Safety critical control system that includes control logic or machine readable instructions that selectively locks or enables the control system based on one or more machine implemented state machines that includes states associated with detection or matching of one or more predetermined signals on distinct conduction paths between elements of the control system and related methods

Abstract

This disclosure involves a method of controlling a safety critical control device, the method comprising: sending user inputs to a first state machine, identifying user inputs by the first state machine, determining the correct state to communicate to a second state machine, the correct state being determined by selecting one state of a plurality of states depending on the user inputs, communicating the correct state to a second state machine through a control bus, and determining the correct state for the second state machine based on communication from the control bus.

Claims

1. A method for controlling a safety critical function of a weapon system, the method comprising: receiving, by a control panel, from an operator, an indication to arm the weapon system; in response to the receiving the indication to arm the weapon system, transmitting, by the control panel, a first set of three or more discrete signals to a weapon control device coupled to the weapon system; determining, by the weapon control device, whether each of the first set of three or more discrete signals meet a first set of level requirements; upon determining that each of the first set of discrete signals do not meet the first set of level requirements, inhibiting, by the weapon control device, the weapon system from performing a safety-critical function; upon determining that each of the first set of discrete signals meet the first set of level requirements, entering, by the weapon control device, an armed state; receiving, by the control panel, from the operator, an indication to activate the safety-critical function of the weapon system; in response to the receiving the indication to activate the safety-critical function of the weapon system, transmitting, by the control panel, a second set of three or more discrete signals to the weapon control device coupled to the weapon system, the second set of three or more discrete signals being different from the first set of three or more discrete signals; determining, by the weapon control device, whether each of the second set of discrete signals meet a second set of level requirements; upon determining that each of the second set of discrete signals do not meet the level requirements, inhibiting, by the weapon control device, the weapon system from performing the safety-critical function; and upon determining that each of the set of discrete signals meets the second level requirement and the weapon control device being in the armed state, activating, by the weapon control device, the safety-critical function of the weapon system.

2. The method of claim 1, wherein each of the first set of discrete signals are transmitted via an electrical conductor shared by a corresponding signal of the second set of three or more discrete signals.

3. The method of claim 2, wherein a signal of the second set of three or more discrete signals is a time-varying discrete signal and the second set of level requirements includes timing information for the second set of three or more discrete signals.

4. The method of claim 3, wherein the weapon control device is further configured to inhibit the safety-critical function of the weapon system if the time-varying discrete signal does not periodically change logic levels based on the timing information.

5. The method of claim 1, wherein each of the first set of discrete signals and each of the second set of discrete signals comprise signals from the set of: a constant logic level; and a periodically time-varying logic level, the time-varying at a determined periodicity.

6. The method of claim 1, wherein, in response to determining that each of the first set of discrete signals or each of the second set of discrete signals do not meet either the first set of level requirements or the second set of level requirements, inhibiting, by the weapon control device, the weapon system from performing the safety-critical function.

7. The method of claim 6, wherein, in response to determining that each of the first set of discrete signals or each of the second set of discrete signals do not meet either the first set of level requirements or the second set of level requirements, the weapon control device enters a lock-out state, wherein, while in the lock-out state, the weapon control device inhibits the weapon system from performing the safety-critical function; and wherein the weapon control device remains in the lock-out state regardless of a status of the first set of discrete signals or the second set of discrete signals.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Further objects and advantages of the present invention will become readily apparent upon reference to the following description of the preferred embodiments and to the accompanying drawings, wherein corresponding reference characters indicate corresponding parts in the drawings and wherein:

(2) FIGS. 1A and 1B depict a safety critical control system in one embodiment of the invention;

(3) FIG. 2 shows another embodiment of a safety critical control system;

(4) FIG. 3 shows one embodiment of a control panel of the safety critical control system of FIGS. 1A and 1B;

(5) FIG. 4 shows one embodiment of a transmitter state machine of the safety critical control system of FIGS. 1A and 1B;

(6) FIG. 5 shows an embodiment of a receiver state machine of the safety critical control system of FIGS. 1A and 1B; and

(7) FIG. 6 shows an embodiment of a control system signal timing configuration of the safety critical control system of FIGS. 1A and 1B.

