System and method for fail safe process execution monitoring and output control for critical systems

US 6,523,139 B1
Filed: 12/17/1999
Issued: 02/18/2003
Est. Priority Date: 12/17/1999
Status: Expired due to Term

First Claim

Patent Images

1. A fault detection apparatus for use in a system that transmits data signals over at least one signal path via a bus connecting computation and I/O modules of a system, the apparatus comprising:

a status monitor for monitoring validity of real-time control system state variable parameters, wherein the real-time control system state variables are made available to an independent partition, process, or module for independent monitoring of intermediate steps in a functions calculation, the control system state variable parameters characterizing a plurality of critical systems that communicate on the bus, wherein the control system state variables are present on the bus;

a state comparator comparing the real-time control system state variables with respect to expected system state variable conditions;

variable producing controller and variable consuming controller for validating output command validity based on expected individual state variable conditions; and

memory for storing state variable parameters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for fail-safe process execution, monitoring and output control for critical systems operating on an open bus architecture with multiple, independent partitions on a single processor is presented. The control system state variables and their status of critical systems, within the control laws and mode logic, are monitored for process completion and health, and shut down if necessary. The embodiments provide for a dual path for shut down of, for example, flight critical systems so that the failure of one partitioned module does not affect the operation of the remaining partitioned modules. One path involves the CPM and IOM determination of command/response health. If persistent faults are detected, then either the DSP monitoring or the CPM performance monitoring results in a discrete signal being sent to the H-bridge disable to shutdown the current output. The second path is CPM controlled via a separate discrete signal on the input/output controller to the flight critical system shut-off valve. By implementing these separate paths, critical systems in one partition cannot be defeated by a single failure in another partition.

Citations

16 Claims

1. A fault detection apparatus for use in a system that transmits data signals over at least one signal path via a bus connecting computation and I/O modules of a system, the apparatus comprising:
- a status monitor for monitoring validity of real-time control system state variable parameters, wherein the real-time control system state variables are made available to an independent partition, process, or module for independent monitoring of intermediate steps in a functions calculation, the control system state variable parameters characterizing a plurality of critical systems that communicate on the bus, wherein the control system state variables are present on the bus;
  
  a state comparator comparing the real-time control system state variables with respect to expected system state variable conditions;
  
  variable producing controller and variable consuming controller for validating output command validity based on expected individual state variable conditions; and
  
  memory for storing state variable parameters.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1 further comprising a termination for failed critical systems without affecting the operation of other critical systems, being executed on a same module, based on the comparison of the real-time control system state variable parameters against expected system state variable conditions.
  - 3. The apparatus of claim 1, wherein said status monitor is operable to monitor failures within individual computational partitions or processes.
  - 4. The apparatus of claim 1, wherein said status monitor is operable to select key control system state variable parameters for monitoring.
  - 5. The apparatus of claim 1, wherein said apparatus is operable to terminate any one of the critical system processes if the comparison of the real-time system state variable parameters against expected system state variable conditions results in a value that is not expected with respect to the expected system state variable conditions.
  - 6. The apparatus of claim 1, wherein said monitor provides full critical closed loop monitoring and said apparatus provides termination within a control loop.

7. A fault detection system for a single processor system partitioned to operate, monitor and control more than one flight critical process, comprising:
- a single partitioned processor for simultaneously operating more than one flight control software related process;
  
  a status monitor for monitoring validity of real-time control system state variable parameters operating within said processor, wherein the real-time control system state variables are made available to an independent partition, process, or module for independent monitoring of intermediate steps in a functions calculation, the control system state variable parameters characterizing a plurality of critical systems that communicate via at least one bus, wherein the control system state variables are present on the at least one bus;
  
  a state comparator comparing the real-time control system state variables with respect to expected system state variable conditions;
  
  variable producing controller and variable consuming controller for validating output command validity based on expected individual state variable conditions; and
  
  memory for storing state variable parameters.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7 wherein said apparatus further comprises a termination for failed critical systems without affecting the operation of other critical systems, being executed on a same module, based on the comparison of the real-time control system state variable parameters against expected system state variable conditions.
  - 9. The system of claim 7, wherein said status monitor is operable to monitor failures within individual computational partitions or processes.
  - 10. The system of claim 7, wherein said status monitor is operable to select key control system state variable parameters for monitoring.
  - 11. The system of claim 7, wherein said apparatus is operable to terminate any one of the critical system processes if the comparison of the real-time system state variable parameters against expected system state variable conditions results in a value that is not expected with respect to the expected system state variable conditions.
  - 12. The system of claim 7, wherein said monitor provides full critical closed loop monitoring and said apparatus provides termination within a control loop.

13. A method for fault detection within a system that executes, monitors and controls multiple function within a single processor system that transmits data signals over at least one signal path via a bus connecting computation and I/O modules of a system, the method comprising:
- monitoring the status of real-time control system state variable parameters, wherein monitoring is programmed into the computation and I/O modules, the control system state variable parameters characterizing a plurality of critical systems that communicate on the bus, wherein the control system state variables are present on the bus;
  
  comparing the real-time control system state variable parameters with respect to expected system state variable conditions; and
  
  validating output command validity based on expected individual state variable conditions.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13 wherein said output command validity is stored in a memory.
  - 15. The method of claim 13 wherein said expected system state variable conditions are retrieved from a memory.
  - 16. The method of claim 13 wherein monitoring is conducted via a bus as part of a partitioned processor architecture.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Banning, Ronald Ray, Goossen, Emray Rein
Primary Examiner(s)
BADERMAN, SCOTT T

Application Number

US09/467,111
Time in Patent Office

1,159 Days
Field of Search

714/43, 714/44, 714/736, 714/797, 714/21, 714/30, 714/47, 714/56
US Class Current

714/43
CPC Class Codes

G05B 9/02 electric

G05B 9/03 with multiple-channel loop,...

System and method for fail safe process execution monitoring and output control for critical systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for fail safe process execution monitoring and output control for critical systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links