GB2135464A - Triplicate signal check circuit - Google Patents

Publication number
GB2135464A
Authority
GB
United Kingdom
Prior art keywords
fault detection
fault
detection circuit
output
comparator
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB08305054A
Other versions
GB2135464B (en)
GB8305054D0 (en)
Inventor
Peter James Hiner
Alan James Penn
Philip Graham Thomas
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
STC PLC
Original Assignee
Standard Telephone and Cables PLC

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M3/00 Automatic or semi-automatic exchanges
    • H04M3/22 Arrangements for supervision, monitoring or testing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/22 Arrangements for detecting or preventing errors in the information received using redundant apparatus to increase reliability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/24 Testing correct operation

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Monitoring And Testing Of Exchanges (AREA)

Abstract

Signals including the clock pulses, for an electronic system, such as an electronically-controlled telephone exchange, must be highly secure. Hence it is usual to provide three (or even in some cases more than three) nominally identical signal sources with checks between the outputs therefrom to find faults where such exist. In the present arrangement there are three levels of such signal sources, in the arrangement described clock pulse generators, with one fault detection circuit (FD1, FD2, FD3) per level. Each fault detection circuit (e.g. FD1) has a comparator (C1) which compares the pulses from the other two pulse generation levels. This comparator gives an output per discrepancy, which sets a fault latch (FL1) via a fault filter (FF1) which only passes an output to the latch after a preset number of faults. This avoids false alarms due to transient faults, but can be dispensed with if this facility is not needed. The outputs of the fault detection circuits are passed to an alarm unit which determines from the inputs it receives from the fault detection circuits which pulse generation circuit is faulty.

Description

SPECIFICATION
Triplicate Signal Check Circuit
This invention relates to a system for generating data and controlling signals for an electronic system, such as a data processing system or an electronically controlled telecommunication exchange.
In such a system it is necessary for the signals including controlling pulse train or trains to be secure, which is usually done by replication, usually by triplication. The outputs of the signal circuits which in the case of the controlling pulse trains are the pulse generation circuits, are monitored such that if one output fails, then an alarm indication to that effect can be given. An object of the invention is to provide such a pulse generation system which is relatively simple and economical.
According to the invention, there is provided a fault detection system, for checking signals from n (where n is at least 3) nominally identical signal sources, which system includes n fault detection circuits each associated with one of the signal sources, and an alarm unit under the control of the fault detection circuits and which gives an output in response to a fault in the signals from any one of the signal sources, wherein each said fault detection circuit includes a comparator which compares nominally identical signals from the (n-1) sources other than the source with which that fault detection circuit is associated, wherein each said fault detection circuit also includes an output via which an indication is given if the comparator detects discrepancy between its (n-1) inputs, wherein the alarm unit receives the outputs from said fault detection circuit and in response thereto gives an alarm indication, which alarm indication identifies the signal source on the basis that if one of the sources is faulty the fault detection circuits associated with the (n-1) sources other than the faulty one give outputs to the alarm unit.
A pulse generation system which includes a fault detection system embodying the invention will now be described with reference to the accompanying block schematic drawing. The system described uses three pulse generation circuits, although a higher number could be used.
The arrangement described is used to check clock pulse signals from three physically and electrically separate sources, which should produce identical signals at all times, making due allowance for drift. The source signal discussed is used for the control of peripheral devices, and in the present example is used for clock pulses used directly or indirectly for the control of supervisory circuits on the now well-known TXE4A telephone exchange. The control signals reach the peripherals through 2-out-of-3 majority voting gates, involving source signals from the three levels shown. Where possible these signals are checked on return from the destinations so that failures in wiring and cabling can be detected as well as in the source itself.
A source signal from level 1 is connected to the check circuits on levels 2 and 3, and so on. When none of the signals are changing, fault latches are clocked and a comparison made via exclusive 'or' gates: (a) between levels 1 and 3 by the check circuits on level 2, (b) between levels 1 and 2 by the check circuits on level 3.
The physical unit in which the check circuit is installed is preferably dedicated to that purpose only.
If a fault occurs on level 1, a consistent discrepancy is found by the check circuits on levels 2 and 3 due to their independent comparison of level 1 with levels 3 and 2 respectively. The fault latches on levels 2 and 3 are then set. Note that in the system described a transient discrepancy is ignored due to fault filters which allow a fault condition to activate the alarm logic only after a preset number of faults have occurred in a given time. Naturally if this facility is either unnecessary or undesirable the fault filters are not installed.
In TXE4A each fault latch operates a relay such as A via a relay driver such as RD1, and contacts of these relays form a logical 'and' function to operate a further relay (e.g. L1).
Contacts of this relay operate a maintenance panel lamp and other contacts independently operate the rack lamp and extend a condition to the alarm system. These relays could if desired be replaced by electronic circuitry.
Maintenance is started by monitoring the fault detection unit of level (x+1) (by convention). In this case, it is level 2, and can be carried out with confidence, in that level 3 has also identified the fault completely independently. A similar argument can be applied in rotation to levels 2 and 3.
We now refer to the accompanying drawing, in which the three pulse generation circuits LEVEL 1, LEVEL 2 and LEVEL 3, can be seen on the left hand side. Each such circuit has an output TP, taken in the system described via an inverter, which extends to the controlled equipment, and another output to the appropriate one of the fault detectors FD1, FD2, FD3. Thus output S(A) from Level 1 goes to FD2 and FD3, output S(B) to FD1 and FD3, and output S(C) to FD1 and FD2.
We now consider fault detection circuit FD1, the others being similar. The two inputs S(B) and S(C) are applied, in the system described via inverters, to the inputs of a comparator C1, which gives an output if the two inputs S(B) and S(C) differ. Such a discrepancy is a fault condition, and the comparator output which represents it is applied via a fault filter FF1 to a fault latch FL1.
FF1 is a buffer arrangement which only passes on a fault indication if a preset number of consecutive pulses generate such indication. This is to avoid the risk of a transient condition being wrongly interpreted as a fault. As already indicated, the fault filters are omitted if they are either unnecessary or undesirable.
When the fault indication reaches the latch FL1, the condition of the latch is reversed and the associated relay driver RD1 is operated from the latch's K side via the gating shown. The OR gate's other inputs enable other fault signals to be dealt with by the circuit shown. However, the origins of those other fault signals are not shown as they are not relevant to the present invention.
Thus it will be seen that if a fault occurs on any one of the three levels, the fault detection circuits of the other two levels will both give outputs, which outputs go to the rack alarm unit. This has three input relays A, B and C, so that when a fault occurs two of these relays operate. The alarm unit also includes three level-identifying relays L1, L2 and L3, and from the controlling contacts it will be seen that a Level 1 fault operates relay L1, a Level 2 fault operates relay L2 and a Level 3 fault operates relay L3. There is also a redundant check relay AA, which operates in response to a fault indication from any one of the fault detection circuits. These relays L1, L2 and L3 and AA control indicator lamps (not shown) to identify the level on which a fault has occurred. Note that if, due to faulty operation in one of the circuits FD1, FD2 or FD3, only one of these circuits gives an output, then the relay AA would indicate such fault.
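The comparator, fault filter, fault latch and alarm relay logic described above can be modelled in software. The following is an added illustration, not part of the patent: the filter threshold `PRESET = 3`, the `dead` flag for a failed check circuit, the pairing of relays B and C with FD2 and FD3, and all sample bit patterns are assumptions or constructed values.

```python
from dataclasses import dataclass

PRESET = 3  # assumed fault-filter threshold; the page says only "a preset number"

@dataclass
class FaultDetector:
    """One FDx: comparator -> fault filter FFx -> fault latch FLx."""
    run: int = 0           # consecutive discrepancies counted by the fault filter
    latched: bool = False  # fault latch; stays set once set
    dead: bool = False     # hypothetical flag: dormant check-circuit failure, no output

    def clock(self, x: int, y: int) -> None:
        discrepancy = x ^ y  # comparator: exclusive-OR of the two *other* levels
        self.run = self.run + 1 if discrepancy else 0
        if self.run >= PRESET and not self.dead:
            self.latched = True

def run_detectors(samples, detectors=None):
    """samples: (S(A), S(B), S(C)) per check instant. Returns [FD1, FD2, FD3] latches."""
    fds = detectors if detectors is not None else [FaultDetector() for _ in range(3)]
    for sa, sb, sc in samples:
        fds[0].clock(sb, sc)  # FD1 compares levels 2 and 3
        fds[1].clock(sa, sc)  # FD2 compares levels 1 and 3
        fds[2].clock(sa, sb)  # FD3 compares levels 1 and 2
    return [fd.latched for fd in fds]

def alarm_unit(latches):
    """Relay logic: Lx is the AND of the other two input relays; AA is the OR of all."""
    a, b, c = latches  # relays A, B, C (B<->FD2 and C<->FD3 are assumed pairings)
    return {"L1": b and c, "L2": a and c, "L3": a and b, "AA": a or b or c}

def majority(sa, sb, sc):
    """2-out-of-3 voting gate feeding the peripherals."""
    return (sa & sb) | (sa & sc) | (sb & sc)

def inject(good, level, start, length):
    """Constructed input: three copies of `good`, `level` (1..3) inverted for `length` samples."""
    out = []
    for i, g in enumerate(good):
        s = [g, g, g]
        if start <= i < start + length:
            s[level - 1] ^= 1
        out.append(tuple(s))
    return out

GOOD = [1, 0, 1, 1, 0, 1, 0, 0]  # constructed reference pattern, one value per check instant

if __name__ == "__main__":
    cases = {
        "transient on level 1": run_detectors(inject(GOOD, 1, 2, 2)),
        "persistent on level 1": run_detectors(inject(GOOD, 1, 2, 4)),
        "level 1 fault, FD3 dead": run_detectors(
            inject(GOOD, 1, 2, 4),
            [FaultDetector(), FaultDetector(), FaultDetector(dead=True)],
        ),
    }
    for name, latches in cases.items():
        print(f"{name:26} latches={latches} alarm={alarm_unit(latches)}")
```

The third case shows why relay AA exists: with one check circuit silent, no level relay can operate, and AA is the only indication that anything is wrong.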
Some dormant faults are now listed and the treatment of each discussed. Total failure of the alarm unit is not considered but independent failures of each relay are assumed to occur.
(1) Failure of one of the check circuits.
(2) Failure of one of the relays A to C.
(3) Failure of one of the relays L1 to L3.
(4) Failure combinations.
(1) Failure of One of the Check Circuits
If only one check circuit is generating a fault condition to the alarm unit, a 'level' alarm (e.g. Level 1) cannot be raised, as this needs two check circuit conditions.
To this end a "redundant" check is done by relay AA, which responds to a fault condition from any of the three levels. During normal maintenance, the additional alarm is not needed for diagnosis, but its presence is expected and corrective action is taken if a visual check shows the alarm indication to be absent. Such a fault condition is due either to a genuine level fault (e.g. in Level 1) which is not detected by another check circuit (e.g. Level 3), or a fault on the check circuit which raised the alarm (e.g. Level 2). In either case, the check circuit is replaced. In the first case, if the check circuit is independent of the control circuit, it can be replaced before the primary fault is cleared, so that other possible causes such as wiring can be eliminated. In the second case, maintenance action identifies it as the only fault.
(2) Failure of One of the Check Relays A to C
The symptoms are as in (1), and maintenance action identifies the fault as associated with the alarm unit.
(3) Failure of One of the Level Relays L1 to L3
The symptoms are as in (1), and further analysis reveals the integrity of relays A to C and distinguishes the fault from (2) but, in practice, no effective differences exist.
(4) Failure Combinations within Check Circuits
System failure is defined as failure of 2-out-of-3 levels of control logic. Thus failure of the check circuits themselves does not constitute system failure, but allows an 'at risk' situation to develop.
The sequence of events that leads to system failure is illustrated by an example:
(i) check circuit Level 2 fails, unable to raise alarm
(ii) check circuit Level 3 fails
(iii) control logic Level 1 fails (dormant)
(iv) control unit Level 2 fails: system failure.
These sequences are order and/or level dependent:
(i) must be a dormant failure of any level of check circuit (one of 3 levels, e.g. 2)
(ii) must be a dormant failure of one of the other two levels (e.g. 3)
(iii) must be a failure of the third level of control logic (e.g. 1), now dormant
(iv) must be a failure of identical signal(s) in the control logic of one of original two levels (i and ii).
Thus the combination of the four stages of failure have ever decreasing probabilities, when the conditions described above are met. If these stages of failure are interspersed with other failures, the probabilities are even lower. In the telephony environment, only the first two stages of failure are normally taken into account as any subsequent failure probabilities are assumed to be too low for consideration to be necessary.

Claims (6)

1. A fault detection system, for checking signals from n (where n is at least 3) nominally identical signal sources, which system includes n fault detection circuits each associated with one of the signal sources, and an alarm unit under the control of the fault detection circuits and which gives an output in response to a fault in the signals from any one of the signal sources, wherein each said fault detection circuit includes a comparator which compares nominally identical signals from the (n-1) sources other than the source with which that fault detection circuit is associated, wherein each said fault detection circuit also includes an output via which an indication is given if the comparator detects discrepancy between its (n-1) inputs, wherein the alarm unit receives the outputs from said fault detection circuit and in response thereto gives an alarm indication, which alarm indication identifies the signal source on the basis that if one of the sources is faulty the fault detection circuits associated with the (n-1) sources other than the faulty one give outputs to the alarm unit.
2. A system as claimed in claim 1, wherein the signals to be checked are the controlling pulse train or trains for an electronic system, and wherein there are three nominally identical pulse generation circuits from any one or more of which the electronic system can be controlled.
3. A system as claimed in claim 2, wherein each said fault detection circuit includes a fault filter connected to the output of the comparator and arranged to give an output only after a preset number of consecutive faults have been detected, wherein the output of the fault filter is applied to a fault latch so that the condition of the latch is changed after said preset number of faults has been detected, and in which the output of the fault detection circuit is derived from the output of the latch.
4. A fault detection system, substantially as described with reference to the accompanying drawing.
New Claims or Amendments to Claims Filed on 22 December 1983.
New or Amended Claims:
5. A fault detection system, for checking clock pulse signals from three nominally identical clock pulse signal sources, which system includes three fault detection circuits each associated with one of the signal sources, wherein each said fault detection circuit includes a comparator which compares nominally identical signals from the two sources other than the source with which that fault detection circuit is associated, wherein each said fault detection circuit also includes an output via which an indication is given if the comparator detects discrepancy between its two inputs, wherein the alarm unit includes three switching devices each associated with one of said fault detection circuits and settable to an operated condition if the associated fault detection circuit gives an output and wherein the alarm unit also includes coincidence detection means associated with each said fault detection circuit and so controlled by the switching means of the other two fault detection means, whereby when a said signal source fails the two fault detection means not associated therewith to cause the appropriate one of the coincidence means to operate.
6. A system as claimed in claim 5, wherein each said switching means is a relay controlled via a relay driver from the comparator of the associated fault detection circuit, and wherein each said coincidence detection means includes contacts associated with the relays of the other two fault detection circuits.
GB08305054A 1983-02-19 1983-02-19 Triplicate signal check circuit Expired GB2135464B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB08305054A GB2135464B (en) 1983-02-19 1983-02-19 Triplicate signal check circuit

Publications (3)

Publication Number Publication Date
GB8305054D0 GB8305054D0 (en) 1983-03-30
GB2135464A GB2135464A (en) 1984-08-30
GB2135464B GB2135464B (en) 1986-07-02

Family

ID=10538488

Family Applications (1)

Application Number Title Priority Date Filing Date
GB08305054A Expired GB2135464B (en) 1983-02-19 1983-02-19 Triplicate signal check circuit

Country Status (1)

Country Link
GB (1) GB2135464B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1209304A (en) * 1966-11-10 1970-10-21 Automatic Telephone & Elect Improvements in or relating to electrical pulse monitoring circuits
GB1521971A (en) * 1974-10-29 1978-08-23 Standard Telephones Cables Ltd Phase locked oscillators

Also Published As

Publication number Publication date
GB2135464B (en) 1986-07-02
GB8305054D0 (en) 1983-03-30

Similar Documents

Publication Publication Date Title
US4583224A (en) Fault tolerable redundancy control
US4305556A (en) Railway control signal dynamic output interlocking systems
US4270715A (en) Railway control signal interlocking systems
US4517673A (en) Computer-based interlocking system
US4322580A (en) Clock selection circuit
EP0329774A1 (en) Fault-tolerant output circuit
US6367031B1 (en) Critical control adaption of integrated modular architecture
US4897640A (en) Method and electrical circuit for the reliable detection of process states within freely couplable units
EP0770942A2 (en) Arrangement to record and/or process signals from electrical components which fulfil technical security purposes or conditions for the apparatus of the installation
GB1565307A (en) Fail-safe outpot unit for a data processing installation
US4562035A (en) Logic safety system
GB2135464A (en) Triplicate signal check circuit
US5671348A (en) Non-vital turn off of vital output circuit
JP3802895B2 (en) Parallel output type electronic interlocking device with a fail-safe majority logic circuit
SU1103373A1 (en) Majority-redundant device
SU1721608A1 (en) Three-channel computing system failure display panel
JPS5812062A (en) Output device for parallel electronic computer system
SU1691819A1 (en) Radioelectronic installations diagnostic device
SU661551A2 (en) Device for switching over channels of computing system
JP3259446B2 (en) Digital relay operation test circuit
KR19980020949A (en) Interlocking system control device and method of railway
JPS5872226A (en) Clock switching circuit
JPS63136226A (en) Console panel for information processor
JPS62271101A (en) Control circuit
JPH04266369A (en) Group management controller of elevator

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee