1. Field of the Invention
The present invention relates to a method and a device for processing several computer-controlled technical applications, each executing with the level of safety appropriate to it.
2. Discussion of the Background
This method can be used in particular in a flight management system (known by the initials FMS) for aircraft, which communicates with the pilot and assists him in a number of operations. At present, applications such as the automatic pilot, the ground proximity detection system, the stall protection system, the system concentrating the flight parameters for the flight recorder or "black box", the system concentrating data for maintenance, the fault analysis system, the system displaying flight parameters to the pilot, etc. each execute simultaneously in a different computer. These various applications therefore do not interfere with one another, since each is executed independently of the others.
These technical applications do not all require the same safety of operation. A scale with several levels of criticality A, B, C, D, etc. is defined to grade the safety required of a technical application. These levels of criticality reflect the maximum residual rate of occurrence of faults graded as "critical". Level A is higher (more demanding) than level D.
It is readily appreciated that the automatic pilot or the system for displaying parameters for the pilot require a higher level of criticality than that of the maintenance application which is not critical.
In general, processing a technical application in a computer requires working time, memory space, and data to be sent to the entities associated with the application.
The processing in a computer of a technical application demanding a high level of criticality is carried out with many more test and verification steps than that of a technical application whose level is lower.
The development of a technical application possessing a low level of criticality is less expensive than that of a technical application possessing a higher level.
So as not to needlessly increase the development cost of a technical application, and possibly also its processing time and memory footprint, it is therefore expedient to develop each of these technical applications at the level(s) of criticality appropriate to it. At present, since each of them is controlled by its own computer, no safety problem arises between the technical applications.
With the considerable development in speed and capacity of microprocessors, the computers equipped with such microprocessors would be capable of supporting several of these technical applications. Such a grouping, of the order of eight applications, would allow a very substantial reduction in costs.
However, an important problem arises. The execution of one of the technical applications having one or more levels of criticality must not disturb the execution, in the same computer, of another application of higher or equal level. It is not acceptable for the rate of occurrence of critical faults of a technical application to increase on account of its proximity, in the same computer, to another, less critical technical application.
The term disturbance should be understood to mean either a modification of the other application's data, whether written in memory or routed to the entities associated with it, or a modification of the time allotted to the processing of the other application.
The present invention aims to solve this problem by proposing a method for processing several technical applications on the same computer while avoiding any interaction between one application and another.
More precisely, the processing method executes all the technical applications within the same computer, working in successive work cycles, by allotting to each application, during these work cycles, at least one time slot of previously fixed duration, and,
generates, at the end of the time slot allotted to a technical application, a start interrupt aimed at starting the execution of another technical application,
allots to each technical application at least one memory space slot for writing data, this memory space slot being write-inaccessible to the other technical applications, so that a technical application which, during execution, possesses a given level of criticality does not disturb another technical application having a higher or equal level of criticality.
During the processing of a technical application it may be necessary to execute one or more steps dubbed "atomic sections" which cannot be interrupted. During a time slot, the method can generate an end interrupt intended to interrupt the current application, unless an atomic section is currently executing, in which case the application runs on until the section ends; the time interval between an end interrupt and the following start interrupt is at least equal to the duration of the longest atomic section, so that an atomic section running when the end interrupt fires always completes before the next application's start interrupt and cannot eat into the next time slot.
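The time-slicing scheme described above, simulated as an added example that is not part of the original specification. The tick-based scheduler, the Work and Application classes and the sample workload are constructed assumptions; the invariant it exercises is the one stated above: the guard between the end interrupt and the next start interrupt equals the longest atomic section, so a greedy low-level application (maintenance) and an atomic section that starts just before the end interrupt (autopilot) never delay another application's start.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Work:
    ticks: int            # remaining duration in scheduler ticks
    atomic: bool = False  # True: an "atomic section" the end interrupt may not cut

@dataclass
class Application:
    name: str
    level: str            # criticality level, 'A' highest
    work: List[Work]      # pending work, carried over from cycle to cycle

def longest_atomic(apps: List[Application]) -> int:
    return max((w.ticks for a in apps for w in a.work if w.atomic), default=0)

class CyclicScheduler:
    """Successive work cycles, one fixed-length slot per application, an end
    interrupt one guard interval before the slot ends and a start interrupt at
    the slot boundary. guard == longest atomic section, so an atomic section
    still running at the end interrupt completes before the next start interrupt."""
    def __init__(self, slot_ticks: int, schedule: List[Application]):
        self.slot_ticks = slot_ticks
        self.schedule = schedule
        self.guard = longest_atomic(schedule)
        if self.guard >= slot_ticks:
            raise ValueError("guard interval would consume the whole slot")
        self.cycle = 0
        self.trace: List[Tuple[str, int, str]] = []  # (event, tick, application)

    def run_cycle(self) -> None:
        base = self.cycle * self.slot_ticks * len(self.schedule)
        for i, app in enumerate(self.schedule):
            slot_start = base + i * self.slot_ticks
            end_irq = slot_start + self.slot_ticks - self.guard
            start_irq = slot_start + self.slot_ticks   # start interrupt of the next slot
            self.trace.append(("start_irq", slot_start, app.name))
            t = self._execute(app, slot_start, end_irq)
            self.trace.append(("end_irq", end_irq, app.name))
            if t > end_irq:                            # atomic section ran past the end interrupt
                self.trace.append(("atomic_overrun", t, app.name))
            assert t <= start_irq, "guard interval too short: next slot delayed"
        self.cycle += 1

    def _execute(self, app: Application, t: int, end_irq: int) -> int:
        """Run the application's work until the end interrupt; return the tick at
        which it actually stopped (later than end_irq only inside an atomic section)."""
        while app.work and t < end_irq:
            w = app.work[0]
            if w.atomic or w.ticks <= end_irq - t:
                t += w.ticks                           # atomic work runs to completion
                app.work.pop(0)
            else:
                w.ticks -= end_irq - t                 # preempted; remainder resumes next cycle
                t = end_irq
        return t

    def start_times(self) -> List[Tuple[str, int]]:
        return [(app, tick) for ev, tick, app in self.trace if ev == "start_irq"]

    def overruns(self) -> List[Tuple[str, int]]:
        return [(app, tick) for ev, tick, app in self.trace if ev == "atomic_overrun"]

def demo(cycles: int = 2) -> CyclicScheduler:
    # Constructed workload: the autopilot's 3-tick atomic section starts one tick
    # before its end interrupt; maintenance asks for three times its slot.
    apps = [
        Application("autopilot", "A", [Work(6), Work(3, atomic=True), Work(5)]),
        Application("maintenance", "D", [Work(30)]),
        Application("display", "B", [Work(2, atomic=True), Work(2)]),
    ]
    sched = CyclicScheduler(slot_ticks=10, schedule=apps)
    for _ in range(cycles):
        sched.run_cycle()
    return sched

if __name__ == "__main__":
    for event in demo().trace:
        print(event)
```

With a slot of 10 ticks and a guard of 3, every start interrupt falls exactly on a slot boundary (0, 10, 20, 30, ...) even though the autopilot's atomic section runs two ticks past its end interrupt and maintenance is preempted with work left over; the `assert` in `run_cycle` is the invariant a reviewer would want the real scheduler to prove rather than check at run time.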
To carry out the spatial slicing, the method allocates entitlements to the current technical application and, before writing data relating to the said technical application into a memory space slot, checks whether this memory space slot corresponds to the entitlements possessed by the current technical application, the entitlements of the said technical application being in particular dependent on its level of criticality.
The method according to the invention can also be applied to the data intended for the entities associated with the various applications. To do this, the method, after having written the said data to a memory space slot (having first performed the above check), sends them via a communication bus to the associated entity, possibly causing them to travel through a buffer memory area.
In order to guarantee the non-interaction of one technical application with another, the method according to the invention can generate a write-violation interrupt, with prohibition of writing, when a technical application write-accesses a memory space slot in respect of which it is without entitlements.
Read-protection can also be envisaged; to do this, before reading data relating to the technical application currently being executed from a memory space slot, the method checks whether this memory space slot corresponds to the entitlements possessed by that application. It can generate a read-violation interrupt when a technical application read-accesses a memory space slot in respect of which it is without entitlements. This read-safety is an additional means of detecting possible failures in the technical applications.
It can be envisaged that the method executes in the same time slot, without time segregation, a technical application with several levels of criticality.
When one of the technical applications calls upon the services of the basic software of the computer, the method according to the invention temporarily interrupts the computer and updates the entitlements of the current technical application, this update corresponding to the entitlements of the basic software as applied to that technical application; the basic software possesses a level of criticality higher than or equal to the highest level of all the technical applications processed by the computer.
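The spatial slicing, the checked write followed by transfer through a buffer area to the bus, the write- and read-violation interrupts, and the temporary entitlement update on a basic-software service call, all from the preceding paragraphs, as one added example that is not part of the original specification. The memory layout, the slot and application names, the Entitlements structure and the reading of "the entitlements of the basic software applied to the technical application" as "the caller's own slots plus the shared bus buffer" are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

class AccessViolation(Exception):
    """Models the write-/read-violation interrupt: the access is refused."""
    def __init__(self, kind: str, app: str, addr: int):
        super().__init__(f"{kind}-violation by {app} at {addr:#06x}")
        self.kind, self.app, self.addr = kind, app, addr

@dataclass(frozen=True)
class Slot:
    """A memory space slot: one contiguous range of the shared memory."""
    name: str
    base: int
    size: int
    def covers(self, addr: int, n: int) -> bool:
        return self.base <= addr and addr + n <= self.base + self.size

@dataclass(frozen=True)
class Entitlements:
    readable: FrozenSet[str]   # slot names the application may read
    writable: FrozenSet[str]   # slot names the application may write

class PartitionedMemory:
    """One physical memory sliced into slots; every access is checked before it
    touches the bytes and a refused access is recorded as a violation."""
    def __init__(self, slots: List[Slot]):
        self.slots = slots
        self.mem = bytearray(max(s.base + s.size for s in slots))
        self.violations: List[Tuple[str, str, int]] = []   # (kind, app, addr)

    def slot_for(self, addr: int, n: int) -> Optional[Slot]:
        return next((s for s in self.slots if s.covers(addr, n)), None)

    def _check(self, kind: str, app: str, ent: Entitlements, addr: int, n: int) -> None:
        slot = self.slot_for(addr, n)
        allowed = ent.writable if kind == "write" else ent.readable
        if slot is None or slot.name not in allowed:   # None also rejects ranges straddling slots
            self.violations.append((kind, app, addr))
            raise AccessViolation(kind, app, addr)

    def write(self, app: str, ent: Entitlements, addr: int, data: bytes) -> None:
        self._check("write", app, ent, addr, len(data))     # prohibition of writing on failure
        self.mem[addr:addr + len(data)] = data

    def read(self, app: str, ent: Entitlements, addr: int, n: int) -> bytes:
        self._check("read", app, ent, addr, n)
        return bytes(self.mem[addr:addr + n])

class BasicSoftware:
    """The computer's basic software (level >= every hosted application). It owns the
    bus buffer and does I/O for a caller under entitlements raised only for the call."""
    def __init__(self, memory: PartitionedMemory, app_ent: Dict[str, Entitlements], buffer: Slot):
        self.memory, self.app_ent, self.buffer = memory, app_ent, buffer
        self.bus: List[Tuple[str, bytes]] = []   # (entity, payload) delivered on the bus

    def service_entitlements(self, app: str) -> Entitlements:
        # Assumption: basic-software entitlements "applied to" the caller means the
        # caller's own slots plus the shared bus buffer, nothing else.
        e = self.app_ent[app]
        return Entitlements(e.readable | {self.buffer.name}, e.writable | {self.buffer.name})

    def send_to_entity(self, app: str, addr: int, n: int, entity: str) -> bytes:
        """Service call: stage n bytes of the caller's data in the buffer, then bus them."""
        ent = self.service_entitlements(app)       # entitlements updated on entry
        data = self.memory.read(app, ent, addr, n)
        self.memory.write(app, ent, self.buffer.base, data)
        self.bus.append((entity, data))
        return data                                # caller's own entitlements apply again

def demo():
    # Constructed layout: three 64-byte slots; maintenance (level D) may read autopilot
    # telemetry but never write it, and no application may touch the buffer directly.
    slots = [Slot("ap_data", 0x000, 64), Slot("maint_data", 0x040, 64), Slot("bus_buf", 0x080, 64)]
    mem = PartitionedMemory(slots)
    ents = {
        "autopilot":   Entitlements(frozenset({"ap_data"}), frozenset({"ap_data"})),
        "maintenance": Entitlements(frozenset({"ap_data", "maint_data"}), frozenset({"maint_data"})),
    }
    bsw = BasicSoftware(mem, ents, slots[2])
    mem.write("autopilot", ents["autopilot"], 0x000, b"ALT=35000")
    bsw.send_to_entity("autopilot", 0x000, 9, "servo_bus")
    telemetry = mem.read("maintenance", ents["maintenance"], 0x000, 9)
    try:   # lower-level application writes into the higher-level slot: refused
        mem.write("maintenance", ents["maintenance"], 0x000, b"ALT=00000")
    except AccessViolation:
        pass   # the interrupt handler would report the faulty application here
    try:   # autopilot reads the buffer without going through the service: refused
        mem.read("autopilot", ents["autopilot"], 0x080, 4)
    except AccessViolation:
        pass
    return mem, bsw, telemetry

if __name__ == "__main__":
    mem, bsw, telemetry = demo()
    print(telemetry, bsw.bus, mem.violations)
```

Two points worth noticing: the check is on the slot that covers the whole requested range, so an access that straddles two slots is refused even if the application owns one of them, and the raised entitlements exist only inside `send_to_entity`, so an application cannot reach the buffer, or another application's slot, by calling the service with a foreign address.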
The present invention also relates to a device for processing several computer-controlled technical applications which comprises:
means for defining work time cycles within the same computer generating cycle interrupts,
means for defining, during these work time cycles, time slots of fixed duration, which are allotted to the technical applications, and for generating at the end of a time slot allotted to an application, a start interrupt for starting another application,
means for allotting each application at least one memory space slot write-protected in relation to the other applications.