(11) EP 2 784 676 A1
(12) EUROPEAN PATENT APPLICATION
(43) Date of publication: 01.10.2014 Bulletin 2014/40
(51) Int Cl.: G06F 11/07 (2006.01), G05B 23/02 (2006.01), G06F 11/32 (2006.01)
(21) Application number: 13380011.0
(22) Date of filing: 28.03.2013
(54) DIMA extension health monitor supervisor
(84) Designated Contracting States: AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States: BA ME
(71) Applicant: EUROCOPTER ESPAÑA, S.A., Albacete (ES)
(72) Inventors: Esparcia Perez, Antonio, ES-02400 Hellin, Albacete (ES); Catalan Alarcón, José Antonio, ES-02006 Albacete (ES)
(74) Representative: GPI & Associés, EuroParc de Pichaury, Bâtiment B2 - 1er Etage, 1330, rue Guillibert de la Lauzière, 13856 Aix-en-Provence Cedex 3 (FR)

(57) In an aircraft (1), a distributed architecture compliant to the specification ARINC653 forms a DIMA (3) with Partitions (5) in hardware Modules (6), where shared memories (13) are mapped with shared I/O memory (11). For detecting / treating errors at various Levels in the DIMA (3), a superintending RTOS extension of existing Health Monitor Units (HMU) in the Modules (6) is run as a Health Monitor Supervisor (HMS). The invention allows communicating all the existing Health Monitor Units (HMU), thus providing global errors visibility, shared recovery actions and smooth fault treatment.

Description

[0001] The general technical field of the invention relates to aircraft. For instance, the invention is useful to rotary wing aircraft like helicopters. The invention relates specifically to airborne computing systems.

[0002] In aircraft, some airborne computing systems also operate so-called Integrated Modular Avionics (IMA). IMAs enable multiple software applications, often of different safety criticality levels, to execute safely on a shared hardware platform. This allows reducing the system's overall space, weight, and power requirements.

[0003] Among IMAs, so-called Distributed Integrated Modular Avionics (DIMA) refers to an architecture having distributed hosts connected in a safety-critical manner for communication.

[0004] Typically, an IMA / DIMA includes Cabinets, Modules, Partitions and subprocesses. Cabinets are physical structures (e.g. processing boards like Line Replaceable Units or LRU) providing an environmental barrier and memory means / processing means. In each Cabinet, memory means / processing means are allocated to hardware components called Modules. Modules are connected to each other via physical communication means.

[0005] In Modules, an underlying Real-Time Operating System (RTOS) provides common services for small software units called Partitions. Partitions are independent one from another, in execution and memory management.

[0006] Finally, Partitions are managing various subprocesses like Threads. According to the ARINC653 specification, such Threads are called process(es).

[0007] There are usually defined three (3) distinct working levels in a DIMA, notwithstanding the RTOS: a Low Threads Level (LTL) where subprocesses are operated, a Medium Partition Level (MPL) and a High Module Level (HML).

[0008] For software compatibility among safety-critical avionics, a standard called ARINC653 is widely used in Integrated Modular Avionics (IMA). In a DIMA as per ARINC653, the RTOS is executing a so-called Health Monitor Unit (HMU).

[0009] Known HMUs are responsible for monitoring and reporting faults and failures in the hardware, applications, and operating system. This being said, examples of existing HMUs are discussed.

[0010] For instance, the document WindRiver VXworks 653 Platform 2.3 (online at: /products/product-notes/PN VE 653 Platform2 3 0410.pdf), refers to such a classical HMU. This Platform describes a: software Development Suite, Middleware and pending Operating System (OS).

[0011] This document describes a Health Monitor, i.e. a classical HMU as per ARINC653. This HMU is responsible for monitoring and reporting faults and failures. The HMU provides a framework to raise and handle events in a system, which can be alarms or notifications. Alarms are injected to represent faults in the system. The alarms have handlers to perform health recovery actions. The HMU also implements the optional hierarchical structure and response capability specified in the ARINC653. The Platform provides a process-, partition-, and module-level health monitor, including both cold and warm restarts at partition and module level.

[0012] In addition to dispatching events, the HMU dispatches notifications, which are messages that a health event has occurred. These messages can be used to handle any impact that the occurrence of an event in one partition may have on other partitions.

[0013] As part of the functionality, the Platform provides logging capability. The health logs are used to record events that could impact the stability of applications in the system. The module OS, as well as each partition, has a separate safety log into which events can be injected. Event injection can be configured to occur automatically or as needed by each event handler. Examples of events include hardware-generated exceptions, error paths in the code, and crossed thresholds. The sizes of logs, their access rights, and their default policies are all managed in the Platform system configuration.

[0014] No known document describes a DIMA with a superintending health monitoring. In other words, none of the studied documents allows an overseeing detection of errors in a DIMA, providing a global visibility of errors, shared recovery actions and optimized errors treatment.

