PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 13th Jul 2019, 13:24
#1350
infrequentflyer789
 
Join Date: Jan 2008
Location: uk
Posts: 857
Originally Posted by HighWind
What is meant by ’Activate the control system’?
My reading: if the system is known to have failed, it must warn of failure and fail inactive, and not activate just-in-case it might have been needed.

Are the systems not allowed to perform control based on erroneous sensor data, i.e. do they have to perform fault isolation? (Logical)
If the system detects erroneous sensor data and issues a warning of this, then it shouldn't activate based on that known erroneous data. If the data isn't known to be bad, say if it runs off one AOA sensor, then no warning and it can activate away...

Are the systems not allowed to ‘Activate’ another control strategy, i.e. perform fault isolation by ‘failing silent’, and perform graceful degradation like transitioning from Normal to Alternate mode? (Illogical)
My guess is that this is allowed provided the degradation is notified (which effectively is the "warning"), and the backup/reversion system is then assessed separately (with that assessment tempered by the likelihood of ending up in that mode - it may not need to comply with the same extent provided there is a low likelihood of reversion in the first place).

Or are the systems not allowed to ‘Activate’ another sensor channel, i.e. perform fault isolation by voting in another sensor, and thereby ‘Failing active’? (Illogical)
Based on what existing systems do, voting out an anomalous sensor may not require a warning - that is the point of redundant systems. There may be a maintenance warning of some sort so that it is known that redundancy has been lost and something needs fixing to restore it... and not leaving it unfixed until the next one fails (see e.g. the Australian report on 9M-MRG). Of course, when you get a common-mode or Byzantine failure and multiple sensors are voted out, or the voting system decides it doesn't know what to trust, then you should be right back to giving a failure warning and failing inactive (in the case of a stability augmentation system).