CN1945546A - Redundant method for micro aircraft GNC system - Google Patents

Redundant method for micro aircraft GNC system Download PDF

Info

Publication number
CN1945546A
CN1945546A CN 200610113986 CN200610113986A CN1945546A CN 1945546 A CN1945546 A CN 1945546A CN 200610113986 CN200610113986 CN 200610113986 CN 200610113986 A CN200610113986 A CN 200610113986A CN 1945546 A CN1945546 A CN 1945546A
Authority
CN
China
Prior art keywords
processor
redundant
mode program
tasks
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200610113986
Other languages
Chinese (zh)
Other versions
CN100382040C (en
Inventor
房建成
张霄
李建利
孙宏伟
徐帆
孙科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University filed Critical Beihang University
Priority to CNB2006101139869A priority Critical patent/CN100382040C/en
Publication of CN1945546A publication Critical patent/CN1945546A/en
Application granted granted Critical
Publication of CN100382040C publication Critical patent/CN100382040C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Hardware Redundancy (AREA)

Abstract

一种用于微小型飞行器GNC系统的冗余方法:对多处理器进行编号;按照级联式规则,分别配置并连接各处理器的脉冲发送端、脉冲接收端、串行数据发送端、串行数据接收端、复位信号发送端、复位信号接收端,使得各处理器相互冗余,构成冗余链;若系统中的处理器与外部硬件设备有通讯联系,外部硬件设备通过模拟开关与处理器连接,使其可分别与多个处理器进行通讯;设计两种模式:正常模式程序框架和紧急模式程序框架,正常模式程序框架使处理器执行自身的任务;紧急模式程序框架用以判断故障处理器编号,尝试修复故障,并通过减少单位时间任务量的方法,此时系统会表现出冗余特征。发明的系统具有可靠性高、体积小、功耗低、成本低等优点。

Figure 200610113986

A redundancy method for the GNC system of a micro-aircraft: number the multiprocessors; configure and connect the pulse sending end, pulse receiving end, serial data sending end, serial Line data receiving end, reset signal sending end, and reset signal receiving end make the processors mutually redundant to form a redundant chain; if the processor in the system communicates with external hardware devices, the external hardware devices communicate with the processing connected with multiple processors so that they can communicate with multiple processors respectively; two modes are designed: the normal mode program framework and the emergency mode program framework, the normal mode program framework enables the processor to perform its own tasks; the emergency mode program framework is used to judge faults Processor numbers, try to fix failures, and by reducing the amount of tasks per unit time, the system will exhibit redundant characteristics. The invented system has the advantages of high reliability, small volume, low power consumption and low cost.

Figure 200610113986

Description

一种用于微小型飞行器GNC系统的冗余方法A Redundancy Method for Micro-aircraft GNC System

技术领域technical field

本发明涉及一种微小型电子系统的冗余方法,特别是一种适用于微小型飞行器导航、制导与控制(GNC)系统的冗余方法。可应用于既要求系统可靠性高,又要求体积小、功耗低的场合。The invention relates to a redundancy method for a miniature electronic system, in particular to a redundancy method suitable for a navigation, guidance and control (GNC) system of a miniature aircraft. It can be applied to occasions that require high system reliability, small size and low power consumption.

背景技术Background technique

为实现微小型飞行器自主、安全地飞行,需要其导航、制导与控制(GNC)系统具有高可靠性。冗余设计是提高系统可靠性最有效的途径。冗余系统一般是基于硬件实现并且与软件相互配合的多机系统。现有的冗余方式有静态冗余、动态冗余和混合冗余三种。静态冗余系统中,冗余模块构成系统的永久性部分,它们通过自身的存在来掩盖系统中的故障,使系统的功能最终不受影响。静态冗余方式一般由N(N≥1)台主设备,K(K≥1)台备份设备和至少一台的监控计算机组成。由监控计算机监控系统的状态,并决策使用主设备还是备份设备。采用静态冗余方式的系统会增加至少K+1台设备,这会使系统的体积、功耗成倍增加。动态冗余是用无故障模块代替故障模块,对系统实现更新组合,故障修复后,还可重新投入到系统中去。动态冗余方式一般由N(N≥1)台主设备,至少一台备份设备和至少一台监控计算机组成。由监控计算机监控系统的状态,发现某台主设备故障时,用备份设备代替主设备工作。待主设备故障修复后,重新投入到系统中去,备份设备退出系统。采用动态冗余的系统会增加至少两台设备,同样会使系统的体积、功耗大大增加。静态冗余和动态冗余在一个系统中混合使用就叫做混合冗余。采用混合冗余方式的系统,其体积、功耗介于静态冗余方式和动态冗余方式之间。In order to realize autonomous and safe flight of micro-aircraft, its navigation, guidance and control (GNC) system needs to have high reliability. Redundant design is the most effective way to improve system reliability. A redundant system is generally a multi-machine system that is implemented based on hardware and cooperates with software. There are three kinds of existing redundancy methods: static redundancy, dynamic redundancy and hybrid redundancy. In a static redundant system, redundant modules constitute a permanent part of the system, and they cover up faults in the system through their own existence, so that the function of the system will not be affected in the end. The static redundancy mode generally consists of N (N ≥ 1) master devices, K (K ≥ 1) backup devices and at least one monitoring computer. The monitoring computer monitors the status of the system and decides whether to use the primary device or the backup device. A system using static redundancy will add at least K+1 devices, which will double the size and power consumption of the system. Dynamic redundancy is to replace faulty modules with non-faulty modules, and realize update combination for the system. After the fault is repaired, it can be put into the system again. The dynamic redundancy mode generally consists of N (N≥1) master devices, at least one backup device and at least one monitoring computer. The state of the monitoring system is monitored by the monitoring computer, and when a master device is found to be faulty, the backup device is used to replace the master device. After the failure of the main equipment is repaired, it will be put into the system again, and the backup equipment will exit the system. A system using dynamic redundancy will add at least two devices, which will also greatly increase the size and power consumption of the system. The mixed use of static redundancy and dynamic redundancy in a system is called hybrid redundancy. The volume and power consumption of the system adopting the hybrid redundancy mode are between the static redundancy mode and the dynamic redundancy mode.

