This invention relates to flight control systems (Flight Control Systems) present in aircraft.
These flight control systems are at the interface between the flying components (control stick, rudder bar, etc.) and the various movable flight surfaces of the aircraft (such as the rudders, elevators, ailerons, stabilizers, etc.).
Modern airliners have flight control systems of “fly by wire” type in which mechanical actions on the flying components are converted into signals transmitted to actuators controlling the movement of the flight surfaces, these commands being transmitted to the actuators by advanced computers.
These commands are computed according to several types of laws. One of these laws, called normal law, is an assisted flying law that reprocesses the flying instructions provided by the flying components in order to optimize flying conditions (passenger comfort, stabilization of the airplane, protection of the performance envelope, etc.). Another law, referred to as direct law, is a law that only retranscribes the instructions for movement of the airplane transmitted by the electrical flight controls without reprocessing these signals with a view to improving flying performance.
There already is known, as illustrated on FIG. 1, a flight control system 1 comprising a control module 2 having two sets of computers 4 and 5 in order to determine the control commands to be transmitted to actuators 3.
Set 4 comprises two computers 4-1 and 4-2 able to compute the control of actuators 3 established according to the normal and direct control laws (these computers are called primary computers) and a computer 4-3 only able to compute this control established according to the direct law (this computer is called secondary computer).
Set 5 comprises one primary computer 5-1 and two secondary computers 5-2 and 5-3.
All these computers are installed in an avionic bay and communicate with the actuators via direct point-to-point analog links.
The actuators are connected to one or two computers, with in the case of two computers a “master/standby” architecture, the master computer ascertains the validity of the control signal transmitted to the actuator which ensures the integrity of the device. When the master computer breaks down, the “standby” computer takes over, which ensures that a computer is always available.
In order to ascertain the validity of its command, each computer has a structure with a dual computation unit (it is a matter of dual-track computers also called “duplex” computers), not illustrated on FIG. 1.
The first unit is a control unit (COM) which implements the processing necessary for performance of the functions of the computer, namely to determine a control signal to an actuator.
The second unit is a monitoring or checking unit (MON) which for its part carries out the same types of operations, the values obtained by each unit then being compared and, if there is a deviation that exceeds an authorized tolerance threshold, the computer is automatically disabled. It then becomes inoperative and is declared faulty so that another computer may take its place in order to implement the functions abandoned by this faulty computer.
Each computer thus is designed for detecting its own failures and inhibiting the corresponding outputs while signaling its condition.
The hardware of the primary and secondary computers is different so as to minimize the risks of simultaneous failure of all the computers (hardware dissimilarity).
In addition, the hardware of the two tracks (COM and MON) of each computer is identical but for reasons of safety, the software packages of these two tracks are different so as to ensure a software dissimilarity.