MONITORING SYSTEM AND METHODS FOR A DISTRIBUTED AND RECOVERABLE DIGITAL CONTROL SYSTEM
First Claim
1. A monitoring system for a recoverable digital control system, the monitoring system comprising:
a first monitoring plane internal to one or more computing units in the control system, the first monitoring plane comprising:
a first internal monitor comprising a self-checking, lock-step-processing monitor with integrated rapid recovery capability; and
a second internal monitor comprising one or more reasonableness monitors that compare an actual effector position with a commanded effector position; and
a second monitoring plane external to the computing units, the second monitoring plane comprising:
a first external monitor comprising a pre-recovery computing monitor; and
a second external monitor comprising a post-recovery computing monitor.
Abstract
A monitoring system and methods are provided for a distributed and recoverable digital control system. The monitoring system generally comprises two independent monitoring planes within the control system. The first monitoring plane is internal to the computing units in the control system, and the second monitoring plane is external to the computing units. The internal first monitoring plane includes two in-line monitors. The first internal monitor is a self-checking, lock-step-processing monitor with integrated rapid recovery capability. The second internal monitor includes one or more reasonableness monitors, which compare actual effector position with commanded effector position. The external second monitoring plane includes two monitors. The first external monitor includes a pre-recovery computing monitor, and the second external monitor includes a post-recovery computing monitor. Various methods for implementing the monitoring functions are also disclosed.
20 Claims
Claim 1 is set out above under First Claim; claims 2 to 17 depend on it.
18. A method for independently monitoring multiple command computations across multiple redundant computing units, the method comprising:
sorting fresh and valid effector position commands from the computing units by magnitude;
computing a blended command by averaging two sorted input commands closest to a median of all the input commands;
discarding any outlying input commands from the blended command computation;
comparing each input command from a computational element of a computing unit with the blended command; and
triggering a rapid recovery of any errant computational element when a difference between the blended command and an effector position command computation is outside a predetermined window limit.
19. A method for monitoring integrity of a previously recovered computational element in a digital control system, the method comprising:
monitoring the recovered computational element using a variable time magnitude monitor in which an extended monitor window narrows with time;
allowing the recovered computational element to return to a viable state in a blended command computation if a difference between an input command from the computational element and a blended command remains within the extended monitor window for an allocated recovery time; and
discarding an input command from the recovered computational element if the input command falls outside of the extended monitor window until a system restart or power cycle.
20. A method for time magnitude monitoring comprising:
comparing a blended command output with a computed effector command;
disregarding the blended command output when deviations between the blended command output and the computed effector command exceed an established limit for a specified time;
selecting a blended command output from a plurality of blended command outputs;
comparing the selected blended command output with an effector position feedback signal; and
initiating an actuator shutdown command when deviations between the selected blended command output and the effector position feedback signal exceed an established limit for a specified time.
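The blended-command voting of claim 18 and the persistence check of claim 20, worked through in Python as an added illustration that is not code from the patent or its assignee. The tie-break for an odd number of commands, the measurement of the "specified time" in consecutive samples, and the sample command values are assumptions.

```python
# Added example, not from the patent: claim 18 blended-command voter
# and a claim 20 style time-magnitude monitor. Assumptions: the odd-count
# tie-break, and "specified time" measured in consecutive samples.

def blended_command(commands):
    """Sort fresh, valid commands by magnitude and average the two closest
    to the median; outliers never enter the average (claim 18)."""
    s = sorted(commands)
    n = len(s)
    if n < 2:
        raise ValueError("need at least two fresh, valid commands")
    mid = n // 2
    if n % 2 == 0:
        pair = (s[mid - 1], s[mid])          # the middle pair
    else:
        lo, hi = s[mid - 1], s[mid + 1]      # neighbours of the median
        # assumption: ties resolve to the lower neighbour
        nearest = lo if (s[mid] - lo) <= (hi - s[mid]) else hi
        pair = (s[mid], nearest)
    return (pair[0] + pair[1]) / 2.0


def errant_elements(commands, window):
    """Compare each element's command with the blended command and return
    the ids whose deviation exceeds the window limit (recovery trigger)."""
    blended = blended_command(commands.values())
    errant = sorted(k for k, v in commands.items() if abs(v - blended) > window)
    return blended, errant


class TimeMagnitudeMonitor:
    """A deviation must exceed the limit for `persistence` consecutive
    samples before the monitor trips (claim 20 style), so a transient
    excursion is disregarded."""

    def __init__(self, limit, persistence):
        self.limit, self.persistence, self.count = limit, persistence, 0

    def update(self, command, reference):
        self.count = self.count + 1 if abs(command - reference) > self.limit else 0
        return self.count >= self.persistence


if __name__ == "__main__":
    # constructed sample: four redundant elements, element C has drifted
    cmds = {"A": 10.0, "B": 10.2, "C": 14.0, "D": 9.9}
    print(errant_elements(cmds, window=1.0))   # (10.1, ['C'])
    mon = TimeMagnitudeMonitor(limit=1.0, persistence=3)
    print([mon.update(d, 0.0) for d in (1.5, 1.5, 0.5, 1.5, 1.5, 1.5)])
```

The single-sample excursion of 0.5 in the last run resets the persistence count, so the monitor only trips on the third consecutive out-of-limit sample.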