Failure detection and isolation investigation for strapdown skew redundant tetrad laser gyro inertial sensor arrays by Eberlein, A. J. & Lahm, T. G.
CR-137730

FAILURE DETECTION AND ISOLATION INVESTIGATION FOR STRAPDOWN SKEW REDUNDANT TETRAD LASER GYRO INERTIAL SENSOR ARRAYS

By A. J. Eberlein and T. G. Lahn

(NASA-CR-137730) Failure Detection and Isolation Investigation for Strapdown Skew Redundant Tetrad Laser Gyro Inertial Sensor Arrays (Honeywell, Inc.), 100 p. N76-16361. Unclassified. CSCL 17G.

Distribution of this report is provided in the interest of information exchange. Responsibility for the contents resides in the author or organization that prepared it.

Prepared under Contract No. NAS2-8065 by
HONEYWELL INC., Government and Aeronautical Products Division
Minneapolis, Minnesota 55413
February 1976

for
AMES RESEARCH CENTER
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

https://ntrs.nasa.gov/search.jsp?R=19760008973
CONTENTS

Section                                                              Page

1  INTRODUCTION                                                         2
2  TETRAD SYSTEM DESCRIPTION                                            3
3  SYSTEM REDUNDANCY MANAGEMENT CONCEPTS                               11
   General Reliability Considerations                                  11
      Computational failures                                           11
      Hardware redundancy                                              11
      Fail-safe computer approach                                      13
      Reliability design acceptance criteria                           15
   Tetrad Sensor/Dual-Computer Redundancy Management Concept           17
      Dual-channel computers without output comparison                 17
      Design failures versus random failures                           24
      Dual-channel computers with output comparison monitoring         24
      Self-test nomograph                                              29
4  LASER GYRO FAILURE DETECTION AND ISOLATION                          34
   Readout Control Circuitry                                           37
      Description                                                      37
      Reliability                                                      39
      Failure detection                                                39
   Laser Block Assembly                                                40
      Description                                                      40
      Reliability                                                      43
      Failure detection                                                44
   Current Control Circuitry                                           45
      Description                                                      45
      Reliability                                                      47
      Failure detection                                                47
   Case Assembly                                                       47
      Description                                                      47
      Reliability                                                      47
      Failure detection                                                47
   Path-Length Control Circuitry                                       49
      Description                                                      49
      Reliability                                                      51
      Failure detection                                                51
   Dither Control Circuitry                                            51
      Description                                                      51
      Reliability                                                      53
      Failure detection                                                53
   Gyro Failure Detection                                              53
5  SINGLE-CHANNEL COMPUTER FAILURE DETECTION AND ISOLATION             56
   Computer Definition                                                 57
   Computer Failure Definitions                                        59
      Computer hardcore failures                                       59
      Memory failures                                                  60
      Fault detection/reaction failures                                60
      CPU operational failures                                         61
      Multiplexed I/O failures                                         61
      Dedicated I/O failures                                           61
   Self-test Hierarchy                                                 61
   Computer Functional Test Descriptions                               62
      Watchdog timer                                                   62
      Dynamic computation monitor                                      63
      Memory tests                                                     64
      Fault detection/reaction tests                                   65
      CPU operational tests                                            65
      Power supply tests                                               66
      Bite-the-tail tests                                              66
      Digital I/O tests                                                67
   Computer Failure Model                                              68
   Summary                                                             68
6  IMPACT OF LASER GYRO FAILURE ON FLIGHT SAFETY                       72
7  CONCLUSIONS                                                         76

Appendix

A  COMPUTER SYNCHRONIZATION                                            79
B  TETRAD SKEWED GYRO VOTING AND TRANSFORMATION EQUATIONS              82
C  LASER GYRO READOUT CONFIGURATIONS                                   86
D  FAILURE MODEL                                                       92
FIGURES

Figure                                                               Page

1   Tetrad navigation system                                            5
2   Tetrad hardware                                                     6
3   Strapdown skewed inertial computation                               8
4   Tetrad block diagram                                               10
5   System probabilities                                               16
6   Tetrad sensor/dual-computer redundancy management concept          18
7   Dual-channel computer failure diagram                              19
8   Effect of self-test on flight safety for a dual-computer
    configuration                                                      22
9   Inoperative system diagram                                         23
10  Dual-channel computer with comparison monitoring failure diagram   25
11  Effect of self-test on flight safety for a dual-comparison
    computer                                                           28
12  Effect of self-test on fail-operational performance                31
13  Self-test tradeoff nomograph for dual computers with comparison
    monitoring                                                         32
14  GG1300 laser gyro                                                  36
15  Laser gyro reliability functional block diagram                    36
16  Gyro readout circuit                                               37
17  State diagram                                                      38
18  Input/output curve (+ count spillover)                             42
19  Pulses/time versus input rate                                      42
20  Discharge control circuit                                          46
21  Single-beam intensity versus cavity length                         49
22  Length control                                                     50
23  Dither drive                                                       52
25  Gyro failure model diagram                                         55
26  Computer mechanization                                             58
27  Computer failure model diagram                                     69

TABLES

Table                                                                Page

1   Dual-Channel Tetrad Effectiveness with and without Computer
    Comparator                                                         30
2   Component Failure Analysis                                         40
3   Monitors Versus Parameters Monitored                               48
4   Gyro Self-Test Summary                                             54
5   Self-Test Hierarchy Summary                                        71
6   Gyro Failures Versus System Requirements                           73
7   Undetected Failure Rate                                            75
LIST OF SYMBOLS

AC      Accelerometer self-test deficiency
AF      Accelerometer failure rate
A/D     Analog-to-digital conversion
CF      Computer failure rate
CC      Computer self-test deficiency
CCW     Counterclockwise
cm      Centimeter
CPU     Central processor unit
CW      Clockwise
D/A     Digital-to-analog conversion
DCM     Dynamic computation monitor
Em      Estimated monitor effectiveness
FO      Fail-operative
FS      Fail-safe
GC      Gyro self-test deficiency
GF      Gyro failure rate
I1      Current in laser gyro leg 1
I2      Current in laser gyro leg 2
INC     Inertial navigation channel
I/O     Input/output
It      Total current (I1 + I2)
MTBF    Mean time between failure
MTBLF   Mean time between loss of function
n       Number
PCCW    Counterclockwise pulse
PA      Probability of an inoperative system
PCF     Probability of a potentially catastrophic failure
PDF     Probability of a detected failure
PCW     Clockwise pulse
PFO     Probability of a fail-operative condition
PFS     Probability of a fail-safe condition
PIF     Probability of an indicator failure
PUF     Probability of an undetected failure
PZT     Piezoelectric
t       Time
WTD     Watchdog timer
λ       Failure rate (%/1000 hours)
δ       Error
FAILURE DETECTION AND ISOLATION INVESTIGATION
FOR STRAPDOWN SKEW REDUNDANT TETRAD
LASER GYRO INERTIAL SENSOR ARRAYS

By A. J. Eberlein and T. G. Lahn
Honeywell Inc.

SUMMARY

A study was performed to determine the degree to which flight-critical failures in a strapdown laser gyro tetrad sensor assembly can be isolated in short-haul aircraft after a failure occurrence has been detected by the skewed sensor failure-detection voting logic. Also investigated was the degree to which a failure in the tetrad computer can be detected and isolated at the computer level, assuming a dual-redundant computer configuration.

The tetrad system was mechanized with two two-axis inertial navigation channels (INCs), each containing two gyro/accelerometer axes, a computer, control circuitry and input/output circuitry. Gyro/accelerometer data is crossfed between the two INCs to enable each computer to independently perform the navigation task. Computer calculations are synchronized between the computers so that calculated quantities are identical and may be compared.

No way was found to guarantee complete fail-operational/fail-safe performance from a tetrad with redundant computers. Fail-safe performance (identification of the first failure) can be accomplished with a probability approaching 100%, while fail-operational performance (identification and isolation of the first failure) can be achieved 93 to 96% of the time. During those times when the system operates satisfactorily after the first failure (first failure identified and isolated), fail-safe performance (identification of the second failure) can be accomplished 93 to 96% of the time.
SECTION 1
INTRODUCTION

This report documents the results of a study performed by Honeywell Inc. investigating laser gyro self-test capability and computer self-test concepts as applicable to a strapdown tetrad inertial navigation system. Prior to this study the fail-operational/fail-safe characteristics of a tetrad INS mechanized with laser gyros had not been investigated.

The study was initiated by NASA Ames Research Center to determine the performance viability of a tetrad strapdown inertial navigation system against a fail-operational/fail-safe criterion. A tetrad consisting of two two-axis inertial navigation channels (INCs) was configured as a reference, with the main thrust of the study aimed at gyro self-test capability and computer fault isolation.

Section 2 describes the tetrad configuration chosen as a reference and the relationship between the two two-axis INCs. Section 3 discusses tetrad system redundancy management concepts as applicable to the gyros and computers; included in this section are general reliability considerations and two alternate dual-computer configurations. Section 4 describes the functional areas of the laser gyro along with a reliability analysis of each functional area. The impact of a failure in each functional area is assessed and BIT (built-in test) circuitry identified to detect the failure; a probability of failure detection is arrived at for each functional area within the laser gyro. Section 5 describes failure detection and isolation techniques that can be used to self-test either of the dual computers. A qualitative evaluation of the self-test effectiveness is also provided so that the feasibility of the concept can be evaluated. Section 6 assesses the impact on short-haul aircraft safety of flight of using the tetrad gyros for stability augmentation, attitude reference and navigation.
SECTION 2
TETRAD SYSTEM DESCRIPTION

The tetrad skewed sensor array represents the simplest form of gyro redundancy that may be mechanized into a strapdown navigation system. A tetrad array combined with a dual-redundant computer configuration was used to mechanize the tetrad inertial navigation system investigated in this study.

Skewed sensor redundancy is a technique that enables a single inertial sensor (gyro or accelerometer) to replace any failed sensor regardless of its input axis orientation. The concept is to mount the sensors such that their input axes are nonorthogonal (skewed) relative to one another, with any set of three input axes nonplanar. With this arrangement, any set of three sensor outputs can be used to derive (in the system computer) the equivalent output of an orthogonal sensor triad. Thus, four skewed sensors are capable of generating complete three-axis orthogonal output data with up to one sensor failure, and five skewed sensors are capable of tolerating two failures. (Detecting that one of four sensors has failed is a property of the voting logic alone; identifying which one, so that the remaining three can be used, requires additional information such as the sensor self-test discussed in Section 3.) In a conventional redundancy approach, two sets of orthogonal triads (i.e., six sensors) would have the same redundancy capability as four skewed sensors. The hardware savings is substantial with the skewed approach as the redundancy requirement increases.

In the strapdown approach, the inertial sensor triad (gyros and accelerometers) is mounted directly to the airframe. Both the gyro and accelerometer outputs are directed to the system computer. The computer processes the gyro data to continuously determine aircraft attitude relative to earth-referenced coordinates. The attitude data is used with the aircraft-mounted accelerometer signals to compute the equivalent acceleration data in the earth-referenced coordinate frame. Thus, the computer analytically simulates the function of the gimbal assembly in the gimbaled approach.
The remainder of the computation to determine aircraft velocity, position, and reference torquing commands is identical to the gimbaled approach. The emergence of the strapdown system as a more practical and cost-effective system rests on the development of digital computers that are relatively inexpensive and that have the computational speeds necessary to perform the strapdown navigation computations rapidly.

Figure 1 is a block diagram showing the general configuration of the tetrad navigation system, which consists of two identical two-axis inertial navigation channels. The two angular rate and acceleration signals from each two-axis sensor array are sent to each computer. The computer computational frames are synchronized through the use of a 40-msec clock interchange, while the data crossfeed permits each computer to compare its output with that of its counterpart (see Appendix A).

Other computer inputs generally include an altitude signal, mode control and latitude/longitude initialization data for the inertial computations from the aircraft control panel. Outputs from each computer, in general, are a-c, d-c, digital, and discrete outputs to the other aircraft systems and displays.

The orientation of the input axes of one of the gyro/accelerometer sets in a two-axis inertial navigation channel is shown in Figure 2(a) and is parallel to the long axis of the box (normal to the front face). The second gyro/accelerometer set is mounted with input axes perpendicular to the first set but skewed 54.7 degrees (nonorthogonal) relative to the base. The two two-axis inertial navigation channels are mounted to a common base, which is part of the aircraft rack structure, in precision alignment such that the long axes of the boxes are skewed relative to one another. This mounting arrangement is shown in Figure 2(b).

With the two-axis INCs oriented this way, the gyro/accelerometer sets become aligned relative to one another such that the input axes of the four sensors (tetrad) are noncoplanar (i.e., they do not lie in a single plane).
Figure 1. - Tetrad navigation system. [Block diagram: two two-axis navigation systems, each with a sensor array, control circuitry and a computer; clock and data crossfeed and sensor crossfeed between them; a-c, d-c, digital and discrete outputs from each computer. Image not reproduced.]

Figure 2. - Tetrad hardware. [Image not reproduced.]
Under these conditions, software routines in the computer can operate on the tetrad signals to analytically compute the equivalent roll, pitch, and yaw axis rate/acceleration data for computer operations. In addition, three of the four tetrad gyro/accelerometer signals can be combined to analytically derive what the fourth sensor set is measuring. If the derived signals are unequal to the fourth set output (within prescribed tolerances), a failure has occurred in one of the tetrad sensors. The tolerance has to sit above the disagreement that instrument noise and uncompensated errors produce in an unfailed array, or the voting logic will declare failures on a healthy system.

Figure 3 illustrates the inertial computations in the system computers, showing the inertial calculations data flow. The computer first compensates the input data from the two-axis skewed gyro/accelerometer sets for known systematic errors in each instrument such as bias, scale factor, and misalignment. The compensated skewed gyro/accelerometer signals are then compared in the skewed voting algorithms for failure detection and computation of equivalent three-axis orthogonal axis data (roll, pitch, yaw axis rate and acceleration), assuming no failure is indicated. Appendix B provides the derivation of a representative set of skewed redundancy gyro voting equations and skew-to-orthogonal transformation equations that would be programmed into the system computer. Skewed accelerometer equations would be similar to those for the gyros in Appendix B.
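The voting idea just described (derive the fourth sensor from the other three, compare, and fall back to three sensors once the failed one is known) is worked through below as an added example; it is not code from the report or from Honeywell, and it does not reproduce the Appendix B equations. The tetrad geometry is a constructed stand-in: the four input axes lie along the body diagonals of a cube, each 54.7 degrees from the cube axes (the skew angle quoted for Figure 2), so any three are non-coplanar. The `self_test_failed` argument stands in for the sensor validity signal of Section 3. The example also shows the limitation the report relies on: with four sensors there is exactly one parity equation, so a bias of a given size on any one gyro produces the same residual, and voting alone cannot tell which gyro failed.

```python
"""Tetrad skewed-gyro voting: parity detects a failure, self-test isolates it.

Added example, not code from the report.  Geometry is a constructed
stand-in: four input axes along cube body diagonals, each 54.7 deg from
the cube axes, so every three of them are non-coplanar.  Units arbitrary.
"""
from math import sqrt

S = 1.0 / sqrt(3.0)
# Rows: input-axis unit vectors of gyros 0..3 in body (roll, pitch, yaw) axes.
H = [
    [ S,  S,  S],
    [ S, -S, -S],
    [-S,  S, -S],
    [-S, -S,  S],
]


def det3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)


def solve3(a, b):
    """Solve the 3x3 system a.x = b by Cramer's rule."""
    d = det3(a)
    x = []
    for col in range(3):
        ac = [row[:] for row in a]
        for r in range(3):
            ac[r][col] = b[r]
        x.append(det3(ac) / d)
    return x


def parity_vector(h):
    """Unit vector p with p . (each column of h) = 0: the signed 3x3 minors
    of h.  h is 4x3, so there is exactly one such direction, i.e. a single
    parity equation for the whole tetrad."""
    p = []
    for i in range(4):
        minor = [row for j, row in enumerate(h) if j != i]
        p.append((-1) ** i * det3(minor))
    n = sqrt(sum(x * x for x in p))
    return [x / n for x in p]


def measure(h, omega, bias=None):
    """Skewed gyro outputs for body rate omega; bias=(i, b) injects a fault
    of size b on gyro i.  Constructed input, not flight data."""
    m = [sum(h[i][k] * omega[k] for k in range(3)) for i in range(4)]
    if bias is not None:
        i, b = bias
        m[i] += b
    return m


def parity_residual(h, m):
    """p . m is zero for any consistent set of four readings."""
    p = parity_vector(h)
    return sum(p[i] * m[i] for i in range(4))


def least_squares(h, m):
    """Orthogonal body rate from all four gyros (normal equations)."""
    hth = [[sum(h[i][r] * h[i][c] for i in range(4)) for c in range(3)]
           for r in range(3)]
    htm = [sum(h[i][r] * m[i] for i in range(4)) for r in range(3)]
    return solve3(hth, htm)


def triad_estimates(h, m):
    """Body rate from each three-gyro subset, keyed by the gyro left out.
    After one failure exactly one entry is right; the parity residual
    alone cannot say which."""
    out = {}
    for skip in range(4):
        keep = [i for i in range(4) if i != skip]
        out[skip] = solve3([h[i] for i in keep], [m[i] for i in keep])
    return out


def vote(h, m, threshold, self_test_failed=None):
    """Parity residual detects a first failure; only a conclusive sensor
    self-test (self_test_failed = gyro index) lets the system isolate it
    and continue on three gyros.  Returns (status, omega) with status
    'OK', 'FO' (fail-operative) or 'FS' (fail-safe: disengage)."""
    if abs(parity_residual(h, m)) <= threshold:
        return "OK", least_squares(h, m)
    if self_test_failed is None:
        return "FS", None
    keep = [i for i in range(4) if i != self_test_failed]
    return "FO", solve3([h[i] for i in keep], [m[i] for i in keep])


if __name__ == "__main__":
    omega = [0.01, -0.02, 0.03]                 # constructed body rate
    print(vote(H, measure(H, omega), 1e-3))
    m_bad = measure(H, omega, bias=(2, 0.005))  # gyro 2 drifts
    print(vote(H, m_bad, 1e-3))                 # detected, not isolated
    print(vote(H, m_bad, 1e-3, self_test_failed=2))
```

With the constructed geometry the parity vector is proportional to (1, 1, 1, 1), so the residual for a bias b on any gyro is b/2 regardless of which gyro carries it; this is the reason the report makes fail-operational performance after the first sensor failure depend on the conclusiveness of the sensor self-test rather than on the voting logic.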
The roll/pitch/yaw angular rate derived from the skewed gyro voting logic is then used in a three-axis attitude integration algorithm to compute the attitude of the aircraft (more specifically, the accelerometer assembly) relative to local vertical/azimuth coordinates. The angular rate of the aircraft over the surface of the earth (due to earth's rotation and aircraft velocity) is included in this computation to account for the rotation rate of the local vertical.

The aircraft attitude data is used to resolve the roll/pitch/yaw aircraft axis acceleration vector data from the skewed accelerometer voting logic into the local vertical/azimuth coordinate frame. The computed horizontal/vertical acceleration components are then integrated in an inertial velocity/position computation algorithm to calculate aircraft horizontal velocity and
Figure 3. - Strapdown skewed inertial computation. [Block diagram; image not reproduced.]
latitude/longitude position. Barometric altitude is used in the inertial computation to stabilize the vertical channel.

Figure 4 shows signal flow through the tetrad. The sensor signals are crossfed to the control and holding circuitry of each two-axis navigation system. The sensor information is stored in memory until it is subsequently used to calculate the required outputs.

Figure 4. - Tetrad block diagram. [Image not reproduced.]
SECTION 3
SYSTEM REDUNDANCY MANAGEMENT CONCEPTS

General Reliability Considerations

Past analog systems have relied primarily on the use of additional components (hardware redundancy) to meet system fault specifications (i.e., fail-operational/fail-safe, etc.). When digital systems are considered, various combinations of three types of redundancy can be used: additional programming for a self check (software redundancy); repetition of calculations or similar calculations for self check (time redundancy); and use of additional components for cross checking (hardware redundancy). Each of these three types of redundancy has its advantages and disadvantages and can be applied in varied degrees depending upon the requirements and philosophy used in the system design.

Computational failures.- Both analog and digital systems can have either transient or permanent faults. However, because of the binary nature of the digital computer, its errors result in logic faults (for example, a "1" is in a specific bit instead of a "0"). Transient and permanent faults are caused by component failures, intermittent malfunctions, and external interference during computation. Most faults will cause an error in the program being executed by the computer: either an instruction is not executed correctly, or an incorrect result is computed. Faults can cause either or both instruction and result errors. The exact nature of the fault depends on the nature of the component failure.

For example, component failures in certain areas of memory or I/O could result in a single bad value or output, whereas other component failures at more critical points could result in a completely inoperative computer.

Hardware redundancy.- The use of identical multiple circuits or channels is the most common form of redundancy in modern analog systems:
[Diagram: Channels A, B and C feed pairwise comparators; each comparator produces a failure warning and passes the channel outputs.]

A triple-channel approach to system redundancy has been used traditionally when fail-operational/fail-safe performance has been required. Flight safety of the above system basically reduces to providing fail-safe operation on any two channels.

The reliability model for a dual-channel fail-safe computer is shown below:

[Diagram: Computer A and Computer B feed a comparator; a comparator failure is detected by an indicator, which produces the failure indication.]

    PCF = (PDF · PIF) + PUF

where

    PCF = probability of a potentially catastrophic failure
    PDF = probability of a detected failure
    PIF = probability of an indicator failure
    PUF = probability of an undetected failure

NOTE: INS failures may or may not have the potential for causing a catastrophic condition to exist in the aircraft. The classification of failures is a function of many variables such as flight conditions, navigation mode, effect on flight controls and instruments, etc. In this report a conservative approach is taken by assuming that all failures are potentially catastrophic if they are not detected.

The failure indicator must be designed so that the probability of its failing to respond is very small, and the safety problem reduces to

    PCF ≈ PUF

where (PDF · PIF) << PUF. The probability of a potentially catastrophic condition (PCF) is then approximately equal to the probability of an undetected failure in the computer.

The system is as good as its failure detection capability. For a dual-channel comparison-monitored system, the failure detection is performed by the comparator. Therefore, the system is as safe as the comparator.

To assess the safety of a comparator requires a failure mode and effects analysis on all parts that can affect flight safety. For a comparator these include the comparator design and circuits plus trip levels and any common elements of the two systems to be compared. A detailed analysis need only be performed on these items to acquire a high confidence in the system safety. Parts counts are low, modes are straightforward, and common elements are easy to identify.

Fail-safe computer approach.- The basic dual-redundant self-check computer configuration (see below) investigated in this study can provide fail-operational/fail-safe capability to the extent that fail-safe operation can be mechanized into a single-channel computer.
[Diagram: multiple sensor inputs feed Computer A and Computer B; the two computers exchange a frame sync; each produces navigation unit outputs and its own failure indication.]

The reliability model for the "fail-safe" single computer is shown below.

[Diagram: a computer failure is detected by an indicator, which produces the failure indication.]

    PCF = (PDF · PIF) + PUF

where

    PCF = probability of a potentially catastrophic failure
    PDF = probability of a detected failure
    PIF = probability of an indicator failure
    PUF = probability of an undetected failure

For a high-reliability system, the failure indicator must be designed so that the probability of the failure indicator failing to respond is very small:

    PCF ≈ PUF

where (PDF · PIF) << PUF. The probability of a potentially catastrophic failure (PCF) is approximately equal to the probability of an undetected failure in the computer.
This simply shows that the system is as good as its failure detection capability. For a single-channel system, failure detection is predominantly self-test. Therefore, the system is as safe as its self-test, and significant engineering effort is required in the design of the self-test.

To determine the safety level of a flight system requires failure modes and effects analysis on all parts that can affect flight safety. For a single-channel computer dependent on self-test, these modes include the processor, memory, BIT circuits, I/O, etc. Once all modes are identified, they can be evaluated to determine if they will be detected. A detailed analysis on a major portion of the system is required to gain any confidence in the self-test system. In general, any failure mode that can be identified can be detected; but have all modes been defined? Parts counts are high, and it is especially difficult to identify all of the conditional failure modes. Latent failures are always a potential problem.

Reliability design acceptance criteria.- Figure 5 represents the universe of system probabilities, relative to operating status, that are used in this report.

The probability of a failure is the sum of the λt's of all the system parts, while the probability of a system with no failures is determined by subtracting the sum of the λt's from 1.

The probability of potentially catastrophic failures (PCF) and the probability of an inoperative system (PA) may be used as basic design acceptance criteria for redundant systems. The probability of an inoperative system includes the probability of a fail-safe system failure and the probability of a potentially catastrophic failure.

The probability of a fail-operative system can be determined by subtracting PA from the sum of the λt's for the system. The probability of a fail-safe system can be determined by subtracting PCF from PA.
Figure 5. - System probabilities. [Diagram. Unfailed condition: probability of no failures. Failed conditions: probability of a fail-operative system (failure detected and isolated), PFO; probability of a fail-safe system (failure detected, not isolated), PFS; probability of a potentially catastrophic failure (failure not detected), PCF. PA = probability of an inoperative system = probability of a fail-safe system + probability of a potentially catastrophic failure, i.e. PA = PFS + PCF and Σλt = PFO + PA. Image not reproduced.]
Tetrad Sensor/Dual-Computer Redundancy Management Concept

The tetrad sensor/dual-computer redundancy management concept investigated in this study is shown in Figure 6. In this concept, the tetrad sensor assemblies feed all sensor signals and sensor validity signals to both computers. Each computer then performs sensor monitoring and signal selection in the event of a failure. This sensor monitoring in the computer is performed so that even if the sensor self-test is inconclusive, the computers can detect a first sensor failure and disengage the system.

The selected sensor signals are used to perform the required navigation computations. The outputs of these computations are fed by I/O devices to the output and failure warning circuits. Sensors are tested by a combination of self-test and comparison monitoring by the dual computers. The comparison monitoring ensures fail-safe operation after a first failure. If the sensor self-test is conclusive and the failure can be isolated to a particular sensor, fail-operational performance is achieved using the remaining three sensors. For any subsequent failure, sensor self-test is necessary for safe disengagement (with three sensors left there is no longer a redundant measurement to vote against). The failure diagrams for the sensors are included in the following computer configuration discussions. The computer self-test also feeds these output and warning circuits.

If a failure is detected by the self-test, a failure will be indicated, and outputs may be inhibited. The basic concept may be used with or without signal comparison of the dual computers. The following subsection discusses the dual-computer configuration without output comparison.

Dual-channel computers without output comparison.- Figure 7 shows the failure diagram for a dual-channel computer configuration that relies completely on self-test for computer failure detection. This diagram illustrates the system status for various failure situations, including the fail-operate conditions, the fail-safe disengage conditions and the potentially catastrophic conditions.

Figure 6. - Tetrad sensor/dual-computer redundancy management concept. [Image not reproduced.]

Figure 7. - Dual-channel computer failure diagram. [Image not reproduced.]
The fail-operate points are shown by "FO" on Figure 7. These points are found after the first self-test-conclusive box and may be located by following a path (left to right) which includes a single failure and a self-test-conclusive box. An "FO" point means that the failure has been detected and isolated, thus permitting the system to remain operative. A warning light is activated in the cockpit indicating that a failure has occurred, but the system remains operative.

The fail-safe points are shown by "FS" on Figure 7 and mean that a failure has been detected but not isolated. These points are located after the self-test-conclusive box associated with the second failure. A warning light is activated in the cockpit indicating that a failure has occurred and that the system can no longer be relied upon and has been automatically disengaged or should be manually disengaged.

A potentially catastrophic failure point is shown on the right side of Figure 7; it may be reached by many paths originating from the point labeled "system operational." The dark line entitled "critical path" on Figure 7 is the dominant failure mode for the configuration where the system is mechanized with two computers which rely on individual self-test for computer failure detection. For this configuration, the PCF can be approximated by considering only the critical failure path through the computer because the probability of a failure in the other paths is several orders of magnitude smaller. Using the procedure in Appendix D and eliminating insignificant terms, the PCF equation from Figure 7 reduces to

    PCF = 2 · CF · Cc · t

where

    CF = computer failure rate/hour
    Cc = computer test deficiency
    t  = mission time in hours
This configuration has practical limitations because the computer self-test effectiveness completely dominates the PCF value. Figure 8 shows the overall computer self-test deficiency as a function of the required total failure probability per flight hour (a plot of the previously derived PCF equation for a given CF). If a PCF of less than 10^-6 per flight hour is required, the self-test effectiveness has to be better than 99.9%. (Conversely, the overall computer self-test deficiency has to be less than 0.001. With CF = 2.1 · 10^-4 failures/hr the equation itself permits a deficiency up to about 0.0024; the 0.001 figure leaves margin.) Self-test effectiveness approaching this level requires very extensive FMEA analysis.

The following failure rates have been estimated in order to show a calculation of PCF applicable to the critical path shown in Figure 7.

    Computer                                    Failure rate (%/1000 hr)
    1 processor at 2.7%/1000 hr                          2.7
    3 memory cards at 2.0%/1000 hr/card                  6.0
    12 computer cards at 1.0%/1000 hr/card              12.0
                                                        ----
    CF                                                  20.7  (≈ 2.1 · 10^-4 failures/hr)

    Computer test deficiency Cc = 0.05

    PCF/t = 2 · CF · Cc failures/hr
          = 2 · 2.1 · 10^-4 · 0.05
          = 2.1 · 10^-5

The probability of an inoperative system (PA) due to a computer or sensor failure can be determined from Figure 9 by summing the parallel paths leading to an inoperative system. This results in the following equation (using Appendix D):

    PA = [2 CF Cc + 2 CF² (1 − Cc) + 4 GF Gc + 12 GF² (1 − Gc) + 4 AF Ac + 12 AF² (1 − Ac)] t
Figure 8. - Effect of self-test on flight safety for a dual-computer configuration. [Plot of PCF = 2 · CF · Cc · t per flight hour against overall computer self-test effectiveness (100% down to 0%) and the corresponding deficiency Cc (0 to 1.0), for CF = 2.1 · 10^-4 failures/hr; the plane is divided into a "self-test effective" area, a "self-test not effective" area and a "system configuration inadequate" area. Image not reproduced.]
[Figure 9. - Inoperative system diagram: parallel paths from "system
operational" to "system inoperative" through (a) either computer fails (2 C_F),
then computer self-test inconclusive (C_c) or self-test conclusive followed by
second computer fails (C_F); (b) any gyro fails (4 G_F), then gyro self-test
inconclusive (G_c) or self-test conclusive followed by second gyro fails; (c)
any accelerometer fails (4 A_F), then accelerometer self-test inconclusive
(A_c) or self-test conclusive followed by second accelerometer fails; and (d)
other system failures. An asterisk indicates a failure rate is associated with
the box.]
The above equation can be simplified by eliminating all multiple identical
failures (i.e., two gyros, two accelerometers, two computers) because the
failure probability resulting from these paths is several orders of magnitude
smaller than the dominant paths. The equation reduces to

$$P_A = \left(2 C_F C_c + 4 G_F G_c + 4 A_F A_c\right) t$$

where
C_F = computer failure rate/hr
C_c = computer test deficiency
G_F = gyro failure rate/hr
G_c = gyro test deficiency
A_F = accelerometer failure rate/hr
A_c = accelerometer test deficiency
t = mission time in hours
Design failures versus random failures.- A distinction is made between
random failures and failures which occur due to design deficiencies in the
hardware or software that preclude satisfactory operation over the complete
operational envelope. The latter failures may appear as simultaneous failures
during actual operation and are not the type of failures given consideration in
this report.
Dual-channel computers with output comparison monitoring.- Figure 10
is the failure diagram for a dual-channel computer configuration where each
computer provides comparison monitoring of its outputs with the other com-
puter by the digital intercom bus. Detection of the first computer failure
approaches an effectiveness of 100%. Effectiveness of isolation of the first
computer failure is determined by the computer self-test effectiveness. A
sensor failure is detected by the computer by summing the sensor signals,
but actual isolation of the failure is dependent on the individual sensor self-
test. This diagram illustrates the system status for various failure
situations, including the fail-operate condition, the fail-safe disengage
conditions, and the potentially catastrophic conditions for the computer and
the sensors.
A potentially catastrophic failure has occurred when the system expe-
riences a failure but does not disengage or present a warning light in the
cockpit. This point is shown on the right side of Figure 10 and may be
reached by many paths originating from the point labeled "system opera-
tional." The dark lines entitled "critical paths" are the dominant failure
modes for this configuration. The comparison monitoring of the computers
effectively removes the possibility of not detecting the first computer failure,
such that the PCFs for the critical path are now determined largely by the
self-test capability of the computers and sensors.
The fail-operate points are shown by "FO" on Figure 10. These points
may be located by following a path (left to right) which includes a single failure
and a self-test-conclusive box. The "FO" points mean that the failure has
been detected by the computer and subsequently isolated by self-test, thus
permitting the system to remain operative. A warning light is activated in
the cockpit indicating a failure has occurred, but the system remains opera-
tive.
The fail-safe points are shown by an "FS" on Figure 10 and mean that a
failure has been detected but not isolated. A warning light is activated in the
cockpit indicating a failure has occurred and that the system can no longer be
relied upon and has been automatically disengaged or should be manually dis-
engaged. In the case of the box entitled "system warning/disengage fails,"
the first failure is indicated in the cockpit as "FS" if the failure cannot be
isolated.
For this configuration, the PCF can be approximated by considering only
the indicated critical paths because the probability of a potentially cata-
strophic failure in the other paths is at least an order of magnitude smaller.
The PCF equation using Appendix D and Figure 10 reduces to:
$$P_{CF} = \left(C_F^2 C_c + 6 G_F^2 G_c + 6 A_F^2 A_c\right) t^2$$

where
C_F = computer failure rate/hr
C_c = computer test deficiency
G_F = gyro failure rate/hr
G_c = gyro test deficiency
A_F = accelerometer failure rate/hr
A_c = accelerometer test deficiency
t = mission time in hours

This formula can either be used to find the expected PCF given the self-test
deficiency for the sensors and computer or to find the needed self-test for
any one function given all of the other numbers. Figure 11 is a plot of

$$\frac{P_{CF}}{t^2} = C_F^2 C_c + 6 G_F^2 G_c + 6 A_F^2 A_c$$

for the following set of conditions:
C_c = G_c = A_c (component self-test deficiencies are the same)
C_F = 2.1 × 10^-4 (failures/hour)
G_F = 0.5 × 10^-4 (failures/hour)
A_F = 0.4 × 10^-4 (failures/hour)
Adding the computer comparison monitoring to the first configuration
practically eliminates the probability of a catastrophic failure in the computer
because computer failures are readily detected. If the failure is not isolated,
a fail-safe configuration results.
[Figure 11. - Effect of self-test on flight safety for a dual-comparison
computer: plot of PCF/t² = C_F² C_c + 6 G_F² G_c + 6 A_F² A_c for
C_F = 2.1 × 10^-4, G_F = 0.5 × 10^-4 and A_F = 0.4 × 10^-4 failures/hr,
against overall self-test effectiveness (%) and overall self-test deficiency
(C_c = G_c = A_c), with regions marked "system configuration inadequate",
"effective tradeoff area" and "self-test not required".]
This configuration is preferred over the first system discussed (Figure 7)
because a decrease in PCF (increase in safety) of three orders of magnitude
is obtained by only slightly increasing overall complexity. A self-test effec-
tiveness of 75 to 95% will provide PCF/t² values in the 10^-7 to 10^-9 range,
which are typical of values required to meet safety requirements. These
self-test effectiveness values can be achieved without extensive failure mode
and effects analysis.

The probability of an inoperative system (PA) is the same as discussed
for the dual-channel computer configuration (except for the failure rates of
the computer comparison monitor circuitry, which are small).

The effectiveness of dual-channel computers with and without output
comparison monitoring is summarized in Table 1.
Effect of Self-Test on Fail-Operational Performance

The self-test capabilities of the sensors and computers directly deter-
mine the probability of an inoperative system (PA). Figure 12 shows the
relationship between self-test and an inoperative system and is based on the
failure rates shown. This figure and Figure 9 (inoperative system diagram)
apply to either the dual computer or dual computer with comparison moni-
toring configurations, and, as such, the fail-operational capability of both
systems is the same. The fail-operational requirements may impact the
self-test effectiveness as does the catastrophic failure requirement.
Self-test nomograph.- In the previous illustration a common self-test
deficiency was applied to the computer and sensors. In reality a tradeoff
exists between the self-test capability of each sensor set and the computers.
Figure 13 shows the self-test tradeoff for the complete system and is a
nomograph of the previously derived formula:

$$\frac{P_{CF}}{t^2} = C_F^2 C_c + 6 G_F^2 G_c + 6 A_F^2 A_c$$
[Figure 12. - Effect of self-test on fail-operational performance: plot of
PA (C_c = G_c = A_c), 10^-7 to 10^-5 per hour, against overall self-test
effectiveness (%) and overall self-test deficiency, for C_F = 2.1 × 10^-4,
G_F = 0.5 × 10^-4 and A_F = 0.4 × 10^-4 failures/hr, with regions marked
"system configuration inadequate" and "effective".]
[Figure 13. - Self-test tradeoff nomograph for dual computers with
comparison monitoring: computer self-test deficiency C_c (0 to 0.3) on the
vertical axis against a PCF/t² scale from 1 × 10^-11 to 1 × 10^-7, with
curves of constant PCF/t² (5 × 10^-9, 1 × 10^-8, 1.5 × 10^-8, 1 × 10^-7)
and the gyro and accelerometer deficiency curves used in the reading
procedure that follows.]
This chart can either be used to find the expected PCF given the self-test
deficiency for the sensors and computer, or to find the needed self-test for
any one function, given all other numbers. To find the expected PCF, draw
horizontal lines corresponding to the computer and gyro self-test deficiencies.
Then, draw a vertical line from the intersection of the gyro deficiency line and
the accelerometer deficiency curve. The point where the vertical line intersects
the computer deficiency horizontal line is the expected PCF/t². The value shown
on this curve is then multiplied by the square of the mission time to get the
expected probability of a potentially catastrophic failure.

An example of using the tradeoff figure to get an accelerometer self-test
requirement would be: Given a mission time of 5 hours (t² = 25) and given
PCF = 1.25 × 10^-7/flight, PCF/t² = 5 × 10^-9. Assuming computer self-test
deficiency = 0.05 and gyro self-test deficiency = 0.035, you need accelerometer
self-test effectiveness = 75% (0.25 self-test deficiency).
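The PCF and PA formulas of this section, and the nomograph reading just described, can be checked numerically. The Python below is an added illustration written for this page, not code from the report or from Honeywell; it uses the report's example failure rates, and the function names and the closed-form solve for the accelerometer deficiency (the nomograph read numerically instead of graphically) are this example's own assumptions.

```python
"""Redundancy-management arithmetic for the tetrad / dual-computer
configurations (added illustration; not code from the report).
Failure rates are the report's example values."""

# Example failure rates used throughout the report (failures per hour)
C_F = 2.1e-4   # computer: 1 processor + 3 memory cards + 12 cards = 20.7%/1000 hr
G_F = 0.5e-4   # laser gyro
A_F = 0.4e-4   # accelerometer


def pcf_dual_no_comparison(cc, t, cf=C_F):
    """Potentially catastrophic failure probability, dual computers WITHOUT
    output comparison: P_CF = 2 C_F C_c t (critical path only)."""
    return 2.0 * cf * cc * t


def pcf_per_t2_with_comparison(cc, gc, ac, cf=C_F, gf=G_F, af=A_F):
    """P_CF / t^2 for dual computers WITH output comparison monitoring:
    C_F^2 C_c + 6 G_F^2 G_c + 6 A_F^2 A_c.  The coefficients 1 and 6 equal
    the number of computer pairs (2 choose 2) and sensor pairs (4 choose 2)."""
    return cf ** 2 * cc + 6.0 * gf ** 2 * gc + 6.0 * af ** 2 * ac


def pcf_dual_with_comparison(cc, gc, ac, t, **rates):
    """P_CF for the comparison-monitoring configuration over a t-hour mission."""
    return pcf_per_t2_with_comparison(cc, gc, ac, **rates) * t ** 2


def pa_inoperative(cc, gc, ac, t, cf=C_F, gf=G_F, af=A_F):
    """Reduced probability of an inoperative system (Figure 9, dominant
    paths only): P_A = (2 C_F C_c + 4 G_F G_c + 4 A_F A_c) t."""
    return (2.0 * cf * cc + 4.0 * gf * gc + 4.0 * af * ac) * t


def required_accel_deficiency(pcf_budget, t, cc, gc, cf=C_F, gf=G_F, af=A_F):
    """Solve the comparison-monitoring P_CF equation for the accelerometer
    self-test deficiency A_c, given a per-flight P_CF budget, the mission
    time and the other two deficiencies (the nomograph example, numerically).
    Raises ValueError when the computer and gyro terms alone already exceed
    the budget, i.e. no accelerometer self-test can meet it."""
    remaining = pcf_budget / t ** 2 - cf ** 2 * cc - 6.0 * gf ** 2 * gc
    if remaining <= 0.0:
        raise ValueError("computer and gyro terms already exceed the P_CF budget")
    return remaining / (6.0 * af ** 2)


if __name__ == "__main__":
    # Worked numbers from the text: C_c = 0.05 and one flight hour
    print("no comparison, C_c=0.05, t=1 h:", pcf_dual_no_comparison(0.05, 1.0))
    print("with comparison, all 0.05, t=1 h:",
          pcf_dual_with_comparison(0.05, 0.05, 0.05, 1.0))
    print("P_A, all 0.05, t=1 h:", pa_inoperative(0.05, 0.05, 0.05, 1.0))
    # Nomograph example: 5 h mission, P_CF = 1.25e-7 per flight,
    # C_c = 0.05, G_c = 0.035 -> A_c of about 0.25 (75% effectiveness)
    print("required A_c:", required_accel_deficiency(1.25e-7, 5.0, 0.05, 0.035))
```

Running the script reproduces the 2.1 × 10^-5 per hour figure for the no-comparison configuration, shows the comparison-monitoring configuration several thousand times lower at the same 95% self-test, and returns an accelerometer deficiency of about 0.24, which the report rounds to 0.25 when read off the nomograph.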
SECTION 4
LASER GYRO FAILURE DETECTION
AND ISOLATION
The laser gyro, a recent development in optical technology, combines
the properties of the optical oscillator, the laser, and general relativity to
produce an integrating rate gyroscope. Remarkable features of the laser
gyro include the absence of a spinning mass, simplicity of construction, in-
herent digital output, and capability of wide dynamic range with high resolu-
tion and accuracy.

The laser gyro concept is based on the principle that the distance around
a closed optical path in a rotating frame of reference depends on the direc-
tion the path is traversed. For example, a beam of light traveling around a
path in the direction of rotation will have to travel further than one traveling
against the direction of rotation. This difference in path length is proportion-
al to the rate of rotation and can be used to measure angular motion. In
general, these path-length differences are exceedingly small and could not be
measured before the advent of the laser. For example, a triangular laser
gyro having a 50-cm path, rotating at 10 deg/hr, would produce a path length
difference of 10^-4 Angstroms.

The ring laser converts this path-length difference into a measurable
frequency difference because the frequency of laser oscillation depends
directly on the distance around the resonator. A 50-cm ring laser oscillating
at 5 × 10^14 Hz would give a measurable 10-Hz frequency difference for an in-
put of 10 deg/hr. The light leaking through one of the laser mirrors is used
for obtaining the rotation information. The counter-traveling laser beams
are combined by a simple optical system into an interference fringe pattern.
The motion of this fringe pattern gives information on both magnitude and
direction of rotation.
Honeywell has emphasized laser gyro design factors that minimize any
disturbance in the measurement of these small path differences. This has
led to the use of ultra-low-expansion CerVit glass ceramic to form the stable
ring laser structure that establishes the basic path length. This material
has a very low temperature coefficient of expansion and is compatible with
the hard-vacuum technology required to generate the laser light source.
CerVit is also characterized by low helium diffusion, which is required for a
long-life, stable laser.

There is a lock-in phenomenon associated with the two counter-traveling
laser beams. When the frequency difference between the two oscillators be-
comes low, on the order of 1000 Hz, the two oscillators are "pulled" in fre-
quency towards each other. This pulling is caused by coupling which occurs
at the mirrors and is a function of backscattering of light. An oscillating
mechanical dither technique is used to substantially reduce the amount of
time the gyro is in the lock-in region, thereby reducing the lock-in error.

The GG1300 laser gyro is shown in Figure 14. The required electronics
are mounted inside of the gyro case where they are protected from the en-
vironment. The CerVit block is shown attached to the center post by clamp-
ing springs used for oscillating mechanical dither lock-in compensation.

The laser gyro has been divided into six functional areas for a reliability
analysis. These areas are shown in the functional block diagram of Figure
15 and are:

• Readout assembly
• Block assembly
• Current control
• Case assembly
• Dither assembly
• Path length
[Figure 14. - GG1300 laser gyro (photograph)]

[Figure 15. - Laser gyro reliability functional block diagram: the laser gyro
broken into the laser case assembly and the readout, block, current control,
dither and path length functional areas]
Readout Control Circuitry

Description. - The laser gyro has two laser beams, one propagating
clockwise around the cavity and the other propagating counter-clockwise.
The two beams are optically combined outside the cavity into a fringe pattern.
The motion of the fringe pattern is detected by a dual photodetector, ampli-
fied and converted into a pulse rate. A logic circuit separates the gyro out-
put pulses into two groups, one group proportional to clockwise rotation of
the laser gyro and the other proportional to counter-clockwise rotation. This
raw output is then buffered by line drivers. The block diagram of the readout
circuitry is shown in Figure 16.
[Figure 16. - Gyro readout circuit: the two laser beams fall on a dual photo-
sensor; the channel A and channel B detector outputs pass through differential
amplifiers (channel A sine, channel B sine) and voltage comparators to the
logic and pulse converter (points A and B), whose CW pulse and CCW pulse
outputs are buffered by line drivers.]
Analysis of the readout circuit reveals the following:

• The sum of the gyro CW and CCW counts is equal to or less
  than the counts measured at either of the photosensor channel
  outputs which feed the logic (points A and B on the logic block).

• The counts measured at A may or may not equal the counts
  measured at B.

The function of the logic and pulse converter is best understood by use of
a four-quadrant state diagram (Figure 17).

Figure 17. - State diagram

A CW pulse is generated any time the (0, 1), (1, 1) and (1, 0) states occur
sequentially. A CCW pulse is generated any time the (1, 0), (1, 1) and (0, 1)
states occur sequentially. This latching arrangement reduces the generation
of unnecessary CW and CCW counts due to small oscillations about the input
axis. The states refer to the signal levels coming to the logic and pulse con-
verter (Figure 16) and are generated in accordance with the following dia-
gram.
[Timing diagram: the A and B signal levels step through the states (0,0),
(0,1), (1,1), (1,0), (0,0), with the resulting CW pulses and CCW pulses shown
beneath the level traces.]
Reliability. - Table 2 summarizes the work done in each functional area
to determine its applicable failure rate. This failure rate is determined by
summing the individual component failure rates. Failure rates are generally
expressed in percent per 1000 hours, where 100% per 1000 hours equals one
failure per 1000 hours.

Table 2 shows the elements included in the determination of the failure
rate (0.598%/1000 hrs) for the readout circuitry, or twice that for a redundant
readout circuit (1.196%/1000 hrs).

Failure Detection. - The gyro output (clockwise pulses and counter-
clockwise pulses) may be partially validated by external checks performed by
the computer. The output is a function of input rate, and without knowledge of
the input rate the output cannot be checked for accuracy, as it may vary up to
plus or minus several hundred thousand pulses per second. However, there
is a phenomenon around zero input rate caused by dither spillover, which is a
function of the misalignment between the mechanically dithered quartz block
and the pickoff. The physical motion produced by the mechanical dither
motion is a few thousandths of an inch and is not apparent to a human observer.
This dither angle must be removed from the readout as it can produce uncer-
tainties in the output angle, limit the time between accurate measurements,
or cause computer errors to be introduced.

The dither angle is removed from the gyro output by design of the gyro
readout optics, which removes this dither angle, instant by instant, from the
gyro output.
TABLE 2. - COMPONENT FAILURE ANALYSIS

[The component rows (capacitors, resistors, diodes, transistors, integrated
circuits, photo detector, CerVit block and mirrors, cathode life) are not
legible in this copy. Totals per functional area, in %/1000 hours:]

Case assembly                 0.0756
Laser block assembly          2.454   (includes 2.0 for cathode life)
Readout circuitry             0.598   (1.196 for redundant readout)
Dither                        0.2300
Path length control           0.6045
Current control               0.3345

Failure rates are in percent per 1000 hours, where one failure equals
100% per 1000 hours.
Laser Block Assembly

Description. - The structure and function of the Honeywell GG1300 laser
gyro block assembly is set forth in the following paragraphs.

The two main elements of the ring laser are the resonator and the ampli-
fier. In the solid-block design, the resonator contains only two elements,
the mirrors and the aperture. The ring laser cavity is generated by a set of
three mirrors placed to form a closed optical path that is an equilateral tri-
angle. All three mirrors have the same reflectivity. In this approach the
ring laser geometry is precisely defined by the solid block.
The gyro readout is shown in Figure 16. The readout corner cube is
placed so that the CW beam is superimposed on the CCW beam at an angle
controlled by the wedge angle of the readout mirror. This creates the fringe
pattern shown and permits up-down counting of the output phase difference of
the two oscillators.

The readout corner cube prism which translates and returns the laser
output is fixed to the gyro base. The gyro readout mirror therefore moves
with respect to this prism. The path length in the readout system is in-
creased and decreased as the two elements move with respect to each other.
By dithering the gyro about a point slightly removed from the center of the
gyro, this path difference in the readout is made equal and opposite to the
fringe motion created by the gyro oscillator phase changes. The cancellation
is instant by instant, with the readout detectors thus "seeing" a fringe motion
equal to the base motion of the gyro with a small residual dither amplitude.
The residual dither motion (uncompensated dither) is defined as dither spill-
over.

Figure 18 is an input/output curve which illustrates the effect of dither
spillover on pulse count. Dither spillover is normally adjusted to be below
±1.0 count per cycle. For this scheme it would be adjusted between 0.5
counts/cycle and 1.0 counts/cycle. For a positive input rate near zero, the
CW pulses do not vary as a function of input rate, but remain constant, while
the actual input rate is determined by subtracting the CCW pulses from the
CW pulses for a given time period [Σ (P_CW − P_CCW)]. The same is true
for the CCW pulses and a negative input rate. This phenomenon is very use-
ful in detecting failures, inasmuch as zero pulses during a given time period
does not mean zero rate but a failure (Figure 19).

Appendix C contains descriptions of various readout configurations, of
which two provide redundant readout circuitry. For these configurations, the
computer can compare the multiple readouts to ensure the circuitry is work-
ing correctly.
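The latching logic of Figure 17, together with the two external checks the computer can apply (the count inequality from the readout analysis above and the dither-spillover test: no pulses in a window is a failure, not zero rate), can be modelled directly. The Python below is an added example for this page, not the report's circuit or Honeywell code. The (A, B) logic-level encoding of the two comparator outputs, the assumed order of the quadrature cycle, the use of level transitions as the "counts at A and B", and the sample signals are constructed assumptions of this example.

```python
"""Model of the readout logic and of the external checks on a gyro's pulse
streams (added illustration; not the report's circuit).  Constructed
assumptions: comparator outputs are sampled as (A, B) logic levels, the
fringe cycle runs (0,0)->(0,1)->(1,1)->(1,0) in the CW direction, and the
'counts at A and B' are the level transitions on each channel."""

# Latching sequences from the four-quadrant state diagram (Figure 17):
# three successive distinct (A, B) states produce one output pulse.
CW_SEQ = ((0, 1), (1, 1), (1, 0))
CCW_SEQ = ((1, 0), (1, 1), (0, 1))

# Assumed quadrature cycle of the fringe pattern in the CW direction.
CYCLE = ((0, 0), (0, 1), (1, 1), (1, 0))


def decode_readout(samples):
    """Run the logic-and-pulse-converter over sampled (A, B) levels.
    Returns (cw_pulses, ccw_pulses, transitions_at_A, transitions_at_B)."""
    cw = ccw = ta = tb = 0
    history = []               # last three distinct states seen by the logic
    prev = None
    for a, b in samples:
        state = (a, b)
        if prev is None:
            history = [state]
        elif state != prev:
            ta += int(a != prev[0])
            tb += int(b != prev[1])
            history = (history + [state])[-3:]
            if tuple(history) == CW_SEQ:
                cw += 1
            elif tuple(history) == CCW_SEQ:
                ccw += 1
        prev = state
    return cw, ccw, ta, tb


def quadrature(steps, start=0):
    """Constructed fringe motion: each step is +1 (one quarter fringe CW) or
    -1 (CCW); returns the sampled (A, B) levels, starting in CYCLE[start]."""
    idx = start
    out = [CYCLE[idx]]
    for s in steps:
        idx = (idx + s) % 4
        out.append(CYCLE[idx])
    return out


def dither_cycles(n, amplitude=4):
    """Constructed dither: n cycles of `amplitude` quarter-steps forward then
    back; amplitude 4 is one full fringe, i.e. 1.0 count/cycle spillover."""
    return ([+1] * amplitude + [-1] * amplitude) * n


def net_rate(cw, ccw, period_s):
    """Input rate from one counting window: sum(P_CW - P_CCW) / period."""
    return (cw - ccw) / period_s


def check_readout(cw, ccw, ta, tb):
    """External validity checks on one counting window, as stated in the text:
    1. CW + CCW pulses can never exceed the counts seen at A or at B;
    2. with dither spillover set to 0.5..1.0 count/cycle, a window with no
       pulses at all is a readout failure, not a zero input rate."""
    faults = []
    if cw + ccw > min(ta, tb):
        faults.append("pulse total exceeds channel counts: logic fault")
    if cw == 0 and ccw == 0:
        faults.append("no CW or CCW pulses: readout failure, not zero rate")
    return faults


if __name__ == "__main__":
    # Zero input rate with dither: both streams pulse, net is zero
    print(decode_readout(quadrature(dither_cycles(5))))          # (5, 5, 20, 20)
    # +3 fringes of rotation on top of the dither: net rate +3 per window
    cw, ccw, ta, tb = decode_readout(quadrature(dither_cycles(5) + [+1] * 12))
    print(net_rate(cw, ccw, 1.0), check_readout(cw, ccw, ta, tb))  # 3.0 []
    # Channel B stuck low: A still toggles, no pulses -> flagged as failure
    stuck = [(i % 2, 0) for i in range(20)]
    print(check_readout(*decode_readout(stuck)))
```

Two points worth noting from running it: a one-quarter-step oscillation about a single edge (`dither_cycles(10, amplitude=1)`) produces no pulses at all, which is the latching behaviour the text describes, and a stuck channel is caught only by the second check, because a dead logic block produces a pulse total of zero that trivially satisfies the count inequality.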
[Figure 18. - Input/output curve (+ count spillover): CW pulses/second and
CCW pulses/second versus input rate, with the net pulses (CW − CCW) giving
the input rate.]

[Figure 19. - Pulses/time versus input rate: the sum of CW and CCW pulses
does not go to zero at zero rate.]
Appropriately drilled holes permit passage of the oppositely-directed
traveling waves. These holes serve as apertures and, when filled with a low
pressure of helium and neon, as gain tubes. A single large cathode and two
anodes establish the split balanced d-c discharge. This permits precision
gain control and trimming of null offsets.

The optical path length is precisely controlled to an integral multiple of
the lasing wavelength by a piezoelectrically driven transducer mirror. Con-
trol is maintained to the peak laser power for optimum performance and
temperature capability.

The light leakage through the multilayer dielectric flat mirror is used for
obtaining the rotation signal. The two beams are folded together by a simple
optical system to form an interference pattern on a dual photosensor. The
cube corner is mounted to the base, producing a signal that exactly counter-
acts the gyro-created dither signal. The net readout is therefore the true
rotation of the gyro in inertial space.

Gyro dither is obtained from a very simple piezoelectric motor. PZT
elements are bonded onto both sides of the reeds of the dither spring which
supports the block. Acting push-pull, the PZT elements create bending
moments in the reeds and create an oscillating input (dither) to the ring laser.

Reliability. - Table 2 shows the elements included in the determination of
the failure rate (2.454%/1000 hrs) for the block assembly. This includes a
2%/1000 hours failure rate for the cathode life. The wearout mechanism
that limits lifetime in the laser gyro is the gas pumping action of the cathode.
To sustain the laser gas discharge, positive ions collide to provide electron
emission. Some ions are trapped during this process, and other gas atoms
are buried by the sputtered cathode material. Thus, when the discharge is
run, a small amount of helium and neon is pumped by the cathode. Over a
period of time this results in reduced gas pressure and eventual gyro failure.
Based on accelerated life-test results, the estimate for the wearout life due to
cathode pumping is 50,000 hours.*
An approximate equivalent MTBF for gyros having both a random and a
wearout (normal) failure distribution can be computed using the following
equation:

$$(\mathrm{MTBF})_{\text{equivalent}} = \frac{1}{h}\left(1 - e^{-hT}\right)$$

where
h = random failure rate
T = mean in hours of wearout distribution

Using 2.99% per 1000 hours (random) from Table 2 and 50,000 hours
(mean life) for the laser gyro yields an MTBF of 25,900 hours. A 20,000
hour MTBF is indicated by Table 2 if no distinction is made between random
and wearout failures. The more conservative of the two estimates is used in
the report.
Failure detection. - The integrity of the laser block assembly can best
be monitored by analyzing the channel A sine and channel B sine signals
(Figure 16). The presence of a sinewave signal on both channels indicates
that an interference pattern is being generated internally in the block and is
being sensed by the photosensors. The contrast or amplitude of the signal
will decrease if the gas in the block becomes contaminated or there is a leak.
A faulty pickoff, in terms of an alignment shift or mirror deterioration,
would also reduce the amount of signal. When the amplitude of the signal
drops below a predetermined level, a failure is imminent.

*The wearout due to cathode pumping was reported as 30,000 hours in CR-
137585 ("Strapdown Cost Trend Study and Forecast"). This figure has
now been revised to 50,000 hours based on ongoing tests.
The present channel A sine and channel B sine signals are brought out
with an RC circuit which is valid for monitoring to about 10 kHz, beyond
which the output drops off. Isolation amplifiers and level detectors would be
substituted for the RC networks to prevent high-frequency rolloff and provide
fault detection over the complete operating range.
Current Control Circuitry

Description. - The laser gyro discharge is initiated by applying a high-
voltage d-c potential between the anode and cathode. This voltage, typically
twice the operating potential required to sustain the discharge, is sufficient
to cause ionization discharge within several milliseconds after the circuit is
energized. After discharge is initiated, it is immediately regulated by the
current control circuits.

Discharge current control is required to stabilize gain and to balance
the two discharge current paths. Variations in total current cause gain
changes and result in a small scale-factor variation; variation in the current
balance results in a null shift in the gyro output.

Figure 20 shows the design of the discharge current control. Laser
gyro configurations have one cathode and two anodes so that there are two
distinct current paths in the gyro discharge.

Differential discharge current control is accomplished by a FET control
element in each current path. The total current (I1 + I2) flows through the
bridge which measures the differential current (I1 − I2). The current unbal-
ance (I1 − I2) is sensed by a differential amplifier. The output signal of the
amplifier drives the FET transistors, maintaining a given current balance
in the presence of disturbances.
[Figure 20. - Discharge control circuit: the discharge power supply feeds
the total current (I1 + I2) through a total current monitor point and total
current control into the bridge; differential control drives the I1 and I2
control transistors in the two anode paths of the laser gyro (single cathode),
with discharge A and discharge B monitor points on the two paths.]
Reliability. - Table 2 shows the elements included in the determination
of the failure rate (0.3345%/1000 hours) for the current control circuitry.

Failure detection. - Total current (discharge current) is monitored to
determine that the operating point of the laser gyro has not shifted. A shift
in operating point is indicative of a change in the gyro bias. Currents
I1 and I2 are monitored to make sure the control loops are working and not
driven into saturation.
Case Assembly

Description. - The case assembly is sealed to protect the laser block
and electronics from environmental contaminants (dirt, salt, moisture, etc.)
and to provide an internal gas pressure which does not vary with altitude,
thus minimizing high-voltage arcing problems.

The center post of the case assembly must support and maintain the
alignment of the laser block relative to the case mounting surfaces.

Reliability. - Table 2 shows the elements included in the determination
of the failure rate (0.0756%/1000 hr) for the case assembly.

Failure detection. - The most probable failure modes of the case involve
failures associated with the case seal and the connector. These failures sub-
sequently produce failures in the gyro electronics, and a case seal failure or
a connector failure is detected when the electronics failure is signaled. The
high-voltage circuitry is the most sensitive to its environment, and a case
seal failure would probably affect this circuitry first. The self-test capabili-
ty of the case is equated to the self-test capability of the high-voltage current
control circuitry. Table 3 shows the monitors relative to the gyro para-
meters. A case seal failure would eventually manifest itself in a failure of
I_T, I1, or I2, which are monitored.
TABLE 3. - MONITORS VERSUS PARAMETERS MONITORED

Monitor                                   Gyro parameter monitored

Laser block assembly monitor
  Channel A sine                          Presence of laser fringe pattern
  Channel B sine                          Contrast of laser fringe pattern
                                          Determines pickoff integrity

Readout assembly monitor
  External gyro output analysis           Checks readout circuitry
                                          Determines presence of dither
                                          spillover (rates below 360°/hr)

Dither monitor                            Determines that dither loop is working

Path-length monitor                       Determines laser path is an integral
                                          number of λ's (beat frequency)

Laser case assembly and
current control monitor
  I_T value                               Confirms proper lasing operating point
  I1, I2 values                           Confirm that current control loop is
                                          working satisfactorily
Path-Length Control Circuitry

Description. - Length control of the laser cavity is necessary in inertial-
grade gyros principally because of thermal effects that cause the laser cavity
to change length when wide thermal environments are encountered. Also, the
initial set point must be controlled. Uncontrolled changes in length cause
changes in scale factor and null, reducing the ultimate accuracy.

Length control is accomplished by a control circuit operating on the in-
tensity of the laser beam. The variation of the laser output intensity with
cavity length is characterized by a maximum near doppler center and a de-
crease in intensity on either side (see Figure 21). This pattern repeats as
modes are scanned (frequency tuned) by a variation of cavity length.

[Figure 21. - Single-beam intensity versus cavity length: intensity maximum
at cavity length L, decreasing on either side of L.]

Stabilization of cavity length requires generation of a length reference
point and a measure of the deviation from this point. The maximum of the
laser intensity curve is used as a length control reference.

Deviations from this maximum are measured by a small modulation or
dither of cavity length. The small modulation of length produces a small
intensity modulation which bears a fixed-phase relationship with respect to
the applied dither signal. In addition, this phase relationship changes by
i
t
!
t
f
+
180 degrees in going from one side of the intensity maximum to the other.
As a consequence, a discriminant is generated for use in closed-loop control
to stabilize the cavity length.
Figure 22 illustrates the design of the length control.

[Figure 22: block diagram with the blocks Laser gyro beam -> Photosensor ->
Amplifier -> Demodulator -> High-voltage driver -> Piezoelectric transducer
and mirror; the Oscillator feeds both the transducer dither and the
demodulator reference; the Path-length monitor observes the driver output]

Figure 22. - Length control
The cavity length is controlled by a piezoelectric transducer which
displaces one of the laser gyro mirrors. The length dither has an amplitude
equal to a small percent of the mode spacing. It is generated by the oscillator
and applied to the mirror through the piezoelectric transducer. The amplified
photosensor signal, derived from the variation in intensity of the laser
beam, is applied to a phase-sensitive demodulator which receives its reference
input from the oscillator. The resulting d-c signal is proportional to
the deviation from intensity maximum and has a polarity which depends on
which side of the maximum the operating point is located. This d-c signal is
used as an input for a high-voltage driver which applies d-c voltage to the
piezoelectric transducer. In closed-loop operation, the length control
operates as a null-seeking system to stabilize cavity length at the intensity
maximum. In the presence of cavity length disturbances, the d-c voltage
applied to the piezoelectric transducer changes to keep the cavity length
constant.
Reliability. - Table 2 shows the elements included in the determination
of the failure rate (0.6045%/1000 hours) for the path length control.

Failure detection. - Figure 22 shows the monitor for the path length
control. The path length servo loop is considered to be working if the path
length monitor voltage does not go above 5 volts (10 volts is saturation). A
level detector is adequate for this monitor.
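The following program is an added illustration, not part of the original report, of the path-length control loop just described: it shows how demodulating the dithered intensity with the oscillator reference yields a d-c discriminant whose sign reverses across the intensity maximum, how a null-seeking loop integrates that discriminant into the piezoelectric drive, and how the 5 V level detector flags a loop that has been pushed toward driver saturation. The intensity curve, the 1 percent dither amplitude, the peak width, the 500 V per length unit driver scale and the loop gain are all assumed values chosen for the demonstration.

```python
import math

# Constructed model (not from the report) of the length control of Figure 22.
MODE_SPACING = 1.0            # one longitudinal mode = 1.0 normalized length unit
DITHER_AMPLITUDE = 0.01       # dither is a small percent of the mode spacing
PEAK_WIDTH = 0.15             # half-width of the intensity peak (assumed)
SAMPLES_PER_DITHER_CYCLE = 64
VOLTS_PER_UNIT = 500.0        # assumed: 10 V of drive moves the mirror 0.02 units
DRIVER_SATURATION_VOLTS = 10.0
MONITOR_TRIP_VOLTS = 5.0      # report: servo is considered working below 5 V


def intensity(cavity_length, l0=0.0):
    """Single-beam intensity versus cavity length (Figure 21): a peak at the
    doppler center l0 that repeats every mode spacing."""
    x = (cavity_length - l0 + MODE_SPACING / 2) % MODE_SPACING - MODE_SPACING / 2
    return 1.0 / (1.0 + (x / PEAK_WIDTH) ** 2)


def discriminant(operating_point, l0=0.0):
    """Phase-sensitive demodulation of the intensity ripple produced by dithering
    the cavity length. The d-c result is proportional to the slope of the
    intensity curve at the operating point: positive below the maximum, negative
    above it (the 180-degree phase reversal), zero at the maximum."""
    acc = 0.0
    for k in range(SAMPLES_PER_DITHER_CYCLE):
        ref = math.sin(2 * math.pi * k / SAMPLES_PER_DITHER_CYCLE)   # oscillator
        acc += intensity(operating_point + DITHER_AMPLITUDE * ref, l0) * ref
    return 2.0 * acc / SAMPLES_PER_DITHER_CYCLE   # d-c component after filtering


def run_length_control(disturbance, l0=0.0, gain=1.0, cycles=200):
    """Null-seeking loop: the demodulated error is integrated into the piezo
    drive, which moves one mirror to cancel `disturbance` (a constructed thermal
    length change). The driver saturates at +/-10 V.
    Returns (residual length error, drive voltage)."""
    max_travel = DRIVER_SATURATION_VOLTS / VOLTS_PER_UNIT
    mirror_shift = 0.0
    for _ in range(cycles):
        error = discriminant(l0 + disturbance + mirror_shift, l0)
        mirror_shift = max(-max_travel, min(max_travel, mirror_shift + gain * error))
    residual = disturbance + mirror_shift
    return residual, mirror_shift * VOLTS_PER_UNIT


def path_length_monitor_ok(drive_voltage):
    """Level detector of Figure 22: the loop is judged working while the drive
    voltage magnitude stays below 5 V (10 V is saturation)."""
    return min(abs(drive_voltage), DRIVER_SATURATION_VOLTS) < MONITOR_TRIP_VOLTS


if __name__ == "__main__":
    for d in (0.005, 0.015, 0.03):
        residual, volts = run_length_control(d)
        state = "OK" if path_length_monitor_ok(volts) else "FAIL"
        print(f"disturbance {d:.3f}: residual {residual:+.2e}, "
              f"drive {volts:+.1f} V, monitor {state}")
```

With the assumed scale, a 0.005 unit disturbance is nulled at 2.5 V and passes the monitor; a 0.015 unit disturbance is still nulled but needs 7.5 V, so the level detector reports a failing servo before the driver actually saturates; a 0.03 unit disturbance saturates the driver at 10 V and leaves a residual length error, which is the condition the monitor exists to catch.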
Dither Control Circuitry

Description. - To improve the performance of the laser gyro, a mechanical
rotational bias is introduced so that the gyro operates outside the lock-in
region. The bias technique consists of physically oscillating (dithering)
the laser gyro about its input axis. The amplitude of this oscillation or dither
is typically 200 to 400 arcseconds. The frequency is approximately 200 to
400 Hz.

The operation of the bias system is shown in Figures 23 and 24. The
laser gyro, constructed as a solid quartz block, is suspended from the case
by a set of cruciform springs.

A d-c torquer is attached to the suspension mechanism and the case, and
provides the driving force for generating the sinusoidal bias. The inertia of
the quartz block, together with the spring constant of the suspension,
constitutes a mechanically resonant system.

The dither drive electronics have the function of dithering the gyro and
controlling the average amplitude of this drive.
[Figure 23: block diagram with the blocks Drive electronics -> Torquer ->
Suspension -> Laser gyro, and a Dither sensor feeding back to the drive
electronics]

Figure 23. - Dither drive

[Figure 24: block diagram with the blocks Dither sensor -> Pre-amp ->
Clipper -> Filter -> Torquer, a Random signal input, a Feed forward path,
and the Dither monitor]

Figure 24. - Dither electronics
Reliability. - Table 2 shows the elements included in the determination
of the failure rate (0.33%/1000 hr) for the dither control circuitry.

Failure detection. - Figure 24 shows the placement of the dither monitor
which senses the presence of the a-c dither signal. The circuit is not working
if the signal goes to zero or to a steady-state d-c level.
Gyro Failure Detection

The laser gyro design (supplemented with a redundant readout) lends itself
quite readily to built-in-testing monitors. Table 3 summarizes the
monitors along with the specific gyro parameters that are monitored. These
parameters and monitors have been discussed previously.

Table 4 summarizes the self-test capability of the gyro (in this instance,
self-test also includes a computer test of the redundant readout). The monitor
description, calculated failure rate, and estimated effectiveness are
shown for each of the gyro elements. The gyro test effectiveness values are
estimates based on similar self-monitoring techniques and circuitry from 7X7
and JA 37 digital autopilot programs. The specific self-test effectiveness
numbers must be determined from a FMEA on the specific mechanization.
(Typically a monitor has a single thread failure mode which precludes 100%
effectiveness.)

Monitor effectiveness is approximately 95% for monitors which are activated
when a given signal deviates from a nominal by a specified percentage.
Examples are the monitors which monitor the laser block assembly, laser
case assembly and the current control. Monitor effectiveness is increased
to approximately 99% where a signal is driven to a maximum because a control
loop is no longer controlling.

If the readout assembly is a redundant function, it can be checked externally
by the computer. The effectiveness of this check approaches 100%.
TABLE 4. - GYRO SELF-TEST SUMMARY

                                           Estimated           Calculated
Gyro                 Monitor               monitor             failure rate,
element              description           effectiveness, %    %/1000 hrs

Laser block          Sine wave                95.0               2.454
assembly             amplitude detector

Redundant            Computer                 99.9               1.196
readout assembly     test

Laser case           Current control          95.0                .076
assembly             monitors case
                     integrity

Current              Voltage level            95.0                .335
control              detector

Path-length          d-c max amplitude        99.0                .605
control              detector

Dither               a-c max amplitude        99.0                .330
control              detector
Figure 25 shows the gyro failure model diagram. The validity monitors
shown must be designed so that the probability of their failing is very much
less than the probability of the self-test being inconclusive.

The laser gyro technology is new, and, as such, there is an incomplete
knowledge of all the possible failure modes. Undoubtedly variations in the
design of the monitors will be required as further work is accomplished and
as more information becomes available.

The undetected gyro failure rate is the sum of the individual gyro assembly
failure rates times their respective monitors' self-test inconclusive factor.
In this manner, the total effectiveness of the gyro self-test is calculated
at 96.5%.
SECTION 5
SINGLE-CHANNEL COMPUTER FAILURE DETECTION
AND ISOLATION

One of the basic mechanisms that makes strapdown inertial systems
attractive is the ability to utilize the strapdown computer to time-share
a number of different operations during a given computation cycle. This
property also provides the system with a method to perform self-monitoring,
since a portion of each computational cycle can be dedicated to verifying
the proper operation of the system while the remaining portion of the cycle
is used to perform the normal functional computations. Self-monitoring is
performed to some degree on most digital systems to aid in fault isolation
for maintenance. In this application, in-line monitoring or self-test is a
key element in meeting reliability requirements.

To provide a high degree of fault detection and isolation (i.e., approaching
99 percent) with a self-monitored system, a concept using "selective
redundancy" may be necessary. That is, any critical portions of the system
that cannot continuously be self-tested must be redundantly mechanized and
monitored. Continuous self-testing in a digital system implies periodic
self-testing at a frequency sufficient to prevent a catastrophic system failure
from occurring between tests. In the case of the flight control signals, a
failure must be detected within milliseconds.

This section does not address the determination of criticality of functions
or any tradeoffs involving alternate redundant configurations, but does assume
critical functions will be redundant where necessary. For example, if a
transmission line to another device is critical, sufficient parity/format
checks will be incorporated or a dual line provided that can be comparison
monitored upon receipt by the device. This section primarily discusses
in-line or self-monitoring techniques generally applicable to each channel of
the dual-computer configurations. A qualitative evaluation of the self-test
effectiveness is also provided so that the general feasibility of the approach
can be evaluated against given system requirements.
Computer Definition

The tetrad computer consists of the following major functional elements:
digital processor (CPU), memory, fault detection/reaction logic, input/
output (I/O) control logic, and I/O functions. For this study, a Honeywell
HDC-301-type general-purpose medium-speed digital processor is assumed.
The CPU not only performs the necessary signal processing calculations
but also controls all input/output via the I/O control logic. The intelligence
necessary to direct the CPU is provided by the memory. The fault detection/
reaction logic provides the fault reaction signal if a failure is detected and
also acts as a detecting element for computer hardcore failures. Hardcore
failures are those failures in the CPU, memory and I/O control that may
prevent the failed computer from detecting its own failure.

The I/O control logic receives address and timing commands from the
CPU, processes these commands through decoders, and provides output
commands. These commands select the proper input or output signal to
be processed and perform the multiplex switching and control for these
signals. I/O functions contain the circuits to provide conversion of d-c,
a-c, discrete and digital inputs and outputs. Figure 26 shows the general
computer mechanization to be considered. Included in this diagram are
the built-in test wrap-around signals that may be necessary for self-test.
Computer Failure Definitions

In the following discussion, six functional failure modes for the tetrad
computer are defined. The major contributors to each mode are presented
with a brief description of their impact on the failure mode. The six
functional failure modes are: computer hardcore failures, memory failures,
fault detection/reaction failures, CPU operational failures, multiplexed I/O
failures and dedicated I/O failures.

Computer hardcore failures. - Computer hardcore failures are defined
as those failures that will prevent the CPU and associated I/O from detecting
its own failure and taking corrective action. Among these failures are those
modes that result in a dead or inoperative/erratic computer. The major
contributors to this failure mode are portions of the power supply, memory,
I/O control and CPU.

An obvious contributor to computer hardcore failures is total loss of
power. With no power, the CPU is incapable of performing any self-test.
Less massive power losses can also cause hardcore failures such as partial
loss of power to the CPU, I/O control, or fault reaction logic. These failures
can cause the CPU to stop or render it incapable of communicating with its
I/O. Massive memory failures will also prevent the CPU from performing
useful self-test or taking corrective action. Among these failures are: dead
memory, dead memory buffer control to the CPU, loss of addressing lines
that prevent access to large blocks of memory, and inoperative instruction
lines to the CPU which scramble the CPU instructions. Many failures in the
I/O control logic will prevent the CPU from reacting to known failures. Among
these are any failure that prevents the CPU from communicating with the
fault reaction logic.

Some CPU failures will also cause hardcore failures. Among these are
the functions involving the program counter, addressing control and operation
code decoding. Failures in the program counter functions of the CPU will
prevent it from performing proper instruction-fetch sequences and will
result in erratic CPU operation. Failures in the addressing control functions
will prevent the CPU from properly performing jump and branch instructions,
and failures in the operation code decoding prevent the CPU from properly
interpreting the instructions from memory, and, again, erratic operation
will result.
Memory failures. - Memory failure modes other than the massive types
described above are dependent on the type of memory and mechanization.
The following general failure modes apply to most memory types: address
control line failures, byte failures, bit failures. Address control line failures
are those failures that either prevent access to a block of words or cause
multiple access (more than one word in one fetch) to a block of words. These
failures will result in a scrambled portion of data or instruction memory.
The size of the failed blocks is dependent on memory mechanization but is
typically 32 words or more. Byte failures are those failures that result in
failures in portions of all words within a block. For instance, bits 1 through
4 of all words are inoperative. These failures are more common to
semiconductor memories and are a result of inoperative memory chips. Bit
failures include all those that result in any single bit in data or instruction
memory failing. These failures will result in one bad instruction or data
word.
Fault detection/reaction failures. - The fault detection/reaction functions
are safety-critical portions of the computer. The fault-detection portion of
these circuits is included to detect hardcore computer failures when the
CPU and I/O are incapable of detecting failures in themselves. Because of
the importance of these circuits to flight safety, an extensive failure modes
and effects analysis is performed for each application. In general, these
circuits are designed to be highly reliable, fail-safe and testable. The fault
reaction portion of these circuits is also safety-critical, and again, extensive
failure modes and effects analysis is performed for each application. These
circuits are also highly reliable, fail-safe, and testable. Failure of these
functions, along with any computer or sensor failure, could result in an
unsafe condition.
CPU operational failures. - CPU operational failures are those CPU
failures which result in partial loss of CPU capability. Among these are:
accumulator failures, I/O control failures, data register failures, adder
carry failures, etc. These failures will result in improper operation on
data or I/O devices. As a result, some or all computations performed by
the CPU will be in error, even though the processor sequences properly
through its instructions.

Multiplexed I/O failures. - Multiplexed I/O failures are failures in the
control circuits that result in partial or complete loss of an I/O function.
For example, if a switching chip in the analog input I/O should fail, an entire
group of inputs would be inoperative. Similar failures exist for all I/O
portions of the computer.

Dedicated I/O failures. - Dedicated I/O failures are failures that affect
only one input or output. If these signals are safety-critical, they must
either be testable or redundant.
Self-test Hierarchy

The computer control functions flow from the CPU to the I/O control
and finally to the dedicated I/O. Because of this hierarchy of control, the
following self-test approach is preferred:

• Ensure that the computer is capable of reacting to a failure
  within itself.
• Ensure that the memory is intact so that testing can
  be performed.
• Ensure that the CPU can properly process data and
  evaluate test results.
• Ensure that the CPU can control the I/O so that it
  can be tested.
• Ensure that the critical interfaces are operational.

If the computer is capable of reacting to a failure within itself, it can
then be used to see that its memory is intact. Given these, the computer
has the intelligence to perform testing functions. The CPU can now perform
self-tests on itself to check its data processing capability. Given these
functions, the CPU can be used to exercise the I/O circuits and evaluate
their operation. The following subsection discusses various techniques
that can be used to perform self-test on a digital computer system.
Computer Functional Test Descriptions

Monitoring and testing of the computer for hardcore failures is provided
by circuits that do not require a functioning processor or memory to give
failure warning. Typical systems will use one or more watch dog timers
and possibly a dynamic computation monitor if detection in excess of 98%
is needed.

Watch dog timer. - The purpose of the watch dog timer (WDT) is to
protect against central processor or memory failures which prevent
execution of a computation cycle in the prescribed period of time. It is
designed to provide this protection without dependence on processor or
memory functions. The essential element is a monostable single-shot
flip-flop which has a high output state for about 20% longer than the basic
computation cycle after receiving an update pulse. A low output state
disengages the DAFCS servos directly through hardware logic. To maintain
system engagement, the DAFCS program checks that the WDT is not failed and
then issues an output control pulse to update the flip-flop once every
computation cycle.
Dynamic computation monitor. - The dynamic computation monitor
(DCM) provides an independent and continuous test of CPU capability to
perform continuous control functions. The concept defines a relatively precise
control function which must be performed on an analog element by the CPU
and I/O. The analog element to be controlled is an operational amplifier
integrator. The objective of the control law contained in the software is to
produce a stable ±5-vdc time-dependent triangular integrator output. The
DCM control law also maintains certain similarities to the LINS computations:

• Exercises A/D and D/A conversion.
• Samples inputs and outputs a command at fixed rates.
• Exercises much of the instruction repertoire used by
  LINS computations.
• Relies on the real-time synchronism for maintenance
  of a precise computation interval.
• Uses CONSTANT and SPAD memory.

The integrator output is monitored by dedicated hardware for peak
values both above and below nominal. Failure to exceed a 4.4-vdc magnitude
at least every computation cycle causes disengage. Exceeding 5.6-vdc
magnitude at any time also causes disengage.
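The following discrete-time simulation is an added illustration, not part of the original report, of the two hardcore monitors described above. It models the WDT as a single-shot that stays high for 20 percent longer than the computation cycle and the DCM as an integrator that the software must steer into a ±5 V triangle while hardware trips on a peak above 5.6 V or on a cycle whose peak never reaches 4.4 V. The 20 ms cycle, the 20 control-law steps per cycle and the integrator slew are assumed; a processor that is dead, or that another monitor has parked in a loop which no longer updates the monitors, is represented by `fail_at_cycle`.

```python
# Constructed model (not from the report) of the watch dog timer and the
# dynamic computation monitor. Cycle time and integrator slew are assumed;
# the 20% WDT margin and the 4.4 V / 5.6 V DCM trip levels follow the text.
CYCLE_MS = 20.0
SUBSTEPS = 20                        # control law and monitors evaluated 20x per cycle
DT_MS = CYCLE_MS / SUBSTEPS
WDT_PERIOD_MS = CYCLE_MS + CYCLE_MS / 5   # single-shot high ~20% longer than a cycle
DCM_TARGET_V = 5.0                   # +/-5 V triangular integrator output
DCM_PEAK_MIN_V = 4.4                 # must be reached at least once per cycle
DCM_PEAK_MAX_V = 5.6                 # must never be exceeded
SLEW_V_PER_MS = 4 * DCM_TARGET_V / CYCLE_MS   # -5 -> +5 -> -5 within one cycle


class WatchDogTimer:
    """Monostable single-shot flip-flop: output high (servos engaged) for
    WDT_PERIOD_MS after the last update pulse, then low, with no dependence
    on processor or memory."""
    def __init__(self):
        self.remaining_ms = 0.0

    def update(self):
        self.remaining_ms = WDT_PERIOD_MS

    def tick(self, dt_ms):
        self.remaining_ms = max(0.0, self.remaining_ms - dt_ms)

    @property
    def engaged(self):
        return self.remaining_ms > 0.0


class DynamicComputationMonitor:
    """Op-amp integrator commanded by the CPU through D/A and watched by a
    hardware peak detector."""
    def __init__(self):
        self.output_v = 0.0
        self.drive = +1.0            # last D/A command: ramp up or ramp down
        self.peak_this_cycle = 0.0
        self.engaged = True

    def control_law(self):
        """Software half: sample the output (A/D) and reverse the ramp at +/-5 V."""
        if self.output_v >= DCM_TARGET_V:
            self.drive = -1.0
        elif self.output_v <= -DCM_TARGET_V:
            self.drive = +1.0

    def integrate(self, dt_ms):
        """Analog half: the integrator keeps ramping on the last command."""
        self.output_v += self.drive * SLEW_V_PER_MS * dt_ms
        self.peak_this_cycle = max(self.peak_this_cycle, abs(self.output_v))
        if abs(self.output_v) > DCM_PEAK_MAX_V:
            self.engaged = False     # overshoot: hardware disengage

    def end_of_cycle(self):
        """Hardware peak detector evaluated once per computation cycle."""
        if self.peak_this_cycle < DCM_PEAK_MIN_V:
            self.engaged = False     # triangle never reached 4.4 V this cycle
        self.peak_this_cycle = 0.0


def simulate(total_cycles, fail_at_cycle=None):
    """Run the computer for `total_cycles`. From `fail_at_cycle` on the CPU is
    dead or in its fail loop: it issues no WDT update pulse and runs no DCM
    control law. Returns (wdt_disengage_ms, dcm_disengage_ms), None where the
    monitor never disengaged."""
    wdt, dcm = WatchDogTimer(), DynamicComputationMonitor()
    wdt.update()
    t_ms, wdt_trip, dcm_trip = 0.0, None, None
    for cycle in range(total_cycles):
        cpu_ok = fail_at_cycle is None or cycle < fail_at_cycle
        for _ in range(SUBSTEPS):
            if cpu_ok:
                dcm.control_law()
            dcm.integrate(DT_MS)
            wdt.tick(DT_MS)
            t_ms += DT_MS
            if wdt_trip is None and not wdt.engaged:
                wdt_trip = t_ms
            if dcm_trip is None and not dcm.engaged:
                dcm_trip = t_ms
        dcm.end_of_cycle()
        if dcm_trip is None and not dcm.engaged:
            dcm_trip = t_ms
        if cpu_ok:
            wdt.update()             # output control pulse once per computation cycle
    return wdt_trip, dcm_trip


if __name__ == "__main__":
    print("healthy:", simulate(10))
    print("CPU stops at cycle 5:", simulate(10, fail_at_cycle=5))
```

With these parameters a healthy computer never disengages, while a CPU that stops at the start of the 100 ms cycle is caught by the DCM after 6 ms (the frozen D/A command drives the integrator past 5.6 V) and by the WDT 24 ms after its last update pulse, which illustrates why the text reserves the DCM for applications needing detection beyond what the timer alone gives.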
Because the WDT or DCM do not require a functioning processor or
memory to cause a disengagement, they are also relied upon for that
function when failures are detected by other processor or memory monitors.
In those cases, failure detection causes the computation flow to jump to a
"fail loop" which prevents update of the WDT and DCM.
Memory tests. - Two basic memory testing schemes are in general use
to test computer memories. These are parity and sum checks. In a simple
single-bit parity scheme, each word sent to memory is routed through
circuitry which first checks parity and then adds a "one" to the parity bit
in each word if necessary to achieve odd parity. When any word is accessed,
it is checked for correct parity by dedicated circuits, and, if an error is
detected, a processor interrupt is immediately performed. Multiple-parity-
bit schemes are available if additional checking is necessary. Among these
are one parity bit per chip used to form a word and one parity bit for each
bit in a chip to form a word. If two eight-bit chips were used to form a
sixteen-bit word, the first multiple parity scheme would require two parity
bits and the second eight parity bits.
Memory sum checks are used to protect against hardware failures in the
memory, memory interface, or processor which cause actual or effective
changes in the contents of critical instruction or data memory locations. A
"critical" instruction or data is defined as one which can have significant
effect, from a safety viewpoint, on the output signals.
The concept is to treat the contents of a given block of critical locations
as data, and compute the sum of the contents of all locations in the block.
This sum must then compare exactly with a precomputed check sum stored
in data memory. Failure to compare leads to failure warning via the CPU.

SPAD memory sum checks protect against failures in the memory,
memory interface or processor which cause actual or effective changes in
critical SPAD locations.

Since the contents of SPAD locations are variable, the following sum
check concept can be used: Each critical SPAD variable is double stored;
i.e., the A register contents are stored in both a primary and a secondary
SPAD memory location. The primary location is used in computations on
subsequent passes through the program. The secondary location is used
only for sum checking. The sum check routine effectively adds the primary
locations, subtracts the secondary locations and checks for a zero result.
Failure warning is provided by the CPU if an error is detected.
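The three memory checks described above, as an added worked example that is not part of the original report: odd parity appended to each word and checked on every access, a block check sum over instruction memory compared against a precomputed reference, and the double-stored SPAD variables whose primary-minus-secondary sum must be zero. The 16-bit word, the 17-bit stored-word layout, the modulo 2^16 check sum, the variable names and the fault-injection methods are assumptions made for the demonstration.

```python
# Constructed model (not from the report) of parity, check-sum and
# double-store SPAD tests on a small 16-bit memory.
WORD_MASK = 0xFFFF


class ParityInterrupt(Exception):
    """Raised where the text says a processor interrupt is performed."""


def parity_bit_for_odd(word):
    """Bit that makes (data + parity) contain an odd number of ones."""
    return 0 if bin(word & WORD_MASK).count("1") % 2 == 1 else 1


def store_word(word):
    """Route a word to memory: 16 data bits followed by the parity bit."""
    return ((word & WORD_MASK) << 1) | parity_bit_for_odd(word)


def data_of(stored):
    return (stored >> 1) & WORD_MASK


def has_odd_parity(stored):
    return bin(stored & 0x1FFFF).count("1") % 2 == 1


def block_check_sum(words):
    """Treat a block of critical locations as data and sum it (mod 2**16)."""
    return sum(w & WORD_MASK for w in words) & WORD_MASK


class MemoryMonitor:
    def __init__(self, program, spad_initial):
        self.program = [store_word(w) for w in program]     # instruction memory
        self.reference_sum = block_check_sum(program)       # precomputed check sum
        # SPAD double store: primary is used by the computations, secondary
        # only by the sum check.
        self.spad_primary = dict(spad_initial)
        self.spad_secondary = dict(spad_initial)

    def parity_ok(self, addr):
        return has_odd_parity(self.program[addr])

    def fetch(self, addr):
        """Access a word; dedicated circuits check parity and interrupt on error."""
        stored = self.program[addr]
        if not has_odd_parity(stored):
            raise ParityInterrupt(f"parity error at address {addr}")
        return data_of(stored)

    def write_spad(self, name, value):
        """The CPU writes every critical SPAD variable to both locations."""
        self.spad_primary[name] = value & WORD_MASK
        self.spad_secondary[name] = value & WORD_MASK

    def instruction_sum_check(self):
        """Sum the block as data and compare with the stored reference."""
        return block_check_sum(data_of(s) for s in self.program) == self.reference_sum

    def spad_sum_check(self):
        """Add the primary locations, subtract the secondary ones, expect zero."""
        return sum(self.spad_primary.values()) - sum(self.spad_secondary.values()) == 0

    # Fault injection for the demonstration only (assumed, not a real mechanization).
    def flip_program_bit(self, addr, bit):
        self.program[addr] ^= 1 << (bit + 1)       # +1 skips over the parity bit

    def corrupt_spad_primary(self, name, value):
        self.spad_primary[name] = value & WORD_MASK


if __name__ == "__main__":
    m = MemoryMonitor([0x1234, 0xABCD, 0x0F0F, 0x8001], {"roll": 12, "pitch": 7})
    print("healthy:", m.instruction_sum_check(), m.spad_sum_check())
    m.flip_program_bit(3, 0)
    print("single bit flipped: parity ok?", m.parity_ok(3),
          "sum ok?", m.instruction_sum_check())
```

A single flipped bit is caught by both the parity circuit and the sum check; two flipped bits in one word slip past single-bit parity (the word still has odd parity) but still change the block sum, which is the case that motivates the multiple-parity-bit and sum-check schemes the text describes. A SPAD primary location that changes without a matching write to its secondary copy likewise breaks the zero-sum condition.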
Fault detection/reaction tests. - Because of the safety dependence on
the fault detection/reaction circuits, a means of testing them is needed to
ensure that no latent failures exist. These circuits are not normally tested
continuously during flight because failure indications are usually latched
to prevent transient resets. However, if the circuits are sufficiently fail-
safe and reliable, a thorough automatic preflight is sufficient to provide
safe operation. Testing usually consists of stim/measure and timing tests
which check all components in the circuits. For instance, the watch dog
timer is updated and then checked for not-timed-out and timed-out at its
minimum and maximum intervals.
CPU operational tests. - Monitoring of the operation of the central
processor unit (CPU) is primarily performed by a set of special software.
The basic CPU operation can be continuously tested in flight. The functions
included in this test are:

• Data address lines of the CPU and memory
• Operation code decoding
• Information transfer to the A and B registers
• Logic instructions
• Shift and rotate instructions
• Load and store instructions
• Arithmetic instructions
• The accumulator
• Indexing
• Branch and return
• Conditional and unconditional jumps
• Special circuits
If a failure is detected by the CPU, a jump to a "fail loop" is executed.

Power supply tests. - The computer supplies which are critical to
computer operations can be monitored by comparisons against nominals.
The purpose of these tests is two-fold:

• To compare the supply outputs against predetermined
  nominals and tolerances.
• Since these are known-value analog inputs, each of which
  can be wired to a different bank of the multiplexer, an
  inherent test of the analog I/O and analog-to-digital
  converter is performed.

Bite-the-tail tests. - All analog and discrete outputs are tested using
a technique that has been labeled "bite-the-tail". Outputs are fed back to
the input and re-entered into the processor through the appropriate input
channel to be compared with the commanded output (to a suitable tolerance
in the case of analog outputs). This type of test has the advantage of being
an end-to-end check of the input/output since almost all of the circuitry is
exercised by performing such a test.
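The power supply test and the bite-the-tail test, as an added worked example that is not part of the original report. Known-value supply inputs on separate multiplexer banks are compared against nominal, so that a converter fault shows up as every bank failing together, and every analog and discrete output is wrapped back to an input channel and compared with what was commanded, within a tolerance for the analog case. The channel names, supply tolerances, the 12-bit ±20 V converter, the 0.1 V analog tolerance and the fault-injection hooks are assumptions chosen for the demonstration.

```python
# Constructed model (not from the report) of the output wrap-around test and
# the known-value power supply comparison. All channel names, tolerances and
# converter parameters are assumed.
ADC_FULL_SCALE_V = 20.0
ADC_BITS = 12
ANALOG_TOLERANCE_V = 0.1

# supply name -> (nominal volts, tolerance volts, multiplexer bank)
SUPPLY_NOMINALS = {
    "+5V": (5.0, 0.25, 0),
    "+15V": (15.0, 0.75, 1),
    "-15V": (-15.0, 0.75, 2),
}


def analog_to_digital(volts, gain=1.0):
    """12-bit A/D over +/-ADC_FULL_SCALE_V; gain != 1 models a converter fault."""
    lsb = 2 * ADC_FULL_SCALE_V / (1 << ADC_BITS)
    v = max(-ADC_FULL_SCALE_V, min(ADC_FULL_SCALE_V, volts * gain))
    return round(v / lsb) * lsb


class IoSelfTest:
    def __init__(self):
        self.analog_cmd = {}        # channel -> commanded output volts
        self.discrete_cmd = {}      # channel -> commanded 0/1
        self.output_faults = {}     # channel -> function applied to the real output
        self.adc_gain = 1.0         # shared A/D converter
        self.supplies = {name: nom for name, (nom, _, _) in SUPPLY_NOMINALS.items()}

    def command_analog(self, channel, volts):
        self.analog_cmd[channel] = volts

    def command_discrete(self, channel, level):
        self.discrete_cmd[channel] = 1 if level else 0

    def _actual_output(self, channel, value):
        fault = self.output_faults.get(channel)
        return fault(value) if fault else value

    def bite_the_tail(self):
        """Feed each output back to its wrap-around input and compare it with
        the commanded value: within tolerance for analog, exact for discrete."""
        results = {}
        for channel, cmd in self.analog_cmd.items():
            read_back = analog_to_digital(self._actual_output(channel, cmd), self.adc_gain)
            results[channel] = abs(read_back - cmd) <= ANALOG_TOLERANCE_V
        for channel, cmd in self.discrete_cmd.items():
            results[channel] = self._actual_output(channel, cmd) == cmd
        return results

    def power_supply_test(self):
        """Compare each supply, a known-value input on its own multiplexer bank,
        against nominal and tolerance. A converter or multiplexer fault makes
        several banks fail at once, which is the inherent I/O test the text mentions."""
        results = {}
        for name, (nominal, tolerance, _bank) in SUPPLY_NOMINALS.items():
            measured = analog_to_digital(self.supplies[name], self.adc_gain)
            results[name] = abs(measured - nominal) <= tolerance
        return results

    def all_good(self):
        return all(self.bite_the_tail().values()) and all(self.power_supply_test().values())


if __name__ == "__main__":
    io = IoSelfTest()
    io.command_analog("elevator_cmd", 3.25)
    io.command_discrete("engage_relay", 1)
    print("healthy:", io.all_good())
    io.output_faults["elevator_cmd"] = lambda v: v + 0.5   # output stage offset
    print("with offset fault:", io.bite_the_tail())
```

A 0.5 V offset in one output stage fails only that channel's wrap-around comparison, a stuck-at-zero discrete driver fails its channel exactly, and a 10 percent A/D gain error fails all three supply comparisons together, which is how the shared converter is separated from a single bad supply.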
Digital I/O tests. - Digital inputs and outputs are checked by means of
a parity bit attached to each word at time of transmission and checked at
time of receipt at the destination. This circuitry contains the multichannel
digital interface.

Multichannel interfaces perform the following functions:

• Real-time synchronization between the redundant
  channels
• All data exchanges among the redundant channels
• Majority output or differential (digital) voting if
  desired

The real-time synchronization is necessary to ensure that all redundant
channels are running the same problem so that their results can be
compared. Data exchange is utilized primarily on inputs so that comparison
of inputs can be performed prior to the computations. Because of
comparisons within each computer, the interfaces are self-checking and
little or no additional testing is necessary.

Dedicated input I/O tests. - The dedicated input I/O can be tested to
some degree by providing stim signals from the computer to the input
device. These tests usually require special dedicated hardware for each
input to be tested. Continuous testing is usually not practical and therefore
testing is limited to preflight only. Inflight tests are sometimes performed
by using reasonableness tests on the input signals.
Computer Failure Model

In an actual system application, a detailed failure modes and effects
analysis is necessary to arrive at a detailed failure model. Included in a
detailed model would be: programming restrictions to prevent use of
not-tested CPU functions, the effects of redundant signal paths, restrictions
on use of not-tested I/O control signals, and failure modes unique to the
application and mechanization. A general computer model is shown in
Figure 27.

Previously, it was stated that the fault detection/reaction logic should be
designed to be highly reliable and fail-safe. If this design is adequate, all
failure paths containing these elements can be ignored when making the
preliminary reliability calculations. The system failure state then reduces to
the sum of the probability of each failure mode occurring, multiplied by the
self-test ineffectiveness.

Self-test effectiveness is dependent on the design, failure analysis, and
failure testing effort. Numbers approaching 100% self-test are possible if
considerable effort is made. This analysis and testing can easily become
man-years if a highly testable system (98+%) is required. The task consists
primarily in defining all the possible safety-critical failure modes in the
computer. In general, any failure mode that can be identified can be detected;
but have all modes been defined? The parts count is high and it is especially
difficult to identify all of the conditional failure modes. Also, latent failures
are a potential problem.
[Figure 27: computer failure model diagram. From the "all good" state, each
failure class (memory failure, CPU operational failure, multiplexed I/O
failure, dedicated I/O failure) reaches system failure by two paths: its test
(memory test, CPU test, common I/O tests, dedicated I/O tests) is
inconclusive, or the test is conclusive but the fault reaction circuits fail.]

Figure 27. - Computer failure model diagram

Summary

Various proven techniques are available to achieve a reasonable self-
test effectiveness. This effectiveness is largely dependent on the effort
spent on detailed failure modes and effects analyses and testing. To prevent
unsafe conditions resulting from computer hardcore failures, some form of
watch dog timer or dynamic computation monitor circuits is required. Also,
selective redundancy may be necessary, particularly for critical I/O signals.
Table 5 summarizes the self-test hierarchy. Included are estimated
failure rates and self-test effectiveness values. The values are estimated
based on experience on similar systems and assume failure modes and
effects similar to conventional redundant systems. An overall self-test
effectiveness of greater than 93 percent is reasonable for the tetrad computer,
and this number can approach 100 percent given sufficient design and test
effort. The dedicated I/O circuitry is typically the predominant contributor
to the self-test ineffectiveness.
SECTION 6
IMPACT OF LASER GYRO FAILURE ON FLIGHT SAFETY

For flight occurring during IFR conditions, flight safety can be
compromised by an undetected failure in any gyro which is part of a stability
augmentation system, attitude reference system, or navigation system.
The assumption is made that systems which provide a warning flag when
they have failed (fail-safe) do not compromise flight safety in short haul
aircraft because of backup systems of the same or different configurations.
For instance, the inertial navigation system could be backed up by radio
navigation (or vice-versa).

In a tetrad system, the first sensor failure can be detected at the
system level with a confidence approaching 100%. Consequently, the system
may be classified as a fail-safe system relative to the first sensor failure.
Subsequent paragraphs discuss the rationale for stating that individual gyro
tests will identify the failed unit 96.5% of the time, permitting the system to
remain operational. However, an operational tetrad system with one gyro
failure is no longer a fail-safe system 100% of the time, but is a fail-safe
system (relative to a second gyro failure) 96.5% of the time.

Table 6 shows the effects of a failure in a functional area of the gyro.
For instance, a failure of the laser case, laser block, laser readout or
laser current control would make the gyro inoperative and its error would
greatly exceed 360 deg/hr, which is typically the maximum error a stability
augmentation system can tolerate even in a degraded mode. Consequently,
all boxes associated with these areas are marked unusable (x). Loss of
laser dither and laser path length results in gyro performance which is not
usable for navigation but is usable (depending on the size of the error) for
stability augmentation and attitude reference.
The undetected failure rate for a gyro in each of the referenced systems is
shown in Table 7. This is arrived at by multiplying the gyro failure rate and
the self-test inconclusive factor. The gyro undetected failure rate is
essentially the same for all three system functions, and the gyro undetected
mean time between failures is in excess of 700,000 hours.
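The undetected-failure-rate calculation stated here and in Section 4 (the sum of each gyro assembly's failure rate times its monitor's self-test inconclusive factor), carried through as an added example that is not part of the original report. The rows are the Table 4 entries as transcribed above; the laser block effectiveness is the text's "approximately 95%" because that cell of the scanned table is not legible. With these entries the calculation gives an overall effectiveness near 96.9% and an undetected MTBF near 650,000 hours, close to but not identical with the 96.5% and 700,000 hours the report quotes, so the transcribed figures should be read as approximate. The ranking and what-if helpers go beyond the report's single calculation.

```python
# Added example (not from the report). Table 4 as transcribed; the laser block
# effectiveness of 95.0 is taken from the text, the cell being illegible.
TABLE_4 = [
    # (gyro element, estimated monitor effectiveness %, failure rate %/1000 hr)
    ("laser block assembly",       95.0, 2.454),
    ("redundant readout assembly", 99.9, 1.196),
    ("laser case assembly",        95.0, 0.076),
    ("current control",            95.0, 0.335),
    ("path-length control",        99.0, 0.605),
    ("dither control",             99.0, 0.330),
]


def inconclusive_factor(effectiveness_percent):
    """Fraction of failures in an element that its monitor does not catch."""
    return 1.0 - effectiveness_percent / 100.0


def total_failure_rate(rows):
    """Sum of the assembly failure rates, %/1000 hr."""
    return sum(rate for _, _, rate in rows)


def undetected_failure_rate(rows):
    """Sum over assemblies of failure rate x self-test inconclusive factor."""
    return sum(rate * inconclusive_factor(eff) for _, eff, rate in rows)


def overall_effectiveness_percent(rows):
    """Share of all gyro failures the monitors are expected to detect."""
    return 100.0 * (1.0 - undetected_failure_rate(rows) / total_failure_rate(rows))


def undetected_mtbf_hours(rows):
    """Convert the undetected rate from %/1000 hr to a mean time between
    undetected failures in hours."""
    failures_per_hour = undetected_failure_rate(rows) / 100.0 / 1000.0
    return 1.0 / failures_per_hour


def worst_contributors(rows, n=3):
    """Elements ranked by contribution to the undetected rate: where extra
    monitor effort (or a FMEA) buys the most."""
    ranked = sorted(((rate * inconclusive_factor(eff), name) for name, eff, rate in rows),
                    reverse=True)
    return [name for _, name in ranked[:n]]


def with_effectiveness(rows, element, new_effectiveness_percent):
    """Copy of the table with one monitor's effectiveness changed (what-if)."""
    return [(name, new_effectiveness_percent if name == element else eff, rate)
            for name, eff, rate in rows]


if __name__ == "__main__":
    print(f"total rate        {total_failure_rate(TABLE_4):.3f} %/1000 hr")
    print(f"undetected rate   {undetected_failure_rate(TABLE_4):.4f} %/1000 hr")
    print(f"effectiveness     {overall_effectiveness_percent(TABLE_4):.2f} %")
    print(f"undetected MTBF   {undetected_mtbf_hours(TABLE_4):,.0f} hr")
    print("worst contributors", worst_contributors(TABLE_4))
```

The ranking shows that the laser block assembly, with the highest failure rate and one of the lower monitor effectiveness values, dominates the undetected rate; raising only that monitor to 99% lifts the overall figure to about 98.9%, which is the kind of trade the FMEA called for in the text is meant to inform.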
SECTION 7
CONC LU SIONS
The failure modes of laser gyros and computers were studied with
respect to the potential use of a tetrad inertial navigation system in short-
haul aircraft. This system was configured with two two-axis sensor channels,
each channel containing its own computer. In this configuration, any set of
sensor outputs can be used to derive the equivalent output of an orthogonal
sensor triad.
The laser gyro was studied relative to the type of monitors necessary
to isolate a gyro failure to a specific gyro within the tetrad system. In
addition to the monitors, a redundant readout circuit in the gyro is considered
necessary. The total potential effectiveness of the individual gyro
monitoring circuitry is estimated at 96.5%. Note: Actual verification of this
number requires a detailed failure mode and effects analysis with subsequent
confirmation by actual hardware testing. An overall self-test effectiveness
of 93% is reasonable for the computer and this number can approach the 99
to 100% range given sufficient design and test effort. The dedicated I/O
circuitry is typically the predominant contributor to the self-test
ineffectiveness.
The most promising system redundancy management concept consists of
detecting the first sensor failure at the system level by analysis of the sensor
outputs and by detecting the first computer error by comparison of computer
outputs. Isolation of the first failure was found to be as good as the individual
components' (gyro and computer) failure detection capability.
For short-haul aircraft, flight safety is assumed to be compromised
any time a system fails and a warning flag is not activated. In the tetrad
system the first failure may be detected at the system level and a warning
flag actuated with a confidence approaching 100%.
Isolation of the failure, in the case of the gyro and computers, can be
accomplished 93 to 96% of the time, thus permitting the system to continue
operating with one failure. However, a tetrad with one failure reverts to a
system which is less than 100% fail-safe.
APPENDIX A
COMPUTER SYNCHRONIZATION
The computer hardware synchronization concept assumed for the study
is shown in block diagram form in Figure A1. A 2-MHz oscillator in each
computer is used to generate a 125-kHz ISA data transfer pulse rate signal,
a 200-Hz data strobe ISA input cycle pulse, and a 40-msec (25-Hz) clock
pulse. The 40-msec clock pulse is compared with the equivalent clock pulse
from the other computer channel to derive a 40-msec sync pulse used to
synchronize the computers, to reset and start the ISA input data timing
counters (200-kHz and 125-kHz clocks), and to start the next 40-msec clock
time count.
The 40-msec clock pulses are transferred between channels and subjected
to the clock sync generator and failure detection logic shown in Figure A2.
This logic generates a valid sync pulse when two pulses from the
individual 40-msec clocks occur within a prescribed time interval (τ), which
is derived from the 2-MHz oscillators and is reset each time a pulse is
received. If the time difference between the occurrence of the first and
second pulse is greater than τ, failure discrete F1 is generated. In either case,
a 40-msec clock sync pulse is generated that synchronizes the computers by
releasing them from a "halt" condition entered at the end of each 25-Hz
computation cycle. The derived 40-msec clock sync pulse also synchronizes
the 125-kHz and 200-Hz ISA data transfer timing signals and resets/
starts the 40-msec clock timer to generate the next 40-msec pulse.
The above operations occur simultaneously in each computer such that
both become synchronized to the same 40-msec clock.
[Figure A1 block diagram, per computer: gyro/accelerometer data strobe (200 kHz, 200 Hz), serial digital interface, 40-msec clock sync and failure detector, processor and memory, 2-MHz oscillator with 125-kHz reset; the 40-msec clock is interchanged between computer 1 and computer 2]
Figure A1. - Computer synchronization concept
[Figure A2 logic flow: counter is reset and starts with the first pulse and is stopped when the second pulse is received; on overflow, generate failure F1; in either case generate clock sync, which returns to internal I/O logic, starts the computational frame (halt exit to computer) and starts the 40-msec clock]
Figure A2. - Sync generator and failure detection logic
APPENDIX B
TETRAD SKEWED GYRO VOTING AND
TRANSFORMATION EQUATIONS
The derivation of a typical set of error equations to be used in the gyro
error detection/isolation routines for the tetrad system is described in this
subsection. It is assumed that the two sets of orthogonal two-axis ISAs are
placed such that each ISA has one input axis in the p and q (roll and pitch)
plane, and the other axis rotated through an angle with respect to the p and
q plane as shown in Figure B1. The p, q, and r (roll, pitch, yaw) coordinate
frame was selected as the orthogonal reference triad. Figure B2 shows
the projection of the tetrad input axes on the p and q plane.
The tetrad input axes can be expressed in terms of the reference triad
and configuration geometry by inspection as

\begin{bmatrix} \omega_1 \\ \omega_2 \\ \omega_3 \\ \omega_4 \end{bmatrix} =
\begin{bmatrix} 1 & 0 & 0 \\ 0 & -C\alpha & S\alpha \\ C\beta & S\beta & 0 \\ C\alpha\,CA & -C\alpha\,SA & S\alpha \end{bmatrix}
\begin{bmatrix} p \\ q \\ r \end{bmatrix}

where
  ω_i = angular rate sensed by tetrad gyro i
  p, q, r = roll, pitch, yaw rates
  α = 45°
  β = 60°
  A = 30°
  C = cosine
  S = sine
Figure B1. - Tetrad geometry

Figure B2. - Projection of hexad input axes into q-p plane
The two sets of orthonormal two-axis ISA outputs are defined by ω_1, ω_2,
ω_3, and ω_4. The associated error equations are derived for the tetrad and
are sufficient to detect a first failure.
The tetrad error equations are derived by selecting pairs of triads from
the tetrad such as

ω_1, ω_2, ω_3  and  ω_1, ω_3, ω_4

and solving for p, q, and r in terms of the three-rowed submatrix inverses
associated with each pair of triads. That is, for the selected pair of triads

\begin{bmatrix} \omega_1 \\ \omega_2 \\ \omega_3 \end{bmatrix} =
\begin{bmatrix} 1 & 0 & 0 \\ 0 & -C\alpha & S\alpha \\ C\beta & S\beta & 0 \end{bmatrix}
\begin{bmatrix} p \\ q \\ r \end{bmatrix}
\qquad
\begin{bmatrix} \omega_1 \\ \omega_3 \\ \omega_4 \end{bmatrix} =
\begin{bmatrix} 1 & 0 & 0 \\ C\beta & S\beta & 0 \\ CA\,C\alpha & -SA\,C\alpha & S\alpha \end{bmatrix}
\begin{bmatrix} p \\ q \\ r \end{bmatrix}

Taking the inverse (for the angles specified, β = 90° − A, so that Csc β = Sec A and Cot β = Tan A)

\begin{bmatrix} p \\ q \\ r \end{bmatrix} =
\begin{bmatrix} 1 & 0 & 0 \\ -\operatorname{Cot}\beta & 0 & \operatorname{Csc}\beta \\ -\operatorname{Cot}\alpha\,\operatorname{Cot}\beta & \operatorname{Csc}\alpha & \operatorname{Cot}\alpha\,\operatorname{Csc}\beta \end{bmatrix}
\begin{bmatrix} \omega_1 \\ \omega_2 \\ \omega_3 \end{bmatrix}
\quad\text{and}\quad
\begin{bmatrix} p \\ q \\ r \end{bmatrix} =
\begin{bmatrix} 1 & 0 & 0 \\ -\operatorname{Tan}A & \operatorname{Sec}A & 0 \\ -\operatorname{Cot}\alpha\,\operatorname{Sec}A & \operatorname{Tan}A\,\operatorname{Cot}\alpha & \operatorname{Csc}\alpha \end{bmatrix}
\begin{bmatrix} \omega_1 \\ \omega_3 \\ \omega_4 \end{bmatrix}
In an ideal system, subtracting any two of the expressions for p, q, or
r in each tetrad should yield zero. Nonzero values are indications of gyro
(ω_i) failures. The difference equations can, therefore, be identified as error
equations used to evaluate tetrad functional integrity. Subtracting the terms
for the tetrad yields the following equation:

E = \operatorname{Cot}\alpha\,\operatorname{Sec}A\,(1 - \operatorname{Sin}A)\,(\omega_1 + \omega_3) + \operatorname{Csc}\alpha\,(\omega_2 - \omega_4)
And for the angles as previously specified

E = 0.58\,(\omega_1 + \omega_3) + 0.707\,(\omega_2 - \omega_4)
To minimize the software requirements, the equation would be scaled
such that one of the coefficients in each error equation would become unity.
To be capable of discriminating low-level (soft) failures from normal
input random noise, the equation is first integrated and squared before
comparison with an error tolerance equation for error detection. The error
tolerance equation is a second-order polynomial and its coefficients represent
statistical sensor output error tolerances. The tolerance equation has
the form

T = A + Bt + Ct^2

where
  A = constant, based on the covariance of the scale factor and
      misalignment calibration uncertainties, input axis geometry,
      and worst case rates.
  B = function of input axis geometry and random walk bias
      covariance.
  C = function of input axis geometry and constant bias covariance.
If the inequality

E' = \left[ \int_0^t E \, dt \right]^2 > A + Bt + Ct^2

exists, a failure is indicated.
When a sensor failure is indicated, the appropriate error flag is set for
use by the error response/action routine in the computer.
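The procedure above carried through in code, as an added example that is not part of the report: the error equation coefficients are computed from the tetrad matrix by the two triad inverses rather than copied from the text (before any unity scaling they come out as cot α sec A (1 − sin A) = 0.577 on ω1 + ω3 and csc α = 1.414 on ω2 − ω4), and the integrate, square and compare test is run on constructed gyro outputs. The body rates, the bias fault injected on gyro 2, the sample interval and the tolerance coefficients A, B, C are constructed values.

```python
# Added example (not the report's code): Appendix B error equation derived
# from the stated geometry, plus the integrate/square/compare failure test.
# Rates, injected bias, dt and tolerance coefficients are constructed.
import math

ALPHA, BETA, A_ANG = math.radians(45.0), math.radians(60.0), math.radians(30.0)


def tetrad_matrix():
    """Rows give w1..w4 in terms of (p, q, r), as in Appendix B."""
    ca, sa, cb, sb = math.cos(ALPHA), math.sin(ALPHA), math.cos(BETA), math.sin(BETA)
    cA, sA = math.cos(A_ANG), math.sin(A_ANG)
    return [[1.0, 0.0, 0.0], [0.0, -ca, sa], [cb, sb, 0.0], [ca * cA, -ca * sA, sa]]


def inv3(m):
    """3x3 inverse by the adjugate, so the example needs no numpy."""
    (a, b, c), (d, e, f), (g, h, i) = m
    det = a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)
    adj = [[e * i - f * h, c * h - b * i, b * f - c * e],
           [f * g - d * i, a * i - c * g, c * d - a * f],
           [d * h - e * g, b * g - a * h, a * e - b * d]]
    return [[x / det for x in row] for row in adj]


def error_equation_coeffs():
    """E = c1 w1 + c2 w2 + c3 w3 + c4 w4, from the yaw-rate (r) rows of the
    (w1,w2,w3) and (w1,w3,w4) triad inverses; zero for a healthy tetrad."""
    H = tetrad_matrix()
    r123 = inv3([H[0], H[1], H[2]])[2]     # r in terms of w1, w2, w3
    r134 = inv3([H[0], H[2], H[3]])[2]     # r in terms of w1, w3, w4
    return [r123[0] - r134[0], r123[1], r123[2] - r134[1], -r134[2]]


def detect(samples, dt, A, B, C):
    """Integrate E, square, compare with T = A + Bt + Ct^2 (t in hours).
    Returns the index of the first sample that trips the flag, else None."""
    coeffs = error_equation_coeffs()
    integral = 0.0
    for n, w in enumerate(samples):
        e = sum(c * wi for c, wi in zip(coeffs, w))
        integral += e * dt
        t = (n + 1) * dt
        if integral ** 2 > A + B * t + C * t * t:
            return n
    return None


def constructed_run(bias_deg_hr, fault_start, n_samples=200):
    """Constructed gyro outputs (deg/hr): steady body rates through the
    tetrad matrix, with a constant bias added to gyro 2 from fault_start."""
    H = tetrad_matrix()
    p, q, r = 2.0, -1.0, 0.5
    samples = []
    for n in range(n_samples):
        w = [row[0] * p + row[1] * q + row[2] * r for row in H]
        if n >= fault_start:
            w[1] += bias_deg_hr
        samples.append(w)
    return samples
```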
APPENDIX C
LASER GYRO READOUT CONFIGURATIONS
Establishment of criteria to determine the performance of the existing
readout circuitry is difficult because the output is dependent on the input rate
and may vary from zero pulses per second to several hundred thousand
pulses per second.
The photosensor in the readout circuitry detects movement of the laser
beam fringe pattern and converts this movement to a digital pulse train. The
existing readout circuitry consists of two photosensors (1/4 wavelength of
beat frequency apart). Each sensor generates a digital pulse train. The
pulse trains are subsequently combined in a logic circuit to produce CW and
CCW pulses depending on the direction in which the laser beam fringe pattern is
moving.
The two photosensor channels are not redundant in the normal sense;
i.e., they do not produce the same pulse train when the fringe pattern is
continually reversing direction but do produce a similar pulse train (90 degrees
displaced from each other) when the fringe pattern is going in one direction.
There are four fringe pattern readout configurations, each employing a
different number of photosensors, that are examined for potential applicability.
Configuration 1
The readout configuration shown in Figure C1 consists of a single photo-
detector and associated electronics feeding the line driver. Counts can be
generated from this configuration, but the direction the fringe pattern is
moving cannot be determined, so this configuration is of no practical value
for this application but is shown as a building block for other configurations.
[Figure C1: laser fringe pattern → photodetector channel 1 → differential amplifier → voltage comparator → line driver]
Figure C1. - Single-channel readout
Configuration 2
The readout circuitry used on the gyro is shown in Figure C2 and con-
sists of two photodetector channels whose response to the moving fringe
pattern is separated by 1/4 cycle of beat frequency. These two signals are
processed by directional logic circuitry to produce CW and/or CCW pulses
as inputs for the line drivers.
"--4 PhOtOdetectOr I =J "DI Line F
channelA _ driver CCW pulses
Laser - Directional
fringe 1/4_, Iog,c
p'tt='rn--_llPh°t°de_'_t°rLl _t Line F
Olannel B '- driver CCW pulses
Figure C2. - Standard readout
87
I
1976008973-095
Configuration 3
Figure C3 shows three photodetector channels being crossfed into three
sets of directional logic and subsequently producing three comparable sets of
CW and CCW pulses. Three angles are determined by subtracting the respec-
tive sets of clockwise pulses from counter-clockwise pulses for a given time
period. Failure in the readout circuitry exists anytime the three angles are
not within ±1 pulse of each other. It is not possible to have a failure in the
readout circuitry and to determine which of the output angles are valid by
examining the three output angles. For instance, a failure in the direction
logic would result in two of the output angles being correct while a photo-
detector channel failure would invalidate two of the output angles.
Hard failures in the readout circuitry of Figure C3 may be detected using
the following criteria:
• The three angles (A, B, and C) shall be within ±1 pulse of each
other.
• The summation of pulses [Σ (P_CW + P_CCW)] from any one
of the outputs shall not equal zero.
Failure of the gyro to lase is also readily determined by this scheme as
well as failure of any power supply related to the readout circuitry or lasing
circuitry because the output pulse rate would go to zero.
Configuration 4
Figure C4 shows two separate sets of readout circuitry which are identi-
cal to the configuration 2 readout circuitry except that the photodetectors are
physically adjusted so their response to the moving fringe pattern is separated
by 1/4 cycle (1/4 λ).
[Figure C3: photodetector channels A, B and C crossfed (1/3 spacing) into three directional logic blocks and line drivers; Angle A, Angle B, Angle C = Σ(P_CW − P_CCW); P_CW = clockwise pulses, P_CCW = counter-clockwise pulses]
Figure C3. - Crossfed redundant readouts

[Figure C4: two independent readouts, channels A/B and C/D (1/4 λ spacing), each with its own directional logic and line drivers; Angle A and Angle B = Σ(P_CW − P_CCW)]
Figure C4. - Redundant readouts
Hard failures in the readout circuitry of Figure C4 may be detected
using the following criteria:
• The two angles (A and B) shall be within ±1 pulse of each
other.
• The summation of the pulses [Σ (P_CW + P_CCW)] from either
of the outputs shall not equal zero.
Failure of the gyro to lase is also readily determined by this scheme as
well as failure of any power supply related to the readout circuitry or lasing
circuitry because the output pulse rate would go to zero.
"i
: t
Figure C5 is an input/output curve which illustrates the effect of dither
spillover on pulse count. The amount of dither spillover is controlled by a
physical alignment. Dither spillover is presently adjusted to be below ±1
count per cycle. For this scheme it would be adjusted to between 0.5 count/
cycle and 1 count/cycle. For input rates near zero, the sum of the CW pulses
and CCW pulses for a given time period [Σ (P_CW + P_CCW)] remains constant
while the actual input rate is determined by subtracting the CCW pulses from
the CW pulses for a given time period [Σ (P_CW − P_CCW)]. This phenomenon
is very useful in detecting failures inasmuch as zero pulses during a given
time period does not mean zero rate but a failure.
[Figure C5: input/output curve of CW and CCW pulses/second versus input rate, with (CW − CCW) shown]
Figure C5. - Input/output curve (± count spillover)
APPENDIX D
FAILURE MODEL
In practical work it is often desirable to find an approximate solution to a
problem that is in a simpler form and is easier to evaluate. We are all
familiar with certain approximations, like x for sin x if x is small; the same
approximation is also good for tan x under the same conditions. Let us derive
the approximate solution for the state block diagram. The simplest way of
obtaining an approximate expression is to use a power series expansion for the
given result and then to keep only the first few terms. If we tried to apply
this method directly to our state block diagram model, we would have to
obtain the solution in terms of exponential expressions and then expand these
terms in power series using the proper expression for the given exponentials.
It is obvious that the use of this procedure will be rather lengthy and time
consuming. Let us investigate, therefore, an alternate approach.
In the simplest case the state diagram can be expressed as a sequence of
arrows forming a straight path. An example of a general string is:
The state probability for the last state (failure state) will be given in Laplace
transform by

P_N(s) = \frac{k_1 k_2 k_3 \cdots k_N}{(s + k_1)(s + k_2)(s + k_3) \cdots (s + k_N)\, s}

If we expand the denominator, we will obtain

s^{N+1} + s^{N}(k_1 + k_2 + k_3 + \cdots + k_N) + s^{N-1}(\ldots) + \cdots
Substituting this expression in the equation giving P_N(s) and then performing
long division, we obtain

P_N(s) = \frac{k_1 k_2 k_3 \cdots k_N}{s^{N+1}} - \frac{k_1 k_2 k_3 \cdots k_N\,(k_1 + k_2 + k_3 + \cdots + k_N)}{s^{N+2}} + \cdots

The above expression is then inverted

P_N(t) = \frac{k_1 k_2 k_3 \cdots k_N\, t^N}{N!} - \frac{k_1 k_2 k_3 \cdots k_N\,(k_1 + k_2 + k_3 + \cdots + k_N)\, t^{N+1}}{(N+1)!} + \cdots

If we use Πk to denote the product of all failure rates and Σk to denote
the sum of all failure rates, we may rewrite the above formula as

P_N(t) = \frac{(\Pi k)\, t^N}{N!} - \frac{(\Pi k)(\Sigma k)\, t^{N+1}}{(N+1)!} + \text{other terms}
Normally we will use only the first term for the approximate expression
giving the probability of failure. Thus

P_N(t) \approx \frac{(\Pi k)\, t^N}{N!}

Since, in this case, we are dealing with an alternating power series, the next
term will give an indication of the error involved. Or, numerically

|\text{Error}| < \frac{(\Pi k)(\Sigma k)\, t^{N+1}}{(N+1)!}
In addition to the k's probabilities, self-test deficiencies can be added to
the above expression. Where C_N(s) = C_1 · C_2 · C_3, etc., substitution into
the above expression results in the composite approximate expression

P_N(t) \approx \sum_P \frac{(\Pi kC)\, t^N}{N!}

where
  Σ_P is the sum of all paths from system operational to the
      point(s) of interest
  N is the number of blocks in a path containing k's
  ΠkC denotes the product of all failure rates (k's) and self-test
      deficiencies (C's) in a path
  ! denotes factorial
The following example demonstrates the use of this technique:
[State diagram: System operational → ... → Potentially catastrophic failure (PCF)]
The probability of failure

P_{CF} = \frac{4k \cdot 3k \cdot C_E\, t^2}{2!} + \frac{4k\,(1 - C_E)\, t}{1!}

which reduces to 6k^2 C_E t^2 + 4k(1 - C_E)t.
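A numerical check of the Appendix D approximation, added here as an example and not taken from the report: for a straight chain of failure states it compares the exact state probability (inverse transform by partial fractions) with the first-term approximation and the next-term error bound, and it evaluates the composite path expression for the worked example above. The failure rates, the coverage C_E and the times are constructed values.

```python
# Added example (not the report's own code): Appendix D series approximation
# for a straight chain, checked against the exact state probability, plus the
# composite path expression with self-test deficiencies. All rates,
# coverages and times are constructed values.
import math


def exact_chain_probability(rates, t):
    """Exact P_N(t) for a straight chain with distinct rates k_1..k_N: the
    inverse transform of k_1...k_N / [s (s+k_1)...(s+k_N)] by partial
    fractions (the hypoexponential distribution function)."""
    p = 1.0
    for i, ki in enumerate(rates):
        coef = 1.0
        for j, kj in enumerate(rates):
            if j != i:
                coef *= kj / (kj - ki)
        p -= coef * math.exp(-ki * t)
    return p


def approx_chain_probability(rates, t):
    """First series term kept by the report: (Πk) t^N / N!"""
    n = len(rates)
    return math.prod(rates) * t ** n / math.factorial(n)


def error_bound(rates, t):
    """Magnitude of the next (alternating) term: (Πk)(Σk) t^(N+1) / (N+1)!"""
    n = len(rates)
    return math.prod(rates) * sum(rates) * t ** (n + 1) / math.factorial(n + 1)


def path_probability(paths, t):
    """Composite expression Σ_P (ΠkC) t^N / N!. Each path is a pair
    (rates, coverages): the k's of its blocks and the C or (1 - C) factors
    picked up along it; N is the number of blocks carrying a rate."""
    total = 0.0
    for rates, coverages in paths:
        n = len(rates)
        total += math.prod(rates) * math.prod(coverages) * t ** n / math.factorial(n)
    return total


def report_example(k, c_e, t):
    """The worked example above: 4k·3k·C_E t^2/2! + 4k(1-C_E) t/1!,
    which reduces to 6k^2 C_E t^2 + 4k(1-C_E) t."""
    return path_probability([([4 * k, 3 * k], [c_e]),
                             ([4 * k], [1 - c_e])], t)
```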