Multiple-voting fault detection system for flight critical actuation control systems

US 5,274,554 A
Filed: 02/01/1991
Issued: 12/28/1993
Est. Priority Date: 02/01/1991
Status: Expired due to Term

First Claim

Patent Images

1. A method of detecting faults in an aircraft control system having an actuator, and a plurality of control channels for r®

receiving control signals and processing said signals to generate output signals for driving said actuator, said method comprising;

in each said channel, generating a monitoring signal representative of actual operation of said actuator and a model signal corresponding to expected operation of said actuator, comparing said monitoring signal to said model signal, and determining an operating status based on results of said comparing;

communicating said monitoring signal and said model signal generated in a first one of said channels to a second one of said channels, and communicating said monitoring signal and said model signal generated in said second channel to said first channel;

in each one of said first and second channels, independently performing comparisons of said monitoring signal and said model signal communicated from the other of said first and second channels and said monitoring signal and said model signal generated in said one of said first and second channels to determine a fault status of each of said first and second channels; and

maintaining communication links between said channels, including a link between said first channel and said second channel; and

providing, in each of said first and second channels, a deactivating switch responsive to a fault status signal from the other of said first and second channels.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A control system includes a dual actuator (2) and primary and secondary controllers (20, 22), each of which has two control channels. In a normal mode of operation, the primary controller (20) controls both valves (32, 38) of the actuator (2). Each primary channel generates a model signal and a monitoring signal corresponding to expected and actual operation of the actuator, respectively. The two signals from each channel are communicated to the other channel. Each channel monitors itself as well as the other channel by comparing model and monitoring signals; and is also similarly redundantly monitored by the other channel of the controller (20). Each channel independently compares its own signals with the signals from the other channel. Each of the two channels has a deactivating switch responsive to a fault status signal from either of the two channels to thereby allow deactivation of a failed channel even when the failure in such channel prevents it from deactivating itself. The channels of the secondary controller (22) are similarly redundantly monitored by themselves and each other. Communication links are maintained between the primary channels, the secondary channels, and between the primary and secondary channels.

Citations

19 Claims

1. A method of detecting faults in an aircraft control system having an actuator, and a plurality of control channels for r®
- receiving control signals and processing said signals to generate output signals for driving said actuator, said method comprising;
  
  in each said channel, generating a monitoring signal representative of actual operation of said actuator and a model signal corresponding to expected operation of said actuator, comparing said monitoring signal to said model signal, and determining an operating status based on results of said comparing;
  
  communicating said monitoring signal and said model signal generated in a first one of said channels to a second one of said channels, and communicating said monitoring signal and said model signal generated in said second channel to said first channel;
  
  in each one of said first and second channels, independently performing comparisons of said monitoring signal and said model signal communicated from the other of said first and second channels and said monitoring signal and said model signal generated in said one of said first and second channels to determine a fault status of each of said first and second channels; and
  
  maintaining communication links between said channels, including a link between said first channel and said second channel; and
  
  providing, in each of said first and second channels, a deactivating switch responsive to a fault status signal from the other of said first and second channels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, in which said actuator is a dual actuator, and said channels include said first and second channels and two secondary channels;
    - andwhich comprises operating said first and second channels to drive said actuator in a normal operation mode; and
      
      , in response to a fault status signal from either of said first and second channels relating to either of said first and second channels, deactivating both of said first and second channels and essentially simultaneously signaling said secondary channels to activate to drive said actuator.
  - 3. The method of claim 2, further comprising, after signaling said secondary channels to activate:
    - determining, in said secondary channels, whether there is a no fault condition in either of said first and second channels; and
      
      signaling any of said first and second channels in which there is a no fault condition to reactivate to an active/standby status.
  - 4. The method of claim 3, in which the step of determining whether there is a no fault condition comprises comparing said output signals of said first and second channels and said secondary channels.
  - 5. The method of claim 1, in which said actuator is a dual actuator, and said channels include said first and second channels and two secondary channels;
    - andwhich further comprises communicating said monitoring signal and said model signal generated in each of said secondary channels to the other of said secondary channels;
      
      in each of said secondary channels, independently comparing said monitoring signals and said model signals generated in said secondary channels to determine a fault status of each of said secondary channels; and
      
      providing, in each of said secondary channels, a deactivating switch responsive to a fault status signal from the other of said secondary channels.
  - 6. The method of claim 5, comprising operating said first and second channels to drive said actuator in a normal operation mode;
    - and in said normal operation mode, communicating, from said secondary channels to said first and second channels, said fault statuses of said secondary channels.
  - 7. The method of claim 5, comprising operating said first and second channels to drive said actuator in a normal operation mode;
    - and, in response to a fault status signal from either of said first and second channels relating to either of said first and second channels, deactivating both of said first and second channels and essentially simultaneously signaling said secondary channels to activate to drive said actuator.
  - 8. The method of claim 7, comprising, in said normal operation mode, communicating, from said secondary channels to said first and second channels, said fault statuses of said secondary channels.
  - 9. The method of claim 7, further comprising, after signaling said secondary channels to activate:
    - determining, in said secondary channels, whether there is a no fault condition in either of said first and second channels; and
      
