Piloting an aircraft entails a number of actuator-control and display operations derived from mathematical models of the behaviour of the aircraft and of certain of its subassemblies. These models are implemented by computers that take account of the current values of the flight parameters and of the instructions from the crew.
At first, each computer on board an aircraft had a specific configuration adapted to the model appropriate to one particular type of operation: piloting functions, flight management functions, alarm management functions, and so on. This architecture very quickly proved disadvantageous for maintenance, because it requires a large stock of dedicated, non-interchangeable spare computers to be managed.
To facilitate maintenance, research efforts have focused on grouping the onboard computers in one and the same technical cabinet, adopting one and the same architecture for the majority of them and differentiating them only by their inputs/outputs, which have been made interchangeable, and by their programming, that is, the computations or applications they execute. This leads to the concept of an IMA (Integrated Modular Avionics) computer network.
Since task execution errors within an application, and their propagation to other applications executing concurrently, can have particularly disastrous consequences in the piloting of an aircraft, measures to protect against their occurrence must be taken in an IMA computer network. These protective measures consist in providing the various applications with tasks that monitor their correct execution, and in running one and the same application on several identical computers operating independently. One of these computers has control, while the other computer(s) run the same application in mirror mode so as to take over control if an error is detected in the execution of the application by the computer currently in control.
The task for monitoring the correct execution of an application usually consists in periodically putting questions with agreed (pre-established) answers to the application being monitored and checking the accuracy of the answers it returns.
This method has the drawback of running counter to the portability of the applications, because the architecture of the computer on which an application will execute must be taken into account when the application is designed. In practice, for the monitoring to be effective, the agreed answers to the questions asked by the monitoring task must be chosen so that computing them involves as many elements of the computer as possible.
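The following is an added illustration of the monitoring scheme just described; it is not code from the patent or from any IMA product. A monitoring task puts questions with agreed answers to the computer currently in control and, on a wrong or missing answer, hands control to a mirror that still answers every question correctly. The challenge names, the `Replica` and `Monitor` classes, the 1 KiB test pattern and the fault-injection hooks are all constructed for this example, and the three challenges are chosen to exercise different elements of the machine (integer ALU, floating-point rounding, memory plus checksum path), which is exactly the architecture-dependence the text identifies as the drawback.

```python
"""Challenge/response monitoring of a primary/mirror pair with failover.

Added illustration, not part of the patent text: a monitoring task puts questions
with agreed answers to the computer currently in control and hands control to a
mirror when an answer is wrong or missing. The challenge names, the Replica and
Monitor classes and the fault-injection hooks are all constructed for this example.
"""
import zlib
from typing import Callable, Dict, List, Optional

# Constructed 1 KiB test pattern for the memory/checksum challenge.
_PATTERN = bytes(range(256)) * 4

# Each challenge exercises a different element of the machine (integer ALU, FPU
# rounding, memory plus checksum path), since the monitoring is only as effective
# as the set of elements the questions touch.
REFERENCE: Dict[str, Callable[[], object]] = {
    "alu_sum":   lambda: sum(range(1, 1001)),              # 500500
    "fpu_round": lambda: (2.0 ** 53 + 1.0) - 2.0 ** 53,    # 0.0 by round-to-even
    "mem_crc":   lambda: zlib.crc32(_PATTERN),             # CRC-32 of the pattern
}

# The agreed answers. In a deployed system these are fixed at integration time
# from a known-good unit; here they are derived once from the reference functions.
GOLDEN: Dict[str, object] = {name: fn() for name, fn in REFERENCE.items()}


class Replica:
    """One computer running the application; the hooks let a demo inject faults."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.faults: Dict[str, str] = {}   # challenge -> "corrupt" or "silent"

    def inject_fault(self, challenge: str, kind: str) -> None:
        self.faults[challenge] = kind

    def answer(self, challenge: str) -> Optional[object]:
        kind = self.faults.get(challenge)
        if kind == "silent":
            return None                     # no reply before the deadline
        result = REFERENCE[challenge]()
        if kind == "corrupt":               # single-bit / off-by-one error
            return result ^ 1 if isinstance(result, int) else result + 1.0
        return result


class Monitor:
    """Monitoring task: questions the controlling replica, fails over on error."""

    def __init__(self, replicas: List[Replica]) -> None:
        self.replicas = replicas
        self.active = 0                     # index of the replica in control
        self.log: List[str] = []

    @property
    def in_control(self) -> str:
        return self.replicas[self.active].name

    def _healthy(self, replica: Replica) -> bool:
        return all(replica.answer(n) == e for n, e in GOLDEN.items())

    def poll(self) -> str:
        """One monitoring cycle. Returns the name of the replica in control afterwards."""
        active = self.replicas[self.active]
        failed = next((n for n, e in GOLDEN.items() if active.answer(n) != e), None)
        if failed is None:
            return self.in_control
        self.log.append(f"{active.name}: wrong or missing answer to {failed!r}")
        # Hand control to the first mirror that still answers every question correctly.
        for i, mirror in enumerate(self.replicas):
            if i != self.active and self._healthy(mirror):
                self.log.append(f"control handed from {active.name} to {mirror.name}")
                self.active = i
                return self.in_control
        raise RuntimeError("no healthy mirror available to take over")


if __name__ == "__main__":
    monitor = Monitor([Replica("A"), Replica("B")])
    print("cycle 1 in control:", monitor.poll())
    monitor.replicas[0].inject_fault("mem_crc", "corrupt")   # A's memory path degrades
    print("cycle 2 in control:", monitor.poll())
    print("\n".join(monitor.log))
```

A missing answer (`None`) is treated exactly like a wrong one, so a hung replica is failed over as promptly as a miscomputing one. The monitor only promotes a mirror that passes the full question set at that moment; when no mirror does, it raises rather than silently handing control to a unit that is itself faulty.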