 METHOD OF PROCESSING AN ERROR DURING THE EXECUTION OF A PREDETERMINED AVIONIC PROCEDURE, COMPUTER PR
专利摘要:
The invention relates to a method of handling an error during the execution of a predetermined avionics procedure, the method being implemented. automatically by a system (10) for detecting and alerting an aircraft, the method comprising, monitoring (46) the operation of one or more avionics device (s) for the aircraft, the monitoring (46) being based on the monitoring (54) a sequence representative of the predetermined avionics procedure in progress, according to the invention, the method further comprises the following steps implemented automatically by the alert detection system of the aircraft: - the detection (48) of a break in said sequence due to an erroneous command and / or to a jump of at least one expected command in accordance with the predetermined avionics procedure during execution , - restitution (50) of at least one piece of information representative of said break in sequence. 公开号:FR3072475A1 申请号:FR1701080 申请日:2017-10-17 公开日:2019-04-19 发明作者:Chris DESEURE;Laurent Flotte 申请人:Thales SA; IPC主号:
专利说明:
Method for handling an error when executing a predetermined avionics procedure, computer program and associated detection and alert system The present invention relates to a method for processing an error during the execution of a predetermined avionics procedure, the method being implemented automatically by an aircraft detection and alert system, the method comprising, the monitoring the operation of one or more aircraft device (s), the monitoring being based on the monitoring of a sequence representative of the predetermined avionics procedure in progress. The invention also relates to a computer program product comprising software instructions which, when implemented by an information processing unit integrated within an aircraft detection and alert system, implements such a treatment method. The invention also relates to an aircraft detection and alert system comprising, a module for monitoring the operation of one or more aircraft avionics device (s), the monitoring module being suitable for being connected to a module for monitoring a sequence representative of a predetermined avionics procedure in progress. The invention applies to the field of avionics, and more particularly to that of detection and alert systems (FWS) for an aircraft, such as an airplane or a helicopter. Conventionally, detection and alert systems have a double utility, namely on the one hand to alert the pilot when an abnormal flight situation occurs, and on the other hand to present to the pilot the procedure or procedures making it possible to treat the failure associated with the abnormal situation to return to a situation under control guaranteeing flight safety and the return to the ground of the aircraft. In current aircraft, the procedures are managed electronically by a procedure management module of the detection and alert system. More specifically, currently such a procedure management module restores one or more avionic procedures to be followed as a function of the flight phase in progress and / or as a function of the abnormal flight situation encountered, each procedure consisting of a series of 'instructions to follow for the smooth running of the procedure. The crew reads the restored procedure (s), and performs the actions (i.e. sends commands) corresponding to each instruction on the avionics devices of the aircraft. The crew then acknowledges each instruction carried out, or according to an alternative variant, the detection and alert system is capable of monitoring the state of the systems with which the crew interacts and in fact the detection and alert system is itself suitable for making such an acquittal. However, regardless of the case in which such an acknowledgment is handled, the fact remains that if an erroneous action or command is sent to one of the avionics devices, it is currently the crew's responsibility to report the error itself. In other words, current detection and alert systems are unable to detect if an action or command is inappropriate in the context of the procedure being executed. Indeed, current detection and alert systems are only capable of providing continuous monitoring of nominal or degraded states of avionics devices. However, this monitoring does not identify whether the detected condition is suitable for the situation or not. Subsequently, by “inappropriate command” is meant firstly a command error associated with a fault on the part of the crew corresponding to the crew performing an erroneous action in place of the expected action, or the forgetting of an action in the sequence of actions to be performed, and on the other hand a command error associated with a failure of the command interface corresponding for example to the absence or the delay in sending the command corresponding to the action of the crew, the non-correspondence between the command sent and the action of the crew, or even the sending of a multitude of commands while the action of the crew does not required only one. The effects of an erroneous command are variable and more or less easily detectable depending on the criticality of the procedure, the impact of the erroneous command on the performance of the aircraft, the time required to correct the error, the nature error (human, failure of the command interface). The identification of an erroneous command implemented by the crew is therefore not guaranteed and all the more compromised in a situation of stress in the face of an abnormal situation or a high workload (in particular in the event of multiple breakdowns for example ). An object of the invention is therefore to alleviate the errors of detection and human correction of erroneous orders by offering automated assistance (ie devoid of human intervention) to optimize their management and make it possible to improve the security and the serenity of a crew in the event of an abnormal flight situation. For this, the subject of the invention is a method for processing an error during the execution of a predetermined avionics procedure, the method being implemented automatically by an aircraft detection and alert system, the method comprising, monitoring the operation of one or more avionics device (s) of the aircraft, the monitoring being based on monitoring a sequence representative of the predetermined avionics procedure in progress, the method further comprising the following steps implemented automatically by the aircraft detection and alert system: - the detection of a break in said sequence due to an incorrect command and / or a jump of at least one command expected in accordance with the predetermined avionics procedure being executed, - the return of at least one piece of information representative of said break in sequence. According to particular embodiments, the display system includes one or more of the following characteristics, taken in isolation or in any technically possible combination: - the monitoring of the operation of one or more avionics device (s) of the aircraft corresponds to real-time state monitoring of the said avionics device (s), and in which the detection comprises a comparison of the real-time states of one or more avionics device (s) of the aircraft to at least one of the following: - a set of prohibited states, associated with the predetermined avionics procedure, and stored in a first dedicated memory space; - a set of expected states, as a function of the instant of execution of the sequence representative of the predetermined avionic procedure, the set of expected states being stored in a second dedicated memory space; - when the comparison of the real-time states and the set of prohibited states is positive, the representative information restored corresponds to a first alert comprising a first triplet of data respectively representative of: - the predetermined procedure, - the prohibited state detected among the states in real time, and - a command to execute recommended to overcome the detected prohibited state; - when the comparison of the real-time states and the set of expected states is negative, the representative information restored corresponds to a second alert comprising a second triplet of data respectively representative of: - the predetermined procedure, - the expected state missing from the real-time states, and - of a command to execute recommended to compensate for the missing expected state or to reiterate at least one command associated with at least one previous step of the predetermined procedure; - in the first and / or the second dedicated memory spaces, each state respectively prohibited and / or expected is automatically associated with a level of criticality; the monitoring of the operation