DEVICE FOR CONTROLLING AN AIRCRAFT ENGINE COMPRISING TWO REDUNDANT CONTROL CHANNELS

Abstract

The invention relates to an engine control device comprising a first control channel (V1) and a second control channel (V2), each control channel comprising a first sensor (CAV1, CAV2) and a second sensor (CBV2, CBV2), each configured to provide, respectively, a first measurement (A) and a second measurement (B) to each channel, each of the channels having an active or passive state defining an active channel (V1) or a passive channel (V2), the active channel (V1) being designed to control at least one actuator (ACT) of the engine while the passive channel (V2) is designed to take over for the active channel if the latter fails.

Claims

1. A device for controlling an engine, the engine comprising a first control channel (V1) and a second control channel (V2), each control channel comprising a first sensor (CAV1, CAV2) and a second sensor (CBV2, CBV2), each first and second sensor being configured to supply a first measurement (A) and a second measurement (B) to the first control channel and to the second control channel respectively, each of the first and second channels comprising an active or passive state defining an active channel (V1) or a passive channel (V2), the active channel (V1) being intended to drive at least one actuator (ACT) of the engine whereas the passive channel (V2) is intended to take over on the active channel in the event of malfunction of the active channel, the device being such that each first and channel (V1, V2) comprises: a unit (UC1, UC2) for configured to consolidate measurements, the unit receiving as input the measurements coming from the first and second channels by way of at least one inter-channel communication link (LCOM) in such a way as to obtain a consolidation parameter, at least one unit (UT1, UT2) configured to process at least one command (C.sub.V1, C.sub.V2) of at least one actuator of the engine (ACT), the device being in a nominal operation in which the unit (UT1, UT2) of the first channel and of the second channel for computing each first and second channel (V1, V2) computes the command (C.sub.V1, C.sub.V2) as a function of the consolidation parameter and of the command computed at the previous computing time, the actuator being driven by the active channel, the device being in a failsafe operation, in the event of interruption of the communication link (LCOM), in which the unit (UT2) for computing the passive channel computes the command (C.sub.V2) as a function of the command (C.sub.V1) computed by the active channel (V1) at the previous computing time.

2. The device for controlling an engine as claimed in claim 1, wherein each the first channel and the second channel (V1, V2) comprises a process-monitoring unit (US1, US2) configured to detect a difference in the value of the command (C.sub.V1, C.sub.V2) computed by the first channel and the second channels (V1, V2).

3. The device for controlling an engine as claimed in claim 2, wherein the process-monitoring unit (US1, US2) is configured to temporarily or definitively disable the passive channel (V2) if a difference in the value of the command (C.sub.V1, C.sub.V2) computed by the first and the second channels (V1, V2) is detected.

4. The device for controlling an engine as claimed in claim 1, wherein the consolidating unit (UC1, UC2) takes an average of the values measured by the first and the second channels (V1, V2).

5. The device for controlling an engine as claimed in claim 1, wherein the processing unit (UC1, UC2) of each channel (1, V2) performs a computation requiring at least one result computed by itself at a previous time increment.

6. The device for controlling an engine as claimed in claim 1, wherein the processing unit (UT1, UT2) of each of the first channel and the second channel performs a computation requiring at least one intermediate result computed by itself at a previous time increment.

7. The device for controlling an engine as claimed in claim 5, wherein the failsafe operating mode is enabled for a period corresponding to the duration of the interruption of the at least one inter-channel communication link (LCOM).

8. The device for controlling an engine as claimed in claim 6, wherein the failsafe operating mode is enabled for a period corresponding to the time between the computing of an intermediate value and the furthest-away time during which a computation uses this value as initial datum.

9. The device for controlling an engine as claimed in claim 1, wherein the failsafe operating mode is enabled for a predetermined time period estimated by communication link fault tests.

10. The device for controlling an engine as claimed in claim 2, wherein the process-monitoring unit (US1, US2) is configured to definitively disable the passive channel (V2) if a difference in the value of the command computed by the two channels (V1, V2) is detected immediately after the end of the failsafe operating mode.

11. The device for controlling an engine as claimed in claim 1, wherein when one of the two channels (V1, V2) is waiting to receive measurements coming from the other channel, said other channel (V1, V2) performs in advance the next scheduled computations not requiring any measurement coming from the second channel, of which it does not have the use at this time.

Description

OVERVIEW OF THE FIGURES

[0032] Other features, aims and advantages of the invention will become apparent from the following description, which is purely illustrative and non-limiting, and which must be read with reference to the appended drawings wherein:

[0033] FIG. 1 illustrates an example of a device for controlling an engine including two channels according to an embodiment of the invention;

[0034] FIG. 2 illustrates an exemplary embodiment of a processing unit of the control device according to the invention;

[0035] FIGS. 3 to 5 schematically illustrate processing steps implemented in the control device.

[0036] In all the figures similar elements bear identical reference numbers.