由于微小型飞行器载荷非常有限,因此需要其GNC系统同时具有体积小、重量轻、功耗低等特点。而现有的冗余方式,都不同程度地需要多台设备来进行备份、监控和决策,这会使系统的体积、功耗大大增加,根本无法适应上述场合的要求。Due to the very limited load of the micro-aircraft, the GNC system needs to have the characteristics of small size, light weight, and low power consumption. However, the existing redundancy methods require multiple devices to varying degrees for backup, monitoring and decision-making, which will greatly increase the size and power consumption of the system, and cannot meet the requirements of the above-mentioned occasions at all.

发明内容Contents of the invention

本发明的技术解决问题是:克服现有冗余技术的不足,提供一种在不增大GNC系统的体积和功耗的情况下,适用于微小型飞行器导航、制导与控制系统的冗余方法。The technical solution problem of the present invention is: overcome the deficiency of existing redundant technology, provide a kind of under the situation that does not increase the volume and power consumption of GNC system, be applicable to the redundant method of navigation, guidance and control system of miniature aircraft .

本发明的技术解决方案为:一种用于微小型飞行器GNC系统的冗余方法,其特点在于:利用系统中现有的多处理器资源,通过处理器间的复用和硬件通道上的交叉,采用变结构软件系统,在必要时产生冗余效果,具体实现方法如下:首先对系统硬件进行设计:The technical solution of the present invention is: a kind of redundant method that is used for the GNC system of miniature aircraft, and its characteristic is: utilize the existing multi-processor resource in the system, through multiplexing between processors and crossover on the hardware channel , the variable structure software system is adopted to produce redundant effects when necessary. The specific implementation method is as follows: firstly, the system hardware is designed:

(1)根据系统任务分配,对各处理器进行编号;(1) Number each processor according to the assignment of system tasks;

(2)按照级联式规则,分别配置并连接各处理器的脉冲发送端、脉冲接收端、串行数据发送端、串行数据接收端、复位信号发送端、复位信号接收端,使得各处理器相互冗余,构成冗余链;(2) According to the cascade rules, configure and connect the pulse sending end, pulse receiving end, serial data sending end, serial data receiving end, reset signal sending end, and reset signal receiving end of each processor respectively, so that each processing The devices are redundant with each other to form a redundant chain;

(3)若系统中的处理器与外部硬件设备有通讯联系,外部硬件设备需通过模拟开关与处理器进行连接,使其可分别与多个处理器进行通讯。系统中处理器按照一定的逻辑关系控制模拟开关,使外部硬件设备在某一条件下能与合适的处理器进行通讯。然后根据系统的硬件配置,对系统软件进行设计:系统中各处理器的软件系统均设计为变结构软件系统,即各处理器的软件系统包含两种程序框架:正常模式程序框架和紧急模式程序框架,两种程序框架间的切换通过软开关控制。正常模式程序框架使处理器执行自身的任务,并监控其它相关处理器的状态,此时系统没有表现出冗余特征;紧急模式程序框架判断故障处理器编号,尝试修复故障,并通过减少单位时间任务量的方法,使正常处理器在执行自身任务的同时,还执行故障处理器应执行的任务,此时系统表现出冗余特征。(3) If the processor in the system communicates with external hardware devices, the external hardware devices need to be connected to the processor through analog switches so that they can communicate with multiple processors respectively. The processor in the system controls the analog switch according to a certain logical relationship, so that the external hardware device can communicate with the appropriate processor under certain conditions. Then, according to the hardware configuration of the system, the system software is designed: the software system of each processor in the system is designed as a variable structure software system, that is, the software system of each processor contains two program frameworks: normal mode program framework and emergency mode program Frame, the switching between the two program frames is controlled by a soft switch. The normal mode program framework enables the processor to perform its own tasks and monitor the status of other related processors. At this time, the system does not show redundant features; the emergency mode program framework judges the number of the faulty processor, tries to repair the fault, and reduces the unit time The method of task volume enables the normal processor to perform the tasks that the faulty processor should perform while performing its own tasks. At this time, the system shows the characteristics of redundancy.

