These flight control systems are at the interface between the flying means (joystick, rudder bar, etc.) and the various mobile flight surfaces of the aircraft (such as the vertical and horizontal rudders, the ailerons, the stabilizers, etc.).
Modern airliners possess “fly by wire”-type flight control systems in which mechanical actions on the flying means are converted into signals transmitted to actuators controlling the movement of the flight surfaces, these commands being transmitted to the actuators by advanced computers.
These commands are calculated according to several types of laws. One of these laws, called normal law, is an assisted-flying law that reprocesses the flying instructions provided by the flying means in order to optimize the flying conditions (comfort of the passengers, stabilization of the airplane, protection of the flight domain, etc.). Another law, known as direct law, only retranscribes the instructions for movement of the airplane transmitted by the electrical flight controls, without the reprocessing of these signals that is intended to improve flying performance.
There is already known, as illustrated on FIG. 1, a flight control system 1 comprising a control module 2 having two sets of computers 4 and 5 so as to determine the control commands to be transmitted to actuators 3.
Set 4 comprises two computers 4-1 and 4-2 capable of calculating the control of actuators 3 established according to the normal and direct control laws (these computers are called primary computers) and a computer 4-3 only capable of calculating this control established according to the direct law (this computer is called secondary computer).
Set 5 comprises a primary computer 5-1 and two secondary computers 5-2 and 5-3.
All these computers are installed in an avionic bay and communicate with the actuators via direct point-to-point analog links.
The actuators are connected to one or two computers, with, in the case of two computers, a “master/hold” architecture: the master computer ascertains the validity of the control signal transmitted to the actuator, which ensures the integrity of the device. When the master computer breaks down, the computer “on hold” takes over, which ensures that a computer is always available.
In order to ascertain the validity of its command, each computer has a dual calculation unit structure (these are dual-path computers, also called “duplex” computers), not illustrated on FIG. 1.
The first unit is a control (COM) unit which implements the processing necessary for carrying out the functions of the computer, namely determining a control signal to an actuator.
The second unit is a surveillance or monitoring (MON) unit, which for its part performs the same types of operations. The values obtained by each unit are then compared and, if there is a discrepancy that exceeds the authorized tolerance threshold, the computer is automatically disabled. It then becomes inoperative and is declared out of order so that another computer can substitute for it in order to implement the functions abandoned by this out-of-order computer.
In this way each computer is designed to detect its own breakdowns and to inhibit the corresponding outputs, while indicating its condition.
The hardware of the primary and secondary computers is different so as to minimize the risks of simultaneous failure of the set of computers (hardware dissimilarity).
Moreover, the hardware of the two paths (COM and MON) of each computer is identical, but, for reasons of security, the software of these two paths is different so as to ensure software dissimilarity.
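The COM/MON comparison and the master/hold takeover described above can be modelled as follows. This is an added illustration, not part of the original text and not the software of the described system; the linear direct-law gain, the tolerance value, the injected fault and all names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

TOLERANCE = 0.5  # assumed COM/MON discrepancy threshold (degrees of deflection)

def com_direct_law(stick: float) -> float:
    """COM path: assumed direct law, a linear stick-to-surface gain."""
    return 25.0 * stick

def mon_direct_law(stick: float) -> float:
    """MON path: same law from dissimilar software (table interpolation)."""
    table = [(-1.0, -25.0), (0.0, 0.0), (1.0, 25.0)]
    for (x0, y0), (x1, y1) in zip(table, table[1:]):
        if x0 <= stick <= x1:
            return y0 + (y1 - y0) * (stick - x0) / (x1 - x0)
    raise ValueError("stick input out of range")

@dataclass
class DuplexComputer:
    name: str
    com: Callable[[float], float]
    mon: Callable[[float], float]
    operative: bool = True

    def command(self, stick: float) -> Optional[float]:
        """Return the COM command, or None once the computer is disabled."""
        c, m = self.com(stick), self.mon(stick)
        if not self.operative or abs(c - m) > TOLERANCE:
            self.operative = False  # latched: outputs inhibited, out of order
            return None
        return c

def actuator_command(master: DuplexComputer, hold: DuplexComputer, stick: float):
    """Master/hold selection: the first operative computer drives the actuator."""
    for computer in (master, hold):
        value = computer.command(stick)
        if value is not None:
            return computer.name, value
    return None, None  # both computers lost

def run_scenario():
    """Constructed scenario: the master's COM path is corrupted from sample 2 on."""
    master = DuplexComputer("master", com_direct_law, mon_direct_law)
    hold = DuplexComputer("hold", com_direct_law, mon_direct_law)
    log = []
    for i, stick in enumerate([0.0, 0.2, 0.4, 0.6]):
        if i == 2:  # injected fault (constructed): +3 degree offset on COM
            master.com = lambda s: com_direct_law(s) + 3.0
        log.append(actuator_command(master, hold, stick))
    return log
```

The master stays disabled after the first discrepancy even if its two paths would later agree again, which matches the text's statement that the computer is declared out of order and replaced.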