DETAILED DESCRIPTION OF THE DRAWINGS

(8) The embodiments of the invention described herein are not intended to be exhaustive or to limit the invention to precise forms disclosed. Rather, the embodiments selected for description have been chosen to enable one skilled in the art to practice the invention.

(9) Referring now to FIGS. 1A and 1B, a safety critical control system 1 in accordance with one embodiment of the invention includes a transmitter 5, a control bus 9, and a receiver 11. The transmitter 5 is adapted to receive system control inputs from a user or other control systems (not pictured). The exemplary control bus 9 includes redundant bus lines or wires coupling the transmitter 5 with the receiver 11; the receiver 11 interfaces with a system under control 15. The exemplary control bus 9 comprises wires or lines that are shielded and separated from each other. In this embodiment, the redundant control lines or wires comprise three lines or wires 19, 21, 23 in at least one redundant portion of the system where two out of the three control wires (e.g., 19, 21) carry an inverted logic signal as compared to the signal carried on the third line or wire, e.g., 23. An additional fourth wire or control line can be utilized to communicate fault conditions detected by the receiver to the transmitter, 25.

(10) In particular, the exemplary control bus 9 wiring or control lines comprise a primary 19, secondary 21, and tertiary line 23 which are each adapted to carry a plurality of signals generated by the transmitter 5, one of which indicates a valid activation or control signal. The three wires or control lines 19, 21, 23, 25 comprising the exemplary control bus 9 can be routed in their own wire bundle which can be further protected by a grounded shield (not shown). The wires or control lines 19, 21, 23, 25 can be separated and shielded to reduce risks associated with damage to the bus 9 lines or wires as well as to reduce susceptibility to radiated emissions. The receiver 11 can have a signal processing system having a section adapted to function as a receiving state machine 43 for detecting signal combinations from one or more lines (e.g., 19, 21, 23) in the exemplary control bus 9. One embodiment has a receiver 11 and receiving state machine 43 further adapted to further detect and process signals from at least one system under control 15.

(11) FIG. 2 illustrates how one station 200 can be controlled and powered by the safety critical control system 1. In this embodiment, a power supply subassembly 204 can provide the necessary power to the station 200. Station 200 can include an activation mechanism 202 that is electronically coupled to transmitting state machine 41 (e.g. seen in FIG. 1B). Further, a control panel 208 can be located in a position that is accessible to a user and can contain a plurality of buttons or controls. Control panel 208 can also be electronically coupled to transmitting state machine 41. Transmitting state machine 41 can transmit a signal along the bus 9 that is generated by inputs received from both the control panel 208 and the activation mechanism 202. The bus 9 may further relay the signal to a receiving state machine 43. The receiving state machine 43 can interpret the signal sent by the transmitting state machine 41 through the bus 9 to control a safety critical device 206. The safety critical device 206 may not be activated unless the proper state indicator has been received from the transmitting state machine 41.

(12) FIG. 3 illustrates a control panel 208 that can control a plurality of helicopter external weapon or stores mounting stations (not shown). For example, the control panel 208 can provide for user inputs to arm or disarm a selected weapon or stores mounting, e.g., station four 304, or station seven 306. The control panel 208 can be electronically coupled to both the activation mechanism 202 and the transmitting state machine 41 to communicate the user inputs to the transmitting state machine 41. For example, when one of the stations 304 or 306 has been switched by the user into an armed state, the transmitting state machine 41 may be in a ready to operate state. Further, if the transmitting state machine 41 is in a ready to operate state and the activation mechanism 202 is engaged by the user, the transmitting state machine 41 may enter into an operate state for a duration of a time the activation mechanism 202 is engaged.

