The present invention relates to the ability to build in and/or use previously certified circuit board assemblies in electronic hardware for a modular control loop application system, more particularly for safety-critical systems, without the need to re-certify the new configuration or layout of the entire set of circuit board assemblies in a specific electronic hardware configuration. More particularly, the invention relates to a method for starting up such an assembly of previously certified circuit boards in electronic hardware for avionic purposes without the need to pre-program and certify the particular assembly as a whole.
For aviation systems, the safety and reliability measures taken to ensure that systems do not fail are extremely high. Therefore, systems specifically designed for aviation are considered the safest and most thoroughly tested systems developed. To ensure that these standards are reached by everyone developing for aviation applications, regulatory bodies require that any aviation system that may be included in an aircraft meet specific certification requirements. Generally, such certification standards are concerned with the approval of software and airborne electronic hardware for airborne systems (e.g., autopilots, flight controls, engine controls). This includes systems that may be used to test or make aviation systems, e.g., hardware or software to be installed on an aircraft. In the United States, for example, the FAA Aircraft Certification Service develops the policy, guidance and training for software and airborne electronic hardware that has an effect on an aircraft. Of particular relevance are the guidance documents DO-178C or ED-12C for software and DO-254 or ED-80 for hardware, with which airborne systems must comply.
The development and certification of software-intensive systems for aviation is extremely labor intensive. Steps include building planning documents that explain in detail how the applicant will comply with guidelines on development, verification, configuration management and quality assurance, and which standards the applicant will use for requirement writing, modelling, design, and coding. The system requirements are refined into a set of high-level requirements for the software and for the hardware. For software, these are further refined into an architectural design that can achieve the high-level requirements. Next, low-level requirements are developed that specify how to implement the high-level requirements within the context of the architectural design. These low-level requirements should be detailed enough that testing them will cover all aspects of the code. The source code is developed to comply with the low-level requirements. Source code and design are reviewed, and requirements are tested until all decision points are covered, or even until every condition inside each decision point is tested. The amount of work before coding starts is significantly larger than the coding itself, but the verification dwarfs all of the development work.
For hardware, the focus is more on the design, but especially when programmable logic is used the amount of work is similar.
These standards are in place to maximize the probability of error-free code, and indeed software developed this way has been working safely for decades. For safety reasons, it is a good idea to keep the process at least as rigorous as it currently is.
However, from a practical point of view, the amount of avionics in an aircraft is increasing on an exponential scale. Almost all aircraft are delayed to market, or have very long market lead times, due to the enormous, and rapidly rising, amount of work it takes to prove the correctness of an aircraft.
Tools and methods have been developed to reduce this work. Authorities have provided guidelines on how to correctly automate some of the development and verification objectives. Tool vendors have created tools, such as automatic code generators. When such a tool is qualified, the code it generates does not need to be reviewed. However, coding is only a small part of the overall project. These tools have an important but, overall, minor effect on the time to market of new aircraft.
Likewise, reuse of circuit board assemblies (CBA's) which have gone through the entire certification process is a preferred way of reducing the overall development time, and it allows for a cost reduction since the CBA's can be designed so that they are usable for more than one particular setup or use, compared to custom-tailored CBA's, which then individually need to go through the certification process one by one. Examples of CBA's which are good candidates for reuse are processor boards, interface cards, power supplies, etc. Reusable CBA's will have to be designed according to a specific standard in terms of size and Input/Output (I/O) to allow reuse. An ANSI standard which is widely used in integrated modular avionics (IMA) is the VITA 46 or VPX standard. This standard defines the dimensions of the cards. Common boards are 3U boards, which have a dimension of 160 mm×100 mm, or 6U boards, with dimensions of 160 mm×233 mm.
Not only the size of the boards is standardized; the types of connectors and interfaces are standardized as well, to allow the exchangeability of the boards in other applications. In compliance with the VITA 46 standard, a common backplane or motherboard is used into which the different CBA's can be plugged.
Some CBA's 30, 40 and 50 are always present in a typical 3U system 10. These are the Processor card 30, the General Interfaces card 40 and the Power supply 50. The additional interfaces 60 are optional and are only added when required for the solution for which the system 10 is compiled. The total configuration of the system 10, being the backplane 20, CBA's 30, 40, 50, 60 and interconnection board 70 together, will form the computer which is then to be installed on board of, e.g., the airplane. It is clear from
Although there are a lot of benefits when using such a 3U system 10, one significant problem with such a system is that it is an expensive solution in terms of size and weight. The mechanical dimensions do not grow with the required interfaces; instead, the system 10 needs to be designed to accommodate the worst-case scenario. Also, the interconnection board 70 needs to be able to hold interfaces for all possible signals and will therefore always be over-dimensioned. This will have an impact on the minimum height and width of the unit, since all possible interfaces will need to find a space on this interconnection board 70. Also, the backplane 20 needs to provide sufficient slots 80 to hold all possible interface cards, which will thus determine, and in most cases over-dimension, the total depth of the system 10. Although the size and weight of these 3U-based systems might still be acceptable in traditional avionics, they cannot be considered low SWaP (Size, Weight and Power) solutions as requested in Urban Air Mobility (UAM) and/or Unmanned Aerial Vehicle (UAV) projects.
To overcome the need to over dimension and prepare a system for the worst case scenario, an alternative design to the backplane layout of
In the system of
As is the same with the system of
The object of the invention is therefore to allow a high degree of freedom to build together a new assembly without the need to go through a lengthy and costly re-certification and testing protocol, and thus to overcome the need to re-certify a new combination of CBA's when they are stacked together to form a new computer designed for safety-critical solutions, and more particularly for computers in avionic solutions, or when a change in configuration is made by adding, replacing or removing a specific CBA. By doing so, it becomes possible to create a computer with the lowest possible SWaP in a short development period. Additionally, it is the object of the present invention to provide a modular stacked control loop application system or computer which is able to identify its function and position, and whether a defect is occurring on a component or connection of one of the units, without the need to identify and pre-program the location and function of each unit in the stack when assembling the system or computer.
This object is achieved by the subject matter of independent claim 1 of the present invention. Advantageous embodiments and aspects are described in the dependent claims.
The present approach provides efficient and effective solutions for adapting previously certified circuit board assemblies in electronic hardware for control loop systems, and particularly for safety-critical systems. Advantageously, the present approach avoids the need to re-certify the new configuration or layout of the entire set of circuit board assemblies in a specific electronic hardware configuration. Therefore, a method is provided which allows, during start-up, to identify how many units are present, what type of units they are or which function they are capable of, and where they are installed in the control system, and which allows the control system to determine how to address these individual units. By doing so, there is no need to pre-program upfront the functions and positions of the units in the stack, allowing a high degree of freedom when building together a new control system. As a result, embodiments of the present invention are significantly more efficient and effective for new control loop systems, and avoid both the need to complete expensive and lengthy certification processes and the contemporary option of using older, less efficient control loop systems. Additionally, because of the exchangeability of the units in the control system, it is possible to stock only a limited number of units, rather than an entire control system or computer, and thus have a more cost-efficient stock system in place.
It is an advantage of the method of the present invention that it is not necessary for the top-level unit and the additional units to have a specific and predefined position in the stack. Each additional unit will be able to work independently from the other additional units in the stack; it will only need to know its own position in the stack, how to communicate with the top-level unit, and how to receive power from this top-level unit. The individual additional units will not need to be aware of the function of the other additional units which may be present in the stack, because there is no synergy between the additional units and no communication needs to be possible between the additional units themselves. Also, for the top-level unit it is only important to know the function of each additional unit, which protocol it needs to use to send out the information to the particular additional unit, and which type of interface it needs to use to send the information. Additionally, receiving information about the function of each additional unit allows the top-level unit to perform checks at any time when the control system is active, to detect any malfunctioning of a part or of the complete control system.
In addition to the information sharing about the function of each unit, it may be advantageous if the top-level unit receives from each additional unit in the stack the location of this additional unit in the stack. In case a duplication of a unit in the stack is necessary, the top-level unit will be able to determine how to address a particular additional unit, even if this unit is an exact copy of another additional unit in the stack which would use the same protocol and interfaces to communicate with the top-level unit.
Further in addition, it may be advantageous but not mandatory, if the top-level unit receives a specific IP-address used by this additional unit. That way, the information flow between the top-level unit and the individual additional unit will only occur on the particular channel and over a specific IP-address instead of sending out the information over the channels and having the need for each additional unit to check if the information received is intended for this particular additional unit.
The following description is of the best currently contemplated mode of carrying out exemplary embodiments of the invention. The description is not to be taken in a limiting sense, and is made merely for the purpose of illustrating the general principles of the invention. Embodiments described are from avionics systems since these systems are considered to uphold the highest level of safety requirements, but it should be appreciated that the present approach may be applied to safety-critical systems in other industries or even in critical systems in non-safety critical industries.
This description uses various terms that should be understood by those of an ordinary level of skill in the art. The following clarifications are made for the avoidance of doubt. A “control loop system” as used herein is the hardware components and software control functions needed for the measurement and adjustment of one or more variables that control an individual process. This can include the physical components and control functions necessary to adjust the value of one or more measured process variables, usually to achieve a desired set-point or to maintain the value within a desired range. The control loop system includes one or more process sensors, controller functions, and final control elements, which are all required for controlling the process.
The term “safety-critical system” as used herein is a system whose failure or malfunction may result in one (or more) of death or serious injury, environmental harm, and severe damage or loss to property or equipment. This can include the hardware, software, and human aspects needed to perform one or more safety functions, in which failure of a safety function would cause a significant increase in the safety risk for the people, equipment, or environment involved. A safety-critical system employs one or more control loops, depending on the purpose of the system. Safety-critical systems are present in numerous industries, such as infrastructure (e.g., electricity generation and transmission), medicine (e.g., life support), automobiles (e.g., airbags, braking, steering), and aviation (e.g., air traffic control, avionics, flight planning, navigation, engine control, and life support).
The term “Top-level unit” as used herein is a unit which performs the controlling function and although the term top-level is used, the entire system can be turned upside down, such that the “top-level unit” is placed in the bottom of the stack instead of in the top of the stack, or even in the middle of the stack. The actual position of the “top-level unit” in the stack will not change its function and functionality.
The present approach may be employed in a wide variety of industries having regulations and certification requirements on control loop systems. The embodiments described herein are made in the context of aviation systems and avionics (the electronic systems used on an aircraft). Various regulatory bodies require that any aviation system included in an aircraft meet specific regulatory requirements and standards before certification. Generally, regulatory requirements and standards are concerned with the approval of software and airborne electronic hardware for airborne control loop systems (e.g., autopilots, flight controls, engine controls). This includes systems that may be used to test or make aviation systems, e.g., hardware or software to be installed on an aircraft. In the United States, for example, the FAA Aircraft Certification Service develops the policy, guidance and training for software and airborne electronic hardware that has an effect on an aircraft. Of particular relevance are the guidance documents DO-178C for software and DO-254 for hardware, which apply to airborne systems. These regulations impose significant requirements for certification, and the certification process alone is considerably expensive and time consuming. Aviation system design is a complicated, lengthy, and expensive process. The costs of certification, as well as the risk of failing certification, are significant challenges facing the design and deployment of safety-critical systems.
An avionics system is a combination of hardware and software, as used in aerospace or space for safety-critical functions. Safety-critical avionics systems are deployed in aerospace to control key aspects of the aircraft, such as the instruments of the pilot, the motors, the flaps, the rudder and the wheels. Many auxiliary safety-critical systems are developed to support these, such as position sensors, altitude measurements, etc.
What makes safety-critical systems special relative to critical electronic systems in non-safety-critical industries is that safety-critical systems are deemed so critical that they need to be proven correct before first use, because any malfunctioning equipment has a high probability of causing injury or loss of life. Safety-critical industries are aerospace, space, trains, cars, some of the medical equipment, and parts of nuclear facilities. Before an avionics system is used, it must be certified by government agencies and shown to comply with the applicable standards. At the most abstract level, these standards indicate acceptable error rates. For instance, the probability that a single event can upset the key instruments of an aircraft pilot must be shown to be less than 1 in a billion. In-depth safety analysis methods are used to statistically prove this probability for hardware, based on known component failure rates and on hardware redundancy measures to overcome single event upsets, and software is designed to work around identified vulnerabilities of the hardware. The software itself is developed according to rigorous principles. Compliance with these guidelines is mandated and checked by the government, such as the FAA in the USA and EASA in Europe.
Safety-critical systems are always hard real-time systems, in the sense that they must respond in a predictable time, every single time. Software design goes to great lengths to ensure that under all possible circumstances, the system responds in the predefined time. Safety-critical systems do not necessarily need to respond fast; they simply need to respond on time. For some avionics systems, for instance some control aspects inside the engine, the allowed response time is 1 millisecond. For other avionics systems, the response time can be as much as one hundred milliseconds. In both cases, the response may never be later than the required response time.
Because of these properties, safety-critical software can never be developed in isolation from the hardware. The performance and capabilities of the software are strongly linked to the hardware: the hardware must provide safety features to protect the software, and the software must be designed to take advantage of these features. At the same time, the software must monitor and work around any vulnerabilities that are present or may occur in the hardware.
As such, certification is always performed on a complete system, and never on hardware or software in isolation.
Certification has many aspects, including compliance with minimum operational standards and other guidelines. There are also guidelines for the design and development of hardware, and the same applies to software. These guidelines define design assurance levels (DAL), from E (no oversight) to A (highest criticality). Our proposed method is applicable to all criticality levels. Currently, any change in either the hardware or the software automatically triggers complete re-certification, unless a change analysis can prove there is limited or no impact; in that case, only limited testing and re-certification is deemed necessary. In the prior art systems, changing something small, like a hardware resistor on the board, was considered acceptable. However, a design change typically goes beyond the simple change of a single component and would thus often not be considered a change with limited or no impact, resulting in the need to re-certify the entire system.
Adding to the certification complexity is the fact that the complexity of safety-critical systems is rising quickly. Studies show that the complexity of aircraft onboard avionics doubles on average every 2 years. This enables safer ways to operate the aircraft, address new threats, as well as higher efficiency of the aircraft, or provide new capabilities to an aircraft, such as unmanned aircraft operations.
On the one hand, the technology to accommodate the requested increase in functionality, safety, user-friendliness and complexity is available; on the other hand, using it would automatically result in a mandatory re-certification, which is time consuming and costly. To cope with all of this complexity, the common strategy in the industry so far has been to re-use the existing instruments as much as possible, to avoid the massive effort of obtaining certification for new or modified instruments.
From the viewpoint of the industry, it is too time consuming and expensive to develop new on-board computers and go through the entire certification process. Although this is not the ideal situation, in practice the avionics industry typically decides to re-use the entire instrument, rather than adapting the computers with the latest available hardware technology and providing the aircraft with the latest available technology. This is why many aircraft use the same instruments, which are often outdated. Unfortunately, aircraft often use instruments that are not ideal for that particular aircraft and that at a certain point in time become outdated, but which are good enough and most often the only cost-efficient way of obtaining the instruments within the relatively short timeframe it takes to bring a new aircraft to market. This approach also results in a very slow evolution of instrument features for the established instruments: the technology is often available, but has simply not gone through the required certification process.
Due to the complexity of the hardware/software interaction to achieve the required safety levels for an implementation, and the need to verify all of the code against the applicable certification requirements, currently, the reused instruments are usually very narrowly tuned to their intended function.
The present invention solves these and other problems by advantageously providing a control loop system or computer which can be built together using additional units which, individually or in combination with a top-level unit, went through the mandatory testing phase, and which can be combined without the need to re-certify the new combination. In order to make this possible, the different units need to be able to work together with the top-level unit without the need to embed the function of each unit and its position in the stack in the top-level unit when compiling or putting together the computer. The system, once stacked together, needs to be able to detect upon start-up the position of the different additional units 521-524, their function in the computer and the way to address them, to allow communication between these additional units and the top-level unit. Therefore, a method is provided to identify how many additional units there are in a specific configuration, in which position in the stack each unit is placed, and which protocol and/or interface is needed to address these units. Having the possibility for the modular system to identify the interface to use, and how to address it, allows the modular system to have a large number of slave buses on the same communication bus, while only using those slave buses when needed, depending on the modular system built for a specific application. It is even possible with the present method to provide multiple identical additional units, while still allowing them to be addressed in a unique way after the identification process has finished.
This method allows a modular system to be put together where the power supply and all possible interfaces are provided in the top-level unit only, such that the top-level unit is able to provide power and communication to the additional units via a specific communication bus, using a specific interface which is defined by the additional unit; only a limited number of interfaces need to be provided on this additional unit, with the result that each module or unit is interchangeable without affecting the other units. This interchangeability without affecting the other units is an advantage which is not found in the prior art systems, where an entire system always needed to be built together and pre-programmed beforehand, and if one component failed, the entire system needed to be replaced, which can be very expensive.
Although the preferred way of designing the top-level unit and the additional units is with a power supply in the top-level unit alone, it is possible for a particular unit to provide an additional power supply when the power usage of this unit is too high to draw from the top-level unit alone. Once all additional units 521-524 are designed, with or without the additional power supply, each additional unit can be certified in combination with a generic (top-level) unit 520, 620. Such an individual combination can be considered a new individual basic computer 500 which went through the certification process and is considered safe to use. Once certified, the combination of the generic unit 520, 620 with the specific additional unit 521-524 can then be combined with one or more additional units to form a new custom-tailored system or computer 500. However, there is no need for this new combination to undergo the certification process for this particular set-up, since each individual unit in combination with a generic unit was already pre-certified and considered safe. The ability to use the same generic top-level unit 520, 620, which will typically hold the power supply, and to stack additional pre-certified units to form a custom-tailored computer 500, makes re-certification redundant, since no change is needed to the specific additional unit or to the top-level unit. There is no need to pre-program the function of all the additional units in combination with their position in the stack and the way they can be addressed, since this is detectable by the method of the present invention; as a consequence, each unit will be addressable by the top-level unit, regardless of the position in which it is placed in the stack when the units are brought together to form the required computer for a specific airplane.
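The start-up identification described in the passages above (what each additional unit makes known to the top-level unit, how identical units remain individually addressable, and the checks the top-level unit can repeat while the system is active) is simulated below. This is an added illustration, not code from the patent: the report fields, the certified catalogue and the sample reports are constructed for the example. It also shows two defensive decisions the text implies but does not spell out: a unit whose reported function, protocol and interface do not match a combination certified with this top-level unit is refused rather than addressed blindly, and a second unit claiming an already occupied position is refused as an identification fault.

```python
"""Simulated start-up identification for a stacked modular control computer.

Added illustration, not code from the patent. The report fields, message
order and certified catalogue are assumptions: the text only states what
each additional unit reports (function, stack position, protocol/interface,
optional IP address) and that the top-level unit may re-check units later.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UnitReport:
    """What one additional unit reports to the top-level unit at start-up."""
    position: int                     # slot in the stack, relative to the top-level unit
    function: str                     # e.g. "edge", "video", "mass-storage"
    protocol: str                     # protocol the top-level unit must use for this unit
    interface: str                    # physical interface carrying that protocol
    ip_address: Optional[str] = None  # optional: lets traffic be sent to this unit only


# Constructed catalogue: (function, protocol, interface) triples that have been
# certified in combination with this generic top-level unit.
CERTIFIED_UNITS = {
    ("edge", "can", "bus-a"),
    ("video", "ethernet", "bus-b"),
    ("mass-storage", "spi", "bus-a"),
}


@dataclass
class StackTable:
    units: Dict[int, UnitReport]             # accepted units, keyed by stack position
    rejected: List[Tuple[UnitReport, str]]   # refused reports with the reason

    def address_of(self, function: str, occurrence: int = 0) -> Tuple[int, str, Optional[str]]:
        """Address of the n-th unit (ordered by position) with the given function.

        Identical units share protocol and interface, so the stack position is
        what tells them apart.
        """
        matches = [self.units[p] for p in sorted(self.units) if self.units[p].function == function]
        r = matches[occurrence]
        return (r.position, r.interface, r.ip_address)


def enumerate_stack(reports: List[UnitReport]) -> StackTable:
    """Build the stack table from the start-up reports.

    A unit is accepted only if its (function, protocol, interface) triple is a
    certified combination and its position has not already been claimed.
    """
    table = StackTable(units={}, rejected=[])
    for r in reports:
        if (r.function, r.protocol, r.interface) not in CERTIFIED_UNITS:
            table.rejected.append((r, "not certified with this top-level unit"))
        elif r.position in table.units:
            table.rejected.append((r, "position already claimed"))
        else:
            table.units[r.position] = r
    return table


def health_check(table: StackTable, current: List[UnitReport]) -> List[Tuple[int, str]]:
    """Re-run identification while active; flag units that stopped answering
    or that now identify themselves differently than at start-up."""
    seen = {r.position: r for r in current}
    faults = []
    for pos, expected in table.units.items():
        actual = seen.get(pos)
        if actual is None:
            faults.append((pos, "no response"))
        elif actual != expected:
            faults.append((pos, "identity changed"))
    return faults


# Constructed start-up messages: two identical edge units, one video unit,
# one unit type not in the catalogue, and one unit claiming an occupied slot.
STARTUP_REPORTS = [
    UnitReport(1, "edge", "can", "bus-a"),
    UnitReport(2, "video", "ethernet", "bus-b", "10.0.0.12"),
    UnitReport(3, "edge", "can", "bus-a"),
    UnitReport(4, "gps", "uart", "bus-a"),
    UnitReport(2, "mass-storage", "spi", "bus-a"),
]

if __name__ == "__main__":
    table = enumerate_stack(STARTUP_REPORTS)
    for pos in sorted(table.units):
        print(pos, table.units[pos])
    for report, reason in table.rejected:
        print("rejected:", report, "->", reason)
    print("second edge unit at:", table.address_of("edge", 1))
    print("faults:", health_check(table, STARTUP_REPORTS[:2]))
```

Because the top-level unit keeps the accepted table from start-up, a later `health_check` can be run at any time the system is active; a unit that no longer answers or that reports a different identity than it did at start-up is reported by position, which is exactly the information needed to replace that single unit without touching the rest of the stack.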
Again, this provides the advantage that any combination in a stack is possible, from the exchangeability of the different units to the position of the units in the stack. Any combination of units is possible, without the need to pre-program (and thus certify) each of these combinations of units and its position in a stack so that these combinations are usable in an airplane. This is extremely beneficial to the speed of development and will improve the time to market drastically. Since all additional units are pre-certified, one can simply create an endless number of combinations which do not need re-certification when brought together to form a new system, whereas the prior art solutions still need a certification for each new combination. If a new additional unit is created, or an update to an existing unit is needed, only this additional unit in combination with a generic unit needs to undergo the certification process, which is easier and faster than having the entire computer with all additional units (including the new one) undergo the same certification process. Additionally, in comparison with the computers of the prior art, it is possible to limit the number of completely configured computers and only keep a limited number of pre-certified units in stock. When a specific unit in a stack needs to be replaced, it is possible with the present invention to replace only this unit, without affecting the other units in the stack. That way, it is not necessary to have a large number of different types of complete computers in stock; only a number of the additional units of a stack need to be available. This is especially beneficial if, e.g., an airliner has a large fleet of different airplanes, and each type of airplane has its own specific computer configuration.
When using the present invention, the airliner will not need to have a stock of complete computers available for each type of airplane in order to make a quick repair possible in case of a defect. The units according to the present invention are typically the same for the different types of airplane and are typically less expensive to keep in stock than an entire computer. With computers of the prior art, instead, the entire computers of all the different airplanes need to be kept in stock if a similar level of serviceability is required. Therefore, a reduction in investment in spare parts is accomplished due to the interchangeability of the units over the entire range of different airplanes.
As mentioned above, in order to prevent that for each newly compiled computer 500 a full certification process is needed, as was the case in the prior art systems, a number of combinations are certified, whereby each unit has a specific function or performs a specific task, and thus has specific components installed on the CBA 530, 540, 550 to perform the specific function determined for, e.g., an avionics application. Once each of these units in combination with a top-level unit is certified, they are interchangeable without the need to certify the system again in other configuration setups. This is possible because each unit, together with a top-level unit 520, functions as a stand-alone system, in which each individual unit is individually addressable by the top-level unit 520 and the power supply for all units in a stacked configuration is provided in the top-level unit 520. Combining one of the certified stand-alone systems with another certified stand-alone system does not require synergies between the different systems, and no interaction is needed between the different units. As will be explained further below, each system is independent of the other systems and has no impact or influence on another system in the stack. So, if a specific stand-alone unit is certified, there is no need to re-certify the combination again if it is built into a new system, due to the fact that no synergies are needed between the different units.
An additional video interface unit 623 can be added to the example of
Alternatively, the connectors 665, 668 between the CBA 650, the CBA 660 and the CBA 662 can be duplicated as is also possible in the example of
Although in the example of
In any case, the total system will only have two types of units: the basic unit and the edge unit. Depending on the needs, this edge unit could be repeated multiple times in the system.
Other systems are also possible and may be built with specific components depending on the functionality intended for this particular unit. Important to realize is that each new system which is certified, will always be certified in combination with a top-level unit 620. Each additional second-level unit can be provided with its own dedicated I/O interfaces to be able to receive inputs and send out outputs without the need to use the I/O interfaces of the top-level unit 620. Each second level unit will also be provided with at least one dedicated interface to provide for a connection between the top-level unit 620 and the addition second level unit to allow power supply and a communication between the top-level unit 620 and the additional unit.
So, to be able to create a new functional system according to the present invention, it is necessary to test and certify the top-level unit as a stand-alone unit, and each combination of a top-level unit with at least one unique additional second-level unit, against the certification requirements. Although not necessary, it is also possible to certify a multi-layer combination, meaning a combination of more than one additional unit, and have them certified as a complete unit. Although this is possible, it is not necessary, as long as each additional unit in the combination is certified in combination with a top-level unit, and with the condition that there is no synergy between the additional units. If, however, for some reason a synergy exists between the additional units, then a certification is needed for a system having a top-level unit and the additional units between which the synergy exists.
Once the different types of systems are certified with the specific components and layouts for each system, these systems can be used in a modular approach to construct hybrid systems. Such a hybrid system can be a combination of any of the above described exemplary systems. If, e.g., a computer is required having a unit with mass storage and video capabilities, it is straightforward to build a three-level unit containing a basic unit as shown in
In order for airborne electronic systems to be certified, they have to comply with several certification standards. Currently, the two most important ones for hardware systems are the environmental qualification standard DO-160 and the Airborne Electronic Hardware design certification standard DO-254, ED-80 or AMC 20-152.
As was also the case for the prior art certification process, the certification process of the present invention depends on the chosen components, usage of these components, the architecture in which these components are used and the usage of programmable logic. However, in the present invention, when the certification process is implemented on unit level, all certification artifacts can be reused for the system in which the unit will be integrated. Therefore, it is important that requirements are captured on the level of the unit and that no change in requirements is needed when integrating the unit in different systems.
For example, when the basic system has gone through full AMC 20-152/DO-254/ED-80 certification, other systems can fully reuse this certification data because the function provided by this particular unit is identical in each system in which it will be integrated.
For the environmental qualification it will be more complex to reuse qualification data because it will not always be possible to split the qualification to unit level. However, once qualification has been completed on one system, most of the test results could be reused for other derived systems. The most important environmental tests are tests relating to power input, voltage spike/lightning susceptibility/ESD, induced signal susceptibility, temperature and altitude, fungus resistance, salt fog, RF emission/susceptibility and vibration/shock and crash safety. Although these tests can change over time, depending on the requirements imposed by governmental organizations, they are briefly explained below, together with the extent to which they affect the need to re-certify or not.
The circuitry for the power input is part of the top-level unit and is identical for all systems in the family. Therefore, reuse of the qualification data is possible if the power input remains the same for all systems.
The circuitry to protect the system against lightning, voltage spike or ESD is part of the interface circuit. When reusing a unit with a certain interface, the system will provide the exact same protection against these surges as the original system. Therefore, reuse of the qualification data is possible in this case. If a different interface is used, only some or possibly none of the qualification data can be reused and recertification may be necessary. However, this will then result in a new unit, with the same functionality as the comparable unit, but with the difference that a different interface is used between the top-level unit 620 and this additional unit to provide for the communication and power supply between the units. A reason for certifying multiple units with the same functionality but with different interfaces can be that a specific type of interface is over-dimensioned for the function this unit will have in a specific type of airplane. E.g. a unit with a 2×Gtr Lanes interface can be certified and a unit with the same functionality but now with a 4×Gth Lanes interface can also be certified. In this example, not all tests need to be repeated to become certified. Only this particular test to check if the system is protected sufficiently against lightning, voltage spike or ESD will need to be repeated.
The induced signal susceptibility depends on the connector of the system and the EMC protections of the interfaces. When reusing a unit with a certain interface and connector, the system will provide the exact same protection against induced signal susceptibility as the original system. Therefore, reuse of the qualification data is possible in this case. If a different interface and/or connector is used, only some or possibly none of the qualification data can be reused and recertification may be necessary.
The resilience against temperature and altitude depends on the choice of the components, the usage of these components (derating) and thermal design. All these factors remain the same when a unit is reused in another system.
Salt fog testing measures the effect of accelerated corrosion. The fungus test, on the other hand, verifies whether the system is adversely affected by fungi. The results of both tests depend on the material used for the connector and the housing. Since this will not change between different variants of the system, the results from these tests could be reused.
The susceptibility to external RF emission depends mainly on the design of the housing of the system. The same is valid for RF emission of the unit itself. Since the design of the housing can change between system variants, some delta qualification testing will be required. Such delta qualification testing will take less time and effort than a full qualification test. Further, because the mechanical design is similar and differs only in size, the risk of failure can be considered low, which makes it worthwhile to perform such delta testing.
The resilience against vibration and shock depends on the choice of the components, the fixation of these components and the overall mechanical design. Since the design of the housing might change between system variants, some delta qualification testing will be required. Because the mechanical design is identical apart from the size, the risk of failure can be considered low, which makes it worthwhile to perform such delta testing.
Once certification of each system is done, it will be easy to use these systems as building blocks to create a new computer as per the specifications of the client in a modular way. Since the certification can be reused, or only some delta testing is required, it is possible to build a computer which is a low SWAP solution, which is cost efficient, which can be brought to market a lot faster than the current prior art systems, and which allows for a less expensive spare parts policy.
When a specific control loop application system or computer requires additional interfaces, an additional layer or unit 521, 522 is added to the top-level unit 520. Each additional layer comprises an individual CBA 530, 540 on which specific components can be added dedicated to the specific task for which the layer is intended. If more specific tasks can be allocated to the same additional unit, additional components specifically for this additional task will be added to the same unit. Again, each additional layer or unit 521, 522 may have a dedicated interconnection board 531, 541 holding the specific I/O connectors 532, 542 needed for this particular layer. The additional units 521, 522 are connected to the top-level unit (or to each other) by the use of spacers (not shown) on their four corners, similar to the stacked configuration as illustrated in
Each additional first stack connector 533 bridging between the additional units may at least be equipped with one main type of interface, e.g. an I2C slave interface. This will allow the top-level unit 520 to communicate with each additional unit using, e.g., I2C and a unique position address (see below). Using, e.g., the I2C interface will allow the top-level unit to detect which additional interfaces are used in the first stack connector 533 and identify what other interfaces are supported by the additional units 521, 522. It is, however, possible for the first stack connector 533 to only contain the main interface, being in this example the I2C interface.
If an SPI interface is available, it can work in a single mode, while in the case of QSPI it is able to work in a quad mode. Selecting between SPI and QSPI will depend on the required bandwidth. The PCIe will be operable between 1 and 4 lanes, a selection which will again be made depending on the required bandwidth. Currently available technology allows up to a bandwidth of 5 GT/s per lane. All of this kind of information will be made available by the additional units 521, 522 using their main interface (e.g. I2C) such that the top-level unit 520 can identify which kind of interface it can use to communicate with which additional unit 521, 522.
For instance, if a particular layer or unit requires only a low bandwidth between the top-level unit 520 and the particular additional unit 521, e.g. I2C can be used as a communication bus by the stack connector between the top-level unit 520 and the additional unit 521. For the majority of the applications, such a communication bus will be sufficient. If this is sufficient for the particular application, the computer of the present invention does not require additional (costly) interfaces. However, if the required bandwidth needs to be high to provide a specific additional unit 522 with the required information, another type of communication bus which is also part of the first stack connector 533, 543 can be used, such as e.g. a 4 lane PCIe gen 2 communication bus. While this would be more costly, the cost will only occur in applications where this particular functionality is needed.
Additionally, at least one second stack connector 534, 544 can be installed between the units and has the function to allow the top-level unit 520 to automatically detect how many units or layers 521-524 there are in the total system 500 and for each additional unit 521-524 to detect its position in the stack as will be discussed further in relation to
The first stack connector 533 and second stack connector 534 are connectors which consist of a first (e.g. female) part 533′, 534′ installed on one side of the CBA of the additional unit 522, while a second (e.g. male) part 533″, 534″ is installed on one side of the CBA of the additional unit 521. When stacking these two additional layers on top of each other, the two parts 533′, 534′ and 533″, 534″ will be aligned and the female part will be pushed inside the male counterpart, thus connecting the two halves with each other and establishing a connection between the two additional units.
Similarly, the stack connectors 543 and 544 are connectors which consist of a first (e.g. female) part 543′, 544′ installed on one side of the CBA of the additional unit 521, while a second (e.g. male) part 543″, 544″ is installed on one side of the CBA of the top-level unit 520. When stacking these two layers on top of each other, the two parts will be aligned and the female part will be pushed inside the male counterpart, thus connecting the two halves with each other and establishing a connection between the two units.
The same applies to the stack connectors of
In order for the top-level unit 520 to be able to communicate with the additional layers or units 521, 522 according to the preferred method of the invention, a number of steps are needed when starting up the modular control loop application system or computer 500. After providing power to the control loop application system, the next step is the detection and determination of the total number of units 520, 521, 522 in the system by the top-level unit 520. The following step is allowing each unit 520, 521, 522 to detect and determine its position in the stack and, in the next step, each unit 521, 522 uses this position information to identify to the SoM or processor of the top-level unit 520 which unique I2C slave address to use according to the detected position in the stack. The top-level unit 520, and more particularly the SoM, will know, from the number of detected units 520, 521, 522 and their position in the stack, which protocol to use, which unique I2C addresses to use to send out information to the additional units, and from which I2C addresses to expect information. The link between the position in the stack, and thus the position information, and the corresponding unique I2C slave address is embedded in a library in the top-level unit and in each additional unit. This will allow the individual units and the top-level unit to identify the necessary I2C slave address. So, which I2C addresses to use according to the number of additional units is embedded in the top-level unit, and which I2C address to use depending on its position in the stack is embedded in each additional unit. When the top-level unit has identified the number of additional units in the stack and knows the location of the particular unit, it will identify which I2C slave address it will use, depending on the information provided in the library. E.g. 
a first additional unit located on position 1 in the stack will, according to the library embedded in the top-level unit and additional units, always use I2C slave address No. 1 to communicate with the top-level unit and vice versa. A second additional unit located on position 2 in the stack will always use I2C slave address No. 2 to communicate with the top-level unit and vice versa, the third additional unit located on position 3 in the stack will always use I2C slave address No. 3 to communicate with the top-level unit and vice versa, etc. However, each additional unit will need to be able to identify its respective position in the stack, because this will determine which I2C address can be used by this additional unit. Each additional unit will use this I2C address to send information (e.g. about its functionality, or unit-specific data) to the top-level unit. Likewise, the top-level unit will thus know which specific I2C address (with or without the offset) to use to send specific information to a specific additional unit, without the need to know its position in the stack. Although some of the above steps are described as sequential steps, this is not necessary. The detection of the position and the detection of how many additional units are provided in the stack can be done simultaneously.
The above steps will be explained further using the
Starting with
So, in the case of
In
Now, with the top-level unit 520 and additional unit 521 stacked on each other and as such forming a new computer, as soon as the computer is turned on, a current will start to flow through the available ports of the connector 544. The top-level unit 520, and more particularly the SoM, is now able to identify itself as the lowest unit in the stack, since only the “0” pin of the position connectors 544″ is grounded. Also, when looking at the second set of male connectors, one of the pins is grounded, indicating that one additional unit 521 is connected with this top-level unit 520. When looking at the additional unit, this unit will detect that there are no grounded presence detection pins of its stack connector 534″, meaning that there are no additional units placed on top of this additional unit. When looking at the pins identifying the position in the stack, it will see that only the “1” pin of the position connectors 534″ has become grounded, meaning that this unit is located on position 1 in the stack. Following, or alternatively simultaneously, the SoM of the top-level unit 520 will send out an I2C signal over the stack connector 543 (via the connected stack connectors 534′ and 534″) to the above unit following a bus protocol, in which the top-level unit enquires with the additional units what type of unit they are and what their function is. When no additional unit is present in the stack, as is the case in the example of
Now, turning to
Similar to the starting up of the computer of
Following, or alternatively simultaneously, the SoM of the top-level unit 520 will send out an I2C signal over the stack connector 543 to the above unit following a bus protocol, in which the top-level unit enquires with the additional units what type of unit they are and what their function is. The connector 543 continues to send the I2C signal via the stack connector 533 to the above unit. In the present case, there are two additional units 521, 522 installed, and a reply will be sent back over the same stack connector 543 from the first additional unit 521 to the top-level unit 520, and from the second additional unit 522 via stack connector 533 and stack connector 543 to the top-level unit 520, with information about the function of these additional units 521, 522. The SoM of the top-level unit 520 is now able, with the information received via the stack connectors 543 and 533, to identify which protocol and/or I2C address it needs to use to address these particular units during normal operation. In the library of the SoM, this protocol and/or I2C address is stored, which will allow the SoM to identify which I2C address needs to be used to address the particular unit. Once the top-level unit 520 knows which I2C address to use, normal operation of the computer can continue.
As mentioned before, each additional unit is able to detect its respective position in the stack. This is relevant in case the same I2C address or internal interface needs to be used by the top-level unit to address this particular additional unit. E.g. in the example of
Due to the above start-up method, the presence of these libraries in the top-level unit and additional units, and the fact that there are no synergies between the additional units, it is possible to replace a defective unit in the stack with an identical unit, to reposition the units in the stack, to replace them with units having other functions, or to remove units from the stack without the need to pre-program and re-certify each possible combination again. Each additional unit is able to identify its position in the stack, look up the offset the top-level unit will use when sending a signal and identify, via this offset, whether the signal is actually intended for the additional unit or not. The top-level unit in turn will only need to be able to identify the protocol and interfaces it needs to use to address each additional unit, and which offset to use when addressing this additional unit. It does not need to know the exact position in the stack of each additional unit.
In an alternative embodiment of the present invention, the top-level unit 520 may also be able to detect the number of additional units 521, 522 and identify the functionality of each additional unit 521, 522 by sending out a detection signal on each I2C address known by the top-level unit 520. For this, each respective additional unit will need to have a designated I2C address allocated to it, and when receiving this detection signal over its allocated I2C address, will send an identification signal back to the top-level unit. After receiving the identification signal from the respective additional unit, the top-level unit will know which I2C address to use to address a specific additional unit. The potential disadvantage of such a method is that the top-level unit 520 will need to send out the detection signal on each I2C address and wait for a reply on these addresses. If no feedback is received, there will be a timeout, which indicates that there is no unit present at this I2C address. In the preferred method of the invention to identify which I2C addresses to use, such timeout communication is not needed to start the computer, which results in a saving of time when starting the computer. However, this alternative embodiment may be adopted without departing from the present approach.
Another alternative method of starting up a system according to the present invention is shown in
In order to detect the number of units in the stack, when starting the computer, position signals are sent out by the additional units 521-524 in their respective channel A (see
Now, three different position signals are received by unit 521, which in this example is placed directly underneath the top-level unit 520. As was the case with the lower level units 522 and 523, the position signals from the lower level units 522, 523 and 524 are shifted one channel by the internal routing in the CBA of the unit 521, so that the position signal from unit 522 is shifted from the channel A to the channel B, the position signal from unit 523 is shifted from channel B to channel C and the position signal from unit 524 is shifted from channel C to channel D. Unit 521 will in its turn send out a position signal on channel A.
Now, the top-level unit 520 will scan its respective channels, will have received 4 position signals on its channels A, B, C and D and will determine that there are four additional and active units 521-524 in the system 500 by counting how many position signals are grounded or received by the top-level unit 520. The detection of the number of units in the system is thus realized by allowing each unit in the system to shift the bottom-to-top position signal by one position due to an internal routing in the CBA of the units (so from channel A to channel B to channel C to channel D in the example of
Once the number of additional units is determined, the position of each of these additional units 521-524 in the stack needs to be detected by the additional unit 521-524 itself. This is accomplished by sending out a single grounding signal by the top-level unit 520 on a downward channel Z to the below unit 521 (see
Upon detection by each unit 521-524 of its unique position in the stack, each unit will generate a unique I2C slave address. A convention is stored in a library in the top-level unit 520 and in the additional units 521-524, which will allow the units to determine which position in the stack corresponds to which specific I2C slave address. These I2C slave addresses can now be used by the top-level unit 520 to address the specific unit. It is not necessary for the top-level unit to know which additional unit corresponds to which I2C slave address. The top-level unit simply needs to know which channels are used, so that it is avoided that the top-level unit sends out information on an unused I2C slave address or tries to read from this channel. Finally, the additional units 521-524 will send information about the functionality of the additional unit over the I2C slave address to the top-level unit 520. Once all units have determined their individual addresses and used this individual address to send the functionality information to the top-level unit 520, the initiation process is finished and the computer 500 is ready to be used. The individual addresses thus allocated by the preferred and alternative method allow the top-level unit 520 to address all units 521-524 without any address overlap and without the need to have complicated and expensive interfaces.
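The following is an added illustration, written for this page and not part of the patent specification, of the start-up sequence described in the preceding paragraphs and of the position-to-address convention introduced earlier: each additional unit asserts a position signal on channel A and shifts the signals from the unit below by one channel so that the top-level unit can count units on channels A to D; the top-level unit grounds a single downward channel Z from which each unit derives its position; and a stored convention turns the position into a unique I2C slave address. The assumption that the downward signal is shifted by each unit in the same way as the upward one, the address base 0x10, the four-channel limit and all function names are choices of this example, not statements of the patent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_UNITS     4     /* upward channels A..D; downward channels Z..W (assumed) */
#define I2C_ADDR_BASE 0x10  /* assumed convention in the "library": address = base + position */

/* What one additional unit determines about itself during start-up. */
typedef struct {
    int     position;   /* 1 = directly under the top-level unit, 0 = not determined */
    uint8_t i2c_addr;   /* slave address derived from the position */
} unit_state_t;

static unit_state_t g_units[MAX_UNITS];  /* index 0 = stack position 1 */

/* Internal routing of one additional unit on the upward bus: every position signal
   arriving from the unit below is shifted by one channel (A->B, B->C, C->D) and the
   unit asserts its own position signal on channel A. */
static void route_upward(const bool *from_below, bool *to_above)
{
    for (int ch = MAX_UNITS - 1; ch > 0; ch--)
        to_above[ch] = from_below[ch - 1];
    to_above[0] = true;
}

/* Assumed mirror image on the downward bus: the single grounding signal from the
   top-level unit is passed down shifted by one channel, so the unit at stack
   position k finds it on channel index k-1. */
static void route_downward(const bool *from_above, bool *to_below)
{
    for (int ch = MAX_UNITS - 1; ch > 0; ch--)
        to_below[ch] = from_above[ch - 1];
    to_below[0] = false;
}

/* Convention stored in every unit: stack position -> unique I2C slave address. */
uint8_t i2c_addr_for_position(int position)
{
    return (uint8_t)(I2C_ADDR_BASE + position);
}

/* Simulates the start-up sequence for a stack of n additional units.
   Returns the number of active units the top-level unit counts on channels A..D,
   or -1 if the request exceeds what four channels can carry. */
int simulate_startup(int n)
{
    if (n < 0 || n > MAX_UNITS) return -1;
    memset(g_units, 0, sizeof g_units);

    /* Downward pass: the top-level unit grounds channel Z; each unit reads, then forwards. */
    bool down[MAX_UNITS] = { true, false, false, false };
    for (int pos = 1; pos <= n; pos++) {
        for (int ch = 0; ch < MAX_UNITS; ch++)
            if (down[ch]) g_units[pos - 1].position = ch + 1;
        g_units[pos - 1].i2c_addr = i2c_addr_for_position(g_units[pos - 1].position);
        bool next[MAX_UNITS];
        route_downward(down, next);
        memcpy(down, next, sizeof down);
    }

    /* Upward pass: start at the bottom unit (nothing below it) and shift upwards. */
    bool up[MAX_UNITS] = { false, false, false, false };
    for (int pos = n; pos >= 1; pos--) {
        bool next[MAX_UNITS];
        route_upward(up, next);
        memcpy(up, next, sizeof up);
    }
    int count = 0;
    for (int ch = 0; ch < MAX_UNITS; ch++) count += up[ch] ? 1 : 0;
    return count;
}

/* Accessors for the result table (1-based stack position). */
int     unit_position(int pos) { return (pos >= 1 && pos <= MAX_UNITS) ? g_units[pos - 1].position : -1; }
uint8_t unit_i2c_addr(int pos) { return (pos >= 1 && pos <= MAX_UNITS) ? g_units[pos - 1].i2c_addr : 0; }

/* Consistency check the top-level unit can apply before normal operation: the counted
   number of units must match the positions reported, and no two units may share an address. */
bool startup_consistent(int count)
{
    if (count < 0) return false;
    for (int i = 0; i < count; i++) {
        if (g_units[i].position != i + 1) return false;
        for (int j = 0; j < i; j++)
            if (g_units[j].i2c_addr == g_units[i].i2c_addr) return false;
    }
    return true;
}

int main(void)
{
    int count = simulate_startup(3);
    printf("top-level unit counts %d additional unit(s), consistent=%d\n", count, startup_consistent(count));
    for (int pos = 1; pos <= count; pos++)
        printf("  position %d -> I2C slave address 0x%02X\n", unit_position(pos), unit_i2c_addr(pos));
    return 0;
}
```

The count from the upward channels and the positions from the downward channel are obtained independently, which is why the consistency check is worth keeping: a stack connector that passes the upward signals but not the downward one would show up as a count that does not match the highest reported position, rather than as two units silently answering on the same slave address.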
As an example, the top-level unit 520 may hold an I2C master device, a QSPI master device supplemented with 4 chip selects and a 4-lane PCIe gen 2 (root complex) device. The other units 521, 522 may hold an I2C slave device, 0 to 4 SPI slave device(s) and 0 to 4 lane PCIe gen 2 (end point) device(s). Since the top-level unit 520 holds 4 chip selects, the top-level unit is able to communicate with 4 SPI slave devices via the 4 different chip selects. Such a setup will allow a maximum of 4 additional units each containing 1 SPI slave device, 1 unit containing 4 SPI slave devices, or any other combination having in total a maximum of 4 SPI slave devices. The same goes for the PCIe slave devices. Each combination is possible, as long as it does not exceed a total number of 4 PCIe slave devices.
Every unit will communicate via the I2C interfaces of the bridging stack connectors 543, 533 how many lanes or slaves the unit is using to the top-level unit 520. Those units which do not use e.g. the SPI interface will simply loop the SPI interface to the next unit. So, if only the bottom unit is using the SPI interface, the units in between will loop their respective (inactive) SPI interface to the one below such that a connection can be assured between the top-level unit 520 and the bottom unit 532. Units which do use the SPI interface will always use the first available chip select (position A: see
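As an added example (not code from the patent or its applicant), the following models how the top-level unit could turn the per-unit reports received over the I2C main interface into an allocation of its four chip selects and four PCIe lanes: units are handled in stack order, each unit that uses SPI takes the first chip selects still available, units that report no SPI slave are marked as looping the interface through, and a stack whose reports exceed the budget is rejected as a whole. The constructed sample stacks, the requirement that reports arrive ordered by position, and all type and function names are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_UNITS            4
#define TOP_SPI_CHIP_SELECTS 4   /* QSPI master with four chip selects in the top-level unit */
#define TOP_PCIE_LANES       4   /* four-lane PCIe gen 2 root complex in the top-level unit */

/* What each additional unit reports over its I2C main interface at start-up. */
typedef struct {
    int position;    /* 1 = directly under the top-level unit */
    int spi_slaves;  /* 0..4 SPI slave devices on this unit */
    int pcie_lanes;  /* 0..4 PCIe gen 2 end-point lanes on this unit */
} unit_report_t;

/* Resource map the top-level unit derives from the reports. */
typedef struct {
    int  cs_owner[TOP_SPI_CHIP_SELECTS];  /* stack position using chip select n, 0 = unused */
    int  lane_owner[TOP_PCIE_LANES];      /* stack position using PCIe lane n, 0 = unused */
    bool spi_loop[MAX_UNITS + 1];         /* true if the unit at that position loops SPI through */
} resource_map_t;

static resource_map_t g_map;

/* Constructed sample stacks (not measurements from a real system). */
const unit_report_t SAMPLE_STACK[3] = {
    { 1, 0, 4 },   /* position 1: no SPI, takes all four PCIe lanes, loops SPI through */
    { 2, 2, 0 },   /* position 2: two SPI slaves */
    { 3, 2, 0 },   /* position 3: two SPI slaves, the bottom unit */
};
const unit_report_t OVERSUBSCRIBED[2] = {
    { 1, 3, 2 },
    { 2, 2, 3 },   /* 5 SPI slaves and 5 lanes in total: exceeds both budgets */
};

/* Assigns chip selects and lanes in stack order: each unit that uses SPI takes the first
   chip selects still available (chip select A first); units without SPI loop the bus
   through. Reports must be ordered by position. Returns 0 on success, -1 if a report is
   out of range or the stack exceeds the top-level unit's budget (the map is then cleared). */
int allocate_resources(const unit_report_t *reports, int n)
{
    memset(&g_map, 0, sizeof g_map);
    int next_cs = 0, next_lane = 0;
    for (int i = 0; i < n; i++) {
        const unit_report_t *r = &reports[i];
        if (r->position != i + 1 ||
            r->spi_slaves < 0 || r->spi_slaves > 4 ||
            r->pcie_lanes < 0 || r->pcie_lanes > 4 ||
            next_cs + r->spi_slaves > TOP_SPI_CHIP_SELECTS ||
            next_lane + r->pcie_lanes > TOP_PCIE_LANES) {
            memset(&g_map, 0, sizeof g_map);
            return -1;
        }
        for (int k = 0; k < r->spi_slaves; k++) g_map.cs_owner[next_cs++] = r->position;
        for (int k = 0; k < r->pcie_lanes; k++) g_map.lane_owner[next_lane++] = r->position;
        g_map.spi_loop[r->position] = (r->spi_slaves == 0);
    }
    return 0;
}

/* Accessors the top-level unit would consult before driving a chip select or lane. */
int  chip_select_owner(int cs)   { return (cs >= 0 && cs < TOP_SPI_CHIP_SELECTS) ? g_map.cs_owner[cs] : -1; }
int  pcie_lane_owner(int lane)   { return (lane >= 0 && lane < TOP_PCIE_LANES) ? g_map.lane_owner[lane] : -1; }
bool spi_looped_through(int pos) { return (pos >= 1 && pos <= MAX_UNITS) ? g_map.spi_loop[pos] : false; }

int main(void)
{
    if (allocate_resources(SAMPLE_STACK, 3) == 0)
        for (int cs = 0; cs < TOP_SPI_CHIP_SELECTS; cs++)
            printf("chip select %c -> unit at position %d\n", 'A' + cs, chip_select_owner(cs));
    printf("oversubscribed stack accepted: %s\n",
           allocate_resources(OVERSUBSCRIBED, 2) == 0 ? "yes" : "no");
    return 0;
}
```

Rejecting the whole stack rather than the last unit keeps the outcome deterministic for certification purposes: the same set of units always produces the same map or the same refusal, independent of which unit happened to report last.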
Now, turning back to
When multiple units are installed as is the case in the computers of
The examples of
As an alternative (not shown), the housing of a computer—being a single layered or multi layered computer—can be designed such that multiple individual computer units can be connected to each other by having connection holes on the top and bottom of the housing. Placing e.g. two computer units on top of each other, aligning the top holes of the bottom computer with the bottom holes of the top computer, and providing connection means (e.g. bolts and nuts) in the aligned holes, will connect the two computer units with each other. Now, only the bottom computer unit needs to be connected inside the airplane.
An additional advantage of the present invention is that the computer will be able to identify at any time whether all additional units and the top-level unit itself are still active and working correctly and/or whether all connectors bridging the different units are still functioning correctly. During start-up of the computer, the top-level unit will be able to identify the number of additional units in the stack via the presence detection during start-up. In the examples of
Besides this automatic detection functionality of the units, the top-level unit is also able to perform Built-In Tests (BIT). A first type of BIT is an Integrated BIT or I-BIT, where the top-level unit will send out, at a determined point in time, a detection signal over the I2C bus to all additional units to see if all units provide feedback. If the same number of units provide feedback, all units are still functioning. If not, there is an issue with one of the units. A second type of BIT is a Power-On BIT or P-BIT. During, or shortly after starting the computer, the top-level unit can send out a detection signal over the I2C bus to all additional units to see if all units provide feedback. A third type is a continuous BIT or C-BIT, where the top-level unit is constantly sending out a detection signal.
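The following added example (not the patent's code) puts side by side the alternative embodiment described earlier, in which the top-level unit probes every I2C address and runs into a timeout on each unused one, and the BIT roll-call of this paragraph, which revisits only the addresses learned at start-up. The simulated bus, the address range 0x08 to 0x77 used for the scan (the 7-bit addresses outside it are reserved by the I2C specification), the sample addresses 0x11 and 0x12 and all function names are assumptions of the example. The roll-call also records the first address that stopped answering, which a comparison of counts alone would not reveal.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_UNITS    4
#define I2C_ADDR_MIN 0x08   /* 7-bit addresses 0x00-0x07 and 0x78-0x7F are reserved */
#define I2C_ADDR_MAX 0x77

typedef enum { BIT_POWER_ON, BIT_INITIATED, BIT_CONTINUOUS } bit_kind_t;

/* Constructed simulated I2C bus: which slave addresses currently acknowledge. */
static bool    g_present[128];
static int     g_timeouts;           /* probes that ran into the timeout */
static uint8_t g_found[MAX_UNITS];   /* addresses found by the probing scan */
static uint8_t g_last_missing;       /* first expected address that did not answer */

void bus_reset(void) { memset(g_present, 0, sizeof g_present); g_timeouts = 0; }
void bus_set_present(uint8_t addr, bool present) { if (addr < 128) g_present[addr] = present; }
int  probe_timeouts(void) { return g_timeouts; }

/* Constructed scenario: two units learned at start-up at 0x11 and 0x12; returns how many. */
int bus_setup_sample(void)
{
    bus_reset();
    bus_set_present(0x11, true);
    bus_set_present(0x12, true);
    return 2;
}

/* Simulates a unit (or the stack connector to it) failing; true if it was answering before. */
bool bus_drop_unit(uint8_t addr)
{
    bool was_present = addr < 128 && g_present[addr];
    bus_set_present(addr, false);
    return was_present;
}

/* Send a detection message to addr and wait for feedback. Simulated: true if the unit
   acknowledges, false after a counted timeout. */
static bool probe(uint8_t addr)
{
    if (g_present[addr]) return true;
    g_timeouts++;
    return false;
}

/* Alternative embodiment: the top-level unit tries every usable address and waits for a
   reply on each. Returns the number of units found (kept for discovered_addr()). */
int discover_by_probing(void)
{
    int n = 0;
    for (int addr = I2C_ADDR_MIN; addr <= I2C_ADDR_MAX; addr++)
        if (probe((uint8_t)addr) && n < MAX_UNITS) g_found[n++] = (uint8_t)addr;
    return n;
}
uint8_t discovered_addr(int i) { return (i >= 0 && i < MAX_UNITS) ? g_found[i] : 0; }

/* Built-in test: the top-level unit re-sends the detection signal only to the addresses it
   learned at start-up and compares the feedback. Returns the number of expected units that
   answered; the first silent address is kept for bit_last_missing() (0 if none). The kind
   only decides when this runs (at power-on, at a chosen instant, or continuously). */
int bit_roll_call(bit_kind_t kind, const uint8_t *expected, int n)
{
    (void)kind;
    int answered = 0;
    g_last_missing = 0;
    for (int i = 0; i < n; i++) {
        if (probe(expected[i])) answered++;
        else if (g_last_missing == 0) g_last_missing = expected[i];
    }
    return answered;
}
uint8_t bit_last_missing(void) { return g_last_missing; }

/* Constructed expected address list, as it would come out of the start-up detection. */
const uint8_t EXPECTED_UNITS[2] = { 0x11, 0x12 };

int main(void)
{
    bus_setup_sample();
    printf("probing found %d unit(s) after %d timeouts\n", discover_by_probing(), probe_timeouts());
    bus_drop_unit(0x12);
    int ok = bit_roll_call(BIT_CONTINUOUS, EXPECTED_UNITS, 2);
    printf("C-BIT: %d of 2 answered, first missing 0x%02X\n", ok, bit_last_missing());
    return 0;
}
```

With two units present, the full scan pays 110 timeouts before it has found both, whereas the roll-call over the learned addresses pays none while the stack is healthy and exactly one per failed unit afterwards; that difference is the start-up time saving the text attributes to the preferred method.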
As will be appreciated by one of skill in the art, aspects or portions of the present approach may be embodied as a method, system, and/or process, and at least in part, on a computer readable medium. The computer readable medium may be used in connection with, or to control and/or operate, various pneumatic, mechanical, hydraulic, and/or fluidic elements used in systems, processes, and/or apparatus according to the present approach. Accordingly, the present approach may take the form of a combination of apparatus, hardware and software embodiments (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present approach may include a computer program product on a computer readable medium having computer-usable program code embodied in the medium, and in particular control software. The present approach might also take the form of a combination of such a computer program product with one or more devices, such as a modular sensor brick, systems relating to communications, control, an integrated remote control component, etc.
Any suitable non-transient computer readable medium may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the non-transient computer-readable medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a device accessed via a network, such as the Internet or an intranet, or a magnetic storage device. Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any non-transient medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
Computer program code for carrying out operations of the present approach may be written in an object-oriented programming language such as Java, C++, etc. However, the computer program code for carrying out operations of the present approach may also be written in conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
The present approach may include computer program instructions that may be provided to a processor of a general-purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a non-transient computer-readable memory, including a networked or cloud accessible memory, that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to specially configure it to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
Any prompts associated with the present approach may be presented and responded to via a graphical user interface (GUI) presented on the display of the mobile communications device or the like. Prompts may also be audible, vibrating, etc.
Any flowcharts and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present approach. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the approach. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the claims of the application rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Number | Date | Country | Kind |
---|---|---|---|
BE2021/5416 | May 2021 | BE | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2022/025236 | 5/20/2022 | WO | |