The present invention relates to a system for downloading software to a control unit by way of a serial communications link. In particular, a software downloading system is disclosed for use in downloading, verifying and/or testing software from a remote programmer or host computer to an unprogrammed, sealed electronic engine control unit on a gas turbine engine.
It is well known on modern aircraft powered by gas turbine engines to control multiple engine functions through a central, on-board or host computer that communicates instructions by way of a shielded serial communications link to an electronic engine control ("E.E.C.") unit on each engine. The E.E.C. unit, in turn, transmits signals to a plurality of actuators, thereby controlling various engine functions. For example, upon commencing a flight, an aircraft operator manipulates a throttle to increase fuel supply to the gas turbine engines. The throttle directs the on-board or host computer to communicate a specific fuel-supply increase to an E.E.C. unit on each engine. Each E.E.C. unit then generates a specific electronic signal and transmits it to an actuator on a torque motor controlling a throttle valve, thereby increasing fuel supply to the engine.
E.E.C. units are typically microprocessor based, and include a data communications link, a central processing unit ("C.P.U."), a program memory, and at least one in/out ("I/O") port. An E.E.C. unit receives instructions in the form of data words from the on-board computer, via its data communications link. In response, the C.P.U. then executes an application code stored in the program memory, and thereby generates and transmits appropriate signals to the actuators, via an electric circuit affixed to the unit's I/O port.
Two major factors have influenced design of current E.E.C. unit hardware architecture. The first factor has been the extremely hostile working environment of a typical aircraft E.E.C. unit adjacent a gas turbine engine. Virtually all such components are exposed to extremes of heat, moisture and vibration, as well as to severe static electricity hazards. Consequently, design of E.E.C. units has tended to produce tightly sealed containers housing the units components, wherein the containers have a minimum number of potential electrical contact points. The second factor influencing design has been a need to frequently change programs stored in E.E.C. units' program memories, and to verify and test resident programs. Therefore, current E.E.C. units are designed to be tested and/or modified prior to and between flights by a technician using a "remote programmer" in place of the host computer.
Known E.E.C. units have utilized at least three distinct hardware-architecture designs to resolve problems arising from inherent tensions between the aforesaid two design influences. A first design enables the E.E.C. unit to remain sealed during downloading, verifying and/or testing by having a test-connector fixture in the container housing the unit, in addition to the unit's data communications link and I/O ports. Such a test connector is utilized for on-board programming of the unit, and also enables a technician to have direct access to the unit's program memory, through the test connector. Test connector fixtures, however, expose the E.E.C. unit to a static-spark contact hazard. Additionally, such a hardware design poses a substantial security risk, because valuable programs stored in the program memory can be read and duplicated by any entity having access to the test connector fixture.
A second common E.E.C. unit design utilizes a special programming station separate from the unit. It enables a technician to remove memory components of the unit's program memory for downloading, verifying and/or testing in the special programming station. Although no additional connector fixture is required in the unit's container, this method requires that the technician be properly trained to open the unit to remove memory components, thereby exposing its circuit boards, chips and other components to possible damage. Additionally, such a removable memory component cannot be volatile, thereby prohibiting utilization of potentially desireable memory components such as static RAMS. Finally, this second design also poses a security risk, because elements of the unit's program memory are removable and transportable.
A third known E.E.C. unit design has resolved some of the problems associated with the first two designs by utilizing a serial communications channel and a boot program that enables the unit's C.P.U. to download, verify and/or test software code. This design requires that the boot software be resident in a memory component of the unit prior to downloading, or that a boot program is first downloaded to a special memory area within the unit, prior to communications with the unit's program memory by a remote programmer or host computer. Such a design minimizes additional connector fixtures and allows the E.E.C. unit's container to remain sealed during downloading, verifying and/or testing. However, the design requires additional memory components in the unit to load and/or store the boot program.
Moreover, this design also poses a security risk because the boot program remains in the unit after it is programmed. This permits a continual access to the unit's program memory via its data communications link.
Consequently, due to inherent design limitations, known E.E.C. units are exposed to severe static spark hazards during ordinary usage; require partial disassembly by highly skilled technicians for downloading, verifying and/or testing software; or, require special memory areas within the unit for boot software. Additionally, all known E.E.C. unit designs pose security risks because their program memories are accessible via their data communication links during ordinary usage.
Accordingly, it is a general object of the present invention to provide a system for downloading software into an E.E.C. unit that overcomes the problems of the prior art.
It is a more specific object to provide a system for downloading software into an E.E.C. unit that utilizes a minimum number of electrical connector fixtures within a container housing components of the unit.
It is another object to provide a system for downloading software into an E.E.C. unit that enables the software in the unit to be changed, verified and/or tested without opening the container housing components of the unit, or removing any of the components.
It is yet another object to provide a system for downloading software into an E.E.C. unit that prohibits access to software loaded into the unit's program memory during ordinary usage of the unit.
The above and other objects and advantages of this invention will become more readily apparent when the following description is read in conjunction with the accompanying drawings.