Method of error detection of an aircraft flight management and guidance system and high-integrity flight management and guidance system

Abstract

A method of error detection of a flight management system coupled with a guidance of an aircraft according to a flight plan, comprises the steps of: generating a first reference guidance order, monitoring the integrity of the first reference position, when the first reference position is not monitored as being dependable: invalidating the first FMS assembly and the associated guidance system, when the first reference position and the first reference trajectory are monitored as being dependable: generating a first monitoring guidance order, generating a first reference flight control, generating a first monitoring flight control, in monitoring the integrity of the first reference guidance order when the first reference guidance order is not monitored as being dependable: invalidating the first FMS assembly and the associated guidance.

Claims

1. A method of error detection of a flight management system coupled with a guidance of an aircraft according to a flight plan, comprising the steps of: generating a first reference guidance order, calculated by a part of a first FMS assembly called the calculation part of the first FMS assembly, on the basis of a first reference position and of a first reference trajectory which are calculated by the calculation part of the first FMS assembly on the basis of data arising from onboard sensors, from a first navigation database and from a first performance database, monitoring the integrity, by a part of the first FMS assembly called the monitoring part of the first FMS assembly, of the first reference position, on the basis of at least part of the said data arising from onboard sensors, when the first reference position is not monitored as being dependable: Invalidating the first FMS assembly and the associated guidance system, when the first reference position is monitored as being dependable: generating a first monitoring guidance order, calculated by the monitoring part of the first FMS assembly, on the basis of the first reference position and of the first reference trajectory, generating a first reference flight control, by a reference part of a first automatic pilot, on the basis of the first reference guidance order, generating a first monitoring flight control, by a monitoring part of the first automatic pilot, on the basis of the first monitoring guidance order, monitoring the integrity of the first reference guidance order with the aid of the first monitoring guidance order, when the first reference guidance order is not monitored as being dependable: invalidating the first FMS assembly and the associated guidance, when the first reference guidance order is monitored as being dependable: delivering the first dependable reference guidance order.

2. The method according to claim 1, further comprising the step of, when the first reference guidance order is monitored as being dependable: verifying the consistency of the first reference flight and monitoring commands, when the first reference flight and monitoring commands are inconsistent: invalidating the first automatic pilot, when the first reference flight and monitoring commands are consistent: delivering the first consistent reference flight control.

3. The method according to claim 2, further comprising the step of, when the first reference flight and monitoring commands are consistent: displaying the first reference flight control.

4. The method according to claim 3, further comprising a step of triggering the automatic guidance of the aircraft with the first reference flight control, when the first reference flight and monitoring commands are consistent.

5. The method according to claim 1, further comprising a step of, when the first reference position or the first reference guidance order is not monitored as being dependable, or when the first reference flight and monitoring commands are inconsistent, informing a pilot of the invalidation of the first flight management system and of the first automatic pilot.

6. The method according to claim 1, wherein the monitoring of the integrity of the first reference guidance order consists of comparing it with the first monitoring guidance order with the aid of a guidance criterion.

7. The method according to claim 1, wherein the step of monitoring the integrity of the first reference position comprises the step of: comparing the reference position with an estimated position calculated by the monitoring part of the first FMS on the basis of at least part of the said data arising from onboard sensors with the aid of a position criterion.

8. The method according to claim 2, further comprising delivering a second consistent reference flight control obtained simultaneously in a continuous manner according to the same duplicated steps of the method according to claim 2 with the aid of a second automatic pilot.

9. The method according to claim 8, further comprising a step of displaying the second reference flight control, when the first flight management system or the first automatic pilot is invalid.

10. The method according to claim 8, further comprising a step of triggering the automatic guidance of the aircraft with the second reference flight control, when the first flight management system or the first automatic pilot is invalid.

11. The method according to claim 10, wherein the triggering step is operated manually by the pilot.

12. The method according to claim 10, wherein the triggering step is operated automatically without intervention of the pilot.

13. The method according to claim 8, in wherein the aircraft is in the approach phase according to a constrained-corridor procedure.

14. The method according to claim 13, comprising a preliminary step of validating the flight plan.

15. The method according to claim 8, wherein the first and second automatic pilots are engaged simultaneously prior to the commencement of the method.

16. A system for flight management and guidance of an aircraft with high integrity comprising: a first FMS assembly comprising: a part called the calculation part of the first FMS assembly comprising: a first navigation database and a first performance database, a first position calculation module configured to calculate a first reference position on the basis of data arising from onboard sensors and the databases, a first trajectory calculation module configured to calculate a first reference trajectory on the basis of data arising from onboard sensors and the databases, a first reference guidance module configured to generate a first reference guidance order, on the basis of the first reference position and of the first reference trajectory a part called the monitoring part of the first FMS assembly configured to monitor the integrity of the first reference position on the basis of at least part of the data arising from onboard sensors, store the first reference trajectory transmitted by the calculation part of the first FMS assembly, generate a first monitoring guidance order calculated on the basis of the first reference position and of the first stored reference trajectory, monitor the integrity of the first reference guidance order with the first monitoring guidance order the said flight management and guidance system further comprising a first automatic pilot comprising: a reference part configured to generate a first reference flight control on the basis of the first reference guidance order, a monitoring part configured to generate a first monitoring flight control, on the basis of the first reference guidance order, the said first automatic pilot being further configured to verify the consistency of the first reference flight and monitoring commands, the flight management and guidance system being further configured to invalidate the first FMS assembly and the first associated automatic pilot, when the first reference position is not monitored as being dependable or when the reference flight and monitoring commands are inconsistent.

