Fault location in a redundant acquisition system

Abstract

A method detects and localizes a failure of a measurement acquisition channel in an acquisition system including two redundant acquisition channels for the measurement of a physical quantity in an environment. The method uses a processor with a memory storing a model including modeled values of the physical quantity based on measurements of other physical quantities in the environment. The method includes detecting a symptomatic error of a defective acquisition channel when a deviation between the measured values of the two channels reaches a detection threshold, waiting to let the acquisition system evolve for a certain period, and localizing the defective channel among the two channels, when the deviation of the values measured between the channels reaches a localization threshold different from the detection threshold. The localization is made from the comparison of the measured value of each of the channels with a modeled value of the physical quantity.

Claims

1. A method for detecting and localizing a failure of a measurement acquisition channel in an acquisition system comprising two redundant acquisition channels for a measurement of a physical quantity in an environment, the method using a calculation unit comprising a memory storing a model of a measured physical quantity, said model providing modeled values of the physical quantity based on measurements of other physical quantities in said environment, the method comprising the following steps: detecting a symptomatic error of a defective acquisition channel when a deviation between measured values of the two redundant acquisition channels reaches a detection threshold; waiting to let the acquisition system evolve for a certain period of keeping the symptomatic error under control; localizing the defective acquisition channel among the two redundant acquisition channels, when the deviation reaches a localization threshold, said localization being made from a comparison of the measured value of each of the two redundant acquisition channels with a modeled value of the physical quantity, the localization threshold being different from the detection threshold.

2. The method according to claim 1, wherein the calculation unit generates working data which takes into account the measured values of the two redundant acquisition channels as long as the localization step is not triggered, said method further comprising a step of: selecting a non-defective channel as a working quantity once the localization step has been carried out.

3. The method according to claim 2, wherein the working quantity corresponds to an arithmetic mean of quantities of the two redundant acquisition channels.

4. The method according to claim 1, wherein a fault threshold is predefined and the calculation unit generates working data which takes into account the measured values of the two redundant acquisition channels as long as the localization step is not triggered, and wherein the localization threshold is chosen so that the deviation between the measured values of the two redundant acquisition channels can exceed the fault threshold but a deviation between the working data and the measured value of either of the two redundant acquisition channels cannot exceed the fault threshold.

5. The method according to claim 4, wherein the localization threshold is greater than the fault threshold.

6. The method of claim 5, wherein the localization threshold is between the fault threshold and twice the fault threshold.

7. The method according to claim 1, further comprising notifying the detection of the defective acquisition channel before the localization step to provide information on a state of a detected but non-localized failure.

8. The method according to claim 7, wherein the calculation unit notifies the detection at the time of the detection step.

9. The method according to claim 1, wherein the detection threshold and/or the localization threshold and/or a fault threshold and/or the model of the physical quantity is/are a function of operating ranges of the acquisition system and/or of an accuracy of the model.

10. The method according to claim 1, wherein the detection threshold is set based on sensor specifications of both of the two redundant acquisition channels.

11. A calculation unit for detection and localization of failure of a measurement acquisition channel in an acquisition system comprising two redundant acquisition channels for a measurement of a physical quantity in an environment, the calculation unit comprising a memory storing a model of a measured physical quantity, said model providing modeled values of the physical quantity based on measurements of other physical quantities in said environment, the calculation unit being configured to receive measurement data from the two redundant acquisition channels of the acquisition system, the calculation unit being configured to execute the following steps: detecting a symptomatic error of a defective acquisition channel when a deviation between measured values of the two redundant acquisition channels crosses a detection threshold, waiting to let the acquisition system evolve for a certain period of keeping the symptomatic error under control, localizing a defective channel among the two redundant acquisition channels, when the deviation crosses a localization threshold, said localization being made from a comparison of the measured value of each of the two redundant acquisition channels with a modeled value of the physical quantity, the localization threshold being different from the detection threshold.

Description

PRESENTATION DES FIGURES

(1) Other characteristics, aims and advantages of the invention will emerge from the following description, which is purely illustrative and not limiting, and which should be read with reference to the appended drawings, in which:

(2) FIG. 1 illustrates a known detection and localization method.

(3) FIG. 2 illustrates an assembly for implementing the invention.

(4) FIG. 3 illustrates a method in accordance with one embodiment of the invention.

DETAILED DESCRIPTION

(5) FIG. 2 illustrates an assembly comprising a duplex or redundant acquisition system 10 and a calculation unit 20 able to receive data from the acquisition system 10.

