The present invention relates to a method and a device for controlling maneuvering units of an aircraft.
The invention finds applications notably in the secured control of maneuvering units such as rudders, elevators, air-brake flaps, incidence-adjustable stabilizers as well as brake systems acting on the landing gear, for example.
On an aircraft, a certain number of maneuvering units are considered as critical in order to provide security on the course of the craft, both on the ground and in flight. The control system for these units should have a high degree of reliability and availability. In other words, the control should be protected even in the case of failure of one or more components of the system, in order to ensure at least continuation of flight and landing.
For this purpose, at least one main control system and one backup control system are generally associated with each critical maneuvering unit.
On a number of craft, an electrical main control system is used, associated with a mechanical backup system. For instance, this is the case for aircraft of the Airbus A320, A330 or A340 type. On these craft, the backup control for the adjustable horizontal plane as well as for steering is of the mechanical type. More specifically, electrical input actuators drive the mechanical inputs of actuators associated with the adjustable horizontal plane, and of steering actuators, via a linkage system.
In addition to the lack of accuracy from which might suffer a control including a linkage system, mechanical controls require frequent maintenance in order to ensure the absence of any hidden failure.
On the aircraft of the aforementioned type, there is also a backup control of the hydraulic type used for the braking system. In the backup braking system, the brake pedals, which may be actuated by the pilot, act on master cylinders which control the brake shoes via a low pressure hydraulic circuit.
Such a backup system is not free from any damage such as a leak of the hydrostatic transmission and therefore also requires frequent checking. In order to avoid the constraints of mechanical or hydraulic backup control systems, an electrical backup control may also be provided. As an example, on the A320, A330 and A340 aircraft mentioned earlier, transmission of steering commands between the steering unit and the control surface actuators is provided via a plurality of computers. The computers are part of two computing units called primary and secondary units, one of which may be considered as a backup unit. The computers of both computing units are of different design and origin in order to reduce the risk of a design error common to both units.
Each computer is designed in order to be able to detect by itself any fault which would affect its own operation. For this purpose it has a duplex structure of the control/monitoring type, with a control line which establishes control signals for the actuators of control surfaces and a monitoring line which monitors the control line. In the case of any disagreement between both lines, the corresponding computing unit assumes an inactive state so that the second computing unit may assume control of the control surfaces.
Document FR-A-2593774 describes a control device of a control surface wherein the traditional mechanical backup control is replaced by an electro-optical backup system. In this device, the operation of the backup system is independent of the main electrical control system. However, it is not active in the case of normal operation of the main system.
In order to guarantee proper operation of such a device, two solutions are may be contemplated a priori. As the backup system is not active in normal flight, a first solution consists of performing regular tests on the ground, notably during maintenance services. A second solution, retained in the document, consists of providing the backup system with a duplex structure as described earlier, i.e., a structure of the control/monitoring type. Thus, in the case of a failure of the control channel of the backup system, the fault may be detected by the monitoring channel of the backup system.
The second solution enables any failure of the backup control system to be detected in flight, but increases its complexity considerably.
Generally, control devices known in the state of the art, have difficulties related to reliability and/or maintenance requirements of the backup control systems. These difficulties are overcome at least partly, by providing each backup system with a structure enabling its own self-contained control in flight. However, such structures are very expensive and complex.
The object of the invention is to provide a method and a device for controlling maneuvering units, for an aircraft, which do not have the difficulties mentioned above.
In particular, one object is to provide such a device which enables a high level of reliability to be attained whilst having a relatively simple and not very expensive structure as compared with known devices.
Another object is to guarantee proper operation of the device while avoiding ground test and maintenance procedures for backup controls.
Finally, one object is to preserve large autonomy of the main and backup controls.
In order to achieve these objects, the invention more specifically relates to a device for controlling maneuvering units of an aircraft including:
controlling means, which may be actuated by a pilot for issuing maneuvering commands,
at least one central computing unit capable of establishing control signals for at least one maneuvering unit from said maneuvering commands, each central computing unit being provided with its own failure detection system.