17. The system for flight management and guidance according to claim 16, further comprising at least one display module configured to display the first reference flight controls when the first FMS assembly and the first automatic pilot are valid.

18. The system for flight management and guidance according to claim 16, configured to trigger the automatic guidance of the aircraft with the first reference flight control, when the first flight management system and the first automatic pilot are valid.

19. The system for flight management and guidance of an aircraft with high integrity according to claim 16, further comprising a second FMS assembly and a second automatic pilot corresponding respectively to a duplication of the first FMS assembly and of the first automatic pilot, the system being configured to generate a first reference flight control and a second reference flight control simultaneously and in a continuous manner.

20. The system according to claim 19, configured further to trigger the automatic guidance with the first reference flight control when the first flight management system and the first automatic pilot are valid, and to trigger the automatic guidance of the aircraft with the second reference flight control when the first flight management system and the first automatic pilot are invalid.

21. The system according to claim 20, in which the display module is further configured to display the second reference flight control when the first flight management system and the first automatic pilot are invalid.

22. A computer program product, the computer program comprising code instructions to perform the steps of the method according to claim 1.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Other characteristics, aims and advantages of the present invention will become apparent on reading the detailed description which will follow and with regard to the appended drawings given by way of nonlimiting examples and in which:

(2) FIG. 1 already cited presents a summary diagram illustrating the structure of an FMS known from the prior art,

(3) FIG. 2 already cited illustrates an architecture of the prior art ensuring the integrity of the guidance of the aircraft,

(4) FIG. 3 already cited illustrates the three components of the error in calculating the aeroplane position (TSE),

(5) FIG. 4 already cited illustrates the contribution of a flight management system to the three components of the error in calculating the aeroplane position (TSE),

(6) FIG. 5 already cited illustrates an architecture of the prior art compatible with an RNP xx approach,

(7) FIG. 6 describes a method of error detection of an aircraft flight management and guidance system according to the invention,

(8) FIG. 7 describes an embodiment of the method according to the invention,

(9) FIG. 8a describes the method according to the invention furthermore comprising steps duplicated on a second system executing the same method,

(10) FIG. 8b describes an embodiment of the method executed by the second system,

(11) FIG. 8c describes another embodiment of the method executed by the second system,

(12) FIG. 9 describes a system 10 for flight management and guidance of an aircraft according to the invention with high integrity,

(13) FIG. 10 describes a more detailed implementation of the system according to the invention,

(14) FIG. 11 illustrates a variant of the system 10 for flight management and guidance of an aircraft with high integrity according to the invention comprising a second FMS assembly and a second automatic pilot,

(15) FIG. 12 describes an exemplary detailed implementation of the system of FIG. 11,

(16) FIG. 13 illustrates another variant of the system according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

(17) FIG. 6 describes a method 100 of error detection of a system for flight management and guidance of an aircraft in accordance with a flight plan PV according to the invention.

(18) The method comprises a first step 101 consisting in generating a first reference guidance order CG1.sub.COM calculated in a conventional manner on the basis of a first reference position POS1.sub.COM and of a first reference trajectory TRAJ1.sub.COM.

(19) The first reference guidance order CG1.sub.COM is calculated by a part of a first FMS assembly called E-FMS1, the part being called the calculation part FMS1-COM of the first FMS assembly E-FMS1.

(20) POS1.sub.COM and TRAJ1.sub.COM are calculated by FMS1-COM in a conventional manner on the basis of data DATA arising from onboard sensors such as GPS receivers, inertial platforms, signals arising from VHF radio beacons, from a first navigation database NAV1 DB and from a first performance database PERF1 DB.

(21) CG1.sub.COM is calculated in a conventional manner, the function being ensured by a module GUID1.sub.COM of FMS1-COM.

(22) The method 100 according to the invention thereafter comprises a step 102 of monitoring the integrity of the first reference position POS1.sub.COM on the basis of at least part of the said data arising from onboard sensors.

(23) The monitoring is performed by a part of E-FMS1 called the monitoring part F1-MON, independent of the part F1-COM; stated otherwise carried by a calculation facility different from that of FMS1-COM.

(24) Typically, the FMS1-MON receives the information arising from the position sensors (GPS, Inertias) and the position POS1.sub.COM which is transmitted to it by FMS1-MON. FMS1-MON performs a likelihood test by comparing the position POS1.sub.COM with the GPS positions, which for example gives three positions forming a triangle in which the aeroplane must be situated. If the disparity is too significant the position POS1.sub.COM is considered invalid. For example during a procedure RNM<0.3 mn, one looks to see whether POS1.sub.COM is not more than 0.1 nm away from the GPS position. The position is not recalculated completely by FMS1-MON; it is sought here to verify that the calculation carried out by FMS1-COM does not exhibit an anomaly.

