• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    The present invention relates to a method of switching by a local processing unit of an aircraft flight control system, configured to control at least one local actuator and connected to at least one local sensor and an opposite processing unit. configured to control at least one opposite actuator and to be connected to at least one opposite sensor, comprising steps of: - sending to the opposite processing unit acquisition data relating to the at least one local sensor and data of actuator relating to the at least one local actuator, - reception from the opposite processing unit acquisition data relating to the at least one opposite sensor and actuator data relating to the at least one opposite actuator, - receiving opposite health data and determining local health data, - switching said local processing unit from a first state to a second state t among an active state, a passive state and a slave state, according to the received and local opposite health data determined.
    公开号:FR3025617A1
    申请号:FR1458354
    申请日:2014-09-05
    公开日:2016-03-11
    发明作者:Celine Liu;Nicolas Marti;Stephen Langford
    申请人:Sagem Defense Securite SA;Turbomeca SA;
    IPC主号:
    专利说明:

    [0001] TECHNICAL FIELD The invention relates to the field of aircraft flight control systems. It more particularly relates to a switching method between two processing units or computers constituting a two-way architecture of such a system.
    [0002] STATE OF THE ART The on-board flight control systems equipping aircraft such as existing aircraft or helicopters perform functions of control and regulation of the engine of the aircraft ensuring the proper functioning of the latter. Such functions are critical to the safety of passengers. Such systems must therefore be fault-tolerant. For this, the existing flight control systems generally include two processing units or computers, each capable of ensuring the proper operation of the engine. Such a system thus constitutes a two-way architecture in which each channel is capable of ensuring the execution of said critical functions in the event of failure of the other channel. Of these two routes, the control of the engine is usually entrusted to the path with the best health, that is to say the least breakdowns or failures with the lowest degree of severity. This path is called active path. In order to perform motor control and regulation functions, each of the channels may control at least one actuator. These actuators may fail. When one or more actuators of the active channel are out of order, it may no longer be able to correctly control the engine. If the other way, called passive, is in a state of health worse than that of the active way, it is also not able to ensure the correct control of the engine. Thus, neither of the two channels being able to correctly control the engine, the critical functions of the flight system can then no longer be ensured. There is therefore a need for a method enabling the active channel to correctly control the motor despite the failure of at least one of its actuators. PRESENTATION OF THE INVENTION The present invention thus relates, according to a first aspect, to a switching method implemented by a first processing unit, called local processing unit, of a flight control system of an aircraft comprising at least one motor, said local processing unit being configured to control at least one actuator, called local actuator, so as to control the engine of the aircraft, and 15 being capable of being connected to at least one local sensor and to a second processing unit, called the opposite processing unit, configured to control at least one opposite actuator and to be connected to at least one opposite sensor, said method comprising steps of: sending to the opposite processing unit data acquisitions relating to the at least one local sensor and actuator data relating to the at least one local actuator, receiving from the processing unit t opposite acquisition data relating to the at least one opposite sensor and actuator data relating to the at least one opposite actuator, - receiving a health data relating to the health status of the opposite treatment unit, said opposite health data, - determining a health data relating to the health of said local processing unit, said local health data, 30 - switching of said local processing unit of a first state to a second state, based on said received opposite health data and said determined local health data, said states being among an active state in which the local processing unit provides control of the aircraft engine, a passive state in which the local processing unit does not provide control of the engine of the aircraft and a slave state in which the local processing unit transfers to the opposite processing unit the command desd its local actuators for control of the engine of the aircraft.
    [0003] Such a method allows each processing unit to have a complete picture of the overall system, including actuators and sensors connected to the opposite processing unit, in order to be able to properly control the engine despite the failure of a system. local actuator. A processing unit unable to control the engine of the aircraft can thus give access to its actuators to the other processing unit which is in an active state, so that the flight control system can provide control of the engine. despite one or more failures of the actuators of the active processing unit. The opposing processing unit and the local processing unit being connected via a first bidirectional digital link and secondly a bidirectional second digital link and the opposite processing unit. transmitting opposite health data on each of the links, the step of receiving an opposite health data of the method according to the first aspect may comprise a step of receiving a first opposite health data on the first link and a second redundant opposite health data on the second link, a step of verifying the consistency of said first and second received health data, and a step of determining said opposite health data transmitted as a function of said verification step.
    [0004] This enhances the ability of the system to detect data alterations exchanged between the processing units and thus minimizes the probability of failure of the flight control system. The step of determining the opposite health data transmitted may include, when said first and second health data received are not consistent, a consolidation step in which the opposite health data transmitted is determined from the data. received on at least two successive frames. This makes it possible to minimize the risk of error when determining the opposite health data transmitted when the data transmitted on the two links on a first frame are not coherent and do not make it possible to determine the health data transmitted in such a way. safe. In order to ensure that the received data has not been corrupted during transmission, the opposite health data receiving step of the method according to the first aspect may include a step of verifying the integrity of said data. health data received. The step of determining a local health data of the method according to the first aspect may comprise a step of diagnosis of the state of health relating to the hardware ("hardware") and software ("software") of said unit of 10 local treatment. This provides a health data to diagnose all failures that may affect the ability of the local processing unit to provide control of the engine. The step of switching the method according to the first aspect may comprise: a step of determining, from the local health data, a state data item relating to the state of said local processing unit and a health status data of the local processing unit relating to the capacity of the local processing unit to control the motor, and a step of switching of said local processing unit to the slave state when the state data indicates that the local processing unit is in a passive state and, when the health status data indicates a status in which: the local processing unit is able to communicate with the opposite processing unit, for example if at least one of the two bidirectional digital links makes it possible to provide communications between the local processing unit and the opposite processing unit, the local processing unit is incapable of to control the motor, and the local processing unit is able to control the local actuators.
