• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    The present invention relates to a flight control system of an aircraft comprising: a first processing unit 1, a second processing unit 2, communication means configured to establish a first bidirectional digital link 3 and a second link bi-directional digital 4 between the first processing unit 1 and the second processing unit 2, said second link 4 being redundant with the first link 3, and said first 3 and second links 4 being able to be active concomitantly.
    公开号:FR3025626A1
    申请号:FR1458350
    申请日:2014-09-05
    公开日:2016-03-11
    发明作者:Celine Liu;Nicolas Marti;Stephen Langford
    申请人:Sagem Defense Securite SA;Turbomeca SA;
    IPC主号:
    专利说明:

    [0001] TECHNICAL FIELD The invention relates to a flight control system of an aircraft comprising two processing units or computers and constituting a two-way architecture. This system is particularly applicable to smaller engines such as helicopter engines.
    [0002] STATE OF THE ART The on-board flight control systems equipping aircraft such as existing aircraft or helicopters perform functions of control and regulation of the engine of the aircraft ensuring the proper functioning of the latter. Such functions are critical to the safety of passengers. Such systems must therefore be fault-tolerant. For this, the existing flight control systems generally include two processing units or computers, each capable of ensuring the proper operation of the engine. Such a system thus constitutes a two-way architecture in which each channel is capable of ensuring the execution of said critical functions in the event of failure of the other channel. In order to determine whether it should support the execution of these functions, each processing unit must be able to exchange information with the other processing unit of the control system, including information concerning the state of health of this other unit. treatment. To do this, the two processing units of the control system are generally connected by a bidirectional digital link, or two unidirectional links in opposite directions, such as a CCDL (Cross Chanel Data Link) link. In order to reinforce the failure resistance of such a flight control system, the processing units of the control system can be split into two remote boxes in order to be geographically distant from one another and thus to decrease. sensitivity to external aggression. In addition, in order to make the control system resistant to a data link failure between the processing units, the processing units can be connected by an additional link in the form of several discrete analog links, up to the number twenty on civil fadecs. Nevertheless increasing the number of links increases the probability that one of them will fail and increases the volume of wiring, thus making it difficult to develop a compact flight control system. Although an accessory for the control of large aircraft engines such as airliners, such compactness becomes essential to contain the total space requirement for the engine of a small aircraft, such as a helicopter engine. . There is therefore a need for a control system having a dual-channel architecture minimizing the amount of wiring while being resistant to external failures and aggression.
    [0003] SUMMARY OF THE INVENTION The present invention thus relates in a first aspect to a flight control system of an aircraft comprising: a first processing unit, a second processing unit, configured communication means to establish a first two-way digital link and a second bidirectional digital link between the first processing unit and the second processing unit, said second link being redundant with the first link, and said first and second links being capable of being active concomitantly. Such a system is highly resistant to failures due to the redundancy of its processing units and its communications means as well as the minimization of the number of communication links, while reducing its size. According to an advantageous and nonlimiting characteristic, the first and second links may be CCDL ("Cross Channel Data Link") links. Such a link notably allows the processing units to exchange more complex health information than those exchanged via the discrete analog links of the known systems while limiting the wiring volume.
    [0004] In case of failures of the first and second links, the flight control system may comprise backup communication means for ensuring data exchange between the first and second processing units. This avoids total blindness of the two-way system and a break in communications between the two processing units. According to an alternative embodiment, the backup communication means of the control system according to the first aspect may comprise an array of sensors or actuators. According to another variant embodiment, the backup communication means of the control system according to the first aspect may comprise an embedded secure network for the avionics, for example a redundant Ethernet network of the AFDX type ("Avionics Full DupleX switched ethernet" ) or pAFDX.
    [0005] The use of such networks to exchange information between the processing units makes it possible to increase the level of redundancy of the means of communication between the processing units and to ensure the operational safety of the flight control system without as well as requiring the establishment of additional means of communication dedicated solely to the communication between the processing units. According to an advantageous and nonlimiting characteristic, each processing unit of the control system according to the first aspect comprises means for verifying the integrity of data received on each of the links.