(25) Thus the monitoring of POS1.sub.COM makes it possible to detect an error of PEE type.

(26) When the first reference position POS1.sub.COM is not monitored as being dependable, the method 100 comprises a step 103 consisting in invalidating the first FMS assembly E-FMS1 and the associated guidance system PA1. This invalidation consists in disengaging the assembly FMS1/PA1.

(27) When the first reference position POS1.sub.COM is monitored as being dependable the method 100 generates in a step 104 a first monitoring guidance order CG1.sub.MON on the basis of the first monitored reference position POS1.sub.COM and of the first reference trajectory TRAJ1.sub.COM which has been dispatched to F1-MON by FMS1-COM, which stores it. The calculation of CG1.sub.MON is therefore performed by the monitoring part F1-MON.

(28) The guidance order CG1.sub.MON is calculated on the basis of a position and of a trajectory which are identical to that of FMS1-COM. This calculation is performed by F1-MON, using the same guidance laws independently.

(29) Therefore CG1.sub.MON is calculated independently of CG1.sub.COM, and this will make it possible to detect possible errors in the calculation of the guidance order used to guide the aircraft.

(30) The method 100 also comprises a step 105 of generating a first reference flight control CV1.sub.COM on the basis of the first reference guidance order CG1.sub.COM.

(31) CV1.sub.COM is generated in a conventional manner by a reference part PA1-COM of a first automatic pilot PA1 coupled to the first FMS assembly E-FMS1. The automatic pilot PA1 exhibits a conventional COM/MON architecture, that is to say that it comprises a reference part PA1-COM and a monitoring part PA1-MON as described in the prior art.

(32) Thus steps 101 and 105 are conventional steps carried out by the part FMS1-COM which fulfils the functions of a conventional FMS coupled to the COM part of the automatic pilot PA1.

(33) A step 106 generates a first monitoring flight control CV1.sub.MON on the basis of the first reference guidance order CG1.sub.COM, which is dispatched by E-FMS1 directly to the part PA1-MON of PA1 (see further on in the description of the architecture). The generation of CV1.sub.MON is carried out by the monitoring part PA1-MON of the first automatic pilot PA1. Thus, the monitoring flight control CV1.sub.MON is generated by PA1-MON independently of the flight control CV1.sub.COM generated by PA1-COM on the basis of the same guidance order CG1.sub.COM. The automatic pilot PA1 is used here in a different manner from the prior art, since in the implementation of the method 100 the part PA1-MON receives the guidance order CG1.sub.COM directly without passing through PA1-COM, on the basis of which it generates an inherent flight control CV1.sub.MON.

(34) A step 116 monitors the integrity of the first reference guidance order CG1.sub.COM with the aid of the first monitoring guidance order CG1.sub.MON. This monitoring is rendered possible on account of the fact that the existence of a directive CG1.sub.MON generated by FMS1-MON by the method according to the invention.

(35) This monitoring makes it possible to detect an error of PSE type.

(36) Thus the method 100 according to the invention delivers as output a dependable guidance order CG1.sub.COM.

(37) Typically the reference trajectory TRAJ1.sub.COM calculated by FMS1-COM and transmitted by FMS1-COM to F1-MON which stores it decomposes into a lateral trajectory TRAJ1.sub.L-.sub.COM and a vertical trajectory TRAJ1.sub.V-.sub.COM. Likewise, a guidance order decomposes into a lateral guidance order CG.sub.L and a vertical guidance order CG.sub.V. The FMS1-COM calculates a guidance order according to the three axes, i.e. a lateral guidance order, a vertical guidance order and a speed directive.

(38) According to a variant the monitoring of the guidance carried out by F1-MON is performed on the overall guidance order, that is to say that the MON part carries out a calculation of the lateral directive and of the vertical directive and of the speed directive, which will be compared with the lateral, vertical and speed directives calculated by the COM part.

(39) According to another preferred variant, the monitoring of the guidance carried out by F1-MON is performed by comparison on the lateral guidance order according to the following steps:

(40) calculation by F1-MON of a lateral guidance order on the basis of the first lateral reference trajectory TRAJ1.sub.L-.sub.COM stored by F1-MON and of the position POS1.sub.COM (use of the same guidance laws by FMS1-COM and F1-MON),

(41) comparison of the lateral guidance order calculated by F1-MON with the lateral guidance order calculated by FMS1-COM.

