DE2533995A1 - DEVICE FOR MONITORING A DIGITAL FLIGHT CONTROLLER - Google Patents

Description

Patent attorneys
DIPL.-PHYS. JÜRGEN WEISSE DIPL.-CHEM. DR. RUDOLF WOLGAST

D 562o Velbert 11 - Langenberg, Bökenbusch 41 P.O. Box 11 o3 86 Telephone (o2127) 4ol9 Telex 8516895

Patent registration Bodenseewerk Geräteechnik GmbH, 777 Überlingen / Bodensee

Device for monitoring a digital flight controller

The invention relates to a device for monitoring a Digital computer in a flight controller, containing: a check word memory, a check word input, controlled by the computer check words can be activated by the computer program, a comparator in which a test word is applied to the test word input the test word stored in the test word memory is compared with dsm and an error signal is given in the event of deviations, and an error signal memory which can be set by the error signal from the comparator.

With a flight controller, signals from measuring sensors, e.g. gyroscopes, are fed to a computer, which uses them to generate control signals for Elevator, rudder or aileron forms. It is known to carry out this signal processing with analog signals. at other flight controllers, the transducer signals are converted into digital form by means of an analog-to-digital converter and a Digital computer fed. This computer processes the digital information according to a specific program and initially supplies the control signal also in digital form

70980 7/0429

mm, Ο -

Shape. This control signal can then be passed through a digital-to-analog converter be converted back into an analog control signal, which controls a servomotor. With a flight controller is Proper functioning is vital, and a malfunction can lead to disaster. It is therefore known the encoder to be provided twice or three times. In the case of analog flight controllers, the signal processing also takes place in parallel in three separate channels, whereby the control signals are obtained by averaging or median formation. With flight controllers, where the signal processing takes place digitally, whereby the program runs cyclically in quick succession, it is known by in the Test pulses or test words built into the program ensure that the program is running correctly and that the computer is working properly to monitor. If the program is running correctly and the computer is working properly, at certain times of the computer sends a test pulse or a test word to a monitoring device (Supervisor). If this test pulse or the test word does not appear or the test word does not appear matches a stored check word, an error signal is generated given and the controller or the relevant channel of the controller switched off.

It is known to provide a 4-bit counter into which pulses are counted by a clock generator. The counter is through a reset pulse emitted by the comparator if the test words are identical at the test word input and in the test word memory resettable. If this reset pulse does not appear in time, because the check word does not appear at the check word input, the 4 bit counter over, and the overflow pulse sets the error signal memory. In addition, the error signal memory is set immediately when the check words at the check word input and on the signal memory do not match.

709807/0429

The known monitoring devices deliver per sampling period, i.e. for each sampling and processing of the measured variables in the Calculator, only one pulse or only one single unchangeable check word. However, from the appearance of this check word the error-free execution of the computer program cannot be concluded with sufficient certainty. It is conceivable that The check word is output correctly despite an error in the program or a defect in the computer. The well-known Monitoring device is therefore used for monitoring a digitally working plug regulator is only conditionally suitable. Care must also be taken that the monitoring device is as simple as possible, so that 'their probability of failure is several orders of magnitude lower than the probability of failure of the computer. So it is not possible, for example a correspondingly more complex monitoring device for better monitoring of the computer and the program to be provided.

The invention is based on the object of a monitoring device of the type defined at the beginning, the program or several optionally effective programs in their entire process to be monitored with a monitoring device that is as simple as possible.

According to the invention, this object is achieved in that the test word input for the parallel input of a two-part Word is set up, one half of which is used as a check word the test word stored in the test word memory at the comparator and its other half at the input of the check word memory is present, which after the comparison has been carried out to accept this half as a check word for the next comparison is controlled.

709807/0429

-4- 253339 S "

The monitoring device according to the invention thus allows the output to be repeated over and over again in the entire program sequence of words to be incorporated, with one half of this word as the actual test word with the one stored in the test word memory Checkword is compared while the other half the Check word determined for the next comparison. Included the check words can be varied and built into different programs. It is possible to get checkwords through arithmetic operations to form analogous to the arithmetic operations to be carried out with the measured variables in order to improve the function of the computer with regard to to control the arithmetic operation concerned. For example, the memory locations of the program memory can also be used be linked in a suitable manner in the computer to form a check word so that the correct check word only appears when the correct program is stored in the program memory. The monitoring device itself is included very simply structured. The check word specified in its memory is used by the computer program for the previous one Comparison given.

Also in a monitoring device according to the invention It is advantageous that a counter, into which a fixed frequency is counted, by an on equality of the check words on Test word memory and test word input generated reset signal can be reset to zero and that the error signal memory through an overflow pulse of the counter can be set.

The invention is explained in more detail below using an exemplary embodiment with reference to the accompanying drawings explained:

1 illustrates the mode of operation of the computer monitoring system according to the invention.

