Not applicable.
The present invention relates generally to the field of redundant information transmission over multiple communication paths. More specifically, the present invention relates to systems and methods for fail-safe process execution, monitoring and output shutdown for critical systems using multiple communication paths and partitioned processing systems.
Processors are used in a vast array of applications, from simple single processor controlled systems to complex flight critical systems where high integrity output from multiple processors may be required. Processor and related module functions may stand alone within one system or may be tied to other processing systems on a bus, or accessible through a network. It is generally desirable that reliable mechanisms be available when a controlled system failure is detected in complex systems.
In flight critical systems, for example, current practices generally employ an array of, or a redundant set of, federated computers (meaning controlled by a single processor). Single I/O threads may be used as a redundant set in order to accomplish a flight critical function like a flight control algorithm. The way federated systems are monitored is generally through a voting scheme, wherein each output of a component would be voted on/recorded. The logical outputs are generally averaged; therefore, a failing or malfunctioning module may be eliminated from the system before outputs were applied to a control surface in order to save an aircraft. One pathology of this practice is that, in order for a module to be, voted out of a system, it must be allowed to fail. Awaiting failure of a module-in-order to get it voted out of the system generally causes upsets of the system and/or its operation. Such upsets can produce a fatal outcome in a flight critical systems.
In the application of flight critical functions for fly-by-wire systems, failures in the processing element must be contained from continuing to influence the flight control surfaces of the aircraft. For example, servo drives need to be safely shut off if a processor or other critical function within the processor ceases to operate properly. One common method of identifying faults in fly-by-wire systems generally solves faults through software ticket checking of critical processes, and via hardware watch dog timer monitoring of processor health. The output of the watch dog timer may then be used to shut down critical systems, such as servo drive outputs and shut off hydraulic valves.
Typically, a monitoring program examines the outputs of a primary system and/ or its function, and based on unique design criteria, decides whether the system/function is operating/executing correctly or not. Detection of random faults is generally augmented with custom-designed built-in self-test programs that exercise various parts of the system (e.g, actuator)/function (e.g, software sequence) and compares the results against known-good results. Because these tests are not continuous, and are subject to less than 100% coverage of random faults, there is an exposure time where a fault can occur which manifests itself in incorrect outputs to all functions which rely on that resource. Watchdog timers are usually present to detect those faults that result in the function not executing at all. But such timers do not detect incorrect results from a function that does complete its execution. The monitor function is generally counted on to detect error conditions.
What is needed is a more robust, more secure means of monitoring systems for faults and making sure that a fault is caught and associated outputs are shutdown, or otherwise ignored, before they propagate as a control input within a system.
The following summary of the invention is provided to facilitate an understanding of some of the innovative features unique to the present invention, and is not intended to be a full description. A full appreciation of the various aspects of the invention can be gained by taking the entire specification, claims, drawings, and abstract as a whole.
Through integrated module technology, separate processors and/or associated operations are integrated onto a single computing platform to improve process monitoring and enable controlled shut downs that would normally be implemented in separate components or through independently controlled processes.
In accordance with one aspect of the present invention, a single computer (instead of multiple computers) having a backplane providing a partitioned platform enabling a central set of imbedded (virtual) processors as computing platforms to be shared, through the partitioning system, are allowed to execute software functions as if multiple processors are operating, rather than a single computers. The virtual processors are protected/isolated from each other through a partitioning mechanism so a failure on one software element on this integrated platform cannot be propagated and effect another processor and/or computation.
In accordance with another aspect of the present invention, a fault detection apparatus for use in a system that transmits data signals over a plurality of signal paths via a bus with multiple independent partitions on a single processor is provided. Shared memory stores the status of reference control system state variable parameters. A status monitor monitors status of real-time control system state variable parameters, the control system state variable parameters characterizing a plurality of critical systems that communicate on the bus, the control system state variables present on the bus. A state comparator compares the reference control system state variables with respect to the real-time control system state variable parameters. A system controller controls critical systems based on the comparison of the real-time control system state variable parameters against reference control system state variable parameters.
In accordance with another aspect of the present invention, a single processor system partitioned to operate, monitor and control more than one flight critical process is described where more than one flight control software related process operates simultaneously on a single partitioned processor; a partitioning mechanism partitions a single processor into virtual processors dedicated to a single process without interference from other processes; and shared memory is provided for storing programs and data for said more than one flight control software related process.
In accordance with another aspect of the present invention, a method for executing, monitoring and controlling multiple functions with a single processor system is described, wherein a single processor partitionable into plural operating processes that can operate simultaneously and without interference with other processes is provided; a memory may be shared by the plural operating processes; a monitoring architecture for detecting operational success and failures of said processes is provided; and a control architecture for assured that failed processes are controlled or terminated without interference of successful processes is provided.
The novel features of the present invention will become apparent to those of skill in the art upon examination of the following detailed description of the invention or can be learned by practice of the present invention. It should be understood, however, that. the detailed description of the invention and the specific examples presented, while indicating certain embodiments of the present invention, are provided for illustration purposes only because various changes and modifications within the spirit and scope of the invention will become apparent to those of skill in the art from the detailed description of the invention and claims that follow.