(42) According to one embodiment, the monitoring of the vertical guidance is not performed by calculation by the F1-MON of a vertical guidance order (so as to be compared with the vertical directive arising from the FMS1-COM), but is performed according to the following steps:

(43) on the basis of TRAJ1.sub.v-.sub.COM and of the position POS1.sub.COM, calculation of the desired parameters altitude and/or speed and/or slope,

(44) comparison of the desired parameters with these same measured parameters (arising from a part of the data arising from onboard sensors) corresponding to what the aircraft actually does. For example, if the aircraft must be at 2500 ft while passing over a point of the flight plan, F1-MON verifies that the altitude of the aircraft is equal to 2500 ft+/50 ft when passing the point.

(45) Indeed, the vertical-piloting laws are very complex and their duplication on the one hand would increase the complexity of F1-MON and on the other hand would increase the difficulty of fine tuning of the comparators of the guidance orders. The variant hereinabove therefore sticks to the comparison of the aforementioned parameters, making it possible to verify that the aircraft is indeed following the desired vertical trajectory.

(46) When the first reference guidance order CG1.sub.COM is not monitored as being dependable the method 100 invalidates at 103 the first FMS assembly E-FMS1 and the associated guidance, thereby making it possible to prevent the aeroplane from taking an erroneous trajectory as a consequence of an erroneous guidance order.

(47) The monitoring of the integrity of CG1.sub.COM makes it possible to invalidate the first assembly E-FMS1 as soon as an anomaly is detected.

(48) The method thus allows a monitoring of the position and of the guidance order making it possible to attain a high hazardous level of integrity in the calculation of CG1.sub.COM. This increase in the integrity is obtained by a lone FMS with simple modifications of the FMS, the increase in the integrity being carried entirely by the MON part.

(49) When the first reference guidance order CG1.sub.COM is monitored as being dependable, the method 100 according to the invention delivers as output a first reference guidance order CG1.sub.COM with an integrity level improved by the integrity monitoring steps 102 and 116. Thus the method 100 delivers a first dependable reference guidance flight control CG1.sub.COM, a first reference flight control CV1.sub.COM and a first monitoring flight control CV1.sub.MON which are generated on the basis of the first dependable reference guidance flight control CG1.sub.COM.

(50) The improvement of the integrity is not obtained at the price of a significant increase in the calculation resources.

(51) The method according to the invention is implemented in real time and permanently, thus steps 105, 106 and 116 are carried out quasi-simultaneously.

(52) In a preferred mode, the step 116 of monitoring the integrity of the first reference guidance order CG1.sub.COM consists in comparing it with the first monitoring guidance order CG1.sub.MON with the aid of a guidance criterion. This comparison entails the same logic as that effected by an automatic pilot of COM/MON type. Echoing this COM/MON comparison of the PA, FMS-COM and F-MON can exchange their CG1.sub.COM and CG1.sub.MON.

(53) Preferentially the comparison is performed in the part FMS1-MON, the part FMS1-COM transmitting the directive CG1.sub.COM to it for this purpose. Thus in this preferred mode FMS1-COM transmits CG1.sub.COM to FMS1-MON (for comparison), and to PA1-COM and PA1 MON (for the guidance).

(54) Preferentially, the method 100 furthermore comprises a step 107 consisting in verifying the consistency of the first reference flight CV1.sub.COM and monitoring CV1.sub.MON commands, as illustrated in FIG. 7.

(55) Typically this verification is operated with the aid of the conventional comparator of the automatic pilot.

(56) When the flight controls CV1.sub.COM CV1.sub.MON are inconsistent, the method 100 comprises a step 108 which invalidates the first automatic pilot PA1 (that is to say disengages or disconnects it).

(57) From an operational point of view, the method 100 delivers a guidance order CG1.sub.COM (step 101) which is dispatched to the PA1 to generate a flight control CV1.sub.COM according to steps 105, 106, 107 and then 109 and 110. The monitoring with the aid of steps 104 and 116 is carried out in parallel. Thus, when a non-dependable directive CG1.sub.COM is dispatched to the PA1 which generates a CV1.sub.COM, in a very short time span the E-FMS/PA chain is invalidated.

(58) When the flight controls CV1.sub.COM and CV1.sub.MON are consistent, the method delivers as output a consistent flight control CV1.sub.COM. Preferentially, the method furthermore comprises a step 109 of displaying the first consistent reference flight control CV1.sub.COM. Preferentially, this display is carried out on the PFD (Primary Flight Display) in the form of flight director bars.

(59) The pilot thus benefits from a flight control CV1.sub.COM whose integrity has been strengthened by the verification step 107, which uses the command CV1.sub.MON calculated independently as explained above.

(60) The method 100 thus makes it possible to obtain a flight control of the aircraft exhibiting a high integrity compatible with the hazardous level required for the RNP xx procedures, for example RNP 0.3.

(61) The pilot can thus if he so wishes pilot the aircraft with the stick and aided by the display of CV1.sub.COM. In a preferred variant, the method 100 furthermore comprises a step 110 (also illustrated in FIG. 7) consisting in triggering the automatic guidance of the aircraft with the first reference flight control CV1.sub.COM (when the first reference flight CV1.sub.COM and monitoring CV1.sub.MON commands are consistent). According to one option the triggering is automatic, according to another option the triggering is performed by a pilot action, such as pressing a button.