Figure 2 is a block diagram of one of the present invention monitoring device.

709807/0429 - 5 -

Fig. 3 illustrates in detail the structure of the invention monitoring device.

Fig. 4 is a flow chart of a computer program executed by the monitoring device of the present invention can be continuously monitored.

In Fig. 1, 1o denotes a computer. Via devices for self-detection of errors 12, the computer supplies test words in parallel to monitoring devices 14 and 16. Each of the monitoring devices controls a channel disconnector 18 or 2o ₇ , the two channel disconnectors being in series. The monitoring device is thus provided twice, and even if one monitoring device fails, the response of the other will in any case lead to the relevant controller channel being switched off.

In Fig. 2 is a monitoring device as a block diagram 14 shown. The monitoring device receives 22 words at an input from the computer 1o of the facility. One Half of each word is at an input 24 of a test word memory 26, while the other half of the word is applied to an input 28 of a comparator 3o. At a second entrance 32 of the comparator 3o is in the check word memory 26 stored test word. The program sends a validity signal to a sequence control unit 36 via an input 34 given. This sequence control unit 36 controls the check word memory 26 and the comparator 3o via channels 38 and 4o in such a way that that when a validity signal occurs, which a program monitoring process initiates, first of all, a comparison of the values present at the input 28 by the comparator 3o Half of the check word takes place with the check word stored in the check word memory 26 at the moment. Depending on the result this comparison becomes a reset command at an output

70S807 / 0A29

of the comparator 3o is generated or an error signal is generated at an output 44. The sequence control unit 36 then causes that the check word memory 26 is the other applied to input 24 Takes over half of the word and saves it for the next comparison.

In FIG. 2, a shutdown command from a shutdown command generator 48 is applied to an AND element 46. This shutdown command is switched through by a resettable timer 5o if the timer does not go through within a predetermined time Signal at the output 42 of the comparator 3o has been reset again. If the computer is working properly the correct check word appears at the right time, the half of which is connected to input 28 with the im Check word memory 26 matches stored check word, so that a reset signal appears at the output 42 of the comparator, by means of which the timer is reset to zero will. If no such check word appears, the timer is not reset, but returns after a specified time a switch-through pulse, whereby the switch-off command from the switch-off command generator 48 to a switch-off command spexcher 52 is switched through. The shutdown command then remains even if the timer 5o should be reset later. The shutdown command in shutdown command spexcher 52 opens the channel switch-off 18. In addition, a signal is given to the control unit 56 via line 54 and the error is the Pilot indicated. The shutdown command spexcher 52 can be reset again via line 58 from the operating device and thus the switch 18 can be closed.

If the comparison in the comparator 3o determines that the check words do not match, then the shutdown command spexcher Set directly via the output 44 and thus the switch 18 is opened.

709807/0429

A specific embodiment of a monitoring device according to the invention is in Pig. 3 shown.

The input 22 comprises eight data inputs 0Io ... 0l7 for an 8-bit word. The data inputs 0Io to 013 are as input 24 to the test word memory 26, a 4-bit latch. The data inputs 014 to 017 are as input 28 at the comparator 3o. The comparator 3o outputs a signal at the output 33 when the word at the data inputs 014 to 017 with the word at the Outputs ABC and D (corresponding to output 32 in Fig. 2) of the check word memory 26 match. The output 33 of the Comparator 3o is connected to an input of a NAND element 6o. At another input of the NAND gate 6o is a Control command Φ 1 that is supplied by the program and the Comparison initiates. At a further input of the NAND element 6o there is a clock and synchronization signal via line 62. If all three inputs of the NAND gate 6o are high, then the output of the NAND gate 6o is low, which is caused by an inverter 64 is inverted to H again. This signal is at a reset input 66 of a 4-bit counter 68. The 4-bit counter receives counting pulses with a constant frequency from an oscillator 7o. When the 4-bit counter 68 overflows, appears a pulse at an output 72, which sets a bistable multivibrator via an inverter 74, which the shutdown command memory 52 represents.

The output signal at output 33 is also via an inverter 76 at an input of a NAND gate 78. At the other input of the NAND gate 78 is the clock and Synchronization signal from line 62. If the checkwords at the inputs 28 and 33 do not match, the signal at the output 33 goes to L, so that when the clock is present and synchronizing signal both inputs of the NAND gate 78 go to H and its output to L. This is also over

- 8 709807/0429

Line 80, the bistable multivibrator 52 is set and the switch-off command is given, which is transmitted via the inverter 82 and line 84 the switch 18 opens.

The clock and synchronization signal is also at an input a NAND gate 86, on the other input of which a signal Φ 2 is given shortly after the signal Φ 1. If this Signal Φ 2 appears, both inputs of the NAND gate are at H and the output goes to L, which is through an inverter 88 is inverted back to H. This signal causes the check word present at the data inputs 0Io to 013 to be entered into the Checkword memory 26 is accepted.

