The present invention relates generally to image manipulation, and more particularly to integrity checking apparatus and procedures for ensuring the correctness of data transformations.
For safety-critical systems, it has been impractical, if not impossible, to monitor high throughput data transformations to be sure that they produce correct results. Such systems are therefore capable of producing hazardous situations. Also, in the past, image manipulation has been performed in an "unmonitored" manner because of the cost of required hardware.
The prior art relating to safety monitoring of safety-critical systems involved either (a) replicated hardware and software with comparison monitoring to detect errors, or (b) two computational hardware channels containing dissimilar hardware and software with comparison monitoring to detect the errors between channels. Both approaches are impractical for very high throughput applications because of the cost, power, weight, and volume of a second computational hardware channel. In addition, the first approach is ineffective at detecting software errors since both channels behave identically.
The particular application for which the present invention was developed is the display of a radar image of a runway. The image is used by a pilot of an aircraft to aid the task of landing the aircraft in extremely low visibility conditions, such as fog, for example (known as category III weather). The basic procedure of the present invention, however, is applicable to a general set of problems in which the integrity of a set of calculations must be ensured.
A radar image viewed by the pilot initially exists in range/azimuth coordinates, which is a natural result of the way a radar operates. In this coordinate system, the image is highly distorted from what a pilot would see through a windshield of the aircraft. To make an image that is conformal to the actual runway image that would be seen if there were no fog obscuring the pilot's vision, for example, the radar image must be rotated almost 90 degrees, from a horizontal plane to a nearly vertical plane. The actual amount of rotation depends on aircraft attitude and the orientation of the display on which the image is to be projected. In addition, aircraft roll attitude causes a lateral distortion of the image which must also be corrected. Also, signal processing must be performed on the intensity information contained in the radar image to ensure that bright objects are visible and that the surface of the runway appears black (clear). To perform this transformation on an image that must be refreshed at 10 frames per second, or greater, requires a significant amount of computation, and for this purpose, a special purpose signal processor was developed. Ultimately, the signal processor will be produced as a dedicated VLSI implementation for production.
Because the pilot uses the image for monitoring or lateral guidance during the final stages of the landing, errors in the image location, orientation, scaling, or in the intensity of key elements could cause a hazard, such as landing off the centerline of the runway, or striking an obstacle. An error in the image could occur due to a failure of the image processing hardware which was not detected by normal monitoring, or by an error in an algorithm (hardware or software) that performs the transformations and processing. Because of the safety-critical nature of the system, these errors must be detected with high confidence in real time, and the pilot alerted, such as by inhibiting the display if it is in error.
If the only requirement were to detect and report hardware errors or failures, it would be adequate to provide a second identical processing channel and compare the results. This is a common practice in high-integrity computing, such as that provided by Stratus computers, for example, or in many flight control systems, such as the L-1011 autopilot system, for example. Providing a second computational channel is quite expensive, not only in terms of cost, but also in terms of weight and power, because of the very large computational workload imposed by the transformations (nearly a billion operations per second). In addition, providing identical processing channels and comparing results will not detect an error in the implementation or design of the transformation itself, thus leaving the system exposed to software errors. The normal means of addressing software errors is to provide dissimilar processing (different algorithms in different channels) with the expectation that if two (or more) different calculations produce similar results, then the result must be correct (known as N-version programming). In this situation, it is just as impractical to transform the data with a different algorithm and compare results as it is to transform it with an identical algorithm. In both cases, physical and cost limitations prevent using this approach.
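To make the limitation described above concrete, the following added example (not part of the patent, and not its apparatus) models a simplified version of the image rotation as a 2-D rotation of constructed sample points, and shows that a comparison monitor over two identical channels catches an injected single-sample hardware fault but passes a common-mode design error shared by both channels, which only a dissimilar second implementation exposes. The rotation angle, sample points, injected fault and sign-swap design error are all constructed for illustration.

```python
import math

SAMPLE = [(1.0, 0.0), (0.0, 1.0), (2.0, 3.0)]  # constructed radar sample positions
THETA = math.radians(80)                       # constructed near-90-degree rotation

def rotate_channel_a(points, theta):
    """Channel A: rotate each (x, y) by theta with the standard 2x2 matrix."""
    c, s = math.cos(theta), math.sin(theta)
    return [(x * c - y * s, x * s + y * c) for x, y in points]

def rotate_channel_b(points, theta):
    """Channel B: the same transform, implemented dissimilarly (complex multiply)."""
    w = complex(math.cos(theta), math.sin(theta))
    out = []
    for x, y in points:
        z = complex(x, y) * w
        out.append((z.real, z.imag))
    return out

def rotate_channel_a_buggy(points, theta):
    """Channel A with a constructed design error: sine sign swapped (rotates the wrong way)."""
    c, s = math.cos(theta), math.sin(theta)
    return [(x * c + y * s, -x * s + y * c) for x, y in points]

def compare(out1, out2, tol=1e-9):
    """Comparison monitor: True when both channels agree sample-for-sample within tol."""
    return len(out1) == len(out2) and all(
        math.isclose(a, c, abs_tol=tol) and math.isclose(b, d, abs_tol=tol)
        for (a, b), (c, d) in zip(out1, out2))

def inject_hardware_fault(out, index):
    """Constructed single-channel fault: corrupt one output sample (e.g. a stuck bit)."""
    faulty = list(out)
    x, y = faulty[index]
    faulty[index] = (x + 1.0, y)
    return faulty

def identical_channels_detect_hardware_fault():
    a = rotate_channel_a(SAMPLE, THETA)
    b = inject_hardware_fault(rotate_channel_a(SAMPLE, THETA), 1)
    return not compare(a, b)          # True: the monitor flags the mismatch

def identical_channels_miss_design_error():
    a = rotate_channel_a_buggy(SAMPLE, THETA)
    b = rotate_channel_a_buggy(SAMPLE, THETA)
    return compare(a, b)              # True: both wrong in the same way, monitor passes

def dissimilar_channels_detect_design_error():
    a = rotate_channel_a_buggy(SAMPLE, THETA)
    b = rotate_channel_b(SAMPLE, THETA)
    return not compare(a, b)          # True: the dissimilar channel disagrees
```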
Accordingly, it is an objective of the present invention to provide for error detection apparatus and procedures that ensure the correctness of data transformations that are displayed or used in safety-critical systems, and the like.