(62) The aircraft thus has a high-integrity flight control allowing automatic guidance of the aircraft compatible with an RNP AR procedure with RNP<0.3 NM.

(63) Preferentially, the method 100 according to the invention furthermore comprises a step 111 consisting in informing the pilot of the invalidation of the first FMS assembly E-FMS1 and of the automatic pilot, when the first reference position or the first reference guidance order CG1.sub.COM is not monitored as being dependable, and a step 112 consisting in informing the pilot of the invalidation of the first automatic pilot PA1, when the first reference flight CV1.sub.COM and monitoring CV1.sub.MON commands are inconsistent.

(64) Preferentially, the informing is operated by displaying on a display, typically the control panel FCU (FCU for Flight Control Unit). Preferentially the displaying of steps 111 and 112 is common.

(65) The pilot can also be informed by an audio signal, a telltale light.

(66) The availability is obtained by a duplication of the method 100 according to a preferred variant such as illustrated in FIGS. 8a, 8b and 8c.

(67) The method 100 according to this preferred variant delivers a second dependable reference guidance command CG2.sub.COM, a second reference flight control CV2.sub.COM and a second monitoring flight control CV2.sub.MON, which are obtained simultaneously in a continuous manner according to the steps of a method 200 corresponding to the steps of the method 100 of FIG. 6 and duplicated, with the aid of a second FMS assembly E-FMS2 and of a second automatic pilot PA2.

(68) FIG. 8b describes the method 200 making it possible to generate the second dependable reference guidance command CG2.sub.COM.

(69) The method 200 comprises:

(70) a step 101 consisting in generating a second reference guidance order CG2.sub.COM, calculated by a part of a second FMS assembly E-FMS2 called the calculation part of the second assembly FMS FMS2-COM, on the basis of a second reference position POS2.sub.COM and of a second reference trajectory TRAJ2.sub.COM which are calculated by the calculation part FMS2-COM of the second FMS assembly on the basis of data arising from onboard sensors DATA, from a second navigation database NAV2 DB and from a second performance database PERF2 DB,

(71) a step 102 consisting in monitoring the integrity, by a part of the second FMS assembly E-FMS2 called the monitoring part of the second FMS assembly F2-MON, of the second reference position POS2.sub.COM on the basis of at least part of the said data arising from onboard sensors.

(72) When the second reference position is not monitored as being dependable the method 200 comprises a step 103 consisting in invalidating the second FMS assembly E-FMS2 and the associated guidance system and preferentially a step 111 consisting in informing the pilot of the invalidation.

(73) When the second reference position is monitored as being dependable, the method 200 comprises:

(74) a step 104 consisting in generating a second monitoring guidance order CG2.sub.MON, calculated by the monitoring part of the second FMS assembly F2-MON, on the basis of the second reference position POS2.sub.COM and of the first reference trajectory TRAJ2.sub.COM,

(75) a step 105 consisting in generating a second reference flight control CV2.sub.COM, by a reference part PA2-COM of a second automatic pilot PA2, on the basis of the second reference guidance order CG2.sub.COM,

(76) a step 106 consisting in generating a second monitoring flight control CV2.sub.MON, by a monitoring part PA2-MON of the second automatic pilot PA2, on the basis of the first reference guidance order CG2.sub.COM,

(77) a step 116 monitors the integrity of the second reference guidance order CG2.sub.COM with the aid of the second monitoring guidance order CG2.sub.MON. When the second reference guidance order CG2.sub.COM is not monitored as being dependable the method 200 invalidates at 103 the second FMS assembly E-FMS2 and the associated guidance.

(78) When the second reference guidance order CG2.sub.COM is monitored as being dependable, the method 200 delivers as output the first dependable reference guidance order CG2.sub.COM.

(79) Preferentially, the method 100 according to this preferred variant integrates the method 200 furthermore comprising, as illustrated in FIG. 8c:

(80) a step 107 consisting in verifying the consistency of the second reference flight CV2.sub.COM and monitoring CV2.sub.MON commands.

(81) When the second reference flight CV2.sub.COM and monitoring CV2.sub.MON commands are inconsistent, the method 200 furthermore comprises a step 108 consisting in invalidating the second automatic pilot PA2 and preferentially a step 112 consisting in informing the pilot of the invalidation.

(82) When the second reference flight CV2.sub.COM and monitoring CV2.sub.MON commands are consistent, the method 200 delivers as output CV2.sub.COM consistent.

(83) From an operational point of view, the method 200 delivers a guidance order CG2.sub.COM (step 101) which is dispatched to the PA2 to generate a flight control CV2.sub.COM according to steps 105, 106, 107 and then 113. The monitoring with the aid of steps 104 and 116 is carried out in parallel. Thus, when a non-dependable directive CG2.sub.COM is dispatched to the PA2 which generates a CV2.sub.COM, in a very short time span the E-FMS2/PA2 chain is invalidated.