of one or more avionics devices of the aircraft corresponds to the monitoring of the commands received in real time by the said avionics device (s), and in which the detection comprises a comparison of said commands received in real time with a set of expected commands, as a function of the instant of execution of the sequence representative of the predetermined avionic procedure, the set of expected commands being stored in a third dedicated memory space; - when the comparison of the orders received in real time and of all the orders expected is negative, the representative information restored corresponds to a third alert comprising a third triplet of data respectively representative of - the predetermined procedure, - an unexpected order and / or a missing order among the orders received in real time, and - a command to execute recommended to compensate for the unexpected and / or missing command, and in which the method also includes a time delay of: - the execution of the unexpected command by restitution of a request for confirmation of the unexpected command to the crew, and / or - restitution of the information representative of said break in sequence, by transmission of a request to enter the missing order; - The method comprises a prior step of building a database comprising at least one of said first, second, third dedicated memory spaces, by automatic learning or by implementing an inference engine. The invention also relates to a computer program product comprising software instructions which, when implemented by an information processing unit integrated within an aircraft detection and alert system, implements a treatment method as defined above. The invention also relates to an aircraft detection and alert system, comprising, a module for monitoring the operation of one or more avionics devices of the aircraft and for monitoring a sequence representative of a predetermined avionics procedure in progress, the detection and alert system being capable of processing an error during the execution of the predetermined avionics procedure, and further comprises: - a module for detecting a break in said sequence due to an erroneous command and / or a jump of at least one command expected in accordance with the predetermined avionics procedure being executed, - a module for rendering at least one item of information representative of said break in sequence. The invention and its advantages will be better understood on reading the detailed description which follows of a particular embodiment, given solely by way of nonlimiting example, this description being made with reference to the appended drawings in which: - Figure 1 is a general representation in the form of blocks of the detection and alert system of an aircraft according to the invention; - Figures 2 and 3 are representations of two variants of an aircraft detection and alert system according to a first embodiment of the invention; - Figures 4 to 8 are representations of five variants of an aircraft detection and alert system according to a second embodiment of the invention; - Figures 9 and 10 are flow diagrams respectively of a processing method and a data set associated with an avionics procedure to be used to detect a control error according to a first embodiment; - Figures 11 and 12 are flow diagrams respectively of a processing method and a set of data associated with an avionics procedure to be used to detect a control error according to a second embodiment. Referring to general FIG. 1, the detection and alert system 10 according to the invention firstly conventionally comprises a module 12 for monitoring the operation of one or more avionics device (s) of the aircraft and monitoring a sequence representative of a predetermined avionics procedure in progress. More specifically, such a monitoring module 12 is first of all suitable for implementing a function for calculating alerts and contexts (i.e. procedure monitoring). In particular, to implement such a function, using as inputs the various physical data produced by the avionics devices equipping the aircraft, the monitoring module 12 produces a list of events (alerts, change of flight phase, etc.). .) and also provides the state of the different avionics devices (ie equipment) of the aircraft and the different contexts (flight phases, icing conditions for example) as performed by a conventional detection and alert system based on combinations of mathematical and logical operators. From the alerts and events detected above and also from various pilot inputs entered to navigate within the procedures, such a monitoring module 12 is also suitable for implementing a procedure management function consisting in particular in presenting to the crew the pilot procedure to be carried out in order to allow them to follow its good progress. More precisely, such a presentation consists for example in providing the identifier of the procedure and of the sub-procedure in progress, a sub-procedure being defined as a sequence of actions (ie an ordered sequence of actions) requiring no choice on the part of the crew, indicate, by means of a visual interface (ie playback on a screen) or audio (ie by means of a loudspeaker), the actuator of the aircraft on which the crew must act (which corresponds in English to the "challenge") and also specify the type of action (ie the expected command) to be performed on this actuator (which corresponds in English to the "response") and the associated time constraint to implement such an action. In addition, the monitoring module 12, suitable for implementing such a procedure management function, is also suitable for enabling the crew to acknowledge the actions once they have been carried out. Such an acquittal makes it possible, among other things, to guarantee that the crew will have a correct vision of the state of the procedure in the event of an interruption in the completion thereof (in particular in the event of solicitation from the ground center, for example). Optionally, the monitoring module 12, according to a more automated version, is capable of enabling the crew to carry out the action directly and automatically from the avionics procedure presented. In other words, an avionics procedure in progress depends on the criticality (capable of establishing an inter-event priority level) of the events and alerts detected and also on the choices and actions of the crew. Furthermore, in the event of an event of higher priority than the event associated with the avionics procedure in progress, the monitoring module 12 is capable of interrupting the avionics procedure in progress and automatically presenting an avionics procedure more adapted to the event of higher priority in terms of criticality. The crew remains however free to interact with the monitoring module 12 so as to modify the order of processing of the actions of the procedures via a command interface. According to the present invention, the detection and alert system 10 is specifically capable of handling an error during the execution of the avionics procedure predetermined by the crew, and for this purpose further comprises an automatic detection module 14 ( ie without human intervention) of a break in the sequence due to an incorrect command (for example entered by the crew or resulting from an automaton executing, the sequence associated with the procedure, in place of the crew 22), and / or a jump of at least one command awaited in accordance with the predetermined avionics procedure being executed, and a module 16 for restoring at least one item of information representative of the break in sequence. More specifically, the detection module 14 is capable of implementing an error detection function according to at least two distinct embodiments, depending on whether the error detection is based on the states of the avionic devices once the action or the actions of the acquitted crew (s) as illustrated by the structural variants of detection and alert systems in FIGS. 2 and 3, or depending on whether the error detection is based on the nature of the command (s) received in real time by the crew as illustrated by the structural variants of detection and alert systems in FIGS. 4 to 8. According to a first embodiment, called “detection and recovery” (in English “detect and recover”) as illustrated by FIGS. 2 and 3, the detection module 14 is capable of signaling an erroneous action or an oversight in carrying out a procedure in progress, the avionics procedure being of the “normal” type, namely for example relating to the landing of the aircraft, or else an “abnormal” type procedure relating to the processing of '' failure of an avionics device. To do this, the detection and alert system 10 is capable of being structured according to a first variant into an “integrated structure”, for example multi-instantiated, as shown in FIG. 2, in other words where the majority of the constituent modules of the detection and alert system according to the invention are integrated within the same housing (ie assembly) 17. More specifically, such a detection and alert system 10 comprises an equipment 18 for real-time state monitoring of the avionics device (s) of the aircraft and an equipment 20 for management of avionics procedures, these two equipment 18 and 20 forming the monitoring module 12 previously indicated in relation to FIG. 1. The equipment 18 for monitoring real-time states of the avionics device (s) is capable of providing real-time alerts, events, received commands and states associated with the aircraft avionics devices on the one hand to the equipment 20 for managing avionics procedures, itself suitable for receiving as input the actions of the crew 22, and on the other hand for events and states associated with the avionics devices of the aircraft to the error detection equipment 24, that is to say for detecting a break in the sequence representative of the procedure being executed. Furthermore, the avionics procedure management equipment 20 is capable of supplying the error detection equipment 24 with the identifier of the avionics procedure being executed (or to be executed) as well as the sequence of actions. associated. In other words, according to the variant embodiment of FIG. 2, the error detection equipment 24 constitutes the detection module 14 of FIG. 1. More specifically, the error detection equipment 24 is able to compare, by means of a comparator not shown, real-time states of one or more avionics device (s) of the aircraft to at minus one of the following: - a set of prohibited states, associated with the predetermined avionics procedure, and stored in a first dedicated memory space; - a set of expected states, as a function of the instant of execution of the sequence representative of the predetermined avionic procedure, the set of expected states being stored in a second dedicated memory space. According to the representation of FIG. 2, the first dedicated memory space and the second dedicated memory space are stored within a database 28 of the detection and alert system 10 according to the present invention. In addition, the error detection equipment 24, like the equipment 18 for monitoring states and / or for control received, are both suitable for being connected to the screen 30 of the rendering module 16 of at least information representative of the break in sequence of FIG. 1. According to an alternative embodiment, the screen 30 is an existing screen of the aircraft. According to another variant, the screen 30 is dedicated to the detection and alert system 10 of the invention. In particular, the equipment 18 for monitoring states and / or for command received is suitable for transmitting for restitution on the screen 30 to the crew 22 the alerts, events and states of one or more avionics devices monitored and detected in real time. The error detection equipment 24 is itself capable of restoring representative information, which when the result of comparison of the states in real time and of the set of prohibited states of the database 28 provided by the comparator is positive, corresponds to a first alert comprising a first triplet of data respectively representative of the predetermined procedure, the prohibited state detected among the states in real time, and of a command to execute recommended to remedy the detected prohibited state, or when the result of comparison of the states in real time and of the set of states expected from the database 28 provided by the comparator is negative, corresponds to a second alert comprising a second triplet of data respectively representative of the predetermined procedure, the expected state missing from the real-time states, and a recommended command to execute to compensate for the missing expected state or to repeat at least one command associated with at least one previous state of the predetermined procedure. Subsequently, by "positive", "positive" is meant in terms of comparison, for example, that one of the real-time states of one or more avionics devices is a prohibited state. By "negative", "negative" is meant in terms of comparison, for example, that one of the real-time states of one or more avionics devices does not correspond to an expected state, or that one of the states expected at the instant of execution of the procedure is missing among the real-time states monitored. According to a particular aspect, in the first and / or the second dedicated memory space of the database 28, each state respectively prohibited and / or expected is automatically associated with a level of criticality on which depends the number of events to be monitored and d 'dreaded events more or less important. In the database 28, a level of criticality defined according to a hierarchical classification going from "major" (the lowest level of criticality) to "catastrophic" (the highest level of criticality) through a level of criticality intermediate "dangerous" (in English respectively "major", "hazardous", "catastrophic") is used to classify errors. In relation to FIG. 3, another variant of this first embodiment is shown in which, unlike the structure of the detection and alert system of FIG. 2, the structure of the detection and alert system according to FIG. 3 is “distributed” in at least two separate boxes (ie set) 32 and 34 each comprising 18 A and 18 B equipment for real-time state monitoring of the avionics device (s) of the aircraft. In other words, according to this distributed structure, sets of separate equipment 32 and 34, possibly each multi-instantiated, are implemented to ensure fine segregation making it possible to increase the security level of the detection and alert system 10. According to a second embodiment, called “prevention and recovery” (in English “preclude and recover”) as illustrated by FIGS. 4 to 8, the detection module 14 is able to prevent the realization of a erroneous action resulting from an inappropriate choice of the crew 22 or else from a failure of a fault handling system not shown. Such an embodiment presupposes an overall avionics architecture of the aircraft integrating an automated management system for the avionics devices and by means of which the crew 22 no longer acts directly on the avionics devices of the aircraft. In other words, in such an architecture, all the commands that the crew 22 carries out are triggered via one or more on-board systems (and not directly by the crew 22) capable of sending commands to the external and avionic systems (of the English "utilities"). As for the first embodiment described above, according to the second embodiment, the detection and alert system 10 is also capable of being structured according to two first variants into an “integrated structure”, for example multi-instantiated, as shown in FIGS. 4 and 5, in other words where the majority of the constituent modules of the detection and alert system 10 according to the invention are integrated within the same housing (ie assembly) 40 A on Figure 4 and 40 B in Figure 5. In terms of structure, the integrated detection and alert systems of FIGS. 4 and 5 differ from that of FIG. 2 by the nature of the error detection equipment 36 more specifically specific to the “prevention” embodiment. and recovery ”. Indeed, the error detection equipment 36 is able to compare the commands received in real time, and supplied by the monitoring equipment 18, with a set of expected commands, as a function of the instant of execution of the sequence representative of the predetermined avionic procedure, the set of expected commands being stored in a third dedicated memory space of the database 28. Furthermore, the error detection equipment 36, in the event of a negative comparison of the orders received in real time and of all the orders expected, is capable of acting on the processing of the orders received before their execution by restoring on the screen 30 representative information corresponding for example to a third alert comprising a third triplet of data respectively representative of the predetermined procedure, of an unexpected command and / or of a missing command among the commands received in real time, and d '' a command to execute recommended to compensate for the unexpected and / or missing command. In addition, the error detection equipment 36 is specifically capable of implementing a delay in the execution of the unexpected command by restitution of a request for confirmation of the unexpected command to the crew 22 on the screen 30, and / or a time delay for the restitution of the information representative of the break in sequence, by