EP-3889779-B1 - METHOD FOR HANDLING A SIMULTANEOUS FAILURE OF ALL CHANNELS OF A MULTI-CHANNEL ENGINE CONTROLLER FOR A GAS TURBINE ENGINE
Inventors
- HART, DAVID
- REESE, Adam
- GILTON, Jeffrey
Dates
- Publication Date: 20260506
- Application Date: 20210126
Claims (13)
- A method (500) for handling simultaneous software exceptions for all channels of a multi-channel engine controller (202) configured to control operation of a gas turbine engine (100), the method (500) comprising: obtaining, by a first processor (330) associated with a first channel (310) of the multi-channel engine controller (202), data indicative of a respective number of software exceptions for each channel, for all channels of the multi-channel engine controller (202); determining, by the first processor (330) associated with the first channel (310) of the multi-channel engine controller (202), that the first channel (310) is healthier than every other channel of the multi-channel engine controller (202) based on the first processor (330) having fewer software exceptions than each of the other channels; providing, by the first processor (330), one or more control signals (360) associated with resetting at least a second processor (340) associated with a second channel (320) of the multi-channel engine controller (202) based, at least in part, on the data; controlling, by the first processor (330), operation of the gas turbine engine (100) while at least the second processor (340) is resetting; and while at least the second processor (340) is resetting, the first processor (330) entering a safe mode (380) in which the first processor (330) is operable to perform only critical functions.
- The method (500) of claim 1, wherein determining that the first channel (310) is healthier than every other channel of the multi-channel engine controller (202) comprises comparing, by the first processor (330), one or more software exceptions associated with the first channel (310) to one or more software exceptions associated with each of the remaining channels of the multi-channel engine controller (202).
- The method (500) of claim 1 or 2, wherein providing the one or more control signals (360) associated with resetting at least the second processor (340) associated with the second channel (320) of the multi-channel engine controller (202) occurs in response to determining the first channel (310) is healthier than every other channel of the multi-channel engine controller (202).
- The method (500) of any of claims 1 to 3, wherein controlling operation of the gas turbine engine (100) while the second processor (340) is resetting comprises: controlling, by the first processor (330), operation of one or more actuators (240) of the gas turbine engine (100) such that operation of the gas turbine engine (100) is uniform while resetting the second processor (340).
- The method (500) of claim 4, wherein the one or more actuators (240) comprise at least one of a torque motor and a fuel metering solenoid valve.
- The method (500) of any of claims 1 to 5, further comprising: determining, by the second processor (340), one or more software exceptions associated with the second channel (320) no longer exist subsequent to resetting the second processor (340); and providing, by the second processor (340), one or more control signals (360) associated with resetting the first channel (310) in response to determining the one or more software exceptions associated with the second channel (320) no longer exist.
- The method (500) of any of claims 1 to 6, further comprising: controlling, by the second processor (340), operation of the gas turbine engine (100) while the first processor (330) is resetting.
- The method (500) of any of claims 1 to 7, further comprising: determining, by the first processor (330), at least the second channel (320) is offline when a predetermined amount of time lapses without the first processor (330) receiving data indicating at least the second processor (340) has reset.
- The method (500) of claim 8, further comprising: responsive to determining at least the second channel (320) is offline, providing, by the first processor (330), one or more control signals (360) associated with resetting the first processor (330) within a predetermined amount of time; and controlling, by the first processor (330), operation of the gas turbine engine (100) subsequent to resetting the first processor (330).
- The method (500) of claim 9, wherein the predetermined amount of time ranges from about 1 millisecond to about 5 milliseconds.
- A multi-channel engine controller (202) configured to control operation of a gas turbine engine (100), the multi-channel engine controller (202) comprising: a plurality of processors, each of the plurality of processors associated with a corresponding channel of the multi-channel engine controller (202), wherein a first processor (330) associated with a first channel (310) of the multi-channel engine controller (202) is configured to: obtain data indicative of a respective number of software exceptions for each channel of the multi-channel engine controller (202); determine the first channel (310) is healthier than every other channel of the multi-channel engine controller (202) based on the first processor (330) having fewer software exceptions than each of the other channels; provide one or more control signals (360) associated with resetting at least a second processor (340) associated with a second channel (320) of the multi-channel engine controller (202) based, at least in part, on the data; and control operation of the gas turbine engine (100) while at least the second processor (340) is resetting, wherein while at least the second processor (340) is resetting, the first processor (330) is configured to enter a safe mode (380) in which the first processor (330) is operable to perform only critical functions.
- The multi-channel engine controller (202) of claim 11, wherein the first processor (330) is configured to compare one or more software exceptions associated with the first channel (310) to one or more software exceptions associated with each of the remaining channels of the multi-channel engine controller (202) to determine the first channel (310) is healthier than every other channel of the multi-channel engine controller (202).
- The multi-channel engine controller (202) of claim 11 or 12, wherein the first processor (330) is configured to provide the one or more control signals (360) to at least the second processor (340) in response to the first processor (330) determining the first channel (310) is healthier than every other channel of the multi-channel engine controller (202).
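The channel arbitration in claims 1, 3 and 6 to 9, sketched in C as an added example that is not part of the patent text. The type names, action names and the tick-based timeout are assumptions; only the decision rules are taken from the claims.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration: names and the timeout value are assumptions;
 * only the decision rules come from the claims. */
#define PEER_RESET_TIMEOUT_TICKS 5u /* the claims say only "predetermined" */

typedef enum { CH_NORMAL, CH_SAFE_MODE, CH_RESETTING } ch_state_t;
typedef enum { ACT_NONE, ACT_RESET_PEERS, ACT_HAND_OVER, ACT_RESET_SELF } action_t;
typedef struct { ch_state_t state; uint32_t waited; } channel_t;

/* Claim 1: healthiest means strictly fewer exceptions than each other channel.
 * Returns its index, or -1 on a tie (ties are not addressed by the claims). */
int healthiest_channel(const uint32_t *exc, size_t n)
{
    size_t best = 0;
    int unique = 1;
    for (size_t i = 1; i < n; i++) {
        if (exc[i] < exc[best]) { best = i; unique = 1; }
        else if (exc[i] == exc[best]) { unique = 0; }
    }
    return (n > 0 && unique) ? (int)best : -1;
}

/* Safe mode (claim 1): only critical functions may run. */
int task_allowed(const channel_t *c, int is_critical) { return c->state != CH_SAFE_MODE || is_critical; }

/* One control-loop tick as seen by channel `self`. */
action_t channel_tick(channel_t *c, int self, const uint32_t *exc, size_t n,
                      int peer_reset_confirmed)
{
    if (c->state == CH_NORMAL && healthiest_channel(exc, n) == self) {
        c->state = CH_SAFE_MODE;      /* keep engine control, critical tasks only */
        c->waited = 0;
        return ACT_RESET_PEERS;       /* claims 1 and 3 */
    }
    if (c->state == CH_SAFE_MODE) {
        if (peer_reset_confirmed) {   /* claims 6-7: peer takes over and resets us */
            c->state = CH_RESETTING;
            return ACT_HAND_OVER;
        }
        if (++c->waited >= PEER_RESET_TIMEOUT_TICKS) { /* claim 8: peer offline */
            c->state = CH_RESETTING;  /* claim 9: reset self, then resume control */
            return ACT_RESET_SELF;
        }
    }
    return ACT_NONE;
}
```

With equal exception counts `healthiest_channel` returns -1 and no channel resets its peers; the claims do not cover that case, so an implementation needs an explicit tie-break to avoid the simultaneous reset the method is meant to prevent.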
Description
FEDERALLY SPONSORED RESEARCH
This invention was made with government support under contract N00019-04-C-0093 awarded by the US Naval Air Systems Command. The government may have certain rights in the invention.
FIELD OF THE INVENTION
The present subject matter relates generally to a method for handling a simultaneous failure of all channels of a multi-channel engine controller configured to control operation of a gas turbine engine. More specifically, the present subject matter is directed to a method for resetting each channel of the multi-channel engine controller without experiencing a lapse in control of the gas turbine engine.
BACKGROUND OF THE INVENTION
A gas turbine engine on an aircraft generally includes, in serial flow, a compressor section, a combustion section, a turbine section and an exhaust section. In operation, air enters an inlet of the compressor section where one or more compressors progressively compress the air until it reaches the combustion section. Fuel is mixed with the compressed air and burned within the combustion section to provide combustion gases. The combustion gases are then routed from the combustion section through a hot gas path defined within the turbine section and exhausted from the turbine section via the exhaust section.
Operation of the gas turbine engine may be controlled via an engine controller. Typical engine controllers can have dual channels to provide redundancy. For instance, typical engine controllers can include a first processor associated with a first channel of the engine controller and a second processor associated with a second channel of the engine controller. In some implementations, the two channels (e.g., first channel and second channel) may operate in an active/standby mode where one channel is active and in control while the other channel is in standby and ready to assume control if needed. In alternative implementations, the two channels may operate in an active/active mode where both channels are in control. Still further, in some implementations, the two channels may operate in a mixed mode where the engine controller implements an active/standby scheme and an active/active scheme.
In some instances, both the first channel and the second channel may each simultaneously experience one or more fault conditions (e.g., software exceptions). In such instances, both the first processor and the second processor may reset at the same time. This is undesirable, because resetting both the first processor and the second processor at the same time leaves no processor available to control operation of the gas turbine engine. Accordingly, a method for handling a simultaneous failure of all channels of a multi-channel engine controller configured to control operation of a gas turbine engine would be welcomed in the technology.
US 2018/349235 relates to a redundant computer system utilizing comparison diagnostics and voting techniques. US 2006/200278 relates to generic software fault mitigation. EP 1 835 404 relates to an electronic apparatus for detecting faults. US 2018/212858 relates to systems and methods for selection between multiple redundant data streams. The cited prior art fails to disclose determination of a healthier channel in case of simultaneous software exceptions occurring in all given channels, for the purpose of controlling operation of a gas turbine engine based on the determined healthier channel.
BRIEF DESCRIPTION OF THE INVENTION
The invention is set out in the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
A full and enabling disclosure of the present invention, including the best mode thereof, directed to one of ordinary skill in the art, is set forth in the specification, which makes reference to the appended figures in which:
- FIG. 1 depicts an aerial vehicle according to example embodiments of the present disclosure;
- FIG. 2 depicts a cross-sectional view of a gas turbine engine according to example embodiments of the present disclosure;
- FIG. 3 illustrates a schematic view of an engine control system according to example embodiments of the present disclosure;
- FIG. 4 depicts a control flow diagram of a multi-channel engine controller handling a simultaneous failure of all channels of the multi-channel engine controller according to example embodiments of the present disclosure;
- FIG. 5 depicts another control flow diagram of a multi-channel engine controller handling a simultaneous failure of all channels of the multi-channel engine controller according to example embodiments of the present disclosure; and
- FIG. 6 illustrates a flow diagram of one embodiment of a method for handling a simultaneous failure of all channels of a multi-channel engine controller configured to control operation of a gas turbine engine according to example embodiments of the present disclosure.
DETAILED DESCRIPTION OF THE INVENTION
Reference now will be made in detail to embodiments of the invention, one or more examples of which are illustrated in the drawings. Each