The present invention relates to flight control systems present in aircraft.
These flight control systems are at the interface between the piloting members (stick, rudder bar, etc.) and the various movable flight surfaces of the aircraft (such as the rudders, elevators, ailerons, stabilizers, etc.).
Modern airliners possess flight control systems of “fly by wire” type in which the mechanical actions on the piloting members are converted into signals transmitted to actuators controlling the displacement of the flight surfaces, these orders being transmitted to the actuators by advanced computers.
These orders are computed according to several types of flight laws. One of these laws, called the normal law, is an assisted piloting law which reprocesses the piloting setpoints provided by the piloting members so as to optimize the piloting conditions (comfort of the passengers, stabilization of the aircraft, protection of the flight domain, etc.). Another law, termed the direct law, merely retranscribes the aircraft displacement instructions transmitted by the electric flight controls, without the reprocessing of these signals that is aimed at improving piloting performance.
As illustrated in FIG. 1, a flight control system 1 is already known, comprising a control module 2 exhibiting two sets of computers 4 and 5 so as to determine the control orders to be transmitted to actuators 3. These computers are duplex computers, that is to say they comprise two computation units, one unit operating in command mode while the second typically performs the same computations in monitor mode.
The set 4 comprises two computers 4-1 and 4-2 capable of computing the command of the actuators 3 which is established according to the normal and direct control laws (these computers are called primary computers) and a computer 4-3 solely capable of computing this command established according to the direct law (this computer is called the secondary computer).
The set 5 comprises a primary computer 5-1 and two secondary computers 5-2 and 5-3.
All these computers are installed in an avionics bay and communicate with the actuators via direct analogue point-to-point links.
The actuators are linked to one or two computers, with, in the case of two computers, a “master/standby” architecture: the master computer ensures the validity of the control signal transmitted to the actuator, thereby ensuring the integrity of the device. When the master computer develops a fault, the “on-standby” computer takes over, thereby ensuring that a computer is always available.
To ensure the validity of its order, each computer exhibits a structure with dual computation units (these are dual-channel computers also referred to as “duplex” computers), which is not illustrated in FIG. 1.
The first unit is a control unit (COM) which implements the processing operations required for carrying out the functions of the computer, namely determining a control signal to an actuator.
The second unit is a monitoring or surveillance unit (MON), which for its part performs the same types of operations. The values obtained by each unit are then compared and, if there is a discrepancy which exceeds the permitted tolerance threshold, the computer is automatically deactivated. It then becomes inoperative and is declared faulty so that another computer can substitute for it so as to implement the functions relinquished by this faulty computer.
Each computer is thus designed to detect its own faults and disable the corresponding outputs while signaling its state.
The hardware of the primary and secondary computers is different so as to minimize the risks of simultaneous failure of the whole set of computers (hardware dissimilarity).
Moreover, the hardware of the two channels, control and monitor or COM/MON, of each computer is identical, but for safety reasons the software of these two channels is different so as to ensure software dissimilarity.
The architecture of a known duplex computer, that is to say one composed of two computation units operating in command/monitor mode, is illustrated by FIG. 2. The first unit 2.1 is the control unit, whereas the second unit 2.2 is the monitoring unit. These two units are based on one and the same hardware. This hardware is typically composed of an electrical power supply 2.11, 2.21 receiving the energy required for its operation. A communication bus allows the exchange of data between a processor 2.12, 2.22 charged with the computations and a work memory 2.13, 2.23. This memory makes it possible to store the programs carrying out the various computing functions required, typically the functions implementing the various laws, normal law or alternative law (alternate) and/or direct law, which are used to control the flight surfaces. An input/output module 2.15, 2.25 makes it possible to exchange data with the other computers. It also makes it possible to receive the data, typically position data, originating from the airfoils and the setpoints emanating from the piloting members. A watchdog makes it possible to exit from a software lockup through a resetting of the unit. The output unit also makes it possible to send the result of a command to the actuator of an airfoil. This sending is controlled by the relays 2.16 and 2.26 which make it possible to block the sending of a command when the computer is determined as being non-operational.
This computer operates according to the following principle. The control unit carries out the computation of the commands to be sent to an airfoil as a function of the setpoints received from the piloting members. This computation is carried out according to the law which is active for the computer. The associated monitoring unit carries out the same computation on the basis of the same data, using the same law. The computation is carried out by a different item of software implementing the same law so as to comply with the principle of software dissimilarity. The command computed must therefore be the same within the limits of rounding errors or other minor divergences introduced through the use of two different items of software. The result obtained by the control unit and that obtained by the monitoring unit are therefore compared and their difference is tested against a tolerance threshold. If the difference is greater than this tolerance threshold, the computer is declared non-operational and its outputs are deactivated. Another computer operating according to the same principle is then activated to take over control of the airfoil. It is noted that both units of the computer are deactivated even though the fault usually affects only one of these two units. The availability of the system is ensured through the redundancy of the computers involving high redundancy in terms of computation units.
The architecture proposed is based on a set of flight control computers, or FCC, of the simplex type, that is to say which are composed of a single processing unit, rather than of two processing units. These computers allow the control of actuators acting on the airfoils. These actuators are controlled locally by a control unit called the FCRM (Flight Control Remote Module). These FCRMs are structured according to the command/monitor model described above. They therefore consist of a control unit and of a monitoring unit. The control unit physically drives the actuator. The monitor duplicates the computations carried out by the control unit. The results of the two units are compared and, in case of divergence, the actuator is deactivated. Typically, in this case a damped mode of operation of the actuator is forced. In this mode, the actuator plays the role of a passive damper on the airfoil. These remote controllers are involved in the control logic and therefore require this redundancy in order to ensure the safety level required.
The communication between the computers and the actuators is ensured by digital data buses. It is possible to use, for example, buses in a data network, such as an AFDX™ data network which is a bus and network developed by European avionics industries for Airbus, or a bus such as described in specification MIL-STD-1553 used in military avionics. Advantageously, each computer is linked by such a bus, or a set of such buses, to each actuator.
Certain of the computers are endowed with advanced functions: typically, they are capable of computing the airfoil commands in accordance with the whole set of flight laws available. These computers are dubbed primary computers. They are used as a priority. Other computers are endowed with simpler functions. Typically they are capable only of the direct law, where the setpoints received from the piloting members are transmitted directly to the actuators. These computers are dubbed secondary and are typically used when all or some of the primary computers are non-operational. Advantageously, the various primary computers are endowed with different software ensuring the same functions so as to achieve software dissimilarity of the system. The secondary computers may be endowed with the same software, which will nevertheless advantageously be dissimilar from the software used by the primary computers.
The safety afforded in the prior art by the use of duplex command/monitor computers is afforded in the architecture proposed through the definition of logic computer pairs used in command/monitor mode. Typically each computer participates in two command/monitor pairs. For one of the pairs it acts in command mode. For the other pair, it acts in monitor mode. Thus, typically, there are as many command/monitor pairs as there are computers involved. Each computation is then performed twice by each computer, a first time in command mode on behalf of the first command/monitor pair and a second time in monitor mode for the second command/monitor pair. As a result, a fault with a computer invalidates the command/monitor pairs in which it participates, but the other computers continue to be active and used within the remaining command/monitor pairs. This approach is in contradistinction to the prior art where a fault with a unit of a duplex computer brings about the deactivation of the entire computer and hence of the second unit.
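The tolerance comparison of the duplex computer and the logical command/monitor pairs described above can be compared side by side in a small model. This is an added example, not code from the patent: the ring pairing (computer i is COM of pair i and MON of pair i-1), the tolerance value, the pass-through law and all function names are assumptions made for illustration.

```python
# Added illustration (not from the patent): COM/MON comparison and pair survival.
TOLERANCE = 0.05  # assumed value; the page gives no numeric threshold


def command(setpoint, offset=0.0):
    """Direct-law stand-in: pass the setpoint through, plus any unit error."""
    return setpoint + offset


def pair_valid(offsets, com, mon, setpoint):
    """A COM/MON pair stays valid while both results agree within tolerance."""
    com_out = command(setpoint, offsets.get(com, 0.0))
    mon_out = command(setpoint, offsets.get(mon, 0.0))
    return abs(com_out - mon_out) <= TOLERANCE


def duplex_pairs(n_computers):
    """Prior art: computer k owns units 2k (COM) and 2k+1 (MON)."""
    return [(2 * k, 2 * k + 1) for k in range(n_computers)]


def ring_pairs(n_computers):
    """Assumed pairing: simplex computer i is COM of pair i, MON of pair i-1."""
    return [(i, (i + 1) % n_computers) for i in range(n_computers)]


def surviving(pairs, offsets, setpoint=1.0):
    """Return the pairs still allowed to drive an actuator."""
    return [p for p in pairs if pair_valid(offsets, *p, setpoint)]


def healthy_units_in_use(pairs, offsets, setpoint=1.0):
    """Units that still take part in at least one valid pair."""
    return sorted({u for p in surviving(pairs, offsets, setpoint) for u in p})


if __name__ == "__main__":
    fault = {0: 0.4}  # constructed fault: unit 0 is off by 0.4
    for name, pairs in (("duplex", duplex_pairs(2)), ("ring", ring_pairs(4))):
        print(name, surviving(pairs, fault), healthy_units_in_use(pairs, fault))
```

With four processing units in both layouts, the single fault removes the healthy unit 1 from service in the duplex case, while the ring keeps all three healthy computers working in two valid pairs.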