transmission of a request for inputting the missing command. In relation to FIG. 4, as a function of the action implemented by the crew 22, the error detection equipment 36 is capable of directly delivering the unexpected unexpected order confirmed (ie validated) by the crew 22 and / or the missing command entered by the crew 22 to a control system 38. Such a control system 38 is not necessarily a system controlled as such, for example, it is a gateway ( from the English “gateway”), of the relay type, or of an actuator making it possible to pilot the target avionics device indirectly. As a variant, in relation to FIG. 5, the error detection equipment 36 is suitable for authorizing or not the unexpected command and / or the missing command sent by the crew 22 to the control system 38. In other words, in this architecture of the detection and alert system 10 of the second “prevention and recovery” embodiment, that is, as shown in FIG. 4, the command received corresponds to an expected command is transmitted directly by the detection and alert system 10 to a target control system 38, or, as shown in FIG. 5, the command transmitted directly by the crew 22 to the control system 38 is authorized, or not in the event of a discrepancy with an expected command, by the detection and alert system 10. Thus, in the first case of FIG. 4, the detection and alert system 10 avoids the errors of the crew 22 by transmitting directly only the commands received in accordance with the commands expected from the database 28 or to all less confirmed by the crew 22, and in the second case of FIG. 5, the detection and alert system 10 avoids the crew's errors but also the errors which can be generated during the production of the commands (ie errors due to system failure, not crew error 22. Figures 6 to 8 illustrate different variants of a distributed architecture (i.e. distributed in housings 42, 44 (i.e. sets) distinct (multi-instantiated or not) of the detection and alert system 10 according to the second embodiment. More specifically, the variant of FIG. 6 is the structure distributed in the housings 42A and 44A corresponding to the integrated structure of FIG. 5. FIG. 7 represents an alternative to the distributed architecture of FIG. 6 in the distribution is distributed within the boxes 42B and 44B, and in which the equipment 20 for management of avionic procedures is suitable for centralizing and retransmitting the commands of the crew, via link 45 wireless or wired, to control system 38. The variant of FIG. 8 is, for its part, the structure distributed in the housings 42C and 44C corresponding to the integrated structure of FIG. 5. In other words, according to this structure, it is the equipment 36 for detecting errors which is capable of centralizing and retransmitting the commands received from crew 22. Thus, according to all of the examples of architecture of detection and alert systems 10 illustrated by FIGS. 2 to 8, in comparison with conventional detection and alert systems, the detection and alert system 10 according to the present invention comprises or is suitable for being connected to a database 28 consulted in real time to detect control errors. According to a particular aspect, the implementation of one or other of the two embodiments described above is selectable by means of a selection tool, not shown, of the detection and alert system according to the invention , for example a press button or a switch that can be activated manually or remotely via a radio link. In connection with FIGS. 9 to 12, the method for processing an error during the execution of a predetermined avionics procedure according to the present invention is described below. In general, the method comprises three main steps, namely a step 46 for monitoring the operation of one or more avionics devices of the aircraft, the monitoring 46 being based on monitoring a sequence representative of the predetermined avionics procedure in progress, a step 48 of detecting a break in the sequence due to an erroneous command (for example entered by the crew or resulting from an automaton executing, the sequence associated with the procedure, with the crew seat 22) and / or at a jump of at least one command expected in accordance with the predetermined avionics procedure being executed, and a step 50 of restitution of at least one item of information representative of said break in sequence . Figures 9 and 11 show two embodiments of implementation of the method according to the invention consisting of alternative embodiments of the main steps 46, 48, and 50 previously mentioned. In addition, in general, each avionics procedure is stored and retrieved by the management equipment (i.e. monitoring) of the procedure described above in the form of a sequence of actions that the crew 22 must implement. FIGS. 10 and 12 respectively illustrate a set of data associated with an avionic procedure to be used to detect a control error according to two embodiments of the invention. In connection with FIG. 9, the method is described according to the first embodiment called "detection and recovery" (in English "detect and recover"), the associated detection and alert system of which is illustrated in FIGS. 2 and 3. More specifically, according to this first embodiment, the step 46 of monitoring the operation of one or more avionics device (s) of the aircraft comprises on the one hand a step 52 of monitoring states in time of the avionics device (s) and a step 54 of monitoring a sequence representative of the predetermined avionics procedure in progress. According to this first embodiment, the sequence relates to the list of states of the avionic devices to be monitored as the procedure proceeds. Then, according to this first embodiment, step 48 of detecting a break in the sequence associated with the avionics procedure in progress comprises either a step 58 of comparing the states in real time of one or more devices (s) avionics of the aircraft with a set of prohibited states, associated with the predetermined avionics procedure, and stored in a first dedicated memory space of the database 28 previously described, ie a step 58 of comparing the real-time states of one or more avionics device (s) of the aircraft to a set of expected states, as a function of the instant of execution of the sequence representative of the predetermined avionics procedure, the set of expected states being stored in a second dedicated memory space of the database 28, or even the two comparison steps 58 and 60. According to this first embodiment, step 50 of restitution of at least one piece of information representative of said break in sequence comprises, respectively for each comparison step 58 and / or 60 previously cited: - when the comparison 58 of the real-time states and of the set of prohibited states is positive, the representative information restored corresponds to the restitution 62 of a first alert comprising a first triplet of data respectively representative of the predetermined procedure ( eg an identifier), the prohibited state detected among the real-time states, and a command to execute recommended to overcome the detected prohibited state; when the comparison of the real-time states and of the set of expected states is negative, the representative information restored corresponds to the rendering 64 of a second alert comprising a second triplet of data respectively representative of the predetermined procedure, l 'expected state missing from the real time states, and a command to execute recommended to compensate for the missing expected state or to repeat at least one command associated with at least one previous step of the predetermined procedure. In other words, according to this first embodiment, as the progress of the avionics procedure in progress, when an event occurs on one of the avionics devices monitored, according to the method of invention, access to the knowledge database 28 is operated and monitoring by comparison with the feared events which are linked to it is implemented to ensure the smooth running of the procedure. As soon as one of the feared commands associated with a feared system event is detected, the specific error message is automatically presented to the crew 22 in order to alert them to the fact that they are committing an error and / or a failure to interpret its command is present, and / or to present to the crew the list of the remaining actions to be carried out to remedy this error. Optionally, according to a prior step not shown, for example during the design of the aircraft, the method comprises the construction, for example, by automatic learning (from the English "iearning machine") or by implementing a inference engine from aircraft security analyzes, from the database 28 comprising at least one of the