本发明的原理:如图2所示,正常情况下,系统中多处理器运行正常模式程序框架,分别执行各自不同的任务。各处理器分别通过特定端口互相检测其它处理器的状态,并把各自任务的结果和中间变量等信息发送给相关的处理器,此时系统未表现出任何冗余特征。当某一处理器出现故障时,其脉冲停止发送。与之相关的另一正常处理器检测不到此脉冲,触发软开关,使其程序切换到紧急模式程序框架。紧急模式程序框架执行以下任务:发送复位脉冲给故障处理器,尝试使其重新启动;接管故障处理器的任务。由于在故障发生前,此正常处理器一直在接收故障处理器的运行结果及中间变量等信息,故此正常处理器可无缝接管故障处理器的任务。此时,此正常处理器在执行自身的任务的同时,还需要执行原本故障处理器的任务。由于其处理能力有限,故采用把原来系统单位时间任务量减半的方法,来实现系统的正常运行,此时系统表现出冗余特征。当故障处理器复位成功后,继续发送脉冲信号,此正常处理器检测到脉冲信号,把接管任务的运行结果及中间变量等信息发送给故障处理器,同时触发软开关,使程序切换回正常模式运行。若故障处理器发生致命故障而无法重启,则此正常处理器仍继续执行全部任务,直至任务结束。暗冗余方法在不增加系统体积、功耗的基础上,保证了系统在某一或几个处理器同时出现故障时的可靠、不间断运行。Principle of the present invention: as shown in FIG. 2 , under normal circumstances, the multiprocessors in the system run the normal mode program framework to perform different tasks respectively. Each processor detects the status of other processors through a specific port, and sends the results of their tasks and intermediate variables to the relevant processors. At this time, the system does not show any redundant features. When a processor fails, its pulses stop sending. Another normal processor associated with it does not detect this pulse, triggers a soft switch, and makes its program switch to the emergency mode program frame. The emergency mode program framework performs the following tasks: sends a reset pulse to the failed processor in an attempt to restart it; takes over the task of the failed processor. Since the normal processor has been receiving information such as the operation result and intermediate variables of the faulty processor before the fault occurs, the normal processor can seamlessly take over the tasks of the faulty processor. At this time, the normal processor also needs to execute the original task of the faulty processor while performing its own task. Due to its limited processing capacity, the method of halving the original system's unit time tasks is adopted to realize the normal operation of the system. At this time, the system shows redundant characteristics. When the faulty processor is successfully reset, it continues to send pulse signals. The normal processor detects the pulse signal, and sends the running results and intermediate variables of the task to the faulty processor. At the same time, it triggers a soft switch to switch the program back to normal mode. run. If the faulty processor fails fatally and cannot be restarted, the healthy processor continues to execute all tasks until the task ends. The dark redundancy method ensures reliable and uninterrupted operation of the system when one or several processors fail at the same time without increasing the system size and power consumption.

本发明与现有技术相比的优点在于:本发明利用了现有的,用于不同任务的多处理器资源,在不增加系统体积、功耗的基础上,大大增强了系统的可靠性。与现有的冗余方法相比,不需要额外硬件系统的备份,也不需要额外的监控与决策系统,故系统结构简单,体积、功耗大大减少。Compared with the prior art, the present invention has the advantages that the present invention utilizes existing multi-processor resources for different tasks, and greatly enhances system reliability without increasing system size and power consumption. Compared with the existing redundancy method, it does not require the backup of additional hardware systems, nor does it require additional monitoring and decision-making systems, so the system structure is simple, and the volume and power consumption are greatly reduced.

附图说明Description of drawings

图1为本发明方法的流程图;Fig. 1 is the flowchart of the inventive method;

图2为本发明的系统工作原理流程图;Fig. 2 is a flow chart of the working principle of the system of the present invention;

图3为本发明以双处理器为例的系统正常工作时的系统结构图;Fig. 3 is the system structural diagram when the system of the present invention takes double processor as example when the system works normally;

图4为本发明以双处理器为例的系统处理器1故障时系统结构图;Fig. 4 is the system structural diagram when the system processor 1 of the present invention takes dual processors as an example to fail;

图5为本发明以双处理器为例的系统处理器2故障时系统结构图;Fig. 5 is the system structural diagram when the system processor 2 failure of the present invention takes dual processor as an example;

图6为本发明以双处理器为例的系统正常工作状态时的变结构软件系统状态;Fig. 6 is the variable structure software system state when the present invention takes dual processor as an example when the system is in normal working state;

图7为本发明以双处理器为例的系统发生故障时的变结构软件系统状态;Fig. 7 is the state of the variable structure software system when the system with dual processors as an example breaks down in the present invention;

图8为本发明多处理器(三个以上)情况下的系统正常工作时的系统结构图。FIG. 8 is a system structure diagram of the system in the case of multiprocessors (more than three) in the present invention when the system works normally.

