Flight control systems are constrained by Federal Air Regulations to provide safe control of an aircraft throughout the regimes in which the flight control system is utilized. Any failure condition which prevents continued safe flight and landing must be extremely improbable. Present regulations require a very low probability of failure per hour for flight critical components. A flight critical portion of a flight control system is one of these critical components, the failure of which endangers the lives of the persons aboard the aircraft. Generally, the safety levels of the components of the system are determined by aircraft level analysis, known to those skilled in the art. Analysis of non-critical flight control system elements, however, is typically performed to a much less stringent probability-of-failure-per-hour level than analysis of flight critical portions. For example, components of a flight control system utilized in landing the aircraft may be designated as flight critical, whereas certain components utilized during cruise control may be designated as non-critical.
Flight control systems utilizing analog computers and components had been prevalent in the art, and for such systems it was entirely practical to perform the verification and validation procedures needed to certify conformance to the safety requirements of the Federal Air Regulations. A known technique for enhancing the reliability and fault tolerance of flight critical components is dual redundancy. Dual redundancy is the utilization of two identical channels with cross channel monitoring to detect a failure in one of the channels. Although such systems are effective against random faults, cross channel monitoring does not provide effective detection of generic faults. A generic fault is defined as a fault that is inadvertently designed into a component such that all like components generically have this fault and respond in like but defective manners. When identical components having a generic fault are in respective redundant channels, the cross channel monitoring compares the same, although erroneous, output from both channels, and therefore does not detect the error.
Such prior art dual redundant systems with identical channels provided fail passive performance with respect to random faults. When the cross-channel monitoring detected different outputs from the two channels, the dual channel flight control system was disengaged, thereby failing in a passive manner. In order to effect fail operational performance with respect to random faults, two such dual redundant channel pairs were conventionally utilized, whereby a miscomparison in one pair would result in shutdown of that pair with the other channel pair remaining in operation. The occurrence of a second random fault in the remaining channel pair would effect passive shutdown of the system. For the reasons discussed above, such multiple redundant systems were ineffective in detecting generic faults.
In present day technology, digital computers are supplanting the analog computers of the prior art technology. It has generally been found that a digital computer, including the hardware and software, is of such complexity that the verification and validation analysis for certification in accordance with Federal Air Regulations is exceedingly more time consuming, expensive and difficult than with the analog computer. The level of complexity and sophistication of the digital technology is increasing to the point where analysis and proof of certification to the stringent safety requirements is approaching impossibility. Such digital systems possess an almost unlimited number of unique failure modes and, therefore, indeterminable effects. A further problem is encountered in that software is susceptible to generic design errors. A generic design error can occur in the attendant assembler or compiler as well as in the microcode for the processor. Software based redundant systems have the unique characteristic of being precisely identical. Accordingly, a generic fault in, for example, detail program code or processor hardware may result in a unique set of otherwise benign time dependent events precipitating precisely the same hazardous response in all redundant systems at precisely the same time. Thus, the unique characteristic of software systems of being precisely identical exacerbates the problems with generic faults.
For the reasons given above, it is appreciated that redundant identical channels of digital data processing with cross channel monitoring may not detect hardware and software generic design errors to a degree that permits reliability to be certified to the required level. Furthermore, with the increasingly complex and sophisticated digital processing being incorporated into flight control systems, it is approaching impossibility to prove by analysis the absence of such generic errors to the levels required by the Federal Air Regulations.
In order to overcome these problems, the automatic flight control technology has advanced to the concept of dissimilar redundancy. In dissimilar redundancy, dual dissimilar processors perform identical tasks utilizing dissimilar software with cross channel monitoring to detect failures. With this approach, a generic error designed into the processor or software of one channel will not exist in the processor or software of the other channel and the cross channel monitoring will detect the discrepancy. Such a prior art dual dissimilar processor system would be fail passive with respect to both random and generic faults. A random or generic fault occurring with respect to one of the dissimilar processors would be detected by the cross channel monitoring and the dual dissimilar processor system passively disengaged.
None of the prior art system configurations discussed above provides fail operational performance with respect to generic faults. Utilization of multiple dual redundant systems with similar processing elements fails to detect generic faults for the reasons discussed above. A mirror replication of dual channel subsystems utilizing dissimilar processing elements would result in a fail passive capability rather than fail operational performance. This is because a generic fault detected in one dual subsystem, causing that subsystem to be disengaged, would be present in the corresponding element of any other subsystem, also resulting in disengagement thereof. Thus, this dual dissimilar configuration, instead of providing fail operational performance, results in a fail passive system, which is the property otherwise obtained from one half of the system.
U.S. Pat. No. 4,622,667 to Yount and entitled "Digital Fail Operational Automatic Flight Control System Utilizing Redundant Dissimilar Data Processing" describes an arrangement which provides fail operational performance for a first random or generic failure and fail passive performance for a second random or generic failure. An alternative embodiment in Yount provides fail operational performance for the first two random failures and fail passive performance for a third random failure and provides fail operational performance for the first generic failure and fail passive performance for the second generic failure.
The fail operational arrangement of Yount utilizes at least two independent flight control channels, each comprised of two lanes. Each lane is comprised of independent I/O. One lane in each channel includes a first digital data processor and the other lane includes a second digital data processor with an active third processor. The two lanes in each channel are cross monitored to detect disagreements between the outputs of the first and second processors and between the outputs of the first and third processors. All the processors perform the same system tasks with respect to flight critical functions. The three processors in each channel provide dissimilar data processing with respect to each other. The two processors that do not have active third processors associated therewith in the respective subsystems provide dissimilar data processing with respect to each other.
The six processors of the two channels in Yount are arranged so that there are only three types of dissimilar data processing. When the cross monitoring in a channel detects a discrepancy between the outputs of the first and second processors, the output of the second processor is disabled and the active third processor continues servicing its channel. If the cross monitoring detects a discrepancy between the outputs of the first and second processors and the outputs of the first and third processors, the entire channel is disengaged. In effect, the third processor of the channel is substituted for the second processor when the second processor is detected to be defective, and if the substitution does not resolve the discrepancy, the channel is disengaged. In the alternative embodiment where the arrangement is fail operational for the first two random failures and fail passive for a third random failure and which is fail operational for the first generic failure and fail passive for the second generic failure, the arrangement utilizes three channels in a somewhat similar manner.
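The two-channel cross-monitoring scheme of Yount described in the two paragraphs above, simulated as an added example (not code from the patent or from Yount): the processing-type labels "A", "B", "C", the use of a sum of inputs as the command computation, and the fault injection model are assumptions. Building the system with dissimilar=False reproduces the identical-channel case discussed earlier, in which a generic fault passes cross channel monitoring undetected.

```python
from dataclasses import dataclass

@dataclass
class Processor:
    """One data processor; `ptype` labels its dissimilar processing type (labels are assumed)."""
    name: str
    ptype: str
    random_fault: bool = False

    def compute(self, inputs, generic_faults):
        # The correct command is modelled as the sum of the inputs. A generic fault corrupts every
        # processor of the affected type identically; a random fault corrupts only this processor.
        correct = sum(inputs)
        if self.random_fault or self.ptype in generic_faults:
            return correct + 1
        return correct

@dataclass
class Channel:
    """Two lanes: `first` in lane 1; `second` plus the active `third` in lane 2."""
    first: Processor
    second: Processor
    third: Processor
    engaged: bool = True

    def service(self, inputs, generic_faults):
        if not self.engaged:
            return None
        p1, p2 = self.first.compute(inputs, generic_faults), self.second.compute(inputs, generic_faults)
        if p1 == p2:
            return p1
        # First/second disagree: the third processor is substituted for the second.
        if p1 == self.third.compute(inputs, generic_faults):
            return p1
        # First/third disagree as well: the whole channel is disengaged.
        self.engaged = False
        return None

def build_system(dissimilar=True):
    """Two channels using only three processing types; the first processors differ across channels.
    With dissimilar=False every processor is of one type (the prior art identical-channel case)."""
    t = ("A", "B", "C") if dissimilar else ("A", "A", "A")
    ch1 = Channel(Processor("ch1-first", t[0]), Processor("ch1-second", t[1]), Processor("ch1-third", t[2]))
    ch2 = Channel(Processor("ch2-first", t[1]), Processor("ch2-second", t[0]), Processor("ch2-third", t[2]))
    return [ch1, ch2]

def system_output(channels, inputs, generic_faults=frozenset()):
    """Command from the first channel still engaged, or None once all have disengaged (fail passive)."""
    outputs = [ch.service(inputs, generic_faults) for ch in channels]
    return next((o for o in outputs if o is not None), None)
```

A first generic fault in type "A" disengages one channel while the other continues via its third processor (fail operational); a second generic fault in "C" disengages the remaining channel (fail passive).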
In another flight critical computer architecture, the internal monitoring mechanism of the MD-11 Flight Control Computer, which has a dual lane computer channel with two processors per lane, is shown in FIG. 2. The MD-11 Flight Control Computer is a dual lane computer 20 with two processors 21, 22 in a first lane and two processors 23, 24 in a second lane. In the MD-11 Flight Control Computer, one of the processors 22 in the first lane is locked out so that it is unable to output flight critical commands. No comparison monitoring is performed with the locked out processor 22, so the MD-11 configuration is redundant in only one lane, i.e. the second lane. Therefore, each MD-11 flight critical computer incorporates a fail passive design, since a single processor fault in the non-redundant lane can shut down the flight control computer. As shown in FIG. 2, processor 21 is the lone processor in the first lane. Processor 21 sets a revert for switch 30 if processor 21 detects a failure of processor 24 by way of monitoring device 27, so that the output of processor 23 becomes the command output 31. Processor 21 sets a revert disable for switch 29 if processor 21 detects, by way of monitoring function 25, that processor 23 has failed. If monitoring function 26 or 28 detects a failure of processor 21, command output 32 is disabled, as the locked out processor 22 is available only for non-critical tasks.
As described above, it can be seen that in order to obtain fail operational performance for a first random or generic failure, two channels are necessary, with cross monitoring within each channel, as shown in U.S. Pat. No. 4,622,667. Likewise, a single MD-11 flight critical computer does not provide redundancy in both lanes and therefore is only a fail passive design, since a single processor fault in the channel can shut down the flight critical computer. As such, there exists a need for a fail operational fault tolerant flight critical computer architecture, implemented within one channel, that tolerates random and generic processor faults.