    [0006] This ensures that the received data has not been corrupted during transmission. Furthermore, each processing unit may comprise means for verifying, following the transmission of data on both the first link and the second link, the coherence of the data received on the first link and on the second link. . This enhances the ability of the system to detect data alterations exchanged between the processing units and thus minimizes the probability of failure of the flight control system. Furthermore, the communication means of the flight control system 20 according to the first aspect can be configured to transmit from a first processing unit to a second processing unit of the health data of the first processing unit, said system according to the first aspect further comprising means for selecting a processing unit for controlling an engine of said aircraft from the first and second processing units based on the health data of the first processing unit transmitted. and health data of the second processing unit. Such data exchange allows each processing unit to be aware of the health status of the other processing unit to ensure that the healthier route still provides control of the engine.
    [0007] Other features and advantages will be apparent from the following description of an embodiment. This description will be given with reference to the accompanying drawings in which: - Figure 1 schematically illustrates a flight control system according to one embodiment of the invention; FIG. 2 schematically illustrates hardware means for establishing two CCDL links between two processing units of a flight control system according to one embodiment of the invention; FIG. 3 schematically illustrates the physical segregation of CCDL modules of each processing unit of a flight control system according to one embodiment of the invention; FIG. 4 schematically illustrates the segregation of the hardware means of a processing unit for establishing two CCDL links according to one embodiment of the invention. DETAILED DESCRIPTION An embodiment of the invention, illustrated in FIG. 1, relates to a flight control system of an aircraft comprising at least a first processing unit 1 and a second processing unit 2. These two processing units are redundant and can each perform the functions of control and regulation of the engine of the aircraft. The system as illustrated in FIG. 1 thus constitutes a two-way architecture comprising a channel A and a channel B.
    [0008] The processing units 1 and 2 may be processors of the same multiprocessor computer system comprising several processors. In order to reinforce the resistance of the flight control system to external aggression and to prevent a single localized event from being able to deactivate the two treatment units 1 and 2, the two tracks can be installed remotely one of them. on the other in separate boxes. In such a configuration, the processing units are not integrated execution cores within a single processor. The system also comprises communication means 10 making it possible to connect the two processing units to enable the exchange of data essential for the proper functioning of each of the processing units, such as information on the state of health of the processing unit. opposite. This two-way system differs from known systems in that the communications means are configured to establish a first bi-directional digital link 3 and a second bidirectional digital link 4 between the first processing unit 1 and the second processing unit 2. Unlike known systems, such a system has no discrete link between the two processing units, which limits the complexity of its wiring and the probability that one of the communication links fails. The second link 4 is redundant with the first link 3 in order to ensure communication between the two processing units in the event of failure of the first link 3. Such redundancy guarantees, from the point of view of the exchange of information between the two processing units, the same level of safety as that presented by the known systems. In addition, said first and second links may be active concomitantly. Thus, unlike known systems in which the redundant link is generally only used in case of failure of the first link, the flight control system can use the first link 3 and the second link 4 at the same time in normal operation. , that is to say in the absence of failure of one of the two links, and can take advantage of the concomitant use of these two links to check the absence of corruption of the data exchanged between the two units treatment. The first and second processing units 1 and 2 may use the Ethernet IEEE 802.3 or HLDC or SDLC protocol or any other protocol having an error detection or correction function to communicate with each other via the two links 3 and 4. An Ethernet link makes it possible in particular to ensure high performance, high environmental robustness, particularly with respect to lightning resistance and electromagnetic compatibility ("EMC") and high functional robustness. through the implementation of data integrity and flow control mechanisms. In addition the Ethernet protocol is an industry standard consistent with avionics communication technologies, such as AFDX ("Avionics Full DupleX switched ethernet") or pAFDX, and 15 maintenance. The first and second links may be Cross Channel Data Link (CCDL) links. Such a link makes it possible to synchronize each application with an accuracy less than one hundred microseconds. Such a link also makes it possible, instead of exchanging discrets, as in known systems, to exchange health information constructed by the hardware (hardware) or the software ("software"), useful information for the system. (acquisition, status, ...) and operating system (OS or "Operating System") or application system (AS or "Application System") functional data.