    [0005] This makes it possible to ensure, before entering the slave state, that the processing unit is not in the process of controlling the motor, that it is not capable of providing the control of the engine in place of the other processing unit, and that the failures that affect it do not prevent it from giving access to its actuators to the other processing unit. According to an advantageous and nonlimiting characteristic, the step of switching the method according to the first aspect comprises: a determination step, in which said local processing unit determines from said local and opposite health data that its state of health is better than that of the opposite processing unit, - a waiting step in which said local processing unit waits for the opposite processing unit to go into the passive state, - a switching step of the processing unit. local processing in the active state. This avoids the flight control system being in a situation in which the two processing units are active at the same time and risk transmitting conflicting orders to their actuators. According to a second aspect, the present invention relates to a computer program product comprising code instructions for executing a switching method according to the first aspect when this program is executed by a processor. According to a third aspect, the present invention relates to a processing unit of a flight control system of an aircraft comprising at least one engine and configured to control at least one actuator, called a local actuator, so as to control the engine of the aircraft, said processing unit, said local processing unit being capable of being connected to at least one local sensor and to a second processing unit, said opposite processing unit, being configured to control at least one actuator opposed and being connected to at least one opposite sensor, and being characterized in that it comprises: means for sending to the opposite processing unit acquisition data relating to the at least one local sensor and actuator data relating to the at least one local actuator; means for receiving from the opposite processing unit relative acquisition data; the at least one opposed sensor and actuator data relating to the at least one opposite actuator; means for receiving a health data item relating to the state of health of the opposite processing unit, called opposite health data, - means for determining a health data relating to the health of said local processing unit, called local health data, - means for switching said local processing unit from a first state to a second state based on said received opposite health data and said determined local health data, said states being among an active state in which the local processing unit provides control of the aircraft engine, a passive state in which the local processing unit does not provide control of the aircraft engine and a slave state in which the local processing unit transfers to the opposite processing unit the control of said local actuators for control of the engine of the aircraft. The present invention relates in a fourth aspect to a flight control system comprising two processing units according to the third aspect.
    [0006] Such computer program products, processing unit and flight control system have the same advantages as those mentioned for the method according to the first aspect. The two processing units may be connected via a first bi-directional digital link and second bi-directional digital link, said second link being redundant with the first link, and the first link and second bonds being able to be active concomitantly. Such a system has a high resistance to failures through the redundancy of its processing units and its communications means 30 as well as by minimizing the number of communication links, while reducing its size. The first and second links may be Cross Channel Data Link (CCDL) links.
    [0007] Such a connection makes it possible in particular for the processing units to exchange more complex health information than those exchanged via the discrete analog links of the known systems while limiting the wiring volume.
    [0008] In the event of failures of the first and second links, the flight control system according to the fourth aspect may comprise backup communication means making it possible to exchange data between the local processing unit and the processing unit. opposite. This makes it possible to avoid total blindness of the two-channel system and a break in communications between the two processing units. According to an alternative embodiment, the backup communication means of the control system according to the fourth aspect may comprise an array of sensors or actuators. According to another variant embodiment, the backup communication means of the control system according to the fourth aspect may comprise an embedded secure network for the avionics, for example a redundant Ethernet network of the AFDX type ("Avionics Full DupleX switched ethernet"). ) or pAFDX. The use of such networks to exchange information between the processing units makes it possible to increase the level of redundancy of the means of communication between the processing units and to ensure the operational safety of the flight control system without however require the establishment of additional means of communication dedicated solely to the communication between the processing units.
    [0009] Other features and advantages will be apparent from the following description of an embodiment. This description will be given with reference to the accompanying drawings in which: - Figure 1 schematically illustrates a flight control system according to one embodiment of the invention; FIG. 2 schematically illustrates hardware means for establishing two CCDL links between two processing units of a flight control system according to one embodiment of the invention; FIG. 3 schematically illustrates the physical segregation of CCDL modules of each processing unit of a flight control system according to one embodiment of the invention; FIG. 4 schematically illustrates the segregation of the hardware means of a processing unit intended to establish two CCDL links according to one embodiment of the invention; FIG. 5 represents the graph of the states of the processing units of the flight control system according to one embodiment of the invention. DETAILED DESCRIPTION An embodiment of the invention relates to a switching method implemented by a first processing unit 1, called local processing unit, of a flight control system, represented in FIG. an aircraft comprising at least one engine. The flight control system also comprises a second processing unit 2, called the opposite processing unit. The local processing unit is capable of being connected to at least one local sensor and to the opposite processing unit, itself connected to at least one opposite sensor. These two processing units are redundant and can each perform the functions of control and regulation of the engine of the aircraft. For this purpose each processing unit is configured to control at least one actuator, so as to control the engine of the aircraft. The actuators that can be controlled by the local processing unit 1 are called local actuators. The actuators that can be controlled by the opposite processing unit are called opposed actuators. The system as illustrated in FIG. 1 thus constitutes a two-channel architecture comprising a channel A and a channel B. The processing units 1 and 2 may be processors of the same multiprocessor computer system comprising several processors. In order to increase the resistance of the flight control system to external aggression and to prevent a single localized event from being able to deactivate the two treatment units 1 and 2, the two tracks can be installed remotely. one of the other in separate boxes. In such a configuration, the processing units are not integrated execution cores within a single processor.
