The present invention relates generally to electrohydraulic actuation systems and specifically to a two/one (2/1) fail operational multi-redundant electrohydraulic actuation system.
Because aircraft are growing in size, weight and performance envelope, the loads which are imposed on flight control surfaces have long since increased beyond the point that simple mechanical advantage will permit direct operator control of the surface. In the past, partial boost systems have aided the aircraft pilot in controlling his machine much the same way as power-assisted steering or brakes aid an automobile driver. However, where in the event of failure of the power-assist, the loads imposed cannot be met by a pilot, then there is no advantage in having a power-assisted control surface over a completely hydraulic or electronic control system.
Many modern aircraft utilize what are referred to as fly-by-wire (FBW) controls for operation of aircraft control surfaces. Such a fly-by-wire system generally reduces control inputs by the pilot to one or more signals which are utilized to control an electrical, hydraulic, or combination electrohydraulic actuation stystem which ultimately moves the flight control surface the required amount. Obviously, in such a system, failure of any one component could have disastrous results.
Accordingly, it has become common to have several control channels and actuators such that if there is a failure in one channel/actuator system there is a second or backup system in order to maintain control of the aircraft until the problem can be corrected.
A typical one/one (1/1) fail-operational actuator system is shown in FIG. 1. Electric channels 1 and 3 provide control signals to electrohydraulic servoactuators "A" and "B", respectively. Redundant electric channels 2 and 4 provide comparison outputs to the monitor and shutdown logic system. The actual servoactuator outputs, 1 and 2, are compared in the monitor and shutdown logic circuit to the comparison outputs of electric channels 2 and 4, respectively, and in the event that there is a disparity between output 1 and electric channel 2 or output 3 and electric channel 4, monitor and shutdown logic "A" or "B" would shutdown servoactuator "A" or "B", respectively.
Thus, a failure of any one electric channel or any one servoactuator will result in the shutting down of either output 1 or output 2, hence the designation of a one/one (1/1) fail-operational actuator.
As can be seen, a failure in one of electric channel 1 or electric channel 2 or servo actuator A and one of electric channel 3, electric channel 4 or servoactuator B will result in total failure of the control system with possible loss of control of the aircraft.
One improvement upon the FIG. 1 one/one fail-operational actuator is shown in U.S. Pat. No. 3,505,929, issued Apr. 14, 1970 to Coppola, et al. Here, three active electrohydraulic actuators 2, 4, 6 and a single electronic actuator model 7 are provided along with an electronic comparator and suitable logic circuitry. One of the hydraulic actuators is considered to be an active channel and electronic control inputs are applied to it and the other two standby hydraulic actuators which move in concert with the single active channel but are not normally physically connected thereto. Detection of a failure in the active channel results in deactivation of the failed channel and immediate physical connection of one of the standby channels which assumes control. Failure of the now-active standby channel results in the last standby channel being activated accordingly. Therefore, this system can withstand as many as two channel failures with undegraded performance.
It can be seen that if the three electrohydraulic servo channels 2, 4 and 6 were monitored for a failure (as indicated by a position reading on one servoactuator which is substantially different from the position readings on the other two servo actuators) the system with two failures would be rendered inoperative (the logic assembly not knowing after a first failure, which of the remaining two electrohydraulic servo channels is good and which is failed in the event of a second failure). Therefore Coppola adds an electronic actuator model 7 which receives the same command signals as the electrohydraulic servo channels 2, 4 and 6 but utilizes electronic modeling to provide an output which is indicative of the positional output to be expected from a good electrohydraulic servo channel.
This modeled output is utilized in conjunction with the three position outputs from the servo channels which permits two failures to occur while still retaining the required degree of control. The logic circuitry utilizes "voting" among the three actuator position outputs and the modeled output such that the one output which differs from the remaining three outputs is considered failed and disconnected. Thus, regardless of whether the failed output is an actuator or a model channel, two failures can be tolerated and at all times two channels will remain for comparison (either two actuator channels or an actuator and a model channel). It should be pointed out that for this type of redundancy, three complete servoactuators are necessary as well as four electronic channels one of which including an electric model of the servoactuator.
It also has been found that it is extremely difficult to accurately model the position of a servoactuator because the position is dependent upon the aerodynamic loads, for example, imposed on the actuator and in most instances, these loads are extremely non-linear and vary greatly with aircraft speed, attitude and atmospheric conditions. Consequently, the modeling of servoactuator position requires rather sophisticated electronics in order to accurately model actuator position. Where the weight of a given aircraft takes away from its payload carrying capabilities, the penalty paid for carrying along three servoactuators and a complex computer model of a servoactuator may be unwarranted and accordingly a lesser redundancy in the control system is tolerated.
In U.S. Pat. No. 4,159,444 issued June 26, 1979 to Bartlett et al, a dual actuator system provides rate information which is compared with rate information geneated by a model and if one servoactuator channel differs substantially from the model and the other servoactuator channel the differing channel is disconnected as a failed channel. Specifically, in the FIG. 5 embodiment of the Bartlett et al patent, dual models and monitors are utilized which provide basically the redundancy outlined in the prior art discussed above with reference to FIG. 1 in the present specification. Failure of either the servoactuator or the model for that servoactuator results in the shut down of the servoactuator as failed.
Thus, there is a need for a two/one (2/1) fail-operational actuator (capable of tolerating two electric or one hydraulic failure and still maintain itself operational) with a minimum amount of additional weight and without complex position modelers.