Fail-operational fault tolerant flight critical computer architecture and monitoring method

US 5,550,736 A
Filed: 04/27/1993
Issued: 08/27/1996
Est. Priority Date: 04/27/1993
Status: Expired due to Term

First Claim

Patent Images

1. A flight critical computer system for an aircraft, the aircraft having sensor means for providing sensor signals representative of characteristics concerning the aircraft, said system comprising:

a first lane having a first primary processor and a first redundant processor and for providing a first command signal, said first primary processor for providing a first output signal and said first redundant processor for generating a first redundant output signal, as a function of said sensor signals;

a second lane having a second primary processor and a second redundant processor and for providing a second command signal, said second primary processor for providing a second output signal and said second redundant processor for generating a second redundant output signal, as a function of said sensor signals;

wherein said first primary processor is dissimilar from said second primary processor and said first and second redundant processors, said second primary processor is dissimilar from said first and second redundant processors, and said redundant processors are substantially similar to each other;

first monitoring means for comparing said first output signal with said second output signal and generating first comparison signals as a function of disagreement therebetween;

second monitoring means for comparing said first output signal with said second redundant output signal and generating second comparison signals as a function of disagreement therebetween;

third monitoring means for comparing said second output signal with said first redundant output signal and generating third comparison signals as a function of disagreement therebetween; and

selection means for selecting, as a function of said first, second, and third comparison signals, one of said first output signal and said first redundant output signal as said first command signal and one of said second output signal and said second redundant output signal as said second command signal while allowing for at least one of said processors to fail before disabling either of said lanes and disabling both of said lanes when both of said lanes are unable to detect any processor failure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flight critical computer system for an aircraft includes dual independent lanes having two processors in each lane. The first lane has a primary processor and a redundant processor and provides a first command signal. The second lane includes a primary processor and a redundant processor and provides a second command signal. A first monitor compares the primary processor of the first lane with the primary processor of the second lane and generates first comparison signals as a function of disagreement therebetween. A second monitor compares the output signals of the redundant processor of the second lane and the primary processor of the first lane and generates second comparison signals as a function of disagreement therebetween. A third monitor compares the primary processor of the second lane with the redundant processor of the first lane and generates third comparison signals as a function of disagreement therebetween. Selection logic selects as a function of the first, second and third comparison signals at least output generated by the processors as a command signal of the system while allowing for at least one processor to fail before both command signals from the lanes, respectively, are disabled.

Citations

15 Claims

1. A flight critical computer system for an aircraft, the aircraft having sensor means for providing sensor signals representative of characteristics concerning the aircraft, said system comprising:
- a first lane having a first primary processor and a first redundant processor and for providing a first command signal, said first primary processor for providing a first output signal and said first redundant processor for generating a first redundant output signal, as a function of said sensor signals;
  
  a second lane having a second primary processor and a second redundant processor and for providing a second command signal, said second primary processor for providing a second output signal and said second redundant processor for generating a second redundant output signal, as a function of said sensor signals;
  
  wherein said first primary processor is dissimilar from said second primary processor and said first and second redundant processors, said second primary processor is dissimilar from said first and second redundant processors, and said redundant processors are substantially similar to each other;
  
  first monitoring means for comparing said first output signal with said second output signal and generating first comparison signals as a function of disagreement therebetween;
  
  second monitoring means for comparing said first output signal with said second redundant output signal and generating second comparison signals as a function of disagreement therebetween;
  
  third monitoring means for comparing said second output signal with said first redundant output signal and generating third comparison signals as a function of disagreement therebetween; and
  
  selection means for selecting, as a function of said first, second, and third comparison signals, one of said first output signal and said first redundant output signal as said first command signal and one of said second output signal and said second redundant output signal as said second command signal while allowing for at least one of said processors to fail before disabling either of said lanes and disabling both of said lanes when both of said lanes are unable to detect any processor failure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A system according to claim 1, wherein said selection means includes:
    - first selector means responsive to said first comparison signals and said second comparison signals for selecting one of said first output signal and said first redundant output signal as said first command signal;
      
      first reversion means responsive to said first comparison signals and said third comparison signals for prohibiting selection of said first redundant output signal as said first command signal;
      
      second selector means responsive to said first comparison signals and said third comparison signals for selecting one of said second output signal and said second redundant output signal as said second command signal;
      
