Two Way Architecture

Abstract: The present invention concerns a method for switching, by a local processing unit (1,2) of a flight control system of an aircraft, configured to control at least one local actuator, connected to at least one local sensor and connected via at least one link (3,4) to an opposite processing unit (2,1) configured to control at least one opposite actuator and be connected to at least one opposite sensor, said local processing unit (1,2) being further configured to be connected to backup communication means (13,14) enabling data exchanges between the local processing unit (1,2) and the opposite processing unit (2,1) in the case of failures of the links connecting same (3,4), said backup communication means comprising an array of sensors or actuators (13) and/or a secure onboard network for the avionics (14), comprising steps of:
- sending, to the opposite processing unit (2,1), acquisition data relative to the at least one local sensor and actuator data relative to the at least one local actuator,
- receiving, from the opposite processing unit (2,1), acquisition data relative to the at least one opposite sensor and actuator data relative to the at least one opposite actuator,
- receiving an item of opposite health data and determining an item of local health data,
- switching said local processing unit (1,2) from a first state to a second state chosen from an active state (15), a passive state (16) and a slave state (18), depending on the opposite health data received and the local health data determined.

Patent Information

Filing Date: 28 March 2017
Publication Number: 37/2017
Publication Type: INA
Invention Field: ELECTRICAL
Grant Date: 2023-10-27

Applicants

SAFRAN ELECTRONICS & DEFENSE
18/20 Quai du Point du Jour 92100 Boulogne Billancourt
SAFRAN HELICOPTER ENGINES
64510 Bordes

Inventors

1. LIU Céline
c/o Safran Electronics & Defense 18/20 Quai du Point du Jour 92100 Boulogne Billancourt
2. MARTI Nicolas
c/o Safran Electronics & Defense 18/20 Quai du Point du Jour 92100 Boulogne Billancourt
3. LANGFORD Stephen
1 rue d'Ivry 64000 Pau

Specification

GENERAL TECHNICAL FIELD
The invention relates to the field of flight control systems of aircraft.
It more particularly relates to a switching method between two processing units
or computers making up a two–way architecture of such a system.
STATE OF THE ART
The onboard flight control systems fitting out aircraft such as existing airplanes
or helicopters execute control functions and regulation functions of the engine of the
aircraft ensuring proper operation of the latter. Such functions are critical for the
safety of the passengers. Such systems therefore have to be resistant to failures.
For this, the existing flight control systems generally comprise two processing
units or computers, each capable of ensuring proper operation of the engine. Such a
system thus makes up a two–way architecture in which each channel is capable of
ensuring the execution of said critical functions in the case of a failure of the other
channel. From among both of these channels, the control of the engine is generally
given to the channel having the best health condition, i.e. the fewest failures or failures
having the lowest degree of seriousness. This channel is called an active channel.
In order to execute the control and regulation functions of the engine, each of
the channels is able to control at least one actuator. These actuators may fail. When
one or several actuators of the active channel fail, the latter may no longer be
capable of ensuring properly the control of the engine. If the other channel, called
passive channel, is in a worse health condition than that of the active channel, it is then
no longer able to ensure properly the control of the engine. Thus none of the two
channels is capable of properly ensuring the control of the engine, and the critical
functions of the flight system may then no longer be ensured.
Therefore there exists a need for a method giving the possibility to the active
channel of properly ensuring the control of the engine in spite of the failure of at least
one of its actuators.
PRESENTATION OF THE INVENTION
The present invention thus relates according to a first aspect to a switching
method applied by a first processing unit, called local processing unit, of a flight
control system of an aircraft comprising at least one engine,
said local processing unit being configured for controlling at least one actuator,
called local actuator, so as to control the engine of the aircraft, and being able
to be connected to at least one local sensor and to be connected via at least
one link to a second processing unit, called opposite processing unit,
configured for controlling at least one opposite actuator and being connected
to at least one opposite sensor, said local processing unit being further
configured so as to be connected to emergency communication means giving
the possibility of ensuring exchange of data between the local processing unit
and the opposite processing unit in the case of failures of said at least one link
connecting them, said emergency communication means comprising a
network of sensors or of actuators and/or an onboard secure network for
avionics,
said method comprising steps of:
- sending to the opposite processing unit acquisition data relative to at least one local
sensor and actuator data relative to the at least one local actuator,
- receiving from the opposite processing unit acquisition data related to the at least
one opposite sensor and actuator data relative to the at least one opposite actuator,
- receiving a health datum relative to the health condition of the opposite processing
unit, called opposite health datum,
- determining a health datum relative to the health of said local processing unit,
called local health datum,
- switching of said local processing unit from a first state to a second state,
depending on said received opposite health datum and depending on said
determined local health datum,
said steps for sending, receiving acquisition data and receiving a health datum being
applied via said at least one link or said emergency communication means, and said
states being from among an active state in which the local processing unit ensures
the control of the engine of the aircraft, a passive state in which the local processing
unit does not ensure control of the engine of the aircraft and a slave state in which
the local processing unit yields to the opposite processing unit the control of said
local actuators for the control of the engine of the aircraft.
Such a method gives the possibility to each processing unit to have a
complete image of the global system, including actuators and sensors connected to
the opposite processing unit, in order to be able to properly ensure the control of the
engine in spite of the failure of a local actuator. A processing unit incapable of
controlling the engine of the aircraft may thus give access to its actuators to the other
processing unit which is in an active state, so that the flight control system may
ensure the control of the engine in spite of one or several failures of the actuators of
the active processing unit. Further, the use of emergency communication means
gives the possibility of avoiding total blindness of the two–way system and a cutting
out of the communications between both processing units. Finally, the use of such
networks for exchanging information between the processing units gives the
possibility of increasing the redundancy level of the communication means between
the processing units and of ensuring the operating safety of the flight control system
without however requiring the setting into place of additional communication means
exclusively dedicated to the communication between the processing units.
The opposite processing unit and the local processing unit being connected
via on the one hand a first bidirectional digital link and on the other hand, via a
second bidirectional digital link and the opposite processing unit transmitting an
opposite health datum on each of the links,
the step for receiving an opposite health datum from the method according to the first
aspect may comprise a step for receiving a first opposite health datum on the first link
and a second redundant opposite health datum on the second link, a step for
verifying the consistency of said first and second received health data, and a step for
determining said opposite health datum transmitted according to said verification
step.
This gives the possibility of reinforcing the detection capability by the system of
the alterations of data exchange between the processing units and thus minimizes
the failure probability of the flight control system.
The step for determining the transmitted opposite health datum may comprise,
when said first and second received health data are not consistent, a consolidation
step during which the transmitted opposite health datum is determined from data
received over at least two successive frames.
This allows minimization of the risk of an error during the determination of the
transmitted opposite health datum when the transmitted data over both links on a first
frame are not consistent and do not allow determination of the transmitted health
datum in a safe way.
In order to ensure that the received data have not been corrupted during their
transmission, the step for receiving an opposite health datum of the method
according to the first aspect may comprise a step for verifying the integrity of said
received health datum.
The step for determining a local health datum of the method according to the
first aspect may comprise a step for diagnosing the health condition relative to the
hardware and to the software of said local processing unit.
This gives the possibility of obtaining a health datum allowing a diagnostic of
the whole of the failures which may affect the capability of the local processing unit of
ensuring the control of the engine.
The switching step of the method according to the first aspect may comprise:
- a step for determining, from the local health datum, a state datum relative to
the state of said local processing unit and a health status datum of the local
processing unit relative to the capability of the local processing unit of ensuring
control of the engine, and
- a step for switching said local processing unit into the slave state:
  - when the state datum indicates that the local processing unit is in a
  passive state and,
  - when the health status datum indicates a status in which:
    - the local processing unit is capable of communicating with the
    opposite processing unit, for example if at least one of the two
    bidirectional digital links gives the possibility of ensuring
    communications between the local processing unit and the
    opposite processing unit,
    - the local processing unit is incapable of ensuring the control of
    the engine,
    - and the local processing unit is capable of controlling the local
    actuators.
This gives the possibility of ensuring, before switching into the slave state, that
the processing unit is not ensuring the control of the engine, that it is not capable of
ensuring the control of the engine in the place of the other processing unit, and that
the failures which affect it do not prevent it from giving access to its actuators to the
other processing unit.
According to an advantageous and non–limiting feature, the switching step of
the method according to the first aspect comprises:
- a step for determination, in which said local processing unit determines from said
local and opposite health data that its health condition is better than that of the
opposite processing unit,
- a waiting step in which said local processing unit waits for the opposite processing
unit to switch into the passive state,
- a step for switching the local processing unit into the active state.
This gives the possibility of avoiding that the flight control system is found in a
situation wherein both processing units would be active at the same time and would
risk transmitting contradictory commands to their actuators.
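
The two switching steps described above (passive to slave, and passive to active after the waiting step), as an added example that is not part of the patent text. The field names, the numeric severity (higher means worse) and the rule that an active unit steps down when the opposite unit is healthier are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { ACTIVE, PASSIVE, SLAVE } unit_state;

/* Health status reduced to what the switching step needs.
 * Field names and the numeric severity (higher = worse) are assumptions. */
typedef struct {
    int  severity;
    bool can_communicate;     /* at least one link to the opposite unit works */
    bool can_control_engine;
    bool can_drive_actuators;
} health;

typedef struct { unit_state state; health h; } unit;

/* One evaluation of the switching step by `local`, using the state and health
 * datum last received from `opp`. */
unit_state next_state(const unit *local, const unit *opp)
{
    const health *h = &local->h;

    switch (local->state) {
    case PASSIVE:
        /* Slave only when passive, reachable, unable to control the engine,
         * and still able to drive its own actuators. */
        if (h->can_communicate && !h->can_control_engine && h->can_drive_actuators)
            return SLAVE;
        /* Healthier than the opposite unit: take control, but only once the
         * opposite unit has been seen in the passive state (waiting step). */
        if (h->can_control_engine && h->severity < opp->h.severity)
            return (opp->state == PASSIVE) ? ACTIVE : PASSIVE;
        return PASSIVE;
    case ACTIVE:
        /* Assumption: an active unit steps down when the opposite unit is
         * healthier and able to control the engine. */
        if (opp->h.can_control_engine && opp->h.severity < h->severity)
            return PASSIVE;
        return ACTIVE;
    case SLAVE:
        return SLAVE;   /* leaving the slave state is outside this example */
    }
    return local->state;
}

/* Both units evaluate on the same snapshot, then switch. Returns the number
 * of steps that ended with both units active (expected: 0). */
int run_handover(unit *a, unit *b, int steps)
{
    int both_active = 0;
    for (int i = 0; i < steps; i++) {
        unit_state na = next_state(a, b);
        unit_state nb = next_state(b, a);
        a->state = na;
        b->state = nb;
        if (a->state == ACTIVE && b->state == ACTIVE)
            both_active++;
    }
    return both_active;
}

int main(void)
{
    static const char *name[] = { "ACTIVE", "PASSIVE", "SLAVE" };
    /* Constructed scenario: channel A is active and degraded; B is healthy. */
    unit a = { ACTIVE,  { 2, true, true, true } };
    unit b = { PASSIVE, { 0, true, true, true } };
    int overlap = run_handover(&a, &b, 4);
    printf("A=%s B=%s, steps with both active: %d\n",
           name[a.state], name[b.state], overlap);
    return 0;
}
```
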
The present invention relates according to a second aspect to a computer
program product comprising code instructions for executing a switching method
according to the first aspect when this program is executed by a processor.
The present invention relates according to a third aspect to a processing unit
of a flight control system of an aircraft comprising at least one engine and configured
for controlling at least one actuator, called local actuator, so as to control the engine
of the aircraft,
said processing unit, called local processing unit, being able to be connected to at least
one local sensor and to be connected via at least one link to a second processing
unit, called opposite processing unit, configured for controlling at least one opposite
actuator and being connected to the at least one opposite sensor, said local
processing unit being further configured so as to be connected to emergency
communication means giving the possibility of ensuring data exchanges between the local
processing unit and the opposite processing unit in the case of failures of said at
least one link connecting them, said emergency communication means comprising a
network of sensors or actuators and/or an onboard secure network for avionics, and
comprising:
- means for sending to the opposite processing unit acquisition data relative to the at
least one local sensor and actuator data relative to the at least one local actuator,
- means for receiving from the opposite processing unit, acquisition data relative to
the at least one opposite sensor and actuator data relative to the at least one
opposite actuator,
- means for receiving a health datum relative to the health condition of the opposite
processing unit, called opposite health datum,
- means for determining a health datum relative to the health of said local processing
unit, called local health datum,
- means for switching said local processing unit from a first state to a second state,
depending on said received opposite health datum and on said determined local
health datum,
said states being from among an active state in which the local processing unit
ensures control of the engine of the aircraft, a passive state in which the local
processing unit does not ensure the control of the engine of the aircraft and a slave
state in which the local processing unit gives over to the opposite processing unit the
control of said local actuators for controlling the engine of the aircraft.
The present invention relates according to a fourth aspect, to a flight control
system comprising two processing units according to the third aspect and further
comprising emergency communication means giving the possibility of ensuring the
exchanges of data between the local processing unit and the opposite processing
unit in the case of failures of the links connecting them, said emergency
communication means comprising the network of sensors or actuators and/or the
onboard secure network for avionics.
Such computer program product, processing unit and flight control system
have the same advantages as those mentioned for the method according to the first
aspect.
Both processing units may be connected via on the one hand a first
bidirectional digital link and on the other hand via a second bidirectional digital link,
said second link being redundant with the first link, and said first and second links
being able to be active concomitantly.
Such a system has a great resistance to failures by the redundancy of its
processing units and of its communication means as well as by the minimization of
the number of communication links, while reducing its bulkiness.
The first and second links may be CCDL links (“Cross Channel Data Link”).
Such a link notably gives the possibility to the processing units of exchanging
more complex pieces of health information than those exchanged via discrete
analogue links of the known systems while limiting the wiring volume.
The onboard secure network for avionics may for example be a redundant
Ethernet network of the AFDX (“Avionics Full DupleX switched Ethernet”) or µAFDX
type.
PRESENTATION OF THE FIGURES
Other features and advantages will become apparent upon reading the
description which follows of an embodiment. This description will be given with
reference to the appended drawings wherein:
- Fig. 1 schematically illustrates a flight control system according to an
embodiment of the invention;
- Fig. 2 schematically illustrates hardware means intended to establish two
CCDL links between two processing units of a flight control system
according to an embodiment of the invention;
- Fig. 3 schematically illustrates the physical segregation of CCDL modules
of each processing unit of a flight control system according to an
embodiment of the invention;
- Fig. 4 schematically illustrates the segregation of the hardware means of
a processing unit intended to establish two CCDL links according to an
embodiment of the invention;
- Fig. 5 represents the graph of the states of the processing units of the
flight control system according to an embodiment of the invention.
DETAILED DESCRIPTION
An embodiment of the invention relates to a switching method applied by a first
processing unit 1, called local processing unit, of a flight control system, illustrated in
Fig. 1, of an aircraft comprising at least one engine.
The flight control system also includes a second processing unit 2, called
opposite processing unit. The local processing unit may be connected to at least one
local sensor and be connected via at least one link 3, 4 to the opposite processing
unit, itself connected to at least one opposite sensor. Both of the processing units are
redundant and may each execute functions for controlling and regulating the engine
of the aircraft. For this, each processing unit is configured for controlling at least one
actuator, so as to control the engine of the aircraft. The actuators controllable by the
local processing unit 1 are called local actuators. The actuators which may be
controlled by the opposite processing unit are called opposite actuators. The system
as illustrated in Fig. 1 thus is a two–way architecture comprising a channel A and a
channel B.
The processing units 1 and 2 may be processors of a same multiprocessor
computer system including several processors. In order to reinforce the resistance of
the flight control system to external aggressions and to avoid that a single localized
event may put both processing units 1 and 2 out of operation, both channels may be
installed at a distance from each other in separate casings. In such a configuration,
the processing units are not execution cores integrated within a single processor.
The system also comprises communication means giving the possibility of
connecting both processing units in order to allow exchange of essential data for the
proper operation of each of the processing units such as pieces of information on the
health condition of the opposite processing unit.
In an alternative embodiment, these communication means are configured for
establishing a first bidirectional digital link 3 and a second bidirectional digital link 4
between the first processing unit 1 and the second processing unit 2. Such a system
does not include any discrete link between both processing units, which allows
limitation of the complexity of its wiring and of the probability that one of the
communication links fails.
The second link 4 is redundant with the first link 3 in order to ensure the
communication between both processing units in the case of failure of the first link 3,
and vice versa. Such redundancy guarantees, from the point of view of the exchange
of information between both processing units, a good safety level.
Further, said first and second links may be active concomitantly. Thus, unlike
the systems in which the redundant link is only used in the case of failure of the first
link, the flight control system may use the first link 3 and the second link 4 at the
same time during normal operation, i.e. in the absence of any failure of one of the two
links, and may utilize the concomitant use of both of these links in order to verify the
absence of corruption of the data exchanged between both processing units.
The first and second processing units 1 and 2 may use a procedure for
communicating between them via both links 3 and 4, for example from among the
protocols Ethernet IEEE 802.3, HDLC, SDLC, or any other protocol having a function
for detecting or correcting an error. An Ethernet link may notably ensure high
performances, large environmental robustness, notably as regards resistance to
lightning and the Electro–Magnetic Compatibility (“EMC”) and a high functional
robustness by the application of mechanisms for controlling the integrity of data and
for controlling the flow. Further, the Ethernet protocol is an industrial standard
consistent with avionic communication technologies, such as AFDX (“Avionics Full
DupleX switched Ethernet”) or µAFDX, and with maintenance techniques.
The first and second links may be CCDL links (“Cross Channel Data Link”).
Such a link gives the possibility of synchronizing every application with an accuracy
of less than one hundred microseconds. Such a link also allows, instead of
exchanging discretes as in known systems, exchanging pieces of health
information constructed by the hardware or the software, information useful to the
system (acquisition, statuses,…) and functional data of the operating system (OS)
and of the application system (AS).
Such CCDL links between both processing units A and B are illustrated in
Fig. 2. Each processing unit 1, 2 comprises a system 5a, 5b, including a first CCDL
module (CCDLA) 6a, 6b for establishing the first CCDL link 3 and a second CCDL
module (CCDLB) 7a, 7b for establishing the second CCDL link 4. Such a system may
appear as an on–chip system (SoC, “system on a chip”) or consist of a
microprocessor and peripherals implemented in separate casings or in an FPGA
board. Each CCDL module is connected to the input/output interface of its casing
through a physical layer. Such a layer may for example comprise a hardware
interface Phy 8a, 8b, 8c, 8d and a transformer 9a, 9b, 9c, 9d as illustrated in Fig. 2.
As illustrated in Fig. 3, the CCDL modules of each processing unit may be
physically segregated by being positioned on the system 5a, 5b in distinct
locations and away from each other, for example by positioning each of them at a
corner of an on–chip system. This gives the possibility of reducing the common failure
probability in the case of an alteration of the SEU type (“Single Event Upset”) or MBU
(“Multiple Bit Upset”).
According to a first alternative, each system 5a, 5b is powered by a separate
power supply. According to a second alternative, the system comprises a power
supply 15 common to the whole of the on–chip system. Each on–chip system may be
powered through two distinct clock signals 11 and 12, as illustrated in Fig. 4. Thus,
although they are not powered independently, the CCDL modules of each processing
unit may be powered through independent clocks, which reinforces the resistance to
failures of the on–chip system by preventing a clock failure of one of the CCDL
modules from affecting the other CCDL module.
The CCDL modules of each processing unit may be synchronized by means of
a local real time clock mechanism (HTR or RTC “Real time clock”) 10a, 10b as
illustrated in Fig. 2 and of a synchronization mechanism such as a mechanism with a
synchronization window. Thus, in the case of loss of the synchronization, each
processing unit operates by means of its local clock and then synchronizes again
upon receiving a valid signal. The local clock mechanism is programmable by the
application and its programming is protected against alterations of the SEU type
(“Single Event Upset”) or MBU (“Multiple Bit Upset”). The CCDL links may
nevertheless continue to operate even in the absence of synchronization or in the
case of loss of a clock.
The system may further comprise emergency communication means giving
the possibility of ensuring exchanges of data between the first and second
processing units and exclusively used in the case of failures of the first and second
links, so as to avoid cutting–off of the communications between the processing units.
In a first embodiment illustrated in Fig. 1, these emergency communication
means may comprise a network of sensors or actuators 13. Such a network of
sensors or actuators may as an example be a network of smart sensors or actuators
(“smart–sensor, smart–actuator”). Each processing unit may then be connected to
this network 13 via a bus of the RS–485 type allowing transmission of information no
longer in an analogue way but in a digital way.
In a second embodiment illustrated in Fig. 1, these emergency communication
means comprise an onboard secure network for avionics 14. Such an onboard secure
network may as an example be a redundant Ethernet network such as AFDX
(“Avionics Full DupleX switched Ethernet”) or µAFDX. Such a network provides
means for sharing resources, for segregating flows as well as determinism and
availability required for aeronautical certifications.
Since the digital signals transmitted between the processing units may be sensitive
to perturbations, mechanisms for controlling integrity and for controlling consistency
of the transmitted data between both remote processing units may be set into place.
Thus, each processing unit may comprise means for verifying the integrity of
the received data.
In order to verify the integrity of the received data, the different fields of each
received frame may be verified, notably in the case of an Ethernet link, the fields
relative to the destination address, to the source address, to the type and to the
length of the frame, to the MAC data and to the filling data. A frame may be
considered as non–valid if the length of this frame is not consistent with the length
specified in the length field of the frame or if the frame does not contain an integer
number of bytes. A frame
may also be considered as non–valid if the redundancy control (CRC, “Cyclic
Redundancy Check”) calculated upon receiving the frame does not correspond to the
CRC received because of errors, for example due to interferences during the
transmission.
Further, when the local processing unit and the opposite processing unit are
connected via two bidirectional links, each processing unit may comprise means for
verifying subsequently to the transmission of a datum both over the first link and over
the second link, the consistency of the received data on both links which should
convey the same information in the absence of a failure or of corruption of the
transmitted frames, and for determining the actually transmitted datum. When the
data received over both links are not consistent, the processing unit may apply a
consolidation step during which the actually transmitted datum is determined from
data received on at least two successive frames, optionally over three frames. Such a
consolidation may also be achieved by extending the time period which separates the
reception of two successive Ethernet data packets, for example by setting the length
of this time period to a duration greater than the duration of an electromagnetic
perturbation. This may be applied by adding a parameter (“Inter Frame Gap”)
setting such a period between the emitted packets. Such an application may for
example give the possibility of avoiding corruption of two Ethernet packets
transmitted in a redundant way.
Each of the processing units of the flight control system may be found in a
state from among the following states, which is illustrated in the state graph in Fig. 5:
- an active state (“ACTIVE”) 15 in which the processing unit ensures the
control of the engine of the aircraft,
- a passive state (“PASSIVE”) 16 in which the processing unit does not
ensure control of the engine of the aircraft but executes other functions,
for example diagnostic functions, and may optionally communicate with
the other processing unit of the control system,
- a reset state (“RESET”) 17 in which the processing unit is inactive and
does not execute any function,
- a slave state (“SLAVE”) 18 in which the processing unit gives over to the
other processing unit, the control of its actuators for the control of the
engine of the aircraft.
In order that each processing unit has a complete overview of the global
system, including the actuators and sensors connected to the opposite processing
unit, in order to be able to correctly ensure the control of the engine in spite of the
failure of a local actuator, the switching method applied by a local processing unit
comprises steps of:
- sending to the opposite processing unit acquisition data relative to the at
least one local sensor and actuator data relative to the at least one local
actuator,
- receiving from the opposite processing unit acquisition data relative to the
at least one opposite sensor and actuator data relative to the at least one
opposite actuator.
Such acquisition data relative to a sensor may, as an example in the case
of temperature sensors, comprise the temperature measured by the sensor.
Further, in order to allow the local processing unit 1 to change state from
among the four states described above, the switching method comprises steps of:
- receiving a health datum such as a status, relative to the health condition of
the opposite processing unit 2, called opposite health datum,
- determining a health datum relative to the health of said local processing
unit 1, called local health datum,
- switching of said local processing unit 1 from a first state to a second state,
depending on said received opposite health datum and on said determined
local health datum, said first and second states being from among the active,
passive, reset and slave states described above.
Said steps for sending, receiving acquisition data and receiving a health
datum are applied via links 3, 4 connecting both processing units or via emergency
communication means 13, 14 in the case of a failure of the links 3, 4.
Since the received opposite health datum may be subject to perturbations, the step
for receiving an opposite health datum may comprise a step for verifying the integrity
of the received datum.
Moreover, mechanisms for verifying consistency may also be applied, the
opposite health datum being able to be transmitted in a redundant way over the
bidirectional links. The step for receiving an opposite health datum then comprises a
step for receiving a first opposite health datum over the first link and a second
redundant opposite health datum over the second link, a step for verifying the
consistency of said first and second received health data, and a step for determining
said opposite health datum transmitted according to said verification step.
Alternatively, the first opposite health datum received over the first link and the
second opposite health datum received over the second link may be subject to a
verification of integrity before verifying their consistency.
In the case of inconsistency of the data received over the two links, the local
processing unit may ignore this health datum and wait for the transmission of a new
opposite health datum. In the case of receiving inconsistent data over both links
during two or more successive transmissions, the local processing unit may
conservatively retain, as the opposite health datum, the received datum indicating the
worst health condition of the opposite processing unit, if the data received during the
first transmission are identical with those received during the subsequent transmissions.
Otherwise, the last health datum received consistently is kept as long as no
new health datum has been received consistently.
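The reception logic described above (integrity check on each link, consistency check between links 3 and 4, then consolidation over successive transmissions), as an added C example that is not code from the patent. The frame layout, the CRC-8 standing in for the unspecified integrity check, the rule that a transmission failing integrity is dropped, and all identifiers are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Health statuses from the description, ordered so that a larger value is worse. */
typedef enum { GOOD = 0, ACCEPTABLE = 1, SLAVE = 2, BAD = 3 } health_t;

/* Assumed frame layout (not from the patent): one status byte plus a CRC-8. */
typedef struct { uint8_t status; uint8_t crc; } frame_t;

/* CRC-8, polynomial 0x07, init 0x00: stand-in for the unspecified integrity check. */
uint8_t crc8(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
    }
    return c;
}

/* Build a well-formed frame, as the opposite unit would send it on each link. */
frame_t make_frame(health_t s) {
    frame_t f = { (uint8_t)s, 0 };
    f.crc = crc8(&f.status, 1);
    return f;
}

static bool frame_ok(const frame_t *f) {
    return f->status <= BAD && crc8(&f->status, 1) == f->crc;
}

typedef struct {
    health_t retained;        /* opposite health datum currently in use */
    bool     pending;         /* previous transmission was inconsistent */
    uint8_t  prev_a, prev_b;  /* the pair seen in that transmission */
} consolidator_t;

/* Process one transmission (frame from link 3, frame from link 4);
 * returns the opposite health datum retained afterwards. */
health_t consolidate(consolidator_t *c, const frame_t *l3, const frame_t *l4) {
    if (!frame_ok(l3) || !frame_ok(l4))
        return c->retained;             /* assumption: corrupted frames are dropped */
    if (l3->status == l4->status) {     /* consistent: accept and clear history */
        c->pending = false;
        return c->retained = (health_t)l3->status;
    }
    if (c->pending && c->prev_a == l3->status && c->prev_b == l4->status) {
        /* identical disagreement on successive transmissions: keep the worst */
        uint8_t worst = l3->status > l4->status ? l3->status : l4->status;
        return c->retained = (health_t)worst;
    }
    /* first or changed disagreement: remember it, keep the last consistent datum */
    c->pending = true;
    c->prev_a = l3->status;
    c->prev_b = l4->status;
    return c->retained;
}
```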
In order to determine a local or opposite health datum, the relevant processing
unit makes a diagnosis of the health condition of its hardware and software
elements. Such a diagnosis may be established from information obtained from
different monitoring means or from several registers. As an example, one
register gives the health condition of the hardware of the
processing unit and another register gives the health
condition of the software of the processing unit.
The health data determined locally or transmitted by the opposite processing
unit are thus data making it possible to select a channel and to establish a
full system diagnostic. They may notably be diagnostic CCDL data, data of statuses
of the operating system or of the applications, diagnostic data of the hardware,
notably of sensors or actuators, or functional diagnostic data produced by the software.
From a local or opposite health datum, the local processing unit may
determine a state datum indicating the state (active, passive, slave or reset) in which
the corresponding local or opposite processing unit is found, and a health status
datum relative to the capability of the local or opposite processing unit of
ensuring control of the engine.
According to an embodiment, each processing unit may have a health status
from among the four following statuses:
- a status “GOOD” in which the processing unit does not have any failure,
- a status “ACCEPTABLE” in which the processing unit has certain failures
which however will not prevent it from correctly ensuring the control of the
engine, for example the breakage of a CCDL link transformer or the loss
of the clock signal from one CCDL link,
- a status “SLAVE” in which the processing unit has failures too serious for
it to correctly ensure the control of the engine, for
example a processor failure, but which does not have hardware failures
which would prevent it from controlling its actuators or from communicating
with the opposite processing unit,
- a status “BAD” in which the processing unit is incapable of correctly
ensuring control of the engine and has at least one hardware failure
preventing the processing unit from controlling its actuators, for example
a power supply or clock failure affecting the whole of the processing unit
or a failure of both CCDL links.
The local processing unit executes at a regular time interval the steps
described above for receiving an opposite health datum and for determining a local
health datum. In order to determine whether it should change state, the local
processing unit determines, from the local health datum, a local state datum
indicating its state and a local status datum indicating its health status. Also, the local
processing unit determines, from the opposite health datum, an opposite state datum
indicating the state of the opposite processing unit, and an opposite status datum
indicating the status of the opposite processing unit.
The local processing unit then carries out a comparison of its health condition,
indicated by the local status datum, with that of the opposite processing unit,
indicated by the opposite status datum.
If the local processing unit is in an active state and if its health condition
remains better than that of the other processing unit (CTL_REQ=1), the processing
unit remains in an active state and continues to ensure the control of the engine.
As an example, the health condition of the local processing unit is better than
that of the opposite processing unit when:
- the local processing unit has the status GOOD and the opposite processing unit has
a status from among the statuses ACCEPTABLE, SLAVE and BAD,
- the local processing unit has the ACCEPTABLE status and the opposite processing
unit has a status from among the statuses SLAVE and BAD.
If the local processing unit is in an active state and if its health condition
becomes not as good as that of the other processing unit (CTL_REQ=0), the local
processing unit will switch into a passive state and will stop ensuring the control of
the engine which is then ensured by the opposite processing unit.
As an example, the health condition of the local processing unit is not as good
as that of the opposite processing unit when:
- the local processing unit has the ACCEPTABLE status and the opposite processing
unit has the GOOD status, or
- the local processing unit has the SLAVE status and the opposite processing unit
has a status from among the statuses GOOD and ACCEPTABLE, or
- the local processing unit has the BAD status and the opposite processing unit has a
status from among the statuses GOOD and ACCEPTABLE.
If the local processing unit is in a passive state and if its health condition
remains not as good as that of the opposite processing unit (CTL_REQ=0), the
processing unit remains in a passive state.
If the local processing unit is in a passive state and if its health condition
becomes better than that of the opposite processing unit (CTL_REQ=1), the local
processing unit switches into an active state in order to ensure control of the engine
instead of the opposite processing unit. The switching from a passive state to an
active state may pass through a waiting state 19 in which the local processing unit
waits for the opposite processing unit to pass into the passive state
(OPP_CH_STATE=0) before passing into the active state and taking over the control
of the engine. This avoids a situation in which both processing units
would be active at the same time
and would risk transmitting contradictory commands to their actuators. The
processing unit may remain in such a waiting state 19 as long as the opposite
processing unit is active (OPP_CH_STATE=1). From this state, the local processing
unit may even return into a passive state if the health condition of the opposite
processing unit has again become better than the health condition of the local
processing unit (CTL_REQ=0) before the latter passes into an active state.
If the local processing unit is in a passive state and if the local status datum
indicates that the processing unit has a health status of “SLAVE” (Remote Req=1),
the local processing unit may switch into the slave state described above. According
to an alternative, the switching into the slave state is also conditioned by receiving a
signal for requesting access to the actuators of the local processing unit from the
opposite processing unit. From the slave state, the processing unit may return to the
passive state when the local status datum only indicates that the processing unit has
a health status of “SLAVE” (Remote Req=0).
If the local status datum indicates a “BAD” health status, the local processing
unit switches into the reset state regardless of its current state. Once the reset has
been carried out successfully (HRESET_N rising edge), the processing unit may
again pass into the passive state.
In the case when the local processing unit and the opposite processing unit
have the same health status, GOOD or ACCEPTABLE, each processing unit may,
according to a first alternative, remain in its current state, active or passive. According
to a second alternative, provision may be made for giving the control of the engine to a
default processing unit, for example the first processing unit 1, in which case both
processing units remain in their current state if the default processing unit is already
in an active state, or else switch from the passive state to the active state and vice
versa if the default processing unit was previously in a passive state.
A processing unit may switch from the ACCEPTABLE status to the GOOD
status if it recovers the functions which it had lost previously, but a processing unit
having a SLAVE or BAD status cannot switch again into an ACCEPTABLE or GOOD
status, unless it is reset.
Thus, the passive channel of the control system may switch into a state allowing
it to make its actuators available to the active channel, which is in a
better health condition, so that the flight control system may continue to ensure the
control of the engine of the aircraft in spite of a failure affecting the capability of the
active channel to control its own actuators.
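The switching rules of this section written as a state machine, added here as an example and not taken from the patent. CTL_REQ is modelled as a latched bit that changes only for the status pairs the text lists (the first alternative for equal statuses), Remote Req is assumed to follow the local SLAVE status, and all type and function names are hypothetical.

```c
#include <stdbool.h>

typedef enum { ST_GOOD, ST_ACCEPTABLE, ST_SLAVE, ST_BAD } status_t;
typedef enum { CH_ACTIVE, CH_PASSIVE, CH_WAITING, CH_SLAVE, CH_RESET } state_t;

typedef struct {
    state_t state;
    bool    ctl_req;   /* latched CTL_REQ: 1 = local channel should hold control */
} channel_t;

typedef struct {
    status_t local, opposite;  /* health statuses taken from the two health data */
    bool opp_active;           /* OPP_CH_STATE: 1 while the opposite unit is active */
    bool hreset_rising;        /* HRESET_N rising edge: reset completed */
} inputs_t;

/* Update CTL_REQ using exactly the "better" / "not as good" cases the text lists. */
static void update_ctl_req(channel_t *ch, status_t l, status_t o) {
    if (l <= ST_ACCEPTABLE && l < o)      ch->ctl_req = true;
    else if (o <= ST_ACCEPTABLE && l > o) ch->ctl_req = false;
    /* equal or unlisted pairs: keep the previous value (first alternative) */
}

/* One periodic evaluation; returns the state after the step. */
state_t step(channel_t *ch, const inputs_t *in) {
    update_ctl_req(ch, in->local, in->opposite);
    bool remote_req = (in->local == ST_SLAVE);  /* assumed derivation of Remote Req */

    if (in->local == ST_BAD && ch->state != CH_RESET) {
        ch->ctl_req = false;
        return ch->state = CH_RESET;            /* BAD forces reset from any state */
    }
    switch (ch->state) {
    case CH_ACTIVE:
        if (!ch->ctl_req) ch->state = CH_PASSIVE;
        break;
    case CH_PASSIVE:
        if (remote_req)       ch->state = CH_SLAVE;
        else if (ch->ctl_req) ch->state = CH_WAITING;
        break;
    case CH_WAITING:  /* never go active while the opposite unit is still active */
        if (!ch->ctl_req)         ch->state = CH_PASSIVE;
        else if (!in->opp_active) ch->state = CH_ACTIVE;
        break;
    case CH_SLAVE:
        if (!remote_req) ch->state = CH_PASSIVE;
        break;
    case CH_RESET:
        if (in->hreset_rising) ch->state = CH_PASSIVE;
        break;
    }
    return ch->state;
}
```

The waiting state is what keeps both channels from being active at once: a passive channel with CTL_REQ=1 stays in CH_WAITING for as many steps as OPP_CH_STATE remains 1.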

Claims
1. A switching method applied by a first processing unit (1, 2), called local
processing unit, of a flight control system of an aircraft comprising at least one
engine,
said local processing unit (1, 2) being configured for controlling at least one
actuator, called local actuator, so as to control the engine of the aircraft, and being
able to be connected to at least one local sensor and to be connected via at least one
link (3, 4) to a second processing unit (2, 1), called opposite processing unit,
configured for controlling at least one opposite actuator and being connected to at
least one opposite sensor, said local processing unit (1, 2) being further configured
so as to be connected to emergency communication means (13, 14) giving the
possibility of ensuring exchanges of data between the local processing unit (1, 2) and
the opposite processing unit (2, 1) in the case of failures of said at least one link
connecting them (3, 4), said emergency communication means comprising a network
of sensors or actuators (13) and/or an onboard secure network for avionics (14),
said method comprising steps of:
- sending to the opposite processing unit acquisition data relative to the at
least one local sensor and actuator data relative to the at least one local actuator,
- receiving from the opposite processing unit acquisition data relative to the at
least one opposite sensor and actuator data relative to the at least one opposite
actuator,
- receiving a health datum relative to the health condition of the opposite
processing unit (2, 1), called opposite health datum,
- determining a health datum relative to the health of said local processing unit
(1, 2), called local health datum,
- switching of said local processing unit (1, 2) from a first state to a second
state, depending on said received opposite health datum and on said determined
local health datum,
said steps of sending, receiving acquisition data and of receiving a health
datum being applied via said at least one link or said emergency communication
means, and said states being from among an active state (15) in which the local
processing unit (1, 2) ensures control of the engine of the aircraft, a passive state
(16) in which the local processing unit (1, 2) does not ensure the control of the engine
of the aircraft and a slave state (18) in which the local processing unit (1, 2) gives
over to the opposite processing unit (2, 1) the control of said local actuators for
controlling the engine of the aircraft.
2. The method according to claim 1, wherein
the opposite processing unit (2, 1) and the local processing unit (1, 2) being
connected via a first bidirectional digital link (3) and via a second bidirectional
digital link (4),
and the opposite processing unit (2, 1) transmitting an opposite health datum
over each of the links (3, 4),
the step of receiving an opposite health datum comprises receiving a first
opposite health datum over the first link (3) and a second redundant opposite health
datum over the second link (4), verifying consistency of said first and second
received health data, and determining said opposite health datum transmitted
depending on said verification.
3. The method according to the preceding claim, wherein determining the
transmitted opposite health datum comprises, when said first and second received
health data are not consistent, a consolidation step during which the transmitted
opposite health datum is determined from data received over at least two successive
frames.
4. The method according to any one of the preceding claims, wherein
receiving an opposite health datum comprises verifying integrity of said received
health datum.
5. The method according to one of the preceding claims, wherein
determining a local health datum comprises diagnosing the health condition relative
to the hardware and to the software of said local processing unit (1, 2).
6. The method according to one of the preceding claims, wherein the
switching step comprises:
- determining, from the local health datum, a state datum relative to the state
of said local processing unit (1, 2) and from a health status datum of the local
processing unit relative to the capability of the local processing unit of ensuring
control of the engine, and
- switching said local processing unit (1, 2) into the slave state (18):
- when the state datum indicates that the local processing unit (1) is in a
passive state (16) and,
- when the health status datum indicates a status in which:
  - the local processing unit is capable of communicating with the
  opposite processing unit,
  - the local processing unit (1, 2) is incapable of ensuring the
  control of the engine,
  - and the local processing unit (1, 2) is capable of controlling the
  local actuators.
7. The method according to one of the preceding claims, wherein the
switching step comprises:
- a determination step, in which said local processing unit (1, 2) determines
from said local and opposite health data that its health condition is better than that of
the opposite processing unit (2, 1),
- a waiting step in which said local processing unit (1, 2) waits for the opposite
processing unit (2, 1) to switch into the passive state (16),
- switching the local processing unit (1, 2) into the active state (16).
8. A computer program product comprising code instructions for executing a
switching method according to any one of the preceding claims when this program is
executed by a processor.
9. A processing unit (1, 2) of a flight control system of an aircraft comprising
at least one engine and configured for controlling at least one actuator, called local
actuator, so as to control the engine of the aircraft,
said processing unit (1, 2), called local processing unit, being able to be
connected to at least one local sensor and to be connected via at least one link (3, 4)
to a second processing unit (2, 1), called opposite processing unit, configured for
controlling at least one opposite actuator and being connected to at least one
opposite sensor, said local processing unit (1, 2) being further configured so as to be
connected to emergency communication means (13, 14) giving the possibility of
ensuring exchanges of data between the local processing unit (1, 2) and the opposite
processing unit (2, 1) in the case of failures of said at least one link connecting them
(3, 4), said emergency communication means comprising a network of sensors or
actuators (13) and/or an onboard secure network for avionics (14),
and comprising:
- means for sending to the opposite processing unit acquisition data relative to
the at least one local sensor and actuator data relative to the at least one local
actuator,
- means for receiving from the opposite processing unit, acquisition data
relative to the at least one opposite sensor and actuator data relative to the at least
one opposite actuator,
- means for receiving a health datum relative to the health condition of the
opposite processing unit (2, 1), called opposite health datum,
- means for determining a health datum relative to the health of said local
processing unit (1, 2), called local health datum,
- means for switching said local processing unit (1, 2) from a first state to a
second state, depending on said received opposite health datum and on said
determined local health datum,
said states being from among an active state (15) in which the local
processing unit (1, 2) ensures control of the engine of the aircraft, a passive state
(16) in which the local processing unit (1, 2) does not ensure the control of the engine
of the aircraft and a slave state (18) in which the local processing unit (1, 2) gives
over to the opposite processing unit (2, 1) the control of said local actuators for
controlling the engine of the aircraft.
10. A flight control system comprising two processing units (1, 2) according to
the preceding claim and further comprising the emergency communication means
(13, 14) giving the possibility of ensuring exchanges of data between the local
processing unit (1, 2) and the opposite processing unit (2, 1) in the case of failures of
the links connecting them (3, 4), said emergency communication means comprising
the network of sensors or actuators (13) and/or the onboard secure network for
avionics (14).
11. The flight control system according to the preceding claim, wherein both
processing units (1, 2) are connected via a first bidirectional digital link (3) and via a
second bidirectional digital link (4), said second link (4) being redundant with the first
link (3), and said first and second links (3, 4) being able to be active concomitantly.
12. The flight control system according to claim 11, wherein the first and
second links (3, 4) are CCDL (“Cross Channel Data Link”) links.
13. The flight control system according to claim 10, wherein the onboard
secure network (14) is a redundant Ethernet network of the AFDX (“Avionics Full
DupleX switched Ethernet”) or µAFDX type.

Documents

Application Documents

# Name Date
1 Translated Copy of Priority Document [28-03-2017(online)].pdf 2017-03-28
2 Power of Attorney [28-03-2017(online)].pdf 2017-03-28
3 Form 5 [28-03-2017(online)].pdf 2017-03-28
3 201717011045-Information under section 8(2) [18-12-2020(online)].pdf 2020-12-18
4 Form 3 [28-03-2017(online)].pdf 2017-03-28
5 Drawing [28-03-2017(online)].pdf 2017-03-28
6 Description(Complete) [28-03-2017(online)].pdf_39.pdf 2017-03-28
7 Description(Complete) [28-03-2017(online)].pdf 2017-03-28
8 201717011045.pdf 2017-03-31
9 abstract.jpg 2017-06-05
10 Form 26 [20-06-2017(online)].pdf 2017-06-20
11 201717011045-Proof of Right (MANDATORY) [05-09-2017(online)].pdf 2017-09-05
12 201717011045-OTHERS-070917.pdf 2017-09-12
13 201717011045-Correspondence-070917.pdf 2017-09-12
14 201717011045-FORM 3 [14-09-2017(online)].pdf 2017-09-14
15 201717011045-FORM 18 [07-08-2018(online)].pdf 2018-08-07
16 201717011045-FER.pdf 2020-06-19
17 201717011045-certified copy of translation [17-09-2020(online)].pdf 2020-09-17
18 201717011045-FORM 3 [16-12-2020(online)].pdf 2020-12-16
19 201717011045-FER_SER_REPLY [17-12-2020(online)].pdf 2020-12-17
20 201717011045-DRAWING [17-12-2020(online)].pdf 2020-12-17
21 201717011045-CLAIMS [17-12-2020(online)].pdf 2020-12-17
22 201717011045-Information under section 8(2) [18-12-2020(online)].pdf 2020-12-18
23 201717011045-PatentCertificate27-10-2023.pdf 2023-10-27
24 201717011045-IntimationOfGrant27-10-2023.pdf 2023-10-27

Search Strategy

1 ss201717011045E_19-06-2020.pdf

ERegister / Renewals

3rd: 08 Nov 2023

From 04/09/2017 - To 04/09/2018

4th: 08 Nov 2023

From 04/09/2018 - To 04/09/2019

5th: 08 Nov 2023

From 04/09/2019 - To 04/09/2020

6th: 08 Nov 2023

From 04/09/2020 - To 04/09/2021

7th: 08 Nov 2023

From 04/09/2021 - To 04/09/2022

8th: 08 Nov 2023

From 04/09/2022 - To 04/09/2023

9th: 08 Nov 2023

From 04/09/2023 - To 04/09/2024

10th: 28 Aug 2024

From 04/09/2024 - To 04/09/2025

11th: 04 Sep 2025

From 04/09/2025 - To 04/09/2026