具体实施方式Detailed ways

如图1、2、3所示,以双处理器为例予以说明。对于图3所示情况,系统包含两个处理器,处理器1和2,处理器1需要与外部硬件设备1进行通讯,处理器2需要与外部硬件设备2进行通讯。此情况下需要对系统进行如下处理:①首先对硬件进行设置:处理器1的2号输出端,即O-2端连接到处理器2的中断响应端IRQ端,处理器2的O-2端连接到处理器1的IRQ端,处理器1的串行口发送端TX端连接到处理器2的串行口接收端RX端,处理器2的TX端连接到处理器1的RX端,处理器1的3号输出端,即O-3端连接到处理器2的复位端Reset端,处理器2的O-3端连接到处理器1的Reset端;②外部硬件设备1与处理器1的通讯接口处设置模拟开关K1,K1的1号端连接到处理器1的1号输入端,即I-1端,K1的2号端连接到处理器2的2号输入端,即I-2端,K1的开关控制端连接到处理器2的O-1端;外部硬件设备2与处理器2的通讯接口处设置模拟开关K2,K2的1号端连接到处理器2的I-1端,K2的2号端连接到处理器1的I-2端,K2的开关控制端连接到处理器1的1号输出端,即O-1端;③处理器1和处理器2的软件系统均设计为变结构软件系统如图6所示,即两个处理器的软件系统包含两种程序框架:正常模式程序框架和紧急模式程序框架,两种程序框架的切换通过软开关SK控制。As shown in Figures 1, 2, and 3, a dual processor is taken as an example to illustrate. For the situation shown in FIG. 3 , the system includes two processors, processor 1 and processor 2 , processor 1 needs to communicate with external hardware device 1 , and processor 2 needs to communicate with external hardware device 2 . In this case, the system needs to be processed as follows: ① First, set up the hardware: the No. 2 output terminal of processor 1, that is, the O-2 terminal is connected to the interrupt response terminal IRQ terminal of processor 2, and the O-2 terminal of processor 2 The terminal is connected to the IRQ terminal of processor 1, the TX terminal of the serial port of processor 1 is connected to the RX terminal of the serial port of processor 2, and the TX terminal of processor 2 is connected to the RX terminal of processor 1. The No. 3 output terminal of processor 1, that is, the O-3 terminal is connected to the Reset terminal of the processor 2, and the O-3 terminal of the processor 2 is connected to the Reset terminal of the processor 1; ②The external hardware device 1 and the processor Analog switch K1 is set at the communication interface of 1, and No. 1 end of K1 is connected to No. 1 input end of processor 1, namely I-1 end, and No. 2 end of K1 is connected to No. 2 input end of processor 2, namely I-1 end. -2 end, the switch control end of K1 is connected to the O-1 end of processor 2; The analog switch K2 is set at the communication interface of external hardware device 2 and processor 2, and No. 1 end of K2 is connected to I-1 of processor 2 Terminal 1, terminal 2 of K2 is connected to terminal I-2 of processor 1, and the switch control terminal of K2 is connected to output terminal 1 of processor 1, that is, terminal O-1; ③The terminals of processor 1 and processor 2 The software systems are all designed as variable-structure software systems, as shown in Figure 6, that is, the software systems of the two processors include two program frameworks: normal mode program framework and emergency mode program framework, and the switching of the two program frameworks is controlled by the soft switch SK .

正常情况时,系统中双处理器分别执行各自不同的任务,处理器1执行任务1,处理器2执行任务2。处理器1和处理器2的O-1端均设为高电平,使模拟开关K1,K2均处于默认的1号位置。处理器1和处理器2的O-2端以特定的频率(如1000Hz)发送脉冲信号,处理器1和处理器2的IRQ端实时互相检测对方处理器的脉冲信号以获取对方工作状态(正常或故障)。处理器1和处理器2把各自任务的结果和中间变量等通过串行口TX端和RX端发送给对方处理器。系统正常工作时,各处理器软件系统的软开关SK均设置在1号位置(如图6所示),处理器执行正常模式程序框架,系统未表现出任何冗余特征。Under normal circumstances, the dual processors in the system execute different tasks respectively, processor 1 executes task 1, and processor 2 executes task 2. The O-1 terminals of processor 1 and processor 2 are both set to high level, so that the analog switches K1 and K2 are both in the default position of No. 1. The O-2 terminals of processor 1 and processor 2 send pulse signals at a specific frequency (such as 1000Hz), and the IRQ terminals of processor 1 and processor 2 detect each other’s pulse signals in real time to obtain the working status of the other party (normal or failure). Processor 1 and processor 2 send the results and intermediate variables of their respective tasks to the other processor through the serial port TX and RX. When the system is working normally, the soft switch SK of each processor software system is set at No. 1 position (as shown in Figure 6), the processor executes the normal mode program framework, and the system does not show any redundant features.

当处理器1出现故障时,其脉冲信号停止发送。此时处理器2收不到此脉冲信号,超过一定时间后(如5ms),触发软开关SK变换到2号位置,处理器2执行紧急模式程序框架,此时其软件系统结构由图6变换到图7状态。紧急模式状态下:①处理器2由其O-3端给处理器1发送复位信号,尝试使处理器1重新启动;②处理器2的O-1端设置为低电平,从而使模拟开关K1变换到2号位置,系统硬件结构由图3变换到图4状态;③处理器2同时与外部设备1和外部设备2通讯,并执行任务1和任务2。由于故障前处理器2一直在接收处理器1的运行结果和中间变量等信息,因此可无缝接管任务1。在处理器1尝试重启的这段时间内,系统只有处理器2在工作,处理能力只有原系统的一半,所以此时的系统单位时间的任务量也相应减为原来的1/2,即处理器2在单位时间内执行1/2的任务1和1/2的任务2。When the processor 1 breaks down, its pulse signal stops sending. At this time, the processor 2 cannot receive the pulse signal. After a certain period of time (such as 5ms), the soft switch SK is triggered to change to the No. 2 position, and the processor 2 executes the emergency mode program framework. At this time, its software system structure is transformed from Figure 6 Go to the state of Figure 7. In emergency mode: ①Processor 2 sends a reset signal to processor 1 through its O-3 terminal, trying to restart processor 1; ②The O-1 terminal of processor 2 is set to low level, so that the analog switch K1 changes to position No. 2, and the system hardware structure changes from Figure 3 to Figure 4; ③ Processor 2 communicates with external device 1 and external device 2 at the same time, and executes task 1 and task 2. Since the processor 2 has been receiving information such as the operation result and intermediate variables of the processor 1 before the failure, it can seamlessly take over the task 1. During the period when processor 1 is trying to restart, only processor 2 is working in the system, and its processing capacity is only half of that of the original system. Controller 2 executes 1/2 of task 1 and 1/2 of task 2 in unit time.

