Many systems employ redundancy to preserve system functionality should a particular component fail. Often, however, redundancy by itself is not sufficient, and the system must have the ability to “detect” (e.g., recognize the occurrence of), “isolate” (e.g., identify the source of), and “accommodate” (e.g., respond to) the failure (fault). For some faults, detection and isolation are one and the same. For example, a processor can fail a memory check, and a servo valve can reveal a short or open via a current check.
Some other categories of faults, however, are more difficult to detect, isolate, and accommodate. For example, modern gas turbine aircraft engines are frequently equipped with a pair of sensors (transducers) for each parameter (e.g., temperature) to be measured. Each sensor produces a signal indicative of the value of the sensed parameter. Due to measurement inaccuracies, the indicated value can deviate from the true (actual) value of the parameter. The amount of this deviation (error) depends in part on the condition, i.e. state or health, of the sensor. If the sensed values for a parameter agree, i.e. are relatively close to one another, then it is generally assumed that both sensors are healthy, and either one may be used as an estimate of the actual value. Alternatively, an estimate may be produced by averaging the two values. However, if the sensed values do not agree, one or both sensors may have failed. To produce the best estimate of the actual value of the parameter, it is desirable to detect and isolate a fault. Some sensor faults can be detected and isolated by comparing each sensor signal to an expected range and an expected rate of change.
Various other approaches for detecting, isolating, and accommodating sensor faults presently exist. One such approach uses knowledge of the most likely failure modes for that type of sensor and attempts to determine whether one sensor is more likely than the other to have failed.
Another approach compares the potential consequences of selecting each one of the sensor magnitudes as the estimate of the actual magnitude, should the selected sensor be the erroneous one. The sensor magnitude having the least hazardous potential consequences is selected, i.e. select “safe”. For example, the consequences of picking an erroneously low magnitude engine speed signal may include catastrophically overspeeding the engine. The consequences of picking an erroneously high magnitude signal are usually limited to an engine performance loss due to unnecessarily limiting engine speed. By this logic, the obvious choice for a select “safe” strategy is to choose the high signal.
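The two-sensor logic described so far (range and rate checks per sensor, averaging when the sensors agree, select “safe” when they do not) can be put together as follows. This is an added example, not code from the original text; the limits, the tolerance, the hold-last fallback and the sample readings are all assumptions constructed for the illustration.

```python
# Added illustration. All limits below are assumed values for a constructed
# engine-speed channel (percent of rated speed); the page gives none.
RANGE = (0.0, 110.0)   # expected range
MAX_RATE = 20.0        # expected maximum rate of change, percent per second
AGREE_TOL = 1.0        # two sensors within this band are taken to agree


def passes_checks(prev, value, dt):
    """Range and rate-of-change check for one sensor reading."""
    lo, hi = RANGE
    in_range = lo <= value <= hi
    in_rate = abs(value - prev) / dt <= MAX_RATE
    return in_range and in_rate


def select_speed(prev, a, b, dt):
    """Return (estimate, reason); prev is the last accepted estimate."""
    ok_a = passes_checks(prev, a, dt)
    ok_b = passes_checks(prev, b, dt)
    if ok_a and ok_b:
        if abs(a - b) <= AGREE_TOL:
            return (a + b) / 2, "agree: average"
        # Both look plausible but disagree, so the fault cannot be isolated.
        # For speed, a falsely low reading risks overspeed: take the high one.
        return max(a, b), "disagree: select safe (high)"
    if ok_a:
        return a, "b failed range/rate: use a"
    if ok_b:
        return b, "a failed range/rate: use b"
    # Assumption: with no usable sensor, hold the last accepted estimate.
    return prev, "both failed: hold last"


# Constructed samples: (a, b) readings at dt = 0.1 s, starting from 80.0.
SAMPLES = [(80.5, 80.0), (78.75, 80.25), (150.0, 80.5), (80.5, 95.0), (-5.0, 200.0)]


def run(samples=SAMPLES, start=80.0, dt=0.1):
    prev, log = start, []
    for a, b in samples:
        prev, reason = select_speed(prev, a, b, dt)
        log.append((prev, reason))
    return log


if __name__ == "__main__":
    for est, reason in run():
        print(f"{est:7.2f}  {reason}")
```

The second sample is the case the select “safe” strategy exists for: both readings pass their own checks, so nothing identifies which sensor is wrong.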
Yet another approach incorporates a model that provides an analytical third sensor to help detect and isolate sensor faults. For example, real-time engine models are available that are suitable for incorporation in the engine control system's embedded software. (See Kerr, L. J., Nemec, T. S., and Gallops, G. W., 1992, “Real-time Estimation of Gas Turbine Engine Damage Using a Control Based Kalman Filter Algorithm,” Journal of Engineering for Gas Turbines and Power, vol. 114, no. 2, pp. 187–195). The actual value of the parameter may be estimated, for example, by determining the mean or the median of the three sensors.
Additionally, the actual value may be estimated using a parity space method that examines the relative differences between each of the three sensed magnitudes. (See Patton, R. J., and Chen, J., 1992, “Review Of Parity Space Approaches To Fault Diagnosis Applicable To Aerospace Systems,” Proc. AIAA Guidance, Navigation And Control Conference, AIAA-92-4538). In a traditional parity space implementation, however, the system compares the relative difference information to a fault threshold and characterizes the health of each sensor as either valid or faulty. Thus, if one sensor disagrees with the others, but the relative differences do not exceed the fault threshold, the sensor is considered valid. On the other hand, if the relative differences become large enough that the fault threshold is exceeded, the sensor is considered faulty. Sensors characterized as valid are used to estimate the actual magnitude of the parameter. Sensors characterized as faulty are not used in the estimation.
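The hard valid/faulty boundary described above is easiest to see by drifting one sensor across the threshold. The following added example (not from the original text) uses a simplified pairwise-difference vote rather than a full parity-space projection; the threshold value, signal names and drift values are assumptions.

```python
from itertools import combinations
from statistics import mean

FAULT_THRESHOLD = 5.0  # assumed value, in the units of the signals


def classify(signals, threshold=FAULT_THRESHOLD):
    """Return {name: True if valid, False if faulty} for three signals.

    A signal is isolated as faulty when its difference from each of the
    other two exceeds the threshold while those two agree with each other.
    If all three disagree, nothing is isolated and all stay valid.
    """
    over = {frozenset(pair): abs(signals[pair[0]] - signals[pair[1]]) > threshold
            for pair in combinations(signals, 2)}
    valid = {}
    for name in signals:
        others = [n for n in signals if n != name]
        odd_one_out = (all(over[frozenset((name, o))] for o in others)
                       and not over[frozenset(others)])
        valid[name] = not odd_one_out
    return valid


def estimate(signals, threshold=FAULT_THRESHOLD):
    """Mean of the signals classified valid, plus the classification."""
    valid = classify(signals, threshold)
    used = [v for n, v in signals.items() if valid[n]]
    return mean(used), valid


def sweep(offsets, base=500.0):
    """Drift sensor_b away from sensor_a and the model; record the estimate."""
    rows = []
    for off in offsets:
        sig = {"sensor_a": base, "sensor_b": base + off, "model": base}
        est, valid = estimate(sig)
        rows.append((off, round(est, 3), valid["sensor_b"]))
    return rows


if __name__ == "__main__":
    # Constructed drift values straddling the threshold.
    for off, est, b_valid in sweep([0.0, 2.0, 4.9, 5.1, 20.0]):
        print(f"drift={off:5.1f}  estimate={est:8.3f}  sensor_b valid={b_valid}")
```

Just below the threshold the drifting sensor still pulls the estimate with full weight; just above it, the sensor is dropped and the estimate steps back.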
U.S. Pat. No. 6,073,262 to Larkin et al. describes an example system that uses fuzzy logic to generate an estimate of a value of a parameter based on three redundant signals, with one of the redundant signals being, for example, an output of a model. The system generates three difference signals corresponding to the differences between each pair of the three redundant signals. Then, the three difference signals are converted to three corresponding “fuzzy” inputs based on a plurality of fuzzy membership functions. Next, each fuzzy logic rule of a plurality of fuzzy logic rules is evaluated, based on the fuzzy inputs, to generate a rule output value. Additionally, for each fuzzy logic rule, a degree of fulfillment of the fuzzy logic rule is generated. Finally, the plurality of rule output values and the plurality of degrees of fulfillment are used to generate an estimate of the value of the parameter.
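The sequence just described (difference signals, fuzzy inputs, rule outputs, degrees of fulfillment, combined estimate) is sketched below as an added example; it is not the patent's implementation. The membership shapes and breakpoints, the four rules, the min/weighted-average combination and the median fallback are all assumptions chosen for the illustration.

```python
from statistics import median

# Assumed breakpoints for the "small" membership function (signal units).
SMALL_FULL, SMALL_ZERO = 2.0, 8.0


def small(d):
    """Degree to which |d| is 'small': 1 up to SMALL_FULL, 0 from SMALL_ZERO."""
    d = abs(d)
    if d <= SMALL_FULL:
        return 1.0
    if d >= SMALL_ZERO:
        return 0.0
    return (SMALL_ZERO - d) / (SMALL_ZERO - SMALL_FULL)


def large(d):
    """Complement of 'small'."""
    return 1.0 - small(d)


def fuzzy_estimate(a, b, m):
    """Estimate from sensors a, b and model output m; returns (value, dofs)."""
    d_ab, d_am, d_bm = a - b, a - m, b - m            # three difference signals
    # Each rule: (fuzzy inputs it requires, rule output value).
    rules = [
        ((small(d_ab), small(d_am), small(d_bm)), (a + b + m) / 3),  # all agree
        ((large(d_ab), large(d_am), small(d_bm)), (b + m) / 2),      # a is odd one out
        ((large(d_ab), small(d_am), large(d_bm)), (a + m) / 2),      # b is odd one out
        ((small(d_ab), large(d_am), large(d_bm)), (a + b) / 2),      # m is odd one out
    ]
    dofs = [min(inputs) for inputs, _ in rules]       # degree of fulfillment
    total = sum(dofs)
    if total == 0.0:
        # Assumption: no rule fires (all three far apart), fall back to median.
        return median((a, b, m)), dofs
    value = sum(w * out for w, (_, out) in zip(dofs, rules)) / total
    return value, dofs


if __name__ == "__main__":
    # Constructed inputs: sensor b drifts away from sensor a and the model.
    for drift in (0.0, 3.5, 5.0, 6.5, 20.0):
        value, dofs = fuzzy_estimate(500.0, 500.0 + drift, 500.0)
        print(f"drift={drift:5.1f}  estimate={value:8.3f}  dofs={dofs}")
```

With these assumed memberships the drifting sensor's influence fades gradually between 2 and 8 units of disagreement instead of switching off at a single threshold.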