1. Field of the Invention
The invention relates to controlling aircraft.
2. Description of Related Art
The control of an aircraft such as a jumbo jet nowadays involves on-board computers. To improve control safety, it is known to base control architecture on a vote system comprising a plurality of instances together with an arbiter or “voter”.
Such a vote system includes at least two applications or channels of identical function: delivering an output value. Each application delivers the output it obtains using its own calculation algorithm. The architecture also includes an application that manages or monitors the other applications: this is referred to as the voter. Each application consists of software running on a computer. As a function of the collected outputs, the voter determines which output is finally to be forwarded to the airplane control circuit.
Voting may be based on the majority principle or on the unanimity principle. A vote based on the unanimity principle has the advantage that, provided a result is indeed obtained, that result is reputed to be very reliable. However, this principle has the drawback of not tolerating the slightest failure. Thus, as soon as one of the applications delivers an output that is different from the others, unanimity can no longer be achieved, voting leads to no result, and no command can be forwarded. That is why vote systems generally obey the majority principle.
Furthermore, vote systems comprising one voter and two applications are of little interest, since any disagreement between the applications leads to a tied vote. The voter is therefore generally associated with three or more applications.
That is why it is preferable to use a vote system comprising a voter and more than two channels, and based on the majority principle. This is the configuration considered below even though the invention is not limited to such conditions.
In a data processor system on board an airplane for generating a command, the voter is located downstream from the applications (which perform the major fraction of the function) and immediately upstream from the system that is to make use of the result of the vote.
The voter generally performs the following steps:
step 1: reading the output values from each of the applications. This assumes that the applications are synchronized or that they deliver their output values within a certain time after the first application transmits its output value;
step 2: comparing the output values of the applications. In the nominal situation, the applications have used the same raw data and have implemented the same logical processing. They therefore deliver the same output value;
step 3: eliminating wrong output values. To do this, only the information delivered by a majority of the applications is conserved. Furthermore, if an application does not respond in time, its output value is not taken into consideration; and
step 4: transferring the output value of the function to the application that is situated downstream for processing in the control system.
When the output values delivered by the applications are compared, a certain amount of tolerance should be allowed, in particular when the output is in the form of a high precision numerical value, so as to ensure that small differences are not considered as errors.
Nowadays, vote systems constitute an architecture that is conventional and they are known for their high integrity. In the aviation industry in particular, airplane flight control systems require a high level of integrity. That is why their architectures are generally fault-tolerant. More precisely, they may comprise three main channels together with two to three backup channels, and finally a degraded mode control module, i.e. a function that is used in the event of all of the other channels failing.
Nevertheless, other architectures are known in aviation.
The first is used for calculating air speed and altitude. This is not a genuine vote system since the output value delivered by each channel is not subjected to any qualification. Only a mean or median value is calculated. In the event of one of the channels failing, the result that is obtained remains close enough to the real value because of the other two channels.
A second type of vote is used for consolidating data, e.g. in the context of aircraft environment alerts, aircraft position calculation (taking a vote between global positioning system (GPS) values as delivered by satellites in order to eliminate the worst values), ADR monitoring (to eliminate inputs that are wrong because of failure of parts of their environment), and verifying the state of the aircraft (e.g. tests to determine whether the aircraft is on the ground). ADR is short for “air data reference” and concerns reference aerodynamic data (altitude, air speed, angle of incidence, etc.), i.e. data that is reputed to be accurate and that is used by the airplane as a whole.
Certain alerts relating to the airplane environment are issued on the basis of data delivered by a group of three computers. To take account of the risks of failure or wrong calculation, a specific mode of voting is implemented that is a combination of a standard vote and a vote with consensus. Thus, for each output value delivered by these computers, the voter verifies whether the value has been sent recently (if the value has not been refreshed, the computer is considered as having failed; otherwise the value is reputed to be up to date), and it verifies whether the value lies in a specific range (if so, the data is considered as being “normal”). The voter then compares the up-to-date values (other values being eliminated) and establishes a consensus by determining the mean value, the median value, or the greatest value, depending on the states of the three computers.
To compute the position of the airplane, values are used that come from twenty-four satellites of the GPS system. The positioning system then determines the best value by comparing all of the inputs. To do this, it begins by calculating the position of the airplane while taking account of all of the satellites. Thereafter, it calculates the position of the airplane twenty-four times, each time eliminating a different one of the satellites. Thereafter, it calculates the position of the airplane five hundred fifty-two times, each time eliminating a different pair of satellites. Finally, it makes use of the results of the calculation to determine the best position. It can thus be considered that the positioning system implements a vote by consensus.
Airplane state tests, such as those seeking to determine whether the airplane is on the ground, make use of various data sources that take specific values when the airplane is in the state under consideration. If at least three parameters take these values (or indeed four in certain specific configurations), then the airplane is considered as being in the assumed state. For example, the airplane is considered as being on the ground if:
its altitude is the same as the altitude of the ground;
its ground speed is less than a given value;
its air speed is less than a given value;
the pressure on its landing gear is greater than a given value; and
one of its doors is open.
The invention also applies to space vehicles. Thus, a voting process can be implemented in the context of controlling various functions such as flight control, control and monitoring of an automatic transfer vehicle, temperature control, management of energy supplies, communication with the ground, trajectory corrections, and transfers of fuel.
Vote systems may also be used within road vehicles or on board rail vehicles.
Certain limits of known vote systems appear when examining the consequences of the failure of one of the channels, i.e. the failure of one of the applications, or of one of the pieces of equipment or systems that deliver data to an application. Consideration is given below to two types of architecture, regardless of the number of channels they have.
In the scenarios considered below, matters are simplified by assuming that the applications deliver output values of Boolean type. Nevertheless, the invention is not restricted to values of this type.
Failure Conditions for a Three-Channel Architecture
The table below shows various failure scenarios in the presence of a voter that receives a plurality of numerical inputs. To simplify, no tolerance is implemented in any of these scenarios.
In this table and in the subsequent tables, step 1 is the step during which the voter receives values coming from the applications hosted by the computers. During steps 2 and 3, the voter compares the values and eliminates wrong values, labeling them as such. In step 4, the voter forwards the result of the function in the form of a single global data value that is delivered to the following application that serves to make use of it for control purposes.
Tables 1 to 6 each show a set of independent scenarios; there is no chronological connection between their various rows.
The nominal scenario occurs when all of the applications are working on the basis of the same data and are applying the same computation logic. An erroneous channel is considered as being a channel that delivers a wrong value. Erroneous channels may themselves be incoherent, i.e. different erroneous channels may deliver different wrong values. A lost channel is a channel that has not delivered any value to the voter. An individual data value is a value transmitted by an application to the voter. A global data value is a data value forwarded by the voter to the downstream control device.
It is assumed below that the true value is data of value “10” such that the vote system ought normally to deliver the value “10” as the global data value.
TABLE 1
Scenario                          Step 1        Steps 2 & 3                              Step 4
Nominal                           10, 10, 10    all three values qualified as valid      10
1 erroneous channel               10, 10, 8     “8” in the minority, qualified erroneous 10
1 channel lost                    10, 10, lost  both received values valid               10
2 erroneous incoherent channels   10, 8, 13     no majority, no value can be qualified   none
Thus, in the nominal scenario, all of the applications deliver individual data values of “10” to the voter, which qualifies them all as being valid and forwards the global data value “10” in step 4.
In the second row, if one channel is erroneous and delivers the value “8”, then this is detected as being in the minority by the voter, which therefore qualifies it as erroneous, and the voter forwards the global value “10”.
Likewise, in the following row, if one channel is lost, then the voter processes only two values and forwards the value “10”.
Finally, in the last row, the voter is faced with three values “10”, “8”, and “13”, and can therefore not qualify any of them since there is no majority, and it is therefore not in a position to supply a global data value to the downstream application. Of the four scenarios considered, it can thus be seen that only this scenario leads to the voter not being in a position to continue processing the data at the end of step 3 and therefore being unable to accomplish step 4.
This inability to deliver a data value is a risk that is presented by most known vote systems, given the way they are designed. To mitigate this risk, it is possible to provide an additional logic stage that enables the voter nevertheless to continue processing data. This is shown in the first three rows of Table 2.
TABLE 2
Scenario                                              Step 1         Steps 2 & 3                            Step 4
2 erroneous incoherent channels, go-ahead logic (case 1)  10, 8, 13   “8” and “13” qualified erroneous       10
2 erroneous incoherent channels, go-ahead logic (case 2)  10, 8, 13   “8” qualified valid                    8
2 erroneous incoherent channels, go-ahead logic (case 3)  10, 8, 13   “13” qualified valid                   13
2 erroneous and coherent channels                         10, 8, 8    “8” in the majority, qualified valid   8
2 channels lost                                           10, lost, lost   “10” the only value, valid        10
1 erroneous channel and 1 lost                            10, 8, lost      no majority, no value qualified   none
1 erroneous channel and 1 lost, go-ahead logic (case 1)   10, 8, lost      “8” qualified false               10
1 erroneous channel and 1 lost, go-ahead logic (case 2)   10, 8, lost      “8” qualified valid               8
Thus, in the first row, in the same situation as in the last row of Table 1, two channels are erroneous and incoherent so that the voter receives the values “10”, “8”, and “13”. Because of the go-ahead processing logic made available to it, it qualifies the values “8” and “13” as erroneous and delivers the value “10” in step 4.
With a different type of processing logic, as shown in the second row, it is the value “8” that is qualified as being valid and that is delivered in step 4.
Similarly, in a third case of processing logic, as shown in row 3, it is the value “13” that is delivered.
It can thus be seen that implementing a go-ahead logic processing stage makes it possible to experience situations in which the global value does not reflect reality, a situation that can have severe consequences for the system as a whole. This can be seen more clearly from the following five rows of this table.
Thus, if two channels are erroneous and coherent, the voter will receive the data value “10” once and the value “8” twice. The value received twice is in the majority, so the voter qualifies it as being valid and delivers the global data value “8”.
In the following row, if two channels have been lost, there remains only the value “10”, which is delivered as being the global value.
In the following row, one channel is erroneous and one channel is lost. The voter receives the values “10” and “8”. It does not know how to qualify them, and it is therefore not in a position to deliver a global value.
In the presence of a go-ahead logic stage, in a first case, if one channel is erroneous and another channel is lost, the voter receiving only the values “10” and “8” qualifies the value “8” as false and therefore delivers the global value “10”.
However, in a second case, shown in the last row, the voter qualifies the value “8” as valid and delivers it as the global value.
Table 3 below applies to the same scenarios in the situation where the voter receives individual data values that are of Boolean type. It is considered below that reality corresponds to a “True” value, such that the vote system should normally deliver the “True” value as the global value.
TABLE 3
Scenario                                                Step 1               Step 4
Nominal                                                 True, True, True     True
1 erroneous channel                                     True, True, False    True
1 channel lost                                          True, True, lost     True
2 erroneous channels                                    True, False, False   False
2 channels lost                                         True, lost, lost     True
1 erroneous channel and 1 lost                          True, False, lost    none
1 erroneous channel and 1 lost, go-ahead logic (case 1) True, False, lost    True
1 erroneous channel and 1 lost, go-ahead logic (case 2) True, False, lost    False
Thus, in the nominal scenario, all of the applications provide the “True” value so the global value delivered by the voter is the “True” value.
In the following row, one channel is erroneous and delivers the “False” value to the voter. This value is qualified as being erroneous by the voter since it is in the minority. The voter then delivers the “True” value as the global value.
In the following row, one channel is lost. The two individual values received by the voter are “True”. The same therefore applies to the global value.
In the following row, two channels are erroneous and therefore provide the voter with the “False” value. The voter qualifies them as being valid since they are in the majority and it therefore delivers the “False” value as the global value.
Next, two channels are lost and the voter receives only the “True” value. This is the value that it delivers as the global value.
Thereafter, one channel is erroneous and another is lost. The voter thus receives only the “True” value and the “False” value. It is not in a position to qualify them and therefore cannot deliver a global value.
In this scenario, it is possible to provide a first case of go-ahead logic processing. The voter qualifies the “True” value as valid and therefore delivers it as the global value.
With the second case of go-ahead logic processing, as shown in the last row, the voter qualifies the “False” value as valid and delivers that as the global value.
As can be seen from these two tables, the consequences of multiple failures in the system depend on the type of the individual data values used. For example, in a four-application architecture, if the individual data values can take a plurality of values (as when numerical data is used), then two applications may send erroneous data values to the voter that are not the same. Thus, if the correct value is “10”, while one of the wrong values is “8” and another is “13” then there is no voting tie since two of the applications have delivered the value “10”, one has delivered the value “8”, and the last has delivered the value “13”. The voter is then sometimes in a position to deliver the correct value. However, if the individual values can take on only two values (as applies with Boolean type data), then both erroneous applications will be sending the same wrong data to the voter. That leads to a voting tie so that the voter is not in a position to choose the correct solution. Given that the impact of erroneous data is worse in the presence of Boolean data than in the presence of data of other types, this situation is considered in greater detail below. Nevertheless, it should be understood that the invention is not restricted to this type of data.
Failure Conditions with a Four-Channel Architecture
Table 4 below relates to a four-channel system.
TABLE 4
Scenario                                                 Step 1                     Steps 2 & 3                              Step 4
Nominal                                                  True, True, True, True     all four values valid                    True
1 erroneous channel                                      True, True, True, False    “False” in the minority, invalid         True
1 channel lost                                           True, True, True, lost     three “True” values, valid               True
2 erroneous channels                                     True, True, False, False   tie, no value can be qualified           none
2 erroneous channels, go-ahead logic (case 1)            True, True, False, False   “True” values qualified valid            True
2 erroneous channels, go-ahead logic (case 2)            True, True, False, False   “False” values qualified valid           False
2 channels lost                                          True, True, lost, lost     two “True” values, valid                 True
1 erroneous channel and 1 lost                           True, True, False, lost    “False” in the minority, invalid         True
3 erroneous channels                                     True, False, False, False  “False” in the majority, valid           False
3 channels lost                                          True, lost, lost, lost     “True” the only value, valid             True
2 erroneous channels and 1 lost                          True, False, False, lost   “False” in the majority, valid           False
1 erroneous channel and 2 lost                           True, False, lost, lost    tie, no value can be qualified           none
1 erroneous channel and 2 lost, go-ahead logic (case 1)  True, False, lost, lost    “True” qualified valid                   True
1 erroneous channel and 2 lost, go-ahead logic (case 2)  True, False, lost, lost    “False” qualified valid                  False
In the nominal scenario, all four channels provide the “True” value as their individual values so the voter delivers the “True” value as the global value, and this corresponds to reality.
In the following row, one channel is erroneous, delivering the “False” value. Since it is identified as being in the minority by the voter, it is qualified as being invalid. The voter therefore forwards the “True” global value.
In the following row, one channel is lost. In the presence of three “True” values, the voter provides the “True” global value.
In the fourth row, two channels are erroneous, both providing the “False” value. The voter thus receives the “True” value twice and the “False” value twice. When the votes are tied in this way, it is not possible to provide a global value.
In the following row, a first case of go-ahead logic processing is envisaged for mitigating this scenario. By means of this logic, the voter qualifies the “True” values as delivered by the first two applications as valid and it therefore provides the “True” value as the global value.
With the other case of go-ahead logic processing, the voter makes the opposite choice, finding valid the individual values delivered by the erroneous channels, and it therefore delivers the “False” value as the global value.
In the following row, two channels are lost. The voter thus receives two “True” values simultaneously and it delivers a “True” global value.
Thereafter, one channel is erroneous and another channel is lost. The voter receives two “True” values and one “False” value. It qualifies the “False” value as invalid since it is in the minority and therefore provides the “True” value as the global value.
In the following row, three channels are erroneous. The voter thus receives one “True” value and three “False” values. The “False” values are in the majority so they are qualified as being valid and “False” is delivered as the global value.
Next, three channels are lost. The only value received by the voter is “True”, such that “True” constitutes the global value.
Next, two channels are erroneous and one channel is lost. The voter thus receives the “True” value once and the “False” value twice. Since the “False” value is in the majority, it is delivered as the global value.
In the scenario where one channel is erroneous and two channels are lost, the voter receives the “True” value once and the “False” value once. In the presence of such a tie, the voter is not in a position to provide a global value.
In the same scenario together with a first case of go-ahead logic processing, the voter qualifies the “True” value as valid and therefore forwards “True” as the global value. However, with the second case of go-ahead logic processing, shown in the last row of the table, it is the “False” value that the voter validates and forwards as the global value.
Generalizing Failure Conditions for an N-Channel Architecture
The analysis generalizes readily to an n-channel architecture. A failure that leads to the loss of one channel makes the scenario identical to that of an architecture having n−1 channels.
Thus, a basic vote system can cope appropriately with failure situations providing they lead to the “True” value being delivered by a majority of channels. In contrast, it is necessary to select a logic architecture for coping with failures that lead to a scenario in which votes are tied, i.e. a situation in which the voter is faced with equal numbers of “True” and “False” values. Finally, the vote system is not capable of coping with failure scenarios that lead to receiving a majority of “False” values from the channels.
It can thus be seen that this type of architecture is sufficiently robust to cope with certain failure situations in which only a minority of channels are erroneous or lost. However it is not satisfactory in failure situations that lead to tied votes.
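The four voter steps described above (with the tolerance allowed in the comparison step) and the tie and no-majority outcomes of Tables 1 to 4 can be reproduced with the following model. It is an added example, not code from the patent: the names vote, same and LOST, the “unqualified” label, and the go_ahead index (0 for go-ahead case 1, 1 for case 2, and so on) are assumptions of this example, and its scenarios are constructed from the tables.

```python
from typing import List, Optional, Sequence, Tuple, Union

Value = Union[int, float, bool]
LOST = None  # channel that delivered no value within the allowed time


def same(a: Value, b: Value, tol: float) -> bool:
    """Step 2: Booleans must match exactly; numbers agree within tol."""
    if isinstance(a, bool) or isinstance(b, bool):
        return a is b
    return abs(a - b) <= tol


def vote(inputs: Sequence[Optional[Value]], tol: float = 0.0,
         go_ahead: Optional[int] = None) -> Tuple[Optional[Value], List[str]]:
    """Return (global value or None, qualification of each channel).

    inputs   -- step 1: one entry per channel, LOST if it did not respond
    tol      -- tolerance for the step 2 comparison of numerical values
    go_ahead -- assumed go-ahead stage for a tie or no majority: trust the
                go_ahead-th distinct value in channel order (0 = case 1,
                1 = case 2, ...); None means no go-ahead logic
    """
    labels = ["lost" if v is LOST else "?" for v in inputs]
    present = [i for i, v in enumerate(inputs) if v is not LOST]
    # Group received values: one group per distinct value (within tol).
    groups: List[Tuple[Value, List[int]]] = []
    for i in present:
        for value, members in groups:
            if same(value, inputs[i], tol):
                members.append(i)
                break
        else:
            groups.append((inputs[i], [i]))
    if not groups:
        return None, labels  # every channel lost: nothing to vote on
    # Step 3: keep only a value delivered by a strict majority of the
    # channels that actually responded.
    winner = None
    for value, members in groups:
        if 2 * len(members) > len(present):
            winner = (value, members)
    if winner is None and go_ahead is not None and go_ahead < len(groups):
        winner = groups[go_ahead]  # tie or no majority: go-ahead stage decides
    if winner is None:
        for i in present:
            labels[i] = "unqualified"
        return None, labels  # no global value can be forwarded (step 4 fails)
    value, members = winner
    for i in present:
        labels[i] = "valid" if i in members else "erroneous"
    return value, labels  # step 4: the single global value


# Constructed scenarios from Tables 1 to 4 (true value 10, or True).
SCENARIOS = {
    "T1 nominal": ([10, 10, 10], 0.0, None),
    "T1 2 erroneous incoherent channels": ([10, 8, 13], 0.0, None),
    "T2 same, go-ahead logic case 3": ([10, 8, 13], 0.0, 2),
    "T3 1 erroneous channel and 1 lost": ([True, False, LOST], 0.0, None),
    "T4 2 erroneous channels, go-ahead case 2": ([True, True, False, False], 0.0, 1),
    "numerical values within tolerance 0.5": ([10.0, 10.2, 9.9], 0.5, None),
}

if __name__ == "__main__":
    for name, (inputs, tol, go) in SCENARIOS.items():
        print(name, "->", vote(inputs, tol, go))
```

Because the majority is taken over the channels that actually responded, a lost channel behaves exactly as the n−1 channel case above describes, and a tie is reported as no global value unless a go-ahead index is supplied.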