若处理器1重启成功,其O-2端继续以原来的频率发送脉冲信号;处理器2检测到此脉冲信号,触发软开关SK变换到1号位置,使处理器2执行正常模式程序框架,同时设置其O-1端为高电平,使模拟开关K1变换到1号位置;处理器2把任务1的处理结果、中间变量等信息通过串行口TX端发送给处理器1,使处理器1重新无缝接管任务1。系统恢复到正常状态。若处理器1发生致命故障而无法重启,处理器2仍可继续执行1/2的任务1和1/2的任务2,直至任务结束。If processor 1 restarts successfully, its O-2 terminal continues to send pulse signals at the original frequency; processor 2 detects this pulse signal, triggers the soft switch SK to change to position 1, and makes processor 2 execute the normal mode program frame, At the same time, set its O-1 terminal to be high level, so that the analog switch K1 is changed to No. 1 position; Processor 2 sends the processing results, intermediate variables and other information of Task 1 to Processor 1 through the TX port of the serial port, so that the processing Server 1 seamlessly takes over Task 1 again. The system returns to normal state. If processor 1 has a fatal failure and cannot be restarted, processor 2 can continue to execute 1/2 of task 1 and 1/2 of task 2 until the end of the task.

同理,当处理器2出现故障时,其脉冲信号停止发送。此时处理器1收不到此脉冲信号,超过一定时间后(如5ms),触发软开关SK变换到2号位置,处理器1执行紧急模式程序框架,此时其软件系统结构由图6变换到图7状态。紧急模式状态下:①处理器1由其O-3端给处理器2发送复位信号,尝试使处理器2重新启动;②处理器1的O-1端设置为低电平,从而使模拟开关K2变换到2号位置,系统硬件结构由图3变换到图5状态;③处理器1同时与外部设备1和外部设备2通讯,并执行任务1和任务2。由于故障前处理器1一直在接收处理器2的运行结果和中间变量等信息,因此可无缝接管任务2。在处理器2尝试重启的这段时间内,系统只有处理器1在工作,处理能力只有原系统的一半,所以此时的系统单位时间的任务量也相应减为原来的1/2,即处理器1在单位时间内执行1/2的任务1和1/2的任务2。Similarly, when the processor 2 fails, its pulse signal stops sending. At this time, the processor 1 cannot receive the pulse signal. After a certain period of time (such as 5ms), the soft switch SK is triggered to change to the No. 2 position, and the processor 1 executes the emergency mode program framework. At this time, its software system structure is transformed from Figure 6 Go to the state of Figure 7. In emergency mode: ① Processor 1 sends a reset signal to processor 2 through its O-3 terminal, trying to restart processor 2; ② The O-1 terminal of processor 1 is set to low level, so that the analog switch K2 changes to No. 2 position, and the system hardware structure changes from Figure 3 to Figure 5; ③ Processor 1 communicates with external device 1 and external device 2 at the same time, and executes task 1 and task 2. Since the processor 1 has been receiving information such as the operation result and intermediate variables of the processor 2 before the failure, it can seamlessly take over the task 2. During the period when processor 2 is trying to restart, only processor 1 is working in the system, and the processing capacity is only half of the original system. Machine 1 executes 1/2 of task 1 and 1/2 of task 2 in unit time.

若处理器2重启成功,其O-2端继续以原来的频率发送脉冲信号;处理器1检测到此脉冲信号,触发软开关SK变换到1号位置,使处理器1执行正常模式程序框架,同时设置其O-1端为高电平,使模拟开关K2变换到1号位置;处理器1把任务2的处理结果、中间变量等信息通过串行口TX端发送给处理器2,使处理器2重新无缝接管任务2。系统恢复到正常状态。若处理器2发生致命故障而无法重启,处理器1仍可继续执行1/2的任务1和1/2的任务2,直至任务结束。If the processor 2 restarts successfully, its O-2 terminal continues to send pulse signals at the original frequency; processor 1 detects this pulse signal, triggers the soft switch SK to change to position 1, and makes processor 1 execute the normal mode program frame, At the same time, its O-1 terminal is set to be high level, so that the analog switch K2 is changed to the No. 1 position; processor 1 sends the processing results of task 2, intermediate variables and other information to processor 2 through the serial port TX terminal, so that the processing Controller 2 seamlessly takes over Task 2 again. The system returns to normal state. If processor 2 has a fatal failure and cannot be restarted, processor 1 can continue to execute 1/2 of task 1 and 1/2 of task 2 until the task ends.