      second reversion means responsive to said first comparison signals and said second comparison signals for prohibiting selection of said second redundant output signal as said second command signal;
      
      disable means responsive to said first comparison signals, said second comparison signals and said third comparison signals for disabling the command outputs from both said first and second lane when both primary processors, or one of said primary processors and said redundant processor of the same lane fail.
  - 3. A system according to claim 2, wherein said first selector means includes:
    - means for normally selecting said first output signal as said first command signal of said first lane if said first and second comparison signals represent agreement between said second output signal of said second primary processor, said second redundant output signal of said second redundant processor, and said first output signal of said first primary processor; and
      
      means for selecting said first redundant output signal of said first redundant processor as said first command signal of said first lane if said first and second comparison signals represent disagreement between said second output signal of said second primary processor, said second redundant output signal of said second redundant processor, and said first output signal of said first primary processor.
  - 4. A system according to claim 3, wherein said selection means further includes means for disabling selection of said first redundant output signal of said first redundant processor as said first command signal if said first and third comparison signals represent disagreement between said first output signal of said first primary processor, said first redundant output signal of said first redundant processor, and said second output signal of said second primary processor.
  - 5. A system according to claim 2, wherein said second selector means includes:
    - means for normally selecting said second output signal of said second primary processor as said second command signal of said second lane if said first and third comparison signals represent agreement between said first output signal of said first primary processor, said first redundant output signal of said first redundant processor, and said second output signal of said second primary processor; and
      
      means for selecting said second redundant output signal of said second redundant processor as said second command signal of said second lane if said first and third comparison signals represent disagreement between said first output signal of said first primary processors, said first redundant output signal of said first redundant processor, and said second output signal of said second primary processor.
  - 6. A system according to claim 5, wherein said selection means further includes means for disabling selection of said second redundant output signal of said second redundant processor for said command signal of said second lane if said first and second comparison signals represent disagreement between said second output signal of said second primary processors, said second redundant output signal of said second redundant processors, and said first output signal of said first primary processor.
  - 7. A system according to claim 1, wherein said first and second primary processors are each dissimilar in hardware and software with respect to each other and wherein said first and second redundant processors are dissimilar in hardware and software with respect to said first and second primary processors.
  - 8. A system according to claim 1, wherein said first and second primary processors are dissimilar in hardware with respect to each other, and wherein said first and second redundant processors are dissimilar in hardware with respect to said first and second primary processors.
  - 9. A system according to claim 1, wherein said first and second primary processors are dissimilar in software with respect to each other, and wherein said first and second redundant processors are dissimilar in software with respect to said first and second primary processors.
  - 10. A system according to claim 1, wherein said selection means includes means for disabling both said first command output and said second command output from both said first and second lanes if both said first and second primary processors fail or if both a primary processor and a redundant processor of one of said first or second lanes fail.

11. A flight critical computer system for an aircraft, the aircraft having sensor means for providing sensor signals representative of characteristics concerning the aircraft, said system comprising:
- a first lane having a first primary processor and a first redundant processor and for providing a first command signal, said first primary processor for generating a first output signal and said first redundant processor for providing a first redundant output signal as a function of said sensor signals;
  
  a second lane having a second primary processor and a second redundant processor and for providing a second command signal, said second primary processor for generating a second output signal and said second redundant processor for generating a second redundant output signal as a function of said sensor signals;
  
  wherein said first primary processor is dissimilar from said second primary processor and said first and second redundant processors, said second primary processor is dissimilar from said first and second redundant processors, and said first and second redundant processors are substantially similar to each other;
  
  wherein said first primary processor includes first monitor means for monitoring said second primary processor and second monitor means for monitoring said second redundant processor, said first and second monitor means for generating first and second comparison signals, respectively, representative of disagreement or agreement therebetween;
  
  wherein said second primary processor includes third monitor means for monitoring said first primary processor and fourth monitor means for monitoring said first redundant processor, said third and fourth monitor means for generating third and fourth comparison signals, respectively, representative of disagreement or agreement therebetween;
  
  wherein said first redundant processor includes fifth monitor means for monitoring said second primary processor and for generating fifth comparison signals representative of disagreement or agreement therebetween;
  
  wherein said second redundant processor includes sixth monitor means for monitoring said first primary processor and for generating sixth comparison signals representative of disagreement or agreement therebetween, and;
  
