1. Field of the Invention
The present invention relates to a safety control apparatus for an internal combustion engine. More specifically, the invention relates to a safety control apparatus for a reciprocating engine and, more concretely, to a safety control apparatus for a reciprocating engine employed in a small aircraft.
2. Description of the Related Art
In general, a control system for an engine for an aircraft is controlled by a computer. The control system for an engine for an aircraft must maintain a high degree of safety and is, generally, constituted or a redundant system equipped with a pair of computer control systems and an observation circuit for changing over the pair of control systems.
As for the failure rate for the engine for an aircraft, it must satisfy very stringent criteria, since the engine is heavy and seriously affects the center of gravity of aircraft and, hence, affects the controllability of aircraft. In particular, the probability of serious troubles in the engine must be less than 1/1,000,000,000. In practice, however, such a stringent criterion cannot be accomplished by a simply constructed pair of systems relying upon computer systems using relatively cheap control CPUs.
In the computer systems using a relatively cheap control CPU, it may often happen that a normal state signal is output to an observation circuit despite the fact that the CPU is malfunctioning and is sending an abnormal output to the actuator. The state where a normal signal is output to the observation circuit during the abnormal condition is called a false normal state. In practice, the probability of generation of such a false normal state becomes higher than the probability of a serious problem. In a computer system for aircraft, therefore, the false normal state must be separately detected and the control system must be changed over to maintain a high degree of safety.
In an engine controller for a large aircraft that uses a gas turbine engine, a rotational speed sensor for detecting the rotational speed of the gas turbine is provided in order to enhance safety for the false normal state. The rotational speed sensor detects the overrunning of the gas turbine and, when overrunning of the gas turbine is detected, the rotational sensor renders the decision that one control system is in the false normal state and changes the control system over to another control system.
Here, the gas turbine engine used for large aircraft uses a continuous combustion system which makes it possible to execute computation control relying upon the detected parameters by regarding the system as a model and, hence, makes it possible to execute the control in a continuous manner. In the case of the gas turbine engine, therefore, a false normal state in the control system caused by the overrunning of the engine can be easily detected.
However, in a reciprocating engine used, for example, in a small aircraft, the combustion takes place intermittently, and it is difficult to express the process of combustion in the form of a mathematical expression. Therefore, the engine has been intermittently controlled relying chiefly upon the timing control. At the moment when the overrunning of the engine is detected, therefore, it is too late and the engine may have been damaged already. Therefore, a controller for reciprocating engines has not been fully furnished with countermeasure against the false normal state.