![]() ![]() N2 - The controllability and steady-state response of parallel-redundant flight control systems are examined. Index categories: Aircraft Handling, Stability and Control Navigation, Control, and Guidance Theory Aircraft Subsystem Design. This research was supported by NASA Contract NAS9-10268. Received Jrevision received December 14, 1972. This and the consequent pilot actions resulted in the crash.T1 - Some effects of bias errors in redundant flight control systems The another one had already been diagnosed as faulty and excluded from consideration. In case of Air France flight 447, the FCS reverted to alternate law due to temporary inconsistency between the measured speeds (likely due to obstruction of the pitot tubes by ice crystals) of two ADRIUs. The Flight computers degrade to alternate law or direct law under two circumstances: The FCS needs two matching (with some allowed variation) values to generate output. The input of the 'voter' ( each flight computer) comes from all three ADIRUs. median).Ĭonsider the air data input in case of Airbus: there are three Air Data and Inertial Reference Units. averaging) selecting one of them based on some metric (for e.g. The other system produces an output even if there is no agreement between the redundant systems, usually by 'combining' (for e.g. This is usually the method used in Flight Control Systems (like Airbus). There are two ways the 'Voter' can determine the output from redundant systems:Īgreement based voting system produces an output only if a certain number (e.g. Image from A Novel Family of Weighed Average Voters for Fault-tolerant Computer Control Systems by Latif-Shabgahi et.al. A triple redundant system used in Flight Control Systems would look something like this: ![]() triple redundancy indicates three independent members, while a quadraplux redundancy indicates four independent members. In general, the number of redundancy indicates the number of independent members i.e. In principle though the secondary system could have been the basis of a perfectly competent fallback strategy if we'd thought it was necessary. In this case the fallback behaviour was simply to pull the plug on the car if the primary system went dodgy, because for a car that's reasonable. ![]() For added fun, the secondary and tertiary systems periodically injected spurious faults and checked their fault-reporting mechanisms were detecting them correctly, so they knew a real fault would trigger correctly. And a tertiary system checked that the primary and secondary systems were coming up with valid behaviour, using an even simpler (and hence even-easier-to-validate) model. Because it was a simpler model, testing could be more complete. A secondary system had a simpler model of how things should behave, checking for when the primary system was outside some tolerance of its simpler model for some time. A primary control system ran the whole thing, managed emissions, best driver response, and all that good stuff. These things are drive-by-wire as far as go/stop are concerned, so a lot of the same safety principles apply. I've worked on a multiply-redundant hybrid electric vehicle controller. Your question also makes the implicit assumption that redundancy involves multiple systems trying to come up with the same answer. The voting happens first in the comparator step (between the two channels) and again in the filters (between the single systems). Input is from the side sticks, and output goes to the hydraulic valves at the control surfaces. Only the first system of each is expanded the boxes for system 2 and 3 look the same on the inside. This helps to reduce systematic errors, when all together would fail because of a common malfunction.Īirbus flight control system diagram (picture source). Inside, each has two channels which run software written by a different team, run on a processor different to the one in the other channel and which are supplied by two different suppliers. In case of Airbus, besides the three main FCS computers two backup systems are available to help isolate the faulty one. And if all three disagree, two of them must be faulty already, so this is a case of multiple failures. However, often the term "triple redundant" is used when the system has only three members. Triple-redundant systems have four independent members, so if one fails, a two-to-one vote of the remaining three is still possible. ![]()
0 Comments
Leave a Reply. |