DETAILED DESCRIPTION OF THE INVENTION

[0037] FIG. 1 illustrates a device for controlling an engine according to an embodiment of the invention. The engine is preferably that of an aircraft such as a turbomachine.

[0038] The control device comprises two control channels: a first control channel V1 and a second control channel V2.

[0039] Each control channel V1, V2 makes it possible to drive at least one actuator ACT as a function of a computed command or setpoint C.sub.V1, C.sub.V2. In operation only one of the two channels drives the actuator ACT. This is the active channel. The other channel is considered as passive and makes it possible to take over on the active channel if said active channel has a malfunction.

[0040] Each control channel V1, V2 receives as input quantities A, B to be measured, on the basis of which the command of the actuator ACT is computed. These quantities are for example: temperature etc.

[0041] In the example illustrated in FIG. 1, each channel receives two different quantities A, B to be measured, each channel measuring the same quantities. In particular, for each channel V1, V2 these quantities are measured by different or identical sensors: [0042] For the first channel V1: a first measurement MAV1 of the first quantity A is measured by a first sensor CAV1 and a second measurement MBV1 of a second quantity B is measured by a second sensor CBV1. [0043] For the second channel V2: a first measurement MAV2 of the first quantity A is measured by a first sensor CAV2 and second measurement MBV2 of the second quantity B is measured by a second sensor CBV2.

[0044] The sensors used depend on the quantities measured: a temperature sensor for the temperature etc.

[0045] In order to determine a command C.sub.V1, C.sub.V2 each channel will perform a certain number of processing actions on the measurements taken.

[0046] In particular, each channel comprises a consolidating unit UC1, UC2 making it possible to unify data measured by the sensors of each of the two channels by a consolidation process, for example by taking an average of the values measured by the sensors of each of the two channels.

[0047] As will be understood, there is an exchange of data between the channels V1, V2 by means of an inter-channel communication link LCOM.

[0048] For each channel, the result of the consolidation is then used by a processing unit UT1, UT2 which will compute the setpoints C.sub.V1, C.sub.V2 for the actuator ACT. Advantageously, the processing unit UT1, UT2 can use as input data the commands computed at one or more previous computing times as well as intermediate results computed at one or more previous computing times. In this case, the processing unit may comprise a first computing module MOD1 and a second computing module MOD2: one of them performs the first part of the computations, and the second performs the computations requiring the intermediate computations performed previously (see FIG. 2). The data coming from the first module are retrieved by the second module with a delay, typically of 1 to 4 computing times.

[0049] Under normal operation, the setpoints C.sub.V1, C.sub.V2 computed by each of the channels are identical. To ensure that this is indeed the case, each channel also comprises a monitoring unit US1, US2, in charge of checking that the computed commands C.sub.V1, C.sub.V2 are indeed identical. To be able to perform this comparison of the computed commands, the monitoring unit US1, US2 receives the commands computed by the channel to which it belongs, as well as those computed by the other channel via a communication link LVER2, LVER1.

[0050] When a difference is detected between the two computed commands C.sub.V1, C.sub.V2, self-test mechanisms of the processing units UT1, UT2 make it possible to identify where the errors may come from and disable one of the channels which in this case does not escalate information to the other channel. In this case, it is possible to select the channel that will be in the “active” state or in the “passive” state, and to disable the one which is in the “passive” state.

[0051] As mentioned in the introduction, this is because the control channels V1, V2 each have an “active” or “passive” state indicator. This makes it possible to determine which channel effectively controls the actuator(s) ACT of the engine. These states are exclusive: the two channels V1, V2 cannot be in the same state, one must be active and the other passive.

[0052] On the other hand, if the source of the error is not detected by the self-test mechanisms of the processing units, the passive voice is always disabled. The redundancy provided by it is then lost. As will be understood, when this happens it is possible for a channel to be disabled when it does not have a problem, since the problem may come from the at least one inter-channel communication link LCOM. Consequently, rather than disabling the passive channel and supposing that the problem comes from the inter-channel communication link LCOM, the control device will exhibit a failsafe operating mode in which the commands computed by the processing units UT1, UT2 will be transmitted. In particular, this transmission is done from the active channel to the passive channel. It makes it possible, when the computations performed by the processing unit are based on results computed in a previous time increment, to unify the input data of the computing units of the two channels in order to allow the convergence of the commands after a certain number of time increments.

[0053] Advantageously, for a processing unit the computing time is set to a duration t, for example between 5 and 50 ms, typically t=15 ms, which is limited and the exceeding of this duration gives rise to an exception of the processing unit and the disabling of the channel concerned by the exception. It is therefore necessary to be careful as regards the computing load executed on the processing unit. In the event of an interruption in the communication link between the channels V1, V2, it is necessary, on re-establishment of the inter-channel communication link LCOM, to follow the mechanisms for transmitting the computed commands to ensure the reconvergence of the computations. This gives rise to a computing overload of the processing unit. It is therefore necessary to optimize the duration of the exchanges and the ordering of the computations to comply with the time constraints of the processing unit.