(6) The acquisition system 10 comprises a first channel A and a second channel B for measuring data relating to a mechanical, electronic, electrical and/or hydraulic device 30. The channels A, B are intended to measure the same physical quantity of the same device 30. The channels A and B each comprise for that at least respectively one sensor 12, 14 (voltage, magnetic field, temperature, torque, force sensor, etc.).

(7) The sensors 12, 14 of the two channels A, B then send their data to the calculation unit 20. The data are generally in the form of an electrical voltage value indicative of the parameter that the sensors 12, 14 are measuring. The data can be transmitted in a digital or analog manner. Particularly, the data can be pre-processed (filtering, smoothing, etc., either at the level of the sensor or at the level of the calculation unit 20) in order to be able to be used in the case of a method in accordance with the different embodiments of the invention.

(8) The acquisition system 10 can thus comprise a processing module 16 to perform the pre-processing of the data from the channels A, B so that the calculation unit 20 receives data that can be used directly.

(9) The calculation unit 20 comprises a processor 22 able to process data (for example calculate the differences between the values of the acquisition channels A, B, calculate a new quantity from these acquisition channels A, B, calculate a mean, etc.) and perform calculations, and further comprises a memory 24. The processor 22 can communicate with the memory 24.

(10) The calculation unit 20 also has the function of generating a working data S, which is then used by the other calculators of the aircraft. The working data S corresponds to a function of the values of the acquisition channels A, B, which can be written in the form S=f(A,B). The principle of redundancy calls for a principle of symmetry in the function f (because the two channels A, B are generally preferably undifferentiated and neither is privileged over the other) therefore a function f such that f(A,B)=f(B,A) is preferably chosen. This may not be the case: sometimes, for certain temperatures, it is preferred to favor the maximum between the channels for protection against over-temperatures.

(11) In a preferred embodiment, the function f is a mean and S=moy_AB=(A+B)/2 is obtained. This means that the working data S corresponds to the mean of the values of the acquisition channels A and B.

(12) The memory 24 stores a computer model Mod of the quantity measured by the channels A, B. This model has been developed beforehand from other measurements.

(13) As indicated previously, the accuracy of the sensors 12, 14 is better than that of the model Mod.

(14) The calculation unit 20 can group together several calculation sub-units, in particular in the case where the tasks are shared between different calculators or computers.

(15) The acquisition channels A, B acquire continuously (or at regular intervals) data relating to the device 30. These data are sent to the calculation unit 20 which calculates in particular a deviation Δ between the measured values of the channels A, B. This deviation Δ can be in absolute or relative (positive or negative) value. To illustrate some situations in the present description, it will be considered that the acquired values verify the following definition of Δ: B=A+Δ.

(16) A fault threshold Th_Err is defined from which it is considered that the deviation Δ on the measurement, following a failure, may cause a feared or unwanted event (LOTC for example). This means that if the working data S corresponds to the defective acquisition channel (therefore to be avoided), there is a risk of causing the unwanted event.

(17) FIG. 3 graphically illustrates the different steps of the detection and localization method, this method will be described. A fault threshold of 8K is here assumed.

(18) In a first step E1, an error, following a fault, is detected when the deviation Δ reaches a detection threshold Th_D (1K in FIG. 3). The error is symptomatic of a faulty acquisition channel. The data relating to the detection threshold Th_D is typically stored in the memory 24. The detection threshold Th_D depends on the acquisition system 10, including in particular the specifications of the sensors 12, 14 (therefore of their accuracy).

(19) Step E1 is implemented by the calculation unit 20. In FIG. 3, step E1 occurs at t1.

(20) Optionally, a notification step E1′ is triggered by the calculation unit 20 to provide information according to which an error has been detected. The error detection information can be used by a computer, another module of the calculation unit 20, or by a human operator, etc.). Consequently, there is error detection information relating to the acquisition system indicating that one of the two channels A, B is defective, but without being able at this stage to identify which one.

(21) Then, a waiting step E2 is carried out, which simply corresponds to a wait to let the system evolve for a period T. During this waiting step E2, the failure is known but under control, i.e. it is known that the generated error will not lead to the feared event: it is therefore a period of keeping the error under control or a period of harmlessness of the error. The period T lasts until a step of localizing E3 the defective channel is triggered (see FIG. 3). The period T is typically non-zero (except in case of clear failure, where a channel moves instantaneously).

(22) The localization step E3 is carried out when the deviation Δ of the measured values between the channels A, B reaches a localization threshold Th_L (FIG. 3). The localization is made by comparing the values measured for the channels A, B with the model Mod of the channels A, B stored in the memory 24. Typically, the channel A, B considered as non-defective is the one which is the closest to the model Mod. The closest means that the deviation between the values is the smallest.

(23) Step E3 is implemented by the calculation unit 20. In FIG. 3, step E3 occurs at t2.

