Fly-by-wire (“FBW”) aircraft flight control systems are increasingly becoming the preferred type of flight control system for modern aircraft. The FBW type of control system replaces the relatively heavier and more error prone mechanical and hydro-mechanical types of flight control systems.
A FBW flight control system commonly comprises a computer system interposed between: (1) the flight control inputs given both automatically by various aircraft component sensors and subsystems such as the autopilot and manually by the pilots via, e.g., sidestick or yoke controllers, switches, levers, etc.; and (2) the aircraft flight control surfaces and other devices that ultimately control the operation and direction of the aircraft in flight. That is, the inputs from the pilots and the sensors are not connected directly to the aircraft flight control surfaces to be controlled (e.g., ailerons, rudder, elevators, spoilers, slats, flaps, etc.). Instead, the pilot and sensor inputs are routed to a computer system (e.g., typically comprising more than one computer or data processor device for safety redundancy purposes) that contains the flight control logic which interprets the sensor and pilot inputs and outputs flight control surface position commands that move the aircraft flight control surfaces according to control laws (“CLAWS”) stored in the computer system to effect changes in the aircraft's pitch, roll, yaw, altitude, etc., for example. In the alternative, the computer system can be replaced partly or entirely with analog electronic circuits to achieve the same result. However, the clear trend is to use digital computers that contain the control laws and the input and the output processing logic and which are interposed between the various inputs and the output actuators associated with their respective aircraft flight control surfaces.
FBW control systems represent a relatively large weight savings (and, thus, significantly reduced fuel costs) on the aircraft as compared to the traditional mechanical or hydro-mechanical flight control systems. This is due to the relatively heavy and bulky cables and associated mechanical components of the traditional systems being replaced by wires and relatively simple actuators. Other advantages of FBW systems include a reduction in the workload of the pilots, reduced maintenance time and costs, and increased flight safety as the flight control laws and overall flight envelope can be more precisely tailored to the pilot sidestick or yoke control input devices and the sensor input signals. The FBW control system also commonly allows for “automatic pilot” operation of the aircraft in certain flight situations as the flight control computer is typically responsive to various sensor inputs and directs the aircraft flight control surfaces according to the control laws—all without pilot input or involvement.
However, FBW flight control systems are not without their drawbacks. The older mechanical and hydro-mechanical flight control systems tended to fail gradually over time. This made it relatively easy to identify and correct in advance for any such failures. In contrast, the computer-based FBW control systems tend to fail “completely” in that the computer-based system may suddenly “crash” and leave the pilots without the ability to control the aircraft. Thus, typically some type of redundancy is built into a FBW system for safety purposes. For example, three or four computers may be used that are redundantly connected (e.g., in a “triplex” or “quadruplex” configuration) and may even be of different hardware and/or software design to avoid a multiplicity of computer failures at any one time due to a single type of problem. That way if one of these “primary” flight control computers fails, then two or three other “primary” flight control computers are likely still operational and at least one of them can control the aircraft. Also, redundant computers having reduced computer computational capacity (as compared to the “primary” flight computers) may be used to control the aircraft (albeit with perhaps reduced control capacity—typically known as “secondary” flight computers) in the event of failure of all of the “primary” flight computers. A FBW system may even have a mechanical flight control system as a backup in case of a failure of the flight control computers.
Each primary and/or secondary flight control computer may have at least two or more separate processor “channels” or “lanes,” where each channel or lane has a processor that processes the aircraft control laws. That is, each channel processor is responsive to the various aircraft input signals and provides corresponding flight control surface position command output signals to the actuators or other mechanisms associated with various aircraft flight control surfaces. Thus, the channel processors may be considered to be running in parallel. If the processor in each channel or lane is operating correctly, then the output signals from all of the channel processors should be identical. Any discrepancy in the output signals from the two or more channels or lanes may be interpreted as a failure of that particular flight control computer.
The processors within the channels may be of a different hardware and/or software design (e.g., dissimilar control law algorithms), to reduce the risk that a particular type of processor hardware or software failure will simultaneously affect the processors in all of the channels or lanes thereby rendering failure detection by comparison of outputted signals not possible as the failure could be identical in both channels or lanes.
While it common for the channel processors to have some type of testing performed on them at certain times during operation (e.g., at start up, periodically, pilot-initiated, etc.) to check if they are functioning properly, there is a type of error that is unknown and, if it occurs and left uncontained, could cause a dangerous condition for the aircraft. This type of unknown error is typically referred to as a software “residual” error, and is generally a type of unknown error in the software that embodies the aircraft flight control system control laws. Also, this type of error does not manifest itself in testing of the channel processors prior to being placed into operation on an aircraft. Instead, a residual error usually only manifests itself during actual aircraft operation. As such, it is of utmost importance to recognize the occurrence of such an error and to contain it as fast as possible.
In the past it has been known to have the channel or lane processors run dissimilar software as between each processor in an attempt to sense a residual software error. For example, it is known to use two different groups of software programmers to write the software code that implements the desired functionality of the channel processors—one group of programmers for each processor. This inherently results in two different sets of executable software code being developed, with the resulting two different sets of code being executed by the two channel processors.
It is also known to have one software code written for the two channel or lane processors. However, if the code is compiled by two different compilers, the result again is two different sets of code, which can be executed by the two channel processors.
In either case of the different software codes described above, the two channel or lane processors have their flight control surface position command output signals compared for any discrepancy or difference therebetween, and, thus for an abnormality in the form of a “residual” error. If such an abnormality exists, then steps can be taken, for example, to remove the exercise of control over the flight control logic by that flight control computer having the abnormality and replace it with one of the remaining operational redundant flight control computers within the overall FBW flight control system. Generally, because of the nature of the residual error embedded in the flight control software, no attempt is made to debug or fix the residual software error “on the fly” while the now defective flight control computer is still operational with the aircraft in flight.
What is needed is an improved aircraft flight control system that monitors various sensed actual input signal values and/or pilot commanded input signal values of each of more than one aircraft flight parameter using one of at least two different flight system computer channels or lanes to check for abnormal flight system computer operation in the form of a residual software error in the commanded output signal for each of the more than one aircraft flight parameter.