This invention relates to safety critical systems, such as avionics systems and nuclear power monitoring systems, and specifically to avionics systems in which several data sources or avionics sensor systems provide data to displays or to data input/output concentrators containing comparators that check the validity of the data.
A number of safety critical system applications such as avionics and nuclear power monitoring require data input from two or more similar or identical sensor systems to ensure the validity of the data. The data from one sensor system is compared to the data from another sensor system in a data comparator to ensure the validity of the data.
For safety in critical avionics applications, critical data must be validated by the avionics system. The data from such sources as dual aircraft engine indicating systems (EIS), dual attitude heading systems (AHS) and dual air data systems (ADS) is provided to a primary flight display (PFD) and a multifunction display (MFD) or an input/output concentrator (IOC) containing data comparator functions. The data comparators in the PFD, MFD, or the IOC establish data reasonableness and validity by comparing the data from the dual sources. When a comparator indicates that the data from one source is significantly different from the other, pilots evaluate all their data sources for reasonableness and deselect the invalid or misleading source from their PFD and MFD. In a highly integrated avionics system, the integrity of the data supplied to the data comparators must also be considered.
Complex avionics systems require the introduction of multiple critical sensor data into an IOC device. New avionics systems may use as many as three or more AHS, three ADS, and three EIS sensor systems providing data to an IOC. The IOC sends the concentrated data from the multiple data sources to using systems on board the aircraft such as the primary flight display, the multifunction display, and a flight control system (FCS) on an Ethernet bus or other digital bus. The Ethernet bus itself is protected with a CRC (cyclic redundancy check) to protect against misleading critical data.
A failure mode may exist in the IOC, the PFD, the MFD, or elsewhere that causes data from one sensor to masquerade as data from another sensor. For example, the data from one ADS in a dual ADS system may be present at the second ADS input to a PFD as well as at its own input to the PFD. This potential failure has been a cause for concern to avionics system and flight control system designers for years. This concern has led to inputting some of the critical data from the dual ADS and the dual AHS directly to the FCS. This approach is no longer feasible with the new complex avionics systems with multiple sensor sources, data concentrators, and high speed data buses.
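The following added example (not part of the original text) simulates the masquerade failure described above: a concentrator fault copies ADS 1 data into the ADS 2 slot before framing, so the bus CRC still validates and the downstream comparator sees perfect agreement while the real ADS 2 has drifted. The frame layout, the 5-knot tolerance, the function names, and the sample airspeeds are all assumptions constructed for illustration.

```python
import struct
import zlib

# Assumed miscompare threshold in knots (illustrative, not from the text).
COMPARE_TOLERANCE_KT = 5.0

# Constructed samples: (true ADS 1 airspeed, true ADS 2 airspeed).
# ADS 2 drifts away from ADS 1 in the second and third samples.
SAMPLES = [(250.0, 250.4), (251.0, 262.0), (252.0, 280.0)]

def frame(source_id, airspeed_kt):
    """Hypothetical bus frame: 1-byte source id, float32 value, CRC-32."""
    payload = struct.pack(">Bf", source_id, airspeed_kt)
    return payload + struct.pack(">I", zlib.crc32(payload))

def parse(raw):
    """Return (source_id, value) if the CRC checks, otherwise None."""
    payload, (crc,) = raw[:-4], struct.unpack(">I", raw[-4:])
    if zlib.crc32(payload) != crc:
        return None
    return struct.unpack(">Bf", payload)

def comparator_ok(a, b):
    """Dual-source comparator: True when the two values agree."""
    return abs(a - b) <= COMPARE_TOLERANCE_KT

def ioc_forward(ads1, ads2, fault=False):
    """Concentrator model. With fault=True, ADS 1 data lands in the ADS 2
    slot before framing, so the CRC is computed over the wrong data."""
    if fault:
        ads2 = ads1
    return frame(1, ads1), frame(2, ads2)

def run(samples, fault):
    """Per sample, return (both CRCs valid, comparator reports agreement)."""
    results = []
    for ads1, ads2 in samples:
        p1, p2 = (parse(f) for f in ioc_forward(ads1, ads2, fault))
        crc_ok = p1 is not None and p2 is not None
        results.append((crc_ok, crc_ok and comparator_ok(p1[1], p2[1])))
    return results

if __name__ == "__main__":
    print("healthy IOC :", run(SAMPLES, fault=False))
    print("masquerade  :", run(SAMPLES, fault=True))
```

In the healthy run the comparator flags the drifting ADS 2; in the faulted run every frame passes its CRC and every comparison agrees, which is why neither the bus CRC nor the comparator alone reveals this failure.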
What is needed is a common sensor detector to detect failures where one sensor is masquerading as another and indicate the failure on a display in safety critical applications such as nuclear power plant monitoring and avionics systems. The common sensor detector should work with conventional systems as well as systems employing multiple sensors, data concentrators, and high speed data buses.