Classifications

• • H—ELECTRICITY
  • H03—ELECTRONIC CIRCUITRY
  • H03M—CODING; DECODING; CODE CONVERSION IN GENERAL
  • H03M1/00—Analogue/digital conversion; Digital/analogue conversion
  • H03M1/10—Calibration or testing
  • H03M1/1071—Measuring or testing
  • H03M1/1076—Detection or location of converter hardware failure, e.g. power supply failure, open or short circuit
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/1629—Error detection by comparing the output of redundant processing systems
  • G06F11/165—Error detection by comparing the output of redundant processing systems with continued operation after detection of the error
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
  • G06F11/2205—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
  • G06F11/2236—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested to test CPU or processors
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/1629—Error detection by comparing the output of redundant processing systems
  • G06F11/1633—Error detection by comparing the output of redundant processing systems using mutual exchange of the output between the redundant processing components
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/1629—Error detection by comparing the output of redundant processing systems
  • G06F11/1654—Error detection by comparing the output of redundant processing systems where the output of only one of the redundant processing components can drive the attached hardware, e.g. memory or I/O
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2201/00—Indexing scheme relating to error detection, to error correction, and to monitoring
  • G06F2201/805—Real-time
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2201/00—Indexing scheme relating to error detection, to error correction, and to monitoring
  • G06F2201/83—Indexing scheme relating to error detection, to error correction, and to monitoring the solution involving signatures

