Proceedings of CECNet 2021 A.J. Tallón-Ballesteros (Ed.) © 2022 The authors and IOS Press. This article is published online with Open Access by IOS Press and distributed under the terms of the Creative Commons Attribution Non-Commercial License 4.0 (CC BY-NC 4.0). doi:10.3233/FAIA210440

# A Study on Fault Tolerance Technology of Flight Control Computer for Unmanned Aerial Vehicle

Chen ZHANG<sup>a, 1</sup> and Jihui PAN<sup>b</sup> <sup>a</sup>Major Laboratory of Space Physics, Beijing, 100076, China <sup>b</sup>Northwestern Polytechnical University, Xian, Shaanxi, 710072, China

Abstract: According to the reliability requirement of the Flight Control Computer for Unmanned Aerial Vehicle (UAV), a design scheme is proposed to ensure its reliability by using tri-redundancy technology. By selecting an appropriate redundancy mode, the architecture model of the triple redundant flight control computer is established in this paper. The multi-channel security level method can give full play to the error tolerance ability of the system and improve the fault tolerance performance of the aircraft. After an extensive analysis and study of the structure of each module, the hardware circuit and software flow chart of the key technologies, such as the redundancy strategy and the synchronization method, are suggested. A channel selection method based on channel security level is proposed. Combined with the comparison technology between channels, the selection of the optimal safe channel is realized.

Keywords: Flight control system; synchronization; security level

## 1. Introduction

The Flight Control Computer is one of the core components of a UAV, and the reliability of its design directly affects the flight safety of the aircraft [1,2]. Redundancy technology can effectively improve the reliability and fault tolerance of the flight control computer system. The degree of redundancy has a direct impact on reliability: the higher the degree of redundancy, the higher the system mission reliability. However, increasing the degree of redundancy in turn reduces the basic reliability and increases the volume, weight and cost, so the degree of redundancy should be balanced according to the product development targets and constraints. Therefore, it is necessary to start with the design of the flight control computer architecture and adopt redundancy technology to fundamentally improve the fault tolerance and the survivability of the system [3-5].

In this paper, a tri-redundancy computer is designed and a channel selection method based on the channel security level is proposed. The hardware circuit and software flow chart of the key technologies such as redundancy strategy and synchronization method are given.

<sup>1</sup> Corresponding Author: Zhang Chen, Major Laboratory of Space Physics, Beijing, 100076, China; Email: 925819259@qq.com.

## 2. Flight Control Computer Architecture

Commonly used redundancy architectures include n-mode redundant structures and comparative monitoring structures. Most flight control computers of large manned aircraft use the above two redundant structures, or a combination of two redundant structures [6,7].

The advantage of the n-mode redundancy structure is its majority voting. When the redundancy is more than 3, the system is reliable, but when it is less than 3, the system can only select channels through self-monitoring, which reduces the reliability [8,9].

The advantage of the redundant monitoring structure is its high reliability. It selects channels by comparing two computers in each channel, but the disadvantage is that the hardware is rather more complex [10-13].

A tri-redundancy computer scheme is presented in this paper. By comparing the security levels of multiple channels, the selection of the optimal security channel is realized, the error tolerance ability of the system is brought into full play, and the fault tolerance performance of the aircraft is improved.

The flight control computer uses a tri-redundancy structure, the internal structure of which is shown in Figure 1. The flight control computer has three identical channels, each of which includes a central processing unit (CPU), input and output interface (DIO), analog quantity processing module (AIO), serial port transceiver module (Sio), power supply module (PS) and other functional modules. The flight control computer only has one set of I/O interface, and the I/O interface is pseudo triplex. In the process of flight control computer working, 3 channels receive external input data at the same time, and one of them is chosen as the control computer by voting mechanism.



Figure 1 Tri-redundancy flight control architecture

## 3. Channel selection method based on security level

In order to improve the reliability and the fault tolerance of the system, a channel selection method based on channel security level is proposed. Based on the comparative technology between the channels, the selection of the optimal safe channel is realized [6].

First, the flight parameters of the channel are obtained and synthesized to obtain the safety level of the flight parameters of the channel. Then, they are combined with the internal parameters of the channel, the security level of the channel is synthesized, and the security level of other channels of the redundancy computer is obtained through inter channel transmission. On comparing the security levels of the multiple channels of redundancy computer, the channel effectiveness of redundancy computer is obtained and one of the computers is selected as the control computer through the voting arbitration circuit.

### 3.1. Safety level of channel flight parameters

The input parameters of channel are divided into three parameter sets: the parameter set for the safe execution of mission, the parameter set for the safe flight and guidance of aircraft, and the parameter set for the stability of flight attitude.

The first parameter set is to ensure the flight attitude stability of the aircraft, including pitch angle, tilt angle, heading angle, pitch angle rate, tilt angle rate, heading angle rate, barometric altitude, indicated airspeed and effective parameters of steering gear.

The second parameter set is the parameter set to ensure the safe flight and guidance of the aircraft. In addition to the first parameter set, it also includes the position parameters of the aircraft. The second parameter set includes the pitch angle, tilt angle, heading angle, pitch angle rate, tilt angle rate, heading angle rate, air pressure altitude, indicated airspeed, steering gear communication parameters and position parameters.

The third parameter set ensures the safe execution of the mission by the aircraft. In addition to the second parameter set, it also includes the parameters of the aircraft that affect the mission execution. The third parameter set includes pitch angle, tilt angle, heading angle, pitch angle rate, tilt angle rate, heading angle rate, air pressure altitude, indicated airspeed, steering gear communication parameters, position parameters and mission load parameters.

To synthesize the safety level of the channel flight parameters, the external input parameters are classified into three parameter sets according to how critical the parameters are: the parameter set of flight attitude stability, the parameter set of aircraft safe flight and guidance, and the parameter set of aircraft safe mission execution. The status is obtained from the external input parameters of the channel and synthesized into the flight parameter safety level of the channel. The safety level of the channel flight parameters is divided into four levels: level 0: mission parameter safety, level 1: flight parameter safety, level 2: flight parameter degradation safety, and level 3: flight parameter insecurity.

Level 0: mission parameter safety, when the parameter is set for the aircraft to safely perform the mission, including all the parameters that can safely perform the mission.

Level 1: flight parameter safety, when the parameters are set for aircraft safe flight and guidance, aircraft safe flight and guidance parameters, but not the mission load parameters.

Level 2: flight parameters are degraded safely, when parameter is set for stable flight attitude and safe flight parameters after degradation.

Level 3: flight parameters are unsafe, and there is no parameter set for stable flight attitude.

### 3.2. Channel internal parameters

In the channel security level synthesis method, when the channel memory, the channel power supply and the channel watchdog are all valid, the channel internal parameters are valid; otherwise, the channel internal parameters are invalid.

### 3.3. Comprehensive channel safety level

According to the safety level of the channel flight parameters and combined with the effectiveness of the internal parameters of the channel, the comprehensive safety level of the channel is realized.

In the channel safety level synthesis method, the channel safety level is divided into four levels: level 0: channel mission safety, level 1: channel flight safety, level 2: channel flight degradation safety, and level 3: channel flight insecurity.

When the internal parameters are valid, the channel safety level is equal to the channel flight parameter safety level; otherwise, the channel security level equals level 3.

### 3.4. Channel selection circuit design

The channel flight parameter safety level Ex\_Pa\_Level takes one of the above four values. Ex\_Pa\_Level consists of 2 bits, Bit1 and Bit0, where 00 represents level 0, 01 represents level 1, 10 represents level 2 and 11 represents level 3.

The validity of the channel internal parameters depends on the validity of the channel CPU, channel memory, channel power supply and channel watchdog. Cpu\_V is the CPU validity, Ram\_V is the memory validity, Power\_V is the power supply validity and Wachdog\_V is the watchdog validity. When all four are valid at the same time, the channel internal parameter signal Inside\_Pa\_V is valid; otherwise, Inside\_Pa\_V is invalid (the signal is valid at low level and invalid at high level). 4 OR gates are used to realize the synthesis of the internal parameters of the channel.

The comprehensive channel security level is obtained from the channel flight parameter safety level Ex\_Pa\_Level combined with the internal parameter validity Inside\_Pa\_V. When Inside\_Pa\_V is valid, the channel safety level Chx\_Pa\_Level is equal to the safety level of the channel flight parameters; otherwise, the channel security level is equal to level 4. Chx\_Pa\_Level consists of 2 bits, where 00 represents level 0, 01 represents level 1, 10 represents level 2 and 11 represents level 3.

In the channel effectiveness comparison method, the inputs are the three channel security levels Chx\_Pa\_Level and the outputs are the three channel validity signals Chx\_V. If the safety level number of the current channel is not greater than those of the other two channels, the channel is valid; otherwise, the channel is invalid (the Chx\_V signal is valid at high level and invalid at low level).

According to the priority and effectiveness of the three channels, the channel with the best health is voted as the control channel.

In the three-channel control right arbitration circuit, the input is the three channel validity Chx\_En and the output is the channel enable Chx\_En (the Chx\_En signal is valid at high level and invalid at low level).

The channel with the best health takes control according to the following rule: if channel 1 is valid, the channel 1 enable output is valid; if channel 1 fails and channel 2 is valid, the channel 2 enable output is valid; if channel 1 fails, channel 2 fails and channel 3 is valid, the channel 3 enable output is valid; if all three channels fail, the enable output of channel 1 is valid.

The logic diagram is shown in Figure 2.



Figure 2 Channel selection circuit design graph
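The selection logic of Sections 3.3 and 3.4 can be modelled in software as follows. This is an added example, not the authors' circuit or code: the function names are assumptions, and an invalid Inside\_Pa\_V is mapped to level 3 (binary 11) as stated in Section 3.3.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LEVEL_UNSAFE 3u  /* level 3 (binary 11): channel flight insecurity */

/* Inside_Pa_V: OR of the four active-low validity signals (0 = valid).
 * The result is 0 (valid) only when CPU, RAM, power and watchdog are valid. */
uint8_t inside_pa_v(uint8_t cpu_v, uint8_t ram_v, uint8_t power_v, uint8_t wdog_v)
{
    return (uint8_t)((cpu_v | ram_v | power_v | wdog_v) & 1u);
}

/* Chx_Pa_Level: the flight parameter level when the internals are valid,
 * otherwise level 3, following the rule stated in Section 3.3. */
uint8_t chx_pa_level(uint8_t ex_pa_level, uint8_t inside_v)
{
    return inside_v == 0u ? (uint8_t)(ex_pa_level & 3u) : (uint8_t)LEVEL_UNSAFE;
}

/* Chx_V (active high): channel i is valid when its level number is not
 * greater than the level numbers of the other two channels. */
void chx_valid(const uint8_t lvl[3], bool valid[3])
{
    for (int i = 0; i < 3; i++)
        valid[i] = lvl[i] <= lvl[(i + 1) % 3] && lvl[i] <= lvl[(i + 2) % 3];
}

/* Chx_En arbitration: fixed priority 1 > 2 > 3; channel 1 is enabled when
 * no channel is valid. Returns the enabled channel number (1..3). */
int arbitrate(const bool valid[3])
{
    if (valid[0]) return 1;
    if (valid[1]) return 2;
    if (valid[2]) return 3;
    return 1;
}

/* Full path from three synthesized levels to the enabled channel. */
int select_channel(uint8_t l1, uint8_t l2, uint8_t l3)
{
    const uint8_t lvl[3] = { l1, l2, l3 };
    bool valid[3];
    chx_valid(lvl, valid);
    return arbitrate(valid);
}

int main(void)
{
    /* Constructed sample: channel 1 has a failed watchdog, channel 2 has
     * degraded flight parameters, channel 3 is fully healthy. */
    uint8_t l1 = chx_pa_level(0u, inside_pa_v(0, 0, 0, 1));
    uint8_t l2 = chx_pa_level(2u, inside_pa_v(0, 0, 0, 0));
    uint8_t l3 = chx_pa_level(0u, inside_pa_v(0, 0, 0, 0));
    printf("levels %u %u %u -> control channel %d\n",
           (unsigned)l1, (unsigned)l2, (unsigned)l3, select_channel(l1, l2, l3));
    return 0;
}
```

Chx\_V is a relative comparison: three channels that all sit at level 3 tie as valid and channel 1 is enabled, so Chx\_En by itself does not show that the controlling channel is at a safe level.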

## 4. Synchronization method of the three channels

In order to meet the requirement of seamless switching during flight, the three channels must work synchronously. Synchronization means that the periodic tasks of the 3 channels are carried out in the same cycle, and that the same tasks are executed as nearly simultaneously as possible across the 3 channels. If the channels cannot work synchronously, the periodic tasks of the three channels cannot be completed in the same beat, which means that neither the sampling nor the controlling of the three channels can be carried out simultaneously, and seamless switching between the three channels cannot be realized, which could cause the craft to become unstable in an instant.

### 4.1. Synchronization method of the three channels

The main causes of loss of synchronization among the three channels are the difference in channel start-up time and the accumulation of crystal oscillator errors. The difference in start-up time refers to the difference in the start-up time of the operating system, which causes the three channels not to enter the flight control program at the same time. The accumulation of crystal oscillator errors is another reason why the three channels cannot be synchronized. The error accumulation test is carried out with two channels. After power-on, the two channels are synchronized and periodic pulses (period is 10ms) are sent out. Because of the oscillators, the clock errors accumulate, and the two channels differ by 10ms at 15 minutes. This error cannot be tolerated during the flight. Therefore, in addition to the start-up synchronization between the three channels, it is necessary to carry out periodic synchronization.

### 4.2. Hardware design of synchronous circuit

In order to synchronize the three channels, a simple handshake protocol is proposed to synchronize the flight control computer. As shown in Figure 3, each channel has one output DO for sending a synchronous handshake signal to the other two channels, and two inputs DI for receiving the synchronous input signals from the other two channels. The synchronization method uses handshake mode: first the interrupt is turned off, then DO outputs a "logical low" synchronous handshake signal, and the channel then checks within a limited period whether the two DI inputs show the "logical low" handshake signal. After the handshake succeeds, the interrupt is opened and DO outputs "logic high"; all 3 channels keep the synchronization signal at logic high in preparation for the next synchronization.



Figure 3 Schematic diagram of synchronous signal hard connection

### 4.3. Software design of synchronization method

To address the difference in start-up time, the concepts of start-up synchronization and 10ms period synchronization are put forward in the software design. The synchronization software is interspersed throughout the Flight Control Program, as shown in Figure 4.

The start-up synchronization, which is called only once after booting, eliminates the start-up time differences among the three channels and is encapsulated as a function, void power on synchronize. Start-up synchronization method: after start-up, the processor sends a synchronous signal to the other two processors through the DO pin while collecting the synchronous signals sent by the other two processors; after collecting the synchronous signals of the two machines, it switches to the 10ms mission cycle. If the synchronous signals of the other two computers have not been collected after waiting for 3 s, the other two computers are considered to be out of order, and the remaining two processors are set to permanent failure.

The 10ms cycle synchronization, which is encapsulated as a function, void period 10ms synchronize (void), is called in the 10ms interrupt service routine. The function first disables all interrupts and determines whether the other two processors are available; if not, it goes into standalone mode, and if they are available, it goes into synchronization. Synchronization method: the DO pin sends out the synchronous signal to the other two processors, and the synchronous signals from the other two processors are collected at the same time. If the synchronous signals of the other two computers are not collected within 50 microseconds, the interrupt is opened and the function judges whether synchronization has failed 10 consecutive times; if so, the channel is put into single-machine working mode.



Figure 4 Synchronous Flow Chart in Flight Control Program

Figure 5 is a diagram of the narrow-amplitude pulse signals sent periodically (10ms period) by the three channels of the flight controller. After synchronization, the narrow-amplitude pulses are sent out at the same time; the handshake protocol completely solves the problem of synchronization.



Figure 5 Asynchronous/synchronous periodic pulse graph
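The 10ms period synchronization of Section 4.3, with its 50 microsecond wait and its limit of 10 consecutive failures, can be sketched as below. This is an added example, not the authors' code: `period_sync`, the `di_low_fn` hardware hook and the simulated peers are assumptions, and interrupt control and the DO pin are only indicated in comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SYNC_WINDOW_US  50u  /* wait limit for both DI lines (Section 4.3) */
#define MAX_SYNC_MISSES 10u  /* consecutive misses before single-machine mode */

typedef enum { MODE_SYNCHRONIZED, MODE_STANDALONE } sync_mode_t;
typedef struct { sync_mode_t mode; unsigned misses; } sync_state_t;

/* Hypothetical HAL hook: true when DI line `peer` (0 or 1) reads logic low
 * `t_us` microseconds after this channel drove its own DO low. */
typedef bool (*di_low_fn)(void *ctx, int peer, uint32_t t_us);

/* One 10 ms period handshake. Returns true when both peers answered in time.
 * On hardware, interrupts are disabled and DO is driven low before the loop,
 * and DO is returned to logic high afterwards. */
bool period_sync(sync_state_t *s, di_low_fn di_low, void *ctx)
{
    if (s->mode == MODE_STANDALONE)
        return false;                      /* peers already written off */
    for (uint32_t t = 0; t <= SYNC_WINDOW_US; t++) {
        if (di_low(ctx, 0, t) && di_low(ctx, 1, t)) {
            s->misses = 0;                 /* a success clears the streak */
            return true;
        }
    }
    if (++s->misses >= MAX_SYNC_MISSES)
        s->mode = MODE_STANDALONE;
    return false;
}

/* Simulated peers: delay in microseconds before each peer pulls its DO low,
 * or a negative value for a peer that never answers. */
static bool sim_di_low(void *ctx, int peer, uint32_t t_us)
{
    const int32_t *delay = ctx;
    return delay[peer] >= 0 && t_us >= (uint32_t)delay[peer];
}

/* Replays a constructed pattern, one character per 10 ms period:
 * 'o' = both peers answer within the window, 'x' = peer 1 stays silent.
 * Returns the final mode. */
sync_mode_t run_pattern(const char *pattern)
{
    sync_state_t s = { MODE_SYNCHRONIZED, 0 };
    for (; *pattern; pattern++) {
        int32_t delay[2] = { 5, (*pattern == 'o') ? 20 : -1 };
        period_sync(&s, sim_di_low, delay);
    }
    return s.mode;
}

int main(void)
{
    printf("9 misses, 1 success, 9 misses -> %d\n", run_pattern("xxxxxxxxxoxxxxxxxxx"));
    printf("10 consecutive misses         -> %d\n", run_pattern("xxxxxxxxxx"));
    return 0;
}
```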

## 5. Conclusion

After hundreds of simulation tests, significant results were obtained in fault tolerance and reliability. The flight control aircraft adopts the redundancy strategy under this configuration to meet the requirements of small size and low weight of the UAV, and the system reliability is guaranteed. The multi-channel security level method can give full play to the error tolerance ability of the system and improve the fault tolerance performance of the aircraft.

## References

- [1] LI Hailiang, CAI Jing, KANG Tingwei. Study on design of visual intelligent detection instrument for aviation cable fault [J]. Journal of Northwestern Polytechnical University, 2021, 39(4): 770-775.
- [2] Huang Y, He J H, Zhou M L, et al. Researching Integrated Flight / Fire Control System of Air-to-Ground Guided Bombs. Journal of Northwestern Polytechnical University, 2016, 34(2): 275-280.
- [3] Pan J H, Zhang S B, Zhang X L. Fault Diagnosis and Adaptive Reconfiguration for Multi-Redundancy Flight Control System [J]. Computer measurement and control, 2015. 23(48): 441-447.
- [4] ZHANG Yang, ZHOU Zhou, LI Xu. Effect of turbulence intensity and gradient of turbulence intensity on airfoil aerodynamic characteristics at low Reynolds number [J]. Journal of Northwestern Polytechnical University, 2021, 39 (4): 721-730.
- [5] Pan J H, Zhang S B, Zhang X L. Design and Realization of Treble-Redundancy Management Method of Flight Control System [J]. Journal of Northwestern Polytechnical University, 2013, 31(5): 798-802.
- [6] Suo X J, Kang X D, Zhou Q. Application of Fault Injection Technique in Analog Signal Acquisition of Airborne Computer [J]. Computer Measurement & Control, 2016, 24(1):304-312.
- [7] YANG Lei, ZHANG Bainan, GUO Bin, ZUO Guang, SHI Yong, HUANG Zhen. Concept definition of new-generation multi-purpose manned spacecraft [J]. Acta Aeronautica et Astronautica Sinica. 2015, 36(3): 703-713.
- [8] LEE J, KWON D, KIM N, et al. PHM-based wiring system damage estimation for near zero downtime in manufacturing facilities [J]. Reliability Engineering and System Safety, 2019, 184: 213-218.
- [9] WANG Danyang, TANG Jianjun, CHEN Ou, et al. Aerospace-cable fault location technology research based on time domain reflectometry (TDR) [J]. Aeronautical Manufacturing Technology, 2019, 62(Z2): 84-88, 96.
- [10] LI Lu. Simulation study on fault diagnosis of marine power cable [D]. Dalian: Dalian University of Technology, 2017.
- [11] CHUNG C C, LIN C P. A comprehensive framework of TDR landslide monitoring and early warning substantiated by field examples [J]. Engineering Geology, 2019, 262(28): 1-11.
- [12] LIU Yandong. Analysis of airworthiness requirement in EWIS design [J]. Journal of Shenyang Aerospace University, 2019, 30(4): 23-27.
- [13] MEI Z P, LI Q, WEN J Q. Research on optimization of wiring paths in airplane harness process [C]//2012 IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems, 2019: 485-488.