对于多处理器(三个以上)的情况,系统如图8所示。系统包含n(n≥3)个处理器,其中m(m≤n)个处理器需要与m个外部硬件设备进行通讯。(说明:以下用x表示处理器编号,1≤x≤n,当x=n时,处理器x+1表示处理器1;y表示外部硬件设备编号,K(y)表示模拟开关编号,1≤y≤m,当y=m时,外部设备y+1表示外部设备1)此情况下需要对系统进行如下处理:①首先根据系统任务分配,对各处理器进行编号;②然后按照级联式规则,对硬件进行设置,使各处理器互相冗余,构成冗余链:处理器x的O-2端连接到处理器x+1的IRQ端,处理器x的TX端连接到处理器x+1的RX端,处理器x的O-3端连接到处理器x+1的Reset端,③外部硬件设备y与处理器x的通讯接口处设置模拟开关K(y),K(y)的1号端连接到处理器x的I-1端,K(y)的2号端连接到处理器x+1的I-2端,K(y)的开关控制端连接到处理器x+1的O-1端;④处理器x的软件系统均设计为变结构软件系统如图6所示,即各处理器的软件系统包含两种程序框架:正常模式程序框架和紧急模式程序框架,两种程序框架的切换通过软开关SK控制。For the case of multiple processors (more than three), the system is shown in Figure 8. The system contains n (n≥3) processors, among which m (m≤n) processors need to communicate with m external hardware devices. (Explanation: x is used below to represent the processor number, 1≤x≤n, when x=n, processor x+1 represents processor 1; y represents the external hardware device number, K(y) represents the analog switch number, 1 ≤y≤m, when y=m, the external device y+1 means the external device 1) In this case, the system needs to be processed as follows: ①First, number each processor according to the system task allocation; ②Then follow the cascade Formula rules, set the hardware so that each processor is redundant with each other to form a redundant chain: the O-2 terminal of processor x is connected to the IRQ terminal of processor x+1, and the TX terminal of processor x is connected to the processor The RX terminal of x+1, the O-3 terminal of processor x is connected to the Reset terminal of processor x+1, ③ the analog switch K(y) is set at the communication interface between external hardware device y and processor x, K(y ) is connected to terminal I-1 of processor x, terminal 2 of K(y) is connected to terminal I-2 of processor x+1, and the switch control terminal of K(y) is connected to processor x The O-1 terminal of +1; ④The software system of processor x is designed as a variable structure software system, as shown in Figure 6, that is, the software system of each processor contains two kinds of program frameworks: normal mode program framework and emergency mode program framework , the switching of the two program frames is controlled by the soft switch SK.

正常情况时,系统中各处理器分别执行各自不同的任务,即处理器x执行任务x。处理器x的O-1端均设为高电平,使模拟开关K(y)均处于默认的1号位置。处理器x的O-2端以特定的频率(如1000Hz)发送脉冲信号,处理器x+1的IRQ端实时检测处理器x的脉冲信号以获取对方工作状态(正常或故障)。处理器x把任务的结果和中间变量等通过串行口TX端和RX端发送给处理器x+1。系统正常工作时,各处理器软件系统的软开关SK均设置在1号位置(如图6所示),处理器执行正常模式程序框架。系统未表现出任何冗余特征。Under normal circumstances, each processor in the system executes its own different tasks, that is, processor x executes task x. The O-1 terminals of the processor x are all set to high level, so that the analog switches K(y) are all in the default position of No. 1. The O-2 terminal of processor x sends a pulse signal at a specific frequency (such as 1000Hz), and the IRQ terminal of processor x+1 detects the pulse signal of processor x in real time to obtain the working status (normal or faulty) of the other party. Processor x sends the result of the task and intermediate variables to processor x+1 through the serial port TX and RX. When the system is working normally, the soft switch SK of each processor software system is set at No. 1 position (as shown in Figure 6), and the processor executes the normal mode program framework. The system does not exhibit any redundant features.

当处理器x出现故障时,其脉冲信号停止发送。此时处理器x+1收不到此脉冲信号,超过一定时间后(如5ms),触发其软开关SK变换到2号位置,处理器x+1执行紧急模式程序框架,此时其软件系统结构由图6变换到图7状态。紧急模式状态下:①处理器x+1由其O-3端给处理器x发送复位信号,尝试使处理器x重新启动;②处理器x+1的O-1端设置为低电平,从而使模拟开关K(y)变换到2号位置;③处理器x+1同时与外部设备y和外部设备y+1通讯,并执行任务x和任务x+1。由于故障前处理器x+1一直在接收处理器x的运行结果和中间变量等信息,因此可无缝接管任务x。在处理器x尝试重启的这段时间内,处理器x+1同时执行任务x和任务x+1,而其处理能力不变,所以此时的系统单位时间的任务量也相应减为原来的1/2,即处理器x+1在单位时间内执行1/2的任务x和1/2的任务x+1。When processor x fails, its pulse signal stops sending. At this time, processor x+1 cannot receive this pulse signal. After a certain period of time (such as 5ms), its soft switch SK is triggered to change to position 2, and processor x+1 executes the emergency mode program framework. At this time, its software system The structure is transformed from Fig. 6 to Fig. 7 state. In emergency mode: ① processor x+1 sends a reset signal to processor x through its O-3 terminal, trying to restart processor x; ② the O-1 terminal of processor x+1 is set to low level, Thus, the analog switch K(y) is changed to position No. 2; ③ processor x+1 communicates with external device y and external device y+1 at the same time, and executes task x and task x+1. Since processor x+1 has been receiving information such as the running result and intermediate variables of processor x before the failure, it can seamlessly take over task x. During the period when processor x tries to restart, processor x+1 executes task x and task x+1 at the same time, and its processing capacity remains unchanged, so the task amount per unit time of the system at this time is also reduced to the original 1/2, that is, processor x+1 executes 1/2 of task x and 1/2 of task x+1 in unit time.

