EP-4741951-A1 - A CONTROL SYSTEM

Abstract

A control system comprising an actuator and a system controller that outputs a command for controlling the actuator. A primary controller within the control system generates a primary control signal for controlling the actuator based on a system controller command and primary sensor data from one or more primary sensors. A secondary controller within the control system generates a secondary control signal for controlling the actuator based on the system controller command and secondary sensor data from one or more secondary sensors. A control signal router within the control system routes either the primary control signal or the secondary control signal to the actuator based on a routing command that is generated by a primary monitor that is part of the secondary controller.

Inventors

  • WILLIAMS, CONNEL
  • VIJAYAKUMAR, Franklin
  • ALI, Bertan
  • TEJPAL, Ritish

Assignees

  • Evolito Ltd

Dates

Publication Date
20260513
Application Date
20251104

Claims (15)

  1. A control system comprising: an actuator; a system controller for outputting a command for controlling the actuator; a primary controller coupled to the system controller and configured to generate a primary control signal for controlling the actuator based on the system controller command and primary sensor data from one or more primary sensors; a secondary controller coupled to the system controller and configured to generate a secondary control signal for controlling the actuator based on the system controller command and secondary sensor data from one or more secondary sensors; a control signal router coupled to the primary controller and secondary controller and to the actuator, the control signal router being configured to route the primary control signal or the secondary control signal to the actuator based on a routing command, wherein the secondary controller comprises a primary monitor that is configured to compare the primary and secondary control signals and to generate a primary routing command based on the comparison of the primary and secondary control signals.
  2. A control system according to claim 1, wherein the one or more primary sensors are independent of the one or more secondary sensors, and/or wherein the primary controller is independent of the secondary controller.
  3. A control system according to any preceding claim, wherein the primary monitor is configured to detect a failure in the primary controller from the comparison of the primary control signal and the secondary control signal, and wherein the primary monitor generates a primary routing command to cause the control signal router to switch from routing the primary control signal to the actuator, to routing the secondary control signal to the actuator in response to detecting a failure in the primary controller.
  4. A control system according to claim 3, comprising a secondary monitor coupled to the secondary controller and control signal router, the secondary monitor being configured to detect a failure in the secondary controller and generate a secondary routing command based on the detection of a failure in the secondary controller.
  5. A control system according to claim 4, wherein the secondary routing command enables the routing of the secondary control signal to the actuator when no failure is detected in the secondary controller.
  6. A control system according to claim 4 or 5, wherein the secondary monitor receives a secondary controller command from the primary monitor, the secondary controller command comprising at least a portion of the command generated by the system controller, the secondary monitor being configured to detect a failure in the secondary controller by: comparing the secondary control signal with a control signal based on the secondary controller command and tertiary sensor data from one or more tertiary sensors; and detecting whether or not there is a failure in the secondary controller based on the comparison of the secondary control signal from the secondary controller with a control signal based on the secondary controller command and the tertiary sensor data.
  7. A control system according to claim 6, wherein the one or more tertiary sensors are independent of the primary and secondary sensors.
  8. A control system according to any one of claims 4 to 7, comprising a latch controller coupled to the primary monitor and secondary monitor, the latch controller being configured to enable or disable the control signal router from switching between the primary control signal or secondary control signal based on a detected failure state of the primary and secondary controllers.
  9. A control system according to claim 8, wherein the latch controller is part of the secondary monitor.
  10. A control system according to any preceding claim, wherein the system controller is configured to override the routing control signals.
  11. A control system according to any preceding claim, wherein the primary and secondary controllers each comprise a respective processor, and wherein the processor in the secondary controller is lower-powered than the processor in the primary controller, and/or wherein the secondary controller and primary monitor are co-located with each other, or wherein the secondary controller and primary monitor are part of the same processor.
  12. A control system according to any preceding claim, wherein the control system is for an axial flux machine, and wherein the actuator comprises an inverter for generating a multi-phase AC output voltage for powering the axial flux machine, optionally wherein the axial flux machine is an axial flux motor or generator, and/or wherein the system controller command comprises a demand torque and/or speed condition for the axial flux machine.
  13. An Electric Propulsion Unit comprising: an electrical machine; and a control system according to any one of claims 1 to 11, wherein the actuator comprises an inverter for generating a multi-phase AC output voltage for powering the electric machine.
  14. An Electrical Propulsion Unit according to claim 13, comprising a second control system according to any one of claims 1 to 11, wherein the electric machine comprises a stator having first and second electrically isolated groups of stator bars in the same electrical machine, the first and second isolated groups of stator bars magnetically interacting with a common rotor, wherein the first control system is electrically coupled to the first electrically isolated group, and the second control system is electrically coupled to the second electrically isolated group, and/or wherein the electrical machines are axial flux electrical machines, and/or wherein the electrical machines are motors or generators.
  15. An Electrical Propulsion Unit according to claim 14, wherein the system controller command comprises a demand torque and/or speed condition for the axial flux machine.
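
The routing scheme of claims 1 to 10 as a discrete-time model (an added example, not code from the patent or from Evolito Ltd). The controller law, the mismatch TOLERANCE, the sensor values and the latch semantics are assumptions; the claims only state that the monitors compare control signals and that routing switches on a detected failure.

```python
# Added example, not from the patent: a simple model of the primary/secondary
# controller, the primary monitor (inside the secondary controller), the
# secondary monitor with tertiary sensors, the latch controller and the
# system controller override. Controller law and TOLERANCE are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

TOLERANCE = 0.05  # assumed largest acceptable mismatch between control signals


def control_law(command: float, sensor: float) -> float:
    """Assumed controller: demand plus a proportional correction from its own sensor."""
    return command + 0.5 * (command - sensor)


@dataclass
class Router:
    """Control signal router plus latch controller state (claims 1 and 8)."""
    use_secondary: bool = False
    latched: bool = False  # latch controller has frozen the current route


def primary_monitor(primary_sig: float, secondary_sig: float) -> bool:
    """Part of the secondary controller (claim 1). True means the primary looks failed."""
    return abs(primary_sig - secondary_sig) > TOLERANCE


def secondary_monitor(secondary_sig: float, command: float, tertiary: float) -> bool:
    """Re-derives the signal from independent tertiary sensors (claim 6). True = secondary failed."""
    return abs(secondary_sig - control_law(command, tertiary)) > TOLERANCE


def step(router: Router, command: float, primary_sensor: float,
         secondary_sensor: float, tertiary_sensor: float,
         override: Optional[str] = None) -> Tuple[str, float]:
    """One control cycle. Returns (which signal reached the actuator, its value)."""
    p_sig = control_law(command, primary_sensor)
    s_sig = control_law(command, secondary_sensor)
    primary_failed = primary_monitor(p_sig, s_sig)
    secondary_failed = secondary_monitor(s_sig, command, tertiary_sensor)
    if override in ("primary", "secondary"):      # claim 10: system controller override
        router.use_secondary = override == "secondary"
    elif secondary_failed:
        router.latched = True                      # claim 8: secondary untrustworthy, freeze route
    elif primary_failed and not router.latched:
        router.use_secondary = True                # claims 3 and 5: switch to the healthy secondary
    source = "secondary" if router.use_secondary else "primary"
    return source, (s_sig if router.use_secondary else p_sig)
```

A primary/secondary mismatch alone cannot tell which controller is wrong; the model only switches when the tertiary-sensor check clears the secondary, which is the point of claims 4 to 8.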

Description

FIELD OF THE INVENTION

The present invention relates to improvements in control system integrity in the face of system component failure in safety-critical applications.

BACKGROUND OF THE INVENTION

Though the present invention is applicable to a wide variety of applications, including battery management systems, automotive power steering, control of avionic surfaces, generator and motor control, DC-DC converters, etc., the focus here will be on motor control, though it is to be understood that this application is not limiting. There are several instances where failure of an electric propulsion motor may cause critical safety issues. Automotive is clearly one such instance, and generators for medical facilities and nuclear power plant control systems are others, but arguably of greatest safety concern is loss of motive power in in-flight aerospace applications. In the field of aviation safety, ensuring the reliable operation of aircraft control systems is paramount, as failures in these systems can lead to catastrophic consequences. Though multiple redundant systems are generally uneconomic for land- and sea-based applications, because alternative, less costly options are available, redundant control systems have been a standard approach for aerospace because of the need to stay airborne and land safely. WO2016193884 teaches a triple redundant safety control system controlling a quadcopter for which opposing propeller and power units (effectors) are paired, with each effector pair being sufficient to support flight in the event one effector fails. There are master and slave control units and an emergency master unit providing triple redundancy of control. Various control architectures using triple redundant components are taught, and such systems inevitably rely on fast communications to enable effective transfer of control authority.

This highlights a problem with triple redundant systems: apart from the cost of duplicate components, there is reliance on high-speed signalling, which of itself carries a high cost of robust implementation. Duplex Systems, also known as Dual Redundancy Systems, involve two parallel sets of control units. Unlike TMR (triple modular redundancy), where three units operate simultaneously, Duplex Systems typically consist of two identical systems: a primary unit and a backup unit. Each system operates independently but processes the same inputs, usually from separate transducer inputs. The primary system usually handles all control tasks under normal conditions, while the backup system remains in standby mode, continuously monitoring the primary system's performance. US4032757A teaches such a system in which duplicate control systems operate independently, each with its own monitor that checks its own system inputs and outputs, which are compared with those of the other system. Data input/output is sequentially processed in each system and compared not only between systems, but also with the last cycle and/or a stored look-up table. Differences between the last and present cycle, or against the look-up table, e.g. for transducer data, show whether a transducer has failed. If the difference between the two control units is small, the primary unit uses the mean of the two independently arrived-at signals and its difference from the asked-for control value to set a new control output. Other comparison strategies are also taught. The implementation of TMR and Duplex Systems, including advanced variants, represents a fundamental strategy in ensuring the failsafe operation of aircraft control systems. These redundancy techniques provide a robust framework for maintaining control integrity in the face of component failures, thereby significantly enhancing the safety and reliability of aviation systems.

The present invention seeks to further refine these methods, offering novel approaches to optimising redundancy and fault tolerance in complex control environments.

EP3839688 teaches a variant of a duplex system for control of multiple motor units, each managing a specific motor through a primary motor controller. These controllers are interconnected with a central system control unit (COMstring) and a system monitoring unit (MONstring), which oversees the overall functionality and safety of the system. The system includes primary and secondary motor controllers, with switches that can alter the control path to the motors in response to detected malfunctions. The MONstring can disable communications between the COMstring and the motor controllers, or directly between the motor controllers and the motors, to prevent damage or unsafe conditions. Malfunctions are detected by sensors that monitor the operational state of the motors, such as temperature and rotation speed. In case of detected issues, the system can switch control from primary to secondary controllers, ensuring continued safe operation. EP3839688 teaches primary and secondary motor controllers for each motor. In the event of a failure in a primary controller, the system can switch control to the secondary controller,