(84) Thus according to this preferred variant, the method 100 simultaneously delivers a first flight control CV1.sub.COM and a second flight control CV2.sub.COM Indeed, to ensure continuity, it is appropriate that the process 200 be implemented in parallel, simultaneously and in a continuous manner, with the method of FIG. 6 or 7, so as to be able to have a dependable guidance command CG2.sub.COM and preferentially a consistent flight control CV2.sub.COM with high integrity level in case of invalidation of the first assembly E-FMS1 or of the first automatic pilot PA1.

(85) FIG. 8a describes the method 100 according to the preferred variant of the invention consisting in delivering the second consistent reference flight control CV2.sub.COM, generated and verified simultaneously in a continuous manner according to the same duplicated steps (method 200) of the method according to the invention, when the first flight management system or the first automatic pilot is invalid.

(86) Preferentially, as illustrated in FIG. 8a, the method 100 furthermore comprises a step 113 consisting in displaying the second reference flight control CV2.sub.COM, when the first flight management system or the first automatic pilot is invalid.

(87) Preferentially, as illustrated in FIG. 8a, the method 100 furthermore comprises a step 114 consisting in triggering the automatic guidance of the aircraft with the second reference flight control CV2.sub.COM.

(88) According to one option, the triggering step 114 is operated manually by the pilot. According to another option, the triggering step 114 is operated automatically without intervention of the pilot.

(89) Thus the method 100 according to the preferred variant, implementing in parallel a method 200 on a second FMS assembly coupled to a second automatic pilot, makes it possible on the one hand to guide the aircraft with an initial flight management and guidance system (E-FMS1 and PA1) with a high integrity level and on the other hand, in case of detection of a fault with this initial system, to perform a switchover to another flight management and guidance system (E-FMS2 and PA2) and to guide the aircraft with this other system with the same integrity level as that of the initial system.

(90) Advantageously the step 102 of monitoring the integrity of the first reference position POS1.sub.COM comprises a sub-step consisting in comparing the reference position POS1.sub.COM with an estimated position POS1.sub.est calculated by the monitoring part of the first FMS FMS1-MON, on the basis of at least part of the data DATA arising from onboard sensors, typically GPS data, with the aid of a position criterion.

(91) The position criterion is for example that the calculated position POS1.sub.COM is situated at a distance of less than a certain threshold (depending on the desired precision in an RNPxx approach) of the estimated position POS1.sub.est. For example less than 0.2 NM for an RNP 0.3 approach.

(92) From an operational point of view, one option is that the aircraft cruises using the two FMS assemblies E-FMS1 and E-FMS2 in a conventional manner, that is to say with a simplified method implementing steps 100, 105, 106, 107 (108,112) 109 and 110, i.e. guidance with CG1.sub.COM and CV1.sub.COM without implementing the monitorings operated by the parts F1-MON and F2-MON.

(93) Next, when the aircraft is in the approach phase according to a constrained-corridor procedure requiring an RNP AR procedure, the complete method 100 is activated, implementing steps 102, 103 (111), 104, 116, and the switchover onto the second system and steps 113 and 114 in case of invalidation or of inconsistency of the first assembly E-FMS1.

(94) Thus the complete method 100 is implemented solely during the RNP approach phase requiring an integrity level of hazardous type.

(95) The RNP procedure is geo referenced, this signifying that the flight plan and the trajectory have the same definition, and preferentially it is sought to validate that the extraction of the procedure from the database is correct. Thus, advantageously the method according to the invention, when the aircraft is in the RNP approach phase, comprises a preliminary step of validating the flight plan consisting in:

(96) selecting the RNP AR procedure (pilot action),

(97) inserting the procedure into the flight plan. This insertion is performed by FMS1-COM and FMS2-COM,

(98) comparing the inserted flight plans.

(99) If the result of the comparison is incorrect, the pilot is alerted, up to him to relaunch a new insertion, to deactivate the FMS identified as erroneous and to relinquish flying the procedure.

(100) If the result of the comparison is correct, each FMS-COM calculates the trajectory and provides this trajectory to its F-MON which stores it etc.

(101) For optimal automatic guidance and fast switchover in case of a problem in the first chain, the first and second automatic pilots PA1 and PA2 are engaged simultaneously prior to the commencement of the method 100.

(102) The method is intended to be executed by the overall flight management system of the aircraft, that is to say the flight management system comprising the first and second assembly E-FMS1 and E-FMS2, the two automatic pilots PA1 and PA2, and a facility making it possible to operate if appropriate a triggering of the simplified method, and a triggering of the complete method according to the invention in parallel on the two assemblies and associated guidance during an RNP procedure, as well as the switchover from one to the other in case of invalidation of the first.

(103) According to another aspect, the invention relates to a system 10 for flight management and guidance of an aircraft with high integrity illustrated in FIG. 9 and comprising a first FMS assembly E-FMS1 and a first automatic pilot PA1 coupled to E-FMS1.

(104) The first FMS assembly E-FMS1 comprises a calculation part FMS1-COM and a monitoring part F1-MON.

