Modern aircraft are increasingly equipped with fly-by-wire (FBW) systems that replace many mechanical flight control systems. Complex mechanical assemblies were commonly incorporated in older aircraft to transmit pilot inputs/commands to various flight control surfaces, e.g., the rudder, elevator, and ailerons, of the aircraft. FBW systems were designed to convert the pilot inputs/commands into electrical signals (e.g., via transducers) that when combined with other data control the flight control surfaces. For example, electronic sensors are attached to the pilot's controls. These sensors transmit electronic data to actuator control modules (ACEs), as an intermediate destination, and this sensor data is then sent to various flight control modules (FCMs). The FCMs combine this sensor data with other sensors that monitor the state of the aircraft in flight (e.g., inertial sensors and air-data sensors) and transmit computed commands back to the various ACEs. The ACEs receive the computed commands from the FCMs and generate output commands that move hydraulic actuators based on the received computed commands. Each hydraulic actuator is coupled to a moveable surface such that movement of the actuator moves the primary control surface.
FBW systems typically employ a digital processor that accepts control inputs from the cockpit controls, combines this with aircraft state information from other sensors (e.g., inertial and air-data sensors), and translates the control inputs into digital control signals for actuator controller units (i.e., ACEs). The output commands from the actuator controller units produce signals to physically move flight control surfaces. The actuator controller units may also obtain feedback data by monitoring various output parameters indicative of the operation and position of the flight control surfaces. In one example, the FBW system uses three computers, each with three or two computing lanes, to achieve a three-way or a two-way redundancy comparison. A computing lane is referred to as an independent avionics control system having a computing system that communicates electronically with sensors on the aircraft, communicates with sensors which process the pilot's commands or actions, and also communicates with and controls the aircraft's actuators. Each flight control computer (FCC), having multiple computing lanes, is capable of controlling the aircraft in its entirety.
One reason that FBW systems use more than one computing lane is to meet different requirements for verification rigor, for example, to detect a computing lane electronic failure by comparing one computing lane with another computing lane of dissimilar design. Various electronic systems used in airborne environments may be subject to different requirements for verification rigor based on the criticality of the system. Criticality may be characterized by integrity and availability. Most modern aircraft are equipped with an automatic flight control system (AFCS) that can maintain the heading, altitude, and airspeed of the aircraft, couple with various guidance sources, and in many cases, perform automatic landings. In addition, the most sophisticated aircraft today include a flight management system (FMS) that can navigate the aircraft along a pilot entered route or one of a plurality of pre-programmed routes from an origination point to a predetermined destination and can deliver the aircraft to a point at which an automatic approach and landing sequence can be commenced, with minimal intervention required from the pilot once the FMS is programmed and activated. Each of these systems has an associated criticality and is generally subject to verification rigor based on such criticality.
Redundancy is commonly used to augment verification rigor. For example, several redundant elements (e.g., multiple computing lanes) may be used in a critical system, and these redundant elements typically cross-compare outputs to determine any errors in one of the redundant elements and by-pass the redundant element having such error. One concern is with the occurrence of a generic fault, particularly for a highly critical functionality, such as FBW where the system is full-time (e.g., from “wheels-up” until “wheels-down”), in which an error or loss of function has significant consequences. A generic fault refers to a fault fundamental to all of the redundant elements for a particular aspect of function in a system.
Dissimilar redundancy, such as using similar functioning components from different manufacturers, is one technique for designing systems to meet a desired criticality and mitigate generic faults in systems incorporating hardware devices that are “complex” as defined by DO-254. The functionalities associated with complex hardware devices, such as programmable logic devices (PLDs) and application specific integrated circuits (ASICs), add difficulty to the implementation of dissimilar redundancy and require specific architectural treatment in the design and/or application of dissimilar redundancy. Additionally, dissimilar redundancy may be difficult to implement for complex communications paths within the FBW electronic system thereby necessitating architectural treatment to limit the potential fault effects and mitigate what would otherwise be a full-time exposure to critical fault scenarios in complex devices.
Accordingly, it is desirable to provide an FBW system that mitigates generic fault effects either architecturally or through dissimilarity of complex components. In addition, it is desirable to provide a method for mitigating generic fault effects in airborne electronic systems. Furthermore, other desirable features and characteristics of the present invention will become apparent from the subsequent detailed description of the invention and the appended claims, taken in conjunction with the accompanying drawings and this background of the invention.