1. Field of the Invention
The invention relates to automatic flight control systems utilizing digital flight control computers, particularly with respect to reducing safety hazards resulting from generic design errors in the software or the processors.
2. Description of the Prior Art
Automatic flight control systems are constrained by Federal Air Regulations to provide safe control of the aircraft throughout the regimes in which the automatic flight control system is utilized. Any failure condition which prevents continued safe flight and landing must be extremely improbable. Present day regulations require a probability of less than 10^-9 failures per hour for flight critical components. A flight critical portion of an automatic flight control system is such that the failure thereof will endanger the lives of the persons aboard the aircraft. For example, components of an automatic flight control system utilized in automatically landing the aircraft may be designated as flight critical, whereas certain components utilized during cruise control may be designated as non-critical. Generally, the safety level of components of the system is determined by analysis and testing procedures familiar to those skilled in the art. Such procedures are often referred to as verification and validation.
Automatic flight control systems utilizing analog computers and components had been prevalent in the art, wherein it had been completely practical to perform the verification and validation procedures to certify conformance of such systems to the safety requirements of the Federal Air Regulations. Traditionally, such analog systems implemented independent control of the aircraft axes by utilizing, for example, independent pitch and roll control channels. Certification analysis was facilitated by the axis-independent control.
A known technique for enhancing automatic flight control system reliability is that of dual redundancy. Dual redundancy is the utilization of two identical channels with cross channel monitoring to detect a failure in one of the channels. Although such systems are effective against random faults which affect only one channel, cross channel monitoring does not provide effective detection of generic faults. A generic fault is defined as a fault that is inadvertently designed into a component such that all components generically have this fault and respond in a defective manner. When identical components having a generic fault are in respective redundant channels, the cross channel monitoring sees the same, although erroneous, output from both channels and therefore does not detect the error. Such generic faults are also denoted as design errors.
In present day technology, stored program digital computers are supplanting the analog computer of the prior art technology. It has generally been found that a digital computer including the hardware and software is of such complexity that the verification and validation analysis for certification in accordance with Federal Air Regulations is exceedingly more time consuming, expensive and difficult than with the analog computer. The level of complexity and sophistication of the digital technology is increasing to the point where analysis and proof of certification to the stringent safety requirements is approaching impossibility. To further exacerbate the difficulty, current day digital flight control computers perform all of the computations for all of the control axes of the aircraft in the same computer unlike in the analog computer approach where the control of the aircraft axes was provided by separate respective channels.
A further problem engendered by the introduction of the programmed digital computer technology into automatic flight control systems is that the extensive software required is susceptible to generic design errors. An error can arise in the definition phase of software preparation as well as in the coding thereof. A generic design error can occur in the attendant assembler or compiler as well as in the micro-code for the processor. For example, an error in a microcircuit chip mask for the micro-code, as well as for the processor or associated components can propagate into all of the systems constructed using the mask. In the prior art, in order to satisfy the stringent safety requirements of the Federal Air Regulations, exhaustive verification and validation was often utilized to prove the absence of such generic design faults in the software as well as in the processor hardware to the required level. It is appreciated that such verification and validation procedures are exceedingly time consuming and expensive.
For the reasons given above, it is appreciated that redundant identical channels of digital data processing with cross channel monitoring may not detect hardware and software generic design errors, so that reliability cannot be certified to the required level on that basis. Furthermore, with the increasingly complex and sophisticated digital processing being incorporated into automatic flight control systems, it is approaching impossibility to prove by analysis the absence of such generic errors to the levels required by the Federal Air Regulations. It is appreciated that in a digital flight control channel, including a Flight Control Computer, sensors, and Input/Output (I/O) apparatus, all of the processing for all aircraft axes is performed in the same computer, and critical as well as non-critical functions are controlled by the same channel. Thus, the entire channel must be certified in accordance with the "extremely improbable" rule discussed above with respect to flight critical aspects of the system. Consequently, even those portions of the system utilized for performing non-critical functions must be certified to the same level as the critical portions, since the non-critical portions are within the same computation complex as the critical portions.
In order to overcome these problems, the automatic flight control technology has only recently advanced to the concept of dissimilar redundancy. In dissimilar redundancy, dissimilar processors perform identical tasks utilizing dissimilar software, with cross channel monitoring to detect failures. With this approach, a generic error designed into the processor or software of one channel will not exist in the processor or software of the other channel, and the cross channel monitoring will detect the discrepancy. In this prior art arrangement, the redundant computers are generally dissimilar in hardware and architecture, utilize dissimilar software, compilers or assemblers, and often utilize different hardware and software design teams. Each dissimilar computer in this arrangement requires its own full set of software for performing all of the flight control and flight director functions performed by the system, as well as requiring its own assembler or compiler and ancillary development apparatus and personnel. Such software and the like in modern sophisticated jet transports tend to be exceedingly extensive and consequently expensive. Multiple complete sets of dissimilar software for a system add undesirably to the cost thereof. Additionally, in such systems, design changes to software or processor may result in a significant impact on the safety level of the system.
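The contrast between dual and dissimilar redundancy described above, as an added simulation that is not part of the patent: the control law, gain, tolerance and the injected generic fault are all constructed for illustration, and the "dissimilar" channel is simply a second, differently coded implementation of the same law.

```python
# Constructed simulation of cross-channel monitoring (added example, not from the patent).

PITCH_GAIN = 0.5   # constructed proportional gain for a toy pitch control law
TOLERANCE = 0.05   # constructed cross-channel agreement threshold

def pitch_command_correct(attitude_error):
    """Reference control law (constructed): command proportional to error."""
    return PITCH_GAIN * attitude_error

def pitch_command_generic_fault(attitude_error):
    """Same law carrying a constructed generic design error: a mis-coded
    magnitude routine drops the sign, so negative errors command the wrong
    direction. Every channel built from this code inherits the fault."""
    return PITCH_GAIN * abs(attitude_error)

def pitch_command_dissimilar(attitude_error):
    """Dissimilar implementation of the same law: integer fixed-point
    arithmetic scaled by 1000, standing in for a different processor,
    compiler and design team. It does not share the fault above."""
    scaled = int(round(attitude_error * 1000))
    return (scaled * 500) // 1000 / 1000

def cross_channel_monitor(channel_a, channel_b, attitude_error, tolerance=TOLERANCE):
    """Compare the two channel outputs; disagreement beyond tolerance flags a fault."""
    out_a = channel_a(attitude_error)
    out_b = channel_b(attitude_error)
    return abs(out_a - out_b) > tolerance, out_a, out_b

def run_scenarios(attitude_errors):
    """For each attitude error, record whether dual (identical) redundancy and
    dissimilar redundancy detect the generic fault, beside the correct command."""
    results = []
    for err in attitude_errors:
        dual_flag, dual_out, _ = cross_channel_monitor(
            pitch_command_generic_fault, pitch_command_generic_fault, err)
        dis_flag, _, dis_out = cross_channel_monitor(
            pitch_command_generic_fault, pitch_command_dissimilar, err)
        results.append({
            "attitude_error": err,
            "correct_command": pitch_command_correct(err),
            "dual_output": dual_out,
            "dual_detects": dual_flag,
            "dissimilar_detects": dis_flag,
        })
    return results
```

Running `run_scenarios([3.0, -2.0, 0.3])` shows the identical pair never disagreeing, while the dissimilar pair flags the -2.0 case; for 3.0 and 0.3 the fault does not manifest, so even dissimilar monitoring reports agreement, which is why the detection depends on the inputs actually exercising the design error.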