Definitions

• TITLE Supervision method of an engine control unit
• the invention relates to turbomachines, such as a turbojet or an aircraft turboprop, and more particularly the control units of such turbomachines.
• control units capable of piloting and regulating the turbomachines, during the various phases of the aircraft's flight.
• control units include on-board electronic computers, communicating with each other, and performing calculations in parallel, from the same input data, for example from sensors, in order to establish the controls for the various components of the turbomachine.
• a first task called an OS (Operating System) task, consists of starting the operating system, that is to say all the programs managing the use of resources by application tasks.
• a second so-called application task or AS consists of performing the calculations necessary to determine the commands for controlling and regulating the turbomachines.
• the execution time of the AS task represents 80 to 90% of the time required for a calculation cycle.
• a third task closes the calculation cycle. This is the same OS task as the first task.
• FIG. 1 illustrates the sequencing of tasks and self-tests, as known in the prior art.
• a single self-test 26 is launched during the OS task at the start of the calculation cycle 24.
• component malfunctions can occur at the level of the components of the computers during the application tasks. Such malfunctions can thus be the source of disturbances in the engine control unit. It is possible by a post-processing analysis, from the disturbances, to go back to the faulty component and therefore to the faulty computer. This then makes it possible to isolate the faulty computer.
• the invention aims in particular to provide a simple, efficient and economical solution to the drawbacks of the current technique described above.
• a second component able to store data
• the application task executed by the first channel and the application task executed by the second channel being able to communicate with each other, the method comprising the following steps during a current execution cycle j of the application task in each channel: a) Detect a latency period;
• Such a method thus enables each computer to perform self-tests during application tasks, in particular during latency periods, so as to be able to determine, without waiting for the end of a calculation cycle, the state of the various components included. in the calculator.
• it is possible to detect a faulty computer without waiting for the end of a calculation cycle, and to isolate it suitably at the end of the cycle.
• This also makes it possible to carry out a diagnosis for maintenance by increasing the number of self-tests, to subsequently facilitate maintenance operations on the ground.
• the given application task can be the application task executed by the first channel and the application task executed by the second channel.
• the first and second channels can execute the same given application task.
• steps a) to c) can be carried out following the following step:
• the supervision method makes it possible to trigger self-tests of components as soon as a symptom, resulting from a failure of components, is detected.
• the self-tests are triggered as needed, on the appearance of symptoms identified in advance and resulting from component failures in the ECU computers.
• the invention therefore makes it possible to link component failures to unwanted events and / or behaviors of an engine control unit. This thus makes it possible to obtain a correspondence table linking symptoms to failures of the on-board electronic equipment, in other words of the components.
• the symptoms detected are recorded in a non-volatile memory, as well as various environmental information, for example thermal and / or vibratory, so as to facilitate maintenance operations.
• the symptom may be a difference in signature between the two channels and / or a loss of communication between the two computers.
• the two channels can each be made up of a computer
• the detection can be carried out during an execution cycle j-1 which precedes a current execution cycle j.
• the run cycle d-1 is called the "previous run cycle” or "previous cycle”.
• the difference in signature may consist in comparing, at the end of cycle j and in parallel on the two channels, the sum of the calculations of the application task which are carried out during the current execution cycle j.
• the detection can be performed during the current execution cycle j.
• instructions for performing the test in step b) can be sent by the application task.
• the application task initiates the operating status tests at the correct frequency and during the latency period so that the operating status of the components can be established regularly, without impacting the calculations of the application task.
• the first component can be a reprogrammable integrated circuit or FPGA.
• the second component can be dynamic random access memory.
• FIG. 1 represents the sequencing of tasks and operating state tests during a calculation cycle according to the prior art
• FIG. 2 represents a simplified flowchart of the method according to the invention
• FIG. 3 shows a hardware architecture of an example of an engine control unit with two separate channels
• FIG. 4 illustrates the sequencing of tasks and operating state tests during a calculation cycle according to the method according to the invention
• FIG. 5 illustrates a flowchart of an embodiment of the method according to the invention.
• the supervision method 1 aims to supervise an engine control unit 2 with at least two distinct channels 4, 6, an example of the architecture of which is illustrated in FIG. 3.
• a two-channel engine control unit 2 4, 6 thus comprises, as can be seen in FIG. 3, two channels 4, 6, that is to say two computers. This redundancy of the computers 4, 6 makes it possible to ensure resistance to a possible failure that could affect one of the computers 4, 6. Although the two computers 4, 6 perform in parallel, the same calculations from the same data. inputs (that is to say, execute the same application task), only one of the computers 4 controls and regulates the turbomachine by calculating the commands. Thus, the redundant computer 6, also qualified as passive, does not send any command to the components of the turbomachine.
• the computers 4, 6 of the engine control unit 2 shown have the same architecture.
• each computer 4, 6 includes means for executing a given application task. These means are distributed in the digital heart 8 of the computer and the communication card 10.
• the digital core 8 comprises, among other things, a microprocessor 12.
• the communication card 10, participating in the inter-computer communication comprises a first and a second component 14, 16.
• the first component 14, capable of performing the calculations of said application task. from input data is in this example an FPGA, but can also be a reprogrammable integrated circuit.
• the second component 16, suitable for storing data is a memory, preferably a dynamic random access memory.
• the application task AS consisting in part of a plurality of calculations executed successively between which periods of latency elapse, makes it possible in particular to calculate, from input data originating from sensors for example, the control currents intended for 'actuators of mobile components constituting the turbomachine.
• Such actuators include, for example, electro-hydraulic servo valves associated with jacks or other devices.
• the AS application task is thus executed simultaneously in parallel on each of the computers 4, 6 of the engine control unit 2.
• the AS application task executed on the first channel 4 and the AS application task executed on the second channel 6 are able to communicating with each other, through a first 18, second 20 and third 22 bus.
