Device for controlling an aircraft engine comprising two redundant control channels

Document No.: 246486. Publication date: 2021-11-12.

Reading note: this technology, "Device for controlling an aircraft engine comprising two redundant control channels", was designed by Christophe Pierre Georges Martin and Sébastien Jacques François Michel Soulié on 2020-04-02. Main content: The invention relates to an engine control device comprising a first control channel (V1) and a second control channel (V2), each control channel comprising a first sensor (CAV1, CAV2) and a second sensor (CBV1, CBV2), each of said first and second sensors being configured to provide a first measurement (A) and a second measurement (B) to each channel, respectively, each channel comprising an active or passive state defining an active channel (V1) or a passive channel (V2), said active channel (V1) being designed to control at least one actuator (ACT) of said engine, and said passive channel (V2) being designed to replace said active channel in the event of a failure of said active channel.

1. An arrangement for controlling an engine, comprising a first control channel (V1) and a second control channel (V2), each control channel comprising a first sensor (CAV1, CAV2) and a second sensor (CBV1, CBV2), each of said first and second sensors being configured to provide a first measurement (A) and a second measurement (B) to each channel, respectively, each channel comprising an active or passive state defining an active channel (V1) or a passive channel (V2), said active channel (V1) being for driving at least one actuator (ACT) of said engine, and said passive channel (V2) being for replacing said active channel in case of a failure of said active channel, the arrangement being such that each channel (V1, V2) comprises:

-a unit (UC1, UC2) for combining measurements, each unit for combining measurements receiving as input measurements from both channels over at least one inter-channel communication link (LCOM) to obtain combined parameters,

-a unit (UT1, UT2) for processing at least one command ($C_{V1}$, $C_{V2}$) of at least one actuator (ACT) of said engine, the device comprising:

-nominal operation, wherein the units (UT1, UT2) for calculating of the channels (V1, V2) calculate the commands ($C_{V1}$, $C_{V2}$) from the combined parameters and the commands calculated at the previous calculation time, the actuator being driven by the active channel,

-fail-safe operation in case of interruption of the communication link (LCOM), wherein the unit (UT2) for calculating of the passive channel calculates the command ($C_{V2}$) from the command ($C_{V1}$) calculated by the active channel (V1) at a previous calculation time.

2. An arrangement for controlling an engine according to claim 1, wherein each channel (V1, V2) further comprises a process monitoring unit (US1, US2) configured to detect a difference in the values of the commands ($C_{V1}$, $C_{V2}$) calculated by the two channels (V1, V2).

3. Device for controlling an engine according to claim 2, wherein the process monitoring unit (US1, US2) is configured to: temporarily or permanently disable the passive channel (V2) if a difference in the values of the commands ($C_{V1}$, $C_{V2}$) calculated by the two channels (V1, V2) is detected.

4. Arrangement for controlling an engine according to any one of the preceding claims, wherein the merging unit (UC1, UC2) averages the values measured by the two channels (V1, V2).

5. An arrangement for controlling an engine according to any one of the preceding claims, wherein the processing unit (UC1, UC2) of each channel (V1, V2) performs the following calculations: the calculation requires at least one result calculated by the processing unit itself at a previous time increment.

6. The device for controlling an engine according to any one of the preceding claims, wherein the processing unit (UT1, UT2) of each channel performs the following calculations: the calculation requires at least one intermediate result calculated by the processing unit itself at a previous time increment.

7. The apparatus for controlling an engine of claim 5, wherein the fail-safe mode of operation is enabled for a period of time corresponding to a duration of interruption of the at least one inter-channel communication Link (LCOM).

8. The apparatus for controlling an engine according to claim 6, wherein the fail-safe operation mode is activated for a period of time corresponding to a time between calculating the intermediate value and a farthest time during which the value is used as the initial data.

9. An arrangement for controlling an engine according to any one of the preceding claims, wherein the fail-safe mode of operation is enabled for a predetermined period of time assessed by a communication link failure test.

10. An arrangement for controlling an engine according to any one of claims 2-9, wherein the process monitoring unit (US1, US2) is configured to: permanently disable the passive channel (V2) if a difference in the values of the commands calculated by the two channels (V1, V2) is detected immediately after the end of the fail-safe operating mode.

11. An arrangement for controlling an engine according to any one of the preceding claims, wherein when one of the two channels (V1, V2) waits to receive a measurement from the other channel, the other channel (V1, V2) performs the next predetermined calculation in advance that does not require any measurement from the second channel, which measurement from the second channel is not used at this time.

Technical Field

The invention relates to a control device for a turbojet aircraft engine. More particularly, the present invention relates to an apparatus for achieving a given redundancy of calculations based on measurements from sensors configured to measure engine parameters.

Background

Turbojet engines are generally equipped with control devices that also provide protection against events with dangerous or catastrophic consequences, such as the case of engine overspeed. Thus, the same device performs both functions.

Such control devices typically comprise two identical channels, which makes it possible to provide redundancy in acquiring parameters and calculating set points for controlling one or more actuators.

Ideally, these channels are independent of each other, but they often exchange data in order to consolidate measurements. The purpose of this merging is to have both channels perform the same calculations at the same time, to ensure hot redundancy of the control: one channel is active and controls the actuator, and one channel is passive and ready to become active at any time when the system fails. Specifically, a failure on one channel may result in a dangerous or catastrophic event.

If control of the engine and protection against these events is provided by the same device, it is necessary to monitor the processors that perform the calculations to ensure that they are not malfunctioning. Specifically, a failure of the processor may cause the engine to enter an overspeed state.

Such monitoring is achieved by comparing the results of the calculations of each channel, one of which, the so-called active channel, commands an actuator (e.g. a variable geometry and/or fuel metering valve of the engine). If a divergence occurs between the calculation results, the passive channel is disabled and the control device becomes single-channel.

One problem is that it is not possible to distinguish between a failure of a processor and a problem with the exchange between channels simply by comparing the results of the calculations on the channels.

In particular, the interruption of the inter-channel link, even for a short time, stops the mutual monitoring, and it is then necessary to ensure the safety of the system, since this leads to differences in the calculations. Ensuring safety consists in isolating the passive channel for the rest of the mission, which adversely affects the availability of redundancy during the mission and the availability of the computer, which undergoes troubleshooting in maintenance.

Thus, the isolated channel may be a healthy channel because, during a communication problem, it is not known whether the error is located on the transmitter channel or the receiver channel. If the remaining channel fails and the failure can be detected by a hardware self-test, it will eventually isolate itself and cause the engine to shut down. This type of behavior therefore adversely affects the in-flight engine shutdown rate.

Disclosure of Invention

The object of the invention is therefore to make the system more robust (i.e. more resistant) to inter-channel link loss, so that it can safely locate anomalies, ensuring that only the failed channel isolates itself. To this end, a first aspect of the invention provides an apparatus for controlling an engine, comprising first and second control channels, each control channel comprising first and second sensors, each of the first and second sensors being configured to provide first and second measurements to each channel respectively, each channel comprising an active or passive state defining an active channel for driving at least one actuator of the engine or a passive channel for replacing the active channel in the event of a failure of the active channel, the apparatus being arranged such that each channel comprises:

-a unit for combining the measurement results, each unit for combining measurement results receiving as input measurement results from both channels over at least one inter-channel communication link to obtain a combined parameter,

-a unit for processing at least one command of at least one actuator of said engine, the device comprising:

-nominal operation, wherein the unit for calculating of each channel calculates a command from the combined parameters and a command calculated at a previous calculation time, an actuator being driven by the active channel,

-fail-safe operation in case of a communication link interruption, wherein the unit for calculating of the passive channel calculates a command from a command calculated by the active channel at a previous calculation time.

Advantageously, the invention is completed by the following features taken alone or in technically feasible combinations of these features:

-each channel further comprises a process monitoring unit configured to detect a difference in the values of the commands calculated by the two channels.

-the process monitoring unit is configured to: temporarily or permanently disable the passive channel if a difference in the values of the commands calculated by the two channels is detected.

-the merging unit averages the values measured by the two channels.

-the processing unit of each channel performs the following calculations: the calculation requires at least one result calculated by the processing unit itself at a previous time increment.

-the processing unit of each channel performs the following calculations: the calculation requires at least one intermediate result calculated by the processing unit itself at a previous time increment.

-enabling a fail-safe mode of operation for a period of time corresponding to a duration of interruption of the at least one inter-channel communication link.

-enabling a fail-safe operation mode for a period of time corresponding to the time between calculating the intermediate value and the farthest time during which the calculation uses the value as initial data.

-enabling a fail-safe mode of operation for a predetermined period of time evaluated by a communication link failure test.

-the process monitoring unit is configured to: permanently disable the passive channel if a difference in the values of the commands calculated by the two channels is detected immediately after the end of the fail-safe mode of operation.

-when one of the two channels is waiting to receive a measurement from the other channel, the other channel performs in advance the next predetermined calculation that does not require any measurement from the second channel, which is not used at this time.

The invention has several advantages.

The availability of redundancy is improved by increasing robustness to transient failures of the link. This also helps to provide better protection in the face of catastrophic and dangerous risks.

The availability of the computer in maintenance is increased by facilitating troubleshooting and reducing the proportion of computers that are removed with no fault confirmed or removed in error.

The probability of in-flight engine shutdown associated with a failure of one of the two channels of the control device is improved.

Drawings

Other characteristics, objects and advantages of the invention will become apparent from the following description, which is purely illustrative and non-limiting and must be read with reference to the accompanying drawings, in which:

Fig. 1 illustrates an example of an apparatus for controlling an engine including two channels according to an embodiment of the present invention;

Fig. 2 shows an exemplary embodiment of a processing unit of the control device according to the present invention;

Fig. 3 to 5 schematically illustrate the process steps implemented in the control device.

Throughout the drawings, similar elements have the same reference numerals.

Detailed Description

Fig. 1 shows an example of an apparatus for controlling an engine according to an embodiment of the present invention. Preferably, the engine is an engine of an aircraft, for example a turbine.

The control device comprises two control channels: a first control channel V1 and a second control channel V2.

Each control channel V1, V2 enables a command or setpoint $C_{V1}$, $C_{V2}$ to be calculated to drive at least one actuator ACT. In operation, only one of the two channels drives the actuator ACT. It is the active channel. The other channel is considered passive and can replace the active channel if it fails.

Each control channel V1, V2 receives the input parameter A, B to be measured and calculates a command to the actuator ACT on the basis thereof. These parameters are for example: temperature, etc.

In the example shown in fig. 1, each channel receives two different parameters A, B to be measured, each channel measuring the same parameters. In particular, for each channel V1, V2, these parameters are measured by different or identical sensors:

-for the first channel V1: the first measurement MAV1 of the first quantity A is measured by the first sensor CAV1 and the second measurement MBV1 of the second quantity B is measured by the second sensor CBV1.

-for the second channel V2: the first measurement MAV2 of the first quantity A is measured by the first sensor CAV2 and the second measurement MBV2 of the second quantity B is measured by the second sensor CBV2.

The sensors used depend on the measured variable: temperature sensors for temperature, etc.

To determine the command $C_{V1}$, $C_{V2}$, each channel performs a certain number of processing operations on the measurements taken.

In particular, each channel comprises a merging unit UC1, UC2, so that the data measured by the sensors of each of the two channels can be unified by the merging process (for example by averaging the values measured by the sensors of each of the two channels).

It is understood that data exchange is performed between the channels V1, V2 via the inter-channel communication link LCOM.

For each channel, the combined result is then used by the processing units UT1, UT2, which calculate the setpoint $C_{V1}$, $C_{V2}$ for the actuator ACT.

Advantageously, the processing units UT1, UT2 may use commands calculated at one or more previous calculation times and intermediate results calculated at one or more previous calculation times as input data. In this case, the processing unit may include a first calculation module MOD1 and a second calculation module MOD2: one of the first and second calculation modules performs a first portion of the calculation and the other performs a calculation that requires an intermediate calculation that was previously performed (see fig. 2). The data from the first module is retrieved by the second module after a delay of typically 1 to 4 computation times.

Under normal operating conditions, the setpoints $C_{V1}$, $C_{V2}$ calculated by each channel are the same. To ensure that this is true, each channel also includes a monitoring unit US1, US2, responsible for checking whether the calculated commands $C_{V1}$, $C_{V2}$ are exactly the same. In order to be able to compare the calculated commands, the monitoring units US1, US2 receive the commands calculated by the channel to which they belong and the commands calculated by the other channel via the communication links LVER2, LVER1.

When a difference between the two calculated commands $C_{V1}$, $C_{V2}$ is detected, the self-test mechanism of the processing units UT1, UT2 makes it possible to identify where the error may come from and to disable one of the channels, in which case the disabled channel does not pass its information on to the other channel. In this case, a channel to be in an "active" state or a "passive" state may be selected and the channel in the "passive" state may be disabled.

This is because, as described herein, each of the control channels V1, V2 has an "active" or "passive" status indicator. This enables determination of which channel is effectively controlling the actuator ACT of the engine. These states are mutually exclusive: the two channels V1, V2 cannot be in the same state, one must be active and the other passive.

On the other hand, if the self-test mechanism of the processing unit does not detect the source of the error, the passive channel is always disabled. The redundancy it provides is then lost. As will be appreciated, when this occurs, a channel that has no fault may be disabled, since the problem may come from the at least one inter-channel communication link LCOM.

Thus, instead of disabling the passive channel, and on the assumption that the problem comes from the inter-channel communication link LCOM, the control device provides a fail-safe operation mode in which commands calculated by the processing units UT1, UT2 are transmitted. In particular, the transmission is from the active channel to the passive channel. When the calculation performed by the processing unit is based on the result of the calculation in the previous time increment, this makes it possible to unify the input data of the calculation units of the two channels, so that the commands converge after a certain number of time increments.

Advantageously, the calculation time of the processing unit is limited to a duration t, for example between 5 and 50 milliseconds, typically t = 15 milliseconds; exceeding this duration causes an anomaly of the processing unit, and the channel involved in the anomaly is disabled. Attention must therefore be paid to the computational load placed on the processing unit. In case of a break of the communication link between the channels V1, V2, the re-establishment of the inter-channel communication link LCOM must be followed by the mechanism for transmitting the calculated commands, to ensure the re-convergence of the calculation. This results in additional computational load on the processing unit. It is therefore necessary to optimize the duration of the exchanges and the ordering of the calculations to comply with the time constraints of the processing units.

Exemplary embodiment of a fail-safe operation of a control device according to a preferred embodiment of the invention

Such an example is shown in fig. 3 to 5. The example shown considers only the calculation at the previous time increment $t = i-1$.

In this example, let

$$C_{V1}(0) = C_{V2}(0)$$

As long as the system does not have any failures in the inter-channel links, the calculations will proceed as shown in fig. 3. Further, in this example, channel V1 is the active channel, while channel V2 is the passive channel.

To determine, at time increment $t = i$, the command applied to the actuator ACT, the calculation is based on data measured by the sensors associated with the control channels. In one simplified example, the following calculations are performed:

$$C_{V1}(i) = C_{V1}(i-1) + \mathrm{average}(i)$$

$$C_{V2}(i) = C_{V2}(i-1) + \mathrm{average}(i)$$

Wherein:

This corresponds to fig. 2, where the operators OP1, OP2 are, for example, the sum of the two terms taken as input. Other operators are also contemplated.

It is evident here that, with the calculation described above, in the nominal operating mode, if the following holds at the previous calculation increment:

$$C_{V1}(i) = C_{V2}(i)$$

then, at the current calculation increment, the following equation is indeed verified:

$$C_{V1}(i+1) = C_{V2}(i+1)$$

On the other hand, when an inter-channel communication link interruption occurs at time $j$, the merging units are no longer able to exchange the data measured by the sensors connected to their respective channels. The processing unit then performs the calculations as shown in fig. 4: each of the two channels performs the calculation (here the average) given previously in the merging step. Thus, the processing units perform the following calculations:

$$C_{V1}(j) = C_{V1}(j-1) + MAV1(j) + MBV1(j)$$

$$C_{V2}(j) = C_{V2}(j-1) + MAV2(j) + MBV2(j)$$

However, in practice, the same kind of data measured by the sensors of each of the two channels is always different (which is why merging is necessary). This gives:

$$MAV1(j) + MBV1(j) \neq MAV2(j) + MBV2(j)$$

and in this case the commands calculated by the two channels are no longer the same:

$$C_{V1}(j) \neq C_{V2}(j)$$

This difference in the calculated commands is detected as an error by the monitoring unit. Furthermore, even if the link is re-established, the results of the previous calculations differ, so the calculated commands remain different from one channel to the other.

To alleviate this problem, the solution comprises: when the link is re-established at time $k$, the result calculated by the active channel (channel V1 in this example) is sent to the passive channel (channel V2 in this example), as shown in fig. 5. The calculations made here are as follows:

$$C_{V1}(k+1) = C_{V1}(k) + \mathrm{average}(k+1)$$

$$C_{V2}(k+1) = C_{V1}(k) + \mathrm{average}(k+1)$$

Thus:

$$C_{V1}(k+1) = C_{V2}(k+1)$$

Note that command $C_{V1}$, $C_{V2}$ is equivalent to the re-establishment of the inter-channel communication link LCOM.
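The three situations walked through above (nominal merging, divergence while LCOM is down between increments j and k, and restart of the passive channel from the active channel's command once the link is back), as an added C simulation that is not part of the patent text. The sensor counts, the `merged()` formula (the page does not define its average), the suspension of the comparison from j to k and the `fault_from` parameter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define STEPS    8
#define NO_FAULT STEPS                      /* fault_from value meaning "healthy V2" */

typedef struct { int ma, mb; } meas_t;      /* measurements of quantities A and B */
typedef struct {
    int  c_v1[STEPS], c_v2[STEPS];          /* commands of V1 (active) and V2 (passive) */
    bool passive_disabled;                  /* verdict of the monitoring unit */
    int  disabled_at;                       /* increment of the verdict, -1 if none */
} trace_t;

/* Constructed sensor counts: the two channels never read exactly the same. */
static const meas_t M_V1[STEPS] = {{0,0},{10,4},{12,4},{14,6},{16,6},{18,8},{20,8},{22,10}};
static const meas_t M_V2[STEPS] = {{0,0},{12,6},{14,6},{16,8},{18,8},{20,10},{22,10},{24,12}};

/* Assumed merge: per-quantity mean over both channels. It is symmetric, so
 * both channels obtain the same value from the same exchanged data. */
static int merged(meas_t x, meas_t y) {
    return (x.ma + y.ma) / 2 + (x.mb + y.mb) / 2;
}

/* LCOM is down for increments j <= i < k and back at k.
 * failsafe:   true = passive channel restarts from C_V1(k) at k+1 and the
 *             comparison is suspended from j to k; false = no resync.
 * fault_from: first increment at which V2's processor adds an error of 1. */
static trace_t simulate(int j, int k, bool failsafe, int fault_from) {
    trace_t t = { .passive_disabled = false, .disabled_at = -1 };
    t.c_v1[0] = t.c_v2[0] = 0;              /* C_V1(0) = C_V2(0) */
    for (int i = 1; i < STEPS; i++) {
        bool link_up = (i < j || i >= k);
        int prev_v2 = t.c_v2[i - 1];
        if (failsafe && i == k + 1)
            prev_v2 = t.c_v1[i - 1];        /* C_V1(k) sent by the active channel */
        /* Without the link each channel only has its own two measurements. */
        int in_v1 = link_up ? merged(M_V1[i], M_V2[i]) : M_V1[i].ma + M_V1[i].mb;
        int in_v2 = link_up ? merged(M_V2[i], M_V1[i]) : M_V2[i].ma + M_V2[i].mb;
        t.c_v1[i] = t.c_v1[i - 1] + in_v1;
        t.c_v2[i] = prev_v2 + in_v2 + (i >= fault_from ? 1 : 0);
        /* Monitoring unit: compares only when commands can be exchanged. */
        bool suspended = failsafe && i >= j && i <= k;
        if (link_up && !suspended && !t.passive_disabled && t.c_v1[i] != t.c_v2[i]) {
            t.passive_disabled = true;
            t.disabled_at = i;
        }
    }
    return t;
}

static void report(const char *name, trace_t t) {
    printf("%-24s C_V1(7)=%d C_V2(7)=%d passive disabled at: %d\n",
           name, t.c_v1[STEPS - 1], t.c_v2[STEPS - 1], t.disabled_at);
}

int main(void) {
    report("no resync, healthy V2", simulate(3, 5, false, NO_FAULT));
    report("fail-safe, healthy V2", simulate(3, 5, true,  NO_FAULT));
    report("fail-safe, faulty V2",  simulate(3, 5, true,  3));
    return 0;
}
```

With the resync, a healthy passive channel survives the outage, while a passive channel whose processor is actually faulty still differs at k+1 and is the one that gets disabled.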

Examples of possible implementations

As an example, the processing unit of each of the two channels may be divided into two modules MOD1, MOD2, as shown in fig. 2. In this case, the calculation is performed based on a plurality of previous results. More precisely, the calculation uses the results of the previous 4 commands and the intermediate results resulting from the previous 3 calculations. In this case, it is therefore necessary to exchange commands calculated over a plurality of calculation times, while optimizing as much as possible the duration of these exchanges (the exchanges consuming part of the calculation time). These must be performed in as short a time as possible:

-when one or more previous commands are used as input to the processing unit after a delay time $r_1$ (measured in number of calculation times), the command must be transmitted from the active channel to the passive channel during an amount of computation time equal to the duration of the link interruption,

-when one or more previous intermediate results are used after a delay time $r_2$, the command must be transmitted from the active channel to the passive channel during $r_2$ calculation increments.

Furthermore, in order to meet the real-time system requirements specific to any on-board control device, the duration of each cycle cannot exceed a predetermined duration, for example 15 ms, and it is therefore necessary to optimize the sequence of the added operations to continue to comply with this constraint. To this end, the order of tasks performed by the processing unit is modified in order to perform calculations while the processing unit is waiting to receive data over the data link. In this way, computation time can be saved in the following cases:

-in the nominal operating mode, without any fault;

-in a fail-safe mode of operation, during a communication failure;

-in a fail-safe mode of operation, during data exchange from the active channel to the passive channel after the inter-channel link is restored.

Thus, the saved computation time enables adherence to the required time limits and enables the execution of additional self-tests to detect the failure of the components of one of the two channels.
