Many control systems operate in response to sensors of various types. As an example, a helicopter automatic flight control system responds to attitude and heading gyros as well as altimeters, and to attitude rate gyros and accelerometers in order to control the maneuvering of the aircraft. The control of the aircraft, when an automatic flight control system is in use, is therefore dependent upon the signals provided to the flight control system by the various sensors (gyros, rate gyros and accelerometers, etc.). In the event of failure of a sensor, an undesirable disturbance in the aircraft flight could result. In some cases, the disturbance may be abrupt or tumultuous, and in other cases the disturbance may be gradual. For instance, if a heading gyro failed at a given setting while the aircraft were on heading hold, the effect would not be noticed until a substantial perturbation (such as a wind gust) was observed to throw the aircraft off heading, or until the pilot desired to change heading; otherwise, the only observable result would be a slow drift of the aircraft off its desired heading. On the other hand, if the heading gyro failed by provision of a maximum output signal, the aircraft would begin to maneuver immediately in an opposite direction as the automatic flight control tried to correct the apparent heading error.
Any sensor failure in an aircraft automatic flight control system requires pilot response to react to the change in aircraft maneuvering as well as to monitor any error-indicating alarms for disengagement of the faulty system. In many cases, the mere disengagement of the faulty system can cause a reverse maneuvering effect (as a hard error in one direction is immediately converted to a zero error, or the like). Similarly, if the pilot reacts to the disturbance by introducing a countermanding input through the pilot controls, disengagement of the faulty system will leave a undesirable pilot command uncompensated, causing a further disturbance.
At times, such as hovering a few feet above the ocean, such failures in an aircraft control system can be disastrous. For instance, failure of a radar altimeter in such a case could cause the aircraft to actually contact the water surface.
In order to overcome difficulties with such sensors, it has been known to use a pair of sensors of an identical type (redundant sensors) the outputs of which are compared, a failure or fault being indicated in the event that the outputs of the two sensors fail to track within a tolerance limit of each other. However, this not only requires additional sensors but additional signal processing channels for each of the sensors. Furthermore, there are conditions in which two sensors of the same type are likely to fail at the same time, thereby providing the same erroneous output signal so that they are within the prescribed tolerance of each other and therefore the comparison is not indicative of failure of either of them. Such a case can exit if the Pitot-static tube protection covers are not removed from both Pitot-static tubes of an aircraft before the beginning of a flight: both airspeed sensors would be indicating the same (zero) airspeed, and no fault would be indicated.
In an attempt to reduce the hardware required by redundant comparison, and to overcome some of the shortcomings of redundant comparisons, attempts have been made in the past to utilize a form of sensor activity monitoring. This activity monitoring known to the art has taken the derivative of a sensor's output and examined it to see if it had some amount of change on it. In the event that the rate of change of the sensor output with respect to time becomes excessive in view of the permissible aircraft maneuver in the axis which the sensor detects, a fault can be indicated. However, any spurious noise in the sensor output is amplified by virtue of differentiation of the sensor output signal, which leads to nuisance fault indications (indications of excessive rate when there really is none) due to noise. For this reason, the tolerance or sensitivity of such a fault detector has to be significantly reduced, even to the point where bonafide faults of a lesser magnitude are not even detectable. Furthermore, since many sensors are operable in normal, permissible maneuvers (such as level flight at a constant heading and speed on a calm day), such detectors cannot be monitored to sense the lack of a minimum amount of activity as an indication of fault, since zero is permissible over relatively long periods of time.