(105) The part FMS1-COM comprises:

(106) a first navigation database NAV1 DB and a first performance database PERF1 DB,

(107) a first position calculation module LOCI configured to calculate a first reference position POS1.sub.COM on the basis of data arising from onboard sensors and the databases,

(108) a first trajectory calculation module TRAJ/PRED1 configured to calculate a first reference trajectory TRAJ1.sub.COM on the basis of data arising from onboard sensors and the databases,

(109) a first reference guidance module GUID1.sub.COM configured to generate a first reference guidance order CG1.sub.COM, on the basis of the first reference position POS1.sub.COM and of the first reference trajectory TRAJ1.sub.COM.

(110) The part FMS1-COM corresponds to a conventional architecture of FMS as described in the prior art.

(111) The monitoring part F1-MON is configured to monitor the integrity of the first reference position POS1.sub.COM on the basis of at least part of the data arising from onboard sensors (functionality illustrated by the module LOCMON1). The module LOCMON1 is not a module of the same type as LOC1 and TRAJ/PRED1 and its role is not to recalculate POS1.sub.COM entirely but to verify it, that is to say to detect a calculation error. It therefore requires much less calculation power.

(112) For example the position POS1.sub.COM is transmitted to LOCMON1 by FMS1-COM and this position is compared with data DATA, typically GPS and/or inertial, arising from onboard sensors, directly received by F1-MON. If the position POS1.sub.COM differs from the position estimated on the basis of these sensors, the position POS1.sub.COM is considered non-dependable.

(113) The monitoring part F1-MON is also configured to store the reference trajectory TRAJ1.sub.COM transmitted by FMS1-COM (functionality illustrated by the storage module MEM.sub.Traj) and to generate a first monitoring guidance order CG1.sub.MON (functionality illustrated by the first monitoring guidance module GUID1.sub.MON), calculated on the basis of the first reference position POS1.sub.COM monitored and of the first reference trajectory TRAJ1.sub.COM stored. The first monitoring guidance order CG1.sub.MON is generated by F1-MON independently of CG1.sub.COM, by using piloting laws identical to those used by FMS1-COM to calculate CG1.sub.COM.

(114) The monitoring part F1-MON is also configured (module GUID1.sub.MON) to monitor the integrity of the first reference guidance order CG1.sub.COM. Accordingly the first reference guidance order CG1.sub.COM is transmitted by FMS1-COM to F1-MON.

(115) Verification of integrity typically consists in comparing the first reference guidance order CG1.sub.COM calculated by the first reference guidance module GUID1.sub.COM with the first monitoring guidance order CG1.sub.MON calculated by the first monitoring guidance module GUID1.sub.MON, with the aid of a guidance criterion. If too significant a disparity exists between the two directives, the directive CG1.sub.COM is declared non-dependable. Operationally, during an RNP xx approach, the current directive CG1.sub.COM which will cause the aircraft to exit the corridor is invalidated and the coupled automatic pilot PA1 is disengaged.

(116) According to a preferred variant, only a lateral guidance order is calculated by the module GUID1.sub.MON, the monitoring of the vertical guidance taking place through a comparison of parameters, such as is described above.

(117) Thus the part F1-MON (module GUID1.sub.MON) makes it possible to detect a calculation error at the level of CG1.sub.COM, and constitutes a means for verifying the integrity of CG1.sub.COM, which makes it possible to be compatible with the hazardous level.

(118) Moreover, the integrity has been increased independently of the base initial flight management system FMS1-COM by the addition of an external surveillance chain F1-MON. The part F1-MON does not comprise any complex functions and does not demand any significant calculation resources, resources that it must be able to share with another application and on an existing facility.

(119) An additional advantage is to use the guidance order formulation capability of the F-MON. Indeed on loss of the 2 FMSs because of a circuit fault for example, by connecting the F-MON to the Automatic pilot, it is possible, in this degraded configuration, to maintain the guidance of the aeroplane on the basis of the trajectory stored by the F-MON.

(120) The directive CG1.sub.COM generated by FMS1-COM and monitored by F1-MON is thereafter dispatched into the first automatic pilot PA1.

(121) PA1 comprises a reference part PA1-COM and a monitoring part PA1-MON, according to a conventional architecture. But the system 10 according to the invention is configured to dispatch CG1.sub.COM to PA1-COM and to PA1-MON in parallel independently.

(122) PA1-COM is configured to generate a first reference flight control CV1.sub.COM on the basis of the first reference guidance order CG1.sub.COM, for example in a conventional manner.

(123) PA1-MON is configured to generate a first monitoring flight control CV1.sub.MON, on the basis of the first reference guidance order CG1.sub.COM.

(124) The commands CV1.sub.COM and CV1.sub.MON are thus generated in an independent manner by the two parts of the automatic pilot.

(125) PA1 is furthermore configured to verify the consistency of the first reference flight CV1.sub.COM and monitoring CV1.sub.MON commands, typically with its comparator. Thus the flight control CV1.sub.COM is on the one hand generated on the basis of a high-integrity directive, and on the other hand verified independently by PA1-MON. Thus in order to pilot the aircraft the system 10 has a flight control CV1.sub.COM with greatly improved integrity level, amply compatible with a hazardous level. This integrity level has been obtained without substantially modifying the automatic pilot of conventional COM/MON architecture.