    [0009] Such CCDL links between the two processing units A and B are shown in FIG. 2. Each processing unit 1, 2 may comprise a system, for example a system on a chip (SoC), or a system on a chip. system consisting of a microprocessor and peripherals implemented in separate boxes or in an FPGA card, 5a, 5b having a first CCDL module (CCDLA) 6a, 6b for establishing the first CCDL link 3 and a second CCDL module (CCDLB) 7a, 7b to establish the second CCDL link 4. Each CCDL link having its own module, the independence of each of the CCDL links is enhanced and the probability of simultaneous failure of the two CCDL links is thus reduced. Each CCDL module can be connected to the interface input / output of its housing through a hardware interface Phy 8a, 8b, 8c, 8d and a transformer 9a, 9b, 9c, 9d.
    [0010] As illustrated in FIG. 3, the CCDL modules of each processing unit can be segregated physically by being arranged on the system 5a, 5b at distinct locations and distant from each other, for example by placing them each at a corner of the system. . Alternatively, these CCDL modules can be arranged on separate chips. This makes it possible to reduce the probability of common failure in the event of SEU ("Single Event Upset") or MBU ("Multiple Bit Upset") alterations. According to a first variant, each system 5a, 5b is powered by a separate power supply. According to a second variant, in addition to a power supply 15 common to the entire system-on-a-chip, each system-on-a-chip can be powered by two distinct clock signals 11 and 12, as shown in FIG. Thus, although they are not powered independently, the CCDL modules of each processing unit can be powered by independent clocks, which increases the fault-tolerance of the system-on-a-chip by preventing a failure of the system. clock of one of the CCDL modules can affect the other CCDL module. The CCDL modules of each processing unit can be synchronized using a local real time clock (HTR) mechanism 10a, 10b and a synchronization mechanism such as a synchronization window mechanism. Thus, in the event of loss of synchronization, each processing unit may operate due to its local clock and then synchronize again upon receipt of a valid signal. The local clock mechanism is programmable by the application and its programming is protected against alterations of type SEU ("Single Event Upset") or MBU ("Multiple Bit Upset"). The CCDL links can still continue to operate even in the absence of synchronization or in the event of a clock being lost.
    [0011] The system may further comprise backup communication means for providing data exchange between the first and second processing units and used only in the event of failures of the first and second links, to avoid communication outage. between the processing units. In a first embodiment illustrated in FIG. 1, these backup communication means may comprise an array of sensors or actuators 13. Such a network of sensors or actuators may for example be a sensor array or smart actuators ("smart-sensor", "smart-actuator"). Each processing unit can then be connected to this network 13 via a bus of the RS-485 type for transmitting information either analogically but numerically. In a second embodiment illustrated in FIG. 1, these backup communication means comprise an embedded secure network for avionics 14. Such an embedded secure network may for example be a redundant Ethernet network such as AFDX (FIG. "Avionics Full DupleX switched ethernet") or pAFDX. Such a network provides means for resource sharing, flow segregation as well as the determinism and availability required for aeronautical certifications. The digital signals transmitted through the two bidirectional links between the processing units being more sensitive to disturbances than the discrete analog signals transmitted on the plurality of discrete links of the existing systems, the integrity control and consistency of the data transmitted between the two remote processing units can be set up. Thus, each processing unit may comprise means for verifying the integrity of the data received via each of the bidirectional links. In order to verify the integrity of the data received, the different fields of each received frame can be verified, in particular in the case of an Ethernet link, the fields relating to the destination address, the source address, the type and frame length, MAC data, and stuffing data. A frame may be considered invalid if the length of this frame is not consistent with the length specified in the field length of the frame or if the bytes are not integer. A frame may also be considered invalid if the CRC (Cyclic Redundancy Check) calculated on reception of the frame does not correspond to the CRC received due to errors due for example to interference during the transmission. In addition, each processing unit may comprise means for checking following the transmission of data on both the first link 3 and 10 on the second link 4, the coherence of the data received on the two links that must convey the data. same information in the absence of failure or corruption of transmitted frames. In order to be able to control an engine of the aircraft, the flight control system must entrust this control to one of its two lanes. For this, each treatment unit must know the health status of the opposite treatment unit. To do this, the communication means of the system are configured to transmit, from a first processing unit to a second processing unit, data relating to the health of the first processing unit, and vice versa. Such health data is data allowing the selection of a pathway and the establishment of a complete system diagnosis. They may be: CCDL diagnostic data, signals necessary for the channel switching logic, operating system status data or applications, hardware diagnostic data, particularly sensors or actuators, The flight control system may include means for selecting for control of an engine of the aircraft, based on the health data of the first processing unit being transmitted. and health data of the second processing unit, a processing unit 1125 among the first and second processing units for ensuring the best operation of the flight control system. 12
    权利要求:
    Claims (9)
    [0001]
    REVENDICATIONS1. An aircraft flight control system comprising: a first processing unit (1), a second processing unit (2), communication means configured to establish a first bidirectional digital link (3) and a second bidirectional digital link (4) between the first processing unit (1) and the second processing unit (2), said second link (4) being redundant with the first link (3), and said first link (4) being second links (4) being able to be active concomitantly.