(13) Referring to FIG. 4, the exemplary transmitting state machine 41 referenced in FIG. 1B is shown having a plurality of states including a power-up/safe state 45, a fault and/or lock-out state 42, a ready-to-operate (RTO) state 47, and an operate state 49. These states are duplicated in both the transmitter 5 and receiver 11 referenced in FIG. 1B. The exemplary transmitting and receiving state machines 41, 43 are adapted to have transitions from one state to another that require one or more conditions to be satisfied. The exemplary transmitter power-up/safe state 45 of the transmitter 5 occurs when power is applied to the transmitter 5. The exemplary transmitter 5 transitions between the power-up/safe state 45 and the RTO state 47 when inputs to the transmitter 5 (either from other control systems or from the user) equal a predetermined state, e.g., when one of the stations 304 or 306 of the control panel 208 is switched to an armed position. While in the RTO state 47, the transmitter 5 changes the state of the control bus 9 as shown in FIG. 6 with the primary line 19 being driven logic low, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic high. The exemplary transmitter 5 transitions between the RTO state 47 and operate state 49 when inputs to the transmitter 5 (either from other control systems or from the user engaging the activation mechanism 202) equal a predetermined state. While in the operate state 49, the transmitter 5 changes the state of the control bus 9 as shown in FIG. 6 with the primary line 19 being driven logic high, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic low. Additionally, these states must transition to their opposite logic state periodically to remain in the operate state 49. During the operate state 49, the primary line 19 may be delivering a first discrete signal while the secondary 21 and tertiary 23 lines may be delivering a parallel discrete signal to one another, but an inverted discrete signal compared to the primary line 19. For the transmitting state machine 41 to remain in the operate state 49, the discrete and inverted discrete signals can properly transitioning from logic high to logic low state while being monitored by time restraints. For example, if the primary line 19 transitions from the logic high state to the logic low state, the secondary 21 and tertiary 23 lines may have to transition to a logic low state within 10 milliseconds of the transition of the primary line 19 in order to continue operating the safety critical device. The exemplary transmitter 5 cannot transition directly from the power-up/safe state 45 to operate state 49.

(14) In FIG. 4, the exemplary transmitter 5 enters the fault and/or lock-out state 42 when an internal error to the transmitter 5 is detected, other input conditions to the transmitter 5 (either from other control systems or from the user) equal a predetermined state, or the receiver 11 transmits a fault condition to the transmitter 5 via the fault control line 25 on the control bus 9. The fault and/or lock-out state 42 prevents the transmitter 5 from transitioning to any other state until power is cycled to the transmitter 5. The exemplary transmitter power-up/safe state 45 of the receiver 11 occurs when power is applied to the receiver 11.

(15) FIG. 5 illustrates how the exemplary receiver 11 transitions from the power-up/safe state 45 to the RTO state 47 when the control bus 9 transitions to the states shown in FIG. 6 with the primary line 19 being driven logic low, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic high.

(16) Referring to FIG. 5, the exemplary receiver 11 transitions from the RTO state 47 to the operate state 49 when the control bus 9 transitions to the states shown in FIG. 6 with the primary line 19 being driven logic high, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic low. Additionally, during the operate state 19, the primary, secondary, and tertiary lines 19, 21, and 23 can send discrete and inverted discrete signals to the receiver 11. The primary, secondary and tertiary lines 19, 21, and 23 must transition to their opposite logic state periodically within a time constraint to remain in the operate state 49. While in operate state 49, the receiver 11 will permit the system under control 15 to be operated. The exemplary receiver 11 cannot transition directly from the power-up/safe state 45 to the operate state 49.

(17) The exemplary receiver 11 enters the fault and/or lock-out state 42 when an internal error is detected, other input conditions to the receiver 11 equal an unrecognized state, or the control bus 9 does not transition as specified in FIG. 6. The receiver 11 transmits a fault condition to the transmitter 5 via the fault control line 25 on the control bus 9 while in the fault and/or lock-out state 42. The fault and/or lock-out state 42 prevents the receiver 11 from transitioning to any other state until power is cycled to the receiver 11.

(18) While the present invention has been described in connection with the preferred embodiments of the various figures, it is to be understood that other similar embodiments may be used or modifications and additions may be made to the described embodiment for performing the same function of the present invention without deviating therefrom. Therefore, the present invention should not be limited to any single embodiment, but rather construed in breadth and scope in accordance with the recitation of the appended claims.