This invention relates to control systems, and more particularly to a digital control data processing and display method and apparatus which verify data processing accuracy by receiving output information developed from system data input information in accordance with a first operational function, computing a derived version of the control data input information in accordance with a second operational function, and determining whether the difference between the derived version and the actual input information exceeds a preassigned operational tolerance.
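The verification scheme stated above can be sketched in C as an added example; it is not code from the patent. The gain, bias, tolerance, the latent defect, the function names and the sample inputs are all constructed assumptions. A second channel running the same defective function agrees with the first, while the independently coded inverse exposes the defect.

```c
#include <stdio.h>

/* All constants, functions and sample inputs are constructed for illustration. */
#define GAIN 2.5
#define BIAS 1.0
#define TOLERANCE 0.05   /* preassigned operational tolerance, in input units */

typedef double (*op_fn)(double);

/* First operational function: input -> output command. */
static double forward_ok(double in) { return GAIN * in + BIAS; }

/* Same function with a latent defect: wrong gain on a rarely used branch. */
static double forward_latent(double in) {
    if (in >= 10.0) return 2.05 * in + BIAS;
    return GAIN * in + BIAS;
}

/* Second operational function: independently coded inverse, output -> input. */
static double derive_input(double out) { return (out - BIAS) / GAIN; }

static double abs_diff(double a, double b) { return a > b ? a - b : b - a; }

/* Returns 1 when the derived input matches the actual input within tol. */
static int verify(double in, double out, double tol) {
    return abs_diff(derive_input(out), in) <= tol;
}

/* Channel-to-channel comparison of two processors running the same function. */
static int channels_agree(op_fn a, op_fn b, double in, double tol) {
    return abs_diff(a(in), b(in)) <= tol;
}

/* Counts the inputs whose computed output fails the inverse check. */
static int count_faults(op_fn first, const double *in, size_t n, double tol) {
    int faults = 0;
    for (size_t i = 0; i < n; i++)
        if (!verify(in[i], first(in[i]), tol)) faults++;
    return faults;
}

static const double SAMPLE[] = { -3.0, 0.0, 4.0, 9.5, 12.0, 15.0 };
#define N_SAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void) {
    printf("faults, correct function: %d\n", count_faults(forward_ok, SAMPLE, N_SAMPLE, TOLERANCE));
    printf("faults, latent defect: %d\n", count_faults(forward_latent, SAMPLE, N_SAMPLE, TOLERANCE));
    printf("duplicate channels agree at 12.0: %d\n", channels_agree(forward_latent, forward_latent, 12.0, TOLERANCE));
    return 0;
}
```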
There have been known heretofore methods and apparatus for verifying the operational status of digital control systems designed specifically for flight guidance applications.
In particular, U.S. Pat. No. 4,130,241 of Meredith et al. describes an aircraft control system which comprises at least one computer that includes a redundant pair of digital processing channels. Each channel processor separately computes output information corresponding to a control signal which is compared to and averaged with the control signals developed by the other channel processors. The average signal is transmitted by the computer to actuate the movable aerodynamic control surfaces of the aircraft.
Identical input information is applied to both processors in each computer. In an attempt to detect software processing errors, one of the channel processors is configured to convert the input information into the two's-complement digital word format. Despite this difference in digital word format, the input information is processed by both channel processors in accordance with the same operational function. A disadvantage inherent in the system of Meredith et al. which employs only one computer is that it is incapable of determining the particular processing channel in which a single mode error occurs and, therefore, must cease operation whenever an error of any type occurs.
U.S. Pat. No. 3,688,099 of Buscher describes an automatic flight control system which includes a redundant pair of digital computers. The operational status of the control system is verified by means of a regimen of tests which are performed in a specified sequence. Each computer develops control signal output information in response to sensor input information in accordance with a known program. The operational integrity of the digital processors in each computer is verified in part by processing a known input in accordance with a known program and comparing the computed output signal to the expected output signal. A computed output signal which differs from the expected output signal indicates that either a software or hardware anomaly exists within that particular computer. The system of Buscher suffers from the disadvantage of requiring the use of an external test signal and a single test program which is used in an attempt to determine the accuracy of all possible operational functions. The system also appears to be ineffective in detecting latent software programming errors in a given operational function program.
U.S. Pat. No. 4,030,074 of Giorcelli describes a system for checking two substantially identical data processors operating in parallel. Each data processor includes a general purpose computer and an associated memory which is interconnected to the memory of the other data processor. The system circuitry monitors and compares the result computed by both data processors after each processing step. If a discrepancy exists, the computers regress to the last step which checked out correctly, recompute the step in which the discrepancy originated, and discontinue the operation of the entire system if the discrepancy appears a second time. This system is also incapable of isolating the data processor which has malfunctioned.
U.S. Pat. No. 4,270,168 of Murphy et al. describes a fail-operational, fail-safe multicomputer control system which incorporates two substantially identical computers operating in parallel. Each computer provides for feedback test comparison between the calculated commands and the actual electrical current or voltage signal to which such commands correspond. An error checking system of this type suffers from the disadvantage of requiring a separate command evaluation standard for each possible control signal to determine whether a processing error has occurred.
U.S. Pat. No. 4,101,958 of Patterson et al. describes a method and an apparatus for effecting redundant control data transfer between computation channels in a digital automatic flight control system. Each one of selected control data is identified by an identifying label or tag which corresponds to the address of the memory location where the datum value is stored. The particular datum value is retrieved by a search of the memory for the desired tag and transferred to the desired system location. The Patterson et al. patent neither teaches nor suggests the use of an identifying tag in connection with error detection or display apparatus of any type.
U.S. Pat. No. 4,217,486 of Tawfik et al. describes a digital flight guidance system comprising a pair of processors which operate in one of three configurations. These configurations include (1) the parallel processing of the same input information and comparing the resultant output information, (2) the redundant processing of critical information in both processors and the processing of noncritical information in only one of the processors, and (3) the processing of all operational functions in a first processor and the performance monitoring of the response of the aircraft with a second processor to detect abnormal operation of the first processor. These three system configurations suffer from the disadvantages of, respectively, not isolating the channel in which an error occurs, not providing redundant checking of all control functions, and not determining the existence of an error until after a control signal has been executed.
U.S. Pat. No. 4,096,989 of Tawfik describes a monitoring apparatus for redundant control systems of the above-described type of Tawfik et al. This apparatus includes means for preventing the monitoring apparatus from assuming an operational condition which does not respond to a detected control system failure. This system does not contemplate the detection of digital data processing errors.
There also have been known control system apparatus which project a display symbol in the form of a light image that conveys information concerning the status of an operational state of the system. Such display symbols include pointers and other characters whose position on or direction of movement across the display screen conveys to the observer information about a particular operational state.
A prior means for determining whether the display symbol conveys the correct information includes the use of a test program which is executed while the control system is off-line. The test program applies known input information to the data processing apparatus which produces output command information in accordance with a known operational control function. A display symbol generator responds to the output command information by projecting a preassigned pointer symbol at a known location on the display screen. A photodetector positioned at the known location receives the light emitted from the pointer symbol and thereby acknowledges the nominal performance of the control system after a successful execution of the test program.
This method of verifying the operational status of a control data processing and display system is capable of neither verifying the status of the system in real time operation nor providing an adequate test for detecting latent software design defects which arise during the execution of a particular control operational function.