1. Field of the Invention
The present invention relates to "fail safe" (or "fail passive") and "fail operational" systems, such as those used to provide position and attitude information to the flight control system of an aircraft, and more particularly to such systems that are also safe from "common mode" failures.
2. Description of the Prior Art
Systems for providing information indicative of position (for example, deviations from an ILS beam or altitude, latitude and longitude) and indicative of attitude (for example, the RF signals from an ILS or the signals from gyros and accelerometers indicative of pitch, roll and yaw) for use in vehicles such as aircraft are well known in the art. Traditional systems employ gyroscopes and accelerometers, while more recent systems use information transmitted from several satellites. Since high performance aircraft need a high degree of integrity, including accuracy and dependability, and since some situations (for example, "precision approaches") require two or three unique data sources to meet certification, "fail safe" and "fail operational" systems have been devised. "Fail safe" systems employ two redundant sensing systems whose outputs are checked against each other; if they are not the same, a failure is known and both outputs are discarded. "Fail operational" systems employ three or more redundant sensing systems and an associated algorithm to compare the outputs of the sensing systems and detect when one of them differs from the others. When this occurs, the erroneous output is discarded but the outputs of the other sensing systems may be used to control the aircraft. Prior art fail operational systems are generally classified as either:
1) Triplex systems with three or more sensing systems, each producing an output indicative of the same condition. The outputs of the sensing systems are checked against each other, and if one differs from the others it is discarded and the other outputs are used. An example of such a system may be found on the Boeing 747.
2) Dual-dual systems with two or more pairs of sensing systems, each sensing system producing an output indicative of the same condition. The outputs of the sensing systems of each pair are checked against each other, and if they are not the same, the output of that pair is discarded and the output from the other pair or pairs is used. An example of such a system may be found on the Douglas MD-11.
Furthermore, in Category IIIb decision approaches (unpiloted landing), only fail operational systems can be used, thus requiring at least three data sources.
Many fail safe and fail operational systems are vulnerable to a "common mode" failure, i.e. a problem that affects all of the sensors in the same manner so that their outputs are all in error by the same amount. When this occurs, the comparison of the outputs may indicate that the signals are valid when in reality none of the signals can be relied on.
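The following Python example is added here and is not part of the original text. It implements the dual comparison, the triplex vote and the dual-dual selection described above, and shows that an identical error on every sensor passes all three checks. The tolerance, the function names and the sensor readings are assumptions constructed for illustration.

```python
from statistics import median

TOL = 0.5  # assumed agreement threshold, in the sensor's units


def fail_safe(a, b, tol=TOL):
    """Dual comparison: return the agreed value, or None when the two
    outputs differ (both are discarded; the pair cannot tell which is wrong)."""
    return (a + b) / 2 if abs(a - b) <= tol else None


def triplex(readings, tol=TOL):
    """Triplex vote over three or more outputs: discard any output that
    differs from the others. Returns (value, discarded_indices); value is
    None when fewer than two outputs agree."""
    mid = median(readings)
    good = [r for r in readings if abs(r - mid) <= tol]
    bad = [i for i, r in enumerate(readings) if abs(r - mid) > tol]
    return (sum(good) / len(good) if len(good) >= 2 else None), bad


def dual_dual(pairs, tol=TOL):
    """Dual-dual: a pair whose outputs disagree is discarded as a whole and
    the output of the next pair that agrees internally is used."""
    for a, b in pairs:
        value = fail_safe(a, b, tol)
        if value is not None:
            return value
    return None


def demo(truth=1000.0):
    """Constructed readings: one independent failure, then a common mode
    failure that shifts every sensor by the same amount."""
    independent = [1000.1, 999.9, 1030.0]      # sensor 2 failed on its own
    common = [r + 50.0 for r in (1000.1, 999.9, 1000.0)]  # same error on all
    v_ind, bad_ind = triplex(independent)
    v_com, bad_com = triplex(common)
    return {
        "independent": (v_ind, bad_ind),           # failure detected
        "common": (v_com, bad_com),                # nothing flagged
        "common_error": abs(v_com - truth),        # yet the value is wrong
        "common_pair": fail_safe(common[0], common[1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The comparison logic only measures agreement between sensors, so the common mode case returns a value with no sensor discarded even though it is 50 units from the true reading.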