first, second and third dedicated memory spaces mentioned above. More specifically, the database 28 is a knowledge database of the events monitored according to the invention and associated with a predetermined procedure. Security analyzes define the events and combinations of feared events and associate their criticality. In other words, to prevent human and / or machine error, we associate failing states of systems with the commands that may be at their origin. We therefore exclude in fact the internal failures of the system. In relation to FIG. 10, the software structure of the data set associated with a predetermined avionics procedure stored in the database 28, for example an avionics procedure triggered in the event of the loss of an engine on an aircraft corresponding to a twin-engine airplane is shown. The software structure of FIG. 10 is a reference-based structure (ie each type of data is defined there only once for the sake of simplification) and is organized in the form of a logical association, also called dependency tree, between at least five types of data, namely the events to be monitored, the feared events 68 associated, the characteristics 70 of the aircraft associated, the commands 72 associated and the messages 74 returned to the corresponding crew. Such a structure in the form of a reference base makes it possible to avoid redundancy of definition and to ensure consistency between the procedures and the way in which they are monitored. By way of illustration, according to the example of FIG. 10, the events 66 to be monitored are the cutout 76 of the first engine and consequently the detection 78 of the failure of this first engine. When the first engine cuts out 76, the dreaded events 78 associated and considered to be catastrophic, their combination possibly leading to the loss of the aircraft, is one by a cut 80 in the fuel supply of the second engine or a cut 82 of the second engine. When the fuel supply to the second engine is cut 80, two types of avionics characteristics 70 are associated, namely: on the one hand the supply 84 of the second motor by the main pump, which amounts to detecting the state 86 on of the main pump and off of the secondary pump, the associated feared command 72 is then switching off 88 of the main pump and the message associated with the expected action to remedy it 74 is the ignition 90 of the main pump, and on the other hand the supply 92 of the second motor by the secondary pump, which amounts to detection from the state 94 on of the secondary pump and off of the main pump, the associated feared command 72 is then the extinction 96 of the secondary pump and the associated message 74 to remedy this is the ignition 98 of the secondary pump. When the second engine 82 is cut off, two types of avionics characteristics 70 are associated, namely: on the one hand the extinction 100 of the second engine, the associated feared control 72 is then on the one hand the setting 102 of the power lever of the second engine on an idle flight speed (Fl from English “Flight Idle”) and the associated message 74 to remedy this is the re-ignition 104 of the second engine, and on the other hand the setting 106 of the control lever of the second engine on the fuel cut, and the message associated with the expected action 74 is also the re-ignition 108 of the second engine; on the other hand the securing 110 of the second engine, the associated feared command 72 is then of three types: the establishment 112 of the management power of the second engine on the level "maximum continuous thrust" (MOT from English "Maximum Continuous Thrust"), the setting 116 of the power lever of the second engine on an idle flight speed, or the setting 120 of the control lever of the second engine on the fuel cut and the associated message 74 to remedy each of these three types of the dreaded commands 72 is the re-ignition 114, 118, 122 of the second engine. Optionally, such a dependency tree is further conditioned by the flight phase in progress at the time of the execution by the crew 22 of the predetermined procedure so that the avionics characteristics 70 and the associated feared commands 72 are reconfigurable in the database 28 as a function of the flight phase (ie landing, take-off, turn, etc.) The data set associated with an avionics procedure implemented in the event of complete loss of the communication means, also stored in the database 28, is suitable for being organized in a similar manner to the example of FIG. 10 previously described. . The implementation of such a procedure is also major in terms of criticality since it involves an overload of work for the crew. In connection with FIG. 11, the method is described according to the second embodiment called “prevention and recovery” (in English “preclude and recover”), the associated detection and alert system of which is illustrated in the figures. 4 to 8. More specifically, according to this second embodiment, the step 46 of monitoring the operation of one or more avionics device (s) of the aircraft comprises on the one hand a step 123 of monitoring the commands received in time real by the said avionics device (s) of the avionics device (s) and step 54 of following a sequence representative of the predetermined avionics procedure in progress. According to this second embodiment, the sequence relates to the list of commands to be carried out to process the procedure and not the states of the avionic devices associated with the first embodiment. The list of commands associated with a procedure will, for example, be transmitted as follows, specifying the maximum period of time for the implementation of the command: command 1 (engine shutdown 1; motor lockout 1; 30s), command 2 (engine shutdown 1; extinguisher trip 1; 10s), command 3 (engine shutdown 1; engine fire stop control 1; 10s); command 4 (electrical reversion; ignition of the auxiliary power unit (APU in English for “Auxiliary Power Unit”); 10s). Other variants of the description of commands can be used in particular in global and macroscopic form in the event of unambiguity, for example: command 1 (Engine shutdown 1; 50s), command 2 (Electrical reversion; 30s), etc. Then, according to this second embodiment, step 48 of detecting a break in the sequence associated with the avionics procedure in progress comprises a step 124 of comparing the commands received in real time with a set of expected commands , as a function of the instant of execution of the sequence representative of the predetermined avionic procedure, the set of expected commands being stored in a third dedicated memory space of the database 28 previously described. According to this second embodiment, the subsequent restitution step 50 comprises, when the comparison 124 of the orders received in real time and of all the expected orders is negative, a step of formation / restitution 126 of the representative information corresponding to a third alert comprising, for example, a third triplet of data respectively representative of the predetermined procedure, of an unexpected order and / or of a missing order among the orders received in real time, and of a recommended order to be executed to compensate for the unexpected and / or missing order. In addition, the subsequent restitution step 50 also comprises a time delay 128 of the execution of the unexpected command by restitution of a request for confirmation of the unexpected command to the crew, and / or of the restitution of the 'information representative of the break in sequence, by transmission of a request to enter the missing order. In other words, according to this second embodiment, as the commands entered by the crew 22 are detected, the method according to this second embodiment monitors the progress of the execution of the list of commands associated with the avionics procedure to be followed. In case of detection 124 of a command which does not correspond to the procedure, the command is not directly sent to the recipient avionics device, but a confirmation is previously requested from the crew 22 to ensure that the diverging command in question fits his intention well. Similarly, if an expected command identified in the command list associated with the procedure to be followed is not carried out after the time associated with it, the detection 124 implemented according to this second embodiment will raise a message to crew 22 to make sure it's not an oversight. According to a completely automated variant, this second embodiment is particularly suitable for being implemented in addition to automatically trigger / correct the various commands expected in the absence of reaction from the crew 22, and / or to help the crew 22 in a stressful situation, and / or again to control the proper execution of the avionics