Abstract: The invention relates to a method (1, 28) for monitoring an engine control unit (2) having at least two separate paths (4, 6), each of the paths (4, 6) comprising at least: - means for carrying out a given application task AS, the application task AS consisting in part of a plurality of calculations which are performed consecutively and between which there are periods of latency; - a first component (14) capable of performing the calculations; - a second component (16) capable of storing data; the application tasks AS of the paths (4) being capable of communicating, the method comprising the following steps: a) detecting a period of latency; b) performing, during said period of latency, a test of the operational state (26) of at least one of the components (14, 16); c) determining a state of the component (14, 16) corresponding to a failure state or a healthy state.
The invention relates to turbomachines, such as a turbojet or an aircraft turboprop, and more particularly to the control units of such turbomachines.
State of the prior art
The operation of the turbomachines of the aircraft is controlled by means of control units, capable of piloting and regulating the turbomachines, during the various phases of flight of the aircraft.
These control units comprise on-board electronic computers, communicating with each other, and carrying out calculations in parallel, on the basis of the same input data originating for example from sensors, in order to establish the commands for the various members of the turbomachine.
During a calculation cycle of a computer, three tasks are carried out. A first task, called OS (Operating System) task, consists in launching the operating system, that is to say the set of programs managing the use of resources by application tasks. A second so-called application or AS (acronym from the English Applicative System) task consists of carrying out the calculations necessary to determine the commands for piloting and regulating the turbomachines. The execution time of the AS task represents 80 to 90% of the time required for a calculation cycle. A third task completes the calculation cycle. This is an OS task identical to the first task.
These computers, comprising many components, carry out self-tests to check that none of their components has a major malfunction. These self-tests are performed during OS tasks, i.e. at the start and end of calculation cycles. Figure 1 illustrates the sequencing of tasks and self-tests, as known in the prior art. A single self-test 26 is launched during the OS task at the start of the calculation cycle 24. Nevertheless, malfunctions can occur in the components of the computers during the application tasks. Such malfunctions can thus be the cause of disturbances at the level of the engine control unit. It is possible, by a post-processing analysis starting from the disturbances, to trace back to the faulty component and therefore to the faulty computer.
It is necessary for this isolation to be carried out as quickly as possible, in order to reduce the impact of the malfunction on the piloting and regulation of the turbomachines. The object of the invention is in particular to provide a simple, effective and economical solution to the drawbacks of the current technique described above.
Summary of the invention
To this end, there is proposed a method for supervising an engine control unit with at least two separate channels each comprising a computer, each of said two channels comprising at least:
- Means for executing a given application task, the application task consisting in part of a plurality of calculations executed successively between which latency periods pass;
- a first component capable of carrying out the calculations of said application task, from input data;
- a second component capable of storing data;
the application task executed by the first channel and the application task executed by the second channel being able to communicate with each other, the method comprising the following steps during a current execution cycle j of the application task in each channel:
a) detecting a latency period;
b) executing, during this latency period, a functional state test of at least one of the first and second components;
c) determining a state of said component corresponding to a faulty state or a healthy state.
Such a method thus allows each computer to perform self-tests during application tasks, in particular during latency periods, so as to be able to determine, without waiting for the end of a calculation cycle, the state of the various components included in the computer. Thus, thanks to such a method, it is possible to detect a faulty computer without waiting for the end of a calculation cycle, and to isolate it suitably, at the end of the cycle.
This also makes it possible to carry out a diagnosis for maintenance by increasing the number of self-tests, in order subsequently to facilitate maintenance operations on the ground.
The given application task can be the application task executed by the first channel and the application task executed by the second channel. Thus, the first and second channels can execute the same given application task.
Also, steps a) to c) can be carried out after the following step:
- detecting a symptom resulting from a failure of at least one of the components of the two channels.
Thus, the supervision method makes it possible to trigger component self-tests as soon as a symptom, resulting from a component failure, is detected. Thus, the self-tests are triggered if necessary, on the appearance of symptoms identified beforehand and resulting from failures of components of the computers of the engine control unit.
The invention therefore makes it possible to link component failures to undesired events and/or behaviors of an engine control unit. This thus makes it possible to obtain a correspondence table linking symptoms to failures of the on-board electronic equipment, in other words of the components.
During each cycle, the symptoms detected (as well as the failures resulting therefrom) are recorded in a non-volatile memory, as well as various information on the environment, for example thermal and/or vibratory, so as to facilitate maintenance operations.
In addition, the symptom may be a difference in signature between the two channels and/or a loss of communication between the two computers.
This involves identifying the symptoms of a failure affecting the computers. These symptoms may be linked to a difference in signature between the two channels executing the same application task, i.e. to a difference between the results of calculations carried out by each of the computers of the first channel and of the second channel at the end of the application task, or which may be linked to data that has not arrived, thus preventing the performance of calculations of the application task on at least one of the channels.
The two channels can each be constituted by a computer.
Moreover, if the symptom detected is a signature difference between the two channels, then the detection can be performed during an execution cycle j-1 which precedes a current execution cycle j. The execution cycle j-1 is called “previous execution cycle” or “previous cycle”.
The difference in signature may consist in comparing, at the end of cycle j and in parallel on the two channels, the sum of the calculations of the application task which are carried out during the current execution cycle j.
If the symptom detected is a loss of communication between the computers, then the detection can be performed during the current execution cycle j.
According to another characteristic, instructions for the execution of the test of step b) can be sent by the application task.
Thus, the application task triggers the operating state tests at the correct frequency and during a latency period so as to be able to establish the operating state of the components regularly, without impacting the calculations of the application task.
According to another characteristic, the first component can be a reprogrammable integrated circuit or FPGA.
Additionally, the second component may be dynamic random access memory.
Brief description of figures
[Fig. 1] represents the sequencing of tasks and operating state tests during a calculation cycle according to the prior art;
[Fig. 2] represents a simplified flowchart of the method according to the invention;
[Fig. 3] shows a hardware architecture of an example of an engine control unit with two separate channels;
[Fig. 4] illustrates the sequencing of tasks and operating state tests during a calculation cycle according to the method according to the invention;
[Fig. 5] illustrates a flowchart of an embodiment of the method according to the invention.
Detailed description of the invention
The supervision method 1, the flowchart of which is illustrated in FIG. 2, aims to supervise an engine control unit 2 with at least two distinct channels 4, 6, of which an example of architecture is illustrated in FIG. 3.
An engine control unit 2 with two channels 4, 6 thus comprises, as can be seen in FIG. 3, two channels 4, 6, that is to say two computers. This redundancy of the computers 4, 6 makes it possible to ensure resistance to a possible breakdown which could affect one of the computers 4, 6. Although the two computers 4, 6 perform the same calculations in parallel from the same input data (that is to say, execute the same application task), only one of the computers 4 pilots and regulates the turbomachine by calculating the commands. Thus, the redundant computer 6, also referred to as passive, sends no command to the components of the turbomachine.
The computers 4, 6 of the illustrated engine control unit 2 have the same architecture.
First, each computer 4, 6 comprises means for executing a given application task. These means are distributed in the digital core 8 of the computer and the communication card 10.
The digital core 8 includes, among other things, a microprocessor 12. The communication card 10, participating in the inter-computer communication, includes a first and a second component 14, 16. The first component 14, capable of carrying out the calculations of said application task from input data, is in this example an FPGA, but can also be a reprogrammable integrated circuit. The second component 16, able to store data, is a memory, preferably a dynamic random access memory.
The first component 14, in the example an FPGA (Field-Programmable Gate Array), makes it possible to clock the exchanges between the two computers 4, 6. The second component 16, preferably a DPRAM (Dual Ported Random Access Memory, i.e. dual-port RAM), receives signals from the first component 14 and stores data such as, for example, input data from sensors, as well as intermediate results of calculations.
The application task AS, consisting in part of a plurality of calculations executed successively between which latency periods elapse, makes it possible in particular to calculate, from input data originating from sensors for example, the control currents intended for actuators of moving parts constituting the turbomachine. Such actuators include, for example, electrohydraulic servo valves associated with jacks or other devices. The application task AS is thus executed simultaneously in parallel on each of the computers 4, 6 of the engine control unit 2. The application task AS executed on the first channel 4 and the application task AS executed on the second channel 6 are able to communicate with each other, through a first bus 18, a second bus 20 and a third bus 22. The first bus 18 makes it possible to exchange memory addresses of data to be recovered. The second bus 20 makes it possible to exchange data, such as for example input data coming from sensors. These may for example be measurements such as acquisitions of motor temperature values. The results of the intermediate and final calculations pass through the second bus 20, from the digital core 8, which performs the calculations, to the communication card 10, which transmits the calculated currents for example. The third bus 22 makes it possible to exchange the commands calculated from the input data. This is a so-called control bus making it possible to control the read and write authorizations on the first bus 18 and the second bus 20, for each of the computers 4, 6.
The supervision method 1 is executed at each execution cycle 24 on each of the channels, as shown in Figure 4.
The first step A of method 1 consists in detecting a symptom resulting from a failure of at least one of the components 14, 16 of the two channels 4, 6.
The symptoms of a failure of components 14, 16 on one of the two channels 4, 6 are as follows:
- Data not arrived: the AS application task awaiting input data (from a previous calculation or from a sensor) does not receive the data to carry out the rest of the calculations.
- Erroneous data: the AS application task awaiting input data (from a previous calculation or from a sensor) receives incorrect data to perform the rest of the calculations, leading to incorrect calculations being performed.
- Data stored at the wrong address: upon receipt of a piece of data, it is stored at an address of the second component 16, a dynamic random access memory.
When the address at which the data is stored is incorrect, there can be two consequences:
- data not arrived: at the address at which the data was to be stored, there is no data that can be used for the calculations of the application task AS.
- erroneous data: at the address at which the data should have been stored, a data which was previously stored there is then used for the rest of the calculations of the application task AS.
These symptoms can have two consequences. The first consequence is that the failure observed corresponds to a difference in signature on the two channels 4, 6, that is to say that for a given AS application task, the calculations carried out on each of the computers 4, 6 lead to different results. The second consequence is that the failure observed consists of a disturbance of inter-computer communication (the data exchanged is erroneous or missing).
Thus, the detection of these symptoms reflects the failure of at least one component 14, 16 of at least one of the computers 4, 6.
The second step B of the method then consists in detecting a latency period of the application task AS. Indeed, since the application task AS consists of a plurality of calculations from several input data, there are latency periods between the calculations during which the application task AS is waiting for data to perform the next calculation. During these latency periods, the resources of the channels 4, 6, that is to say the first 14 and second 16 components, are not used. These latency periods can thus be used to carry out operating state tests to determine which of the first 14 and second 16 components of the first 4 and second 6 computer is faulty and is the cause of the identified symptom(s).
The third step C of method 1 then consists in executing, during this latency period, a test of the operating state of at least one of the first 14 and second 16 components. This operating state test is preferably carried out on each of the components 14, 16 in parallel on the two channels 4, 6, that is to say for the two computers. The sequencing of the operating state tests is also visible in Figure 4. Thus, several operating tests are triggered during latency times of the application task, in addition to the one triggered at the start of the cycle during the OS task.
The self-tests are so-called March-type tests. The self-tests are used to test the write and read capacity of each component. To do this, a message of type AAAA then 5555 in hexadecimal is successively written to addresses of type 5555 then AAAA in hexadecimal. Writing content to these two addresses automatically triggers read tests.
These self-tests are performed during latency times (i.e. free times) and almost simultaneously with each exchange on the bus.
Thus, the application task AS sends instructions, respectively to each of the components 14, 16, so that an operating state test 26 is carried out. In other words, the operating state tests 26 are called by the application task AS so as to be executed during latency times. Thus, the tests performed do not impact the calculation time of the AS application task.
The fourth step D of method 1 consists in determining a state of the component(s) 14, 16 for which an operating state test 26 has been carried out. The state can be either a fault state or a healthy state. Thus, if, during the same cycle or two consecutive cycles, a symptom is observed and a faulty state of one of the components 14, 16 is confirmed, then a correlation is made between the detected symptom(s) and the fault(s) of the components concerned.
In order to limit the impacts of the identified faulty component, the computer comprising the faulty component is isolated. In other words, following an operating state test or self-test 26, which is launched by the application task AS, the computer comprising a detected and proven failure no longer executes the application task AS during the following cycles and therefore no longer communicates with the computer considered to be healthy. The engine control unit 2 then becomes single-channel, the application task AS being executed on only one computer considered to be healthy.
Following this isolation, to avoid engine shutdowns in flight (In-Flight Shutdown, IFSD), when one of the two channels 4, 6 is isolated, the launch of the self-tests 26 by the application task AS is suspended. Thus, no self-test 26 is carried out on the remaining computer, apart from the self-tests 26 carried out by the OS task at the start and at the end of the cycle.
FIG. 5 illustrates by means of a flowchart another example of method 28 according to the invention. The overall strategy of the system is to trigger self-tests 26 on the appearance of a symptom of the control unit 2. The first step consists in detecting, as detailed previously, a failure symptom during cycle j. The symptoms can be the following:
- Non-arrival data: when the AS application task is actively waiting for data, during a latency period, non-arrival data is detected when the time the application task has waited for the data exceeds a maximum wait time. The maximum wait time is at least 3 ms.
- Signature difference between the first channel 4 and the second channel 6: this involves, at the end of the application task AS, comparing the sum of the results of the calculations performed by the application task AS on the two channels 4, 6. This makes it possible to verify that the two channels 4, 6 carry out the same calculations. If the sum is different on the two channels 4, 6, this means that there is, on at least one of the two channels 4, 6, a use of an erroneous calculation input datum. Given that the sum is carried out at the end of the application task AS, that is to say of a cycle, the detection of this symptom is carried out during the previous cycle j-1, so that the self-tests 26 are launched during cycle j. In other words, the difference in signature consists in comparing, at the end of the previous cycle j-1 and in parallel on the two channels 4, 6, the sum of the calculations of the application task AS carried out during the previous cycle j-1. In the case of detection of a signature difference during the previous cycle j-1, steps B to D of method 1 (of the flowchart of FIG. 2) are carried out during the current cycle j.
When one of the above symptoms is identified, the AS application task increases the number of launches of self-tests 26 during latency periods in order to identify component failures that may be the cause of this symptom. The self-tests 26 are thus launched until the end of the current execution cycle j.
Thus, by increasing the number of self-tests and distributing them during the latency periods of the calculation cycle, the coverage of the self-tests consequently increases.
The possible failures of the first component 14, the FPGA, are as follows:
- Microcrack of one of the solders of one of the 16 branches of component 14: some microcracks may be non-impacting, except when the microcrack impacts the solder of a branch corresponding to a low-order bit;
- Data not updated;
- Failures during read and/or write memory access.
The possible failures of the second component 16, the DPRAM, are as follows:
- Storage of data at the wrong memory address;
- Non-storage of data;
- Internal memory failure that can be of the following three types: short circuit, coupling fault and sticking fault.
As soon as a failure is identified by means of the self-tests 26, the channel on which the failure is observed is made safe, in other words the channel is isolated. Also, the failure, as well as contextual information relating to the state of the control unit such as for example the temperature, the vibration state, the engine speeds, the attitudes of the aircraft, the state of health of the engine, the flight number and the date of the failure, are recorded in a non-volatile memory in order to facilitate maintenance operations. In the event that no component failure is identified, a lockout is provided for by the supervision method 28. The lockout of a computer consists in ensuring that:
- the OS task no longer calls the AS application task,
- the control currents are no longer calculated and therefore no longer sent by this computer. Redundancy is then lost.
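The following C program is an added example, not code from the patent. It models the flow described above: a signature difference found at the end of cycle j-1, self-tests (AAAA/5555 pattern) launched in latency periods of cycle j, and isolation of the channel found faulty, after which further launches are suspended. The simulated memory, the stuck-at-0 fault, the doubling calculation and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_WORDS 0x10000u

typedef enum { HEALTHY, FAULTY } state_t;

/* One channel (computer). The stuck-bit fault model is constructed for this example. */
typedef struct {
    uint16_t mem[MEM_WORDS]; /* stands in for the second component (memory) */
    int stuck_bit;           /* data bit stuck at 0, or -1 when there is no fault */
    bool isolated;           /* true once the channel has been taken out of service */
} channel_t;

void channel_init(channel_t *c, int stuck_bit) {
    for (size_t i = 0; i < MEM_WORDS; i++) c->mem[i] = 0;
    c->stuck_bit = stuck_bit;
    c->isolated = false;
}

static void mem_write(channel_t *c, uint16_t addr, uint16_t v) {
    if (c->stuck_bit >= 0) v &= (uint16_t)~(1u << c->stuck_bit);
    c->mem[addr] = v;
}

static uint16_t mem_read(const channel_t *c, uint16_t addr) { return c->mem[addr]; }

/* Steps b) and c): write AAAA to address 5555 and 5555 to address AAAA, read both
 * back, restore the previous contents, and report the component state. */
state_t self_test(channel_t *c) {
    uint16_t s1 = mem_read(c, 0x5555), s2 = mem_read(c, 0xAAAA);
    mem_write(c, 0x5555, 0xAAAA);
    mem_write(c, 0xAAAA, 0x5555);
    bool ok = mem_read(c, 0x5555) == 0xAAAA && mem_read(c, 0xAAAA) == 0x5555;
    mem_write(c, 0x5555, s1);
    mem_write(c, 0xAAAA, s2);
    return ok ? HEALTHY : FAULTY;
}

/* Application task for one cycle: store each input, read it back, and accumulate
 * the signature (sum of results). The doubling is a placeholder calculation. */
uint32_t run_as_task(channel_t *c, const uint16_t *in, size_t n) {
    uint32_t sig = 0;
    for (size_t i = 0; i < n; i++) {
        mem_write(c, (uint16_t)i, in[i]);
        sig += 2u * mem_read(c, (uint16_t)i);
    }
    return sig;
}

/* Cycle j, given the signatures computed at the end of cycle j-1. Returns the
 * number of self-tests launched during latency periods. */
int supervise_cycle(channel_t *a, channel_t *b, uint32_t sig_a, uint32_t sig_b,
                    int latency_slots) {
    int launched = 0;
    if (sig_a == sig_b) return 0;               /* no symptom */
    if (a->isolated || b->isolated) return 0;   /* single-channel: launches suspended */
    for (int s = 0; s < latency_slots; s++) {   /* step a) is modelled as a slot count */
        state_t sa = self_test(a), sb = self_test(b);
        launched += 2;
        if (sa == FAULTY) a->isolated = true;
        if (sb == FAULTY) b->isolated = true;
        if (a->isolated || b->isolated) break;  /* faulty channel isolated */
    }
    return launched;
}

int main(void) {
    static channel_t a, b;
    const uint16_t in[4] = {0x0008, 0x0100, 0x00FF, 0x1234}; /* constructed inputs */
    channel_init(&a, -1);
    channel_init(&b, 3); /* channel b: data bit 3 stuck at 0 */
    uint32_t sa = run_as_task(&a, in, 4), sb = run_as_task(&b, in, 4);
    int n = supervise_cycle(&a, &b, sa, sb, 5);
    printf("signatures %u/%u, self-tests %d, isolated a=%d b=%d\n",
           (unsigned)sa, (unsigned)sb, n, a.isolated, b.isolated);
    return 0;
}
```

Because AAAA and 5555 are bitwise complements, every data bit is exercised at both 0 and 1, which is why a single stuck bit always fails one of the two read-backs in this model.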
CLAIMS
1. Method (1, 28) for supervising an engine control unit (2) with at least two separate channels (4, 6) each comprising a computer, each of said two channels (4, 6) comprising at least:
- Means for executing a given application task (AS), the application task (AS) consisting in part of a plurality of calculations executed successively between which latency periods pass;
- a first component (14) capable of carrying out the calculations of said application task (AS), from input data;
- a second component (16) capable of storing data;
the application task (AS) executed by the first channel (4) and the application task (AS) executed by the second channel (6) being capable of communicating with each other, the method comprising the following steps during a current execution cycle (j) of the application task (AS) for each channel (4, 6):
a) Detecting a latency period;
b) Executing, during this latency period, a functional state test (26) of at least one of the first (14) and second (16) components;
c) Determining a state of said component (14, 16) corresponding to a faulty state or a healthy state.
2. Method (1, 28) according to claim 1, in which steps a) to c) are carried out after the following step:
- Detecting a symptom resulting from a failure of at least one of the components (14, 16) of the two channels (4, 6).
3. Method according to claim 2, in which the symptom is a difference in signature between the two channels and/or a loss of communication between the two computers (4, 6).
4. Method according to claim 3, in which, if the detected symptom is a signature difference between the two channels (4, 6), the detection is carried out during a previous execution cycle (j-1) which precedes the current execution cycle (j).
5. Method according to claim 3 or 4, in which the signature difference consists in comparing, at the end of the current execution cycle (j) and in parallel on the two channels (4, 6), the sum of the calculations of the application task (AS) carried out during the current execution cycle (j).
6. Method according to claim 3, in which, if the symptom detected is a loss of communication between the two computers (4, 6), the detection is carried out during the current execution cycle (j).
7. Method according to one of the preceding claims, in which instructions for the execution of the test of step b) are sent by the application task (AS).
8. Method according to one of the preceding claims, in which the first component (14) is a reprogrammable integrated circuit or FPGA.
9. Method according to one of the preceding claims, in which the second component (16) is dynamic random access memory.
| # | Name | Date |
|---|---|---|
| 1 | 202117049328.pdf | 2021-10-28 |
| 2 | 202117049328-TRANSLATIOIN OF PRIOIRTY DOCUMENTS ETC. [28-10-2021(online)].pdf | 2021-10-28 |
| 3 | 202117049328-STATEMENT OF UNDERTAKING (FORM 3) [28-10-2021(online)].pdf | 2021-10-28 |
| 4 | 202117049328-PRIORITY DOCUMENTS [28-10-2021(online)].pdf | 2021-10-28 |
| 5 | 202117049328-POWER OF AUTHORITY [28-10-2021(online)].pdf | 2021-10-28 |
| 6 | 202117049328-FORM 1 [28-10-2021(online)].pdf | 2021-10-28 |
| 7 | 202117049328-DRAWINGS [28-10-2021(online)].pdf | 2021-10-28 |
| 8 | 202117049328-DECLARATION OF INVENTORSHIP (FORM 5) [28-10-2021(online)].pdf | 2021-10-28 |
| 9 | 202117049328-COMPLETE SPECIFICATION [28-10-2021(online)].pdf | 2021-10-28 |
| 10 | 202117049328-Proof of Right [19-04-2022(online)].pdf | 2022-04-19 |
| 11 | 202117049328-FORM 3 [19-04-2022(online)].pdf | 2022-04-19 |
| 12 | 202117049328-Retyped Pages under Rule 14(1) [12-05-2022(online)].pdf | 2022-05-12 |
| 13 | 202117049328-2. Marked Copy under Rule 14(2) [12-05-2022(online)].pdf | 2022-05-12 |
| 14 | 202117049328-FORM 3 [05-04-2023(online)].pdf | 2023-04-05 |
| 15 | 202117049328-FORM 18 [05-04-2023(online)].pdf | 2023-04-05 |
| 16 | 202117049328-FER.pdf | 2023-08-31 |
| 17 | 202117049328-PETITION UNDER RULE 137 [22-02-2024(online)].pdf | 2024-02-22 |
| 18 | 202117049328-OTHERS [22-02-2024(online)].pdf | 2024-02-22 |
| 19 | 202117049328-Information under section 8(2) [22-02-2024(online)].pdf | 2024-02-22 |
| 20 | 202117049328-FORM-26 [22-02-2024(online)].pdf | 2024-02-22 |
| 21 | 202117049328-FORM 3 [22-02-2024(online)].pdf | 2024-02-22 |
| 22 | 202117049328-FER_SER_REPLY [22-02-2024(online)].pdf | 2024-02-22 |
| 23 | 202117049328-DRAWING [22-02-2024(online)].pdf | 2024-02-22 |
| 24 | 202117049328-COMPLETE SPECIFICATION [22-02-2024(online)].pdf | 2024-02-22 |
| 25 | 202117049328-CLAIMS [22-02-2024(online)].pdf | 2024-02-22 |
| 26 | 202117049328-ABSTRACT [22-02-2024(online)].pdf | 2024-02-22 |
| 27 | 202117049328-PatentCertificate27-06-2025.pdf | 2025-06-27 |
| 28 | 202117049328-IntimationOfGrant27-06-2025.pdf | 2025-06-27 |
| 1 | SearchHistoryE_28-08-2023.pdf | |