    [0010] The system also comprises communication means making it possible to connect the two processing units to enable the exchange of data essential for the proper functioning of each of the processing units, such as information on the health status of the processing unit. opposite.
    [0011] In an alternative embodiment, these communication means are configured to establish a first two-way digital link 3 and a second bidirectional digital link 4 between the first processing unit 1 and the second processing unit 2. Such a system has no link discrete between the two processing units, which limits the complexity of its wiring and the probability that one of the communication links fails. The second link 4 is redundant with the first link 3 to ensure communication between the two processing units in case of failure of the first link 3, and vice versa. Such redundancy ensures, from the point of view of the exchange of information between the two processing units, a good level of safety. In addition, said first and second links may be active concomitantly. Thus, unlike systems in which the redundant link is used only in the event of failure of the first link, the flight control system may use the first link 3 and the second link 4 at the same time in normal operation, that is to say, in the absence of failure of one of the two links, and can take advantage of the concomitant use of these two links to verify the absence of corruption of the data exchanged between the two processing units.
    [0012] The first and second processing units 1 and 2 may use a protocol to communicate with each other via the two links 3 and 4, for example among the Ethernet protocols IEEE 802.3, HDLC, SDLC, or any other protocol with an error detection or correction function. An Ethernet link makes it possible in particular to ensure high performance, high environmental robustness, particularly with respect to lightning resistance and Electro Magnetic Compatibility ("EMC") and high functional robustness thanks to the implementation of data integrity and flow control mechanisms. In addition the Ethernet protocol is a 5 industry standard consistent with avionics communication technologies, such as AFDX ("Avionics Full DupleX switched ethernet") or pAFDX, and maintenance. The first and second links may be Cross Channel Data Link (CCDL) links. Such a link makes it possible to synchronize each application with an accuracy less than one hundred microseconds. Such a link also makes it possible, instead of exchanging discrets as in known systems, to exchange health information constructed by hardware ("hardware") or software ("software"), information useful to the system ( acquisition, statuses, ...) and functional data of operating system (OS) or application system (AS). Such CCDL links between the two processing units A and B are shown in FIG. 2. Each processing unit 1, 2 comprises a system 5a, 5b, comprising a first CCDL module (CCDLA) 6a, 6b for establishing the first CCDL link. 3 and a second CCDL module (CCDLB) 7a, 7b to establish the second CCDL link 4. Such a system may be in the form of a system-on-a-chip (SoC) or consist of a microprocessor and peripherals implemented in separate boxes or in an FPGA card. Each CCDL module is connected to the input / output interface of its box by a physical layer. Such a layer may for example comprise a Phy hardware interface 8a, 8b, 8c, 8d and a transformer 9a, 9b, 9c, 9d as shown in FIG. 2. As illustrated in FIG. 3, the CCDL modules of each processing unit They can be segregated physically by being arranged on the system 5a, 5b in separate locations and away from each other, for example by placing them each at a corner of a system-on-a-chip. This makes it possible to reduce the probability of common failure in the event of SEU ("Single Event Upset") or MBU ("Multiple Bit Upset") alterations. According to a first variant, each system 5a, 5b is powered by a separate power supply. According to a second variant, the system comprises a power supply 15 common to the entire system-on-a-chip. Each system-on-a-chip can be powered by two separate clock signals 11 and 12, as shown in FIG. 4. Thus, although they are not independently powered, the CCDL modules of each processing unit can be powered. by independent clocks, which enhances the system-on-chip failure resistance by preventing a clock failure of one of the CCDL modules from affecting the other CCDL module. The CCDL modules of each processing unit can be synchronized by means of a local real-time clock (HTR or RTC) mechanism 10a, 10b as represented in FIG. 2 and a synchronization mechanism such as a synchronization window mechanism. Thus, in the event of loss of synchronization, each processing unit operates with its local clock and then synchronizes again with the reception of a valid signal. The local clock mechanism is programmable by the application and its programming is protected against SEU ("Single Event Upset") or MBU ("Multiple Bit Upset") alterations. However, CCDL links can still operate even if there is no synchronization or if a clock is lost. The system may further include backup communication means for providing data interchange between the first and second processing units and used only in the event of first and second link failures, to avoid disconnection of communications treatment units. In a first embodiment illustrated in FIG. 1, these backup communication means may comprise an array of sensors or actuators 13. Such a network of sensors or actuators may for example be a network of sensors. or smart actuators ("smartsensor, smart-actuator"). Each processing unit can then be connected to this network 13 via a bus of the RS-485 type making it possible to transmit information no longer analogically but numerically. In a second embodiment illustrated in FIG. 1, these backup communication means comprise an embedded secure network for the avionics 14. Such an embedded secure network may for example be a redundant Ethernet network such as AFDX (" Avionics Full DupleX switched 12 3025617 ethernet ") or pAFDX. Such a network provides means for resource sharing, segregation of flows as well as the determinism and availability required for aeronautical certifications. The digital signals transmitted between the processing units can be sensitive to disturbances, integrity control mechanisms and consistency checks of the data transmitted between the two remote processing units can be set up. Thus, each processing unit may comprise means for verifying the integrity of the data received.
