Modern fly-by-wire flight control systems adopt a distributed actuation system. Each actuator has an independent control unit, which belongs to the category of complex electronic hardware. It is necessary to avoid loss of control or uncommanded motion of multiple control surfaces due to a common mode fault. This paper introduces the design of an actuation system controller that effectively mitigates the controller availability and integrity problems caused by common mode failures.
The distributed flight control actuation system is the mainstream design of newly developed passenger aircraft in recent years. Each control surface actuator has its own controller, and the aircraft must meet the minimum control configuration requirements in order to ensure flight safety. An actuator control loop is composed of an actuator and an actuator controller. If a common mode fault occurs in flight, it will lead to simultaneous failure of multiple control surface actuators and affect flight safety. Therefore, the design of the actuation system controller must effectively mitigate the availability and integrity problems that common mode faults cause in the controller.
The attitude control of a civil aircraft in pitch, roll and yaw is mainly realized by the elevator, aileron and rudder. To prevent a single point failure in an actuator control loop from making the whole control surface uncontrollable, two or three actuators are arranged in parallel on each control surface. That is to say, each control surface loop contains multiple actuator control loops that work in active-active mode or active-bypass mode.
However, because the controller realizes the functions of position control, thermostatic element bus communication, signal excitation, sensor feedback, fault monitoring and isolation, it belongs to the category of complex electronic hardware. According to DO-254, the design assurance guidance for airborne electronic hardware, common mode faults of electronic hardware should be mitigated. A failure that causes the loss of a control loop is an availability problem. Issuing wrong commands to the control loop after a fault occurs is an integrity problem. When a common mode fault occurs in the controllers, multiple actuator loops fail, and the simultaneous failure of multiple control surfaces has disastrous effects on the aircraft. Therefore, different actuators on the same control surface should use controllers of different configurations.
The two REUs have the same basic functions, environmental design, interfaces and packaging. When a single actuator control loop fails because one controller configuration has failed, the actuator control loop with the other configuration remains on the control surface and maintains the availability of that surface.
When a common mode fault occurs in the controller and the actuator control loop executes wrong commands, this can also lead to aircraft imbalance and a disastrous accident. To prevent common mode failures of a single monitor design, two dissimilar monitors need to be designed inside the controller. When one monitor fails, the other monitor can still detect and isolate the failure, thus eliminating uncommanded motion and ensuring the integrity of the control surface. To prevent common mode faults from affecting the availability of the control surface loop, two different configurations of controllers are adopted. The complex logic, arithmetic and monitoring functions of the controller are realized by the core processing chip. The core chip is complex electronic hardware, while the peripheral interface circuits are simple electronics. Therefore, different types of core chip designs are used to make the controllers dissimilar. The Field Programmable Gate Array (FPGA) has become the main choice for controller design because of its rich logic units and high computing speed.
In this paper, taking the FPGA as an example, we analyze how to select chips so as to obtain sufficient dissimilarity. The logic, arithmetic and architecture of the FPGAs should be designed by different companies or teams, so that a potential defect in one design cannot cause the loss of all actuator control loops at the same time; different architectures and technologies should be adopted, so that a hardware defect cannot cause the loss of all actuator control loops at the same time; and the hardware resources hardened in the FPGA chip, such as multipliers, adders and IO, should be different.
To prevent the controller from executing wrong commands after a fault, monitors are designed inside the controller, but a single monitor still has a high probability of failure. Therefore, a dual-channel design is adopted in the controller: the actuator control loop is handled by a command channel and a monitoring channel. The command channel receives the command position and the actuator position from the flight control computer through the bus. Through the position loop computation, it outputs the drive current that moves the actuator to the command position. The monitoring channel also reads the flight control computer commands and the actuator position feedback, and produces its own result through a position loop computation. This result is compared in real time with the result of the command channel. If the results are consistent, the output of the command channel is valid; otherwise the output of the controller is cut off.
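The command/monitor comparison described above, sketched in C as an added example (not code from the paper): the two lanes compute the same position loop with deliberately different arithmetic, and the comparator cuts the output off after persistent disagreement. The proportional control law, the gain, limit and tolerance values, the three-frame persistence and the injected fault are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Gains, limits and thresholds are illustrative assumptions, not page values. */
#define KP_Q8          512    /* gain 2.0 uA/um in Q8 fixed point */
#define LIMIT_UA       8000   /* drive current saturation, microamps */
#define TOLERANCE_UA   50     /* permitted lane disagreement */
#define PERSIST_FRAMES 3      /* consecutive miscompares before cutoff */
typedef struct { int miscompares; int latched; } monitor_t;

/* Command lane: position loop in floating point on millimetres. */
static int32_t command_lane_ua(float cmd_mm, float pos_mm) {
    float ua = 2.0f * (cmd_mm - pos_mm) * 1000.0f;   /* 2 mA/mm */
    if (ua > LIMIT_UA) ua = LIMIT_UA;
    if (ua < -LIMIT_UA) ua = -LIMIT_UA;
    return (int32_t)ua;
}

/* Monitor lane: same control law, dissimilar integer arithmetic on micrometres. */
static int32_t monitor_lane_ua(int32_t cmd_um, int32_t pos_um) {
    int64_t ua = (int64_t)KP_Q8 * (cmd_um - pos_um) / 256;
    if (ua > LIMIT_UA) ua = LIMIT_UA;
    if (ua < -LIMIT_UA) ua = -LIMIT_UA;
    return (int32_t)ua;
}

/* Comparator: returns the current passed to the actuator, 0 once cut off. */
static int32_t controller_step(monitor_t *m, int32_t cmd_out, int32_t mon_out) {
    if (m->latched) return 0;
    if (labs((long)cmd_out - (long)mon_out) <= TOLERANCE_UA) m->miscompares = 0;
    else if (++m->miscompares >= PERSIST_FRAMES) { m->latched = 1; return 0; }
    return cmd_out;
}

/* Constructed scenario: steady 1 mm error; from fault_frame on, the command
   lane output is corrupted by +1000 uA. Returns the cutoff frame, or -1. */
static int simulate(int fault_frame, int frames) {
    monitor_t m = {0, 0};
    for (int f = 0; f < frames; f++) {
        int32_t c = command_lane_ua(11.0f, 10.0f);
        if (fault_frame >= 0 && f >= fault_frame) c += 1000;
        controller_step(&m, c, monitor_lane_ua(11000, 10000));
        if (m.latched) return f;
    }
    return -1;
}

int main(void) {
    printf("healthy: %d, fault at 5: cutoff at %d\n", simulate(-1, 20), simulate(5, 20));
}
```

The cutoff is latched, so a lane that later happens to agree again does not silently re-enable the output.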
In addition to monitoring the control loop command computation, other key signals need to be monitored. For hydraulic actuators, these are mainly electro-hydraulic servo valve (EHSV) current and spool position monitoring, position sensor feedback monitoring, bus command monitoring, etc. [2]. The control loop arithmetic of the command channel and the monitoring channel must be designed differently; the control logic of the command channel and the monitoring channel must be designed differently; and the mechanisms by which the command channel and the monitoring channel cut off the controller must be independent.
Modern newly developed civil aircraft adopt distributed actuation control systems. To avoid losing control of multiple control surfaces due to a common mode fault, the controller design introduced in this paper effectively mitigates common mode faults, and it has been successfully applied to a domestic civil aircraft project.