This invention relates to control systems, and in particular to control systems utilizing digital processing techniques.
The invention is especially concerned with failure-survival control systems of the kind in which two or more control lanes, each capable of providing the control output required of the system, are operated together so as to provide a degree of redundancy that is utilized to ensure continued correct control in spite of the occurrence of a fault or failure in the system. Systems of this kind have been used for controlling flight of aircraft, and in this context have more usually involved the processing of data in analogue form in each of three or more lanes, and comparison between the output signals of the lanes for determining the existence of a fault or failure in any of them. Such a system possesses a high degree of integrity against malfunction arising from component failure, because the probability of a majority of the lanes suffering failures at exactly the same time (and thus generating consistent, incorrect output signals) is of an extremely low order of magnitude.
Correct operation of each lane, however, depends not only on the functioning of the equipment in the lane, but also on the supply of valid data to it. For this reason a set of sensors, usually equal in number to the number of control lanes, is provided for each item of input data. The sensors of each set supply nominally-identical signals representative of the value of the relevant item of data to the respective control lanes, but there are inevitable slight differences between these signals arising from the manufacturing and operating tolerances that will exist between the different sensors of the set. Thus if no remedial action were taken in the system to equalize the data signals used in the different control lanes, the output control signals of these lanes would in general always be different from one another. Although these differences between the output signals of the control lanes might not be large enough to exceed the threshold for detection of a fault or failure, their existence could very easily prejudice appropriate detection of a real fault or failure within a lane, or make the detection process too sensitive to minor, unimportant differences between the lanes.
In order to achieve equalization and avoid the undesirable consequences of slight differences between the nominally-identical sensor-signals, use may be made of amalgamation techniques. In these an amalgamate signal is derived in each lane in respect of each set of sensors, the amalgamate having a value (for example, the mean or a median value) intermediate between the sensor-signal values. Any sensor signal differing by more than some prescribed amount, and so lying outside the acceptable tolerance range, is automatically excluded from the amalgamation process, and thereby cannot affect lane operation.
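The amalgamation and lane-comparison scheme described above, worked through in an added Python example that is not part of the original text. The sensor values, the 0.5 tolerance, the 0.05 detection threshold and the proportional control law are all constructed assumptions; `run_lanes` contrasts lanes that each use only their own sensor with lanes that amalgamate the whole set.

```python
from statistics import median

def amalgamate(signals, tolerance):
    """Amalgamate one set of nominally-identical sensor signals.

    The median of the set serves as the reference; any signal more than
    `tolerance` away from it is excluded, and the mean of the survivors is
    returned together with the indices of the excluded sensors.
    """
    if not signals:
        raise ValueError("empty sensor set")
    ref = median(signals)
    kept = [s for s in signals if abs(s - ref) <= tolerance]
    excluded = [i for i, s in enumerate(signals) if abs(s - ref) > tolerance]
    if not kept:  # even-sized set whose middle pair is itself out of tolerance
        return ref, excluded
    return sum(kept) / len(kept), excluded

def control_demand(value, gain=2.0):
    # Constructed stand-in for the lane's control law (assumption, not from the text).
    return gain * value

def lane_disagreement(outputs, threshold):
    """Indices of lanes whose output differs from the lane median by more
    than the fault-detection threshold."""
    ref = median(outputs)
    return [i for i, o in enumerate(outputs) if abs(o - ref) > threshold]

def run_lanes(signals, tolerance, threshold, equalize=True):
    """Simulate len(signals) lanes. With equalize=True every lane amalgamates
    the whole sensor set; with equalize=False lane i uses only sensor i."""
    outputs = []
    for lane in range(len(signals)):
        if equalize:
            value, _ = amalgamate(signals, tolerance)
        else:
            value = signals[lane]
        outputs.append(control_demand(value))
    return outputs, lane_disagreement(outputs, threshold)

if __name__ == "__main__":
    # Constructed sample: three healthy sensors differing only by tolerance.
    healthy = [10.02, 9.97, 10.05]
    # Without equalization two lanes are flagged although nothing has failed.
    print(run_lanes(healthy, tolerance=0.5, threshold=0.05, equalize=False))
    # With equalization all lane outputs are identical, so nothing is flagged.
    print(run_lanes(healthy, tolerance=0.5, threshold=0.05))
    # Constructed sample: sensor 2 has failed and is excluded from the amalgamate.
    failed = [10.02, 9.97, 47.3]
    print(amalgamate(failed, tolerance=0.5))
```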
Amalgamation of the various sets of input-data signals, and the computation from the resultant intermediate-valued amalgamate signals of the appropriate control demand in each lane, can be readily carried out using digital processing. However, the application of digital processing techniques to plural-lane control systems introduces a new problem in the detection of malfunction. Digital computing or other processing techniques involve the use of complex arrangements of logic circuits (such as NAND-gates, NOR-gates and shift registers), and there is a risk that in implementing the required design of a digital system in terms of these logic circuits and their interconnections, additional unintended logical functions may be created. Since these spurious functions do not arise as an intentional part of the design, there is no provision in the design for system operation involving them. More particularly, there is the possibility that some particular digital data-representations will interact with certain instructions in the program that controls operation of the process, in an unexpected and unpredictable manner. Consequently there is the risk of a malfunction arising, not as a result of any fault or component failure, but rather as a result of a latent design defect either alone or in combination with the effect of component tolerances. All control lanes having the same design and operational program would in general be subject to the same malfunction, and so comparison between them would not be capable of revealing the existence of the malfunction; such malfunction, affecting all the lanes in the same way, is termed a common-mode failure.
An analogue system can be tested to eliminate unexpected results by checking its operation for various values of each input signal from one extreme to the other, and then relying on the linearity of the system to infer the results in respect of intermediate values. In contrast, with a digital processing system the discontinuous nature of the digital signals involved limits the inference that can be drawn about its behaviour in respect of any one combination of digital data and program, from its behaviour in respect of any other combination. Thus, normally, the only sure way of providing a digital system with an acceptable level of confidence in its operation would be to check every possible combination of digital data and program instruction. However, these combinations can number many millions, and such testing would therefore in general occupy a prohibitive length of time.