Numerous applications exist in which redundant computers are employed to assure extremely high reliability in operation. One such application is the flight control system on a modern commercial aircraft, such as the Boeing Model 777. Here, a fly-by-wire flight control system replaces the mechanical systems used on other aircraft. The commands for this system are generated by three redundant asynchronous digital Primary Flight Computers (PFCs), which are referred to as channels. Each channel transmits its command output onto a digital databus. The commands on the databus are directed to actuators which in turn move various flight control surfaces. Some flight control surfaces have two or three actuators connected together, with each actuator controlled by a different channel. This requires that all channel commands to that surface be identical so that the actuators do not engage in a "force fight". The commands do not naturally track as closely as required because the PFC channels are not synchronized and, as such, will have somewhat different output commands in normal operation.
A PFC command fault of significant magnitude must be removed quickly to avoid unacceptable airplane transients. Fault monitoring may require a significant amount of time to differentiate between an actual fault and normal differences between channels or a transient that will soon disappear. A monitoring system which acts too quickly to detect a fault condition may, therefore, incorrectly and unnecessarily cause a PFC disconnection.
Were redundancy not required for system reliability, an "ideal" control system would utilize a single computer to drive all systems so that there would be no command differences and perfect tracking. An "ideal" monitor for such a system would immediately stop or limit the magnitude of a fault in the event of computer failure, without ever tripping falsely.
One method that has been known to the art to eliminate differences between redundant channel commands is to use timing synchronization techniques to assure that all computations start at the same time and use the same input data and computation sequence in order that all command outputs track. Such a system requires synchronization control between computations. A concern about synchronization is that it may invoke a fault that could propagate errors into all computations and commands, i.e., be generic to the system. A further problem is that the synchronization might fail and therefore another operational mode must be available to continue with failed synchronization.
An additional concern with digital computations in commercial aircraft applications is that designers tend to use commercially available Central Processor Units (CPUs) due to their ready availability and versatility. However, commercial CPUs may not have been completely analyzed for all possible operations to determine if some inherent design flaw exists. This could result in an incorrect output command at the same time from all CPUs of one type, making fault detection difficult or impossible, since all computations indicate an incorrect result and no comparison with a correct command is possible. The databus voter design avoids this problem since it is simple enough to be analyzed and tested to eliminate such flaws. The databus voter operation is exact and therefore can be easily monitored and disconnected if it fails.
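The following is an added illustration, not the patent's own voter design: a three-channel mid-value voter whose fault monitor only disconnects a channel after its deviation from the voted command has persisted for several frames, so that a one-frame transient does not trip it. The deviation limit, persistence count, and the command stream are constructed for illustration.

```python
"""Added example: mid-value voting with persistence-based channel fault
monitoring.  Constants and the sample frames are constructed, not from the
patent; the two-channel fallback (mean of survivors) is an assumption."""
from dataclasses import dataclass, field
from typing import List, Tuple

DEVIATION_LIMIT = 2.0     # assumed: widest spread seen between healthy channels
PERSISTENCE_FRAMES = 3    # assumed: consecutive frames before a channel is tripped


def mid_value_select(cmds: List[float]) -> float:
    """Voted command: median of three survivors, otherwise mean of survivors."""
    if len(cmds) == 3:
        return sorted(cmds)[1]
    return sum(cmds) / len(cmds)


@dataclass
class Voter:
    active: List[int] = field(default_factory=lambda: [0, 1, 2])
    strikes: List[int] = field(default_factory=lambda: [0, 0, 0])
    tripped: List[int] = field(default_factory=list)

    def step(self, cmds: List[float]) -> float:
        """Process one frame of channel commands and return the voted output."""
        voted = mid_value_select([cmds[i] for i in self.active])
        for i in list(self.active):
            if abs(cmds[i] - voted) > DEVIATION_LIMIT:
                self.strikes[i] += 1
                # Disconnect only while three channels remain: with two, a
                # disagreement cannot be attributed to one channel by voting.
                if self.strikes[i] >= PERSISTENCE_FRAMES and len(self.active) == 3:
                    self.active.remove(i)
                    self.tripped.append(i)
            else:
                self.strikes[i] = 0   # transient cleared: restart persistence count
        return voted


def run(frames: List[List[float]]) -> Tuple[List[float], List[int]]:
    v = Voter()
    return [v.step(f) for f in frames], v.tripped


# Constructed stream: normal spread, a one-frame transient on channel 2,
# recovery, then a persistent channel-2 fault that trips on the third frame.
FRAMES = [[10.0, 10.3, 9.8], [10.1, 10.2, 15.0], [10.0, 10.1, 10.2],
          [10.0, 10.2, 16.0], [10.1, 10.1, 16.5], [10.0, 10.2, 17.0],
          [10.0, 10.5, 17.5]]

if __name__ == "__main__":
    print(run(FRAMES))
```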