I. Field of the Invention
The present invention relates to a fault tolerant automatic control system for a dynamic device (e.g. an airplane), wherein the fault tolerant control system utilizes analytic redundancy. More particularly, the present invention relates to a fault tolerant control system including (i) a coordinate transforming diffeomorphism and (ii) a feedback control law (algorithm), which produce a control system model that is linear time invariant (the feedback control law which renders the control system model linear invariant is hereinafter termed "a feedback LTI'ing control law") so that sensor/actuator failures are easily identified and the automatic control algorithm may be reconfigured based on the detected failures. For example, in the field of automatic flight controls, a vertical gyro sensor failure may be easily identified by reference to the transformed system model, and the automatic flight control algorithm may be executed while disregarding the vertical gyro sensor output, thus reconfiguring the flight control algorithm for safe operation. In general, the invention pertains to the automatic control of parameter-dependent dynamic systems (such as an aircraft in flight) in the face of a failure of any one of the actuators or sensors of the control system. In particular, the fault tolerant automatic control system is capable of performing the functions of automatic failure detection and control system reconfiguration for a system whose dynamic behavior depends on the parameters of the system, such as an airplane dependent on air speed, altitude, etc.
II. Related Art
Many aircraft crashes could have been prevented or minimized if the pilots (or autopilots) were able to identify the nature of an aircraft component failure and to properly reconfigure the aircraft controls to overcome the detected failure. The crash of a United Airlines DC-10 near Sioux City on Jul. 19, 1989 is an example of such control system reconfiguration. A tail engine fan disk failure severed all three hydraulic control systems, damaging the rudder and leaving the pilots with only engine throttle control. By effectively reconfiguring their controls and using only the throttle as a control actuator, the pilots were able to guide the plane to a semi-controlled crash wherein only 111 of the 296 people on board were killed. Had the pilots not accomplished this control system reconfiguration, it is most likely that all aboard would have perished.
A similar circumstance occurred with the loss of a rear cargo door of an American Airlines DC-10 near Windsor, Ontario. Rapid decompression distorted the cabin floor, trapping elevator control cables. The highly-experienced captain of the aircraft had recognized the potential for pitch control by thrust in the tri-jet configuration and had practiced for just such an eventuality in a flight simulator. Faced with the real event, he recovered his aircraft with no casualties. An identical accident occurred on a Turkish aircraft near Paris in 1974 which was a total loss. The captain of the Turkish aircraft did not recognize and apply control system reconfiguration. However, the ability to reconfigure the control system and save the aircraft should not be dependent solely on the experience of the pilot.
Another approach to flight control system fault detection and avoidance involves hardware redundancy. For example, by having three identical flight control components, voting among the components may yield a simple and reliable means of selecting the functional components and ignoring the failed components. However, hardware redundancy is expensive, requires much additional lift, and reduces available payload, volume, and weight. For unmanned air vehicles (UAVs), and for general aviation aircraft, such hardware redundancy cannot be afforded.
In addition, many other applications cannot afford the cost, size, and weight which accompanies hardware redundancy. For example, multi-link robotic manipulators exhibit dynamic behavior dependent on link configuration. The dynamic response with the links fully extended will be, for example, different from the case where all links are retracted. For manipulators, the parameters upon which the dynamics depend are link configuration. The need for compactness and the environment in which manipulators are used do not permit the necessary real estate for including multiply-redundant hardware.
As previously discussed, an important issue is the parameter-dependent nature of most control systems. For instance, an aircraft flying at steady speed and altitude is an example of a linear time invariant system since the dynamic behavior of the aircraft in response to small disturbances about this operating condition may be well described by a mathematical model which is linear and has constant parameters. Aircraft, however, typically operate over a large range in parameters such as altitude, speed, mass, center of mass location, etc. A mathematical model of the aircraft dynamics must necessarily include the effects of these and other parameters in order to accurately describe the dynamic behavior of the aircraft due to external disturbances and control inputs for any combinations of these parameter values. Often, an adequate mathematical model in such a case is linear, but parameter dependent, with the parameters varying over wide ranges. As previously discussed, a multi-link robotic manipulator is another example in the class of linear parameter-dependent systems. Existing fault tolerant control systems which have good design and synthesis attributes are limited in application to linear time invariant systems, and are not directly applicable to the more common linear parameter-dependent systems.
What is needed then is an automatic control system which reliably and effectively detects a control component failure and reconfigures the control system algorithm to overcome or mitigate the detected component failure for systems whose dynamics are not necessarily LTI.
The present invention relates to apparatus and method for reliably and effectively detecting a control system component failure, and for reconfiguring the control system algorithm to overcome or mitigate the detected component failure. The present invention provides analytic redundancy by comparing measured system behavior with expected system behavior and detecting failures based on this comparison. After failure detection, the control system algorithm is reconfigured to ignore or compensate for the failed component.
According to a first aspect of the present invention, a fault tolerant control system for a dynamic device having a sensor and a predetermined control algorithm includes means for receiving a status signal from the sensor. Processing means are provided for (i) transforming the sensor status signal and a predetermined reference signal into a linear time invariant coordinate system, (ii) generating a sensor estimate in the linear time invariant coordinate system based on the transformed sensor status signal and the transformed reference signal, (iii) transforming the sensor estimate into a physical coordinate system, (iv) detecting an error in the sensor status signal based on the transformed sensor estimate and the sensor status signal, and (v) reconfiguring the predetermined control algorithm based on the detected error.
According to a further aspect of the present invention, a fault tolerant aircraft flight control system for detecting a failure in at least one of a flight control sensor and a flight control actuator, and for reconfiguring the flight control system to minimize the detected failure includes input means for receiving a status signal indicating status of at least one of a flight control sensor and a flight control actuator. A processor is provided for (i) comparing the received status signal to a predetermined flight control reference signal and providing a flight control adjustment signal based on the comparison, (ii) transforming the status signal, the reference signal, and the adjustment signal into a linear time invariant coordinate system, (iii) determining an expected response of the at least one of a flight control sensor and a flight control actuator based on the transformed signals in the linear time invariant coordinate system, and generating an expected response signal corresponding thereto, (iv) transforming the expected response signal from the linear time invariant coordinate system to a physical coordinate system, (v) comparing the transformed expected response signal to the received status signal and generating an error signal corresponding thereto, (vi) determining that a failure has occurred in the at least one of a flight control sensor and a flight control actuator based on the error signal, and (vii) generating a reconfigure signal to reconfigure the flight control system to minimize the effect of the detected failure.
According to a further aspect of the present invention, a fault tolerant process for a dynamic device having a sensor and a predetermined control algorithm includes the steps of (i) inputting a status signal from the sensor, (ii) transforming the sensor status signal and a predetermined reference signal into a linear time invariant coordinate system, (iii) generating a sensor estimate in the linear time invariant coordinate system based on the transformed sensor status signal and transformed reference signal, (iv) transforming the sensor estimate into a physical coordinate system, (v) detecting an error in the sensor status signal based on the transformed sensor estimate and the sensor status signal, and (vi) reconfiguring the predetermined control algorithm based on the detected error.
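Process steps (i) through (vi) above, instantiated on a constructed scalar plant as an added example that is not part of the original text. The plant model a(p) and b(p), the scaling T(p), the observer gain, the residual threshold, and the additive sensor bias are all assumptions chosen for illustration, and the parameter p is held constant within each run.

```python
# Added illustration: toy scalar plant; every model and number here is constructed.
A, B, L = 0.8, 0.2, 0.5   # target LTI model z+ = A*z + B*w, and observer gain
THRESH = 0.2              # residual threshold, in physical units

def a(p): return 0.95 - 0.1 * p   # parameter-dependent plant pole (assumed)
def b(p): return 0.5 * p          # parameter-dependent input gain (assumed)
def T(p): return 1.0 / p          # coordinate scaling, invertible for p > 0

def run(p, fault_step=None, bias=0.0, reconfigure=True, steps=60, r=1.0):
    """Simulate the loop at constant parameter p.

    Returns (step at which the sensor failure was detected or None,
             final true plant state).
    """
    x = 0.0           # true physical state
    z_hat = 0.0       # sensor estimate, held in LTI coordinates
    detected_at = None
    for k in range(steps):
        # (i) read the sensor; an additive bias models the failure
        faulty = fault_step is not None and k >= fault_step
        y = x + (bias if faulty else 0.0)
        # (ii) transform measurement and reference into LTI coordinates
        z_meas, w = T(p) * y, T(p) * r
        # (iv) transform the estimate back into physical coordinates
        x_hat = z_hat / T(p)
        # (v) compare estimate and sensor signal (residual test)
        if detected_at is None and abs(y - x_hat) > THRESH:
            detected_at = k
        # (vi) reconfigure: disregard the failed sensor, feed back the estimate
        use_est = reconfigure and detected_at is not None
        fb = x_hat if use_est else y
        # feedback LTI'ing law: cancels a(p), b(p) so that x+ = A*x + B*r
        u = ((A - a(p)) * fb + B * r) / b(p)
        x = a(p) * x + b(p) * u
        # (iii) observer in LTI coordinates; sensor correction is dropped
        #       once the sensor is disregarded
        gain = 0.0 if use_est else L
        z_hat = A * z_hat + B * w + gain * (z_meas - z_hat)
    return detected_at, x

if __name__ == "__main__":
    for p in (0.5, 1.0, 2.0):
        print(p, run(p), run(p, 30, 0.5), run(p, 30, 0.5, reconfigure=False))
```

Because the residual is formed against a model that is the same for every p, one fixed threshold serves all three parameter values; with reconfiguration disabled the biased sensor pulls the true state away from the commanded value.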