procedure to be executed, whether it is controlled by the single method according to the invention or else in combination with one or more systems. In relation to FIG. 12, the software structure of the data set associated with a predetermined avionic procedure stored in the database 28 implemented according to this second embodiment is also shown. As indicated previously, this software structure is similar to that implemented according to the first embodiment. For example, in FIG. 12 is also represented according to the second embodiment the dependency tree associated with an avionics procedure triggered in the event of the loss of an engine on an aircraft corresponding to a twin-engine aircraft. In comparison with FIG. 10, the reference tree of FIG. 12 comprises additional avionic characteristics 70 to be monitored linked to the loss of the first engine, these characteristics not being linked to a dreaded event this time but determining the commands 72 expected to monitor, namely: on the one hand, the extinction 130 of the first engine, the associated expected command 72 is then, on the one hand, the setting 132 of the power lever of the first engine on an idle flight speed (F1). and the associated message 74 returned to the crew 22 in order to concretize this action is the shutdown 134 of the first engine, and on the other hand the setting 136 of the control lever of the first engine to (at fuel cut, and the associated message 74 is also the stop 138 of the first engine; on the other hand the setting in safety 140 of the first engine, the associated expected command 72 is then of three types: the establishment 112 of the management power of the first engine on the level "maximum continuous thrust" (MCT) “Maximum Continuous Thrust”), the setting 116 of the power lever of the first engine on an idle flight speed, or the setting 120 of the control lever of the first engine on the fuel cut and the message associated 74 with each of these three types of commands 72 expected is the stop 144, 148, 152 of the first engine. It is thus understood that the present invention proposes at least to allow the detection and the correction of an erroneous action by automatically assisting the crew in the detection of the execution of an erroneous command, by showing them that a break in sequence has occurred in the procedure, if necessary explain to him moreover what is the cause of the break in sequence, and also help the crew to resolve this break (taking into account the priority between the correction of the erroneous action and the need to repeat the procedure). In addition, according to a second embodiment, subject to the implementation of a particular system architecture where the crew does not act directly on the avionics devices to be controlled, the realization of the erroneous command of the crew 22 is suitable for being avoided (ie the erroneous command is filtered) so as to prevent the degradation of flight safety. The present invention thus allows significant time savings in taking into account and correcting the erroneous command by the crew 22.
权利要求:
Claims (10) [1" id="c-fr-0001] 1, - Method for processing an error during the execution of a predetermined avionics procedure, the method being implemented automatically by an aircraft detection and alert system (10), the method comprising, monitoring (46) of the operation of one or more avionics device (s) of the aircraft, monitoring (46) being based on monitoring (54) a sequence representative of the predetermined avionics procedure in progress , characterized in that it further comprises the following steps implemented automatically by the aircraft detection and alert system: - detecting (48) a break in said sequence due to an erroneous command and / or a jump of at least one command expected in accordance with the predetermined avionics procedure being executed, - restitution (50) of at least one piece of information representative of said break in sequence. [2" id="c-fr-0002] 2, - Method according to claim 1, wherein the monitoring (46) of the operation of one or more avionics device (s) of the aircraft corresponds to the monitoring (52) of real-time states of the said avionics device (s), and wherein the detection (48) comprises a comparison (58, 60) of the real-time states of one or more avionics devices (s) of the aircraft to at minus one of the following: - a set of prohibited states, associated with the predetermined avionics procedure, and stored in a first dedicated memory space (28); - a set of expected states, as a function of the instant of execution of the sequence representative of the avionic procedure, the set of expected states being stored in a second dedicated memory space (28). [3" id="c-fr-0003] 3, - Method according to claim 2, in which when the comparison (58) of the real-time states and of the set of prohibited states is positive, the restored representative information (62) corresponds to a first alert comprising a first triplet of data respectively representative of: - the predetermined procedure, - the prohibited state detected among the states in real time, and - a command to execute recommended to overcome the detected prohibited state. [4" id="c-fr-0004] 4. - Method according to claim 2 or claim 3, wherein when the comparison (60) of the real-time states and of the set of expected states is negative, the restored representative information (64) corresponds to a second alert comprising a second triplet of data respectively representative of: - the predetermined procedure, - the expected state missing from the real-time states, and - of a command to execute recommended to compensate for the missing expected state or to reiterate at least one command associated with at least one previous step of the predetermined procedure. [5" id="c-fr-0005] 5. - Method according to any one of claims 2 to 4, in which, in the first and / or the second dedicated memory spaces (28), each state respectively prohibited and / or expected is automatically associated with a level of criticality. [6" id="c-fr-0006] 6. - Method according to claim 1, wherein the monitoring (46) of the operation of one or more avionics device (s) of the aircraft corresponds to the monitoring (123) of the commands received in real time by the or said avionics device (s), and in which the detection (48) comprises a comparison (124) of said commands received in real time with a set of commands expected, according to the instant of execution of the sequence representative of the predetermined avionics procedure, the set of expected commands being stored in a third dedicated memory space. [7" id="c-fr-0007] 7. - Method according to claim 6, wherein when the comparison (124) of the commands received in real time and of the set of expected commands is negative, the representative information restored (126) corresponds to a third alert comprising a third triplet of data respectively representative of - the predetermined procedure, - an unexpected order and / or a missing order among the orders received in real time, and - a command to execute recommended to compensate for the unexpected and / or missing command, and in which the method also includes a time delay (128) of: - the execution of the unexpected command by restitution of a request for confirmation of the unexpected command to the crew, and / or - the restitution of the information representative of said break in sequence, by transmission of a request to enter the missing order. [8" id="c-fr-0008] 8. - Method according to any one of the preceding claims, in which the method comprises a preliminary stage of construction of a database (28) comprising at least one of said first, second, third dedicated memory spaces, by automatic learning or by implementing an inference engine. [9" id="c-fr-0009] 9. - Computer program product comprising software instructions which, when implemented by an information processing unit integrated within an aircraft detection and alert system, implement the treatment method according to any one of the preceding claims. [10" id="c-fr-0010] 10. - An aircraft detection and alert system (10), comprising, a module (12) for monitoring the operation of one or more avionics devices of the aircraft and for monitoring a sequence representative of a predetermined avionics procedure in progress, characterized in that the detection and alert system (10) is capable of handling an error during the execution of the predetermined avionics procedure, and further comprises: - a module (14) for detecting a break in said sequence due to an erroneous command and / or to a jump of at least one command expected in accordance with the predetermined avionics procedure being executed, - a module (16) for rendering at least one piece of information representative of said break in sequence.
