1. Field of the Invention
The present invention relates to a method and a device allowing the execution by a single processor of several functions for controlling an industrial process, some of these functions requiring a high level of safety of operation.
It applies in particular, but not exclusively, to computers carried on board aerodynes which cater for various flight control functions. It emerges that the current developments in such equipment are aimed at ever greater automation of the flight control tasks, and especially, the piloting of aerodynes. This tendency is leading to equipment of ever greater complexity, bulk, energy consumption and cost and which is ever more difficult to maintain.
To solve this problem, it has been sought to integrate such equipment and make it modular. To do this, an architecture has already been proposed which brings together various electronic modules into electronics racks or cabinets, these modules performing the acquisition of the information arising from the sensors and other on-board equipment, as well as the formulation of flight commands.
The grouping together of several functions comprising several tasks executed cyclically, within the same module, has also been attempted, it being possible for the necessary computations and processing operations to be performed by means of one and the same processor used in timesharing mode.
However, in the equipment installed on board aerodynes, a level of criticality is generally associated with each function carried out, and with each datum used by the functions, each level of criticality corresponding to a maximum failure rate required by the authorities for certifying aeronautical equipment. Thus, the functions with the most critical level correspond to those whose failure may have catastrophic consequences. These functions must therefore exhibit a very low probability of failure (less than 10⁻⁹ faults per flying hour). Likewise, the most critical data are the data which, if they are no longer available or erroneous, may give rise to catastrophic events. Of course, the criticality of the data bears no relation to the criticality of the functions which use them, it being possible for one and the same datum to be used by several functions with different levels of criticality.
The sharing of the same processor by several functions therefore involves tasks with different levels of criticality being executed by the same processor, thus considerably raising the risk that less critical functions, such as the functions related to the maintenance of the equipment, might disturb or even shut down the execution of the most critical functions. It is then necessary to make special provisions so that the functions carried out, and especially the most critical ones, are executed with the level of safety required by the authorities who certify on-board equipment.
To this end, redundant architectures have been proposed in which all the modules, especially those which cater for critical functions, are triplicated in such a way that the critical functions may be carried out even following a failure. However, this solution does little to reduce costs, the number of modules required, or the power consumed and dissipated, nor to improve the availability (failure rate) or the ease of maintenance of the equipment.
Furthermore, the redundant architecture solution amounts to duplicating not only critical functions, but also noncritical functions, such as the maintenance functions.
The object of the present invention is to eliminate these drawbacks. To this end, it proposes a method for the execution by a single processor of several functions each grouping together several tasks, the processor having addressing access to an addressable space comprising memories for a program and for data, and input and output registers allowing the processor to communicate with its environment.
According to the invention, this method is characterized in that it comprises:
the allocating of a right of access to each function to be executed by the processor,
the dividing of the space addressable by the processor into addressable partitions and the associating of each addressable partition with the access right of one of the functions, in such a way as to allow each function to access at least one addressable partition,
the dividing of the time of use of the processor into cyclic time slices, and the associating of each cyclic time slice with the access right of one of the functions, in such a way that each function is executed in the course of at least one time slice,
at the start of each new time slice, the confirming that the processor has terminated the execution of the previous function, and the transmitting of an error signal to the processor if the execution of the previous function has not terminated, the updating of a current access right corresponding to the access right associated with the new time slice, and the activating of the tasks of the corresponding function, and
during each access by the processor to an addressable partition, the reading of the access right associated with the accessed addressable partition, the comparing of this access right with the access right associated with the current time slice, and the transmitting of an error signal to the processor in the case in which the comparison reveals an inconsistency.
These provisions allow the execution in a totally independent manner of several functions by a single processor, and thus make it possible to prevent an addressing error made by the processor when executing a function from giving rise to modifications of memory areas allocated to other functions, and simultaneously to prevent an execution error which causes the exceeding of the time allocated to the function from disturbing the execution of the subsequent function by the processor. The errors which may appear in the course of a cyclic time slice are therefore strictly confined to this time slice, and thus, cannot disturb the functions executed in the course of the subsequent time slices.
In this way, it is possible to group functions with various levels of criticality together into the same module comprising a single processor, without engendering an increase in the risks of a fault.
It is therefore no longer necessary to use a totally duplicated or triplicated architecture, only the most critical functions being duplicated or triplicated. The invention thus allows an appreciable reduction in the cost, bulk and power dissipated by such equipment.
Additionally, since the faults are confined solely to the function affected, maintenance of the equipment, and especially the fault locating and repair operations are made considerably easier.
Generally, the functions executed in respect of the real-time control of an industrial process comprise several tasks which are executed periodically, each task having a level of criticality. In this context, the method according to the invention furthermore comprises:
the dividing of the partitions of the addressable space into addressable areas, and the associating of access rights with these areas,
the allocating of the access rights of the areas of each addressable partition to the tasks of the function corresponding to the addressable partition as a function of the respective levels of criticality of the tasks,
during the activating of each task, the updating of a current access right, and
during each access to an addressable area, the comparing of the access right associated with the addressable area, with the access right of the task currently being executed.
Advantageously, the method according to the invention furthermore comprises the allocating to each task of a minimum and maximum execution time, the checking at the end of the execution of each task that these times are complied with, and the transmitting of an error signal if this condition is not fulfilled.
This provision allows more accurate checking of the execution of the tasks by the processor, and thus, better detection of errors.
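The following C model is an added example, not code from the patent: it puts together the slice-level check of the method (confirmation at each slice boundary that the previous function has terminated, partition access right compared with the right of the current time slice) and the task-level refinement (area access right compared with the right of the running task, minimum and maximum execution time checked at the end of each task). The type names, error codes, tick-based timing and address values are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
/* Error signals sent to the processor (constructed values for this example). */
enum { ERR_NONE = 0, ERR_OVERRUN, ERR_PARTITION, ERR_AREA, ERR_TIME };
typedef uint8_t right_t;
/* Addressable area inside a partition; carries the right of one task. */
typedef struct { uintptr_t base, size; right_t task_right; } area_t;
/* Addressable partition; carries the right of one function and is split into areas. */
typedef struct { uintptr_t base, size; right_t fn_right; const area_t *areas; size_t nareas; } partition_t;
typedef struct { right_t right; uint32_t min_ticks, max_ticks; } task_t;
typedef struct {
    const partition_t *parts; size_t nparts;
    right_t fn_current, task_current;  /* rights of the running slice and task */
    bool running;                      /* function of this slice still executing */
    uint32_t task_start;
} monitor_t;
/* Start of a cyclic time slice: the previous function must have terminated. */
int slice_start(monitor_t *m, right_t slice_right) {
    int err = m->running ? ERR_OVERRUN : ERR_NONE;
    m->fn_current = slice_right;
    m->running = true;
    return err;
}
void function_done(monitor_t *m) { m->running = false; }
/* Activation of a task: update the current access right and note the start tick. */
void task_activate(monitor_t *m, const task_t *t, uint32_t now) {
    m->task_current = t->right; m->task_start = now;
}
/* End of a task: the elapsed time must lie within [min_ticks, max_ticks]. */
int task_end(const monitor_t *m, const task_t *t, uint32_t now) {
    uint32_t elapsed = now - m->task_start;
    return (elapsed < t->min_ticks || elapsed > t->max_ticks) ? ERR_TIME : ERR_NONE;
}
/* Every access: partition right vs slice right, then area right vs task right; unused gaps are refused. */
int check_access(const monitor_t *m, uintptr_t addr) {
    for (size_t i = 0; i < m->nparts; i++) {
        const partition_t *p = &m->parts[i];
        if (addr < p->base || addr >= p->base + p->size) continue;
        if (p->fn_right != m->fn_current) return ERR_PARTITION;
        for (size_t j = 0; j < p->nareas; j++) {
            const area_t *a = &p->areas[j];
            if (addr >= a->base && addr < a->base + a->size)
                return a->task_right == m->task_current ? ERR_NONE : ERR_AREA;
        }
        return ERR_AREA;
    }
    return ERR_PARTITION;
}
```

An error returned by any of these checks is the error signal the method transmits to the processor; what the processor then does with it (halting the offending task, logging the fault) is outside this model.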
To further limit the consequences of addressing errors, the areas of the space addressable by the processor which can be used at each time slice are separated by unused areas, thus making it possible to prevent some addressing errors from giving rise to erroneous modifications of the memory or erroneous output-accesses.
According to another feature of the invention, the unused areas of the memories for a program and for data are filled with code executable by the processor which stops or shuts it down, so that a jump into such an area causes the maximum time allocated to the task currently being executed to be exceeded and thus detected.