• the first bus 18 is used to exchange addresses of data memories to be recovered.
• the second bus 20 allows data to be exchanged, such as, for example, input data from a sensor. These may, for example, be measurements such as acquisitions of engine temperature values.
• the results of the intermediate and final calculations pass through the second bus 20, from the digital core 8, carrying out the calculations, to the communication card 10, emitting the calculated currents for example.
• the third bus is used to exchange commands calculated from the input data. This is a so-called control bus making it possible to control the read and write authorizations on the first bus 18 and the second bus 20 and that for each of the computers 4, 6. This control bus thus makes it possible to sequence the exchanges and manage the priorities of read, write and exchange operations.
• the supervision method 1 is executed at each execution cycle 24 on each of the channels, as illustrated in Figure 4.
• the first step A of method 1 consists in detecting a symptom resulting from a failure of at least one of the components 14, 16 of the two channels 4, 6.
• Symptoms of component 14, 16 failure on one of the two channels 4, 6 are as follows:
• - Erroneous data the AS application task awaiting input data (resulting from a previous calculation or from a sensor) receives erroneous data to carry out the rest of the calculations, leading to erroneous calculations.
• - Data stored at the wrong address on receipt of a piece of data, it is stored at an address of the second component 16, a dynamic random access memory.
• the first consequence is that the failure observed corresponds to a signature difference on the two channels 4, 6, that is to say that for a given AS application task, the calculations carried out on each of the computers 4, 6 result in different results.
• the second consequence is that the observed failure consists of a disruption of inter-computer communication (the data exchanged is erroneous or missing).
• the detection of these symptoms reflects the failure of at least one component 14, 16 of at least one of the computers 4, 6.
• the second step B of the method then consists in detecting a latency period of the application task AS.
• the AS application task consists of a plurality of calculations from several input data, there are latency periods between the calculations during which the AS application task is waiting for data to perform the next calculation.
• the resources of channels 4, 6, that is, the first 4 and second 6 components are not used. These latency periods can thus be exploited to perform operating condition tests to determine which of the first 14 and second 16 components of the first 4 and second 6 computer is faulty and is the cause of the identified symptom (s).
• the third step C of method 1 then consists in performing, during this latency period, an operating state test of at least one of the first 14 and second 16 components.
• This operating condition test is preferably carried out on each of the components 14, 16 in parallel on the two channels 4, 6, that is to say for the two computers.
• the sequencing of the operating state tests is moreover visible in FIG. 4. Thus, several operating tests are triggered during the latency times of the application task, in addition to that triggered at the start of the cycle during the OS task.
• Self-tests are so-called March type tests. Self-tests are used to test the write and read capacity of each component. To do this, a message of type AAAA then 5555 is written successively in hexadecimal respectively to addresses of type 5555 then AAAA in hexadecimal. Writing content to these two addresses automatically triggers read tests.
• the application task AS sends instructions, respectively to each of the components 14, 16, for an operating state test 26 to be carried out.
• the health tests 26 are called by the application task AS so as to be executed during the latency times.
• the tests performed do not impact the calculation time of the AS application task.
• the fourth step D of method 1 consists in determining a state of the component (s) 14, 16 for which an operating state test 26 has been carried out.
• the state can be either a failed state or a healthy state.
• the computer comprising the faulty component is isolated.
• the computer comprising a detected and proven fault no longer executes the application task AS during the following cycles and does not therefore no longer communicates with the computer considered healthy.
• the engine control unit 2 then becomes single-channel, the AS application task being executed only on a single computer considered to be healthy.
• FIG. 5 illustrates, by means of a flowchart, another example of the method 28 according to the invention.
• the overall strategy of the system is to trigger self-tests 26 on the appearance of a symptom of the control unit 2.
• the first step consists in detecting, as detailed previously, a following failure symptom during cycle j.
• Symptoms may be:
• the signature difference consists in comparing, at the end of the previous cycle j-1 and in parallel on the two channels 4, 6, the sum of the calculations of the application task AS carried out during the previous cycle j -1.
• steps B to D of method 1 are carried out during the current cycle j.
• the AS application task increases the number of autotest launches 26 during latency periods in order to identify component failures that may be causing the symptom.
• the self-tests 26 are thus launched until the end of the current execution cycle j.
• the possible failures of the first component 14, the FPGA are as follows:
• Microcrack in one of the welds of one of the 16 branches of component 14 some microcracks may be non-impacting, except when the microcrack impacts the weld of a corresponding low-weight bit branch;
• the possible failures of the second component 16, the DPRAM are as follows:
• Internal memory fault which can be of the following three types: short circuit, coupling fault and sticking fault.
• the channel on which the failure is observed is secured, in other words the channel is isolated.
• the failure, as well as contextual information relating to the state of the control unit such as for example the temperature, the vibratory state, the engine speeds, the attitudes of the airplane, the state of health of the engine, flight number and date of failure, are recorded in a non-volatile memory to facilitate maintenance operations.
• a safety lock is provided for by the supervision method 28.
• the safety of a computer consists in ensuring that than :
• control currents are no longer calculated and therefore no longer emitted by this computer. Redundancy is then lost.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• General Engineering & Computer Science (AREA)
• Quality & Reliability (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Computer Hardware Design (AREA)
• Hardware Redundancy (AREA)
• Combined Controls Of Internal Combustion Engines (AREA)
• Testing And Monitoring For Control Systems (AREA)
• Test And Diagnosis Of Digital Computers (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=67262757

Family Applications (1)

Country Status (7)

Family Cites Families (5)

• 2019
  • 2019-05-03 FR FR1904675A patent/FR3095705B1/fr active Active
• 2020
  • 2020-04-30 WO PCT/FR2020/050732 patent/WO2020225507A1/fr unknown
  • 2020-04-30 CA CA3137976A patent/CA3137976A1/fr active Pending
  • 2020-04-30 US US17/607,259 patent/US20230036687A1/en active Pending
  • 2020-04-30 CN CN202080032398.0A patent/CN113785276A/zh active Pending
  • 2020-04-30 EP EP20732261.1A patent/EP3963458A1/de active Pending
  • 2020-04-30 JP JP2021564979A patent/JP2022531597A/ja active Pending

Also Published As

Similar Documents

Legal Events