    [0013] In order to verify the integrity of the received data, the different fields of each received frame can be checked, particularly in the case of an Ethernet link, the fields relating to the destination address, the source address, the type and frame length, MAC data, and padding data. A frame may be considered invalid if the length of this frame is not consistent with the length specified in the field length of the frame or if the bytes are not integers. A frame may also be considered invalid if the CRC (Cyclic Redundancy Check) calculated on receipt of the frame does not correspond to the CRC received due to errors due for example to interference during the transmission. In addition, when the local processing unit and the opposite processing unit are connected via two bidirectional links, each processing unit may comprise means for checking following the transmission of data at a time on the first link and on the second link, the coherence of the data received on the two links which must convey the same information in the absence of failure or corruption of the transmitted frames, and to determine the data actually transmitted. When the data received on the two links are not coherent, the processing unit can implement a consolidation step during which the data actually transmitted is determined from the data received over at least two successive frames, possibly on three frames. Such consolidation can also be achieved by extending the period of time between receipt of two successive Ethernet data packets, for example by setting the length of this period of time to a greater duration than the duration of a disturbance. électomagnétique. This can be implemented by adding a parameter ("Inter Frame Gap") setting such a period between the transmitted packets. Such an implementation may make it possible, for example, to avoid the corruption of two Ethernet packets transmitted in a redundant manner.
    [0014] Each of the processing units of the flight control system may be in one of the following states, as shown in the state graph in FIG. 5: an active state ("ACTIVE") in which processing unit provides control of the engine of the aircraft, 10 ^ a passive state ("PASSIVE") 16 in which the processing unit does not provide control of the engine of the aircraft but performs other functions, for example diagnostic, and may possibly communicate with the other processing unit of the control system, ^ a reset state ("RESET") 17 in which the processing unit 15 is inactive and performs no function , ^ a slave state ("SLAVE") 18 in which the processing unit transfers to the other processing unit the control of its actuators for the control of the engine of the aircraft. In order for each processing unit to have a complete image of the overall system, including actuators and sensors connected to the opposite processing unit, in order to be able to correctly control the motor despite the failure of a local actuator, the The switching method implemented by a local processing unit comprises steps of: sending to the opposite processing unit acquisition data relating to the at least one local sensor and actuator data relating to the at least one local actuator, receiving from the opposite processing unit acquisition data relating to the at least one opposite sensor and actuator data relating to the at least one opposite actuator.
    [0015] Such acquisition data relating to a sensor may for example in the case of temperature sensors include the temperature measured by the sensor.
    [0016] In addition, in order to allow the local processing unit 1 to change state among the four states described above, the switching method comprises steps of: - receiving a health data, such as a status, relative to the state of health of the opposite treatment unit 2, called the opposite health data, - determination of a health data relating to the health of said local processing unit 1, said data of local health, - switching said local processing unit 1 from a first state to a second state, according to said received opposite health data and said determined local health data, said first and second states being among the states active, passive, reset and slave described above. Since the received opposite health data may be subject to disturbances, the step of receiving an opposite health data may include a step of verifying the integrity of the received data. Moreover, coherence verification mechanisms can also be implemented, the opposite health data being redundantly transmitted over the two bidirectional links. The step of receiving an opposite health data then comprises a step of receiving a first opposite health data on the first link and a second redundant opposite health data on the second link, a verification step the consistency of said first and second received health data, and a step of determining said opposite health data transmitted as a function of said verification step. Alternatively, the first opposite health data received on the first link and the second opposite health data received on the second link may be subject to an integrity check before checking for consistency. In case of inconsistency of the data received on the two links, the local processing unit may ignore this health data and wait for the transmission of a new opposite health data. In the case of receipt of inconsistent data on both links in two or more successive transmissions, the local processing unit may conservatively retain as the opposite health data the received data indicating the worst health status of the health unit. opposite treatment if the data received during the first transmission are identical to those received during subsequent transmissions. Otherwise, the last health data received in a consistent manner is retained as long as no new health data has been consistently received. In order to determine a local or opposite health data item, the processing unit concerned performs a diagnosis of the state of health relating to its hardware and software elements. Such a diagnosis can be established from information obtained from different monitoring means ("monitoring") or from several registers. By way of example, a register makes it possible to obtain the state of health of the equipment of the processing unit and another register makes it possible to obtain the state of health of the software of the processing unit. Health data determined locally or transmitted by the opposite processing unit are thus data allowing the selection of a channel and the establishment of a complete system diagnosis. They may in particular be CCDL diagnostic data, operating system status data or applications, hardware diagnostic data, in particular sensors or actuators, functional diagnostic data produced by the software,. From local or opposite health data, the local processing unit may determine a state data indicating the active, passive, slave or reset state in which the state is located. corresponding local or opposite processing unit, and health status data relating to the capacity of the local or opposite processing unit to provide control of the engine. According to one embodiment, each treatment unit may have a health status among the following four statuses: a GOOD status in which the processing unit has no breakdown, an ACCEPTABLE status in which However, the processing unit has certain failures which would not prevent it from correctly controlling the motor, for example the breakage of a transformer of a CCDL link or the loss of the clock signal of a single link. CCDL, ^ A "SLAVE" status in which the processing unit has failures that are too severe to allow it to properly control the engine, for example a processor failure, but does not have any hardware failures that cause it to fail. prevent it from driving its actuators or communicating with the opposite processing unit, ^ An ADB status in which the processing unit is unable to properly control the engine and minus a hardware failure preventing the processing unit from controlling its actuators, for example a power or clock failure affecting the entire processing unit or a failure of the two CCDL links. The local processing unit executes the above-described steps of receiving opposite health data and determining local health data at a regular time interval. In order to determine whether to change state, the local processing unit determines, from the local health data, a local state data indicating its state and a local status data indicating its health status. Similarly, the local processing unit determines, from the opposite health data, opposite state data indicating the status of the opposite processing unit, and opposite status data indicating the status of the opposite processing unit. opposite treatment unit. The local processing unit then performs a comparison of its state of health, indicated by the local status data, with that of the opposite processing unit, indicated by the opposite status data.
