This paper presents a method to derive the efficiency that diagnostic functions must achieve for consistency with the safety requirements. The method is applied to a distributed UAV engine control system, but is equally applicable to any other mechatronic system. A control system architecture is proposed with minimal hardware redundancy, for low cost and a simple design. Efficient diagnostic functions (executable assertions in software) are used to detect and isolate errors. The goal is to recover completely from any transient error and to reconfigure the system after a permanent error so that engine thrust remains unaffected. Given the requirement that an engine failure caused by the control system must not occur more than 10 times per million hours, any permanent or transient error must be correctly handled with 99% certainty at node level and 90–95% at system level. These high error coverage figures are largely driven by the assumption that a transient error occurs 1 time per 1000 hours in any control system node. This high transient error rate is assumed because of the concern about Single Event Upsets (SEUs), which have become a dominant cause of errors in electronic equipment in flight applications.
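As an added illustration, not part of the abstract, the node-level coverage figure follows from the two stated rates under the assumption that every transient error the diagnostics fail to handle leads to an engine failure: with a transient error rate $\lambda_t = 10^{-3}\,\mathrm{h^{-1}}$ per node and an allowed failure rate $\lambda_f = 10^{-5}\,\mathrm{h^{-1}}$ (10 per million hours), the required node-level coverage $C$ satisfies

$$
\lambda_t \,(1 - C) \le \lambda_f
\quad\Longrightarrow\quad
C \ge 1 - \frac{\lambda_f}{\lambda_t} = 1 - \frac{10^{-5}}{10^{-3}} = 0.99 .
$$

The system-level figure of 90–95% depends on how many nodes there are and on how an unhandled node error propagates to thrust, which the abstract does not specify, so it is not derived here.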