1. Field of the Invention
This invention relates to a method and device for real-time management of a system comprising at least one processor capable of managing plural functions each comprising a set of services performed by the processor during execution of a software program capable of using sensors and/or actuators, this set of services being based on material resources inside the processor.
It mainly applies, though not exclusively, to the optimizing and security of real-time management in IMA-type (Integrated Modular Avionics) architectures.
2. Description of the Prior Art
It is generally known that the current organization of the different computers on a carrier plane is referred to as "spread out", since the computers required to perform avionics functions are positioned in several places in the carrier.
This obviously leads to certain drawbacks, among which the following might be mentioned:
- substantial weight due to the mechanical structures of each computer,
- global oversizing in terms of material resources such as the processors, inputs/outputs, power supplies, etc.,
- different origins and therefore different designs of the computers (multiple equipment vendors), entailing a multitude of different electronic boards for similar functions, while all boards having a same general function (processor, input/output, memory) are globally very alike.
Understandably, this diversity entails series costs and maintenance costs that are not optimized for aircraft constructors and airline companies.
The heterogeneousness of the electronic equipment installed can also lead to excessive downtime of the units when no replacement is available in the event of failure.
In order to attempt to obviate these drawbacks, considerable developments are under way. The object of these developments is to concentrate, in large racks, all or part of the functions performed by the on-board electronics (currently spread over different computers), by installing them in a small number of standardized modules, so as to enable aircraft constructors to purchase from different equipment vendors.
All the processing performed by the computers or calculators on board a carrier can be broken down into major functions or applications, each corresponding to a very high-level service for the carrier, and among which the following can notably be found:
- automatic piloting,
- the electric flight controls,
- integrated maintenance,
- flight management,
- fuel management,
- flight screen control,
- smoke detection, etc.
In the continuation of the description, a function will be assimilated with a group of tasks providing high-level services to the carrier, and this group of tasks cannot be spread over more than one processor module. Several functions can be installed in a same processor.
Integration of the functions into a same rack with a common backpanel bus, sharing of a same processor between certain functions, distribution of the inputs/outputs used for communications between the rack, the sensors and the actuators, and the power supply are not entirely devoid of security problems.
These resources require particular attention in order to avoid the failure of one element putting the rack, and therefore a large number of functions, out of operation.
In fact, very strict rules exist to ensure the highest level of security for the equipment and to verify compliance with the specifications.
The certification stage, a very costly stage enabling the equipment to be qualified for marketing purposes, checks among other things that these rules have been complied with.

- time-division of the processing cycle of the processor into slices of possibly different durations;
- allocation, to at least part of these slices, of respective functions, the tasks relating to each of these functions being inoperative outside the slice of time corresponding to this function;
- saving, at the end of the slice, of the machine context of the function being processed, with a view to resuming this function during the following slice associated with it; and
- loading, at the start of a new slice, of the machine context linked with the activation of the function associated with this slice, which was previously saved at the end of a previous slice corresponding to this function.

- the shareable resources are attributed to F1 during the duration t1,
- the shareable resources are attributed to F2 during the duration t2,
- the shareable resources are attributed to FN during the duration tn,
- then the shareable resources are again attributed to F1 during the duration t1, given that t1+t2+...+tn=T.

- it is capable of executing several programs in apparent simultaneity; to do so, the operating system distributes the time of the instruction processor(s) and the internal memory between entities called "tasks"; it can also provide mechanisms for communication between the tasks;
- it handles the details of input/output operations, whether with regard to time scheduling, error correction or the synthesis of complex operations.
The programming language of the core virtual machine is an extension of the machine language of the base computer, a special mechanism enabling the creation of new instructions, referred to as primitives, whose role is to request the intervention of the nucleus to perform complex operations. It is particularly at this level that the so-called real-time functions are situated, which enable the features reserved for the system to be used.

- in the slave mode, it is perceived by the processor as memory; this mode is used to execute primitives or service requests to the coprocessor, which translate into successive reads and writes at the coprocessor address;
- in the master mode, it takes possession of the local bus to read or write data in the local memory; this mode is used for the copy operations described in detail hereinafter.

- either by memory block copy operations initialized under the responsibility of the processor, but for which the exchanges are conducted under the responsibility and at the initiative of the coprocessor by means of cycle stealing from the processor,
- or via the processor by passing through the coprocessor, which then only steps in to take control of the swap memory bus.

- the processor executes a code sequence which enables it to save the minimum machine context of the function in progress for proper resumption at the next associated time slice;
- it then transmits a message to the coprocessor to advise it that it is ready to receive the number of the newly active function as well as the top-priority task to be executed belonging to this function;
- the processor then reloads the machine context linked with the activation of the function and with the election of the task in question; the task context had been saved at the end of the last time slice relating to the newly reactivated task.

- the local time of the function, which is managed as soon as the associated time slice is completed and reactivated at the next attributed slice;
- the global time of the system, which is permanently counted down.

- the tasks,
- the events,
- the counter semaphores,
- the mailboxes,
- the timeouts,
- the cycles.

- priority number in the function,
- active time slice number,
- durations of execution, expiration and reactivation.

- time,
- busy semaphore,
- writing in a full mailbox,
- reading in an empty mailbox,
- an event,
- a cycle, or
- unconditionally.

- it is active if it is in the course of execution in the processor,
- otherwise it is on stand-by.

- active for the function associated with the time slice in progress,
- inactive in the case of all other functions.

- either software events, i.e. the occurrence of the event is triggered by the execution of a primitive in a task or interrupt program,
- or hardware events, i.e. the occurrence of the event is triggered by a physical signal outside or inside the component.

- a) primitives that can be accessed in the case of internal management of slice changes, such as the following primitive:
- b) primitives that can be accessed in the case of external management of the slice changes, such as the following primitives:
- c) and primitives that can be accessed irrespective of the management, such as the following:
Absolute-time-programming:
- a) in the case of internal management of the slice changes, primitives such as:
- b) primitives that can be accessed irrespective of the management,

From the DORMANT state, a task can pass to:
- the ELIGIBLE state by means of the Activate and Activate-cyclically primitives, or by automatic reactivation (for tasks having been activated with the Repetition=Yes parameter, and for cyclical tasks);
- the BLOCKED state by primitives of the activate-upon-condition type (Activate-upon-event, Activate-after-timeout);
- the DEAD state by means of the Kill primitive.
From the ELIGIBLE state, a task can pass to:
- the ELECTED state solely by decision of the scheduler;
- the DEAD state by means of the Kill primitive.
From the ELECTED state, a task can pass to:
- the ELIGIBLE state by decision of the scheduler (preemption);
- the BLOCKED state by primitives of the awaiting-condition type: Await (software-event), Await (hardware-event), Reserve (semaphore), Deposit (box), Extract (box), Awaiting-timeout;
- the DORMANT state by means of the End primitive;
- the DEAD state by means of the Kill primitive.
From the BLOCKED state, a task can pass to:
- the ELIGIBLE state by the end of a stand-by condition (occurrence of the event, freeing of the semaphore, extraction of a message from the box, depositing of a message in the box, expiry of the timeout);
- the DEAD state by means of the Kill primitive.

- upon transition from the "blocked" to the "eligible" state of a task;
- upon transition from the "dormant" to the "eligible" state of a task;
- upon transition from the "elected" to the "dormant" state of a task;
- upon transition from the "elected" to the "dead" state of a task;
- upon transition from the "elected" to the "blocked" state of a task;
- upon transition from the "elected" to the "elected and frozen" state of a task, corresponding to the end of a slice;
- at the start of a slice.
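The time-slice scheme, the task states and the transitions listed above can be exercised end to end in a small simulation. The following Python program is an added example written for this page, not code from the patent or from any IMA product. It assumes a discrete tick as the unit of processor time, numeric priorities where a higher value wins inside a function, task programs expressed as lists of "run"/"await"/"signal" steps, and software events delivered to every blocked task in the system (a task of another function that is woken this way still cannot run until its own slice). The machine context that is saved at the end of a slice and reloaded at the next one is reduced to the task's step index and remaining tick count. The function names, slice lengths, priorities and event name in build_demo() are constructed for the demonstration.

```python
"""Cyclic time-slice scheduler with per-function task isolation (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    DORMANT = auto()
    ELIGIBLE = auto()
    ELECTED = auto()
    BLOCKED = auto()
    DEAD = auto()


@dataclass
class Task:
    name: str
    priority: int                 # assumption: higher value = higher priority inside its function
    program: list                 # steps: ("run", ticks) | ("await", event) | ("signal", event)
    state: State = State.DORMANT
    step: int = 0                 # saved machine context: current step ...
    remaining: int = 0            # ... and ticks left in the current "run" step
    waits_on: str | None = None


@dataclass
class Function:
    name: str
    slice_len: int
    tasks: list
    local_time: int = 0           # counts only while this function's slice is active
    frozen: Task | None = None    # task still elected when the slice ended ("elected and frozen")


class Scheduler:
    def __init__(self, functions: list[Function]):
        self.functions = functions
        self.cycle_len = sum(f.slice_len for f in functions)   # t1 + t2 + ... + tn = T
        self.global_time = 0                                    # always advances
        self.trace: list[tuple] = []                            # (global_time, function, task) per tick

    # --- primitives (a subset of those named in the text) ---
    def activate(self, task: Task) -> None:          # DORMANT -> ELIGIBLE
        if task.state is State.DORMANT:
            task.state = State.ELIGIBLE

    def kill(self, task: Task) -> None:              # any state -> DEAD
        task.state = State.DEAD

    def _signal(self, event: str) -> None:           # software event: BLOCKED -> ELIGIBLE
        for fn in self.functions:
            for t in fn.tasks:
                if t.state is State.BLOCKED and t.waits_on == event:
                    t.state, t.waits_on = State.ELIGIBLE, None

    # --- scheduler proper ---
    def _elect(self, fn: Function) -> Task | None:
        # Only the active function's tasks are candidates; all other functions are inactive.
        candidates = [t for t in fn.tasks if t.state in (State.ELIGIBLE, State.ELECTED)]
        if not candidates:
            return None
        best = max(candidates, key=lambda t: t.priority)
        for t in candidates:                         # preemption: the losers return to ELIGIBLE
            t.state = State.ELECTED if t is best else State.ELIGIBLE
        return best

    def _execute_tick(self, task: Task) -> None:
        if task.step >= len(task.program):           # nothing left to run: End primitive
            task.state = State.DORMANT
            return
        kind, arg = task.program[task.step]
        if kind == "run":
            if task.remaining == 0:
                task.remaining = arg
            task.remaining -= 1
            if task.remaining == 0:
                task.step += 1
        elif kind == "await":                        # Await(event): ELECTED -> BLOCKED
            task.state, task.waits_on = State.BLOCKED, arg
            task.step += 1
        elif kind == "signal":
            self._signal(arg)
            task.step += 1
        if task.step == len(task.program) and task.state is State.ELECTED:
            task.state = State.DORMANT               # End primitive: ELECTED -> DORMANT

    def run_cycle(self) -> None:
        for fn in self.functions:                    # slices in fixed order, durations may differ
            for _ in range(fn.slice_len):
                task = self._elect(fn)
                self.trace.append((self.global_time, fn.name, task.name if task else None))
                if task:
                    self._execute_tick(task)
                fn.local_time += 1
                self.global_time += 1
            # End of slice: the elected task keeps its context and is frozen until the next slice.
            fn.frozen = next((t for t in fn.tasks if t.state is State.ELECTED), None)


def build_demo() -> Scheduler:
    # Constructed scenario: F1 gets 3 ticks per cycle, F2 gets 2; T = 5.
    a = Task("A", priority=2, program=[("run", 2), ("await", "sensor"), ("run", 1)])
    b = Task("B", priority=1, program=[("run", 3)])
    c = Task("C", priority=1, program=[("run", 1), ("signal", "sensor"), ("run", 2)])
    sched = Scheduler([Function("F1", 3, [a, b]), Function("F2", 2, [c])])
    for t in (a, b, c):
        sched.activate(t)
    return sched
```

Running three cycles of build_demo() shows the property the text relies on for isolating functions: task A is blocked on the "sensor" event and is woken by task C at global time 4, inside F2's slice, but it is not elected until global time 5, when F1's slice starts again; C, still elected when F2's slice ends at time 4, is the frozen task that resumes at time 8. Each function's local_time ends at exactly its share of the cycles run (9 and 6 ticks after three cycles of T = 5), while global_time reaches 15.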