[0015] Besides, some inherent technical problems sometimes impair DIMAs involving classical HMUs.

[0016] A current HMU is not capable of treating errors at levels higher than the level where this error occurred, though such errors may propagate to a higher level. Though this aims to isolate faults, recovery actions are limited to the faulty level only. For instance, errors happening in a faulty Module may impact e.g. the hosting Cabinet. A classical HMU is therefore not helping regarding such errors in the whole hosting Cabinet.

[0017] With such a current HMU, an error in a faulty structure (Cabinet, Module, Partition, subprocess) at a given level is managed only in this faulty given structure, independently from the other similar structures at the same level. Thus, one HMU action carried out in said faulty structure is transparent to the other similar structures at the same level. This aims to prevent failures from propagating.

[0018] Also, though a current HMU is responsible for reporting faults to a central aircraft maintenance and display function, no global view is available onboard of what is happening in the complete system. Indeed, when a classical HMU is provided in a DIMA, with display and maintenance functions, such functions are operated outside the aircraft equipped with the DIMA, e.g. via a remote maintenance station outside the aircraft, such as a Retail & Maintenance Operation (acronym: RMO) ground facility.

[0019] Lacking overall system errors knowledge, implementation of optimized fault tolerance mechanisms happens to be difficult in a modular approach.

[0020] Redundancy implies hardware duplication, thus increasing costs for the system. This also makes reconfiguration more expensive.

[0021] The invention is defined in the appended claims.

[0022] An object of the invention is a Health Monitor Supervising (HMS) method for a Distributed Integrated Modular Avionics or DIMA onboard an aircraft. The DIMA is having a plurality of equipments. The method is executed through automated processing steps / stages / phases / actions with the aid of a computer system. The DIMA is having at least: Cabinets, Modules, Partitions and Threads subprocesses. The Cabinets are connected by physical communication means. Each Cabinet is having distributed processing means and memory means. An underlying Real-Time Operating System or RTOS is installed in each Module to provide common services from distributed processing means and memory means to independent Partitions. The RTOS is having a Health Monitor Unit or HMU. The HMU is allocated to each Module for: a detection step of detecting errors in the computer system; an allocation step of allocating at least one corresponding responsive action predetermined in Health Monitoring Tables; and a performing step of executing by the HMU the corresponding responsive action. The Method proposes that a Health Monitoring Supervising step is executed by a Health Monitoring Supervisor or HMS implemented in each Module and is allocated at RTOS level. The Health Monitoring Supervisor is executing at least:

- a local information collecting stage from the RTOS, Cabinets, Modules and Threads subprocesses, by the HMS;
- an external information capture stage from equipments aboard the aircraft, by the HMS;
- a local information / external information treatment stage, by the HMS, for calculating relevant health monitoring information based upon the collected information;
- a transmitting stage of passing from the HMS the relevant health monitoring information to at least one local HMU of a local Module; and
- based upon the transmitted relevant information, the performing step is executing by the local HMU, at least one responsive action.

[0023] In an embodiment, the method comprises, during the transmitting stage, a communicating phase of connecting the HMS with a plurality of local HMUs, via the Physical Communication means.

[0024] In an embodiment, the method comprises, after the transmitting step of relevant information to local Modules, a stage of recording the relevant information in memory means allocated to the local Module where the local HMU is executing the performing step.

[0025] In an embodiment, the method comprises that the performing step is executing recovery actions in at least one of: RTOS, Cabinet, Module and Thread subprocess, in the Computer system.

[0026] In an embodiment, the method comprises that the performing step includes an information phase of announcing by the HMS, outside the local Module, to at least one RTOS, Cabinet, Module and Thread subprocess, in the Computer system, of the performing step in the local Module.

[0027] In an embodiment, the method comprises that the performing step is executing in the local Module, at least one recovery action of:

- Module shutdown action of the local Module with an information phase of announcing by the HMS, to at least one other Module in the Computer system, of the shutdown of the local Module;
- Restoring launch action of the local Module; and
- Back-up recording action of recording at least one Partition of the Computer System, in at least one memory means allocated to each local Module where the performing step is executed.

[0028] In an embodiment, the method comprises that the performing step is executing at least one recovery action in another Module than the local Module.

[0029] For instance, the method comprises that the performing step is executing at least one recovery action in another Module than the local Module, including a partition stop action / partition launching transfer action to at least one distinct partition, of at least one task previously operated by a stopped partition having been submitted to a partition stop action.

[0030] Another object of the invention is a computer system having a distributed architecture of DIMA onboard an aircraft and the DIMA has a HMU compliant to the ARINC653 specification dedicated for executing the method above according to the invention.

[0031] Another object of the invention is an aircraft having onboard a computer system dedicated for executing the above method according to the invention, said aircraft being a rotary wing aircraft.

