GB1560554A - Control systems - Google Patents

Control systems

Info

Publication number
GB1560554A
Authority
GB
United Kingdom
Prior art keywords
computers
control
lanes
signals
digital
Prior art date
Legal status
Expired
Application number
GB9643/76A
Current Assignee
Smiths Group PLC
Original Assignee
Smiths Group PLC
Priority date
Filing date
Publication date
Application filed by Smiths Group PLC
Priority to GB9643/76A (GB1560554A)
Priority to FR7706985A (FR2344063A1)
Priority to FR7706984A (FR2344074A1)
Priority to DE19772710517 (DE2710517A1)
Priority to DE19772710466 (DE2710466A1)
Priority to US05/776,448 (US4130241A)
Publication of GB1560554A
Legal status: Expired

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G06F11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05D SYSTEMS FOR CONTROLLING OR REGULATING NON-ELECTRIC VARIABLES
    • G05D1/00 Control of position, course or altitude of land, water, air, or space vehicles, e.g. automatic pilot
    • G05D1/0055 Control of position, course or altitude of land, water, air, or space vehicles, e.g. automatic pilot with safety arrangements
    • G05D1/0077 Control of position, course or altitude of land, water, air, or space vehicles, e.g. automatic pilot with safety arrangements using redundant signals or controls
    • G06F11/1645 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components and the comparison itself uses redundant hardware

Description

(54) CONTROL SYSTEMS
(71) We, SMITHS INDUSTRIES LIMITED, a British Company of Cricklewood, London NW2 6JN, do hereby declare the invention, for which we pray that a patent may be granted to us, and the method by which it is to be performed, to be particularly described in and by the following statement:
This invention relates to control systems, and in particular to control systems utilizing digital processing techniques.
The invention is especially concerned with failure-survival control systems of the kind in which two or more control lanes, each capable of providing the control output required of the system, are operated together so as to provide a degree of redundancy that is utilized to ensure continued correct control in spite of the occurrence of a fault or failure in the system.
Systems of this kind have been used for controlling flight of aircraft, and in this context have more usually involved the processing of data in analogue form in each of three or more lanes, and comparison between the output signals of the lanes for determining the existence of a fault or failure in any of them. Such a system possesses a high degree of integrity against malfunction arising from component failure, because the probability of a majority of the lanes suffering failures at exactly the same time (and thus generating consistent, incorrect output signals) is of an extremely low order of magnitude.
Correct operation of each lane, however, depends not only upon the functioning of the equipment in the lane, but also upon the supply of valid data to it. For this reason a set of sensors, usually equal in number to the number of control lanes, is provided for each item of input data. The sensors of each set supply nominally-identical signals representative of the value of the relevant item of data to the respective control lanes, but there are inevitable slight differences between these signals arising from the manufacturing and operating tolerances that will exist between the different sensors of the set. Thus if no remedial action were taken in the system to equalize the data signals used in the different control lanes, the output control signals of these lanes would in general always be different from one another.
Although these differences between the output signals of the control lanes might not be large enough to exceed the threshold for detection of a fault or failure, their existence could very easily prejudice appropriate detection of a real fault or failure within a lane, or make the detection process too sensitive to minor, unimportant differences between the lanes.
In order to achieve equalization and avoid the undesirable consequences of slight differences between the nominally-identical sensor-signals, use may be made of amalgamation techniques. In these an amalgamate signal is derived in each lane in respect of each set of sensors, the amalgamate having a value (for example, the mean or a median value) intermediate the sensor-signal values. Any sensor signal differing by more than some prescribed amount and outside the acceptable tolerance range, is automatically excluded from the amalgamation process, and thereby cannot affect lane operation.
Amalgamation of the various sets of input-data signals, and the computation from the resultant intermediate-valued amalgamate signals of the appropriate control demand in each lane, can be readily carried out using digital processing. However, the application of digital processing techniques to plural-lane control systems introduces a new problem in the detection of malfunction. Digital computing or other processing techniques involve the use of complex arrangements of logic circuits (such as NAND-gates, NOR-gates and shift registers), and there is a risk that in implementing the required design of a digital system in terms of these logic circuits and their interconnections, additional unintended logical functions may be created. Since these spurious functions do not arise as an intentional part of the design, there is no provision in the design for system operation involving them.
More particularly, there is the possibility that some particular digital data-representations will interact with certain instructions in the program that controls operation of the processing, in an unexpected and unpredictable manner. Consequently there is the risk of a malfunction arising, not as a result of any fault or component failure, but rather as a result of a latent design defect either alone or in combination with the effect of component tolerances. All control lanes having the same design and operational program would in general be subject to the same malfunction, and so comparison between them would not be capable of revealing the existence of the malfunction; such a malfunction, affecting all the lanes in the same way, is termed a common-mode failure.
An analogue system can be tested to eliminate unexpected results by checking its operation for various values of each input signal from one extreme to the other, and then relying on the linearity of the system to infer the results in respect of intermediate values. In contrast, with a digital processing system the discontinuous nature of the digital signals involved limits the inference that can be drawn about its behaviour in respect of any one combination of digital data and program, from its behaviour in respect of any other combination. Thus, normally, the only sure way of providing a digital system with an acceptable level of confidence in its operation would be to check every possible combination of digital data and program instruction. However, these combinations can number many millions, and such testing would therefore in general occupy a prohibitive length of time.
It is an object of the present invention to provide a plural-lane control system utilizing digital processing techniques, that embodies safeguards against common-mode failure so as to enable the need for testing of the system to be significantly reduced.
According to the present invention there is provided a control system having provision for failure-survival and including at least two control lanes for processing normally identical data digitally to derive nominally-equivalent control outputs that are compared with one another for determining the existence of a failure, wherein it is arranged that different digital representations of the same normally-identical data are used in the processing of the same data in the two lanes.
With a plural-lane control system utilizing different digital-data representations as between two lanes, there is the advantage that even if a digital data-representation in one of the lanes causes an adverse interaction in that lane, the other lane will not be subject to the same malfunction. This is because the other control lane will not contain the same representation of that data value, so one of the causes of the interaction will be absent from this other control lane. Consequently, both lanes will not be subject to the same malfunction simultaneously.
The same values of data may be represented in the different lanes by digital representations that differ from one another in sense. The difference in sense, which may be the only difference, or only one of a plurality of such differences utilized, may be readily achieved simply by reversing in respect of one, or some only, of the lanes, the lead connections or polarity with which signals from transducers and other sources are supplied to the lanes. The representational-differences between the lanes may instead, or in addition, be based on the existence of a proportional relationship. More specifically, a constant ratio, for example 1:2, may exist between the representation of each item of data in one lane and the representation of the same item in the other lane.
Each lane may include a digital processor that derives the intermediate values or amalgamates appropriate to the different items of input data, and computes from them the appropriate, digital demand-signal. This signal may be converted into analogue form and used in combination with feedback signals to derive, in the normal way, the required output-command control. However, the feedback data may also be processed digitally and reference is in this respect directed to co-pending cognate Patent Application Nos. 30482/76 and 21803/77. (Serial No. 1560555).
Two control systems in accordance with this invention for flight control of an aircraft will now be described, by way of example, with reference to the accompanying drawings, in which: Figures 1 and 2, when placed side by side, together provide a block schematic diagram of a first of the two flight-control systems; and Figure 3 is a block schematic diagram of the second flight-control system.
The first system to be described is part of a quadruplex flight-control installation replacing the conventional mechanical linkages between the pilot's controls and the moveable aerodynamic-control surfaces (namely, elevators, ailerons and rudder) of the aircraft. Movements of the pilot's controls are sensed by electrical transducers that generate electrical signals representative of these movements, and the positions of the control surfaces and the motions of the aircraft are similarly sensed to produce two more groups of signals. The three groups of signals are supplied to servo-computers which derive from them the electrical command signals appropriate for actuation of the aircraft control surfaces in accordance with the pilot's demands in pitch, bank and yaw.
The pilot's controls and the control surfaces are thus linked solely by electrical circuits, and the control and safety of the aircraft is very dependent on the integrity of these circuits.
Referring to Figures 1 and 2, the elevator surfaces 10 of the aircraft are driven by two hydraulic rams 11 and 12 that are coupled together and to the elevator surfaces 10 by a common link 13. Hydraulic fluid is supplied to the rams 11 and 12 via respective spool-valves 14 and 15 which are intercoupled mechanically via a link 16, and which are positioned by two sets of three servo-valve actuators 17 to 19, and 20 to 22, respectively. A set of three actuators is provided to drive each valve 14 and 15 so that if one of the three (or its control circuitry) fails, disconnection of that actuator is unnecessary, since the remaining two actuators of the set, together with the three actuators of the other set, have sufficient power or authority between them to resist and overcome conflict from the 'failed' actuator.
The position of the linkage 13 is sensed by four transducers 23 to 26, each of which supplies an analogue signal in accordance with this position to a respective one of four flight-control computers 27 to 30. The control computers 27 to 30 also receive nominally-identical analogue signals in accordance with pitch-demands signalled from four transducers 31 to 34 respectively, that are coupled to the pilot's controls (not shown). Other nominally-identical analogue signals, in this case in accordance with motion of the aircraft, in particular the rate of change of altitude, are supplied to the computers 27 to 30 from four sources 35 to 38 in the appropriate instrumentation of the aircraft.
The four control computers 27 to 30 derive from the input and feedback data conveyed by the analogue signals, command signals appropriate for application to the actuators 17, 18, 21 and 22 to control the elevator-surfaces 10 in accordance with the pilot's pitch-demand.
To this end each computer 27 to 30 includes an analogue-to-digital converter 100 which receives the input signals supplied to that computer, in cyclic succession from an individual multiplexer 101, and which supplies the corresponding digital representations to a digital processing unit 102 of the computer. The unit 102 of each computer receives not only digital representations of the input and feedback data from the converter 100 of that same computer, but also nominally-identical digital representations of the same data from the converters 100 of the other three computers.
Each unit 102 acts in accordance with a stored program to compute a digital command dependent on the input and feedback data, and for the purposes of the computation the value of each item of data used is derived in accordance with a process of amalgamation of the set of four nominally-identical representations supplied in respect of that item. More particularly, each unit 102 is programmed to determine for each set of four digital representations whether any one of the set differs in value from the others by more than an amount prescribed in relation to the acceptable operational-tolerances applicable to that item of data, and if not to derive for use in the computation of the digital command a digital representation having a value (for example the mean or the median) intermediate the extremes of the range of the four signalled values. If any one of the signalled values differs by more than the prescribed amount from the others it is excluded from the derivation of the intermediate-value representation.
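The amalgamation step described here (and in general terms earlier, where the amalgamate and the exclusion of out-of-tolerance sensor signals were introduced) is shown below as an added example in Python; it is not code from the patent. The tolerance value, the rule used to decide which readings "differ from the others" (a reading survives only if it belongs to the largest set of mutually-agreeing readings, and a tie between two such sets is treated as undecidable), the gain used as the lane's "computation" and the four sample sensor readings are all assumptions made for illustration.

```python
"""Amalgamation of nominally-identical sensor signals (added example).

Added example, not code from the patent: it models the amalgamation that each
lane's processing unit 102 performs on the four digital representations of one
item of data.  The tolerance, the largest-agreeing-set rule used for exclusion,
the gain and the sample readings are assumptions for illustration.
"""
from statistics import mean, median


def amalgamate(values, tolerance, method="median"):
    """Return (amalgamate, excluded) for one set of nominally-identical readings.

    Readings are grouped by mutual agreement within `tolerance`; the largest
    group is used and everything outside it is excluded, so a single faulty
    sensor (or two faulty sensors that disagree with each other) cannot affect
    the lane.  If two different groups tie for largest (for example a 2-2 split
    in a quadruplex set) the item of data is undecidable and a ValueError is
    raised, so the caller treats it as failed rather than silently using it.
    """
    n = len(values)
    clusters = [frozenset(j for j in range(n) if abs(values[i] - values[j]) <= tolerance)
                for i in range(n)]
    best = max(clusters, key=len)
    if any(len(c) == len(best) and c != best for c in clusters):
        raise ValueError("no consistent majority among %r" % (values,))
    kept = [values[j] for j in sorted(best)]
    excluded = [values[j] for j in range(n) if j not in best]
    pick = {"mean": mean, "median": median}[method]
    return pick(kept), excluded


def lane_outputs(readings_per_lane, gain, tolerance=None):
    """Control demand computed in each lane from the readings it receives.

    With tolerance None every lane uses only its own sensor, so the outputs
    differ by the sensor tolerances even though nothing has failed.  With a
    tolerance every lane amalgamates the full set (each lane receives all four
    representations) and the outputs coincide.
    """
    outputs = []
    for own in readings_per_lane:
        if tolerance is None:
            value = own
        else:
            value, _ = amalgamate(readings_per_lane, tolerance)
        outputs.append(gain * value)
    return outputs


# Constructed sample: four pitch-demand sensors, the last of which has failed.
SENSORS = [100.0, 102.0, 98.0, 175.0]

if __name__ == "__main__":
    print(lane_outputs(SENSORS, gain=0.5))                # lanes disagree
    print(lane_outputs(SENSORS, gain=0.5, tolerance=10))  # all lanes agree
    print(amalgamate(SENSORS, 10))                        # faulty sensor excluded
```

The undecidable case matters in practice: a 2-2 split among four sensors gives the amalgamation no basis for choosing, and a design that quietly picks one side there reintroduces exactly the silent divergence between lanes that the amalgamation is meant to remove.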
A signal in accordance with the digital command computed by the unit 102 of each control computer 27 to 30 is supplied via a respective digital-to-analogue converter 103 to a sample-and-hold circuit 104, and also directly to two digital-data transmitters 105 and 106.
The output of the circuit 104 is compared in an amplifier 107 with a representation of the setting of the two spool valves 14 and 15. In the latter respect, there are four transducers 39 to 42 coupled to the link 16 for supplying to the amplifiers 107 of the four computers 27 to 30, respectively, analogue signals representative of the setting of the spool valves 14 and 15 (and thus of the rate of movement of the rams 11 and 12). The output signals of the amplifiers 107 of the four computers 27 to 30, which are each accordingly representative of the error in position of the spool valves 14 and 15, are applied to the actuators 17, 18, 20 and 21 respectively, in the sense to correct this error and thereby cause the rams 11 and 12, to drive the elevator surfaces 10 via the link 13 at a rate appropriate to satisfy the pilot's demand in pitch.
The output signals of the digital-data transmitters 105 of the control computers 27 to 30 are supplied to individual digital-data receivers 110 to 113 of a digital monitor-computer 43, whereas the output signals of the transmitters 106 of the four control computers 27 to 30 are supplied to corresponding digital-data receivers 110 to 113 of a digital monitor-computer 44. The digital signals received by the receivers 110 to 113 in each computer 43 and 44 are compared to detect whether any one of them is significantly inconsistent with the others and whether any of them has a rate of change significantly inconsistent with the others. To this end, each computer 43 and 44 includes a digital-processing unit 114 which acts according to a stored program to compare the four signals with one another and to derive a representative signal from them.
This representative signal has a value in accordance with an amalgamate (mean or median value) of the four signals (but with any detected in the comparison process as being inconsistent with the others or having an excessive rate of change, excluded). This representative signal is supplied via an individual digital-to-analogue converter 115 to a sample-and-hold circuit 116 for comparison in an amplifier 117 with a representation of the setting of the two spool valves 14 and 15. In the latter respect two transducers 45 and 46 corresponding to the transducers 39 to 42 are coupled to the link 16 for supplying to the amplifiers 117 of the two computers 43 and 44, respectively, analogue signals representative of the setting of the spool valves 14 and 15.
The resultant error-signals are supplied to the actuators 19 and 22 respectively, in the same way as the error signals from the amplifiers 107 of the computers 27 to 30 are supplied to the actuators 17, 18, 20 and 21.
In the event that there is a component failure in any one of the four control computers 27 to 30 causing that computer to generate a control signal inconsistent with the control signals generated by the other three computers, then, as referred to above, that control signal is detected by the processing units 114 and excluded from the computations they perform.
Consequently the control signals supplied to the actuators 19 and 22 will in general be in accord with the control signals supplied to three of the four actuators 17, 18, 20 and 21.
Control of the setting of the spool-valve 14 or 15 from the faulty control computer will thus be overridden by the other control computer and the monitor computer which act in accord with one another to control that same valve, and their operation in this respect will be aided by the two control computers and the monitor computer controlling the other valve.
The probability of more than one of the computers 27 to 30 suffering the same component failure simultaneously is very low, and is within the normally-accepted limits for failure-survival. However, there remains the possibility that some particular value of input signal will generate a digital representation in the control computers 27 to 30 which, in conjunction with the programmed sequence of operations within the digital-processing units 102 will cause malfunction of each of them. Such malfunction might arise, for example, because the process of implementing the written computer program in terms of the logic embodied in the control computers 27 to 30, introduces an unpredictable and spurious interaction between the program and the data derived from the input signals.
The control computers 27 to 30 will each typically involve several thousand electrical circuits and an instruction program used in the computer will typically involve many thousand steps of calculation. If any one circuit operates incorrectly during any one calculation, the result of the entire computation prescribed by the instruction program will be erroneous. It has been found in practice that there is a possibility of erroneous computer-operation in this way even though the computer has apparently in all other respects been designed correctly and the signals appropriate to correct operation have been supplied to it.
This may arise for example in circumstances in which the complex array of circuit interconnections within the computer give rise to an interaction between circuits which was not intended in the design, but which occurs in the event that one particular combination of binary data signals is supplied under the control of one particular program instruction when the computer circuits happen already to be in one particular combination of electrical states. These particular circumstances will be one of many millions of possibilities, making it impossible to test the design fully for such an interaction. Response of the system to this kind of circumstance is referred to as "pattern sensitivity" (meaning that the design is sensitive to one particular pattern, or combination of binary signals), but may be otherwise referred to in terms of a "context-dependent failure".
In the case of the system shown in Figures 1 and 2, all four control computers 27 to 30 are of the same design, and operate on the same program, so all four control computers 27 to 30 would be subject to any context-dependent failure simultaneously and in the same way.
Such failure would not be detected by the monitor computers 43 and 44.
Safeguards against the possibility of a common-mode malfunction arising in this way are incorporated into the system of Figures 1 and 2. In this respect the input signals applied to the control computers 29 and 30 are applied in the opposite sense to the input signals applied to the control computers 27 and 28. To this end, the connections of the transducers 25, 26, 33 and 34, and of the sources 37 and 38, to the control computers 29 and 30 are reversed (indicated diagrammatically by crossover-line pairs R) as compared with the connections (indicated by uncrossed-line pairs D) of the transducers 23, 24, 31 and 32, and the sources 35 and 36, to the computers 27 and 28. This ensures that the binary numbers used to represent the same magnitude in the two pairs of computers 27 and 28, and 29 and 30 are different.
The manner in which the difference arises may be demonstrated by considering the eight-digit 'twos-complement' binary number system set out in part in Table I.
Inspection of Table I illustrates that, for any non-zero value, reversal of sign without change of magnitude is accompanied by a change in at least one of the binary digits of the representation (zero is the one value whose representation is unchanged by reversal of sign). For example, even the binary representations of +64 and -64 differ from one another in the value of their first digits. Comparable circumstances apply with any other binary notation used.
TABLE I
01111111 = +127
01111110 = +126
01111101 = +125
...
01000001 = +65
01000000 = +64
00111111 = +63
...
00000001 = +1
00000000 = 0
11111111 = -1
...
11000001 = -63
11000000 = -64
10111111 = -65
...
10000001 = -127
10000000 = -128
Thus although the control computers 27 to 30 all receive and operate on nominally-identical input and feedback data, the control computers 29 and 30 operate with combinations of binary digits which are different from those in the control computers 27 and 28. The difference of even one digit involved in the reversal of sign is sufficient to ensure that any freak pattern that might give rise to context-dependent failures in the individual computers 27 to 30 does not occur in all four computers 27 to 30 simultaneously, and so does not lead to a common-mode failure of the whole system.
Compensation for the reversals of sign to the control computers 29 and 30 is made by reversals (R) introduced into the analogue signal connections from the transducers 41 and 42 to the amplifiers 107 of the computers 29 and 30, and from those amplifiers 107 to the actuators 20 and 21; these contrast with the direct, uncrossed connections (D) from the transducers 39 and 40, and to the actuators 17 and 18, in relation to the amplifiers 107 of the computers 27 and 28.
The amalgamation programs performed in the units 102 of the control computers 27 to 30, and in the units 114 of the monitor computers 43 and 44, compensate automatically for the reversal of sign effective between one pair and the other of the compared digital representations; the amalgamate derived in each case is attributed the appropriate sign to maintain the difference of digital representation as between the different pairs of computers 27 to 30.
A context-dependent failure is most likely to manifest itself in each computer 27 to 30 in either of two ways: either in an abrupt change in the program cycle of the computer (for example, trapping the computer in a 'loop' of instructions); or in an obviously incorrect output command (such as a demand for the elevators to move suddenly to one extreme of their range of movement).
The digital-processing units 102 of the control computers 27 to 30 each complete one cycle of instructions, and thus regenerate their output commands, at intervals of between 10 and 20 milliseconds. Each digital processing unit 114 of the monitor computers 43 and 44 completes a related program of instructions, to compare and check the output commands of the control computers 27 to 30 and to regenerate its own output command, in the same interval of time. Thus any sudden change in program execution arising from a context-dependent failure in any of the control computers 27 to 30 results in the computer or computers involved departing from synchronism with the monitor computers 43 and 44.
The monitor computers 43 and 44 continuously monitor whether there is synchronism of operation between themselves and the individual control computers 27 to 30; any detected loss of synchronism affecting the two control computers 27 and 28, or 29 and 30, simultaneously, is treated as indicative of a common-mode failure as between that pair. The monitor computers 43 and 44 also monitor the rate of change of the control commands supplied from the control computers 27 to 30, and, if either pair of these calls for an excessive rate of change, then this again is indicative of a common-mode failure of the relevant pair. The output signals from the 'failed' control computers 27 and 28, or 29 and 30, are thereafter, in accordance with the monitor-computer program, disregarded in the generation of the control signals supplied to the actuators 19 and 22.
Thus the control exerted by the 'failed' pair of computers via the actuators 17 and 18, or 20 and 21, is overridden by the other four actuators. It will be appreciated that the monitor computers 43 and 44 themselves could be subject to context-dependent faults, and as the signals applied to, and the programs executed by, the two monitor computers are identical, context-dependent faults could arise in them simultaneously. This does not affect the integrity of the whole system, since the control computers 27 to 30 are not simultaneously subject to such faults, and the control exerted by the 'failed' pair of monitor computers via the actuators 19 and 22 is overridden by the control exerted by the control computers via the actuators 17, 18, 20 and 21.
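The per-cycle checks just described for the monitor computers 43 and 44 (loss of synchronism, excessive rate of change, and exclusion of a failed pair or of a single inconsistent lane from the command driving actuators 19 and 22) are shown below as an added example in Python. It is not the patent's monitor program. The representation of synchronism as a cycle counter transmitted with each command, the rate limit, the agreement tolerance and the two constructed command logs are assumptions made for illustration.

```python
"""Monitor-computer checks on the four control-computer commands (added example).

Added example, not the patent's program: it models what a monitor computer
(43 or 44) does once per cycle with the digital commands received from the
control computers 27 to 30.  The cycle-counter convention used to detect loss
of synchronism, the rate limit, the tolerance and the logs are assumptions.
"""
from statistics import median

PAIRS = ((27, 28), (29, 30))   # the two pairs that share a data representation
RATE_LIMIT = 20                # largest credible change per cycle (assumed units)
TOLERANCE = 5                  # largest credible disagreement between lanes


def check_cycle(frame, previous, monitor_cycle):
    """One monitor cycle.

    `frame` maps lane -> (cycle_counter, command) as transmitted this cycle and
    `previous` is the same for the last cycle (None on the first).  Returns
    (command_for_actuators, excluded_lanes, common_mode_pairs).
    """
    suspect = set()
    for lane, (counter, cmd) in frame.items():
        if counter != monitor_cycle:          # lane has dropped out of step
            suspect.add(lane)
        if previous is not None and abs(cmd - previous[lane][1]) > RATE_LIMIT:
            suspect.add(lane)                 # excessive rate of change
    # both lanes of a pair failing together is treated as a common-mode failure
    common_mode = [p for p in PAIRS if set(p) <= suspect]
    excluded = set(suspect)
    # a single lane inconsistent with all the trustworthy others is dropped too
    for lane, (_, cmd) in frame.items():
        others = [c for l, (_, c) in frame.items() if l != lane and l not in suspect]
        if others and all(abs(cmd - c) > TOLERANCE for c in others):
            excluded.add(lane)
    survivors = [cmd for lane, (_, cmd) in frame.items() if lane not in excluded]
    if not survivors:
        raise RuntimeError("no trustworthy control-computer command this cycle")
    return median(survivors), excluded, common_mode


def run_monitor(log):
    """Apply the checks to a list of frames; returns the per-cycle results."""
    results, previous = [], None
    for cycle, frame in enumerate(log):
        results.append(check_cycle(frame, previous, cycle))
        previous = frame
    return results


# Constructed log: from cycle 2 the pair 29/30 stops advancing its counter
# (trapped in a loop) and keeps re-sending a stale command.
LOG = [
    {27: (0, 100), 28: (0, 100), 29: (0, 100), 30: (0, 100)},
    {27: (1, 105), 28: (1, 105), 29: (1, 105), 30: (1, 105)},
    {27: (2, 110), 28: (2, 110), 29: (1, 105), 30: (1, 105)},
    {27: (3, 115), 28: (3, 115), 29: (1, 105), 30: (1, 105)},
]

# Constructed log: a single component failure in lane 28 produces a jump.
LOG_SINGLE = [
    {27: (0, 100), 28: (0, 100), 29: (0, 100), 30: (0, 100)},
    {27: (1, 105), 28: (1, 140), 29: (1, 105), 30: (1, 105)},
]

if __name__ == "__main__":
    for cycle, result in enumerate(run_monitor(LOG)):
        print(cycle, result)
    print(run_monitor(LOG_SINGLE)[-1])
```

Two design points carry over from the patent: the single-lane exclusion is only applied against lanes that are not already suspect, so a failed pair cannot outvote a healthy lane, and a cycle with no survivor is raised as an error rather than resolved by the monitor alone, because the patent's safety argument for that situation rests on the four control-computer actuators overriding the two monitor actuators, not on the monitor's output.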
It is possible for a context-dependent failure to result in an incorrect output command neither excessively different from a correct output command nor having an excessive rate of change, and therefore not detected by the monitor computers 43 and 44. However, in general the resultant differences between the command signals generated by the two pairs of control computers would not be large, and would not have serious consequences.
Furthermore, since the failure would be due to a freak pattern of digits it is to be expected that this condition would be transient, and clear within a few seconds.
The computers 27 to 30 and 43 and 44 are used in the control of the ailerons and rudder, as well as of the elevators. More particularly there is time sharing of the major part of each of these computers between the three control functions, the only units not involved in the sharing being the sample-and-hold circuits 104 and amplifiers 107 of the computers 27 to 30 and the corresponding sample-and-hold circuits 116 and amplifiers 117 of the computers 43 and 44.
The invention is applicable beyond the context of the quadruplex, double-failure survival, system described above with reference to Figures 1 and 2. In this respect, and by way of further example, a monitored-duplex, single-failure survival system, embodying the invention is illustrated in Figure 3.
Referring to Figure 3, the elevator surfaces 200 of the aircraft are in this case controlled from two digital computers 201 and 202. The computers 201 and 202 receive nominally-identical input signals from transducers 203 and 204, respectively, driven from the pilot's controls, and also from sources 205 and 206, respectively, from the aircraft instrumentation.
The signals to the computer 202 are supplied via connections that are reversed (R) as compared with those (D) to the computer 201.
The output command signals of the computers 201 and 202 are supplied to individual actuators 207 and 208 that drive the elevator surfaces 200, and also to a common monitor computer 209. The computer 209 receives input signals from a transducer 210 and a source 211 corresponding to the transducers 203 and 204 and sources 205 and 206. These signals, however, are supplied to the monitor computer 209 via individual divide-by-two circuits 212 and 213.
Feedback from the elevator surfaces 200 is provided, in opposite senses, to the computers 201 and 202 from transducers 214 and 215, whereas feedback to the computer 209 is supplied via a divide-by-two circuit 217.
The monitor computer 209 performs the same digital computations as those performed by the computers 201 and 202, and in parallel with them. However the input and feedback-signal magnitudes involved are only half those used (in opposite senses) in the computers 201 and 202, so that there are different digital patterns operative at any one time in the three computers. The possibility of there being a context-dependent failure simultaneously in two or more of the computers 201, 202 and 209, with consequent common-mode failure, is accordingly averted.
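Both arrangements of representational difference described in this document, the sign reversal of Figures 1 and 2 (the point Table I makes) and the 1:2 ratio realised by the divide-by-two circuits of Figure 3, are checked exhaustively below in an added Python example that is not code from the patent. It verifies that reversing the sign changes at least one bit of an eight-bit two's-complement word for every value except zero, then models a hypothetical pattern-sensitive defect that fires when a lane's operand matches one trigger pattern and counts how many lanes can fire on the same input. The eight-bit word, the truncating divide-by-two, the gain used as the lane's "computation", the full-travel output of a faulted lane and the trigger patterns are assumptions made for illustration.

```python
"""Data-representation diversity between lanes (added example).

Added example, not the patent's code.  It checks the Table I observation for
every value an eight-bit two's-complement lane can carry and then simulates a
pattern-sensitive (context-dependent) defect to show that lanes with reversed
sense (Figures 1 and 2) or halved magnitude (Figure 3) cannot all hit the same
pattern at once.  The word size, the truncating divide-by-two, the gain, the
full-travel fault output and the trigger patterns are assumptions.
"""
import math

BITS = 8
RANGE = range(-(2 ** (BITS - 1) - 1), 2 ** (BITS - 1))   # -127 .. +127

# lane name -> (how an input value reaches the lane,
#               how the lane's output is brought back to the common sense/scale)
LANES = {
    "direct":   (lambda v: v,                 lambda o: o),
    "reversed": (lambda v: -v,                lambda o: -o),
    "halved":   (lambda v: math.trunc(v / 2), lambda o: 2 * o),
}


def to_twos(value, bits=BITS):
    """Two's-complement bit pattern of `value` as an integer 0 .. 2**bits-1."""
    if not -(2 ** (bits - 1)) <= value < 2 ** (bits - 1):
        raise OverflowError(value)
    return value & ((1 << bits) - 1)


def table_1_check():
    """(values whose pattern is unchanged by sign reversal, fewest bits changed).

    The patent observes that reversing the sign changes at least one bit; this
    returns the exceptions found over RANGE and the smallest Hamming distance.
    """
    same, min_dist = [], BITS
    for v in RANGE:
        d = bin(to_twos(v) ^ to_twos(-v)).count("1")
        if d == 0:
            same.append(v)
        else:
            min_dist = min(min_dist, d)
    return same, min_dist


def lane_demand(value, lane, trigger, gain=2):
    """(command in common sense, faulted?) from one lane.

    The hypothetical latent defect fires when the operand's bit pattern equals
    `trigger`; the lane then demands full travel, an obviously wrong command.
    """
    inward, outward = LANES[lane]
    operand = inward(value)
    if to_twos(operand) == trigger:
        return outward(127), True
    return outward(gain * operand), False


def faults_per_input(trigger, lanes=("direct", "reversed", "halved")):
    """Map each input value to the number of lanes that hit the trigger on it."""
    return {v: sum(lane_demand(v, l, trigger)[1] for l in lanes) for v in RANGE}


def max_simultaneous(trigger, lanes=("direct", "reversed", "halved")):
    """Largest number of lanes that can fault together for one input value."""
    return max(faults_per_input(trigger, lanes).values())


if __name__ == "__main__":
    print(table_1_check())                       # ([0], 1): only zero, +-64 differ by 1 bit
    print(max_simultaneous(0b01000000))          # 1: pattern for +64 hits one lane at a time
    print(max_simultaneous(0b00000000))          # 3: the all-zero pattern is common to all lanes
```

Two caveats the exhaustive check surfaces: the value zero has the same representation in every lane whatever sense or scale is used, so a defect triggered by the all-zero pattern is still a common-mode exposure; and the halved lane loses the least significant bit of odd inputs, so a monitor comparing it with the full-scale lanes needs a tolerance of at least one full-scale unit rather than exact agreement.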
The monitor computer 209 checks whether the output commands of the control computers 201 and 202 are in accord with its own output. In the event of significant disagreement, there is a disconnection of the relevant control computer 201 or 202.
The computers 201, 202 and 209 perform the digital computations appropriate for amalgamation of both the input and feedback signals; the interconnections for exchange of digital data in this respect between the three computers are omitted from Figure 3. The digital representations are processed to derive the amalgamates and then to compute the output commands.
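The mechanism described above for Figure 3 (the same computation run in three lanes on three different digital representations of the same data, with a monitor that disconnects a disagreeing control lane) can be simulated in a few lines. The following is an added example, not code from the patent: the lane names 201, 202 and 209 follow the figure, but the fixed-point scale, the integer control law, the disagreement tolerance, the sample inputs and the "context-dependent" fault (one that fires only when a lane's own command word equals a particular value) are all constructed for the illustration. Running it with `diverse=False` wires all three lanes identically, which shows why the diversity matters: the fault then fires in every lane at once, the outputs still agree, and the monitor has nothing to detect.

```python
"""Simulation of the lane-diversity idea in the monitored-duplex system of Figure 3.

Added example, not code from the patent: lane names, the control law, the
fixed-point scale, the tolerance and the fault model are all constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SCALE = 1024        # constructed: A/D counts per unit of analogue signal
GAIN = 3            # constructed integer gain of the shared control law
TOLERANCE = 8       # constructed: disagreement (in lane-201 counts) treated as "significant"
TRIGGER_WORD = 768  # constructed: the digital pattern that provokes the context-dependent fault


def to_fixed(x: float) -> int:
    """Model of an analogue-to-digital converter producing a signed count."""
    return int(round(x * SCALE))


def pattern_fault(cmd: int, fb: int) -> Optional[int]:
    """Constructed context-dependent fault: it fires only when the lane's own
    command word equals TRIGGER_WORD, and then freezes the output at zero.
    Returns None while the fault is dormant."""
    return 0 if cmd == TRIGGER_WORD else None


@dataclass
class Lane:
    name: str
    sense: int      # +1 for direct (D) signal connections, -1 for reversed (R)
    divide: int     # 1 for a control lane, 2 for a lane fed via divide-by-two circuits
    fault: Optional[Callable[[int, int], Optional[int]]] = None
    connected: bool = True

    def acquire(self, analogue_cmd: float, analogue_fb: float) -> Tuple[int, int]:
        """Digitise this lane's own copy of the command and feedback signals."""
        return (to_fixed(self.sense * analogue_cmd / self.divide),
                to_fixed(self.sense * analogue_fb / self.divide))

    def compute(self, cmd: int, fb: int) -> int:
        """The same computation in every lane, run on that lane's representation."""
        out = GAIN * (cmd - fb)
        corrupted = self.fault(cmd, fb) if self.fault else None
        return out if corrupted is None else corrupted

    def normalise(self, out: int) -> int:
        """Map an output back to the direct, undivided frame so lanes can be compared."""
        return self.sense * self.divide * out


# Constructed pilot-command / surface-feedback samples (analogue units).
# The third sample makes a direct, undivided lane see TRIGGER_WORD.
SAMPLES: List[Tuple[float, float]] = [(0.2, 0.1), (0.5, 0.4), (0.75, 0.5), (0.6, 0.55)]


def monitored_duplex(diverse: bool, samples=SAMPLES) -> List[Dict]:
    """Run two control lanes and a monitor lane over the samples.

    diverse=True wires the system as in Figure 3: lane 202 reversed, monitor 209
    fed through divide-by-two circuits. diverse=False gives all three lanes the
    identical representation, for comparison."""
    if diverse:
        lanes = [Lane("201", +1, 1, pattern_fault), Lane("202", -1, 1, pattern_fault)]
        monitor = Lane("209", +1, 2, pattern_fault)
    else:
        lanes = [Lane("201", +1, 1, pattern_fault), Lane("202", +1, 1, pattern_fault)]
        monitor = Lane("209", +1, 1, pattern_fault)
    log = []
    for step, (a_cmd, a_fb) in enumerate(samples):
        ref = monitor.normalise(monitor.compute(*monitor.acquire(a_cmd, a_fb)))
        outputs = {}
        for lane in lanes:
            out = lane.normalise(lane.compute(*lane.acquire(a_cmd, a_fb)))
            outputs[lane.name] = out
            # The monitor disconnects a control lane that disagrees significantly with it.
            if lane.connected and abs(out - ref) > TOLERANCE:
                lane.connected = False
        # Fault-free reference for the reader only: the monitor has no such oracle.
        correct = GAIN * (to_fixed(a_cmd) - to_fixed(a_fb))
        log.append({"step": step, "monitor": ref, "outputs": outputs, "correct": correct,
                    "connected": [lane.name for lane in lanes if lane.connected]})
    return log


if __name__ == "__main__":
    for diverse in (True, False):
        print("diverse representations" if diverse else "identical representations")
        for rec in monitored_duplex(diverse):
            print(rec)
```

In the diverse run the third sample drives lane 201's command word to the trigger value, while lane 202 sees the negated word and lane 209 sees half of it, so only lane 201 fails; its output differs from the monitor's by far more than the tolerance and it is disconnected, with the small rounding differences between the half-magnitude monitor and the full-magnitude lanes staying well inside the tolerance on every other step. In the identical-representation run all three lanes hit the trigger together, their zero outputs agree, and no disconnection occurs even though the correct command was non-zero.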
Claims (11)

WHAT WE CLAIM IS:
1. A control system having provision for failure-survival and including at least two control lanes for processing nominally-identical data digitally to derive nominally-equivalent control outputs that are compared with one another for determining the existence of a failure, wherein it is arranged that different digital representations of the same nominally-identical data are used in the processing of the same data in the two lanes.
2. A control system according to Claim 1 wherein it is arranged that the same values of data are represented in the said two lanes by digital representations that differ from one another in sense.
3. A control system according to Claim 2 wherein the signal-supply connections to one, or some only, of the lanes are reversed as compared with those to the other lane or lanes.
4. A control system according to Claim 2 including signal-supply means for deriving nominally-identical analogue signals for supply to the said two lanes, each of these lanes including analogue-to-digital conversion means for converting the signals received by the respective lane into digital representations dependent in both magnitude and sense upon the received signals, and wherein the said signal-supply means includes means to apply the said nominally-identical signals for reception in opposite senses by the said two lanes.
5. A control system according to any one of the preceding claims wherein it is arranged that the digital representations used to represent data in a first of the lanes are in constant proportion to the digital representations used to represent the same data in a second of the lanes.
6. A control system according to Claim 5 including means for deriving nominally-identical analogue signals for supply to the first and second lanes for processing digitally therein in accordance with the signal magnitude received by the respective lane, and means for attenuating the analogue signals supplied to said second lane as compared with those supplied to said first lane.
7. A control system according to any one of the preceding claims wherein there are a plurality of pairs of control lanes, and it is arranged that the digital representations used differ only as between the different pairs of lanes.
8. A control system according to any one of the preceding claims wherein there are at least three control lanes and wherein it is arranged that different digital representations are used in the processing of the same data as between the said three lanes.
9. A control system according to any one of the preceding claims wherein the said two control lanes are arranged to drive a common control output and wherein it is arranged that nominally-identical feedback data is derived from said common output for application in the said two lanes, and that different digital representations are used for processing the feedback data in different ones of said two lanes.
10. A control system substantially as hereinbefore described with reference to Figures 1 and 2 of the accompanying drawings.
11. A control system substantially as hereinbefore described with reference to Figure 3 of the accompanying drawings.
GB9643/76A 1976-03-10 1976-03-10 Control systems Expired GB1560554A (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
GB9643/76A GB1560554A (en) 1976-03-10 1976-03-10 Control systems
FR7706985A FR2344063A1 (en) 1976-03-10 1977-03-09 AT LEAST TWO-WAY DIGITAL CONTROL CIRCUIT
FR7706984A FR2344074A1 (en) 1976-03-10 1977-03-09 DIGITAL SAFETY CONTROL CIRCUIT
DE19772710517 DE2710517A1 (en) 1976-03-10 1977-03-10 CONTROL SYSTEM WITH TWO OR MORE CHANNELS
DE19772710466 DE2710466A1 (en) 1976-03-10 1977-03-10 CONTROL SYSTEM FOR ERROR MONITORING
US05/776,448 US4130241A (en) 1976-03-10 1977-03-10 Control systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9643/76A GB1560554A (en) 1976-03-10 1976-03-10 Control systems

Publications (1)

Publication Number Publication Date
GB1560554A true GB1560554A (en) 1980-02-06

Family

ID=9875968

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9643/76A Expired GB1560554A (en) 1976-03-10 1976-03-10 Control systems

Country Status (3)

Country Link
DE (1) DE2710466A1 (en)
FR (1) FR2344074A1 (en)
GB (1) GB1560554A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2125189A (en) * 1982-07-20 1984-02-29 Lucas Ind Plc Automatic control for a limiting device using duplicated control circuits
GB2168818A (en) * 1984-12-20 1986-06-25 United Technologies Corp Establishing synthesis validity between two signal sources in a turbine control system
GB2172722A (en) * 1985-03-22 1986-09-24 United Technologies Corp Backup control system (bucs)
US4890284A (en) * 1988-02-22 1989-12-26 United Technologies Corporation Backup control system (BUCS)
US5128943A (en) * 1986-10-24 1992-07-07 United Technologies Corporation Independent backup mode transfer and mechanism for digital control computers

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE2701925C3 (en) * 1977-01-19 1981-10-15 Standard Elektrik Lorenz Ag, 7000 Stuttgart Vehicle control with two on-board computers
DE2701924B2 (en) * 1977-01-19 1981-03-19 Standard Elektrik Lorenz Ag, 7000 Stuttgart Control device for track-bound vehicles
DE2939935A1 (en) * 1979-09-28 1981-04-09 Licentia Patent-Verwaltungs-Gmbh, 6000 Frankfurt SECURE DATA PROCESSING DEVICE
DE3906846C2 (en) * 1989-03-03 1994-02-17 Bodenseewerk Geraetetech Redundant computer arrangement for control systems
DE3928456A1 (en) * 1989-08-29 1991-03-07 Nord Micro Elektronik Feinmech METHOD AND CIRCUIT ARRANGEMENT FOR FORMING AN EVALUATION SIGNAL FROM A MULTIPLE NUMBER OF REDUNDANT MEASURING SIGNALS

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US2861744A (en) * 1955-06-01 1958-11-25 Rca Corp Verification system
US3320598A (en) * 1962-10-04 1967-05-16 Ampex Self-clocking complementary redundant recording system
US3931505A (en) * 1974-03-13 1976-01-06 Bell Telephone Laboratories, Incorporated Program controlled data processor

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2125189A (en) * 1982-07-20 1984-02-29 Lucas Ind Plc Automatic control for a limiting device using duplicated control circuits
GB2168818A (en) * 1984-12-20 1986-06-25 United Technologies Corp Establishing synthesis validity between two signal sources in a turbine control system
US4722061A (en) * 1984-12-20 1988-01-26 United Technologies Corporation Establishing synthesis validity between two signal sources
GB2172722A (en) * 1985-03-22 1986-09-24 United Technologies Corp Backup control system (bucs)
GB2172722B (en) * 1985-03-22 1989-06-28 United Technologies Corp Backup control system (bucs)
US5128943A (en) * 1986-10-24 1992-07-07 United Technologies Corporation Independent backup mode transfer and mechanism for digital control computers
US4890284A (en) * 1988-02-22 1989-12-26 United Technologies Corporation Backup control system (BUCS)

Also Published As

Publication number Publication date
DE2710466A1 (en) 1977-09-15
FR2344074A1 (en) 1977-10-07

Similar Documents

Publication Publication Date Title
US4130241A (en) Control systems
US4370706A (en) Controller for a dual servo system
EP0110885B1 (en) Autopilot flight director system
US3688099A (en) Automatic control system with a digital computer
US4622667A (en) Digital fail operational automatic flight control system utilizing redundant dissimilar data processing
US7017861B1 (en) Control system for actuators in an aircraft
US5550736A (en) Fail-operational fault tolerant flight critical computer architecture and monitoring method
US4115847A (en) Automatic flight control system with operatively monitored digital computer
US4270168A (en) Selective disablement in fail-operational, fail-safe multi-computer control system
US20060200278A1 (en) Generic software fault mitigation
US4345191A (en) Two/one (2/1) fail operational electrohydraulic servoactuator
US4665522A (en) Multi-channel redundant processing systems
JPS6122803B2 (en)
GB1560554A (en) Control systems
GB2140173A (en) Dual-actuator monitor
GB1560555A (en) Control systems
JPS6091415A (en) Digital controller
JPS5833701A (en) Backup system of n:1 for dispersed hierarchy system
Maheve et al. System Safety Enhancement using Fault Tree Models
JPH04109303A (en) Adjustment controller
JPS5847058B2 (en) Multiple system switching control method
Goble High availability systems for safety and performance—the “coverage” factor
JPS61148539A (en) Information processor
Williams et al. Redundant and voting systems
Sudduth 4 DIGITAL SAFETY SYSTEMS FOR NUCLEAR POWER PLANTS

Legal Events

Date Code Title Description
PS Patent sealed [section 19, patents act 1949]
PCNP Patent ceased through non-payment of renewal fee

Effective date: 19960602