Managing Redundancy in Fly-by-Wire Control Systems
While redundancy is universally understood to be essential for safe fly-by-wire flight control systems, there are two schools of thought on how to provide and manage redundancy. Stephen Osder (1999) defines the two approaches as physical redundancy, which uses measurements from redundant elements of the system for detecting faults, and analytic redundancy, which is based on signals generated from a mathematical model of the system. Analytic redundancy (Frank, 1990) uses real-time system identification techniques, as in Chapter 14, Sec. 8, or normal optimization techniques.
Physical redundancy is the current technology for fly-by-wire, except for isolated subsystems. Figure 5.20 is a highly simplified diagram of a generic triplex physically redundant flight control system. The key concept is grouping of all sensors into sets and using the set outputs for each of the three redundant computers. Likewise, each of the computers feeds all three redundant actuator sets. Voting circuitry outputs the midvalue of the three inputs to the voting system. Fail-operability is provided, a necessity for fly-by-wire systems. Figure 5.20 clearly could be extended to quadruple redundant flight controls.
The practical application of physical redundancy requires close attention to communications among the subsystems. Unless signals that are presented to the voting logic are perfectly synchronized in time, incorrect results will occur. In the real world, sensors, computers, and actuators operate at different data rates. Special communication devices are needed to provide synchronization. Additional care is required to avoid fights among the redundant channels resulting from normal error buildup, and not from the result of failures.
The situation with regard to analytic redundancy is still uncertain, since broad applications to production systems have not been made. By replacing some physical or hardware redundant elements with software, some weight savings, better flexibility, and more reliability are promised. However, a major difficulty arises from current limitations of vehicle
Figure 5.20 Generic triplex-redundant architecture for flight-critical control systems. (From Osder, 1999) |
system identification and optimization methods to largely linearized or perturbation models. If an airplane is flown into regions where aerodynamic nonlinearities and hysteresis effects are dominant, misidentification could result. Misidentification with analytic redundancy could also arise from the coupled nature of the sensor, computer, and actuator subsystems. Osder (1999) gives as an example a situation where an actuator position feedback loop opening could be misdiagnosed as a sensor failure, based on system identification.
An analytic redundancy application to reconfiguring a system with multiple actuators is given by Jiang (2000). The proposed system uses (linearized) optimization to reconfigure a prefilter that allocates control among a set of redundant actuators and to recompute feedback proportional and integral gains. A somewhat similar analytic redundancy scheme, using adaptive control techniques, is reported by Hess (2000). Baumgarten (1996) reported on reconfiguration techniques focusing on actuator failures.
The best hope for future practical applications of analytical redundancy rests in heavy investments in improved methods of system identification. This appears to be the goal of several programs at the Institute of Flight Mechanics of the DLR. Several advances at that institute and at other places are noted in Chapter 14, Sec. 8, “Flight Vehicle System Identification from Flight Test.”
5.14 Electric and Fly-by-Light Controls
Fully electrical airplane flight control systems are a possibility for the future. Elimination of hydraulic control system elements should increase reliability. Failure detection and correction should become a simple electronic logic function as compared with the complex hydraulic arrangement seen in the F-16’s ISA. Fly-by-light control systems, using fiber optic technology to replace electrical wires, are likewise a future possibility. Advanced hardware of this type requires no particular advances in basic stability and control theory.