(24) Thanks to the wait E2, the deviation Δ has been able to grow since the detection step E1 (for example in case of sensor gain drift), which means that the identification of the channel is made with less risk of error despite the inaccuracy of the model Mod.

(25) Naturally, the localization threshold Th_L has a value different from that of the detection threshold Th_D, otherwise the same risks of error related to an early localization would be present.

(26) In addition, as the detection E1 has been made upstream, a new state of detected but non-localized failure is created. There is thus a preventive detection which can cause the establishment of some preventive measurements: not taking into account the data generated by the acquisition system 10 or maintenance operation. Indeed, even if the risk of mistake on the channels A, B is high at this stage, the criticality in maintenance is much lower than during operation. It is therefore reasonable within this framework to try to localize the error earlier.

(27) Once the localization E3 has been made and the defective channel has been identified (or concomitantly), a selection step (also called accommodation) E4 of the non-defective channel is implemented. This means that the working data S of the calculation unit 20 becomes the non-defective acquisition channel—the other channel being ignored.

(28) The selection step E4 is implemented by the calculation unit 20. In FIG. 3, the step E4 also occurs at t1.

(29) There are therefore two thresholds to be set: the detection threshold Th_D and the localization threshold Th_L. The detection threshold Th_D only depends on the sensor specifications.

(30) On the other hand, the value of the localization threshold Th_L remains to be determined, which requires knowing the time that would lead up to the feared event without accommodation.

(31) In practice, as was indicated earlier, the working data S corresponds to the mean Moy_AB of the acquisition channels A, B. By definition, if there is a mistake on the measurement of a deviation Δ equal to Th_Err and if the working data S corresponds to the defective channel, there is a risk of ending up with the feared event.

(32) However, as long as the defective acquisition channel has not been localized, the failure has a halved impact (because the working data S is the mean Moy_AB between the two channels A, B).

(33) Consequently, the risk only occurs when S−A=Moy_AB−A=Th_Err−A. Th_Err−A=(A+B)/2−A=(A+A+Δ)/2−A=Δ/2, namely Δ=2Th_Err, is thus obtained.

(34) It is therefore possible to implement the localization step E3 only when the deviation Δ between the channels reaches 2Th_Err, i.e. as late as possible. This value being extreme, the application of a safety margin means sought to be localized when the deviation Δ between the channels reaches Th_L such that Th_Err<Th_L≤2Th_Err.

(35) In other words, as Th_L>Th_Err (Th_L is strictly greater than Th_Err), the deviation Δ between the channels A, B will be caused to exceed the fault threshold Th_Err during the waiting step E2. On the other hand, as Th_L≤2Th_Err, the working data S=Moy_AB indeed keeps a deviation with the channel A (or moreover the channel B, in absolute value, because the function is the mean function) lower than Th_Err during the whole waiting phase E2, which means that the risk that the feared event occurs is avoided. If Th_L=2Th_Err, the localization step is triggered at the time when the working data S=Moy_AB reaches a deviation with the channel A which is Th_Err. If Th_L<2Th_Err, then the working data S=Moy_AB keeps a deviation with the channel A which will always be less than Th_Err.

(36) As other output data S are possible (use of functions f other than the mean), the principle can be immediately generalized: a localization threshold Th_L is chosen so that the deviation between the values of the two channels A, B can exceed the fault threshold Th_Err but so that the deviation between the working data S and either of the two channels A, B (the two deviations can be calculated and the maximum of the deviations can be taken) cannot exceed the fault threshold Th_Err.

(37) In this way, “at the latest” is localized when the error on the faulty acquisition channel is maximum, which greatly reduces the probability of wrong localization.

(38) The values of the thresholds Th_Err, Th_L_, Th_D are stored in the memory 24 of the calculation unit 20. The thresholds are here expressed in absolute value, i.e. they are positive.

(39) As specified above, the thresholds and the deviations are advantageously expressed in absolute value, so as not to depend on the signs of the acquired data. It is however possible to work outside the absolute value: the signs and the (increasing or decreasing) evolutions of the data must then be taken into account.

(40) Thanks to the method described, the maximum tolerances on the acquisition are used as much as possible before the localization step E3 for accommodation as needed. Consequently, the more this criticality will be mastered, the more the failure management performance can be improved.

(41) Finally, the operation of the acquisition system 10 and/or the accuracy of the model Mod may vary based on the operating regime of the device 30. In this case, different values of each threshold Th_Err, Th_L and/or Th_D, and/or the model Mod can be stored in a table in the memory 24, based on the operating ranges of the acquisition system 10 and/or on the accuracy of the model.