The clock and synchronization signal on line 62 is made up of two signals at inputs 9o and 92 via inverters 94 and 9 6, respectively formed by means of an AND gate 98.

During each monitoring cycle, which is indicated by signals Φ 1 and

Φ 2 initiated and by the signals at inputs 9o and 92 is synchronized, an 8-bit word appears at the data inputs 0Io to 017. Of these, the ones at the data inputs to 017 present four bits represent the actual test word, which is associated with the test word stored in the test word memory 26 is compared, while the 4-bits present at the data inputs 0Io to specify the test word for the next monitoring cycle, which after the comparison has been carried out (Signal Φ 1) by the signal $ 2 in the check word memory is taken over.

For example, check words according to the table below can appear at the data inputs one after the other.

70980 7/0429

1 IO 0 1 Data input 3 4th 5 6th 7th 2 2 Check word 3 0 0 1 0 0 0 0 4th 0 1 0 0 0 0 0 1 5 0 1 0 1 0 1 0 0 0 0 1 1 0 1 1 1 0 0 1 0 0 0 1 1 0

Check word 6 = check word 1

During commissioning, the check word memory 2 6 is deleted via input 1oo. Therefore, bits 014 to 017 of the first check word must be zero. In addition, the last check word output by the program must also be in bits 0Io to 013 have a value of zero when the program then starts again.

In Fig. 4 is a flow chart of a program is shown, which with a monitoring device according to the invention can be monitored.

After the start, the program clock with the interrupt signals of a real-time clock. If there is a match ("Y"), a first Check word output (RESET-PASS), which is issued by the monitoring device is controlled. Since the check word memory 26 is set to zero at the beginning of the program, the must be sent to the Data inputs 014 to 017 pending bits have the value "zero" to have. This resets the 4-bit counter 68 to zero, As the next program step, the computer forms the mean value of the sensor signals converted from analog to digital. It will also checks whether the deviations of the sensor signals from the mean value are within the permissible tolerances. is if this is not the case (N), an incorrect check word is applied to the data inputs 104 to, whereby the shutdown instruction memory 52 is set via line 8o and the channel is switched off. If the measured sensor variables are within the tolerances,

709807/0429 - io -

- 1ο -

a new test word is given (RESET-PASS) - The bowler then carries out the calculation prescribed by the program with the measured sensor variables and supplies a control signal output. It is checked again whether the control signal output is within a permissible tolerance. If this is not the case {Ε) a "wrong" check word is given and the shutdown command memory 52 is set again. If the prescribed tolerances are observed (J), the program memory is then checked. As already indicated at the outset, this check can take place in such a way that a check word is formed by linking the various memory locations in the program memory. This check word is output and compared with the check word previously stored in the check word memory 26. If an error has been found in the program memory (N), this again leads to the output of an incorrect test word and thus to the setting of the switch-off command memory the program cycle starts from the beginning. If, for example, program steps are skipped due to an error in the computer or in the program, the first check word is not followed by the second but the third check word. Since one half of the first check word determines the corresponding other half of the second check word, the monitoring device detects non-compliance and causes a shutdown.

In this way, various programs and program loops can be which occur in the flight controller, with a single, very simply constructed monitoring device, a so-called Supervisor, are constantly monitored, and that during the entire course of the program. The likelihood of that despite

In the event of a faulty program run, the correct check words appear randomly in the correct sequence extremely low, so that the reliability of the

7Π9807 / 042 &

Monitoring results. Since the monitoring device anyway is constructed very simply from just a few components, the probability of failure of the monitoring device itself is also very low. Further security is achieved by doubling the monitoring device.

- 12 -

709807/0429

Claims (2)

Claims (\) Device for monitoring a digital computer in a flight controller, containing: a test word memory, a test word input to which test words can be switched from the computer, controlled by the computer program, a comparator in which a test word at the test word input with the one stored in the test word memory Test word compared and an error signal is given in the event of deviations, and an error signal memory which can be set by the error signal from the comparator, characterized in that the test word input (22) is set up for the parallel input of a two-part word, one half of which (104..107 ) as a test word with the test word stored in the test word memory (26) at the comparator (3o) and the other half (101..103) at the input (24) of the test word memory (26), which after the comparison is carried out to accept this half is controlled as a check word for the next comparison. 2. Apparatus according to claim 1, characterized in that a counter (68), into which a fixed frequency is counted, by a counter if the test words are identical in the test word memory (26) and test word input (28) generated reset signal can be reset to zero, and that the Error signal memory (52) by an overflow pulse of the Counter (68) can be set. 7Q9807 / 0A2 9 eerse \ fe