Just a thought came up, thinking about the Boeing problems....
Single sensor usage risks with duplicated+ control systems:
Now I wondered where sensors actually play a critical role: why, instead of one sensor feeding 2+ duplicated systems info, not have like 3 exact same sensors mounted together in a group (unit at same location), then one sensor is the "Active" one and the other two "Slaves", calibrated at factory to be the exact same.
Now if the active one goes faulty in flight (maybe at a critical height as well) or intermittently faulty, the other two are stable (OK) and the computer controls switch to one of the other two in an instant and flag the faulty one as well as disable it for immediate attention. The plane build is already expensive, I don't think this may make that much of a difference considering the extra possible layer of safety..... What do you think?
Digital Control systems and sensors
-
- Too Tousand
- Posts: 2519
- Joined: Mon Jul 23, 2007 4:39 pm
- Has thanked: 72 times
- Been thanked: 75 times
Re: Digital Control systems and sensors
You need to ask them this question.
If after decades of real world testing and "refinement" they still continue to do things as they do then by golly they sure have to have a sound reason for doing things the way they are.
No doubt they will respond to your question (if you get someone willing to speak to you...) with a long-winded, multi-paragraphed reply that would not really answer your question nor make absolute sense.
As to your question and "solution to be tried and tested" sounds very plausible to me.
Ubluwulululululu....!
-
- 1k poster
- Posts: 1583
- Joined: Mon Jul 03, 2006 8:57 am
- Closest Airfield: Cab
- Location: The Matrix
- Has thanked: 204 times
- Been thanked: 372 times
Re: Digital Control systems and sensors
To try and keep it short:
If a sensor is required for a critical system (loss leads to catastrophic failure), then it (or the complete system) is duplicated / triplicated.
If critical sensors were to be co-located, then they would be exposed to zonal risks, i.e. an issue in that zone can affect both. An acceptable Zonal Hazard Analysis (ZHA) is required for certification.
- These users thanked the author StressMerchant for the post:
- EDP
Dweller on an errant planet
-
- Too Tousand
- Posts: 2519
- Joined: Mon Jul 23, 2007 4:39 pm
- Has thanked: 72 times
- Been thanked: 75 times
Re: Digital Control systems and sensors
Then they should isolate and make zones redundant as well, one not affecting the other. I believe a life/death critical system such as this should be redundant by nature.
They could even design different sensing methods.
With today's technology all this and more can be done.
Ubluwulululululu....!
-
- Engine Started
- Posts: 52
- Joined: Mon Oct 24, 2011 8:25 pm
- Has thanked: 11 times
- Been thanked: 6 times
Re: Digital Control systems and sensors
My point maybe... that having one sensor duplicated in a duplicated system is one thing, however having 3 sensors in a pack in the same place looking at the same important thing, and that duplicated, is a very different situation. In this case system A or B has a verification per side right there (local in that system) and the system can decide that one of the 3 must be faulty, and that decision is pinned to system A or B independently, whether system A or B may have failed from something else not that important and switch over to a single faulty side that does not know that by design.
StressMerchant wrote: ↑Mon Apr 01, 2024 6:19 am
To try and keep it short:
If a sensor is required for a critical system (loss leads to catastrophic failure), then it (or the complete system) is duplicated / triplicated.
If critical sensors were to be co-located, then they would be exposed to zonal risks, i.e. an issue in that zone can affect both. An acceptable Zonal Hazard Analysis (ZHA) is required for certification.
If mounting 3 sensors together delivers problems of design, there may be a challenge for the engineers to sort out to make the concept reliable.
-
- Seven Thousand
- Posts: 7697
- Joined: Mon Sep 19, 2005 3:45 pm
- Closest Airfield: Rhino Park
- Location: Pretoria
- Has thanked: 62 times
- Been thanked: 1048 times
Re: Digital Control systems and sensors
Reliability Engineering is a remarkably complex subject.
9 times out of 10, you will find that just duplicating a sensor actually decreases reliability. More wires, more connectors, more complex software, etc. Every single one of these adds additional failure probabilities.
There is a very good reason that safety critical systems have settled on completely independent systems with the simplest possible voting/alerting systems.
But back to the original statement:
As far as I know, this never happens in a safety critical system - what exactly are you referring to here?
Justin Schoeman
ZU-FSR (Raven)
-
- Engine Started
- Posts: 52
- Joined: Mon Oct 24, 2011 8:25 pm
- Has thanked: 11 times
- Been thanked: 6 times
Re: Digital Control systems and sensors
Just about the nature of the sensor, out of more requirements over and above the existence of the sensor.
heisan wrote: ↑Tue Apr 02, 2024 10:19 am
Reliability Engineering is a remarkably complex subject.
9 times out of 10, you will find that just duplicating a sensor actually decreases reliability. More wires, more connectors, more complex software, etc. Every single one of these adds additional failure probabilities.
There is a very good reason that safety critical systems have settled on completely independent systems with the simplest possible voting/alerting systems.
But back to the original statement:
As far as I know, this never happens in a safety critical system - what exactly are you referring to here?
1-According to CNN 2019 they had one sensor........ There were duplicated systems. They later added another sensor.
2-I just made a suggestion from that the "simplest" idea caused problems. The suggestion was based on the idea that in a duplicated system that failed like this, the sensor may be faulty in such a way that the system does not recognise it, due to the circumstances it operates in, and just executes accordingly naturally (which ends up being wrong)......... If 3 sensors are in place, the faulty one could be recognised "locally" in the one system, while otherwise the nature is such that the other system is not the wiser either. It's not that the sensor flat-out fails, but rather provides faulty info within a range; it's not like the thing went dead short or wires off, not a straightforward fault to raise a system alarm on the one system.
3-One should differentiate between an outright technical failure and a failure that's "off base" but does not trigger an alarm in the system due to the nature of its operation.
There's nothing more I can say or suggest apart from best manufacturing practices right through.
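An added example, not from this thread and not any manufacturer's or certification authority's logic, of the two points argued above: the original post's three-sensor pack with a local 2-out-of-3 vote that catches a channel drifting "off base" within range (point 2 above) rather than failing outright, and heisan's warning that the extra wiring, connectors and voting software carry their own failure probability. The sensor readings, the 2.0-degree agreement window, the latch-after-3-samples rule and the failure probabilities are all constructed for illustration.

```python
"""Added example: 2-out-of-3 sensor voting with a drifting (not dead) channel,
plus a back-of-envelope reliability comparison. All values are constructed."""
import math
from statistics import median

TOLERANCE_DEG = 2.0  # assumed agreement window between channels, in degrees


def vote_2oo3(readings, tolerance=TOLERANCE_DEG):
    """Return (selected_value, flagged_channels) for one sample.

    readings maps channel name -> value. A channel is flagged when it sits more
    than `tolerance` away from the median of the live channels. If fewer than two
    channels agree, no value is trusted and None is returned for the crew warning
    path instead of silently picking a side.
    """
    mid = median(readings.values())
    flagged = sorted(ch for ch, v in readings.items() if abs(v - mid) > tolerance)
    agreeing = [v for ch, v in readings.items() if ch not in flagged]
    if len(agreeing) < 2:
        return None, flagged
    return median(agreeing), flagged


def monitor(samples, tolerance=TOLERANCE_DEG, latch_after=3):
    """Run the vote over successive samples.

    A channel flagged `latch_after` samples in a row is latched as failed and
    excluded from later votes, so an intermittent or slowly drifting sensor is
    removed locally without any flat "sensor dead" fault ever occurring. With only
    two channels left, a disagreement can be detected but not resolved.
    Returns (history of (value, latched_channels), set of latched channels).
    """
    streak = {}
    latched = set()
    history = []
    for sample in samples:
        live = {ch: v for ch, v in sample.items() if ch not in latched}
        value, flagged = vote_2oo3(live, tolerance)
        for ch in live:
            streak[ch] = (streak.get(ch, 0) + 1) if ch in flagged else 0
            if streak[ch] >= latch_after:
                latched.add(ch)
        history.append((value, sorted(latched)))
    return history, latched


# Constructed time series (degrees): A and C agree, B drifts high but never
# reports an obviously impossible value, which is exactly the hard case.
SAMPLES = [
    {"A": 5.0, "B": 5.1, "C": 5.2},
    {"A": 5.0, "B": 6.0, "C": 5.2},
    {"A": 5.0, "B": 7.5, "C": 5.2},
    {"A": 5.0, "B": 8.5, "C": 5.2},
    {"A": 5.0, "B": 9.0, "C": 5.2},
    {"A": 5.0, "B": 9.5, "C": 5.2},
]


def p_fail_single(p_channel):
    """Probability the single-sensor arrangement delivers no valid value."""
    return p_channel


def p_fail_2oo3(p_channel, p_voter=0.0):
    """Probability a 2oo3 arrangement fails: two or more independent channels
    fail, OR the added voter/wiring/software (p_voter) fails. Channel and voter
    failures are assumed independent; all probabilities are per-flight-hour
    placeholders, not real component data."""
    two_or_three = 3 * p_channel**2 * (1 - p_channel) + p_channel**3
    return 1 - (1 - two_or_three) * (1 - p_voter)


if __name__ == "__main__":
    hist, bad = monitor(SAMPLES)
    for i, (value, latched) in enumerate(hist, 1):
        print(f"sample {i}: selected={value} latched={latched}")
    print("single sensor :", p_fail_single(1e-3))
    print("2oo3, ideal voter :", p_fail_2oo3(1e-3))
    print("2oo3, voter as weak as a sensor:", p_fail_2oo3(1e-3, p_voter=1e-3))
```

Running it, channel B is flagged from the third sample and latched out after the fifth, while the selected value stays on the A/C consensus throughout; the reliability lines show the 2oo3 pack cutting the failure probability by roughly three orders of magnitude with an ideal voter, and coming out slightly worse than the single sensor once the added voter is given the same failure probability as a sensor, which is the trade-off heisan's post is pointing at.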
-
- 1k poster
- Posts: 1583
- Joined: Mon Jul 03, 2006 8:57 am
- Closest Airfield: Cab
- Location: The Matrix
- Has thanked: 204 times
- Been thanked: 372 times
Re: Digital Control systems and sensors
Where sensors need to be duplicated / triplicated and protected, they will be. That is already part of standard design practices across the industry.
The regulatory requirements are listed in 14 CFR 25.1309:
(a) The equipment, systems, and installations whose functioning is required by this subchapter, must be designed to ensure that they perform their intended functions under any foreseeable operating condition.
(b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that--
(1) The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and
(2) The occurrence of any other failure condition which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.
(c) Warning information must be provided to alert the crew to unsafe system operating conditions, and to enable them to take appropriate corrective action. Systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards.
(d) Compliance with the requirements of paragraph (b) of this section must be shown by analysis, and where necessary, by appropriate ground, flight, or simulator tests. The analysis must consider--
(1) Possible modes of failure, including malfunctions and damage from external sources.
(2) The probability of multiple failures and undetected failures.
(3) The resulting effects on the airplane and occupants, considering the stage of flight and operating conditions, and
(4) The crew warning cues, corrective action required, and the capability of detecting faults.
The real issue has been why the 737 MAX design appears to have ignored this regulation. You'll read a lot about cost-cutting and insufficient FAA oversight, but the truth is probably even simpler: the designers did not appreciate the danger during the failure. From all the reports I have seen, the aircraft could be safely flown without the MCAS system. System works, aircraft safe; system switched off, aircraft safe. What no one seems to have appreciated was the difficulty the operational pilots would experience identifying and dealing with the failure. Changes to the system during development probably didn't help. If the failure mode had been properly identified, the original system would probably have not been certified.
Aviation system safety is one of the most difficult fields of aerospace engineering to master. If you want to learn more, one of the leading experts in the world is a South African named Duane Kritzinger, now in the UK.
(https://aircraftsystemsafety.com/)
- These users thanked the author StressMerchant for the post:
- EDP
Dweller on an errant planet