    [0002]
    The flight control system of claim 1, wherein the first (3) and second (4) links are Cross Channel Data Link (CCDL) links.
    [0003]
    3. The flight control system according to one of the preceding claims, comprising backup communication means making it possible to exchange data between the first (1) and second (2) processing units in the event of failures of the data. first (3) and second links (4).
    [0004]
    4. Flight control system according to the preceding claim, wherein the backup communication means comprise an array of sensors 25 or actuators (13). 13 3025626
    [0005]
    5. Flight control system according to one of claims 3 or 4, wherein the backup communication means comprise an embedded secure network for the avionics (14).
    [0006]
    6. Flight control system according to claim 5, wherein the embedded secure network (14) is a redundant Ethernet network type AFDX ("Avionics Full DupleX switched ethernet") or pAFDX.
    [0007]
    Flight control system according to one of the preceding claims, wherein each processing unit (1, 2) comprises means for verifying the integrity of data received on each of the links (3, 4).
    [0008]
    Flight control system according to one of the preceding claims, in which each processing unit (1, 2) comprises means for checking, following the transmission of data at a time on the first link (3). ) and on the second link (4), the coherence of the data received on the first link (3) and on the second link (4).
    [0009]
    An aircraft flight control system according to one of the preceding claims, wherein the communication means is configured to transmit from a first processing unit (1, 2) to a second processing unit (2). , 1) health data of the first processing unit (1,2), said system comprising means for selecting a processing unit for controlling an engine of said aircraft from the first (1,2) and the second (2.1) processing units based on the health data of the first transmitted processing unit and the health data of the second processing unit (2.1).
    类似技术:
    公开号 | 公开日 | 专利标题
    EP3189380B1|2018-08-22|Two-way architecture with redundant ccdl's
    Alena et al.2007|Communications for integrated modular avionics
    FR3027477A1|2016-04-22|SWITCHING DATA TRANSMISSION BETWEEN HETEROGENEOUS NETWORKS FOR AIRCRAFT
    CA2740280C|2017-11-07|Flight-control system and aircraft comprising same
    EP3189381B1|2018-07-25|Two channel architecture
    US7840852B2|2010-11-23|Method and system for environmentally adaptive fault tolerant computing
    EP2366237B1|2013-01-16|Secure avionics equipment and associated method of making secure
    JP2015069270A|2015-04-13|Fault tolerant system
    FR2934693A1|2010-02-05|A DYNAMIC RECONFIGURATION ONBOARD AERONAUTICAL SYSTEM, ASSOCIATED METHOD AND AIRCRAFT EMBARKING SUCH A SYSTEM.