    [0017] If the local processing unit is in an active state and its state of health remains better than that of the other processing unit (CTL_REQ = 1), the processing unit remains in an active state and continues to ensure engine control. For example, the state of health of the local processing unit is better than that of the opposite processing unit when: the local processing unit has the GOOD status and the opposite processing unit has a status among the ACCEPTABLE, SLAVE and ADB statuses, - the local processing unit has the ACCEPTABLE status and the opposite processing unit has a status among the SLAVE and ADB statuses. If the local processing unit is in an active state and its health state becomes worse than that of the other processing unit (CTL_REQ = O), the local processing unit switches to a passive state and ceases to ensure the control of the engine which is then provided by the opposite processing unit. By way of example, the state of health of the local processing unit is worse than that of the opposite processing unit when: the local processing unit has the ACCEPTABLE status and the opposite processing has the GOOD status, or - the local processing unit has the SLAVE status and the opposite processing unit has status between the GOOD and ACCEPTABLE statuses, or 5 - the local processing unit has the ADB status and the opposite processing unit has a status among the GOOD and ACCEPTABLE statuses. If the local processing unit is in a passive state and its state of health remains worse than that of the opposite processing unit (CTL_REQ = O), the processing unit remains in a passive state.
    [0018] If the local processing unit is in a passive state and its state of health becomes better than that of the opposite processing unit (CTL_REQ = 1), the local processing unit switches to an active state in order to control the motor in place of the opposite processing unit. Switching from a passive state to an active state may go through a wait state 19 in which the local processing unit waits for the opposite processing unit to go into the passive state (OPP_CH_STATE = O) before go into the active state and take hold of the engine control. This prevents the flight control system from finding itself in a situation in which the two processing units would be active at the same time and risk transmitting conflicting orders to their actuators. The processing unit can remain in such a waiting state as long as the opposite processing unit is active (OPP_CH_STATE = 1). Since this state, the local processing unit may even return to a passive state if the health status of the opposite processing unit is again better than the state of health of the local processing unit 25 (CTL_REQ = O) before it has gone into an active state. If the local processing unit is in a passive state and the local status data indicates that the processing unit has a health status "SLAVE" (Remote Req = 1), the local processing unit can switch to the slave state described above. According to one variant, the switching in the slave state is also conditioned on the reception of a request signal for access to the actuators of the local processing unit from the opposite processing unit. Since the slave state, the processing unit can return to the passive state when the local status data no longer indicates that the processing unit has a health status "SLAVE" (Remote Req = O) 18 3025617 If the local status data indicates a health status "ADB", the local processing unit switches to a reset state regardless of its current state. Once the reset is successful (HRESET_N rising edge), the processing unit can return to the passive state.
