Changing technology in the electronics field is driving the design of avionics systems, as well as other electronics applications, towards increased performance, functionality, and sophistication. As avionics systems become more complex, it becomes more difficult to analyze an entire system to provide a clear perspective of system behavior in the presence of faults. This difficulty in analyzing system behaviour affects the areas of system design, testing, and maintenance.
In avionics systems, failure propagation and fault isolation are two important aspects of system behavior. Failure propagation refers to the effect on overall system performance of a system component failure. Fault isolation refers to the process of locating a failed system component. A failed component normally creates a failure indication on the flight deck of an aircraft, commonly referred to as a flight deck effect. The flight deck effect is thus the clue to the faulty component. These same types of failure analyses must be performed in other electronics systems that share certain common characteristics with avionics systems.
Avionics systems are designed as and built from subsystems. The subsystems are interconnected by signal carrying buses, connected to power sources, etc. Most subsystems contain one or more Line Replaceable Unit(s) (LRU). By design, each LRU performs a specific task and is engineered to meet specific specification requirements.
Avionics subsystems were at one time relatively simple and tended to function somewhat independently of other subsystems. System operational characteristics and behavior in the event of equipment failures could be analyzed by a few engineers using available analytical and test tools. With the advent of digital avionics, subsystems have become more complex, more integrated with, and more inter-dependent upon one another. The engineering resources required to analyze and test these integrated systems are far greater than were required for the earlier, simpler systems.
One of the complex and challenging tasks facing modern avionics design/development engineers is that of defining all significant effects on the avionics system of one or more equipment failures. A comprehensive analysis requires the consideration of multiple avionics system operating configurations. Massive software simulation and/or hardware test systems are often developed to assist engineers in performing the required design and system validation analyses. The software simulation and hardware test systems are essentially an attempt to duplicate the entire avionics system. In order to analyze such a software simulation system in real-time, one or more large mainframe computers are required. Generally, such simulation systems utilize conventional programming language, e.g., FORTRAN or PASCAL. The use of these languages contributes to the immense size of the simulation systems.
One of the tasks for which these software simulations or test systems may be used is to assess failure effects of simulated system faults. These simulation and test systems take a long time to develop and the results they provide may come late in a development program when indicated system changes are costly to make.
When an avionics system design is completed, all of the development information and performance requirement information are integrated into a package of avionics system documentation that describes an "as-built" system. The documentation includes LRU specifications, signal bus connections, power source information, etc. The avionics system documentation is later used as a reference tool by the maintenance crews responsible for the maintenance and repair of the avionics system. Such comprehensive system documentation is not available until the system is completed, i.e., until LRU designs and interconnections are finalized.
Modern avionics systems are designed to identify to the maintenance crew the faulty LRU(s) in the event of equipment failure(s). Many subsystems include self-diagnostic capabilities. An LRU fault may be flagged by a light on the LRU itself, or an indication on an overall system operation indicator. Sometimes, replacing the identified LRU does not clear the fault indication. When this occurs it may be necessary for the maintenance crew to manually trace and isolate the fault using test equipment and system design information provided in the maintenance manuals. Fault isolation may also be performed when no fault identification is provided by the avionics system but a fault is otherwise apparent.
During a fault isolation analysis, the failure response, i.e., flight deck effect, is traced "backwards" to a source LRU that may have caused the flight deck effect to be generated. During the analysis, the aircraft operating configuration at the time the flight deck effect was generated must be taken into account when the system analyst refers to the system documentation. As with the failure propagation simulation, manually isolating faults may be a time-consuming and difficult process.
Certain characteristics that are inherent in complex avionics systems have heretofore precluded efficient comprehensive analysis of system failure response. These characteristics include: the existence of multiple component levels in a system; the use of redundant signal sources; LRU behavior response based on system mode and external conditions; and the need for extremely fast system response to failures, generally on the order of tenths of seconds. These characteristics produce a system that is difficult to physically test and to model for design, testing and maintenance purpose. Other complex electronic systems including some or all of these characteristics suffer from the same testing and modeling problems as avionics systems.
The effect of multiple component levels on failure analysis is illustrated by the fact that an indication that an LRU has failed may be generated due to a fault elsewhere in the system. The LRU, or a signal output by the LRU, may fail because of a power failure to the LRU, an input bus physical failure, an input signal failure, a failed LRU component, etc. The system complexity suggests that if an LRU is only suspected of being in a failed state, it is preferable to first determine the exact source of the failure rather than immediately replacing the LRU in an attempt to rectify the problem.
One reason for the signal source redundancies in avionics systems is the high level of functional availability required in aircraft operation. As an example of the use of signal source redundancy, important LRU signals are usually generated by more than one source, e.g., a left and right source. The LRUs that receive multiple signals must be provided with a way of selecting an initial signal source, determining when the signal source has failed, and selecting an alternate source. In instances where there are more than two signal sources, e.g., left, center, and right sources, a hierarchy of source selection is required. Source selection may be automatically controlled by hardware or software that is a part of an LRU or the avionics system. Additionally, for certain subsystems, the source selection is performed manually by the flight crew in response to a flight deck effect. In order to comprehensively test avionics system behavior, it is necessary to test the system response in a variety of operating configurations that are each defined by a set of initial source selections.
An LRU's behavior may be highly dependent upon system mode and external conditions. The system mode describes the aircraft's flight trajectory. The trajectory includes take-off, climb, cruise, descend, land, and go-around modes. Each mode is further described by pitch, roll, and throttle, i.e. power, characteristics. External conditions include altitude, speed, etc. Thus, besides having certain behavioral characteristics based on input source selection, an LRU's behavior may also be contingent on the system mode and/or external conditions.
Present avionics design systems and automated test equipment usually do not provide tools for testing the effects of LRU design modifications on the overall system prior to system completion. Further, once an avionics system design is completed, it is a time consuming and tedious process to simulate the propagation of a failure or to isolate a fault in the avionics system using system documentation and test equipment. Until now there were no simulation or test systems that could satisfy in a timely manner the needs of both design/development engineers and airline maintenance personnel in the area of failure analyses. The present invention is directed toward overcoming the problems in design, testing, and maintenance of avionics systems as described above, as well as other problems in the prior art.