This invention relates to fault tolerant data bus architectures and more particularly to use of such architectures in safety critical avionics.
It is generally recognized that there is a need to employ digital computers in applications in which improper operation could have severe consequences. For example, a sophisticated flight hazard warning system has been developed for aircraft which utilizes a number of independent warning systems including a ground proximity warning system, a wind shear detection system and a collision avoidance system. This particular system is generally described in U.S. patent application Ser. No. 08/847,328, filed Apr. 23, 1997 and entitled: "Integrated Hazard Avoidance System", and is incorporated herein by reference. In the preferred embodiment described therein, a central computer, which may include multiple processors for redundancy, receives via various input/output (I/O) modules various types of flight data useful for anticipating and warning of hazardous flight conditions. Such information may include but is not limited to: barometric altitude, radio altitude, roll and pitch, airspeed, flap setting, gear position, and navigation data. This information is communicated to the central computer via a data bus.
For such an integrated warning system to provide warnings with a high degree of integrity, the data operated upon and instructions issued by the central computer must be accurate. A bus architecture to transfer data between each of the I/O modules in an orderly manner must therefore exist. Data placed on the bus must also be accurate and without error. Also, it is important to ensure, to the extent possible, that the individual systems execute the warning programs correctly.
There have been various approaches to solving these problems. For example, such a system is described in ARINC Specification 659 entitled Backplane Data Bus, published on Dec. 27, 1993 by Aeronautical Radio, Inc. In this system the bus includes four data lines and has a pair of Bus Interface Units ("BIU") for each processor or node on the data system, where each BIU is connected to two data lines in the bus. Data is transferred according to a time schedule contained in a table memory associated with each BIU. The tables define the length of time windows on the bus and contain the source and destination addresses in the processor memory for each message transmitted on the bus. For some applications, these types of systems also use two processors that operate in a lock-step arrangement, with additional logic provided to cross-compare the activity of the two processors. The two processors, each with its own memory, execute identical copies of a software application in exact synchrony. This approach usually requires that the two processors be driven by synchronized clock signals.
Although such systems have high data integrity and provide for fault tolerant operation, they have a number of disadvantages. For example, the use of tables holding data source and destination addresses for each application program in the processor memory makes it difficult to reprogram the system for new applications, because each table in the system must be reprogrammed. In addition, the use of two processors operating in lock-step reduces the flexibility of the system, since it is not possible to run two different programs on the processors at the same time.
The present invention provides a fault tolerant bus communication protocol for use in an Integrated Hazard Avoidance System of the type generally described above. In addition, the present invention may also be used in applications, aviation and otherwise, wherein data is to be handled with a high degree of integrity and in a fault tolerant manner. Such applications may include, for example, the banking industry or other safety critical processing functions, including but not limited to environmental control.
In the present invention as applied to an integrated flight hazard avoidance system, the system is partitioned into modules. An inter-module backplane data bus is shared between the modules to transfer data between them. The backplane bus according to the present invention is a fault tolerant, multi-drop, time-multiplexed broadcast bus. The inter-module backplane bus includes multiple independent data lines grouped into multiple data communication networks. In a preferred embodiment, the inter-module backplane bus includes four independent data lines divided into two data communication networks, each having two data lines. Each module is provided with reception and/or transmission privileges on one or more of the data lines of each data communication network. The modules themselves may host multiple application functions that also share the backplane bus. In a preferred embodiment of the invention, serial data is transferred in a semi-duplex manner.
According to one aspect of the present invention, each of the processing nodes performs a processing function which is replicated in one or more other processing nodes. Multiple ones of the processing nodes are physically isolated in a resource enclosure. Preferably, each of the processing nodes in a resource enclosure performs a different processing function. According to another aspect of the present invention, each of the processing nodes in the resource enclosure is replicated in at least one other resource enclosure.
According to one aspect of the present invention, each module, or processing node, comprises a single source microprocessor which executes instructions to place data onto the bus.
According to another aspect of the present invention, the data is placed on the bus using a data bus protocol that allocates to each node a predetermined number of slots in which to transmit. Each module contains a time table memory associated with each of two arbitration circuits that stores the bus protocol information to enable the processing node to place data in a predetermined channel on the bus at the appropriate time period. Each arbitration circuit independently determines the transmission time period allocated to the associated microprocessor. If both interface controllers are in agreement, an access window is opened between the microprocessor and the bus, and the data is placed on the bus.
According to yet another aspect of the present invention, a dual source operation may be used wherein each arbitration circuit retrieves data via a separate and independent microprocessor and associated memory.
According to still another aspect of the present invention, the dual source architecture may be utilized as a single source operation on a selectable basis. This implementation of the dual source architecture permits each microprocessor within the node to simultaneously execute separate applications for greater efficiency when the particular data being processed does not require the degree of robustness necessary for dual sourced operations. The resulting system is thereby made more efficient.
According to yet another aspect of the present invention, a method is provided for transmitting data over a data bus between multiple processing nodes wherein each of the processing nodes includes at least one processor. The method includes dividing transmission over a first data line of a data bus into a first group of time slots and dividing transmission over a second data line of said data bus into a second group of time slots. Each of the first and second groups of time slots is divided into groups of channels. Data are transmitted from a first processing node on the first group of channels and other data are transmitted from a second processing node on the second group of channels.
A first portion of the data from the first processing node are selectively received on the first group of channels in a pair of arbitration circuits located in the second processing node, each of the arbitration circuits including an associated time table defining the first channel containing the first portion of data, and transferring that first portion of data to an application memory coupled to a processor in the first processing node. A second portion of data from the second processing node are selectively received on the second group of channels in a pair of arbitration circuits located in the first processing node, each of the arbitration circuits having an associated time table defining the second channel containing the second portion of data, and transferring that second portion of data to an application memory coupled to a processor in the second processing node.
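The following is an added illustrative model, not code from the patent, of the dual-arbitration access gate and the slotted, channelised schedule described in the preceding passages. The node names, data line names, schedule entries and payload labels are all constructed for the example; the point it shows is that a corrupted time table in one arbitration circuit causes the two circuits to disagree, so no access window opens and the disagreement is recorded rather than bad data reaching the bus.

```python
# Added example (not the patent's implementation): dual-arbitration bus gate.
from dataclasses import dataclass, field

# One time table per arbitration circuit: (data_line, slot, channel) -> owning node.
TimeTable = dict

SCHEDULE: TimeTable = {            # constructed sample schedule
    ("line1", 0, 0): "nodeA", ("line1", 0, 1): "nodeA",
    ("line2", 0, 0): "nodeB", ("line2", 0, 1): "nodeB",
}

@dataclass
class ArbitrationCircuit:
    table: TimeTable
    def owner(self, line, slot, channel):
        return self.table.get((line, slot, channel))

@dataclass
class Node:
    name: str
    arb1: ArbitrationCircuit
    arb2: ArbitrationCircuit
    app_memory: dict = field(default_factory=dict)
    faults: list = field(default_factory=list)

    def _agree(self, line, slot, channel):
        """Both circuits must independently name the same window owner."""
        o1 = self.arb1.owner(line, slot, channel)
        o2 = self.arb2.owner(line, slot, channel)
        if o1 != o2:
            self.faults.append(("table_mismatch", line, slot, channel))
            return None                      # fail-safe: no window on disagreement
        return o1

    def transmit(self, bus, line, slot, channel, payload):
        # The access window opens only when both circuits grant it to this node.
        if self._agree(line, slot, channel) == self.name:
            bus.append((line, slot, channel, self.name, payload))
            return True
        return False

    def receive(self, bus):
        # Transfer to application memory only data whose source both tables
        # place in that slot/channel; anything else is ignored.
        for line, slot, channel, src, payload in bus:
            if src != self.name and self._agree(line, slot, channel) == src:
                self.app_memory[(line, slot, channel)] = payload

def run_cycle():
    corrupted = ArbitrationCircuit({**SCHEDULE, ("line2", 0, 1): "nodeA"})
    a = Node("nodeA", ArbitrationCircuit(dict(SCHEDULE)), ArbitrationCircuit(dict(SCHEDULE)))
    b = Node("nodeB", ArbitrationCircuit(dict(SCHEDULE)), corrupted)
    bus = []
    sent = [a.transmit(bus, "line1", 0, 0, "baro_alt"),
            b.transmit(bus, "line2", 0, 0, "radio_alt"),
            b.transmit(bus, "line2", 0, 1, "airspeed")]   # blocked: tables differ
    a.receive(bus); b.receive(bus)
    return sent, a.app_memory, b.app_memory, b.faults
```

Running `run_cycle()` shows the third transmission refused and a single `table_mismatch` fault logged for nodeB, while the two scheduled messages are delivered to the other node's application memory.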
According to yet another aspect of the present invention, one or more of the processing nodes includes two or more processors, each processor including an application memory coupled thereto and executing identical application programs.