    [0019] In the case where the local processing unit and the opposite processing unit have the same health status, GOOD or ACCEPTABLE, each processing unit can according to a first variant remain in its current state, active or passive. According to a second variant, it is possible to provide for the control of the motor to be assigned to a default processing unit, for example the first processing unit 1, in which case the two processing units remain in their current state if the unit The default process is already in an active state, or is transitioning from passive to active state and vice versa if the default processing unit was previously in a passive state. A processing unit can change from ACCEPTABLE status to 15 GOOD status if it overlaps functions it had previously lost but a processing unit with SLAVE or ADB status can not revert to ACCEPTABLE or GOOD status unless a reset. Thus, the passive path of the control system can pass into a state enabling it to make its actuators available to the active channel, which is in a better state of health, so that the flight control system can continue to provide control. the engine of the aircraft despite a failure affecting the ability of the active channel to control its own actuators. 19
    权利要求:
    Claims (10)
    [0001]
    REVENDICATIONS1. Switching method implemented by a first processing unit (1,2), called local processing unit, of a flight control system of an aircraft comprising at least one engine, said local processing unit (1, 2) being configured to control at least one actuator, said local actuator, so as to control the engine of the aircraft, and being capable of being connected to at least one local sensor and to a second processing unit (2.1 ), said opposite processing unit, configured to control at least one opposite actuator and to be connected to at least one opposite sensor, said method comprising steps of: - sending to the opposite processing unit acquisition data relating to the at least one local sensor and actuator data relating to the at least one local actuator, receiving from the opposite processing unit acquisition data relating to the at least one opposite sensor and donating actuator outputs relating to the at least one opposite actuator, - receiving a health data relating to the state of health of the opposite treatment unit (2.1), said opposite health data, - determination health data relating to the health of said local processing unit (1,2), called local health data, - switching of said local processing unit (1,2) from a first state to a second state , based on said received opposite health data and said determined local health data, said states being among an active state (15) in which the local processing unit (1,2) provides control of the motor of the aircraft, a passive state (16) in which the local processing unit (1,2) does not provide control of the engine of the aircraft and a slave state (18) in which the local processing unit (1) , 2) transfers to the opposite processing unit (2,1) the control of said local actuators for the control of the motor. r of the aircraft. 20 3025617
    [0002]
    The method of claim 1, wherein the opposing processing unit (2.1) and the local processing unit (1.2) are connected via a first bidirectional digital link. (3) and on the other hand a second bidirectional digital link (4), and the opposite processing unit (2,1) transmitting an opposite health data on each of the links (3,4), the step of receiving an opposite health data item comprises a step of receiving a first opposite health data on the first link (3) and a second redundant opposite health data item on the second link (4), a step of verifying the consistency of said first and second health data received, and a step of determining said opposite health data transmitted according to said verification step. 15
    [0003]
    3. Method according to the preceding claim, wherein the step of determining the opposite health data transmitted comprises, when said first and second health data received are not consistent, a consolidation step during which the data of opposite transmitted health is determined from the data received on at least two successive frames.
    [0004]
    The method of any one of the preceding claims, wherein the step of receiving opposite health data comprises a step of verifying the integrity of said received health data.
    [0005]
    5. Method according to one of the preceding claims, wherein the step of determining a local health data comprises a step of diagnosis of the state of health relating to the hardware ("hardware") and the software (" software ") of said local processing unit (1,2).
    [0006]
    The method according to one of the preceding claims, wherein the step of switching comprises: a step of determining, from the local health data, a state data item relating to the state of said local processing unit (1,2) and a health status data of the local processing unit relating to the capacity of the local processing unit to provide the control of the engine, and a step of switching said local processing unit (1,2) into the slave state (18): - when the state data indicates that the local processing unit (1) is in a passive state (16) and, when the health status data indicates a status in which: the local processing unit is able to communicate with the opposite processing unit, the local processing unit (1,2) is unable to provide the motor control, ^ and the local processing unit (1,2) is able to control the actuators lo cal.
    [0007]
    The method according to one of the preceding claims, wherein the step of switching comprises: - a determining step, wherein said local processing unit (1,2) determines from said local and opposite health data that its state of health is better than that of the opposite processing unit (2.1), 25 - a waiting step in which said local processing unit (1.2) waits for the opposite processing unit (2). , 1) goes into the passive state (16), - a step of switching the local processing unit (1,2) into the active state (16). 30
    [0008]
    A computer program product comprising code instructions for executing a switching method according to any one of the preceding claims when the program is executed by a processor. 22 3025617
    [0009]
    9. Treatment unit (1,2) of an aircraft flight control system comprising at least one engine and configured to control at least one actuator, said local actuator, so as to control the engine of the aircraft , Said processing unit (1,2), said local processing unit being connectable to at least one local sensor and to a second processing unit (2,1), said opposite processing unit, being configured for controlling at least one opposite actuator and being connected to at least one opposite sensor, and being characterized in that it comprises: - means for sending to the opposite processing unit acquisition data relating to the at least one local sensor and actuator data relating to the at least one local actuator; means for receiving from the opposite processing unit acquisition data relating to the at least one opposite sensor and actio data relative to the at least one opposite actuator; means for receiving a health data relating to the state of health of the opposite treatment unit (2,1), referred to as the opposite health data; for determining health data relating to the health of said local processing unit (1,2), said local health data, means for switching said local processing unit (1,2) from a first state to a second state, based on said received opposite health data and said determined local health data, said states being among an active state (15) in which the local processing unit (1,2) provides the engine control of the aircraft, a passive state (16) in which the local processing unit (1,2) does not provide control of the engine of the aircraft and a slave state (18) in which the processing unit local (1,2) transfers to the opposite processing unit (2,1) the control of said locomotive actuators. ux for control of the aircraft engine.