    WO2016055541A1|2016-04-14|System on a chip having high operating certainty
    CN109739765B|2021-12-31|Test system
    WO2002056176A1|2002-07-18|Fault-tolerant synchronisation device for a real-time computer network
    FR3019340A1|2015-10-02|DETERMENIST RESPONSE ELECTRONIC COMPONENT
    FR2947127A1|2010-12-24|SIMULATION OR TEST SYSTEM AND ASSOCIATED METHOD
    Mori2001|Autonomous decentralized systems technologies and their application to a train transport operation system
    FR3093831A1|2020-09-18|Device for and method of data transmission
    Obermaisser2005|Requirements of an Integrated Architecture
    同族专利:
    公开号 | 公开日
    EP3189380A1|2017-07-12|
    KR102213762B1|2021-02-09|
    RU2670941C2|2018-10-25|
    RU2017111197A3|2018-10-05|
    FR3025626B1|2017-11-03|
    US20170277152A1|2017-09-28|
    CA2960093C|2020-03-10|
    CN107005446A|2017-08-01|
    US10338560B2|2019-07-02|
    JP2020030815A|2020-02-27|
    EP3189380B1|2018-08-22|
    RU2017111197A|2018-10-05|
    CA2960093A1|2016-03-10|
    WO2016034824A1|2016-03-10|
    KR20180087468A|2018-08-01|
    JP2017530461A|2017-10-12|
    RU2670941C9|2018-11-26|
    KR20170089835A|2017-08-04|
    CN107005446B|2018-11-27|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US20040088991A1|2001-11-13|2004-05-13|Steven Gallant|Fault management system for gas turbine engines|
    US20040153700A1|2003-01-02|2004-08-05|Nixon Mark J.|Redundant application stations for process control systems|
    US20080205416A1|2007-02-23|2008-08-28|Honeywell International, Inc.|Flight control computers with ethernet based cross channel data links|
    US20100222900A1|2009-02-27|2010-09-02|Atsushi Kakino|Multiple redundant control system|
    JPH0410832A|1990-04-27|1992-01-16|Nec Commun Syst Ltd|Backup system for packet network system|
    US5274554A|1991-02-01|1993-12-28|The Boeing Company|Multiple-voting fault detection system for flight critical actuation control systems|
    US6611499B1|1999-03-18|2003-08-26|At&T Corp.|Method for measuring the availability of router-based connectionless networks|
    KR100564758B1|2003-12-12|2006-03-27|한국전자통신연구원|The duplicating unit of communication channel and the method for operating the duplicated communication channel|
    JP4478037B2|2004-01-30|2010-06-09|日立オートモティブシステムズ株式会社|Vehicle control device|
    KR100603599B1|2004-11-25|2006-07-24|한국전자통신연구원|Apparatus and Method for Redundancy Control of Redundancy Switch Board|
    FR2879388B1|2004-12-15|2007-03-16|Sagem|SECURE TRANSMISSION METHOD, SYSTEM, FIREWALL AND ROUTER EMPLOYING IT|
    US20060184253A1|2005-02-03|2006-08-17|International Business Machines Corporation|Intelligent method of organizing and presenting operational mode information on an instrument panel of a flight deck|
    US7346793B2|2005-02-10|2008-03-18|Northrop Grumman Corporation|Synchronization of multiple operational flight programs|
    US8503484B2|2009-01-19|2013-08-06|Honeywell International Inc.|System and method for a cross channel data link|
    JP5607919B2|2009-12-16|2014-10-15|川崎重工業株式会社|Integrated airborne electronic system|
    CN102130722B|2011-03-01|2014-04-23|南京航空航天大学|Cross channel data link system of fly-by-light flight control system|
    JP6227239B2|2011-11-16|2017-11-08|ナブテスコ株式会社|Aircraft control apparatus and aircraft control system|
    FR2986398B1|2012-01-30|2014-03-07|Snecma|SAFETY DEVICE FOR CONTROLLING AN ENGINE COMPRISING A REDUNDANCY OF ACQUISITIONS OF A SENSOR MEASUREMENT|
    CN103853626A|2012-12-07|2014-06-11|深圳航天东方红海特卫星有限公司|Duplex redundant backup bus communication method and device for satellite-borne electronic equipment|
    CN103441875A|2013-08-23|2013-12-11|中国铁道科学研究院|Method for achieving redundant communication of signal centralized monitoring system|
