1. Field of the Invention
This invention relates to a fault-tolerant computer architecture.
It applies notably, though not exclusively, to computers that must provide a high rate of detection of operating failures, such as those carried on board aerodynes.
2. Description of the Prior Art
Furthermore, in the field of commercial aviation, there is a drive to increase the availability rate of aircraft, and therefore to limit maintenance interventions outside of preprogrammed inspections. This objective implies that failures occurring in the electronic equipment of aerodynes must not alter either the reliability or the availability of the functions they perform, so that any repair work can be deferred until the next maintenance inspection. This requires an architecture capable of detecting, with a high rate of confidence, the resources that have actually failed, and capable of reconfiguring itself on a redundant resource. In addition, to facilitate maintenance, such an architecture must be capable of discriminating between a failure and a flaw in the design, in order to avoid any unnecessary reconfiguration and unjustified maintenance operation.
At present, to achieve such reliability and security objectives, use is made of computers with redundant architecture in which the processing chain is duplicated to constitute a module which also checks that it is operating properly by comparing the results obtained by the two chains. When a difference is detected, thereby indicating that a failure has occurred, the module reverts to an idle state. To be able to continue the processing performed by the chain and to enable maintenance to be deferred, a second module similar to the first one is used.
This solution therefore implies an architecture with four redundant chains, thereby entailing particularly high costs.
To achieve these objectives at a lesser cost, it has been proposed that use be made of an architecture with three redundant processing chains coupled to a voting device which compares the results obtained by these three chains. When a difference is detected, the chain that provided a result differing from the one provided by the two other chains is declared out of order and made idle, the processing being continued by the two other chains which issue a datum signaling the failure.
However, a processing chain can be broken down into three functions, namely:
a data acquisition function which receives all analog or digital type data to be processed, which converts the analog signals into digital data, and which includes a function selecting the datum to be provided at output,
an actual data processing function, generally performed by means of a processor, which acts on the acquisition function to select the datum to be provided to it, and
a transmission function to transmit the results provided by the processing function.
These solutions thus lead to the use of three complete redundant chains and are therefore expensive.
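The three-chain voting arrangement described above can be sketched as follows. This is an added example, not code from the patent: the names (`voter_t`, `vote_t`, `voter_step`), the exact-equality comparison of integer results, and the choice to withhold the output when the two remaining chains disagree are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

#define NCHAINS 3

typedef struct { bool active[NCHAINS]; } voter_t;   /* false = chain made idle */

typedef struct {
    int32_t value;       /* voted result, meaningful only when ok is true */
    bool ok;             /* false: no agreeing pair, output withheld */
    bool failure_flag;   /* the datum signalling that a failure has occurred */
    int failed_chain;    /* chain made idle on this cycle, -1 if none */
} vote_t;

void voter_init(voter_t *v) {
    for (int i = 0; i < NCHAINS; i++) v->active[i] = true;
}

/* One voting cycle over the results r[] produced by the three chains. */
vote_t voter_step(voter_t *v, const int32_t r[NCHAINS]) {
    vote_t out = { 0, false, false, -1 };
    int idx[NCHAINS], n = 0;
    for (int i = 0; i < NCHAINS; i++)
        if (v->active[i]) idx[n++] = i;

    if (n == NCHAINS) {                       /* all chains healthy: majority vote */
        for (int i = 0; i < NCHAINS; i++) {
            int a = (i + 1) % NCHAINS, b = (i + 2) % NCHAINS;
            if (r[a] != r[b]) continue;
            out.value = r[a];
            out.ok = true;
            if (r[i] != r[a]) {               /* chain i differs from the other two */
                v->active[i] = false;         /* declare it out of order, make it idle */
                out.failed_chain = i;
                out.failure_flag = true;
            }
            return out;
        }
        out.failure_flag = true;              /* all three differ: no majority exists */
        return out;
    }
    out.failure_flag = true;                  /* degraded: keep signalling the failure */
    if (n == 2 && r[idx[0]] == r[idx[1]]) {   /* two-chain comparison (assumption) */
        out.value = r[idx[0]];
        out.ok = true;
    }
    return out;
}
```

After one chain has been made idle, the voter can still detect a second disagreement but can no longer tell which of the two remaining chains is wrong.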