The present invention relates to an engine regulator, an engine and a method for regulating an engine. The present invention is intended in particular for use in aeroengines, in which flight-critical electronic and/or digital closed-loop control is used (so-called FADEC engines: full authority digital engine control). The present invention is very particularly suitable for aeroengines which are used in single-engine aircraft or for propulsion systems with thrust vector control. The present invention furthermore relates to a regulator for safety-critical, very high reliability applications, for example for closed-loop control systems for use in aviation or in nuclear power stations, an actuating or propulsion system, and a method for regulating an actuating or propulsion system.
A two-channel configuration of the engine regulator is known for FADEC engines. This means that all those components which are essential for operation are duplicated. Such components are, in particular, important sensors and actuators for the engine assembly and controlled system, hardware for signal conditioning and signal conversion, and the actual processor units for carrying out the control method. This is equally applicable to two-channel regulators, which are used in safety-critical or very high reliability applications.
A two-channel regulator or engine regulator provides a redundancy level which is in principle sufficient even for safety-critical applications. With modern circuit technology, the risk of failure of both channels is negligibly low. However, there is a difficulty in reliably identifying failure of one channel. While, for example, with a three-channel regulator or engine regulator, it is possible to compare the actuating signals produced by each channel and to make a majority decision, it is not possible to identify just from a pure error between the actuating signals in a two-channel regulator which of the channels has a malfunction.
For these reasons, the prior art provides for essentially autonomous monitoring within each of the two channels in two-channel engine regulators. This means that the functional monitoring of each channel is carried out by way of plausibility checks in which the data from the respective other channel can admittedly be included for fault identification, but can have no authority in terms of fault localization and fault reactions. Such plausibility checks and other channel-autonomous monitoring systems with high fault identification reliability are available for sensor systems, actuator systems and the hardware for signal conditioning and signal conversion.
Even with regard to the processor units, some fault situations can be monitored relatively easily and reliably. For example, a complete functional failure (crash) of a processor unit can be identified by providing a monitoring timer which is regularly reset by the processor unit. An alarm is triggered if the reset process does not take place before a time interval governed by the timer has elapsed. Other malfunctions can be identified, for example, by bus monitoring logic.
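The monitoring timer described above, as an added worked example that is not part of the patent text: the monitored processor unit resets the timer on every healthy loop iteration, while an independent check compares the time since the last reset against the permitted interval and latches an alarm on the first overrun. All times, interval values and reset schedules below are constructed and given in integer milliseconds.

```python
"""Monitoring (watchdog) timer for a processor unit: the unit must reset the
timer before the interval elapses, otherwise an alarm is raised.
Added example with constructed values; not the patent's own implementation."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class MonitoringTimer:
    interval_ms: int                 # longest permitted gap between two resets
    last_reset_ms: int = 0           # time of the most recent reset
    alarm_ms: Optional[int] = None   # time of the first alarm, once raised (latched)

    def reset(self, now_ms: int) -> None:
        """Called by the monitored processor unit on each healthy loop iteration."""
        self.last_reset_ms = now_ms

    def check(self, now_ms: int) -> bool:
        """Called from logic independent of the monitored unit; latches the
        first overrun of the interval and reports whether an alarm is pending."""
        if self.alarm_ms is None and now_ms - self.last_reset_ms > self.interval_ms:
            self.alarm_ms = now_ms
        return self.alarm_ms is not None


def first_alarm(reset_times_ms: Iterable[int], interval_ms: int, end_ms: int) -> Optional[int]:
    """Replay a constructed schedule of resets against the timer, checking every
    millisecond; return the time of the first alarm, or None if the unit kept
    resetting the timer in time for the whole run."""
    timer = MonitoringTimer(interval_ms)
    resets = set(reset_times_ms)
    for now_ms in range(end_ms + 1):
        if now_ms in resets:
            timer.reset(now_ms)
        if timer.check(now_ms):
            return timer.alarm_ms
    return None


if __name__ == "__main__":
    # Unit crashes after its reset at 400 ms: alarm at 551 ms (interval 150 ms).
    print(first_alarm([100, 200, 300, 400], 150, 1000))
    # Unit resets every 100 ms for the whole run: no alarm.
    print(first_alarm(range(0, 1001, 100), 150, 1000))
```

Note what this check does and does not cover: it detects a complete stall of the processor unit, but a unit that keeps resetting the timer while computing wrong results is invisible to it, which is why the sporadic faults discussed below need the comparison-based monitoring.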
However, there is a problem in that some processor unit faults can be identified only with difficulty. This relates in particular to malfunctions which occur only sporadically or when the processor is in specific operating states. Thus, for example, the resistance of metallization can increase gradually due to corrosion. Initially, this can lead to temporary faults which, for example, occur only when the processor supply voltage falls somewhat below the normal value, or rises above this value, in some flight situations or in particular operating states, such as during engine starting. Such faults, which may also be early indicators of a permanent failure, can lead with a relatively high degree of probability to dangerous malfunctions, and can be determined only with difficulty in two-channel engine regulators.
An object of the present invention is accordingly to avoid the above-mentioned problems, and to improve the operational safety in particular of a two-channel regulator or engine regulator, with little complexity. In particular, the present invention is intended to allow reliable identification of dangerous processor malfunctions.
According to the present invention, this object is achieved by an engine regulator or regulator having the features of claim 1 or 11, respectively, by an engine having the features of claim 8, and by a method for regulating an engine or an actuating or propulsion system having the features of claim 9 or 19, respectively. The dependent claims relate to preferred refinements of the invention.
The present invention is based on the fundamental idea of comparing calculation results in one channel of the regulator or engine regulator firstly with a channel-internal estimate of the correct results, and secondly with the results from the respective other regulator channel. Two checks are thus carried out, namely channel-internally for plausibility, and channel-externally by way of a comparison of results. This achieves fault identification with reliability similar to that of a three-channel regulator design, without a third regulator channel.
The present invention provides that each regulator channel has at least two processor units, of which in each case one operates as a calculation unit for its own calculation process for each function to be checked, and another operates as a monitoring unit. The calculation unit and the monitoring unit carry out both the channel-internal plausibility check of the results of the calculation unit, and the comparison with the results from the other channel. This measure ensures that the two monitoring activities take place independently of any possible malfunction in the calculation unit or in the monitoring unit.
The presence of a number of processor units per channel provides the required computation performance. Even taking account of the expected growth in computation capacities, at least two processor units will be desirable per channel even in the future, in order to allow software with different criticality levels to be mutually separated. Subject to these boundary conditions, no additional hardware complexity is required for the solution according to the present invention. The present invention can have a particularly advantageous cost-effectiveness ratio in other configurations as well.
Thus, overall, the present invention ensures reliable identification of computer failures with the minimum possible effect on the capability to use the installed computation performance. Each processor unit in both regulator channels requires only a small portion of its computation capacity for its tasks as a monitoring unit. The vast majority of the computation capacity can be used by the processor unit to carry out complex control processes for other control loops or other functions, as a calculation unit.
Each monitoring unit preferably has a fault integrator which integrates errors determined during the comparisons and, likewise, other indicator values for malfunctions. The integration rate is in this case preferably dependent on the severity of the error or malfunction. The error value determined by the fault integrator preferably decays gradually if no further malfunctions occur.
Any error determined during the comparisons is preferably reacted to only if both comparisons indicate a malfunction of the channel being monitored. This allows the respective faulty channel to be determined reliably.
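The scheme of the preceding paragraphs, as an added worked example that is not part of the patent text: each channel's monitoring unit runs a channel-internal plausibility check (calculation result against its own coarser estimate) and a cross-channel comparison (result against the other channel's result), each feeding a fault integrator whose integration rate grows with the severity of the error and whose value decays when no error is present; a channel is declared faulty only when both checks indicate it. The control law, gains, tolerances, thresholds, sensor readings and the sporadic fault injected into channel A are all constructed. The scenario also shows the point made earlier about two-channel regulators: the cross-channel comparison alone fires in both channels and cannot say which one is wrong; the channel-internal check is what localizes the fault.

```python
"""Two-channel regulator monitoring: channel-internal plausibility check plus
cross-channel comparison, each feeding a fault integrator; a channel is declared
faulty only when both checks indicate a malfunction.  Added example with
constructed constants and a constructed sporadic fault; not the patent's code."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

KP, KFF = 0.8, 0.05   # constructed gains of a proportional + feed-forward law


def control_law(setpoint: float, measured: float) -> float:
    """Calculation unit: the channel's actuating signal."""
    return KP * (setpoint - measured) + KFF * setpoint


def plausibility_estimate(setpoint: float, measured: float) -> float:
    """Monitoring unit's independent, coarser estimate of the correct result
    (it omits the feed-forward term; the internal tolerance must cover that)."""
    return KP * (setpoint - measured)


@dataclass
class FaultIntegrator:
    tolerance: float          # errors below this count as no malfunction
    threshold: float = 20.0   # integrated value at which the check 'indicates'
    decay: float = 1.0        # decrease per cycle while no malfunction is seen
    value: float = 0.0

    def update(self, error: float) -> float:
        excess = error - self.tolerance
        if excess > 0:
            # integration rate grows with severity (excess relative to tolerance)
            self.value += excess / self.tolerance
        else:
            self.value = max(0.0, self.value - self.decay)   # gradual decay
        return self.value

    def indicates(self) -> bool:
        return self.value >= self.threshold


@dataclass
class MonitoringUnit:
    internal: FaultIntegrator = field(default_factory=lambda: FaultIntegrator(tolerance=60.0))
    external: FaultIntegrator = field(default_factory=lambda: FaultIntegrator(tolerance=10.0))
    faulty: bool = False      # latched fault reaction for this channel

    def monitor(self, result: float, estimate: float, other_result: float) -> bool:
        self.internal.update(abs(result - estimate))        # channel-internal check
        self.external.update(abs(result - other_result))    # cross-channel check
        if self.internal.indicates() and self.external.indicates():
            self.faulty = True   # react only when BOTH checks indicate
        return self.faulty


def run_scenario(cycles: int = 40, fault_cycles: Iterable[int] = range(10, 19, 2)) -> Dict[str, object]:
    """Constructed scenario: channel A's calculation unit sporadically corrupts
    its output (+500 on every other cycle from 10 to 18); channel B is healthy.
    Each channel has its own sensor (B reads 2 rpm higher than A)."""
    setpoint, measured_a, measured_b = 1000.0, 950.0, 952.0
    fault_cycles = set(fault_cycles)
    mon_a, mon_b = MonitoringUnit(), MonitoringUnit()
    first_flag_a: Optional[int] = None
    for cycle in range(cycles):
        result_a = control_law(setpoint, measured_a)
        result_b = control_law(setpoint, measured_b)
        if cycle in fault_cycles:
            result_a += 500.0    # sporadic fault in channel A's calculation unit
        est_a = plausibility_estimate(setpoint, measured_a)
        est_b = plausibility_estimate(setpoint, measured_b)
        if mon_a.monitor(result_a, est_a, result_b) and first_flag_a is None:
            first_flag_a = cycle
        mon_b.monitor(result_b, est_b, result_a)
    return {
        "a_faulty": mon_a.faulty,
        "b_faulty": mon_b.faulty,
        "a_first_flag": first_flag_a,
        "a_internal_value": mon_a.internal.value,
        "b_internal_indicates": mon_b.internal.indicates(),
        "b_external_indicates": mon_b.external.indicates(),
    }


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key}: {val}")
```

In the run, channel B's cross-channel integrator trips just as A's does (both see the same disagreement), but B's internal check stays clean, so only A is declared faulty; the reaction is latched even though A's internal integrator later decays below its threshold once the sporadic fault stops.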
In preferred embodiments, the checked calculation results are output data from the calculation units, actuating signals, or intermediate signals.
The present invention is preferably suitable for applications in which defects in a digital engine regulator can lead to "dangerous" engine or system malfunctions. This relates in particular to single-engine aircraft or aircraft with thrust-vector control since, in this case, inadvertent engine failure or an incorrectly controlled thrust vector can lead to loss of the aircraft. In other applications, for example multi-engine civil aircraft, there are generally "safe" authority limitations for FADEC systems (for example a speed limiter independent of the FADEC system). Although the use of the present invention is desirable for such applications, it is not absolutely essential.
An actuating or propulsion system comprises actuators, sensors and a regulator according to the present invention. The actuators, such as electromechanical actuating motors, pumps or the like, are used to control the system. The sensors, for example for measuring positions, temperatures, rotation speeds or the like, are used for detecting the system state (actual state), which is processed further in the regulator in order to form actuating signals. Such actuating or propulsion systems are used for safety-critical applications. These include, for example, the control system for an electromechanical aircraft door, the closed-loop control system for steady-state gas turbines and flight control systems which are used for aircraft navigation. Particularly in the case of highly safety-critical applications, which demand high functional availability, such as FADEC systems for single-engine aircraft, flight control systems or thrust-vector controllers, there is a dissimilarity between the processor modules in the two regulator channels.