1. Field of the Invention
The present invention relates to a modular architecture of a set of items of electronic equipment making it possible to control an industrial process which necessitates a high level of operating safety.
2. Discussion of the Background
It applies especially, but not exclusively, to the items of electronic equipment installed on board aircraft which perform various flight control functions. It is clear that current developments in this equipment are aimed more and more at automating the tasks of flight control, and in particular, the piloting of the aircraft. This tendency is leading to equipment which is more and more complex, bulky, energy-consuming, expensive and difficult to maintain.
In order to solve this problem, it has been sought to integrate this equipment and to make it modular. To that end, an architecture has already been proposed which brings together various electronics modules in electronics cabinets or racks, these modules carrying out the acquisition of the information originating from the sensors and the other on-board equipment, as well as the deriving of flight control commands.
An attempt has also been made to group together and to share several functionality aspects within the same module, it being possible for the necessary processing and calculations to be carried out by means of a single processor used in timesharing mode.
However, in the equipment installed on board aircraft, a level of criticality is generally associated with each function carried out and each item of data used by the functions, each level of criticality corresponding to a maximum failure rate required by the authorities who certify aeronautical equipment. Thus, the functions of the most critical level correspond to those functions the failure of which may have catastrophic consequences. These functions should therefore exhibit a very low probability of failure (lower than 10⁻⁹ failures per hour of flight). Likewise, the most critical data are the data which, if they are no longer available or erroneous, may give rise to catastrophic events. Obviously, the criticality of the data is not related to the criticality of the functions which use them, the same data item possibly being used by several functions with different levels of criticality.
The sharing of the same processor by several functions implies therefore that functions with different levels of criticality are performed by the same processor, which greatly increases the risk that less critical functions, such as the functions relating to the maintenance of the equipment, disturb or even block the performance of functions which are the most critical, that is to say a malfunctioning of which can lead to a catastrophic situation. It is then necessary to make special provisions so that the functions carried out, and in particular the most critical ones, are performed with the level of safety required by the authorities who certify on-board equipment.
To this end, a redundant architecture has been proposed, in which all the modules, in particular those which perform critical functions, are triplicated so that the critical functions can be carried out even following a breakdown. However, this solution offers little benefit from the point of view of cost reduction, of the number of modules necessary, of the power consumed and dissipated, of the availability (failure rate) and of the equipment maintenance facilities.
Moreover, the redundant-architecture solution amounts to duplicating not only critical functions, but also noncritical functions, such as the maintenance functions.
The object of the present invention is to remove these drawbacks. To that end, the invention proposes a modular architecture of items of electronic equipment for the control of an industrial process, comprising, on the one hand, receptacles containing data-concentration modules and processing modules supplied with energy by power supply modules, and, on the other hand, critical display devices, the assembly being interconnected via data transmission means to critical sensors, noncritical sensors and actuators.
According to the invention, this architecture is characterized in that the critical sensors transmit their critical information directly to the critical display devices on the one hand, and to the concentration and processing modules of the receptacles on the other hand, the concentration modules, on the basis of the data from the critical and noncritical sensors, deriving noncritical data intended for the display devices and for the processing modules via a multi-receiver serial digital bus, the processing modules deriving commands intended for the actuators on the basis of the data from the critical sensors and of the noncritical data output by the concentration modules.
The distribution of the critical data to all the elements of the architecture is done using individual buses. The absence of concentration of the critical data on a single bus avoids all the equipment being out of service in the event of a breakdown of a single bus. This architecture thus allows faults to be confined to the affected module alone by preventing them from being propagated. It is therefore no longer necessary to use a completely duplicated or triplicated architecture, with instead only the critical functions being duplicated or triplicated. The invention thus makes it possible to substantially reduce the cost, size and dissipated power of such equipment.
Moreover, as the faults are confined to the affected module alone, the maintenance of the equipment, and in particular faultfinding and repair operations, are greatly facilitated.
Advantageously, the display devices comprise processing means for visually displaying the data transmitted to them by the sensors, the measuring instruments or other equipment.
In this way, the display devices can directly supply all the information on the control of the process, and particularly the critical information, independently of the availability of the processing modules.
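The fault-confinement argument of the preceding paragraphs (critical data on individual buses, noncritical data on one shared bus, displays independent of the processing modules) can be checked with a small dependency model. The following is an added example, not part of the patent text; the bus and consumer names are constructed, and it compares the proposed topology with a contrast case that also carries critical data on the shared bus.

```python
"""Added example (not from the patent): which consumers lose their critical
data when a single bus fails, and which services survive, in two topologies."""

# Constructed names. Each consumer lists the buses its critical data and its
# noncritical data (derived by the concentration modules) arrive on.
PROPOSED = {  # critical data on individual buses, noncritical on one shared bus
    "display":       {"critical": {"crit->display"},       "noncritical": {"shared"}},
    "processing":    {"critical": {"crit->processing"},    "noncritical": {"shared"}},
    "concentration": {"critical": {"crit->concentration"}, "noncritical": set()},
}
CONCENTRATED = {  # contrast case: critical data also concentrated on the shared bus
    "display":       {"critical": {"shared"},              "noncritical": {"shared"}},
    "processing":    {"critical": {"shared"},              "noncritical": {"shared"}},
    "concentration": {"critical": {"crit->concentration"}, "noncritical": set()},
}


def all_buses(arch):
    return {b for links in arch.values() for kind in links.values() for b in kind}


def has_critical_data(arch, consumer, failed):
    """True if none of the buses carrying this consumer's critical data has failed."""
    return not (arch[consumer]["critical"] & failed)


def blast_radius(arch):
    """Map each bus to the consumers that lose critical data if only that bus fails."""
    return {b: sorted(c for c in arch if not has_critical_data(arch, c, {b}))
            for b in sorted(all_buses(arch))}


def services_available(arch, failed):
    """Critical display needs only the display's own critical path; actuator
    commands need the processing module's critical path AND the noncritical
    data it also derives commands from (carried on the shared bus)."""
    proc = arch["processing"]
    return {
        "critical_display": has_critical_data(arch, "display", failed),
        "actuator_commands": (has_critical_data(arch, "processing", failed)
                              and not (proc["noncritical"] & failed)),
    }


if __name__ == "__main__":
    for name, arch in (("proposed", PROPOSED), ("concentrated", CONCENTRATED)):
        print(name, blast_radius(arch), services_available(arch, {"shared"}))
```

In the proposed topology no single bus failure affects more than one consumer, and losing the shared bus removes actuator commands while the critical display keeps working; in the contrast case the shared bus is a single point of failure for both.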
According to one feature of the invention, each processing and data-concentration module comprises an identical processing card, equipped with a processor, and an input/output card providing the connection between the processing card and the inputs and outputs of the module, the processing card comprising a memory into which is loaded the program making it possible to control the processor so as to perform the function of the module.
This arrangement, by a scale effect, makes it possible to greatly reduce the cost of design and manufacture of the modules, and to facilitate their maintenance. This is because when a processing card of a module is faulty, it can be replaced directly on the aircraft by another processing card into which the program corresponding to the functions of the module has previously been loaded.
These items of equipment carry out, for example, the functions of automatic piloting of an aircraft, anti-stall protection, data concentration and centralized maintenance.