类似技术:
公开号 | 公开日 | 专利标题 FR3072475B1|2019-11-01|METHOD OF PROCESSING AN ERROR DURING THE EXECUTION OF A PREDETERMINED AVIONIC PROCEDURE, COMPUTER PROGRAM AND SYSTEM FOR DETECTION AND ALERT FR2940482A1|2010-06-25|DEVICE FOR MANAGING STEERING TASKS CARRIED OUT BY A CREW OF AN AIRCRAFT EP0780746B1|2000-05-10|Monitoring system for a complex system, especially for an aircraft FR3013929A1|2015-05-29|SYSTEM AND METHOD FOR MANAGING DATA TRANSMISSION ON AN AIRCRAFT. CA2755408C|2019-04-23|Air operations assistance method and device necessitating guaranteed navigation and guidance performance FR2978264A1|2013-01-25|AN AUTOMATIC SOFTWARE RECHARGING METHOD AND AN AUTOMATIC SOFTWARE RECHARGING DEVICE FR2970093A1|2012-07-06|METHOD AND DEVICE FOR AUTOMATIC MONITORING OF AIR OPERATIONS REQUIRING GUARANTEE OF NAVIGATION PERFORMANCE AND GUIDANCE FR2966616A1|2012-04-27|METHOD, DEVICE AND COMPUTER PROGRAM FOR AIDING THE DIAGNOSIS OF A SYSTEM OF AN AIRCRAFT USING GRAPHICS OF REDUCED EVENTS FR3027386A1|2016-04-22|METHOD AND DEVICE FOR ASSISTING THE MANAGEMENT OF PROCEDURES, ESPECIALLY TROUBLESHOOTING SYSTEMS OF AN AIRCRAFT. FR3001556A1|2014-08-01|METHOD, DEVICE AND COMPUTER PROGRAM FOR AIDING THE MAINTENANCE OF A SYSTEM OF AN AIRCRAFT USING A DIAGNOSTIC ASSISTING TOOL AND BACK EXPERIENCE DATA FR2901893A1|2007-12-07|Aircraft`s e.g. airbus A320 type civil transport aircraft, control information e.g. commanded roll, monitoring device, has alerting system generating signal when difference between control information is higher than preset threshold value WO2006085028A2|2006-08-17|Test flight on-board processing system and method FR2940480A1|2010-06-25|DEVICE FOR RECONFIGURING A TASK TREATMENT CONTEXT EP2237126A1|2010-10-06|Method of managing alert signals in an aircraft and apparatus therefor FR2960680A1|2011-12-02|ON-BOARD AIRCRAFT SYSTEM FR3044143A1|2017-05-26|ELECTRONIC APPARATUS AND METHOD FOR ASSISTING AN AIRCRAFT DRIVER, COMPUTER PROGRAM EP2549455B1|2014-11-19|Method for reconfiguring a device for monitoring the surroundings of an aircraft CA2951843A1|2017-06-24|Control and monitoring system and method for aircraft equipment FR2954842A1|2011-07-01|Crew i.e. pilot, tasks managing device for controlling aircraft, has selecting unit selecting additional procedures and recorded additional tasks to transmit modified procedures and attributes of tasks to alert management unit KR20140045367A|2014-04-16|System for recommending helicopter engine maintenance FR3001065A1|2014-07-18|CENTRALIZED DEVICE FOR THE AUTOMATIC MANAGEMENT OF THE CONFIGURATION AND RECONFIGURATION OF MULTIPLE SYSTEMS OF AN AIRCRAFT. EP3232417B1|2019-11-06|Protection of the sequencing of an aircraft flight plan WO2007036452A1|2007-04-05|Aircraft failure validation method and system WO2012084613A1|2012-06-28|Centralized maintenance device for aircraft CA2922591A1|2016-09-11|Help system for the implementation of aircraft procedures including a sequence of operations to carried out and associated process
同族专利:
公开号 | 公开日 FR3072475B1|2019-11-01| US10510243B2|2019-12-17| RU2018136340A|2020-04-16| CN109669368A|2019-04-23| US20190114906A1|2019-04-18|
引用文献:
公开号 | 申请日 | 公开日 | 申请人 | 专利标题 FR2940482A1|2008-12-19|2010-06-25|Thales Sa|DEVICE FOR MANAGING STEERING TASKS CARRIED OUT BY A CREW OF AN AIRCRAFT| EP2386054A1|2009-01-06|2011-11-16|The Boeing Company|System and method for cruise monitoring and alerting| US20160216849A1|2015-01-23|2016-07-28|Honeywell International Inc.|Adaptive interface system for confirming a status of a plurality of identified tasks| FR3033637A1|2015-03-11|2016-09-16|Dassault Aviat|ASSISTANCE SYSTEM FOR THE IMPLEMENTATION OF AIRCRAFT PROCEDURES COMPRISING A NARROWING OF DEROULER OPERATIONS AND ASSOCIATED METHOD| US5111400A|1987-03-16|1992-05-05|Yoder Evan W|Automatic integrated real-time flight crew information system| US5050086A|1990-04-30|1991-09-17|The Boeing Company|Aircraft lateral-directional control system| US5894323A|1996-03-22|1999-04-13|Tasc, Inc,|Airborne imaging system using global positioning system and inertial measurement unit data| US6367031B1|1998-12-17|2002-04-02|Honeywell International Inc.|Critical control adaption of integrated modular architecture| US20030182043A1|2002-03-22|2003-09-25|Christiansen Mark David|Smart system seat controller| US7260505B2|2002-06-26|2007-08-21|Honeywell International, Inc.|Method and apparatus for developing fault codes for complex systems based on historical data| US7006032B2|2004-01-15|2006-02-28|Honeywell International, Inc.