    [0010]
    10. Flight control system comprising two processing units (1,2) according to the preceding claim. Flight control system according to the preceding claim, in which the two processing units (1, 2) are connected via a part of a first bidirectional digital link (3) and on the other hand a second bi-directional digital link (4), said second link (4) being redundant with the first link (3), and said first and second links (3,4) being able to be active concomitantly. The flight control system of claim 11, wherein the first and second links (3,4) are Cross Channel Data Link (CCDL) links. 13. Flight control system according to one of claims 11 or 12, comprising backup communication means (13,14) 15 for ensuring data exchange between the local processing unit (1,2) and the opposite processing unit (2,1) in case of failures of the first and second links (3,4). Flight control system according to the preceding claim, wherein the backup communication means comprise an array of sensors or actuators (13). The flight control system of one of claims 13 or 14, wherein the backup communication means comprises an embedded secure network for the avionics (14). 16. Flight control system according to claim 15, wherein the embedded secure network (14) is a redundant Ethernet network type AFDX ("Avionics Full DupleX switched ethernet") or pAFDX.
    类似技术:
    公开号 | 公开日 | 专利标题
    EP3189380B1|2018-08-22|Two-way architecture with redundant ccdl's
    EP3189381B1|2018-07-25|Two channel architecture
    CA2740280C|2017-11-07|Flight-control system and aircraft comprising same
    CN101390336B|2011-11-02|Disaster recovery architecture
    JP5337022B2|2013-11-06|Error filtering in fault-tolerant computing systems
    FR3027477A1|2016-04-22|SWITCHING DATA TRANSMISSION BETWEEN HETEROGENEOUS NETWORKS FOR AIRCRAFT
    WO2017071274A1|2017-05-04|Disaster tolerance method and apparatus in active-active cluster system
    US20060143497A1|2006-06-29|System, method and circuit for mirroring data
    US7499987B2|2009-03-03|Deterministically electing an active node
    EP2998877A2|2016-03-23|Server comprising a plurality of modules
    CN103262044A|2013-08-21|Method for virtual machine failover management and system supporting the same
    US20070180308A1|2007-08-02|System, method and circuit for mirroring data
    FR2996651A1|2014-04-11|FLIGHT CONTROL SYSTEM USING SIMPLEX AND AIRCRAFT COMPUTERS COMPUTERS
    FR2925191A1|2009-06-19|HIGH INTEGRITY DIGITAL PROCESSING ARCHITECTURE WITH MULTIPLE SUPERVISED RESOURCES
    FR2946769A1|2010-12-17|METHOD AND DEVICE FOR RECONFIGURING AVIONICS.
    EP3204867B1|2018-07-18|System on a chip having high operating certainty
    EP3123330A1|2017-02-01|Electronic component with deterministic response
    Mori2001|Autonomous decentralized systems technologies and their application to a train transport operation system
    JP6653250B2|2020-02-26|Computer system
    EP2251789B1|2011-11-02|Input/output module for sensors and/or actuators exchanging information with two central processing units
    JP2004078425A|2004-03-11|Duplex switching method of duplex control system
    WO2021044652A1|2021-03-11|Master device, arithmetic processing device, programmable logic controller, network, and method
    FR2551897A1|1985-03-15|APPARATUS AND METHOD FOR REALIZING REDUNDANCY IN A PROCESS CONTROL SYSTEM, DISTRIBUTING
    JP2008017182A|2008-01-24|Gateway device
    同族专利:
    公开号 | 公开日
    KR102284080B1|2021-08-02|
    CN107077103A|2017-08-18|
    US10162314B2|2018-12-25|
    RU2017111184A3|2018-10-05|
    CA2960107C|2020-03-10|
    EP3189381B1|2018-07-25|
    EP3189381A1|2017-07-12|
    CN107077103B|2020-10-13|
    KR20170095183A|2017-08-22|
    US20170277151A1|2017-09-28|
    CA2960107A1|2016-03-10|
    FR3025617B1|2016-12-16|
    WO2016034825A1|2016-03-10|
    JP6484330B2|2019-03-13|
    RU2679706C2|2019-02-12|
    RU2017111184A|2018-10-05|
    JP2017534502A|2017-11-24|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    EP0742507A1|1995-05-12|1996-11-13|The Boeing Company|Method and apparatus for synchronizing flight management computers|
    EP1695886A1|2005-02-28|2006-08-30|Delphi Technologies, Inc.|Fault-tolerant node architecture for distributed systems|
    US20080205416A1|2007-02-23|2008-08-28|Honeywell International, Inc.|Flight control computers with ethernet based cross channel data links|
    EP2595023A2|2011-11-16|2013-05-22|Nabtesco Corporation|Aircraft control apparatus and aircraft control system|
    FR2986398A1|2012-01-30|2013-08-02|Snecma|SAFETY DEVICE FOR CONTROLLING AN ENGINE COMPRISING A REDUNDANCY OF ACQUISITIONS OF A SENSOR MEASUREMENT|
