The present invention relates generally to signal selection and fault detection within the control systems art. More particularly, the invention concerns a system for detecting an unannounced failure in the outputs of dual redundant condition sensors and for providing a suitable substitute for the failed signal so that an associated control system remains operational.
In control systems, and particularly in control systems in the aviation art, redundant channel signal processing is frequently used to increase the reliability and safety of the system. For example, it is known to use three separate sensors to sense the same aircraft parameter to provide redundant signals that are processed by circuitry that selects that signal, or a combination of signals, which is most likely to be representative of the actual aircraft parameter. Examples of such signal selection systems are described in U.S. Pat. No. 4,276,648 to Tomlinson and U.S. Pat. No. 4,472,806 to Blair.
A high degree of system reliability is particularly important in the autoland systems that control the automatic landing of an aircraft. It is particularly desirable that these systems have fail operative characteristics to assure safe landing of the aircraft under all conditions. Heretofore, such fail operative characteristics have been implemented using either unmonitored sensors arranged in three independent channels or by using dual fully- or self-monitored channels. Each of these options necessarily adds to the complexity and cost of the autoland system.
U.S. Pat. No. 3,881,670 to Doniger discloses an alternative approach for providing fail operative characteristics to a redundant aircraft control system. In the described system, the output signals from a pair of unmonitored condition sensors are applied to an averaging voter/monitor along with a third signal that is derived by integrating the output of another sensor that is on board the aircraft. This approach has several disadvantages. First, the output of the averaging voter is used as the system output under both normal and failure conditions. Consequently, if the fault detection circuitry is not quick to reject a failed channel, the system output will erroneously follow the failed channel. Secondly, the integrator that produces the third input to the averaging voter is slaved to the voter output to eliminate integrator drift. As a result, this third input signal is also susceptible to erroneous influence in the event that the signal from a failed channel is averaged into the final output of the system.
The present invention provides an arrangement that overcomes the above-described disadvantages and achieves triple functional redundancy using the outputs of two unmonitored condition sensors and one or the other of two auxiliary signals as the inputs to a midvalue selector. These two auxiliary signals are synthesized from the output of a third, distinct sensor and are alternately applied to the midvalue selector in accordance with the operational condition of the two unmonitored sensors, i.e., depending upon whether these sensors are operating normally, are suspected to have failed, or have failed.
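The two disadvantages of the averaging voter and the effect of mid-value selection can be seen in a small simulation. This is an added example, not taken from the patent: the ramp, failure time, hardover value, rate bias and slaving gain are constructed, the third input is a plain integrated rate signal, and the patent's two auxiliary signals and their switching logic are not modeled.

```python
def mid_value(a, b, c):
    """Mid-value selection: return the middle of three inputs."""
    return sorted((a, b, c))[1]

def average(a, b, c):
    """Averaging voter: every input, failed or not, moves the output."""
    return (a + b + c) / 3.0

def run(voter, slave_gain, steps=200, dt=0.05, fail_at=100,
        hardover=50.0, rate_bias=0.02):
    """Simulate two unmonitored sensors plus an integrated third signal.

    All numbers are constructed for illustration. The true parameter ramps
    at 1 unit/s; sensor B jumps to `hardover` at step `fail_at` and no fault
    detection ever removes it. Returns the worst output error and the worst
    error of the third (integrated) signal.
    """
    truth = third = out = 0.0
    worst_out = worst_third = 0.0
    for k in range(steps):
        truth += 1.0 * dt
        sensor_a = truth                              # healthy channel
        sensor_b = truth if k < fail_at else hardover  # unannounced failure
        # Third signal: integrate a slightly biased rate from a distinct
        # sensor; slave_gain > 0 slaves the integrator to the voter output.
        third += (1.0 + rate_bias) * dt + slave_gain * (out - third) * dt
        out = voter(sensor_a, sensor_b, third)
        worst_out = max(worst_out, abs(out - truth))
        worst_third = max(worst_third, abs(third - truth))
    return worst_out, worst_third

def compare():
    """Averaging voter with a slaved integrator vs. mid-value selection
    with an unslaved third signal (an assumption of this example)."""
    return {
        "average_slaved": run(average, slave_gain=1.0),
        "mid_value_unslaved": run(mid_value, slave_gain=0.0),
    }

if __name__ == "__main__":
    for name, (out_err, third_err) in compare().items():
        print(f"{name:20s} worst output error {out_err:6.2f}  "
              f"worst third-signal error {third_err:6.2f}")
```

With the averaging voter the output error grows with the failed channel and the slaved integrator is dragged along with it; with mid-value selection the failed channel becomes an extreme value and the output error stays bounded by the drift of the third signal.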