Embodiments of the present invention relate to determining whether a configuration for an installed subsystem is suitable for operating the subsystem and to providing to an installed subsystem data for a suitable configuration.
Conventional systems are packaged to facilitate maintenance and upgrades by permitting portions of a system to be removed and replaced with a functionally compatible replacement portion. Such portions may be equivalently referred to as subsystems, system components, replaceable units, or line replaceable units (LRUs). A subsystem may be operated by itself apart from the rest of the system for testing, though such operation may be somewhat different from typical system operation, for example, to facilitate diagnostics, analysis of extreme conditions, measurement, calibration, monitoring of internal signals, debugging, or special purpose tests. The specified performance of a subsystem is typically defined for system level operations and may also be defined at the subsystem level by specifying sequences of inputs and acceptable outputs of the subsystem.
Certifying the performance of a subsystem typically includes ascertaining and recording the identity and configuration of the subsystem, isolating the subsystem from other system components (e.g., to assure performance isn't masked by other subsystems), conducting tests using instrumentation that has been properly calibrated, recording that each step of a test was performed properly with an acceptable result, and recording that all testing was completed satisfactorily. The time, labor, equipment utilization, and management associated with certifying a subsystem represent a costly investment aimed at assuring proper operation of the system under all system operating conditions.
Conventional subsystem design in electronics and software places emphasis on modular design techniques for decreasing development time. These modules may be circuits, circuit assemblies, memory devices, integrated circuits, application specific integrated circuits, or portions of software handled as a unit during software development processes. Such portions of software may include data or instructions in any form readable by human programmers or machines. Subsystems as a whole, and all internal modules, may be designed to perform according to one or more predefined configurations. Typically, a configuration corresponds to prescribed conditions of signals at an electrical interface of the subsystem or module, or to prescribed contents of a memory device. A configuration may establish an initial operating mode (or set of modes) or may, upon configuration change, establish a different mode (or set of modes) for further operations.
Conventional subsystems have been designed to operate with centralized control of subsystem modules. For example, all hardware and software modules for an airplane cockpit system function, such as the computer of a collision avoidance system, have been packaged as a line replaceable unit. Also, a system may be installed in a variety of environments, each characterized by different system operations or operational modes. Consequently, for a given subsystem, all modules that may be necessary or desirable for all system environments have typically been included in the subsystem. As the number of environments and the complexity of the system and subsystem increase, the cost of certification of the subsystem has dramatically increased.
Without systems and methods of the present invention, further development of systems and subsystems may be impeded. Development, operating, and maintenance cost targets and performance reliability goals may not be met using conventional system design as discussed above. Consequently, important systems for assuring safety of personnel and equipment may not be implemented to avoid injury, loss of life, and destruction of property.
A system, according to various aspects of the present invention, operates in an aircraft and includes several cooperating subsystems. At least one of the subsystems is coupled to an environment memory having content and a plurality of signature values of respective portions of the content. That subsystem includes a nonvolatile memory, an interface, and a processor. The nonvolatile memory includes content and at least one signature value of the content of the nonvolatile memory. The interface facilitates removal and replacement of the subsystem. The processor has access to the environment memory via the interface. The processor validates the content of the nonvolatile memory with reference to the signature value of the content of the nonvolatile memory, validates the content of the environment memory with reference to at least one signature value of the content of the environment memory, updates the content of the nonvolatile memory in accordance with the content of the environment memory, and performs a program in accordance with the updated content of the nonvolatile memory.
By using signatures stored in environment memory and in nonvolatile memory, the processor may easily recognize that the subsystem has been removed from one system and installed in another system. After updating the content of nonvolatile memory, the program operates in a certified configuration for the system where the subsystem is now installed.
A subsystem, according to various aspects of the present invention, operates in a system in accordance with contents of a system memory that is not part of the subsystem. The system memory includes content and a plurality of signature values of respective portions of the content of the system memory. The subsystem includes a nonvolatile memory, an interface, and a processor. The nonvolatile memory has content and a signature value of the content. The interface facilitates removal and replacement of the subsystem. The processor has access to the system memory via the interface. The processor validates the content of the nonvolatile memory with reference to the signature value of the content of the nonvolatile memory, validates the content of the system memory with reference to at least one signature value of the content of the system memory, updates the content of the nonvolatile memory in accordance with the content of the system memory, and performs an application program in accordance with the updated content of the nonvolatile memory.
A tray, according to various aspects of the present invention, accepts a replaceable subsystem. The tray includes an interface and a memory. The interface facilitates removal and replacement of the subsystem. The memory is coupled to the subsystem via the interface. The memory includes a plurality of signatures, each signature associated with a respective portion of the content of the memory. In one implementation, the memory is housed in the shell of a connector of a cable assembly that connects to the subsystem.
By storing a signature in the memory for each of several portions of content, the identity and certification status of that portion of content may be easily ascertained. Greater flexibility results in defining memory content when the identity of each portion of content is independent of its storage location in memory.
A method, according to various aspects of the present invention, operates a subsystem of an avionics system. The avionics system has a plurality of subsystems. The subsystem is packaged as a replaceable unit for installation via an interface of the subsystem. The subsystem includes a processor and a first memory. The system includes a second memory accessed by the subsystem via the interface. The method is performed by a processor of the subsystem and includes in any order: (a) determining a first calculated signature of a first content of the first memory; (b) comparing the first calculated signature with a first stored signature stored in the first memory to conclude validity of the first content; (c) determining a second calculated signature of the second memory, the second memory comprising a plurality of stored signatures for respective portions of the content of the second memory; (d) comparing the second calculated signature with a second stored signature stored in the second memory to conclude validity of the second content; (e) updating the first content in accordance with the second content in response to determining that the first content is valid and the second content is valid and a difference exists among at least two of the first calculated signature, the second calculated signature, the first stored signature, and the second stored signature; and (f) performing an avionics program in accordance with the updated first content.
By determining validity before performing an avionics program, the avionics program may be performed in a certified configuration.
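The following is an added worked example of the method of steps (a) through (f), written for this summary and not taken from the application or any product it describes. It assumes SHA-256 as the signature function (the text says only "signature value"), a fixed name:value serialization for the environment memory content, and constructed configuration values for two systems; the first memory is the subsystem's nonvolatile memory and the second memory is the tray or environment memory reached through the interface.

```python
import hashlib
from dataclasses import dataclass


def signature(data: bytes) -> str:
    # SHA-256 as the signature function is an assumption of this example;
    # the application only speaks of "signature values".
    return hashlib.sha256(data).hexdigest()


@dataclass
class NonvolatileMemory:
    """First memory: travels with the replaceable subsystem."""
    content: bytes
    stored_signature: str


@dataclass
class EnvironmentMemory:
    """Second memory: stays with the tray/system. Every portion carries its
    own stored signature, and one more signature covers the whole content."""
    portions: dict            # portion name -> bytes
    portion_signatures: dict  # portion name -> signature of that portion
    stored_signature: str     # signature over canonical(portions)


def canonical(portions: dict) -> bytes:
    """Fixed serialization so the whole-content signature is reproducible."""
    return b"".join(name.encode() + b":" + data + b"\n"
                    for name, data in sorted(portions.items()))


def make_environment_memory(portions: dict) -> EnvironmentMemory:
    """How a tray would be provisioned when its configuration is certified."""
    return EnvironmentMemory(
        portions=dict(portions),
        portion_signatures={n: signature(d) for n, d in portions.items()},
        stored_signature=signature(canonical(portions)),
    )


def run_avionics_program(content: bytes) -> dict:
    """Stand-in for step (f): the program reads its configuration from the
    (possibly updated) nonvolatile content. Constructed format: name:value lines."""
    config = {}
    for line in content.split(b"\n"):
        if line:
            name, value = line.split(b":", 1)
            config[name.decode()] = value.decode()
    return config


def start_subsystem(nvm: NonvolatileMemory, env: EnvironmentMemory):
    """Steps (a)-(f). Returns (action, configuration the program ran with)."""
    first_calc = signature(nvm.content)                       # (a)
    first_valid = first_calc == nvm.stored_signature          # (b)
    whole = canonical(env.portions)
    second_calc = signature(whole)                            # (c)
    second_valid = (second_calc == env.stored_signature and   # (d)
                    all(signature(d) == env.portion_signatures.get(n)
                        for n, d in env.portions.items()))
    if not (first_valid and second_valid):
        # The method only updates when both contents validate; a corrupted
        # or substituted memory on either side stops the program from running.
        return "refuse", None
    # (e) Because both sides validated, calculated == stored on each side, so
    # "a difference among at least two of the four signatures" reduces to the
    # subsystem content differing from the environment content: the unit was
    # moved to another system, so adopt that system's certified configuration.
    if first_calc != second_calc:
        nvm.content = whole
        nvm.stored_signature = second_calc
        action = "updated"
    else:
        action = "unchanged"
    return action, run_avionics_program(nvm.content)          # (f)


if __name__ == "__main__":
    tray = make_environment_memory({"mode": b"TA-only", "altitude_limit": b"2500"})
    old = canonical({"mode": b"TA-RA", "altitude_limit": b"1000"})  # constructed: from the previous aircraft
    unit = NonvolatileMemory(old, signature(old))
    print(start_subsystem(unit, tray))   # updated to the tray's configuration
    print(start_subsystem(unit, tray))   # second power-up: unchanged
```

Note that the signatures here are plain digests: they detect corruption and accidental mismatch, which is what the method needs to recognize a relocated unit, but a digest alone does not prove who produced the content. Where the tray memory is reachable by anyone with physical access, the stored signatures would additionally need to be authenticated (for example by a keyed MAC or a digital signature over the content) before a subsystem should treat a tray's content as a certified configuration.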
A method, according to various aspects of the present invention, operates a subsystem of an avionics system. The avionics system includes a plurality of subsystems. The subsystem is packaged as a replaceable unit for installation via an interface of the subsystem. The subsystem includes a processor and a first memory. The avionics system includes a second memory accessed by the subsystem via the interface. The method is performed by a processor of the subsystem. The method includes in any order: (a) determining whether first content of the first memory is not complete, the determining being made with reference to a preferences store of the subsystem; and (b) transferring second content from the second memory to the first memory, the second content being identified by a signature.
Use of a signature simplifies identification of portions of content to assure that a preferred certified configuration of an application program is used by the subsystem.
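As an added example (not code from the application), the completeness check and signature-identified transfer of the method above, combined with the content-addressed layout described earlier for the tray memory, where each portion is identified by its signature rather than by its storage location. Assumptions: SHA-256 as the signature function, a preferences store that is simply the list of signatures of the portions the subsystem's application program needs, and constructed portion contents.

```python
import hashlib


def signature(data: bytes) -> str:
    # SHA-256 as the signature function is an assumption of this example.
    return hashlib.sha256(data).hexdigest()


def make_tray_memory(portions) -> dict:
    """Second memory: every portion is stored under its own signature, so the
    identity of a portion is independent of where it sits in memory."""
    return {signature(p): p for p in portions}


def incomplete_portions(first_memory: dict, preferences: list) -> list:
    """Step (a): with reference to the preferences store (the signatures the
    application program needs), list portions that are missing or damaged."""
    return [sig for sig in preferences
            if sig not in first_memory or signature(first_memory[sig]) != sig]


def transfer_portion(first_memory: dict, second_memory: dict, sig: str) -> bool:
    """Step (b): copy the portion identified by sig from the second memory,
    recomputing its signature on arrival before accepting it."""
    data = second_memory.get(sig)
    if data is None:
        return False                      # tray does not hold that portion
    if signature(data) != sig:
        return False                      # damaged or substituted: do not accept
    first_memory[sig] = data
    return True


def complete_configuration(first_memory: dict, second_memory: dict,
                           preferences: list) -> bool:
    """Apply (a) then (b) for every gap; True only if the first content is now
    complete, i.e. every preferred portion is present and validates."""
    for sig in incomplete_portions(first_memory, preferences):
        transfer_portion(first_memory, second_memory, sig)
    return incomplete_portions(first_memory, preferences) == []


# Constructed sample portions of a certified configuration.
MODE = b"mode=TA-only\n"
ALTITUDE = b"altitude_limit=2500\n"
DISPLAY = b"display=night\n"           # present on the tray, not needed by this unit
PREFERENCES = [signature(MODE), signature(ALTITUDE)]   # the subsystem's preferences store


if __name__ == "__main__":
    tray = make_tray_memory([MODE, ALTITUDE, DISPLAY])
    unit = {signature(MODE): MODE}      # fresh unit: only one portion loaded
    print(incomplete_portions(unit, PREFERENCES))   # the altitude portion is missing
    print(complete_configuration(unit, tray, PREFERENCES))
```

Because the preferences store names content by signature, the check does not care which slot of the tray memory a portion occupies, and a portion that was replaced by a different certified version simply fails to match and is refetched; a tray that lacks the portion, or holds bytes that do not reproduce the signature, leaves the configuration incomplete and the caller can refuse to start the application program.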