The safe operation of aircraft obviously depends upon reliable flight critical actuation control systems. Therefore, it is desirable to provide a high level of fault tolerance in such systems. Fault tolerance of systems in general can be classified based on the outcome of a failure in the system. A "fail operational" system may be defined as one in which a first failure in the system will not affect the operation of the system, i.e. the system remains fully operational following a first failure. A "fail passive" system may be defined as one in which a first failure will result in an inoperable state of the system but not in a freezing of the system or runaway operation of the system. In a system which has neither fail operational nor fail passive fault tolerance, a first failure can be catastrophic. Modern flight critical aircraft control systems typically require built-in fault tolerance that operates automatically to detect failures and maintain operation of the control system by correcting or reconfiguring the system to isolate the failure and its effect.
Virtually all known flight critical control systems incorporate some degree of fault tolerance by the use of redundant components. An example is the type of dual, or tandem, hydraulic actuator disclosed in U.S. Pats. No. 4,807,516, granted Feb. 28, 1989, to one of the present applicants, Imre J. Takats; and No. 4,887,214, granted Dec. 12, 1989, to said applicant and George W. Aziz. The actuator has two redundant halves coupled to a flight control surface through a common actuating rod. The two halves of the actuator are preferably operated by separate hydraulic systems. Each half of the actuator is controlled by its own electrohydraulic servovalve. Each of the servovalves may be controlled by signals applied to either of two redundant actuating coils.
The control systems disclosed in the above-cited patents include four control channels, one linked to each of the servovalve actuating coils. Control signals are generated by each channel as a function of a flight control signal from a flight control computer and a feedback signal indicative of the position of the hydraulic actuator rod. Two of the channels are primary channels and control the operation of the valves during normal operation of the system. The other two channels are secondary channels and control the valves in a fail operational mode of the system. In the event of a failure in a primary channel, its associated valve coil, or a feedback signal generating device associated with the channel, the primary channel can be switched out and the control of the valve switched over to a secondary channel. Thus, each half of the tandem actuator can continue to operate after a failure or malfunction in a primary control channel or one of its associated elements. In other words, the system is potentially fail operational.
In order to realize the fail operational capabilities of the control systems described above and other types of fail operational systems, it is necessary to detect the failure and accomplish the switching of control from the failed channel to an operational channel. One approach is for each channel to detect its own failure and signal its redundant channel to take over operation. A drawback of this approach is that the failed channel may not be capable of recognizing its own failure. This leads to the potentially serious problem of undetected failures.
A number of known flight control systems have addressed the problem of undetected failures by providing for force voting of the actuator operation. In other words, the effect of the failed channel is overcome by brute force. For example, movement of a piston in a desired direction may be accomplished by three or more separate forces controlled by a corresponding number of channels. If one of the channels fails, it may resist movement of the piston in the desired direction. One of the remaining operational channels opposes the failed channel to nullify its effect, and the other operational channel or channels continue to provide movement in the desired direction. This type of system is fail operational relative to a first failure. However, when the system has only three channels and the first failure remains undetected, the next undetected failure can result in loss of, or errors in, actuator operation. If there is a first undetected failure and a second detected failure, there may be failure transients (delays in the reconfiguration of the system) large enough to be unacceptable. In addition, the method of force voting generally adds to the mechanical complexity of a system and to the weight and cost of the actuator. Provision of four, rather than three, channels increases the fault tolerance by making the system fail operational relative to a first failure and fail passive relative to a second failure, but adds to the complexity, weight, and cost of the system.
A related known approach is electrical flux summing of the control signals from a plurality of channels. When an undetected failure occurs, flux summing results in an electromagnetic version of mechanical force voting. For example, an electric force-motor may be provided with three or more coils controlled by a corresponding number of channels. The results of a failure in this type of system and the problems associated with the system are substantially the same as the results and problems discussed above in connection with mechanical force voting systems.
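As an added illustration that is not part of the patent text, the following Python model enumerates worst-case failure combinations for the force-voting and flux-summing arrangements described in the two preceding paragraphs, showing why three channels are fail operational only for a first failure while four channels are also fail passive for a second. The unit force values, and the treatment of a detected failure as a switched-out channel contributing no force, are constructed assumptions.

```python
from itertools import combinations

# Added model of the force-voting actuator described above (not from the patent).
# Each operational channel pushes the piston with unit force in the commanded
# direction. A failed channel is taken at its worst case: an undetected failure
# pushes hard-over against the command (-1); a detected failure has been switched
# out and contributes nothing (0). These force values are constructed assumptions.

OPERATIONAL, UNDETECTED_FAIL, DETECTED_FAIL = 1, -1, 0

def net_force(n_channels, undetected=(), detected=()):
    """Net force on the piston for the given sets of failed channel indices."""
    total = 0
    for ch in range(n_channels):
        if ch in undetected:
            total += UNDETECTED_FAIL
        elif ch in detected:
            total += DETECTED_FAIL
        else:
            total += OPERATIONAL
    return total

def outcome(force):
    """Classify the actuator state from the net force after a failure."""
    if force > 0:
        return "fail operational"   # piston still moves as commanded
    if force == 0:
        return "fail passive"       # inoperable, but neither frozen nor runaway
    return "catastrophic"           # runaway against the command

def worst_case_after_undetected(n_channels, n_failures):
    """Worst outcome over every combination of n_failures undetected failures."""
    forces = (net_force(n_channels, undetected=set(f))
              for f in combinations(range(n_channels), n_failures))
    return outcome(min(forces))

def tolerance_profile(n_channels):
    """Outcome after the 1st, 2nd, ... undetected failure for an n-channel actuator."""
    return [worst_case_after_undetected(n_channels, k) for k in range(1, n_channels + 1)]

if __name__ == "__main__":
    for n in (3, 4):
        print(n, "channels:", tolerance_profile(n))
    # Three channels: one undetected failure followed by one detected (switched-out) failure.
    print("3 channels, 1 undetected + 1 detected:", outcome(net_force(3, {0}, {1})))
```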