Boeing 777 Triple Triple Redundant Flight Controller


Fault-tolerance Seminar Summer term 2005 Boeing 777 Triple Triple Redundant Flight Controller Prof. Dr. Polze Renneberg 1

Boeing 777: Table of Contents
- General Remarks/Scope
- Features and Technologies of Boeing 777
- Primary Flight Controller
  - Overview
  - Control Modes
  - Safety Design Constraints
  - Safety Requirements
  - Architecture
- AIMS
- Robust Computing Architecture
- Validation and Verification Process
- Outlook
- Sources

Boeing 777 Flight Controller: General Remarks / Scope
- Restriction on sources due to commercial interests
- Not all details known
- Contradictory statements in different sources
- Use of existing technologies
- ARINC 629 data bus
- Frame Synchronization
- Lynx and CsLEOS RTOS
- Ada programming language

Boeing 777 Flight Controller: Features
- Long-range and high density market
- Serious rival to Airbus A330 and A340
- Twin-Engine 350-450 seat market
- Cargo Capacity
- IFE/PTV in Y Class
- 777-200LR: LHR->SYD Nonstop
  - Constraint: only eastbound with tailwinds in about 20h
- Built in Everett, WA
- First commercial flight in 1995
- Important customers: UAL, ANA, JAL, BA, Singapore Airl., Emirates, ILFC and even Air France, but not LH
- Price: USD 165m to 250m a piece

777 Primary Flight Controller: Technologies
- Fly-By-Wire (FBW)
- 100% electronic flight control system
  - Boeing to catch up with Airbus (Airbus A320)
- Primary Flight Controller (PFC)
- Automatic Landing
- Airplane Information Management System (AIMS)
- Navigational aid, flight indicator

777 Primary Flight Controller: Overview
- Triple Triple Redundancy (TMR) for all hardware resources
- Triple channels with triple dissimilar lanes in each channel
- Computing system, electrical power, hydraulic power, communication path (not engines!)
- Fly-By-Wire (FBW) Flight Control System for Boeing 777
- No heavy mechanical cables
- Powered by three GEC-Marconi primary flight control computers (132k LOC Ada, with 3 different Ada compilers for triple dissimilarity)
- Deferred Maintenance
- Central Computing Element: Primary Flight Controller (PFC)
  - E.g. calculating control surface position commands
- FBW to provide manual and automatic control of electrohydraulic actuators (using electrically transmitted command) of pitch, roll and yaw axes

777 Primary Flight Controller: Overview
- A/D conversion with ACEs (Actuator Control Electronics)
- Data transmission via DATAC bus (ARINC 629)
- TDM, 2 MBits/s, one wordstring in 20 ms
- 120 users (connecting to bus with coupler, one transmission by one terminal at a time in defined time intervals)
- Terminal Controller
  - Demodulator used for checking faults
  - Receiver Circuitry determines which data needed
  - Subsystem Interface
- PFC Cross-Channel and Cross-Lane Data Bus
- Frame Synchronization
- Data Synchronization
- Median Value

777 Primary Flight Controller: Triple Redundancy for PFC
- Three PFCs to provide triple redundant computational channels
- Three internal computational lanes
- Receiving data from three data buses (transmitting only to one bus) via ARINC 629 terminals

777 Primary Flight Controller: Triple Redundancy for ACE
- Time division multiplex ARINC 629 data bus

777 Primary Flight Controller: Control Modes

Control Mode | PITCH | ROLL | YAW

NORMAL MODE
- Pitch: Control C* Maneuver Cmd with Speed Feedback; Envelope Protection; Autopilot; Stall, Overspeed
- Roll: Control Surface Cmd (Augm.); Manual Trim; Fixed Feel; Envelope Protection Bank Angle
- Yaw: Control Surface Cmd (Augm.), Wheel/Rudder Gross; Fixed Feel; Yaw Rate Damper; Gust Suspension; Autopilot; Envelope Protection Thrust Asymmetry Compensation; Autopilot

SECONDARY MODE (Boeing 747)
- Pitch: Control Surface Cmd (Augm.); Flaps Up/Down Gain; Direct Stabilizer Trim; Flaps Up/Down Feel
- Roll: Control Surface Cmd (Augm.); Manual Trim; Fixed Feel
- Yaw: Control Surface Cmd (Augm.), PCU Pressure Reducer; Fixed Feel; Yaw Rate Damper

DIRECT CONTROL (mechanical link)
- Pitch: Control Surface Cmd (Augm.); Flaps Up/Down Gain; Direct Stabilizer Trim; Flaps Up/Down Feel
- Roll: Control Surface Cmd (Augm.); Manual Trim; Fixed Feel
- Yaw: Control Surface Cmd (Augm.), PCU Pressure Reducer; Fixed Feel

777 Primary Flight Controller: Control Modes
- Mode Switching
- Switch to Direct Mode if ACEs detect invalid commands from PFC
  - Analog pilot controller transducer signals for surface commands
  - ACE not to respond to ARINC 629 data bus
- Switch to Secondary Mode if detecting insufficient air data or ACEs in direct mode
- Mode Switching is open to discussion

Primary Flight Controller: Safety Design Constraints
- Common mode / common area faults
- Separation of concerns for FBW (LRU) components
- FBW functional separation
- Dissimilarity
- FBW effect on structure

Primary Flight Controller: Safety Design Constraints
- Common mode / common area faults
  - Impact of objects
  - Structural damage
  - Electrical faults
  - Lightning strike
  - Hydraulic failure
  - Pilot error

Primary Flight Controller: Safety Design Constraints
- Separation of FBW Hardware Units
  - Isolation
  - Separation of electrical and hydraulic line routing through airplane structure
  - Flightdeck equipment and wiring separation and protection from foreign object collision
  - Multiple Equipment Bays
  - LRU (Line Replaceable Units)

Primary Flight Controller: Safety Design Constraints
- Functional Separation
- (L)eft, (C)enter, (R)ight positions of hardware resources
  - Electrical power, flight control ARINC 629 buses, PFCs, ACEs, Hydraulic systems
  - PFCs and ACEs to listen to all 3 ARINC 629 channels
  - L/C/R PFCs and ACEs to transmit to corresponding L/C/R ARINC 629 channel only

Primary Flight Controller: Safety Design Constraints
- Dissimilarity
- Design errors to defeat redundant strategies
- Dissimilar design
- Dissimilar Microprocessor (AMD, Motorola, Intel), Ada Compilers
- ACE Dissimilar Control and Monitor Functions
  - Bypassing ARINC 629 by private bus
- N-Version programming

Primary Flight Controller: Safety Design Constraints
- FBW effect on structure
- Envelope Protection

Primary Flight Controller: Safety Requirements
- Single fault not to lead to erroneous transmission of output signal without failure indication
- Single fault not to result in loss of function in more than one PFC
- Fail-Passive and Fail-Operational Electronics
- "An electronics function is fail-passive if, in the event of a failure, the continued safe flight and landing of an airplane can be maintained by the pilot

Primary Flight Controller: Architecture
- PFC Cross-Lane Data Bus
- Private Bus apart from ARINC 629
- Frame and Data Synchronisation within a PFC channel
  - For tight tracking/monitoring of each lane
- Cross-Lane data transfer to complement other PFC (redundancy)
- Input Data synchronous operation within each PFC channel

Primary Flight Controller: Architecture
- Median Value Select for PFC output commands
- Performed by command lane after calculating surface commands
- Fault blocking through Cross-Lane-Monitoring and lane inhibition via hardware logic
- PFC external resources monitoring
- Terminal Controller (Demodulator, Receiver, Subsystem Interface)
- PFC Cross-Channel Consolidation and Equalization
  - Channel Output Select Function (Terminal Controller)
  - Channel inhibition
- Annunciation of marginal errors to AIMS
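
The median value select and cross-lane monitoring named on this slide, as an added example that is not code from the presentation or from Boeing: three lane commands are voted once per frame and a lane that keeps deviating from the selected value is latched out. The tolerance, the persistence count, the two-lane fallback and all names are assumptions made for illustration, and the inhibit that the slides place in hardware logic is modelled here in software.

```c
#include <stdbool.h>
#include <stdio.h>

#define LANES       3
#define TOLERANCE   0.5 /* assumed: allowed deviation from selected value (deg) */
#define PERSISTENCE 3   /* assumed: consecutive bad frames before lane inhibit */

typedef struct {
    int  strikes[LANES];   /* consecutive out-of-tolerance frames per lane */
    bool inhibited[LANES]; /* latched: lane no longer takes part in selection */
} monitor_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Middle of three values: one wild lane can never be the selected output. */
static double median3(double a, double b, double c) {
    if (a > b) { double t = a; a = b; b = t; }  /* now a <= b */
    if (c < b) b = c;                           /* b = min(b, c) */
    return a > b ? a : b;                       /* max(a, min(b, c)) */
}

/* One frame: select the output, then compare every active lane against it.
 * Returns false when no trustworthy command exists: fewer than two active
 * lanes, or two remaining lanes that disagree (fault cannot be isolated). */
bool vote_frame(monitor_t *m, const double cmd[LANES], double *out) {
    double v[LANES];
    int n = 0;
    for (int i = 0; i < LANES; i++)
        if (!m->inhibited[i]) v[n++] = cmd[i];
    if (n == 3) {
        *out = median3(v[0], v[1], v[2]);
    } else if (n == 2 && absd(v[0] - v[1]) <= TOLERANCE) {
        *out = (v[0] + v[1]) / 2.0;
    } else {
        return false;
    }
    for (int i = 0; i < LANES; i++) {
        if (m->inhibited[i]) continue;
        if (absd(cmd[i] - *out) <= TOLERANCE) m->strikes[i] = 0;
        else if (++m->strikes[i] >= PERSISTENCE) m->inhibited[i] = true;
    }
    return true;
}

int main(void) {
    /* Constructed frames: lane 1 goes hard-over from the second frame on. */
    const double frames[5][LANES] = {{2.0, 2.1, 1.9}, {2.0, 25.0, 2.1},
        {2.0, 25.0, 2.1}, {2.0, 25.0, 2.1}, {2.0, 25.0, 2.1}};
    monitor_t m = {{0}, {false}};
    for (int f = 0; f < 5; f++) {
        double out = 0.0;
        int ok = vote_frame(&m, frames[f], &out);
        printf("frame %d ok=%d out=%.2f lane1_inhibited=%d\n", f, ok, out, m.inhibited[1]);
    }
    return 0;
}
```

The hard-over lane never reaches the output even before it is inhibited, because the median of three ignores a single outlier; the monitor's job is to remove that lane so that a second fault is still detected rather than outvoting the last good lane.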

Airplane Information Management System: Overview
- AIMS (Airplane Information Management System) by Honeywell
- Consists of dual cabinets with all central processing, I/O hardware needed for flight management, flat-panel cockpit displays
- Condition monitoring
- AIMS replaceable units not self-contained
  - Functions gathered in AIMS share processors, memory system, hardware, I/O ports (for economic reasons)
- AIMS communicates with 777 components through 12 data bus networks (11 ARINC 629, 1 optical fiber)

Airplane Information Management System: Digital Processor
- Digital Processor with elements for rapid recovery
- Self-checking pairs processor with Honeywell SAFEbus communication technology
  - Detecting loss of output by master
- If faulted processor module, two copies of processor state data in core
  - Within nanoseconds faulty unit is blocked from generating output
- AIMS can be dispatched with one failed processor or failed I/O module

Boeing 777 Flight Controller: Validation and Verification Process
- Testing of actuating in B757
- Iron Bird (SIL)
- Contained most operational LRUs
- CATIA
- 100% paperless airliner
- Error scenario
- Single/dual engine out, single/dual hydraulics, sensor failures
- Propagation
- ETOPS certification
- Problems in capturing requirements, chaotic change management (esp. with contractors) and detail trap

Boeing 777 Flight Controller: Outlook
- Deferred Maintenance
- Improvement of airplane dispatch reliability (delays, delays)
- Life Cycle Cost: Computer Architectures one level of redundancy beyond requirement
- Operating System
- Lynx RTOS
- CsLEOS Real-Time Operating System from BAE Systems
- Ada programming language
- Boeing 787 Dreamliner

Boeing 777: Sources
- Hess, Richard, Computing Platform Architectures for Robust Operation in the Presence of Lightning and other Electromagnetic Threats, Honeywell, Phoenix, 1997
- Boeing's seventh Wonder, IEEE Spectrum, 1995
- Y.C. Yeh, Design Considerations in Boeing 777 Fly-By-Wire Computers, Boeing, Seattle
- Y.C. Yeh, Triple-Triple Redundant 777 Primary Flight Computer, Boeing, Seattle
- Buus, Henning, 777 Flight Control Validation Process, Boeing, 1995
- Soft sources: Wikipedia, BoeingMedia.com, Airliners.Net

Thank You!!!