This invention relates to the field of control systems. More particularly, this invention relates to signal selection and consolidation apparatus, responsive to a plurality of redundant input signals, for supplying a single, reliable signal for use in apparatus such as a control or computational system.
In some situations, a control or computational system must exhibit a system reliability factor that exceeds that obtainable with a system which utilizes a single component to perform each system function. One common approach to such a problem is the replacement of one or more system components with a set of system components, each of which is capable of preforming the same system function as the replaced component. In this design approach, the system includes logic means for detecting a component failure and selecting an unfailed system component for operation within the system at any given time. In such a system, the set of components that perform a substantially identical function, and the signals such system components produce, are referred to as "redundant" since less than the full set of redundant components or signals are required for satisfactory system operation.
Depending on the system configuration and the desired reliability factor, redundancy can be implemented in a variety of manners. By way of illustration, a typical flight control or guidance system for an aircraft often includes one or more different types of sensors or transducers that supply data such as aircraft attitude and a computational unit which is responsive to the sensor signals for generating control signals to position the aircraft control surfaces. In such a control system, redundancy may be employed by utilizing sets of independent sensors to replace one or more of the different system sensors, or the system can be fully redundant, utilizing a set of independent sensors to replace each type of sensor and an equal number of computational units.
With respect to state-of-the-art redundant control systems, full redundancy is often implemented with the system being arranged as a number of separate "channels." For example, a triply redundant system is often arranged as three separate channels, each of which effectively constitutes a complete control system, with the system further including means for monitoring the operation of each redundant component to detect component failure or malfunction. By arranging the system in such a manner, fail/operational and fail/operational-fail/passive system operation can be achieved. In fail/operational operation when a particular redundant component fails, the system logic detects the faulty component and isolates it from the system so that the system continues to operate, utilizing unfailed components. In fail/operational/fail/passive operation, the system is fully operative upon the failure of a first redundant component and automatically enters a passive mode of operation upon the failure of a second redundant component. Generally, when a second failure causes such a system to enter the passive mode, the control signals are no longer utilized, e.g., supplied to the aircraft control surfaces, and manual control thereof is usually initiated.
In many situations, one or more of the redundant signals are time-varying or analog signals. It can be recognized in such a situation that, although the sensors or other apparatus supplying the redundant signals may be of an identical design, the redundant signals will not be perfectly identical. To supply the system with a "best" or "correct" signal, the signal selection logic or prior art redundant control systems generally includes apparatus for either selecting a particular one of the redundant signals for use within each of the system channels or apparatus for deriving or forming a signal on the basis of the signals supplied by the operational redundant components. In the art, combining the redundant signals to supply a derived signal is sometimes known as signal consolidation, a definition which will be adhered to herein. One common example of such signal consolidation is supplying a derived signal of a magnitude equal to the mathematical average of the redundant signals (i.e., the sum of the redundant signals divided by the number of redundant signals). With respect to the signal selection apparatus wherein a selected redundant signal is supplied to each channel of the system, " voting" is often employed wherein one of the redundant signals is selected according to some predetermined criteria (e.g., the median signal is selected).
Although prior art signal slection system are often satisfactory in applications in which the redundant components are of identical design and hence supply redundant signals of substantially the same accuracy or precision, situations can arise in which it is advantageous or necessary to utilize a set of redundant components in which one or more of the components supplies more precise or more reliable information than the remaining redundant components. For example, in an aircraft flight control system, pitch attitude information can be supplied from a number of various sources including inertial navigation systems and conventional vertical gyros. Although the attitude information supplied by an inertial navigation system is more precise or accurate than attitude information supplied by vertical gyros (and maintains such accuracy over a longer period of time), the coat of a redundant set of inertial navigation systems is generally prohibitive. In this and similar circumstances, it would be desirable to utilize a single precise instrument such as an inertial navigation system and less precise instruments such as the vertical gyros to constitute a redundant set of sensors. More explicitly, it would be desirable to provide signal selection and consolidation apparatus that provides the control system with the precise signal supplied by the inertial guidance system whenever such system is operational and provides the control system with a signal representative of the information provided by the vertical gyros whenever the inertial guidance system is inoperative.
Prior art signal selection apparatus is not emenable to such a situation since such prior art apparatus effectively treats each redundant signal with equal deference. For example, if a prior art signal selection system is utilized wherein signal consolidation is effected by deriving a signal that is the average of the applied redundant signals, full advantage of the precise information supplied by the precision component will not be achieved. On the other hand, if prior art signal selection apparatus using "voter" techniques are utilized, a signal supplied by one of the less precise redundant sensors will often be selected rather than the signal supplied by the more precise sensor.
Furthermore, significant problems have been encountered with respective prior art signal selection and consolidation apparatus. First, it is generally both necessary and desirable to prevent abrupt changes in the signal level being supplied to a control system when one of the redundant components fail. For example, in many instances, the signal being supplied to the system at the time a redundant sensor fails is of substantially different magnitude than the signal which is to be supplied immediately after such sensor failure. With respect to systems such as aircraft flight control systems, an abrupt transition between the signal supplied prior to component failure and the signal supplied subsequent to component failure often cannot be tolerated by the control system and can well have catastrophic results. Although prior art signal selection and consolidation apparatus often includes means for equalizing the signal provided immediately following a component failure with the signal provided at the time such failure occurs, such means have not proven entirely satisfactory and oftentime overall system performance is degraded.
A second related problem exists will respect to monitoring the redundant signals to detect failure of one of the redundant components. Specifically, this problem relates to establishing the criteria upon which the apparatus will declare a particular component inoperative. For example, the signals supplied by a redundant set of sensors are often compared with one another and the failure of the particular component declared when the discrepancy between the signal supplied by that component and the redundant signal supplied by another of the redundant set exceeds a predetermined threshold. In such systems, nuisance disconnects and mode cycling can be experienced if the comparative thresholds are too tight. On the other hand, wide comparative thresholds can permit undesirably large signal transitions to be applied to the system if a sensor suddenly fails and generates such a signal transition or "step input." Such step inputs are in addition to and can have the same effect on a control system as a previously described abrupt signal transitions.
This problem is especially relevant in situations in which one of the redundant components supplies more precise information than the remaining redundant components. Specifically, it can be recognized that in such a situation it is advantageous to utilize a rather wide comparative threshold in determining whether the precise component has failed since, in all probability, the signal supplied by such a precise component is as accurate as those signals provided by the less precise components even when substantial signal deviation occurs between the signal provided by the more precise component and the signals supplied by the less precise components. On the other hand, such precise components are also subject to a failure mode wherein an abrupt signal transition of substantial magnitude is generated. In this respect, prior art signal selection and consolidation apparatus, designed to operate with sets of substantially identical redundant components, are not configured to utilize the precise signal over a range in which the signal is likely to be as accurate as the signal supplied by the less precise components while simultaneously preventing a step input that can be generated by the sensor during certain failure modes from reaching the system.
Accordingly, it is an object of this invention to provide signal selection and signal consolidation apparatus for use in applications wherein one component of a set of redundant system components supplies a more precise signal than the remaining components of the set of redundant components.
It is a further object of this invention to provide such signal selection and consolidation apparatus wherein the signal supplied does not exhibit an abrupt change in magnitude upon the failure of one of the redundant components.
It is another object of this invention to provide signal selection and signal consolidation apparatus for use with a set of redundant signal sources wherein one of the redundant signal sources provides more precise information than the remaining redundant signal sources such that the signal supplied by the precise sensor is supplied as an output signal during periods of time in which the precise sensor is operational.