1. Field of the Invention
A similar-redundant signal system employs a plurality of identical signal paths, commonly called channels, each of which includes elements such as sensors, amplifiers, computers and servo actuators serially connected to form the signal path. The several channels operate in parallel so that so long as at least one channel is operating correctly, the system will continue to operate adequately, thus providing a high degree of security against failure.
In such a system it is possible to detect failures by comparing nominally equivalent signals in the different channels of the system.
2. Description of the Prior Art
FIG. 1 of the accompanying drawings illustrates in simplified diagrammatic form part of a prior art similar-redundant signal system employing such a failure detection arrangement.
Referring to FIG. 1, the system includes three identical channels A, B and C each of which includes a sensor 1A, 1B or 1C whose output is fed to a computing element 3A, 3B or 3C whose output is in turn fed to the next element (not shown) in the channel, and so on to each element of the channel in turn.
The outputs of the three sensors 1A, 1B and 1C are fed to a first comparator 5 and the outputs of the three computing elements 3A, 3B and 3C are applied to a second comparator 7, the outputs of the further unillustrated elements being similarly fed to further respective comparators (not shown).
Each comparator such as 5 or 7 compares its input signals and if one of these signals becomes significantly different from the others, appropriate remedial action is taken. It will be appreciated that the appropriate remedial action will depend on the system configuration and design philosophy. Thus, whereas in some cases detection of a failure will require isolation of the failed channel leaving the remaining channels in operation, in other cases a failure might temporarily be tolerated unless and until a further failure occurs elsewhere in the system. In a system having only two channels, the only possible action may be merely to give warning of the fault.
It will be appreciated that the sensors 1A, 1B and 1C will ideally be identical to each other, as will computing elements 3A, 3B and 3C and other corresponding elements in the system, in order that the signal comparison process can operate most effectively. The reason for this is that, in normal operation (i.e. without any failure), the similar-redundant signals which are being compared will then be identical to each other, and therefore a failure in any of the channels can be detected by a very small difference only between signals. In other words the failure detection theshold of the comparison process can be very small if the similar-redundant signals are closely matched to each other in normal operation.
However, in practice, the sensors, computing elements etc. are merely nominally identical and exhibit differences with respect to each other, without any failures having occurred, as a result of manufacturing tolerances or differing environmental effects on the channel elements.
Because of such variations the failure detection thresholds in the comparison processes need to be increased in order to eliminate the possibility of false failure indications in normal operation. Clearly an increase in these failure detection thresholds is detrimental to the ability of the comparison process to detect failures quickly and without undue disturbance to the system as a whole.