1. Field of the Invention
The present invention relates to control systems. More particularly, this invention is a control system having a fault detection system that is particularly well-suited for aeronautical and industrial control systems.
2. Description of the Prior Art
Fault detection systems well-known in the prior art monitor the outputs of redundant control systems to ensure control signal integrity and reliability. Referring to FIG. 1, a signal P from a primary control system 11 may be unreliable when it differs significantly from a monitor control signal M generated by a duplicate control system 12, provided that both control systems 11 and 12 receive identical input data. If the primary and monitor systems normally generate identical outputs, differences between outputs P and M may indicate issues with one or both control systems. This difference D, which is equal to P minus M, can be readily computed by summing junction 15 in FIG. 1.
A prior art fault detector 13 generates an alarm signal A whenever primary control signal P differs from monitor control signal M by some critical threshold T.sub.c. This alarm signal A notifies plant 14 (which is the system being controlled) that the primary control signal P is potentially unreliable and should be disregarded.
Some difference D between primary control signal P and monitor control signal M is inevitable because of noise and other inaccuracies inherent in mechanical and electrical systems. When setting a critical threshold value T.sub.c for tolerable signal difference, then, it is desirable to select a value that is low enough to isolate all true alarm conditions yet high enough to prevent system noise from generating false alarm signals, called "nuisance trips". In practice, it is very difficult to set an optimal value for T.sub.c that is capable of ignoring brief but high-amplitude noise while detecting prolonged low-amplitude difference D between primary control signal P and monitor control signal M.
Various methods of implementing fault detector 13 are known in the prior art. One method, for example, monitors the difference between the primary and monitor control signals and generates an alarm whenever the difference between the two signals exceeds a magnitude threshold T.sub.m for a period of time T.sub.t. While such a system is responsive to low frequency error signals, the system is slow to respond to very high frequency error signals since the error condition must be observed for a period of T.sub.t seconds before triggering an alarm.
An improved fault detection system is disclosed in U.S. Pat. No. 4,509,110 issued to Levesque, Jr. et al. on Apr. 2, 1985, which is hereby incorporated by reference. The Levesque system uses an integrator to monitor the difference between primary and monitor signals over time. When the difference between the primary and monitor signals exceeds a magnitude threshold T.sub.m, the integrator increases its output value at a rate equal to the error signal. The system generates an alarm signal when the integrator output exceeds the time-magnitude threshold T.sub.m. When the difference between the primary and monitor signals does not exceed T.sub.m (i.e. when the observed error in the system is small or non-existent), the integrator output gradually decreases to zero at some constant rate. The system therefore considers both the magnitude and the duration of any difference between the primary and monitor control signals. A large difference between the signals will quickly generate an alarm signal, and a smaller difference will generate an alarm if observed for a sufficient period of time.
While the Levesque, Jr., et al. invention provides improvements over other prior art fault detection methods, it is still susceptible to nuisance trips from noise signals having a magnitude greater than the magnitude threshold T.sub.M. Nuisance trips may also occur from noise signals that do not instantaneously exceed the noise threshold if such noise signals have sufficient frequency or magnitude to exceed the constant decay rate of the integrator. Because differences between the primary and monitor control signals are flushed from the integrator at a constant rate, large difference signals may remain in the system for a long time.