若处理器x重启成功,其O-2端继续以原来的频率发送脉冲信号;处理器x+1检测到此脉冲信号,触发软开关SK变换到1号位置,使处理器x+1执行正常模式程序框架,同时设置其O-1端为高电平,使模拟开关K(y)变换到1号位置;处理器x+1把任务x的处理结果、中间变量等信息通过串行口TX端发送给处理器x,使处理器x重新无缝接管任务x。系统恢复到正常状态。若处理器x发生致命故障而无法重启,处理器x+1仍可继续执行1/2的任务x和1/2的任务x+1,直至任务结束。If processor x restarts successfully, its O-2 terminal continues to send pulse signals at the original frequency; processor x+1 detects this pulse signal, triggers the soft switch SK to change to position 1, and makes processor x+1 perform normally Mode program framework, and set its O-1 terminal to be high level at the same time, so that the analog switch K(y) is changed to the No. 1 position; processor x+1 passes the processing result of task x, intermediate variables and other information through the serial port TX end to processor x, so that processor x seamlessly takes over task x again. The system returns to normal state. If processor x has a fatal failure and cannot be restarted, processor x+1 can continue to execute 1/2 of task x and 1/2 of task x+1 until the end of the task.

本发明说明书中未作详细描述的内容属于本领域专业技术人员公知的The content that is not described in detail in the description of the present invention belongs to those skilled in the art

现有技术。current technology.

Claims (3)

1、一种用于微小型飞行器GNC系统的冗余方法,其特征在于:包括以下步骤:1, a kind of redundant method for GNC system of miniature aircraft, it is characterized in that: comprise the following steps: (1)根据系统任务分配,利用现有系统中多处理器资源,并对多处理器进行编号;(1) Utilize the multiprocessor resources in the existing system according to the system task assignment, and number the multiprocessors; (2)按照级联式规则,对多处理器的硬件端口,即输入输出端口进行连接,使各处理器互相冗余,构成冗余链;(2) According to the cascading rules, the hardware ports of the multiprocessors, i.e. the input and output ports, are connected so that each processor is redundant with each other to form a redundant chain; (3)若系统中的处理器与外部硬件设备有通讯联系,外部硬件设备通过模拟开关与处理器连接,使其可分别与多个处理器进行通讯;(3) If the processor in the system has a communication connection with the external hardware device, the external hardware device is connected to the processor through an analog switch, so that it can communicate with multiple processors respectively; (4)根据系统的硬件配置,对系统软件进行设计:系统中各处理器的软件系统均设计为变结构软件系统,即各处理器的软件系统包含两种程序框架—正常模式程序框架和紧急模式程序框架,两种程序框架间的切换通过软开关控制;正常模式程序框架使处理器执行自身的任务,并监控其它相关处理器的状态,此时系统没有表现出冗余特征;紧急模式程序框架用以判断故障处理器编号,尝试修复故障,并通过减少单位时间任务量的方法,使正常处理器在执行自身任务的同时,还执行故障处理器应执行的任务,此时系统表现出冗余特征。(4) According to the hardware configuration of the system, the system software is designed: the software system of each processor in the system is designed as a variable structure software system, that is, the software system of each processor contains two kinds of program frameworks - normal mode program framework and emergency mode Mode program framework, the switching between the two program frameworks is controlled by a soft switch; the normal mode program framework enables the processor to perform its own tasks and monitor the status of other related processors. At this time, the system does not show redundant features; the emergency mode program The framework is used to judge the number of the faulty processor, try to repair the fault, and reduce the amount of tasks per unit time, so that the normal processor can perform the tasks that the faulty processor should perform while performing its own tasks. At this time, the system shows redundancy. remaining features. 2、根据权利要求1所述的用于微小型飞行器GNC系统的冗余方法,其特征在于:所述的多处理系统为2个或2个以上。2. The redundancy method for the GNC system of micro-aircraft according to claim 1, characterized in that: there are two or more multi-processing systems. 3、根据权利要求1或2所述的用于微小型飞行器GNC系统的冗余方法,其特征在于:所述对输入输出端口连接是连接各处理器的脉冲发送端、脉冲接收端、串行数据发送端、串行数据接收端、复位信号发送端、复位信号接收端,使得各处理器相互冗余,构成冗余链。3. According to claim 1 or 2, the redundancy method for the GNC system of the miniature aircraft is characterized in that: the connection to the input and output ports is to connect the pulse sending end, the pulse receiving end, the serial port of each processor The data sending end, the serial data receiving end, the reset signal sending end, and the reset signal receiving end make each processor redundant with each other to form a redundant chain.
CNB2006101139869A 2006-10-24 2006-10-24 A Redundancy Method for Navigation, Guidance and Control System of Micro-aircraft Expired - Fee Related CN100382040C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101139869A CN100382040C (en) 2006-10-24 2006-10-24 A Redundancy Method for Navigation, Guidance and Control System of Micro-aircraft

