This invention relates to systems which incorporate redundant backups, and particularly, to arrangements that automatically respond to defect in one of a number of singly redundant equipment groups of devices that make up a system by reconfiguring the combination.
Such redundant groups of devices (or equipment groups) occur, for example, in space vehicles where it is important to make the system as fail-safe as possible. In a single redundancy system, each device (or piece of equipment) is present in duplicate. The devices may be in the form of ground sensors or their evaluating circuits, control apparatuses for firing of attitude control nozzles, or instruments for measuring the rotary speed of inertial wheels. If one of these devices fails, a redundant device must operate as quickly as possible. This becomes a problem, for example, where a satellite can make radio contact with a ground station only during certain limited time spans of its orbit. Between these time spans, when radio contact is impossible, the system must be certain to stabilize satellite functions at least enough not to endanger the mission. Adequate attitude control is of extreme importance in this connection. If possible, the satellite should not be completely lose its desired attitude. It should not tumble uncontrollably, nor must it spin too fast due to interference moments. The excess centrifugal forces caused by such fast spins could endanger the solar panels which extend from the space vehicle. Moreover, the speeds of the flywheels should not exceed their upper limits too much. Defects affecting these functions would endanger the entire mission of a satellite.
Therefore, the problem is to switch immediately to another intact device if one currently active device fails. Normally, at least the devices in operation are checked continuously by monitoring characteristic function parameters. For reasons of cost, this check does not have to cover all of the devices, it being sufficient to monitor only certain particularly critical function parameters. However, this raises a difficulty. A function parameter drifting out of a specific permissible range does not always indicate that the device furnishing this function parameter is in itself defective. The defect may occur in another device which is not be monitored. This can only be determined by more thorough and time-consuming trouble shooting which is possible only with the aid of the ground station. Accordingly, one cannot solve this problem by simply shutting off the device reporting the fault and replacing it with its redundant partner, because the device itself may not necessarily be defective at all.
An object of the invention is to overcome these difficulties.
Another object of the invention is to provide an arrangement which responds to a defect by turning on a definitely intact combination of devices to maintain the satellite in a stabilized attitude until the next radio contact with the ground station so that the actual error source can be sought and the defective device identified.