According to the invention, the device further includes at least one electronic module associated with a maneuvering unit, and capable of also establishing control signals for this maneuvering unit from said maneuvering commands. The electronic module lacks any failure detection system of it own, but is connected to a central system for detecting failures.
Each electronic module is preferably associated with a single maneuvering unit, but may be associated with several maneuvering units.
The term xe2x80x9cmaneuvering unitxe2x80x9d means any unit capable of steering the course of the aircraft in flight or on the ground. In particular, these are units such as mobile surfaces or braking mechanisms.
As the local electronic modules lack any failure detection systems of their own, they may have a simplified structure as compared with traditional backup systems. The existence of a central failure detection system, which may be common to a large number of backup modules, allows them to be relieved from the requirements of proper operation tests performed on the ground.
In a particular embodiment, the central computing unit is programmed in order to establish the control signals according to a law, a so-called elaborate law, and each electronic backup module is programmed according to at least one law, a so-called simplified law, different from the elaborate law and simpler than the latter.
The electronic modules which may elaborate control signals according to simple proportional laws for example, have a particularly reduced size. They may then easily be distributed within the aircraft, according to the maneuvering units which they control, for example near the actuators of these units.
The central computing unit may optionally be intended for a single maneuvering unit, however, in a preferred embodiment of the invention, the central unit is associated with a plurality of the maneuvering units of the aircraft or even all of them.
According to an advantageous enhancement of the invention, the central failure detection system may be one of the computers of the central computing unit. With this, the failure detection function may be achieved in a very economical way. In this case, the electronic modules may, for example, establish control commands without their being directed towards the actuators of the maneuvering unit during normal operation of the central computing unit. However, established control commands may be forwarded to at least one of the computers of the central unit so that this computer may check compliance of these commands either continuously or not.
In order to increase the reliability of the central computing unit, the latter may include at least two redundant computers. The redundant computers are preferably of different design and origin.
Moreover, the computers may have a duplex type structure by being provided with a first computing channel, called a control channel, and with a second computing channel, called a monitoring channel. The monitoring channel is a part of the own failure detection system of the central computing unit.
In order to prevent an operational perturbation from being transmitted over a possible link existing between the backup electronic modules and the central computing unit, used as a failure detection system for the modules, this link may include galvanic insulation means such as opto-coupler means, transformer means, or filter means. The link may also be made with an optical fiber in order to avoid any electrical connection between the modules and the central computing unit. Furthermore, it is possible to assign only one of the computers of the central computing unit to the detection of failures in the backup modules, so that a possibly transmitted perturbation only affects this single computer. Another possible precaution finally consists in providing an interruption in the monitoring of the backup electronic modules during certain phases of flight such as taking-off or landing.
In particular, the device described above may be used for controlling at least one maneuvering unit selected from:
a control surface of the aircraft,
an adjustable inclined plane of the aircraft, and
a braking system of the aircraft.
The invention also relates to a method for controlling maneuvering units of an aircraft which may be implemented by means of the described device. The method consists of:
establishing first control signals for a plurality of maneuvering units by means of at least one central computing unit provided with its own failure detection system,
establishing second control signals by means of a plurality of backup electronic modules associated with a plurality of maneuvering units, respectively,
checking for proper operation of at least one computer of the central computing unit and forwarding first control signals to maneuvering units when proper operation is ascertained, and
forwarding the second control signals to the maneuvering units associated with the electronic modules, respectively when a malfunction of the central computing unit is ascertained.
As mentioned earlier, checking for proper operation of the electronic modules may be performed by a computer, preferably a single computer from the central computing unit. Checking may be performed either continuously or periodically.
Other features and advantages of the invention will become apparent from the description which follows with reference to the figures of the appended drawings. This description is given as purely illustrative and non-limiting.