Exemplary Embodiment of the Failsafe Operation of the Control Device According to a Preferred Embodiment of the Invention

[0054] Such an example is illustrated in FIGS. 3 to 5. The example shown is that of a computation taking into account only a result at the previous time increment

t=i−1

in this example, let

C.sub.V1(0)=C.sub.V2(0).

As long as the system does not undergo any fault in the inter-channel link, the computations take place as illustrated in FIG. 3. Furthermore, in this example, the channel V1 is the active channel while the channel V2 is the passive channel.

[0055] To determine the command to be applied to the actuator ACT at a time increment

t=i

computations are made on the basis of the data measured by the sensors associated with the control channels. In a simplified example, the following computations are performed:

C.sub.V1(i)=C.sub.V1(i−1)+average(i)

C.sub.V2(i)=C.sub.V2(i−1)average(i)

with:

[00001]$\mathrm{average}\left(i\right)=\frac{\left(\mathrm{MAV}1\left(i\right)+\mathrm{MAV}2\left(i\right)\right)}{2}+\frac{\left(\mathrm{MBV}1\left(i\right)+\mathrm{MBV}2\left(i\right)\right)}{2}$

[0056] Which corresponds to FIG. 2 where the operators OP1, OP2 are for example sums of the two terms taken as input. Other operators may also be envisioned.

[0057] It is obvious here that after the computations described previously, in the context of a nominal operating rating, if one agrees that in the previous computing increment one does indeed have:

C.sub.V1(i)=C.sub.V2(i)

, then in the current computing increment, the following equality is indeed verified:

C.sub.V1(i+1)=C.sub.V2(i+1)

[0058] On the other hand, when an interruption occurs on the inter-channel communication link at a time

j

[0059] the consolidating units are no longer able to exchange the data measured by the sensors connected to their respective channels. The computations performed by the processing unit then occur as shown in FIG. 4: each of the two channels performs the computations given previously in the consolidating step (here the average). The processing unit therefore performs the following computations:

C.sub.V1(j)=C.sub.V1(j−1)+MAV1(j)+MBV1(j)

C.sub.V2(j)=C.sub.V2(j−1)+MAV2(J)MBV2(j)

[0060] However, the data of the same kind measured by the sensors of each of the two channels are in practice always different (this is why consolidation is necessary). This gives:

MAV1(j)+MBV1(j)≠MAV2(j)+MBV2(j)

[0061] And in this case the commands computed by the two channels are no longer identical:

C.sub.V1(j)≠C.sub.V2(j)

[0062] This divergence of the computed commands is detected as an error by the monitoring units. In addition, even if the link is re-established, the previous computations being different after processing, the computed commands will remain different from one channel to the other.

[0063] To palliate this problem, the solution consists in sending the results computed by the active channel (in this example the channel V1) to the passive channel (in this example channel V2) when the link is re-established at a time

k

[0064] as shown in FIG. 5. The computations made here are as follows:

C.sub.V1(k+1)=C.sub.V1(k)+average(k+1)

C.sub.V2(k+1)=C.sub.V1(k)+average(k+1)

Hence:

C.sub.V1(k+1)=C.sub.V2(k+1)

[0065] Note that the values of the commands C.sub.V1, C.sub.V2 are identical to the re-establishment of the inter-channel communication link LCOM.

Possible Example of Implementation

[0066] By way of example the processing units of each of the two channels may be split into two modules MOD1, MOD2 as illustrated in FIG. 2. In this case, the computations made are based on several previous results. More precisely, the computations made use the results of the 4 previous commands as well as the intermediate results coming from the 3 previous computing times. In such a case, it is therefore necessary to exchange the commands computed during several computing times, to optimize as much as possible the duration of these exchanges which are expensive in computing time. These must be performed during the shortest time possible: [0067] when one or more previous commands are used as input of the processing units with a delay time

r.sub.1,

[0068] measured in number of computing times, the commands must be transmitted from the active channel to the passive channel during a number of computing times equivalent to the duration of the interruption of the link [0069] when one or more previous intermediate results are used with a delay

r.sub.2

[0070] the commands must be transmitted from the active channel to the passive channel during

r.sub.2

[0071] computing increments.

[0072] In addition, in order to satisfy the real-time system requirements specific to any on-board control device, the duration of each cycle cannot exceed a predetermined duration, for example 15 ms, so it is necessary to optimize the order of the operations added to continue to comply with this constraint. To do this, the ordering of the tasks performed by the processing units is modified in order to perform computations when these are awaiting the reception of data over a data link. In this way computing time is freed up: [0073] In nominal operating mode, in the absence of any fault; [0074] In failsafe operating mode, during the communication fault; [0075] In failsafe operating mode, after the feedback of the inter-channel link, during the exchange of data from the active channel to the passive channel.

[0076] This freed-up computing time thus makes it possible to comply with the imposed time constraints and to perform additional self-tests to detect a malfunction of a component of one of the two channels.