UNIQUE DEPENDABILITY ISSUES FOR COMMERCIAL AIRPLANE FLY BY WIRE SYSTEMS


Ying C. (Bob) Yeh
Boeing Commercial Airplanes, Seattle, WA, USA
ying.c.yeh@boeing.com

Abstract: The fundamental concept of dependability is applied to the design of commercial airplane FBW systems, beyond the lessons learned from the NASA FBW and industry/military FBW research and development projects. The considerations of generic errors and common mode failures play an important role in configuring commercial airplane FBW system architectures and the FBW computer architectures.

Key words: Dependability, Fly-By-Wire (FBW)

1. INTRODUCTION

The NASA FBW projects provide the fundamental framework for the functional integrity and functional availability requirements [1], [2] for the FBW computers. The Byzantine Generals Problem [3] and its solutions are illustrated in [1], [3], [4]. Further, the lessons learned from the military FBW project [5] and other industry/academic experience in dealing with generic faults [6], near-coincident faults [7], and design paradigms [8] provide ground rules or derived design requirements for the Boeing commercial airplane FBW programs [9], [10], [11]. A tutorial on the fundamental concepts of dependability [12] can be used for the referenced discussions.

Two unique design requirements or design considerations for commercial airplane FBW are those of generic error/fault and common mode failure. The purpose of this article is to describe how these two requirements/considerations play an important role for the commercial airplane FBW computers [13], [14], [15].

2. GENERIC ERROR AND DISSIMILARITY CONSIDERATIONS

The concept of design diversity [16], [17] has played a central role in academic research and its follow-on experiments [18], [19], while the commercial airplane industry has been using dissimilarity for flight critical systems, such as autopilot computers, and in FBW research. The experiments [18], [19] influenced the final decision for the 777 FBW system design [13]. The Airbus [15] and Boeing FBW computer design considerations for generic errors and dissimilarity have been studied [20] and can be summarized as follows.

Two types of computers are used in the A320 FBW system: the ELAC (Elevator and Aileron Computers) and the SEC (Spoiler and Elevator Computers). The ELAC is produced by Thomson-CSF using the Motorola 68010 processor, and the SEC is produced by SFENA/Aerospatiale using the Intel 80186 processor. Each computer consists of two channels: a control channel and a monitor channel. The software of the control channel, and its programming language, are different from those of the monitor channel. Likewise, the software of the ELAC is different from that of the SEC. Thus, at the software level, the architecture leads to the use of 4 software packages.

Two types of computers are also used on the A340: the PRIM (primary computers) and the SEC (secondary computers). The basic design philosophy is similar to that of the A320. The PRIM uses Intel 80386 processors with a difference in software: the control channel is programmed in Assembler, while the monitor channel is programmed in PL/M. The SEC uses Intel 80186 processors; Assembly language is used for the control channel, and Pascal for the monitor channel. Also for dissimilarity reasons, only the PRIM computer is coded automatically (the SEC being coded manually), and the PRIM automatic coding tool has two different code translators, one for the control channel and another for the monitor channel. In addition to the ELAC and SEC of the A320, two computers are used for rudder control (FAC). On the A330 and A340 FBW, these rudder control functions are integrated in the PRIM and SEC.

An overview of the Boeing 777 Primary Flight Control System (or FBW) is depicted in Figure 1. The Boeing FBW system design considerations [13] extend the concept of triple hardware resources (hydraulics, airplane electrical power, FBW ARINC 629 buses) to triple dissimilar processors and their Ada compilers, to construct the triple-triple redundant PFC (primary flight computer) [14]. Further, dissimilarity is invoked in the design and implementation of the PFC system wherever it is judged to be a necessary feature to satisfy the critical minds of Boeing engineers. The design diversity issue [11] is integrated into the system design issue of dealing with all possible errors for a complex flight control system, as experienced at Boeing and in industry/academia.

3. COMMON MODE FAILURE AND SINGLE POINT FAILURE

Common mode or common area faults [21] are considered for multiple redundant systems such as the FBW. Airplane susceptibility to common mode and common area damage is addressed by designing the systems to both component and functional separation requirements. This includes criteria for providing installations resistant to maintenance crew error or mishandling, such as the following:

- impact of objects
- electrical faults
- electrical power failure
- electromagnetic environment
- lightning strike
- hydraulic failure
- structure damage
- radiation environment in the atmosphere
- ash cloud environment in the atmosphere
- fire
- rough or unsafe installation and maintenance

The single point failure consideration is integrated into the safety requirements. For instance, the derived 777 PFC safety requirements include numerical and non-numerical requirements, as follows. Safety requirements apply to PFC failures which could preclude continued safe flight and landing, and include both passive failures (loss of function without significant immediate airplane transient) and active failures (malfunction with significant immediate airplane transient). The numerical probability requirements are both 1.0E-10 per flight hour, for the functional integrity requirement (relative to active failures affecting 777 airplane structure) and for the functional availability requirement (relative to passive failures).

Figure 1. 777 Primary Flight Control System

The PFC is designed to comply with the following non-numerical safety requirements:

a) No single fault, including common mode hardware fault, regardless of probability of occurrence, shall result in an erroneous (assumed active failures for the worst case) transmission of output signals without a failure indication.

b) No single fault, including common mode hardware fault, regardless of probability of occurrence, shall result in loss of function in more than one PFC channel.

An extensive validation process [22] is undertaken to comply with the 777 Flight Controls certification plan approved by the certification agencies, and to satisfy the critical minds of Boeing engineers.

4. SUMMARY DISCUSSION: SIMPLEX DIRECT MODE CONTROL

The virtue of simplicity [23] is not lost on the complex FBW systems, given the extremely stringent numerical and non-numerical safety requirements and the considerations of generic errors, common mode failure, and single point failure. The 777 Primary Flight Control Modes are shown in Table 1. The Direct Control mode provides a simplex control law in the event of known or unknown combinations of generic errors and common mode failure, or in the event of a pilot decision to engage the PFC Disconnect Switch for whatever reason.
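The following is an added illustration, not code from Yeh's paper nor from any Boeing or Airbus system, of three ideas the paper develops: the control/monitor channel pairing of Section 2 (two dissimilar implementations of one control law cross-compared inside each channel), the two non-numerical requirements of Section 3 (a detected fault withdraws a channel's output with an indication rather than transmitting an erroneous value, and a single fault takes out at most one channel), and the simplex Direct Mode fallback of this section. The control laws, channel names, comparison tolerance, latching of a failed channel and the "at least two valid channels for Normal Mode" threshold are all constructed assumptions for the example; the page gives none of these details.

```python
# Added example (not from Yeh's paper or any Boeing/Airbus code): a toy model of
# control/monitor channels, fail-passive behaviour, mid-value voting and the
# simplex Direct Mode fallback. Control laws, channel names, tolerance, latching
# and the Normal Mode threshold are constructed assumptions for illustration.
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List, Optional

# Two dissimilar implementations of one constructed Normal Mode control law:
# surface = 2 * pilot_command - 0.5 * pitch_rate. The arithmetic is written
# differently on purpose, standing in for separately written code bases.
def normal_law_control(pilot: float, pitch_rate: float) -> float:
    return 2.0 * pilot - 0.5 * pitch_rate

def normal_law_monitor(pilot: float, pitch_rate: float) -> float:
    return (pilot + pilot) - pitch_rate / 2

# Direct Mode: simplex law, the pilot command is passed straight to the surface.
def direct_law(pilot: float, pitch_rate: float) -> float:
    return pilot

@dataclass
class ChannelOutput:
    value: Optional[float]  # None once the channel has withdrawn its output
    valid: bool             # the failure indication seen by the voter

class CommandMonitorChannel:
    """One channel: a control lane and a monitor lane compute the output
    independently and cross-compare. A mismatch makes the channel fail
    passive: it latches failed and withdraws its output with an indication,
    instead of transmitting an erroneous value without indication."""

    def __init__(self, name: str, tolerance: float = 1e-6) -> None:
        self.name = name
        self.tolerance = tolerance
        self.failed = False  # latched; assumption: no in-flight reset

    def compute(self, pilot: float, pitch_rate: float,
                fault: Optional[Callable[[float], float]] = None) -> ChannelOutput:
        if self.failed:
            return ChannelOutput(None, False)
        control = normal_law_control(pilot, pitch_rate)
        monitor = normal_law_monitor(pilot, pitch_rate)
        if fault is not None:
            control = fault(control)  # injected fault in the control lane only
        if abs(control - monitor) > self.tolerance:
            self.failed = True
            return ChannelOutput(None, False)
        return ChannelOutput(control, True)

def mid_value_select(outputs: List[ChannelOutput]) -> Optional[float]:
    """Median of the valid channel outputs (mean of two, or the single value)."""
    valid = [o.value for o in outputs if o.valid]
    return median(valid) if valid else None

class PrimaryFlightComputers:
    NORMAL = "normal"
    DIRECT = "direct"

    def __init__(self, names=("left", "center", "right"),
                 min_valid_for_normal: int = 2) -> None:
        self.channels = [CommandMonitorChannel(n) for n in names]
        self.min_valid_for_normal = min_valid_for_normal  # assumed threshold

    def step(self, pilot: float, pitch_rate: float,
             faults: Optional[Dict[str, Callable[[float], float]]] = None):
        faults = faults or {}
        outputs = [ch.compute(pilot, pitch_rate, faults.get(ch.name))
                   for ch in self.channels]
        valid_flags = [o.valid for o in outputs]
        if sum(valid_flags) < self.min_valid_for_normal:
            return self.DIRECT, direct_law(pilot, pitch_rate), valid_flags
        return self.NORMAL, mid_value_select(outputs), valid_flags

def demo():
    """Constructed fault sequence; returns (mode, surface, valid flags) per step."""
    pfc = PrimaryFlightComputers()
    results = [pfc.step(1.0, 0.0)]  # healthy: Normal law, all channels valid
    # A fault in the left control lane: the left monitor catches it and the
    # channel withdraws; the erroneous value never reaches the voter and the
    # two remaining channels keep Normal Mode.
    results.append(pfc.step(1.0, 0.0, {"left": lambda v: v + 5.0}))
    # A second, independent fault takes out the center channel: one valid
    # channel is below the threshold, so the system reverts to Direct Mode.
    results.append(pfc.step(1.0, 0.0, {"center": lambda v: 0.0}))
    # Latched channels stay out even after the injected faults are gone.
    results.append(pfc.step(1.0, 0.0))
    return results

if __name__ == "__main__":
    for mode, surface, flags in demo():
        print(f"mode={mode:6s} surface={surface:.2f} valid={flags}")
```

The point of the structure is that the voter never has to decide whether a channel's number is wrong: each channel's own monitor lane makes that call and the channel reports itself invalid, which is what requirement a) asks for, and because the comparison is local to a channel, one fault can only remove one channel, which is requirement b). The mode switch at the system level is then a simple count of valid channels, deliberately kept as plain as the Direct Mode law it falls back to.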

The 777 Actuator Control Electronics Architecture is shown in Figure 2. The hardware circuitry for the Direct Mode control function in the ACE is designed to be as simple as possible. Further, the hardware system architectures residing in all critical LRUs supporting the Normal Mode function are designed to be fail-passive, so that the ISM (input signal management function) can direct/fail to the default condition of Direct Mode control.

REFERENCES

[1] J.H. Wensley et al., "SIFT: Design and Analysis of a Fault Tolerant Computer for Aircraft Control", Proceedings of the IEEE, Vol. 66, No. 10, October 1978.
[2] A.L. Hopkins Jr., T.B. Smith III, and J.H. Lala, "FTMP: A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft", Proceedings of the IEEE, Vol. 66, No. 10, October 1978.

Figure 2. 777 Actuator Control Electronics Architecture

[3] L. Lamport, R. Shostak, and M. Pease, "The Byzantine Generals Problem", ACM Trans. on Programming Languages and Systems, Vol. 4, No. 3, July 1982.
[4] R. Kieckhafer, C. Walter, A. Finn, and P. Thambidurai, "The MAFT Architecture for Distributed Fault Tolerance", IEEE Trans. on Computers, 37(4):398-405, 1988.
[5] J.H. Watson, W.J. Yousey, A.M. Arabian, and T.M. Schindler, "Lessons Learned from Development of AFTI/F-16 Digital Flight Control System", 5th Digital Avionics Systems Conference, Seattle, Washington, 1983.
[6] S.S. Osder, "Generic Faults and Architecture Design Considerations in Flight-Critical Systems", AIAA Journal of Guidance, Vol. 6, No. 2, March-April 1983.
[7] J. McGough, "Effects of Near-Coincident Faults in Multiprocessor Systems", Fifth AIAA/IEEE Digital Avionics Conference, October 1983.
[8] A. Avizienis, "A Design Paradigm for Fault-Tolerant Systems", AIAA Computers in Aerospace Conference, October 1987, Paper 87-2764.
[9] R.J. Bleeg, "Commercial Jet Transport Fly-By-Wire Architecture Consideration", Ninth AIAA/IEEE Digital Avionics Conference, October 1988.
[10] J. McWha, "777 Systems Overview", RAeS Presentation, November 1993.
[11] Y.C. Yeh, "Design Considerations in 777 Fly-By-Wire Computers", 3rd IEEE International High-Assurance Systems Engineering Conference, Washington, DC, October 1988.
[12] A. Avizienis, J.-C. Laprie, and B. Randell, "Fundamental Concepts of Dependability", Research Report NO1145, LAAS-CNRS, April 2001.
[13] Y.C. Yeh, "Dependability of the 777 Primary Flight Control System", in Dependable Computing for Critical Applications (DCCS-5), Dependable Computing and Fault-Tolerant Systems, 10, pp. 3-17, IEEE Computer Society Press, 1998.
[14] Y.C. Yeh, "Triple-Triple Redundant 777 Primary Flight Computers", 1996 IEEE Aerospace Applications Conference, February 1996.
[15] D. Briere and P. Traverse, "AIRBUS A320/A330/A340 Electrical Flight Controls: A Family of Fault-Tolerant Systems", in FTCS-23, pp. 616-23, IEEE Computer Society Press, 1993.
[16] A. Avizienis, "Design Diversity: the Challenge of the Eighties", FTCS-12, pp. 44-45, June 1982.
[17] A. Avizienis and J.P.J. Kelly, "Fault Tolerance by Design Diversity: Concepts and Experiments", Computer, August 1984.
[18] A. Avizienis, M.R. Lyu, and W. Schutz, "In Search of Effective Diversity: A Six-Language Study of Fault-Tolerant Flight Computer Software", FTCS-18, 1988.
[19] J.C. Knight and N.G. Leveson, "An Experimental Evaluation of the Assumption of Independence in Multiversion Programming", IEEE Trans. on Software Engineering, January 1986.
[20] D. Powell, J.P. Blanquart, Y. Crouzet, and J.C. Fabre, "Architecture Approaches for Using COTS Components in Critical Applications", 11th European Workshop on Dependable Computing (EWDC-11), Budapest, Hungary, 2000.
[21] SAE ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, Society of Automotive Engineers.
[22] H. Buss et al., "777 Flight Controls Validation Process", Fourteenth AIAA/IEEE Digital Avionics Systems Conference, November 1995.
[23] L. Sha, B. Goodenough, and B. Pollak, "Simplex Architecture: Meeting the Challenges of Using COTS in High-Reliability Systems", CrossTalk, The Journal of Defense Software Engineering, April 1998.