1. Field of the Invention
The invention relates to automatic flight control systems particularly with respect to redundant dissimilar digital data processing.
2. Description of the Prior Art
Automatic flight control systems are constrained by Federal Air Regulations to provide safe control of the aircraft throughout the regimes in which the automatic flight control system is utilized. Any failure condition which prevents continued safe flight and landing must be extremely improbable. Present day regulations require a probability of less than 10^-9 failures per hour for flight critical components. A flight critical portion of an automatic flight control system is one the failure of which will endanger the lives of the persons aboard the aircraft. For example, components of an automatic flight control system utilized in automatically landing the aircraft may be designated as flight critical, whereas certain components utilized during cruise control may be designated as non-critical. The safety level of the components of the system is determined by analysis and testing procedures familiar to those skilled in the art.
Automatic flight control systems utilizing analog computers and components had been prevalent in the art, wherein such systems utilized independent control of the aircraft axes. Traditionally, such systems utilized independent pitch and roll control channels. With such systems, it was completely practical to perform the analysis to certify conformance to the safety requirements of the Federal Air Regulations. Such certification was facilitated by the axis independent control.
A known technique for enhancing automatic flight control system reliability is that of dual redundancy. Dual redundancy is the utilization of two identical channels with cross-channel monitoring to detect a failure in one of the channels. Although such systems are effective against random faults which affect only one channel, cross-channel monitoring does not provide effective detection of generic faults. A generic fault is defined as a fault that is inadvertently designed into a component such that all components of that design have the fault and respond in the same defective manner. When identical components having a generic fault are in respective redundant channels, the cross-channel monitoring sees the same, although erroneous, output from both channels and, therefore, does not detect the error. In order to satisfy the Federal Air Regulations in the prior art, the absence of generic faults was proven by analysis and testing to the required level. Generic faults are also denoted as design errors.
In present day technology, stored program digital computers are supplanting the analog computers of the prior art. It has generally been found that a digital computer, including its hardware and software, is of such complexity that the analysis for certification in accordance with Federal Air Regulations is far more time-consuming, expensive and difficult than with the analog computer. The level of complexity and sophistication of the digital technology is increasing to the point where analysis and proof for certification to the stringent safety requirements is approaching impossibility. To further exacerbate the difficulty, current day digital flight control computers perform all of the computations for all of the control axes of the aircraft in the same computer, unlike the analog computer approach, where control of the aircraft axes was provided by separate respective channels.
Additionally, in the design of a digital flight control system channel, it is desirable to utilize a single bus in a multiplexed fashion for interfacing the digital computer with the plurality of input devices that provide data to the computer, as well as with the plurality of output devices to which the computer provides signals. It is appreciated that a channel can have one or more active computers associated therewith coupled to and communicating via the single bus. A single bus architecture is simpler in hardware configuration, less bulky, and lighter weight than, for example, a dedicated parallel bus architecture, which qualities are significant for efficacious utilization in present day aircraft.
For the reasons given above, as is well appreciated in the art, redundant identical channels of digital data processing may be utilized, responsive to respective separate sensor sets, to enhance the safe performance of the system. As explained above, generic faults are not readily detectable by cross-monitoring of the identical channels. With the increasingly complex and sophisticated digital processing being incorporated into automatic flight control systems, it is approaching impossibility to prove by analysis the absence of generic faults to the levels required by the Federal Air Regulations. It is appreciated that in a digital flight control channel, including a digital computer, sensors and Input/Output (I/O) apparatus, all of the processing for all aircraft axes is performed in the same computer, and critical as well as non-critical functions are controlled by the channel. Thus, the entire channel must be certified in accordance with the "extremely improbable" rule discussed above with respect to flight critical aspects of the system. Consequently, even those portions of the system utilized for performing non-critical functions must be certified to the same level as the critical portions, since the non-critical portions are within the same computation complex as the critical portions.
In order to overcome these problems, the automatic flight control technology has only recently advanced to the concept of dissimilar redundancy. In dissimilar redundancy, as currently utilized, two or more channels are provided with identical respective sensor sets utilizing, however, dissimilar data processing in one channel with respect to a redundant channel to perform identical functions. This is achieved either by dissimilar computers with respect to the hardware thereof, or by dissimilar software in the redundant computers or by both dissimilar hardware and dissimilar software. With this approach, a generic fault designed into the computer of one channel will not exist in the computer of the other channel and cross-channel monitoring will detect the discrepancy between the channels caused by the fault, the fault being in either hardware or software. The remainder of the channels may then be readily analyzed to the safety levels required by the Federal Air Regulations. The dissimilar computation apparatus, however, need not be subject to the analysis that, as described above, is currently approaching impossibility.
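The following simulation, added here and not part of the patent, contrasts the dual-redundancy and dissimilar-redundancy schemes described above: two copies of one channel implementation sharing a designed-in (generic) fault pass cross-channel monitoring, a random single-channel fault is caught, and a dissimilar implementation of the same control law exposes the generic fault. The control law, its coefficients, the sensor samples and the monitor threshold are all constructed for illustration.

```python
from typing import Callable, List, Optional, Tuple

# A channel maps (altitude error in ft, vertical speed in ft/s) to an elevator command.
Channel = Callable[[float, float], float]

def channel_a(alt_err: float, vs: float) -> float:
    """Hypothetical pitch control law with a generic (design) fault:
    the vertical-speed damping term carries the wrong sign."""
    return 0.02 * alt_err + 0.5 * vs          # design intent was -0.5 * vs

def channel_a_copy(alt_err: float, vs: float) -> float:
    """Second channel of a dual-redundant pair: identical code, same generic fault."""
    return channel_a(alt_err, vs)

def channel_b(alt_err: float, vs: float) -> float:
    """Dissimilar implementation of the same control law (different structure,
    independently written); it does not share channel A's design error."""
    damping = -0.5 * vs
    return damping + alt_err * 0.02

def stuck_output(ch: Channel, value: float = 0.0) -> Channel:
    """Model a random hardware fault in one channel only: output stuck at a value."""
    return lambda alt_err, vs: value

def cross_channel_monitor(ch1: Channel, ch2: Channel,
                          samples: List[Tuple[float, float]],
                          threshold: float = 0.05) -> Optional[int]:
    """Compare the two channels on every sensor sample and return the index
    of the first sample whose outputs disagree beyond the threshold, or None
    if the channels agree throughout (i.e. no discrepancy is detected)."""
    for i, (alt_err, vs) in enumerate(samples):
        if abs(ch1(alt_err, vs) - ch2(alt_err, vs)) > threshold:
            return i
    return None

# Constructed sensor samples: (altitude error, vertical speed)
SAMPLES = [(0.0, 0.0), (10.0, 0.0), (10.0, 2.0), (-5.0, -3.0)]

def dual_identical() -> Optional[int]:
    # Both channels compute the same wrong command: the generic fault is masked.
    return cross_channel_monitor(channel_a, channel_a_copy, SAMPLES)

def dual_random_fault() -> Optional[int]:
    # A random fault in one channel only is caught as soon as outputs differ.
    return cross_channel_monitor(channel_a, stuck_output(channel_a_copy), SAMPLES)

def dissimilar() -> Optional[int]:
    # The dissimilar channel disagrees on the first sample with non-zero vs.
    return cross_channel_monitor(channel_a, channel_b, SAMPLES)
```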
In the prior art utilizing dissimilar redundancy, each channel of the automatic flight control system included one digital processor, and the system included cross-channel monitoring to detect discrepancies between the channels. Each channel can also include plural active processors with cross-processor monitoring to detect generic faults and design errors with respect to the processor hardware and software. Such an architecture, however, engenders problems which are further exacerbated when utilizing a single bus channel. For example, although cross-processor monitoring can detect generic faults in the hardware or software of either processor because of the dissimilar data processing implemented in the two computers, one of the computers can contaminate the data of the other computer, thereby preventing detection of the generic faults. Additionally, in a plural computer channel utilizing a centralized data handling system, a faulted central processing unit (CPU) can monopolize the system, thereby causing total cessation of functionality. In a similar manner, the plural CPUs can monopolize the system to the exclusion of the Input/Output devices during the I/O cycles of the system. This problem is particularly severe in a single bus architecture, where the faulted CPU monopolizes the bus to the exclusion of the other CPUs and the Input/Output devices. A further problem engendered by the single bus architecture is that a failure in an Input/Output device can reflect onto the bus in such a manner as to cause total bus failure. Thus, since failure of a non-critical Input/Output device could result in total failure of the critical functionality of the system, the prior art required that the non-critical I/O devices be analyzed to the same stringent safety level as the critical I/O devices.