It is generally recognized that there is a need to employ digital computers in applications in which improper operation could have severe consequences. For example, a sophisticated flight hazard warning system has been developed for aircraft which utilizes a number of independent warning systems including a ground proximity warning system, a wind shear detection system and a collision avoidance system. This particular system is generally described in U.S. patent application Ser. No. 08/847,328, filed Apr. 23, 1997 and entitled: “Integrated Hazard Avoidance System”, and is incorporated herein by reference. In the preferred embodiment described therein, a central computer, which may include multiple processors for redundancy, receives via various input/output (I/O) modules various types of flight data useful for anticipating and warning of hazardous flight conditions. Such information may include but is not limited to: barometric altitude, radio altitude, roll and pitch, airspeed, flap setting, gear position, and navigation data. This information is communicated to the central computer via a data bus.
For such an integrated warning system to provide warnings with a high degree of integrity, the data operated upon and instructions issued by the central computer must be accurate. A bus architecture to transfer data between each of the I/O modules in an orderly manner must therefore exist. Data placed on the bus must also be accurate and without error. Also, it is important to ensure, to the extent possible, that the individual systems execute the warning programs correctly.
There have been various approaches to solving these problems. For example such a system is described in ARINC Specification 659 entitled Backplane Data Bus published on Dec. 27, 1993 by Aeronautical Radio, Inc. In this system the bus includes four data lines and has a pair of Bus Interface Units (“BIU”) for each processor or node on the data system where each BIU is connected to two data lines in the bus. Data is transferred according to a time schedule contained in a table memory associated with each BIU. The tables define the length of time windows on the bus and contain the source and destination addresses in the processor memory for each message transmitted on the bus. These types of systems also use for some applications two processors that operate in a lock-step arrangement with additional logic provided to cross-compare the activity of the two processors. The two processors, each with its own memory, execute identical copies of a software application in exact synchrony. This approach usually requires that the two processors must be driven by clock signals that are synchronized.
Although such systems have high data integrity and provide for fault tolerant operation, they have a number of disadvantages. For example the use of tables having data source and destination addresses for each application program in the processor memory makes it difficult to reprogram the system for new applications because each table in the system must be reprogrammed. In addition, the use of two processor operating in lock-step reduces the flexibility of the system since it is not possible to run two different programs on the processors at the same time.
Application Ser. No. 09/009,463 discloses a fault tolerant bus architecture and protocol for use in an Integrated Hazard Avoidance System of the type generally described therein as well as other applications, aviation and otherwise, wherein data is to be handled with a high degree of integrity and in a fault tolerant manner. The system is partitioned into modules and an inter-module backplane data bus is shared between the modules to transfer data between the modules. The modules themselves may host multiple application functions that also share the backplane bus. The backplane bus is fault tolerant, multi-drop, time-multiplexed broadcast bus in which serial data is preferably transferred in a semi-duplex manner. Each module, or fault containment node, includes a single source microprocessor that executes instructions to place data onto the bus. Bus interface controllers, each with an independently driven clock, compare the retrieved data. If the interface controllers are in agreement, the data is placed on the bus.
According to co-pending application Ser. No. 09/009,463, the data is preferably placed on the bus using a data bus protocol that allocates to each node a predetermined number of slots in which to transmit. Each module contains a time table memory associated with each bus interface controller that stores the bus protocol information to enable the node to place data in a predetermined channel on the bus at the appropriate time period. A space table associated with each bus interface controller indicates the address space in a processor memory from which the data is to be transferred to the bus.
Co-pending application Ser. No. 09/454,054 provides an improvement over the disclosure of application Ser. No. 09/009,563 having a simplified time deterministic bus traffic protocol that is independent of the communication protocol and the number of sub-busses.
Although such systems have high data integrity and provide for fault tolerant operation, alternative bus topology can enhance the data integrity and fault tolerant operation of such systems.