1. Field of the Invention
The invention relates to automatic flight control systems utilizing digital flight control computers, particularly with respect to utilizing redundant dissimilar digital data processing to reduce safety hazards resulting from generic faults in the software or the processors.
2. Description of the Prior Art
Automatic flight control systems are constrained by Federal Air Regulations to provide safe control of the aircraft throughout the regimes in which the automatic flight control system is utilized. Any failure condition which prevents continued safe flight and landing must be extremely improbable. Present day regulations require a probability of less than 10.sup.-9 failures per hour for flight critical components. A flight critical portion of an automatic flight control system is one, the failure of which will endanger the lives of the persons aboard the aircraft. Generally, the safety level of components of the system is determined by analysis, testing and field history procedures familiar to those skilled in the art. Such procedures are often referred to as verification and validation. Analysis of non-critical flight control system elements, however, typically need only be performed to at most a level of 10.sup.-7 failures per hour. For example, components of an automatic flight control system utilized in automatically landing the aircraft may be designated as flight critical, whereas, certain components utilized during cruise control may be designated as non-critical.
Automatic flight control systems utilizing analog computers and components had been prevalent in the art wherein it had been completely practical to perform the verification and validation procedures to certify conformance of such systems to the safety requirements of the Federal Air Regulations. Traditionally, such analog systems utilized independent control of the aircraft axes by providing, for example, independent pitch and roll control channels. Certification analysis was facilitated by the axis independent control. A hardover failure, for example, in the pitch or roll axis affected only that axis.
A known technique for enhancing automatic flight control system reliability is that of dual redundancy. Dual redundancy is the utilization of two identical channels with cross channel monitoring to detect a failure in one of the channels. Although such systems are effective against random faults, cross channel monitoring does not provide effective detection of generic faults. A generic fault is defined as a fault that is inadvertently designed into a component such that all like components generically have this fault and respond in a like but defective manner. When identical components having a generic fault are in respective redundant channels, the cross channel monitoring detects the same although erroneous output from both channels and therefore does not detect the error. Such generic faults are also denoted as design errors. In the prior art, in order to satisfy the Federal Air Regulations, the absence of generic faults was traditionally proven by analysis and testing to the required level.
Such prior art dual redundant systems with identical channels provided fail passive performance with respect to random faults. When the cross-channel monitoring detected different outputs from the two channels, the dual channel automatic flight control system was disengaged thereby failing in a passive manner. In order to effect fail operational performance with respect to random faults, two such dual redundant channel pairs were conventionally utilized whereby a miscomparison in one pair would result in shut down of that pair with the other channel pair remaining in operation. The occurance of a second random fault in the remaining channel pair would effect passive shut down of the system. For the reasons discussed above, such multiply redundant systems were ineffectual in detecting generic faults.
In present day technology, stored program digital computers are supplanting the analog computer of the prior art technology. It has generally been found that a digital computer including the hardware and software is of such complexity that the verification and validation analysis for certification in accordance with Federal Air Regulations is exceedingly more time consuming, expensive and difficult than with the analog computer. The level of complexity and sophistication of the digital technology is increasing to the point where analysis and proof of certification to the stringent safety requirements is approaching impossibility. Such digital systems possess an almost unlimited number of unique failure modes and indeterminable effects. To further exacerbate the difficulty, current day digital flight control computers perform all of the computations for all of the control axes of the aircraft in the same black box unlike in the analog computer approach where the control of the aircraft axes was provided by separate respective black boxes. It is appreciated that modern aircraft are stressed to withstand hardovers in the pitch axis or the roll axis but not in both axes simultaneously.
A further problem engendered by the introduction of the programmed digital computer technology into automatic flight control systems is that the extensive software required is susceptible to generic design errors. An error can arise in the definition phase of software preparation as well as in the coding thereof. A generic design error can occur in the attendant assembler or compiler as well as in the micro-code for the processor. In the prior art, in order to satisfy the stringent safety requirements of the Federal Air Regulations, exhaustive verification and validation was often utilized to prove the absence of such generic design faults in the software as well as in the processor hardware to the required level. It is appreciated that such verification and validation procedures are exceedingly time consuming and expensive. Software based redundant systems have the unique characteristic attribute of being precisely identical. Accordingly, a generic fault in, for example, detail program code or processor hardware may result in a unique set of otherwise benign time-dependent events precipitating precisely the same hazardous response in all redundant systems at precisely the same time. Thus the unique aspect of software systems to be precisely identical exacerbates the problems with generic faults in such systems.
For the reasons given above, it is appreciated that redundant identical channels of digital data processing with cross channel monitoring may not detect hardware and software generic design errors so that reliability can be certified to the required level. Furthermore, with the increasingly complex and sophisticated digital processing being incorporated into automatic flight control systems, it is approaching impossibility to prove by analysis the absence of such generic errors to the levels required by the Federal Air Regulations. It is appreciated that in a digital flight control channel, including a digital computer, sensors, input and output processing apparatus, and control servos, all of the processing for all aircraft axes are performed in the same computer and critical as well as non-critical functions are controlled by the same channel. Thus, the entire channel must be certified in accordance with the "extremely improbable" rule discussed above with respect to flight critical aspects of the system. Thus, even those portions of the system utilized for performing non-critical functions must be certified to the same level as the critical portions since the non-critical portions are within the same computation complex as the critical portions.
In order to overcome these problems, the automatic flight control technology has only recently advanced to the concept of dissimilar redundancy. In dissimilar redundancy, as currently utilized, dual dissimilar processors perform identical tasks utilizing dissimilar software with cross channel monitoring to detect failures. With this approach, a generic error designed into the processor or software of one channel will not exist in the processor or software of the other channel and the cross channel monitoring will detect the discrepancy. The remainder of the channel may then be readily analyzed to the safety levels required by the Federal Air Regulations. The dissimilar computation apparatus and software, however, need not be subject to the analysis, that, as described above, is currently approaching impossibility.
Such a prior art dual dissimilar processor system would be fail passive with respect to both random and generic faults. A random or generic fault occuring with respect to one of the dissimilar processors would be detected by the cross-channel monitoring and the dual dissimilar processor system passively disengaged.
None of the prior art system configurations discussed above provide fail operational performance with respect to generic faults. The utilization of multiple dual redundant systems with similar processing elements fails to detect generic faults for the reasons discussed above. A mere replication of dual channel subsystems utilizing dissimilar processing elements would result in a fail passive capability rather than the fail operational performance that such a system configuration would be expected to provide. This is because a generic fault detected in one dual subsystem causing that subsystem to be disengaged would be present in the corresponding element in the other subsystem also resulting in disengagement thereof. Thus this dual-dual dissimilar configuration instead of providing fail operational performance, as is expected from this system arrangement, results in a fail passive system which is the property otherwise obtainable from one half the system.