|Integrated traffic surveillance apparatus| DE602006007825D1|2006-05-16|2009-08-27|Saab Ab|Fault-tolerant control system| US8774986B1|2007-05-31|2014-07-08|Rockwell Collins, Inc|Method, system, and apparatus for takeoff rotation guidance| US7567862B2|2007-08-14|2009-07-28|The Boeing Company|Actuation response oscillation detection monitor| US8185255B2|2007-11-30|2012-05-22|The Boeing Company|Robust control effector allocation| US8930046B2|2011-11-16|2015-01-06|Textron Innovations Inc.|Derived rate monitor for detection of degradation of fuel control servo valves| EP2667366B1|2012-05-25|2017-10-04|The Boeing Company|Conflict detection and resolution using predicted aircraft trajectories| US9527588B1|2012-09-28|2016-12-27|Scott B. Rollefstad|Unmanned aircraft system with active energy harvesting and power management| CN105517893B|2013-08-23|2018-12-18|庞巴迪公司|Abnormal aircraft responds monitor| US9457892B2|2014-02-03|2016-10-04|Airbus Operations |Management interfaces for aircraft systems| EP2916308B1|2014-03-07|2016-05-25|The Boeing Company|An aircraft intent processor| WO2015153727A2|2014-04-02|2015-10-08|Sikorsky Aircraft Corporation|System and method for heatlh monitoring of servo-hydraulic actuators| US9533752B2|2014-07-16|2017-01-03|The Boeing Company|Input congruence system for flight control surfaces| US9463868B2|2015-01-06|2016-10-11|Textron Innovations Inc.|Systems and methods for aircraft control surface hardover and disconnect protection| CN108028717B|2015-09-22|2019-07-16|帕斯卡尔·克雷蒂安|Fault-tolerant optical device| US10232933B2|2015-12-17|2019-03-19|Amazon Technologies, Inc.|Redundant aircraft propulsion system using co-rotating propellers joined by tip connectors| US9940761B2|2016-08-02|2018-04-10|International Business Machines Corporation|Self-driving vehicle sensor fault remediation| US9639087B1|2016-12-06|2017-05-02|Kitty Hawk Corporation|Emergency landing using inertial sensors| US10423504B2|2017-08-04|2019-09-24|The Boeing Company|Computer architecture for mitigating transistor faults due to radiation| FR3072475B1|2017-10-17|2019-11-01|Thales|METHOD OF PROCESSING AN ERROR DURING THE EXECUTION OF A PREDETERMINED AVIONIC PROCEDURE, COMPUTER PROGRAM AND SYSTEM FOR DETECTION AND ALERT|FR3072475B1|2017-10-17|2019-11-01|Thales|METHOD OF PROCESSING AN ERROR DURING THE EXECUTION OF A PREDETERMINED AVIONIC PROCEDURE, COMPUTER PROGRAM AND SYSTEM FOR DETECTION AND ALERT| FR3073966B1|2017-11-21|2019-11-01|Thales|AVIONIC DEVICE AND METHOD FOR TRANSMITTING A DATA MESSAGE FOR AT LEAST ONE RECEIVER ELECTRONIC DEVICE, RECEIVER ELECTRONIC DEVICE, RECEIVING METHOD, AND PROGRAM ...| CN110617743A|2019-09-02|2019-12-27|中国人民解放军总参谋部第六十研究所|Hot start method for target drone aircraft avionics equipment|
法律状态:
2018-10-30| PLFP| Fee payment|Year of fee payment: 2 | 2019-04-19| PLSC| Publication of the preliminary search report|Effective date: 20190419 | 2019-10-31| PLFP| Fee payment|Year of fee payment: 3 | 2020-10-30| PLFP| Fee payment|Year of fee payment: 4 | 2021-10-29| PLFP| Fee payment|Year of fee payment: 5 |
优先权:
[返回顶部]
申请号 | 申请日 | 专利标题 FR1701080A|FR3072475B1|2017-10-17|2017-10-17|METHOD OF PROCESSING AN ERROR DURING THE EXECUTION OF A PREDETERMINED AVIONIC PROCEDURE, COMPUTER PROGRAM AND SYSTEM FOR DETECTION AND ALERT| FR1701080|2017-10-17|FR1701080A| FR3072475B1|2017-10-17|2017-10-17|METHOD OF PROCESSING AN ERROR DURING THE EXECUTION OF A PREDETERMINED AVIONIC PROCEDURE, COMPUTER PROGRAM AND SYSTEM FOR DETECTION AND ALERT| US16/148,834| US10510243B2|2017-10-17|2018-10-01|Method for processing an error when performing a predetermined avionics procedure, related computer program and detection and alert system| CN201811191079.5A| CN109669368A|2017-10-17|2018-10-12|Avionics program execution error processing method, computer program and detection alarm system| RU2018136340A| RU2018136340A|2017-10-17|2018-10-16|METHOD FOR ERROR PROCESSING IN PERFORMANCE OF THE TASKED PROCEDURE FOR THE AVIATION ON-BOARD ELECTRIC EQUIPMENT, THE COMPLIANCE OF COMPUTER PROGRAM AND DETECTION AND ALARM SYSTEM| 相关专利
Sulfonates, polymers, resist compositions and patterning process
Washing machine
Washing machine
Device for fixture finishing and tension adjusting of membrane
Structure for Equipping Band in a Plane Cathode Ray Tube
Process for preparation of 7 alpha-carboxyl 9, 11-epoxy steroids and intermediates useful therein an
国家/地区
|