In a full authority digital control system the control activity is commonly regulated by a digital data processor which is itself responsive to sensed and/or desired operating conditions. The number of these operating conditions may be large, and each of the individual conditions may fall within substantial ranges of values. The combinations and sequences of the operating values will then be very large indeed, so that it will not be possible to test the system over the whole of the combined operating conditions which it may encounter in use. The problem is increased by the relative ease with which a digital control system may be reprogrammed, so that extensive tests carried out with the system under control of a superseded program will no longer be valid.
UK Patent application 2105492A discloses a full authority digital control system in which control signals from a first digital computer are compared with limit signals which are generated by a second computer, which is responsive to at least some of the input signals supplied to the first digital computer. If the control signals from the first computer exceed limits set by the second computer, control of the system is switched to a third computer which is dissimilar to the first computer. In order to enhance the reliability of the second and third computers it has been proposed that the second computer shall be an analog computer and that the third computer shall be responsive to a limited number only of the input parameters of the first computer, and shall provide only a crude emergency control of the system.
Inability to predict the response of a full authority system under all operating conditions has led to reluctance on the part of authorities connected with airworthiness to approve such systems for use in aircraft, particularly since an inappropriate response of the system to a combination of conditions may cause malfunction of all apparatus controlled by the data processor. It will be apparent moreover that duplication of identically programmed computers will not overcome this problem, since each is likely to malfunction simultaneously and in the same way.
The present invention provides a control system having two digital computers each of which is capable of providing output control signals over a full range of input parameters, and in which the control signals from each computer are subject to rigorous checks. Specifically, the invention provides that the output control signals from each digital computer are checked against a corresponding control signal provided by a separately-programmed dissimilar computer, and against a limit signal provided by a separately-programmed dissimilar computer. Additionally, each limit signal is checked against a corresponding limit signal which is provided by a computer which is dissimilar and separately programmed from the computer providing the first-mentioned limit signal.
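The following Python sketch is an added illustration, not part of the patent application: it contrasts the comparison of identically programmed duplicates with the three checks described above. The control laws, the defect, the limit formulas and the tolerance are constructed assumptions, as is the reading of "checked against" as agreement within a tolerance and as not exceeding the limit.

```python
# Added illustration. All formulas, names and numeric values are constructed.
TOL = 0.05  # assumed agreement tolerance; the page gives no value


def law_a(demand, temp):
    """Lane program with a constructed defect: gain doubles above temp 900."""
    gain = 1.6 if temp > 900 else 0.8
    return gain * demand


def law_b(demand, temp):
    """Separately programmed dissimilar computer meeting the same requirement."""
    return demand * 4 / 5


def limit_c(demand, temp):
    """Limit signal from a dissimilar computer (assumed upper bound)."""
    return min(1.0, 0.05 + 0.9 * demand)


def limit_d(demand, temp):
    """Corresponding limit signal, separately programmed from limit_c."""
    lim = (demand * 9 + 0.5) / 10
    return lim if lim < 1.0 else 1.0


def duplicate_check(demand, temp):
    """Two identically programmed computers compared with each other."""
    return abs(law_a(demand, temp) - law_a(demand, temp)) <= TOL


def dissimilar_check(demand, temp):
    """The three checks on one lane; returns the names of the failed checks."""
    control, peer = law_a(demand, temp), law_b(demand, temp)
    limit, peer_limit = limit_c(demand, temp), limit_d(demand, temp)
    failures = []
    if abs(control - peer) > TOL:
        failures.append("control_mismatch")
    if control > limit:
        failures.append("limit_exceeded")
    if abs(limit - peer_limit) > TOL:
        failures.append("limit_mismatch")
    return failures


if __name__ == "__main__":
    for temp in (500, 950):  # 950 triggers the constructed defect
        print(temp, duplicate_check(0.5, temp), dissimilar_check(0.5, temp))
```

At the defective operating point the duplicates agree with each other, so their comparison passes, while the dissimilar control and limit checks both flag the lane.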