(126) The flight management and guidance system 10 is furthermore configured to invalidate the first FMS assembly E-FMS1 when the first reference position or the first reference trajectory or the first guidance order is not monitored as being dependable, and to invalidate the first automatic pilot PA1 when the first reference flight CV1.sub.COM and monitoring CV1.sub.MON commands are inconsistent.

(127) Preferentially the flight management and guidance system 10 furthermore comprises at least one display module DISP configured to display the first reference flight controls CV1.sub.COM when the first FMS assembly and the first automatic pilot are valid.

(128) Advantageously the flight management and guidance system 10 according to the invention is configured to trigger the automatic guidance of the aircraft with the first reference flight control CV1.sub.COM, when the first flight management system and the first automatic pilot are valid. The triggering can take place automatically or on action of the pilot.

(129) FIG. 10 describes a more detailed implementation of the system according to the invention highlighting the 2 levels of verification of FMS1-COM operated by F1-MON.

(130) According to a variant illustrated in FIG. 11, the system 10 for flight management and guidance of an aircraft with high integrity according to the invention furthermore comprises a second FMS assembly E-FMS2 and a second automatic pilot PA2 corresponding respectively to a duplication of the first FMS assembly E-FMS1 and of the first automatic pilot PA1.

(131) The system 10 is configured to generate a first reference flight control CV1.sub.COM and a second reference flight control CV2.sub.COM simultaneously and in a continuous manner. The flight control CV1.sub.COM arises from the chain consisting of E-FMS1 coupled to the PA1, and the flight control CV2.sub.COM arises from the chain consisting of E-FMS2 coupled to the PA2.

(132) Preferentially, the system is configured to trigger the automatic guidance with the first reference flight control CV1.sub.COM when the first flight management system and the first automatic pilot are valid, and to trigger the automatic guidance of the aircraft with the second reference flight control CV2.sub.COM when the first flight management system and the first automatic pilot are invalid.

(133) In this manner, the continuity of the guidance is ensured in case of fault with the first chain E-FMS1/PA1.

(134) Thus the dual requirement of high integrity and of continuity is fulfilled with only two complete FMSs, FMS1-COM and FMS2-COM, verified by respectively the external chain F1-MON and F2-MON. This architecture is called DUAL COM/MON, since it consists of two independent chains, each being verified by a MON part.

(135) This solution is less expensive than the Triplex solution since it avoids a third FMS, an additional calculator which on the other hand increases the weight of the aircraft and its electrical consumption. Moreover this architecture gives rise to only a low level of modification of the automatic pilot.

(136) Advantageously, the display module DISP is furthermore configured to display the second reference flight control CV2.sub.COM when the first flight management system and the first automatic pilot are invalid.

(137) From an operational point of view, the system 10 according to the variant of FIG. 11 complies with the requirements of RNP AR approaches for aeroplanes having only two FMSs. The hazardous integrity constraint and availability constraint are complied with automatically.

(138) During the RNP approach, the two chains operate in parallel, the second being at any instant ready to take over in case of fault detected on the first.

(139) FIG. 12 describes an exemplary detailed implementation of the system 10 of FIG. 11. Only the modules useful to the understanding of the invention are represented.

(140) The DATA are the redundant GPS1, GPS2 data, ADIRS signifies Air Data Inertial Reference System, HPATH signifies Horizontal Path, FG signifies Flight Guidance and FD Flight Director.

(141) According to another variant described in FIG. 13, the directive CG.sub.COM (1 or 2) is dispatched solely to the part PA-COM (1 or 2), and it is the directive CG.sub.MON (1 or 2) which is dispatched to the part PA-MON (1 or 2) of the automatic pilot.

(142) According to another aspect the invention relates to a computer program product comprising code instructions making it possible to perform the steps of the method according to the invention.

(143) The method can be implemented on the basis of hardware and/or software elements. The method may be available in the guise of a computer program product on a computer readable medium.

(144) The method may be implemented on a system that can use one or more dedicated electronic circuits or a general-purpose circuit.

(145) The technique of the method according to the invention can be carried out on a reprogrammable calculation machine (a processor or a micro-controller for example) executing a program comprising a sequence of instructions, or on a dedicated calculation machine (for example an assembly of logic gates such as an FPGA or an ASIC, or any other hardware module).

(146) The various modules of the system according to the invention can be implemented on one and the same processor or on one and the same circuit, or distributed over several processors or several circuits. The modules of the system according to the invention consist of calculation means including a processor.

(147) The reference to a computer program which, when it is executed, performs any one of the previously described functions, is not limited to an application program executing on a single host computer. On the contrary, the terms computer program and software are used here in a general sense to refer to any type of computing code (for example, application software, micro software, microcode, or any other form of computer instruction) which can be used to program one or more processors to implement aspects of the techniques described here.