The present application is based on, and claims priority from, French Application Number 07 04903, filed Jul. 6, 2007, the disclosure of which is hereby incorporated by reference herein in its entirety.
The present invention pertains to a method of improving the integrity and safety of a system, and in particular of an avionics system.
Currently, the problem of making radionavigation measurements safe represents a critical point for so-called GNSS applications, and often prevents the use thereof in the guise of sole radionavigation means of aircraft.
In the aeronautical sector, obtaining an airworthiness certificate for an item of equipment is one of the most expensive and most difficult aspects of the design of any aircraft, and in particular of its electronic flight system (also called the avionics system).
This difficulty is related to the increasing dependence of aircraft and their crew on avionics systems. This dependence has given rise to a heavy duty of responsibility regarding the robustness of these systems. A key requirement in the design of avionics systems is that they must never give rise to a catastrophic situation, or, in practice, that the probability of occurrence of a catastrophic situation is negligible.
All the parts of an aircraft are subject to safety analyses. As far as avionics systems are concerned, these analysis procedures are dictated by institutional authorities, such as for example the FAA or the EASA for civil aviation. In the military world, the safety rules are in general less constraining.
Safety methodologies have a significant impact on the architecture of the system and on its components. To summarize, it may be considered that the safety requirements give rise to two types of constraints on avionics equipment:
Compliance with these constraints, notably the qualitative constraints, can pose problems, in particular in cases where technical, budgetary or legal constraints impose the use of a component or sub-assembly that has not been developed with the qualitative level required for its application in aeronautics, as is the case for example with microprocessors.
The certification rules already provide for cases in which components or sub-systems not developed to the level required are used inside a system which is itself developed to the level required. These tolerated “exceptions” are commonplace for electronic components (microprocessors, memories, etc.). In these cases, qualitative non-conformity regarding development is currently resolved through the following procedures:
Moreover, safety procedures exist that are conventionally based on a development methodology associated with an analysis of the occurrence of hardware failures and of their possible impacts on the performance of the systems implementing them.
These known procedures cannot therefore be applied to systems integrating elements not developed according to the appropriate level of methodology.
The subject of the present invention is a method of improving the integrity and safety of a system, this method making it possible, on the one hand, to detect and to locate an anomaly of a system, and on the other hand to estimate the impact of such an anomaly on the degradation of performance, with a view to attaining the safety level required and to making the data provided by this system safe. This method must also make it possible to loosen the qualitative constraints on the process of developing an item of equipment or a sub-assembly of this item of equipment by allowing the use of components of a development level that a priori is not in accordance with their use in an avionics system.
The method in accordance with the invention is characterized in that it consists, in a system comprising sub-assemblies, in monitoring the proper operation of sub-assemblies or of their components by checking their respective transfer functions in the operational mode with the aid of stimuli dispatched to these sub-assemblies. In what follows, the subject of the monitoring will be referred to interchangeably as a system, sub-assembly or component.
The device for implementing the method of the invention, for monitoring a system is characterized in that it comprises a stimuli generator, a device for managing the stimuli generator, and a device for analysing the output signals of the system to be made safe. In an advantageous manner, it also comprises a device for observing and controlling the responses and for estimating the safety obtained.
Still other objects and advantages of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein the preferred embodiments of the invention are shown and described, simply by way of illustration of the best mode contemplated of carrying out the invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious aspects, all without departing from the invention. Accordingly, the drawings and description thereof are to be regarded as illustrative in nature, and not as restrictive.
The present invention is illustrated by way of example, and not by limitation, in the figures of the accompanying drawings, wherein elements having the same reference numeral designations represent like elements throughout and wherein:
The invention is described in detail below with reference to its application to a GNSS receiver, but it is of course not limited to this application alone, and may be implemented in any system (such as that shown diagrammatically in
The method of the invention makes it possible to detect in a radionavigation receiver of GNSS type any anomaly of its transfer function and to locate it, and also to estimate its impact on the performance of this receiver. The anomalies in question are, in particular, hardware faults, hardware drifting (aging and/or effect of temperature), hardware and software design errors. This method calls upon a device for monitoring non-compliant components of a system, this monitoring making it possible to check the integrity of the system. This monitoring device is integrated into the system and developed to a development level in accordance with that of the system. The integrity of the component is then guaranteed by the integrity and by the availability of its monitoring system. The invention is particularly, but not exclusively, appropriate to systems in which a non-compliant component (or several components) makes a measurement of a physical or electrical quantity. In the event of a defect in the integrity of a component detected by the monitoring system, the remainder of the system can be alerted, thereby making it possible to ensure the overall safety of the system. Another advantage of this monitoring device is that of detecting any hardware faults of a non-compliant component.
The checking of the complete transfer function of a complex system being too difficult to implement, the invention proposes to monitor this transfer function for the configuration of this system as used in the operational mode.
With respect to the known conventional methods, the method of the invention does not require any deep analysis of the elements contained in the function checked. It is therefore applicable, for example, to systems comprising modules developed for applications requiring only a lesser safety level, but nevertheless makes it possible to attain the safety level required. Moreover, it makes it possible to carry out the analysis of the checked system at the nominal operating point, and optionally around this point. This method must therefore be implemented in the operational phase of the checked systems, since the values of the stimuli are dependent on the configuration of the systems that is used.
It should however be noted that the method of the invention does not provide any additional guarantee as regards the availability of a non-compliant component. It is therefore implemented only when an integrity constraint justifies the system development level, as is, for example, the case for avionics sub-systems, and notably the case for satellite radionavigation systems, which are not a primary navigation means, and whose unavailability does not therefore give rise to a “catastrophic” situation.
The method of the invention consists in particular in verifying that responses of a component being monitored forming part of a system to monitoring stimuli comply with its specification. These monitoring stimuli use the operational input and output signals of this component. The stimuli can either be superimposed on these operational signals, or be substituted for them in a momentary manner. In the event that a non-integrity is detected, the latter is signalled to the system. The monitoring can be either continuous, or be cyclic with a recurrence frequency that is at minimum compatible with the safety requirements of the system, that is to say the time span between two consecutive monitoring tests must be less than the duration beyond which an erroneous data item produced by this component may give rise to a catastrophic situation.
According to a variant of the method of the invention, the test stimuli are calculated and applied to the component to be monitored in such a way that the theoretical response of the component is identical to its last operational response. It is thus possible to permanently tailor the testing of the component to its functional operating zone.
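The monitoring loop described in the two preceding paragraphs, as an added illustration that is not part of the patent text: a hypothetical component with a specified linear transfer function (constructed values), a monitor that derives each stimulus from the inverse of the specified function so that the theoretical response equals the last operational output, a check of the response against the specification at the operating point and optionally around it, and a recurrence check that no gap between two tests reaches the assumed duration after which an erroneous output could become catastrophic. The tolerance, the catastrophic duration and the drifted gain used to exercise the detection are all assumed for this example.

```python
"""Stimulus-based integrity monitor tailored to the operating point.

Added illustration, not from the patent. The monitored component is a
hypothetical measurement chain whose specified transfer function is
y = SPEC_GAIN * x + SPEC_OFFSET (constructed values); the real part may have
drifted. The monitor derives each stimulus from the inverse of the *specified*
function so that the theoretical response equals the last operational output,
momentarily substitutes it for the operational input, compares the actual
response with the specification, and verifies that consecutive tests are closer
together than the time after which an erroneous output could be catastrophic.
"""

SPEC_GAIN = 2.0        # specified transfer function (constructed)
SPEC_OFFSET = 0.5
TOLERANCE = 0.02       # acceptance band on the response, output units (assumed)
T_CATASTROPHIC = 1.0   # seconds an erroneous output may go undetected (assumed)


class Component:
    """Hypothetical non-compliant component; its real gain may drift with aging."""

    def __init__(self, gain=SPEC_GAIN, offset=SPEC_OFFSET):
        self.gain = gain
        self.offset = offset

    def process(self, x):
        return self.gain * x + self.offset


def spec_response(x):
    """Response the specification predicts for stimulus x."""
    return SPEC_GAIN * x + SPEC_OFFSET


def stimulus_for(last_output):
    """Stimulus whose theoretical response equals the last operational response."""
    return (last_output - SPEC_OFFSET) / SPEC_GAIN


def monitor_once(component, last_output, around=(0.0, -0.1, 0.1)):
    """Test the component at its current operating point and, optionally, around it.

    `around` lists relative offsets applied to the tailored stimulus; 0.0 is the
    operating point itself. Returns the worst error and the integrity verdict.
    """
    base = stimulus_for(last_output)
    worst = 0.0
    for rel in around:
        x = base * (1.0 + rel)
        worst = max(worst, abs(component.process(x) - spec_response(x)))
    return {"stimulus": base, "worst_error": worst, "integrity": worst <= TOLERANCE}


def recurrence_ok(test_times, t_catastrophic=T_CATASTROPHIC):
    """Cyclic monitoring is only adequate if no gap between tests reaches the
    duration after which an erroneous output may cause a catastrophic situation."""
    gaps = [b - a for a, b in zip(test_times, test_times[1:])]
    return all(g < t_catastrophic for g in gaps)


def run_monitoring(component, operational_inputs, period):
    """Operate the component, test it after each sample, and return the reports,
    the time of the first detected non-integrity (None if none) and the
    recurrence verdict."""
    reports, times, first_alert = [], [], None
    for k, x in enumerate(operational_inputs):
        y = component.process(x)             # operational response
        report = monitor_once(component, y)  # stimulus momentarily substituted
        t = k * period
        times.append(t)
        reports.append(report)
        if not report["integrity"] and first_alert is None:
            first_alert = t
    return {"reports": reports, "first_alert": first_alert,
            "recurrence_ok": recurrence_ok(times)}
```

Because the stimulus is recomputed from the last operational output, a drift that is invisible near zero (a gain error multiplies a small input into a small error) is still caught once the component operates at a larger value, which is precisely the point of testing at the point of use rather than at a fixed reference.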
Represented in
In an advantageous manner, the implementation of the method of the invention is rendered non-disruptive if there is a hardware redundancy allowing the device 1 to be made safe sequentially in blocks of sub-assemblies of the overall function of the device 1. For example, in the case of a device for processing the radionavigation signals received from satellites, this device being composed of several parallel processing pathways each assigned to one of the satellites of a received constellation of satellites, it is possible to append a surplus channel, identical to the other channels, so that, by dynamic reassignment of pathways, one of these pathways can be released in turn and tested without disrupting the reception and processing of the signals received from the various satellites.
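The surplus-channel arrangement of the preceding paragraph, as an added illustration that is not part of the patent text. The pool of N + 1 channels, the satellite identifiers and the test callback standing in for the stimulus-based check are all constructed for this example; the rotation order (round-robin, the released channel becoming the next spare) is one possible policy and not one the patent specifies.

```python
"""Non-disruptive channel rotation with one surplus channel.

Added illustration, not from the patent. A receiver tracking N satellites is
given N + 1 identical processing channels (constructed configuration). On each
monitoring cycle the idle channel takes over the satellite of the next channel
in round-robin order, the released channel is tested at the operating point it
was just using (the satellite it tracked is handed to `test_fn` so the stimuli
can be built for it), and the released channel becomes the idle one for the
following cycle. Every satellite stays tracked throughout, and every channel is
tested once per N + 1 cycles.
"""


class ChannelPool:
    def __init__(self, satellites):
        self.n_channels = len(satellites) + 1
        # channel index -> satellite id; None marks the idle (surplus) channel
        self.assignment = dict(enumerate(satellites))
        self.spare = self.n_channels - 1
        self.assignment[self.spare] = None
        self.log = []

    def tracked(self):
        return {sat for sat in self.assignment.values() if sat is not None}

    def cycle(self, test_fn):
        """Release one channel by dynamic reassignment, test it, keep it as spare."""
        released = (self.spare + 1) % self.n_channels
        satellite = self.assignment[released]
        self.assignment[self.spare] = satellite    # spare takes over tracking first
        self.assignment[released] = None           # ...then the channel is freed
        verdict = test_fn(released, satellite)
        self.log.append({"cycle": len(self.log), "channel": released,
                         "operating_point": satellite, "integrity": verdict,
                         "tracked": frozenset(self.tracked())})
        self.spare = released
        return verdict

    def failed_channels(self):
        return {e["channel"] for e in self.log if not e["integrity"]}


def run_rotation(satellites, n_cycles, test_fn=lambda channel, satellite: True):
    """Run n_cycles of rotation; test_fn(channel, satellite) -> bool stands in
    for the stimulus-based check of the released channel (constructed)."""
    pool = ChannelPool(satellites)
    for _ in range(n_cycles):
        pool.cycle(test_fn)
    return pool
```

The order of the two assignments inside `cycle` matters: the spare must take over tracking before the released channel is freed, otherwise the satellite is briefly untracked, which is exactly the disruption the surplus channel is meant to avoid.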
The choice of the stimuli is an important characteristic of the invention. It is determined by analysing the function implemented by the device to be tested receiving these stimuli, through the knowledge, even partial, of the architecture of this device, of the performance level demanded and of the impact of the performance of this device on the quality of the system incorporating this device. Complementary procedures are implemented to make it possible to determine the characteristics of these stimuli (logical analysis, path analysis, statistics, etc.). An essential condition is to choose these stimuli so that they are representative of the current operating point of the tested device (same exchange configuration or equivalence), so as to check the device at its point of use or around this point.
Shown diagrammatically in
The safety device combined with the radionavigation receiver of
Management of the stimuli is checked according to two checking levels:
The safety software is installed in the processor 22 with appropriate segregation and an appropriate development level. It will be noted that the overall testing of the radionavigation receiver with the aid of stimuli also allows software functions installed in the processor 18, and in particular signal processing functions, to be made safe.
In the application, described above, to a GNSS radionavigation receiver, the correlation function installed in the circuit 16 must carry out the correlation of the input signal 12 with a local replica of the GNSS signals received that is slaved to these signals, so as to calculate the correlation function locally, for example over 32 adjacent time lags, at a tempo of half a chip, doing so for all the satellites to be tracked. This correlation function can be subdivided into four sub-assemblies:
A criticality analysis shows that an important characteristic of the invention is the generation and checking of the replica of the GNSS signals, the other elements (correlation-based filtering, optional encryption, etc.) having discernable effects during nominal operation of the receiver. In order to check this assembly at the current operating point of the receiver, it is possible to generate a “like” signal (replica, encrypted or not, of the GNSS signal for this current operating point) dispatched to the coupler 31 and to check all the filtered output signals of the circuit 16, representing the correlation function, namely a correlation performed for the maximum signal on the “punctual” pathway, for the reduced amplitude signal on the pathways adjacent to this punctual pathway and for the practically zero signal for the other pathways. This makes it possible to validate the check of the local replica of the GNSS signal and of the calculation of the correlation function.
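The replica-and-correlator check of the preceding paragraph, as an added illustration that is not part of the patent text. A 127-chip m-sequence generated from the primitive polynomial x^7 + x + 1 stands in for a real GNSS ranging code (constructed), the "like" signal injected at the coupler is the replica for the current operating point, the correlator delivers 32 adjacent half-chip lags, and the checker demands the full peak on the punctual lag, about half amplitude on the two adjacent lags and practically zero elsewhere; the thresholds and the two injected defects (a replica generator one chip out of phase, a stuck punctual output) are assumptions made for the example.

```python
"""Replica and correlator check with a 'like' signal at the current operating point.

Added illustration, not from the patent. A 127-chip m-sequence (constructed from
the primitive polynomial x^7 + x + 1, standing in for a real GNSS ranging code)
is sampled at two samples per chip; a correlator computes 32 adjacent half-chip
lags, and a checker expects the full peak on the punctual lag, roughly half
amplitude on the two adjacent lags and practically zero elsewhere. Two
constructed faults show what the check catches: a replica generator whose code
phase is one chip late, and a stuck punctual correlator output.
"""

CODE_LEN = 127
SAMPLES_PER_CHIP = 2
N_LAGS = 32            # lags -16 .. +15 in half chips, punctual at lag 0


def m_sequence(length=CODE_LEN):
    """+/-1 m-sequence from the recurrence a[n] = a[n-7] XOR a[n-6] (x^7 + x + 1)."""
    bits = [1] * 7
    for n in range(7, length):
        bits.append(bits[n - 7] ^ bits[n - 6])
    return [1 if b else -1 for b in bits]


def oversample(code, spc=SAMPLES_PER_CHIP):
    """Hold each chip for spc samples (half-chip tempo for spc == 2)."""
    return [c for c in code for _ in range(spc)]


def correlator_outputs(received, replica, fault=None):
    """Normalised cyclic correlation over N_LAGS half-chip lags, as the correlator
    circuit would deliver them. `fault` models a constructed hardware defect."""
    n = len(received)
    outputs = {}
    for lag in range(-(N_LAGS // 2), N_LAGS // 2):
        acc = sum(received[i] * replica[(i + lag) % n] for i in range(n))
        outputs[lag] = acc / n
    if fault == "stuck_punctual":      # constructed: punctual pathway stuck at zero
        outputs[0] = 0.0
    return outputs


def check_correlation(outputs, peak_min=0.9, adjacent=(0.35, 0.65), floor=0.1):
    """Compare the correlator outputs with the shape the specification demands.

    Thresholds are constructed for this illustration. Returns a list of fault
    descriptions; an empty list validates the replica generation and the
    correlation calculation at the current operating point.
    """
    faults = []
    if outputs[0] < peak_min:
        faults.append(f"punctual lag: {outputs[0]:.3f} < {peak_min}")
    for lag in (-1, 1):
        if not adjacent[0] <= outputs[lag] <= adjacent[1]:
            faults.append(f"adjacent lag {lag}: {outputs[lag]:.3f} outside {adjacent}")
    for lag, value in outputs.items():
        if lag not in (-1, 0, 1) and abs(value) > floor:
            faults.append(f"lag {lag}: {value:.3f} above floor {floor}")
    return faults


def run_check(fault=None):
    """Generate the 'like' signal for the current operating point, run the
    correlator against its local replica and return the list of faults found."""
    replica = oversample(m_sequence())
    like_signal = list(replica)            # stimulus injected at the coupler
    if fault == "replica_phase":           # constructed: replica one chip late
        replica = replica[SAMPLES_PER_CHIP:] + replica[:SAMPLES_PER_CHIP]
    return check_correlation(correlator_outputs(like_signal, replica, fault))
```

With a correctly slaved replica the punctual output is exactly 1.0, the two half-chip neighbours sit near 0.5 and every other lag is about -1/127; a replica one chip late moves the whole peak to lag -2, so the punctual check fails and two lags exceed the floor, which both locates the anomaly (replica generation rather than the correlator arithmetic) and quantifies it.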
In conclusion, the invention makes it possible to detect and to quantify the effects of a malfunction of a system such as a radionavigation receiver. It is thus possible to enhance the latter's capabilities in regard to safety, in particular when strategic applications are involved. Generally, the invention makes it possible to guarantee the integrity of a component and/or of a system by checking its proper operation at the instant considered and in the operating domain considered.
The relative simplicity of the means required to implement the method of the invention, namely the processing algorithm which can be installed in an existing computer (with segregation between this algorithm and the other functions of the computer) or indeed installed in a small dedicated computer associated with a small ASIC (or FPGA) circuit, with the development level suited to the integrity requirements to be complied with, enables its low-cost integration into the majority of military or civil GNSS signal receivers.
It will be readily seen by one of ordinary skill in the art that the present invention fulfils all of the objects set forth above. After reading the foregoing specification, one of ordinary skill in the art will be able to effect various changes, substitutions of equivalents and various aspects of the invention as broadly disclosed herein. It is therefore intended that the protection granted hereon be limited only by the definition contained in the appended claims and equivalents thereof.
Number | Date | Country | Kind |
---|---|---|---|
07 04903 | Jul 2007 | FR | national |