      signaling any of said first and second channels in which there is a no fault condition to reactivate to an active/standby status.
  - 10. The method of claim 9, in which the step of determining whether there is a no fault condition comprises comparing said output signals of said first and second channels and said secondary channels.
  - 11. The method of claim 10, comprising, in said normal operation mode, communicating, from said secondary channels to said first and second channels, said fault statuses of said secondary channels.
  - 12. The method of claim 9, comprising, in said normal operation mode, communicating, from said secondary channels to said first and second channels, said fault statuses of said secondary channels.
  - 13. The method of claim 1, in which the step of independently performing comparisons comprises comparing said model signal and said monitoring signal communicated from the other of said first and second channels to each other, and comparing each of said signals communicated from the other of said first and second channels to each of said model signal and said monitoring signal generated in said one of said first and second channels.

14. A method of detecting faults in an aircraft control system having an actuator, and a plurality of control channels for receiving control signals and processing said signals to generate output signals for driving said actuator, said method comprising:
- in each said channel, generating a monitoring signal representative of actual operation of said actuator and a model signal corresponding to expected operation of said actuator, comparing said monitoring signal to said model signal, and determining an operating status based on results of said comparing;
  
  communicating said monitoring signal and said model signal generated in a first one of said channels to a second one of said channels, and communicating said monitoring signal and said model signal generated in said second channel to said first channel;
  
  in each one of said first and second channels, independently performing comparisons of said monitoring signal and said model signal communicated from the other of said first and second channels and said monitoring signal and said model signal generated in said one of said first and second channels to determine a fault status of each of said first and second channels; and
  
  maintaining communication links between said channels, including a link between said first channel and said second channel; and
  
  providing, in each of said first and second channels, a deactivating switch responsive to a fault status signal from the other of said first and second channels;
  
  wherein said method comprises providing first and second predetermined difference thresholds, said second threshold representing a greater deviation tolerance than said first threshold;
  
  determining said fault statuses on a basis of said first threshold; and
  
  comparing said output signals of said first and second channels to determine a failure status based on said second threshold.

15. In an aircraft control system having an actuator, and a plurality of control channels for receiving control signals and processing said signals to generate output signals for driving said actuator, a fault detection system comprising:
- in each said channel, a monitoring device that interfaces with said actuator to sense actual operation of said actuator and that generates a monitoring signal, model logic for generating a model signal representative of expected operation of said actuator, and comparison logic for comparing said monitoring signal with said model signal;
  
  communication links between said channels, including a link between two of said channels for transmitting said model signals and said monitoring signals in both directions between said two of said channels;
  
  in each of said two of said channels, voter logic for independently comparing said model signals and said monitoring signals of said two of said channels to determine a fault status of each of said two of said channels, said voter logic including said comparison logic; and
  
  in each of said two of said channels, a deactivating switch responsive to a fault status signal from either of said two of said channels.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The fault detection system of claim 15, in which said actuator is a dual actuator, said two of said channels are primary channels, and said channels include said primary channels and two secondary channels;
    - in which said communication links include a link between said secondary channels for transmitting model signals and monitoring signals in both directions; and
      
      which further comprises, in each of said secondary channels, voter logic for independently comparing said monitoring signals and said model signals of said secondary channels to determine a fault status of each of said secondary channels, and a deactivating switch responsive to a fault status signal from either of said secondary channels.
  - 17. The fault detection system of claim 16, in which said communication links comprise a link between said secondary channels and said primary channels.
  - 18. The fault detection system of claim 15, further comprising a comparator for comparing said output signals of said two of said channels.
  - 19. The fault detection system of claim 15, in which said voter logic comprises logic for comparing each one of said model signals and said monitoring signals of said two of said channels to each of the others of said model signals and said monitoring signals of said two of said channels, to produce six separate outputs;
    - and logic for determining said fault status of each of said two of said channels based on said six separate outputs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Chenoweth, Charles C., Takats, Imre J.
Primary Examiner(s)
Black, Thomas G.
Assistant Examiner(s)
PARK, COLLIN

Application Number

US07/649,616
Time in Patent Office

1,061 Days
Field of Search

364/424.01, 364/424.03, 364/434, 364/184, 364/186, 364/187, 371/9.1, 371/68.1, 371/68.2, 371/68.3, 371/67.1, 318/563, 318/564, 318/565, 244/76 R
US Class Current

701/33
CPC Class Codes

G06F 11/1641   where the comparison is not...

G06F 11/181   Eliminating the failing red...

G06F 11/182   based on mutual exchange of...

G06F 11/188   where exact match is not re...

G06F 2201/81   Threshold

Multiple-voting fault detection system for flight critical actuation control systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple-voting fault detection system for flight critical actuation control systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links