    JPH0410832A|1990-04-27|1992-01-16|Nec Commun Syst Ltd|Backup system for packet network system|
    AU3124697A|1996-05-14|1997-12-05|Boeing Company, The|Flight management system providing for automatic control display unit backup utilizing structured data routing|
    US6611499B1|1999-03-18|2003-08-26|At&T Corp.|Method for measuring the availability of router-based connectionless networks|
    JP4478037B2|2004-01-30|2010-06-09|日立オートモティブシステムズ株式会社|Vehicle control device|
    FR2879388B1|2004-12-15|2007-03-16|Sagem|SECURE TRANSMISSION METHOD, SYSTEM, FIREWALL AND ROUTER EMPLOYING IT|
    US20060184253A1|2005-02-03|2006-08-17|International Business Machines Corporation|Intelligent method of organizing and presenting operational mode information on an instrument panel of a flight deck|
    US7346793B2|2005-02-10|2008-03-18|Northrop Grumman Corporation|Synchronization of multiple operational flight programs|
    JP4754993B2|2006-02-16|2011-08-24|デルファイ・テクノロジーズ・インコーポレーテッド|Fault-tolerant node architecture for distributed systems|
    RU2378521C2|2007-12-25|2010-01-10|Федеральное государственное унитарное предприятие "Московское машиностроительное производственное предприятие "САЛЮТ" |System for automatic control of gas turbine engines|
    JP5404101B2|2009-02-27|2014-01-29|三菱重工業株式会社|Multiple redundant control system|
    FR2943036B1|2009-03-11|2011-04-15|Airbus France|DISTRIBUTED FLIGHT CONTROL SYSTEM IMPLEMENTED ACCORDING TO AN INTEGRATED MODULAR AVIONIC ARCHITECTURE.|
    FR2959489B1|2010-05-03|2013-02-15|Airbus Operations Sas|CONTROL PANEL FOR AIRCRAFT.|
    US9625894B2|2011-09-22|2017-04-18|Hamilton Sundstrand Corporation|Multi-channel control switchover logic|
    FR2983319B1|2011-11-25|2014-02-07|Turbomeca|METHOD AND SYSTEM FOR CONTROLLING POWER IN CASE OF FAILURE OF AT LEAST ONE AIRCRAFT ENGINE|
    RU136011U1|2012-12-27|2013-12-27|Российская Федерация в лице Министерства промышленности и торговли Российской Федерации|AIRCRAFT WITH THE CONTROL SYSTEM OF THE AIR-PLANE EQUIPMENT AND AIRCRAFT SYSTEMS|
    EP2790073A1|2013-04-09|2014-10-15|Airbus Operations GmbH|Control of aircraft systems with at least two remote data concentrators for control of an aircraft system component|
    CN103955188B|2014-04-24|2017-02-15|清华大学|Control system and method supporting redundancy switching function|
    FR3025617B1|2014-09-05|2016-12-16|Sagem Defense Securite|BI-TRACK ARCHITECTURE|FR3025617B1|2014-09-05|2016-12-16|Sagem Defense Securite|BI-TRACK ARCHITECTURE|
    EP3428748B1|2017-07-13|2020-08-26|Siemens Aktiengesellschaft|Method and assembly for operating two redundant systems|
    US10698752B2|2017-10-26|2020-06-30|Bank Of America Corporation|Preventing unauthorized access to secure enterprise information systems using a multi-intercept system|
    IT201900012900A1|2019-07-25|2021-01-25|Hitachi Rail Sts S P A|Apparatus and method for the control of a railway system|
    法律状态:
    2015-08-27| PLFP| Fee payment|Year of fee payment: 2 |
    2016-03-11| PLSC| Search report ready|Effective date: 20160311 |
    2016-08-22| PLFP| Fee payment|Year of fee payment: 3 |
    2017-01-13| CJ| Change in legal form|Effective date: 20161214 |
    2017-01-13| CD| Change of name or company name|Owner name: TURBOMECA, FR Effective date: 20161214 Owner name: SAGEM DEFENSE SECURITE, FR Effective date: 20161214 |
    2017-08-22| PLFP| Fee payment|Year of fee payment: 4 |
    2017-09-01| CD| Change of name or company name|Owner name: SAFRAN HELICOPTER ENGINES, FR Effective date: 20170727 Owner name: SAFRAN ELECTRONICS & DEFENSE, FR Effective date: 20170727 |
    2018-08-22| PLFP| Fee payment|Year of fee payment: 5 |
    2019-08-20| PLFP| Fee payment|Year of fee payment: 6 |
    2020-08-19| PLFP| Fee payment|Year of fee payment: 7 |
    2021-08-19| PLFP| Fee payment|Year of fee payment: 8 |
    优先权:
    申请号 | 申请日 | 专利标题
    FR1458354A|FR3025617B1|2014-09-05|2014-09-05|BI-TRACK ARCHITECTURE|FR1458354A| FR3025617B1|2014-09-05|2014-09-05|BI-TRACK ARCHITECTURE|
    KR1020177009173A| KR102284080B1|2014-09-05|2015-09-04|Two-way architecture|
    RU2017111184A| RU2679706C2|2014-09-05|2015-09-04|Two-channel architecture|
    JP2017512804A| JP6484330B2|2014-09-05|2015-09-04|Two-way architecture|
    EP15780914.6A| EP3189381B1|2014-09-05|2015-09-04|Two channel architecture|
    PCT/FR2015/052344| WO2016034825A1|2014-09-05|2015-09-04|Two-way architecture|
    CN201580051534.XA| CN107077103B|2014-09-05|2015-09-04|Bidirectional architecture|
    US15/508,455| US10162314B2|2014-09-05|2015-09-04|Two-way architecture|
    CA2960107A| CA2960107C|2014-09-05|2015-09-04|Two-way architecture|
    [返回顶部]