    CN103490959B|2013-10-10|2016-12-07|北京航天发射技术研究所|A kind of dual-redundant CAN bus fault detection method|
    FR3025626B1|2014-09-05|2017-11-03|Sagem Defense Securite|BI-TRACK ARCHITECTURE WITH REDUNDANT CCDL LINKS|FR3025626B1|2014-09-05|2017-11-03|Sagem Defense Securite|BI-TRACK ARCHITECTURE WITH REDUNDANT CCDL LINKS|
    CN107331185B|2017-08-16|2019-12-06|青岛海信网络科技股份有限公司|Abnormal state processing method of traffic signal lamp machine, host and slave|
    US10710741B2|2018-07-02|2020-07-14|Joby Aero, Inc.|System and method for airspeed determination|
    CN108924955B|2018-07-30|2021-12-14|山东大骋医疗科技有限公司|CT data transmission and control method and device based on double-chain wireless communication|
    DK201870684A1|2018-08-27|2020-05-19|Aptiv Technologies Limited|Partitioned wireless communication system with redundant data links and power lines|
    US20200092052A1|2018-09-17|2020-03-19|Joby Aero, Inc.|Aircraft control system|
    US10983534B2|2018-12-07|2021-04-20|Joby Aero, Inc.|Aircraft control system and method|
    US10845823B2|2018-12-19|2020-11-24|Joby Aero, Inc.|Vehicle navigation system|
    CN109707517B|2018-12-21|2021-06-25|中国航发控制系统研究所|Method and system for controlling dual-channel synchronization|
    WO2020219747A2|2019-04-23|2020-10-29|Joby Aero, Inc.|Battery thermal management system and method|
    US11230384B2|2019-04-23|2022-01-25|Joby Aero, Inc.|Vehicle cabin thermal management system and method|
    US10988248B2|2019-04-25|2021-04-27|Joby Aero, Inc.|VTOL aircraft|
    US20210162937A1|2019-12-03|2021-06-03|Woodward, Inc.|Systems and methods for commanded or uncommanded channel switchover in a multiple processor controller|
    法律状态:
    2015-08-27| PLFP| Fee payment|Year of fee payment: 2 |
    2016-03-11| PLSC| Publication of the preliminary search report|Effective date: 20160311 |
    2016-08-22| PLFP| Fee payment|Year of fee payment: 3 |
    2017-01-13| CJ| Change in legal form|Effective date: 20161214 |
    2017-01-13| CD| Change of name or company name|Owner name: TURBOMECA, FR Effective date: 20161214 Owner name: SAGEM DEFENSE SECURITE, FR Effective date: 20161214 |
    2017-08-22| PLFP| Fee payment|Year of fee payment: 4 |
    2017-09-01| CD| Change of name or company name|Owner name: SAFRAN HELICOPTER ENGINES, FR Effective date: 20170727 Owner name: SAFRAN ELECTRONICS & DEFENSE, FR Effective date: 20170727 |
    2018-08-22| PLFP| Fee payment|Year of fee payment: 5 |
    2019-08-20| PLFP| Fee payment|Year of fee payment: 6 |
    2020-08-19| PLFP| Fee payment|Year of fee payment: 7 |
    2021-08-19| PLFP| Fee payment|Year of fee payment: 8 |
    优先权:
    申请号 | 申请日 | 专利标题
    FR1458350A|FR3025626B1|2014-09-05|2014-09-05|BI-TRACK ARCHITECTURE WITH REDUNDANT CCDL LINKS|FR1458350A| FR3025626B1|2014-09-05|2014-09-05|BI-TRACK ARCHITECTURE WITH REDUNDANT CCDL LINKS|
    KR1020187021423A| KR102213762B1|2014-09-05|2015-09-04|Two-way architecture with redundant ccdl's|
    EP15767223.9A| EP3189380B1|2014-09-05|2015-09-04|Two-way architecture with redundant ccdl's|
    PCT/FR2015/052342| WO2016034824A1|2014-09-05|2015-09-04|Two-way architecture with redundant ccdl's|
    JP2017512815A| JP2017530461A|2014-09-05|2015-09-04|Two-way architecture with redundant CCDL|
    CN201580047789.9A| CN107005446B|2014-09-05|2015-09-04|Binary channels framework with redundancy CCDL|
    KR1020177007922A| KR20170089835A|2014-09-05|2015-09-04|Two-way architecture with redundant ccdl's|
    US15/508,476| US10338560B2|2014-09-05|2015-09-04|Two-way architecture with redundant CCDL's|
    RU2017111197A| RU2670941C9|2014-09-05|2015-09-04|Dual-channel architecture with ccdl excess links|
    CA2960093A| CA2960093C|2014-09-05|2015-09-04|Two-way architecture with redundant ccdl's|
    JP2019130023A| JP2020030815A|2014-09-05|2019-07-12|Flight control system|
    [返回顶部]