   Continue
S4 fails OC   Continue
S4 fails SC   Blow S2 fuse, fail-off

17) The outcome is that the load is predominantly energized for the duration that the system is in State 3. There is a probability that a fault may occur that causes the load to be de-activated; the system should be aware that this has happened.
In the application of the brake-release function for PRT, the event of having the brakes re-applied would cause the vehicle to stop and proceed through a set of diagnostics. These diagnostics included removing the command to release the brakes (ON to OFF) and re-applying the command to release the brakes (OFF to ON). The process re-invoked the Self-Test Transition to ON, at which point a different outcome to the appropriate switch configuration may be arrived at. For example, if the load was activated by switches S1 and S4 being active and a fault occurred that caused S1 to go open-circuit, the brake-release function would be de asserted and the PRT vehicle would stop. The command to release the brakes would be removed and re-applied. The Self-Test Transition to ON that occurs would deduce the need to activate switches S2 and S3 to energize the load and release the brakes. Hence this cycling event would permit the system to continue in the presence of a fault that had caused a temporary stoppage. 18) When the External Sequence transition from the on-state to the off state a 'self-test-transition-to-OFF' process is initiated. This process is an orderly WO 01/35432 PCT/USOO/30799 18 fixed sequence and takes a fixed \time-period. Interrupting the sequence by de asserting the external state mid-self-test is to be avoided via logic. For the PRT brake application, the self-test is less than 1 O0msec, compared with brake cycling which was controlled to occur at rates slower than once per 1.5 seconds, with typically greater than 100 seconds between trip start and ending times. 19) Initially all switches SI though S4 are deactivated, then switches S3 and S4 are activated. This two-step process insures no state-change conditions occur where switch combinations induce a transient short circuit path. 20) From this state the switches can be checked using the monitors MI and M2. 
If either monitor M1 or monitor M2 is in an Off state, it indicates that either switch S3 or S4 has blown open-circuit, and another bias path exists to drive the output to ON. Immediately on occurrence of this case, all switches are deactivated. The response time is such that the corrective action takes less than 100 msec and is inconsequential. The outcome is that one of two states is determined to be appropriate to ensure the load is de-energized (the brakes applied).

21) Predominantly, when all the hardware is functional, or in the presence of selective faults, the switches S1 and S2 will remain de-activated and the switches S3 and S4 will be activated, providing a short-circuit via ground across the load terminals. Alternately, on deduction of the above-described fault combinations, all four switches will remain de-activated to reduce the probability of inadvertently setting up a path of conduction. Both these conditions serve for state 1.
22) If S3 and S4 are activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:

TABLE V
S1 Fails OC: Continue
S1 Fails SC: Blow S1 fuse, continue
S2 Fails OC: Continue
S2 Fails SC: Blow S2 fuse, continue
S3 Fails OC: Continue
S3 Fails SC: Continue
S4 Fails OC: Continue
S4 Fails SC: Continue

23) If all switches are de-activated, then for the duration that state 1 is effective the occurrence of new faults will cause the switches to behave in accordance with the eight possible combinations defined in the following table:

TABLE VI
S1 Fails OC: Continue
S1 Fails SC: Continue
S2 Fails OC: Continue
S2 Fails SC: Continue
S3 Fails OC: Continue
S3 Fails SC: Continue
S4 Fails OC: Continue
S4 Fails SC: Continue

24) The outcome is that the load is always de-energized for the duration that the system is in state 1. There is a probability that a fault changes the state of the individual switches, and may induce a fuse to blow, but the load remains de-energized. The function remains in this state until the next external transition from OFF to ON, at which point the process as described and depicted in the flow charts is repeated.

The operation of H switch 10 is depicted in summary in Fig. 8, where it can be seen that the desired behavior is off with the brake applied and then on when the brakes are removed and motion is permitted, as indicated by path 60, Fig. 8. There it can be seen that during the four states of the switch process the brakes are off in state 1 (62), the off state, and in state 4 (64), the self-test sequence transition to off; the brakes transition to on in state 2 (66), and in state 3 (68) they are in the on state.
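As an added example (not the patent's own design or code), the following Python model of the four-switch topology from claim 1 derives the single-fault responses of Tables III to VI, and the S1 open-circuit recovery case of paragraph 17, from first principles; the fuse-blow rule, node names and function names are assumptions made here.

```python
SWITCHES = ("S1", "S2", "S3", "S4")

def conducts(name, active, faults):
    """A switch conducts if it is commanded on and not stuck open (OC),
    or if it has failed short-circuit (SC) regardless of command."""
    fault = faults.get(name, "OK")
    return fault == "SC" or (fault != "OC" and name in active)

def evaluate(active, faults):
    """Return (blown fuses, load energized?) for commanded set `active` and
    per-switch fault dict `faults` (values OK, OC or SC). Topology from claim 1:
    fuse-S1-S3 and fuse-S2-S4 in series across the supply, load between node A
    (S1/S3) and node B (S2/S4). Assumed fuse rule: a fuse blows when both
    switches of its leg conduct (a direct supply-to-ground path); load current
    alone never blows one. Fuses are named after the leg's upper switch."""
    c = {s: conducts(s, active, faults) for s in SWITCHES}
    blown = set()
    if c["S1"] and c["S3"]:
        blown.add("S1")
    if c["S2"] and c["S4"]:
        blown.add("S2")
    a_hi = c["S1"] and "S1" not in blown   # node A tied to supply
    b_hi = c["S2"] and "S2" not in blown   # node B tied to supply
    a_lo, b_lo = c["S3"], c["S4"]          # node tied to ground
    energized = (a_hi and b_lo) or (b_hi and a_lo)
    return blown, energized

def response(active, switch, kind):
    """Table wording for one new fault while `active` is held: 'Continue' if
    the load state is unchanged, 'Fail-off' if the load drops out, prefixed
    by 'Blow Sn fuse' when a leg shorts through."""
    _, before = evaluate(active, {})
    blown, after = evaluate(active, {switch: kind})
    tail = "continue" if after == before else "fail-off"
    if blown:
        return "Blow %s fuse, %s" % (" and ".join(sorted(blown)), tail)
    return tail.capitalize()

def fault_table(active):
    """All eight single-fault rows for one commanded configuration."""
    return {(s, k): response(active, s, k) for s in SWITCHES for k in ("OC", "SC")}

if __name__ == "__main__":
    for name, cfg in (("III", {"S1", "S4"}), ("IV", {"S2", "S3"}),
                      ("V", {"S3", "S4"}), ("VI", set())):
        for (s, k), r in fault_table(cfg).items():
            print("TABLE %s: %s fails %s: %s" % (name, s, k, r))
```

The model also shows why the all-open variant of state 1 only reduces rather than removes risk: a single short is harmless, but shorts on a diagonal pair (S1 and S4) energize the load with no fuse in the path.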
Although specific features of the invention are shown in some drawings and not in others, this is for convenience only as each feature may be combined with any or all of the other features in accordance with the invention. Other embodiments will occur to those skilled in the art and are within the following claims: What is claimed is:

Claims (5)

1. A fail-safe, fault-tolerant switching system for a critical device comprising:
a first pair of terminals for connection to a power source;
a first network including a first fuse device, first switching device and third switching device connected in series between said first pair of terminals;
a second network in parallel with said first network including a second fuse device, second switching device and fourth switching device connected in series between said first pair of terminals; and
a second pair of terminals one between said first and third switching devices and one between said second and fourth switching devices for connection to the critical device for fail-safe current removal from the critical device when either:
said first and second switching devices are open and said third and fourth switching devices are closed;
said first, second, third and fourth switching devices are open and fault-tolerant operation occurs through said first fuse device, first switching device and fourth switching device or said second fuse device, second switching device and third switching device.
2. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a unidirectional current flow circuit interconnected between said second pair of terminals and said critical device for permitting current flow in one direction.
3. The fail-safe, fault-tolerant switching system for a critical device of claim 2 in which said unidirectional current flow circuit includes a diode bridge having a first terminal connected between the third and first switching device and a second terminal connected between the second and fourth switching device and the polarized terminals are applied across the critical device.
4. The fail-safe, fault-tolerant switching system for a critical device of claim 1 further including a first monitor circuit for monitoring said first switching device, a second monitor circuit for monitoring said second switching device, a third monitor circuit for monitoring said third switching device and a fourth monitor circuit for monitoring said fourth switching device.
5. The fail-safe, fault-tolerant switching system for a critical device of claim 4 further including a controller responsive to said monitoring circuits for selectively operating said switching devices.
AU15920/01A 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device Abandoned AU1592001A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US43819599A 1999-11-11 1999-11-11
US09438195 1999-11-11
PCT/US2000/030799 WO2001035432A1 (en) 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device

Publications (1)

Publication Number Publication Date
AU1592001A true AU1592001A (en) 2001-06-06

Family

ID=23739642

Family Applications (1)

Application Number Title Priority Date Filing Date
AU15920/01A Abandoned AU1592001A (en) 1999-11-11 2000-11-10 Fail-safe, fault-tolerant switching system for a critical device

Country Status (5)

Country Link
EP (1) EP1228520A1 (en)
KR (1) KR100497116B1 (en)
AU (1) AU1592001A (en)
CA (1) CA2391472A1 (en)
WO (1) WO2001035432A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107861376A (en) * 2016-09-21 2018-03-30 皮尔茨有限及两合公司 Safety circuit for the fail-safe shutdown of hazardous technical equipment

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7352544B2 (en) * 2005-07-07 2008-04-01 Pratt + Whitney Canada Corp. Method and apparatus for providing a remedial strategy for an electrical circuit
US8390972B2 (en) * 2007-04-17 2013-03-05 Hamilton Sundstrand Corporation Secondary protection approach for power switching applications
DE102007030627A1 (en) * 2007-07-02 2009-01-08 Continental Automotive Gmbh Control of an actuator of a brake of a motor vehicle
DE102012101951A1 (en) 2012-03-08 2013-09-12 Maschinenfabrik Reinhausen Gmbh step switch
EP3196913B1 (en) 2016-01-20 2019-04-10 Schneider Electric Industries SAS Relay circuit and method for performing self-test of relay circuit
JP6683512B2 (en) * 2016-03-18 2020-04-22 リンナイ株式会社 Dishwasher

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4433357A (en) * 1980-10-13 1984-02-21 Matsushita Electric Works Ltd. Drive circuit for a latching relay
DE3737791A1 (en) * 1987-09-25 1989-04-13 Pepperl & Fuchs Fail-safe switch device
DE4342586A1 (en) * 1993-12-14 1995-06-22 Bosch Gmbh Robert Display device for electrical control devices
SE505747C2 (en) * 1996-02-07 1997-10-06 Asea Brown Boveri Contactor
WO1999031696A1 (en) * 1997-12-17 1999-06-24 Siemens Electromechanical Components, Inc. Electronic control circuit for a latching relay

Also Published As

Publication number Publication date
KR20020048432A (en) 2002-06-22
KR100497116B1 (en) 2005-06-28
WO2001035432A1 (en) 2001-05-17
EP1228520A1 (en) 2002-08-07
CA2391472A1 (en) 2001-05-17

Legal Events

Date Code Title Description
MK1 Application lapsed section 142(2)(a) - no request for examination in relevant period