1. Field of the Invention
This invention relates to digital data processors particularly with respect to flight critical avionic equipment.
2. Description of the Prior Art
The stored program digital computer is in widespread use in a variety of applications. Digital computers are utilized to implement complex banking and business systems as well as in the control of industrial processes. The digital computer is also finding widespread use in the control of vehicles such as aircraft, spacecraft, marine and land vehicles. For example, in present day automatic flight control systems for commercial and military transports, the digital computer is supplanting the analog computer of prior art technology.
Automatic flight control systems are constrained by Federal Air Regulations to provide safe control of the aircraft throughout the regimes in which the automatic flight control system is utilized. Any failure condition which prevents continued safe flight and landing must be extremely improbable. Present day regulations require a probability of less than 10^-9 failures per hour for flight critical components. A flight critical portion of an automatic flight control system is one whose failure would endanger the lives of the persons aboard the aircraft. For example, components of an automatic flight control system utilized in automatically landing the aircraft may be designated as flight critical, whereas certain components utilized during cruise control may be designated as non-critical. In the prior art systems utilizing analog computers, the safety level of the components of the system had been determined by analysis and testing procedures familiar to those skilled in the art.
In the present day technology of digital automatic flight control systems, it is generally recognized that a digital computer, including the hardware and the extensive software required for a flight control application program, is of such complexity that analysis for certification in accordance with Federal Air Regulations is far more time consuming, expensive and difficult than with the analog computer. The level of complexity and sophistication of the digital technology is increasing to the point where analysis and proof for certification to the stringent safety requirements is approaching impossibility. It is virtually impossible to identify all possible data paths in such systems, and therefore conventional failure mode and effects analysis cannot effectively be utilized.
Present day automatic flight control systems utilize data channel redundancy and cross channel monitoring to enhance reliability. A failure in one of the channels is detected by the monitors and the system is disabled. Two dual redundant channels may be utilized for fail operative performance. If one pair is shut down, the other pair can continue with automatic control.
Present day digital computers are comprised of hundreds of thousands of discrete semiconductor or integrated circuit bi-stable elements generically denoted as latches. A latch is a high speed electronic device that can rapidly switch between two stable states in response to relatively low amplitude, high speed signals. Latch circuits are utilized to construct most of the internal hardware of a digital computer, such as the logic arrays, the memories, the registers, the control circuits, the counters, the arithmetic and logic unit and the like. Since present day digital computers operate at nanosecond and subnanosecond speeds, rapidly changing electronic signals normally flow through the computer circuits, and such signals radiate electromagnetic fields that couple to circuits in the vicinity thereof. These signals can not only set desired latches into desired states, but can also set other latches into undesired states. An erroneously set latch can unacceptably compromise the data processed by the computer or can completely disrupt the data processing flow thereof. Functional error modes without component damage in digital computer based systems are denoted as digital system upset.
Digital system upset can also result from spurious electromagnetic signals, such as those caused by lightning, that can be induced on the internal electrical cables throughout the aircraft. Such transient spurious signals can propagate to internal digital circuitry, setting latches into erroneous states. Additionally, power surges, radar pulses, static discharges and radiation from nuclear weapon detonation may also result in digital system upset. When subject to such conditions, electrical transients are induced on system lines and data buses, resulting in logic state changes that prevent the system from performing as intended after the transient. Additionally, such electromagnetic transients can penetrate into the random access memory (RAM) area of the computer and scramble the data stored therein. Since such transients can be induced on wiring throughout an aerospace vehicle, reliability functions based on the use of redundant electronic equipment can also be compromised.
The prior art systems utilizing analog computers are generally not susceptible to system upset caused by transient induced signals. When transients penetrate complex analog systems, data may temporarily change but will immediately return to the values that existed prior to the transient once the transient has passed. Additionally, in digital systems, to eliminate the possibility of destroying or permanently scrambling program instructions stored within digital avionic equipment memories, software resides in read-only memory (ROM), so that even if the logic states of ROM elements are momentarily changed by a transient, they will return to proper values after the transient terminates.
In the prior art, erroneous results caused by digital system upset are often mitigated by re-running the program. This may not be possible in digital systems utilized to control critical functions in aerospace vehicles. For example, the control and logic state variables that may be destroyed during an upset may not be recoverable by a conventional restart procedure. A control state variable is a parameter that is developed over a long period of time and carries a history based on sensor data. Such variables are generally developed over long term maneuvering or control of the aircraft. For example, data that is processed through a long time constant filter or through an integrator can only be recovered by maneuvering the aircraft over the same flight path on which the variable was developed. The loss of control state variables for performing flight critical functions can be dangerous. For example, loss of control state variables during a landing procedure can cause a catastrophic system response.
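The following is an added illustration, not part of the patent text, of why a control state variable developed through a long time constant filter is not recovered by a conventional restart. It assumes a first-order filter with a constructed time constant of 1000 samples, a constructed sensor history, and models the upset as a single latch (one bit of the stored IEEE-754 state) changing state.

```python
import struct

TAU_SAMPLES = 1000  # constructed: a "long" time constant, in samples

def lowpass_step(state, x, tau=TAU_SAMPLES):
    # First-order IIR filter; the state carries the history of past inputs.
    return state + (x - state) / tau

def run_filter(inputs, state=0.0):
    # Develop a control state variable from a sequence of sensor samples.
    for x in inputs:
        state = lowpass_step(state, x)
    return state

def flip_bit(value, bit):
    # Model an upset as one bit of the double holding the filter
    # state being set into the wrong state by a transient.
    (raw,) = struct.unpack("<Q", struct.pack("<d", value))
    (out,) = struct.unpack("<d", struct.pack("<Q", raw ^ (1 << bit)))
    return out

def samples_to_reconverge(good_state, bad_state, sensor_value, tol):
    # Feed both filters the same steady sensor value and count the samples
    # until the corrupted or restarted one is back within tol of the filter
    # that never lost its history. The difference decays as (1 - 1/tau)**n,
    # so roughly tau * ln(d0 / tol) further samples are needed.
    n = 0
    while abs(good_state - bad_state) > tol:
        good_state = lowpass_step(good_state, sensor_value)
        bad_state = lowpass_step(bad_state, sensor_value)
        n += 1
    return n

def upset_scenario():
    # Constructed sensor history: 5000 samples of a steady 10.0 reading.
    history = [10.0] * 5000
    good = run_filter(history)        # about 9.93, near steady state
    after_flip = flip_bit(good, 63)   # sign-bit upset: about -9.93
    after_restart = 0.0               # a conventional restart clears the state
    return {
        "good": good,
        "after_flip": after_flip,
        "recover_from_flip": samples_to_reconverge(good, after_flip, 10.0, 0.01),
        "recover_from_restart": samples_to_reconverge(good, after_restart, 10.0, 0.01),
    }

if __name__ == "__main__":
    for name, value in upset_scenario().items():
        print(name, value)
```

Both recovery counts run to several thousand samples, i.e. several time constants of fresh sensor data, which in flight means re-flying the corresponding portion of the path.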
In the same manner, logic state variables utilized in critical functions can be irreversibly compromised by digital system upset. The logic state variables generally relate to the mode control of the system. For example, if the system is latched into the autopilot mode, the processing to be performed on the sensor data is established by the mode. If the mode in which the system is operating is lost during a critical maneuver, a catastrophic situation can be precipitated.
In the prior art utilizing channel redundancy with cross channel monitoring, generally a system that has suffered an upset will be shut down when the result of the upset is detected by the monitors.