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006101139869A CN100382040C (en) 2006-10-24 2006-10-24 A Redundancy Method for Navigation, Guidance and Control System of Micro-aircraft

Publications (2)

Publication Number Publication Date
CN1945546A true CN1945546A (en) 2007-04-11
CN100382040C CN100382040C (en) 2008-04-16

Family

ID=38044957

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101139869A Expired - Fee Related CN100382040C (en) 2006-10-24 2006-10-24 A Redundancy Method for Navigation, Guidance and Control System of Micro-aircraft

Country Status (1)

Country Link
CN (1) CN100382040C (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102176202A (en) * 2010-12-29 2011-09-07 哈尔滨工业大学 Redundant network design circuit of satellite commercial devices
CN103654855A (en) * 2013-12-19 2014-03-26 海信集团有限公司 Ultrasonic device and method for abnormality detection and recovery of ultrasonic device
CN104199440A (en) * 2014-08-20 2014-12-10 中国运载火箭技术研究院 Four-unit three-bus redundancy heterogeneous GNC (guidance navigation control) system
CN104698833A (en) * 2015-01-28 2015-06-10 北京华清燃气轮机与煤气化联合循环工程技术有限公司 Redundancy control method and redundancy control system
CN106774367A (en) * 2016-12-27 2017-05-31 歌尔股份有限公司 A kind of redundancy control method of aircraft
CN113110124A (en) * 2021-03-11 2021-07-13 上海新时达电气股份有限公司 double-MCU control method and control system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BR0108782A (en) * 2000-02-14 2003-07-01 Aerovironment Inc Aircraft and method for controlling solar cell exposure to light
US6710739B1 (en) * 2003-01-03 2004-03-23 Northrop Grumman Corporation Dual redundant GPS anti-jam air vehicle navigation system architecture and method

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102176202A (en) * 2010-12-29 2011-09-07 哈尔滨工业大学 Redundant network design circuit of satellite commercial devices
CN102176202B (en) * 2010-12-29 2013-12-25 哈尔滨工业大学 Redundant network design circuit of satellite commercial devices
CN103654855A (en) * 2013-12-19 2014-03-26 海信集团有限公司 Ultrasonic device and method for abnormality detection and recovery of ultrasonic device
CN103654855B (en) * 2013-12-19 2015-06-03 海信集团有限公司 Ultrasonic device and method for abnormality detection and recovery of ultrasonic device
CN104199440A (en) * 2014-08-20 2014-12-10 中国运载火箭技术研究院 Four-unit three-bus redundancy heterogeneous GNC (guidance navigation control) system
CN104199440B (en) * 2014-08-20 2017-05-03 中国运载火箭技术研究院 Four-unit three-bus redundancy heterogeneous GNC (guidance navigation control) system
CN104698833A (en) * 2015-01-28 2015-06-10 北京华清燃气轮机与煤气化联合循环工程技术有限公司 Redundancy control method and redundancy control system
CN104698833B (en) * 2015-01-28 2020-01-03 北京华清燃气轮机与煤气化联合循环工程技术有限公司 Redundancy control method and system
CN106774367A (en) * 2016-12-27 2017-05-31 歌尔股份有限公司 A kind of redundancy control method of aircraft
CN113110124A (en) * 2021-03-11 2021-07-13 上海新时达电气股份有限公司 double-MCU control method and control system
CN113110124B (en) * 2021-03-11 2022-08-19 上海新时达电气股份有限公司 double-MCU control method and control system

Also Published As

Publication number Publication date
CN100382040C (en) 2008-04-16

Similar Documents

Publication Publication Date Title
US8312318B2 (en) Systems and methods of high availability cluster environment failover protection
CN101634959B (en) Dual redundant fault-tolerant system based on embedded type CPU,
US20070128895A1 (en) Redundant automation system for controlling a techinical device, and method for operating such an automation system
CN1945546A (en) Redundant method for micro aircraft GNC system
EP2437430A1 (en) Method and system for switching main/standby boards
US12013769B2 (en) Hot-standby redundancy control system, method, control apparatus, and computer readable storage medium
EP2573636A2 (en) Multi-channel control switchover logic
US20020120884A1 (en) Multi-computer fault detection system
CN115826393A (en) Dual-redundancy management method and device of flight control system
CN111077763A (en) Vehicle-mounted display device redundancy control method and device
CN104133744A (en) Arbitration system and method oriented to critical applications
JP2003150279A (en) Management system and backup management method in computer system
JP2009177987A (en) Power supply circuit
CN116089176A (en) Hot standby dual-redundancy computer control system for AUV
CN109814519A (en) The method of remaining switching dual-redundancy avionics apparatus output signal
JP5464886B2 (en) Computer system
EP4275123A1 (en) Program flow monitoring for gateway applications
CN112650168A (en) Distributed control system and method for dynamically scheduling resources thereof
JP2014164472A (en) Information processing system and failure management method of information processing device
CN102332853A (en) Safe shutdown apparatus and system
CN119218235A (en) Multi-redundancy central controller system control implementation method and system
JPS6139138A (en) Multiplexing system
US10768999B2 (en) Intelligent load shedding for multi-channel processing systems
CN118625945A (en) A distributed touch screen redundant control architecture and method
US20200183385A1 (en) Network control device and method thereof and electronic control unit for vehicle

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080416

CF01 Termination of patent right due to non-payment of annual fee