  selection means for selecting, as a function of said first, second, third, fourth, fifth, and sixth comparison signals, one of said first output signal and said first redundant output signal as said first command signal and one of said second output signal and said second redundant output signal as said second command signal while allowing for at least one of said primary processors and said redundant processors to fail before both said first and second command signals from said first and second lanes, respectively, are disabled.
- View Dependent Claims (12)
- - 12. A system according to claim 11, wherein said selection means includes;
    - first selector means responsive to said third comparison signals and said sixth comparison signals for selecting one of said first output signal and said first redundant output signal as said first command signal;
      
      first reversion means responsive to said first comparison signals, third comparison signals, fourth comparison signals and fifth comparison signals for prohibiting selection of said first redundant output signal as said first command signal;
      
      second selector means responsive to said first comparison signals and said fifth comparison signals for selecting one of said second output signal and said second redundant output signal as said second command signal;
      
      second reversion means responsive to said first comparison signals, second comparison signals, third comparison signals and sixth comparison signals for prohibiting selection of said second redundant output signal as said second command signal; and
      
      disable means responsive to said first, second, third, fourth, fifth and sixth comparison signals for disabling said first and second command outputs from both said first and second lanes when both primary processors, or one of said primary processors and said redundant processor of the same lane fail.

13. A monitoring method for fail-operational fault tolerant flight critical computer architecture, said method comprising the steps of:
- providing dual independent lanes having two dissimilar processors in each lane, said first lane including a first primary processor and a first redundant processor and said second lane including a second primary processor and a second redundant processor, said first and second primary processors being dissimilar and said redundant processors being similar to each other, each of said processors producing an output signal in response to signals from one or more sensors representative of characteristics concerning an aircraft;
  
  monitoring the outputs of said first and second primary processors with respect to each other and generating comparison signals representative thereof;
  
  monitoring the outputs of said first redundant processor and said second primary processor with respect to each other and generating second comparison signals representative thereof;
  
  monitoring the outputs of said second redundant processor and said first primary processor with respect to each other and generating third comparison signals representative thereof; and
  
  selecting one of said output signals of said first primary processor and said first redundant processor and selecting one of said output signals of said second primary processor and said second redundant processor as command signals for said aircraft as a function of said first, second, and third comparison signals.
- View Dependent Claims (14, 15)
- - 14. A method according to claim 13, wherein said selecting step includes the step of allowing for at least one of said processors to fail before said command signals are disabled.
  - 15. A method according to claim 13, wherein said selecting step includes the steps of:
    - selecting the output signal of said first primary processor as a command output of said first lane if said first and third comparison signals represent that said second primary processor and second redundant processor agree with said first primary processor;
      
      selecting the output signal of said first redundant processor for the command output of said first lane if said first and third comparison signals represent that said second primary processor and said second redundant processor disagree with said first primary processor, but only if said first redundant processor has not also failed;
      
      selecting the output signal of said second primary processor as a command output of said second lane if said first and second comparison signals represent that said first primary processor and said first redundant processor agree with said second primary processor;
      
      selecting the output signal of said second redundant processor for the command output of said second lane if said first and second comparison signals represent that said first primary processor and said first redundant processor disagree with said second primary processor, but only if said second redundant processor has not also failed; and
      
      disabling both command outputs from both said first and second lanes if both primary processors fail or if both processors of one of said first and second lanes fail.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell Incorporated (Honeywell International Inc.)
Original Assignee
Honeywell Incorporated (Honeywell International Inc.)
Inventors
Hay, Rick H., Smith, Clarence S., Yount, Larry J., Girts, Robert D.
Primary Examiner(s)
PARK, COLLIN

Application Number

US08/054,777
Time in Patent Office

1,218 Days
Field of Search

364/424.01, 364/424.03, 364/184, 364/186, 364/187, 364/424.06, 318/563, 318/564, 318/565, 371/9.1, 371/11.1, 371/36, 371/67.1, 371/68.1, 371/68.3, 395/575, 244/76 R, 244/194
US Class Current

701/3
CPC Class Codes

G05B 9/03   with multiple-channel loop,...

G05D 1/0077   using redundant signals or ...

G06F 11/1645   and the comparison itself u...

G06F 11/1654   where the output of only on...

G06F 11/184   where the redundant compone...

G06F 11/187   Voting techniques

Fail-operational fault tolerant flight critical computer architecture and monitoring method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Fail-operational fault tolerant flight critical computer architecture and monitoring method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links