[0032] Summarizing the invention against the background art, the invention allows the RTOS of a DIMA to be provided with a Health Monitor Supervisor (HMS) capable to superintend detecting / treating errors possibly occurring at various levels (HML, MPL, and LTL). This would allow both level-to-level and level-to-above handling of errors, thus making optimized dispatch of actions possible upwards and in parallel, when useful. Broad surveillance of errors makes synthetic and ergonomic display and maintenance functions. Fault tolerance is optimized and made easier to implement. This also widens the possibilities of redundancy and reconfiguration at a lower cost.

[0033] The invention and some advantages thereof are detailed from the following specification of exemplifying embodiments which refers to the accompanying figures, in which:

Figure 1 is a schematic elevation side view of an example of aircraft of the rotary wing type, equipped with a computing system DIMA compliant to ARINC653 specification, to which the invention is applied; and

Figure 2 is a schematic sequence flow diagram illustrating an example of how a Health Monitor Supervisor (HMS) in a RTOS of a DIMA is capable to superintend detecting / treating of errors possibly occurring at various levels (HML, MPL and LTL) according to the invention.

[0034] Below are detailed some presently preferred embodiments of the invention. In the figures, the reference 1 generally designates an aircraft. In shown embodiments, the aircraft 1 is a rotary wing aircraft, e.g. a helicopter.

[0035] On figures 1 and 2, a method M is executed through automated processing steps / stages / phases / actions with the aid of a computer system 2 onboard the aircraft 1.

[0036] In embodiments, the aircraft 1 comprises one or a plurality of onboard computing systems 2. One or a plurality of integrated modular avionics 3 (IMA) are run onboard the aircraft 1. The IMA 3 is compliant to the ARINC653 specification and forms a Distributed Integrated Modular Avionics (DIMA) on board the aircraft 1.

[0037] In this DIMA, the onboard computer system 2 comprises a series of equipments 4. Some of these equipments 4 are Information Exchange Means 24, such as radio, RFID, GPS, UHF transponders or the like, provided onboard the Aircraft 1 for feeding / sending useful information / signals from this Aircraft 1.

[0038] The onboard computer system 2 also comprises Partitions 5, at least one Module 6 that contains at least the processing resources (distributed processing means 10) and memory (distributed memory means 11) for executing at least one Partition 5, in this Module 6.

[0039] At least one physical cabinet structure 7 forms housing, i.e. an environmental barrier, with at least one hardware Module 6. The different cabinets 7 that are comprised in the architecture of the DIMA 3 are connected among them by using physical communication means 8 (i.e.: ARINC 429, Ethernet), e.g. in the form of an avionics Common Bus.

[0040] In the Modules 6, an underlying Real-Time Operating System or RTOS 12 provides common services for small software units called Partitions 5. Partitions 5 are independent one from another, in execution and memory management. Finally, the Partitions 5 are managing various subprocesses called Threads 9. For instance, such Threads 9 are of the type of the so-called processes as defined in the ARINC653 specification.

[0041] Each Cabinet 7 is having a distributed architecture for sharing resources of the processing means 10 and memory means 11.

[0042] An underlying Real-Time Operating System or RTOS 12 is installed in each Module 6 so as to provide common services from distributed processing means 10 and memory means 11 to independent Partitions 5. The RTOS 12, also called core OS, is having a Health Monitor Unit or HMU depicted as 13 on figures 1-2. The HMU 12 is allocated to each Module 6 for:

- an error detection step 14 of detecting errors in the computer system 2;
- a responsive action allocation step 15 of allocating at least one corresponding responsive action 17 predetermined in Health Monitoring Tables 18; and
- a responsive action performing step 16 of executing by the Health Monitoring, the corresponding responsive action(s) 17.

[0043] Such a distributed environment with a Health Monitoring is executing such steps 14, 15 and 16 through exchange in the DIMA 3 of Data Messages 20.

[0044] Typically in DIMAs, such Data Messages 20 are reflecting various types of information, useful to the work for the DIMA 3, e.g. for helping the piloting of the aircraft 1.

[0045] Such Data Messages 20 are for example reflecting information chosen from: software status, hardware availability, frequency values, sensor measurements values, GPS position and tracking information related to a particular track point. For instance, Data Messages 20 transit from given equipment 4, via the communication means 8 such as a Bus or the like, for e.g. reaching the memory / processing means 10-11 where these Data Messages 20 are used / treated by a Module 6 / Partition 5.

[0046] The DIMA 3 in the Computer System 2 of the invention is also having a Health Monitor Supervisor or HMS depicted as 19 on the figures.

[0047] As of this HMS 19, the Data Messages 20 dispatched in this Computer System 2 are also error messages, i.e. fault messages and / or error responsive messages. In other words, the Data Messages 20 also include error messages reflecting critical information about the DIMA 3. This information is useful to the HMU 13 and HMS 19 and / or produced by such HMU 13 and HMS 19. Some information of these Data Messages 20 is reflecting e.g. software / hardware status / availabilit