The present invention relates generally to control systems and more specifically to high integrity control systems.
High integrity systems are critical to many control applications. Aircraft, for example, require certain systems to have very high integrity. An example of a high integrity system is an autopilot which controls the flight control surfaces of an aircraft. High integrity systems are necessarily more expensive due to the added complexity of design, testing, etc. Fortunately, not all aircraft systems are required to be high integrity. Some systems may be low integrity if they do not control critical functions or if they can be monitored by a high integrity system.
These limitations can cause many problems in a control system. For example, in a control system for an aircraft, these limitations cause the flight deck to be fragmented and function as numerous independent systems which require much pilot attention and workload. The systems are unable to function as a thoroughly integrated control system. A reason for this is that the flight management system (FMS) (i.e. the brains of the aircraft) is not certified to high integrity standards. The highly complex nature of an FMS makes it nearly impossible for the FMS to be certified to high integrity. An FMS typically stores the entire flight plan of the aircraft from take-off to landing, communicates with numerous other systems, and contains a very large navigation database used to guide the aircraft.
It is desirable for a pilot to be able to program the FMS and have the FMS control the aircraft from take-off to landing with little intervention by the pilot. However, this is not permitted if high integrity maneuvers (e.g. approaches and landings) are required, due to the low integrity status of the FMS. Consequently, pilots are required to activate and program many aircraft systems.
Prior systems have tried to solve these problems. One prior approach is to use high integrity global positioning system (GPS) units to monitor the trajectory of the aircraft as it is being flown using other navigation systems. If predetermined tolerances are exceeded, the GPS unit activates an alarm. The GPS units are programmed with the trajectory coordinates from either a ground station or a control panel. The problem with this arrangement is that false alarms may be activated if the coordinates in the navigation system database do not match the coordinates in the GPS.
Control systems would be improved by a system which allows a high integrity navigation system to monitor a low integrity system with reduced risk of false alarms.
Clearly there exists the need for an improved high integrity control system.