
AE3382 Individual Project Automatic Flight Control System Architecture

Table of Contents

ACRONYMS ... v
LIST OF FIGURES ... vii
LIST OF TABLES ... viii
1. INTRODUCTION ... 1
1.1. Background of the Project ... 1
1.2. Evolution of Automatic Flight Control System ... 1
1.3. Revolution with Digital Electronics and Aircraft Systems ... 3
2. OVERVIEW OF AUTOMATIC FLIGHT CONTROL SYSTEMS ARCHITECTURE ... 4
2.1. Inner Loop Stability and Outer Loop Stability ... 4
3. PRINCIPLE FUNCTION AND OPERATION OF THE FLIGHT CONTROL COMPUTER (FCC) ... 6
3.1. Introduction to Flight Control Laws ... 6
3.2. Flight Control Laws Computation and Gain Scheduling ... 7
3.3. Fly-by-wire Flight Control Computer and High Integrity for Failure Survival ... 10
4. SYSTEM PROCESSING AND ARCHITECTURE ANALYSIS: AIRBUS VS BOEING ... 12
4.1. Airbus Flight Control System Architecture: Evaluation of Centralized Flight Control System Operation ... 12
4.1.1. Design Limitation of FCS Architecture in A319/320/321 and Subsequent Developments on Later A330/A340 ... 16
4.2. Boeing Flight Control Computer System Architecture: Evaluation of Distributed Flight Control System Processing ... 18
4.2.1. Reliability Analysis on Number of Lanes per Channel and Operational Capabilities ... 23
4.2.2. Reliability Assessment on k-out-of-n Parallel System Network ... 25
4.3. Flight Control Laws and Graceful Degradation of A330/340 vs B777 ... 27
4.4. Engineering System Analysis of Boeing and Airbus AFCS ... 28
4.5. Databus Analysis and System Efficiency ... 30
5. FAULT TOLERANT SYSTEM ARCHITECTURE ... 32
5.1. Safety and Integrity of Fault Tolerance Systems ... 32
6. THE EVOLUTION OF INTEGRATED MODULAR AVIONICS ... 33

Tissara Tilakaratne K0827514 Page | iii



7. SYSTEM RELIABILITY AND REDUNDANCY CHARACTERIZATION ... 35
7.1.1. Fault Tolerant System Overview ... 36
7.1.2. Approach Techniques to Fault Tolerant System ... 36
7.1.3. Hardware and Software Implementation for Fault Tolerance Computing ... 37
7.2. Software Fault-tolerance Computing ... 38
7.2.1. N-self Checking Software Implementation by Comparison Fault Detection ... 38
7.2.2. N-version Programming ... 39
7.3. Hardware Fault Tolerance System ... 40
7.3.1. Passive (Static) Redundancy Management ... 40
7.3.2. Active (Dynamic) Redundancy Management ... 42
7.3.2.1. Simplified Reliability Analysis on Passive and Active Hardware Redundancy ... 45
7.4. Hybrid Redundancy Management ... 46
8. RELIABILITY SYSTEM ANALYSIS OF BOEING AND AIRBUS FAULT TOLERANT ARCHITECTURE ... 47
9. CONCLUSION ... 49
10. RECOMMENDATION: TRIPLE-DUPLEX REDUNDANCY FOR AIRBUS ... 50
10.1. System Operation Overview ... 50
10.2. Design Consideration and Implementation ... 51
10.3. Practical Issues and Implementation of Voter System ... 52
10.4. Exceptional Handling and Recovery Reconfiguration ... 53
10.5. Design of a Basic Algorithm Circuit and System Implementation ... 54
11. REFERENCES ... 58
12. BIBLIOGRAPHY ... 64
APPENDIX A: MODULAR INTEGRATION OF AIRBUS FCC ... 66
APPENDIX B: BOEING 777 FLIGHT CONTROL PHILOSOPHY ... 67
Functional Description of PFCs ... 68
Function Description of ACE ... 69
APPENDIX C: BOEING 777 PFC FUNCTIONAL DESCRIPTIONS AND LANE AVAILABILITY ... 70
APPENDIX D: FLIGHT CONTROL COMPUTER INTERFACE BOEING AND AIRBUS ... 71
APPENDIX E: INTEGRATED MODULAR AVIONICS ARCHITECTURE ... 73
APPENDIX F: CLASSIC BACKWARD ERROR RECOVERY BLOCK TECHNIQUE ... 79


APPENDIX G: RELIABILITY OF A BLOCK DIAGRAM SYSTEM ... 80
APPENDIX H: REDUNDANCY LEVELING: CUBE CONFIGURATION CONCEPT ... 81
DEFINITION ... 82

ACRONYMS

ACE: Actuator Control electronics

ADC: Air Data Computer.

ADIRU: Air Data Inertial Reference Unit.

AFCS: Automatic Flight control system

AFDS: Automatic Flight Director System

AIMS: Aircraft Information Management system

AP: Autopilot

AMM: Aircraft Maintenance manual

CAS: Control augmented system

CFM: Common Failure Mode

CPM: Core Processor Module

CRC: Cyclic Redundancy Check

FBW: Fly by Wire

FCC: Flight Control Computer

FCS: Flight control system

FCU: Flight Control Unit

FMC: Flight management computer

FMGES: Flight Management Guidance and Envelope system.

FMGS: Flight Management guidance system

FT: Fault Tolerance

H/W: Hardware


ISM: Input signal Management

LRM: Line replaceable Module

LRU: Line replaceable Unit

LSB: Least Significant Bits

MTBF: Mean Time between Failures

MTTF: Mean time to Failure

MSB: Most Significant Bits

MVS: Median Value Selection

PCO: Proposed Command Output

PFC: Primary Flight Control computer

PRIM: Primary Computer

SAS: Stability augmented system

SEC: Secondary computer

SCO: Selected Command Output

SAARU: Standby Attitude and Air Data reference Unit

S/W: Software

TMR: Triple Modular Redundancy


LIST OF FIGURES

FIG 1: SIMPLIFIED BLOCK DIAGRAM AFCS (PALLET E.H.J, 1993, PG 75) ... 4
FIG 2: SINGLE-AXIS AUTOPILOT SYSTEM (AFTER HARRIS.D, 2004) ... 5
FIG 3: OUTER LOOP AND INNER LOOP OF AFCS (AFTER HARRIS.D, 2004) ... 5
FIG 4: PITCH AUTO-STABILISER LOOP (COLLINS R.P.G, PG 116) ... 7
FIG 5: PITCH RATE COMMAND FBW LOOP (COLLINS R.P.G, 2011, PG 199) ... 8
FIG 6: FUNCTION OF A FCC (JENIE. D AND BUDIYONO. A, 2006) ... 9
FIG 7: BASIC ELEMENT OF FBW (COLLINS R.P.G, 2011) ... 10
FIG 8: CENTRALIZED ARCHITECTURE OF AIRBUS (AFTER GAUTREY. J, 1996) ... 12
FIG 9: AIRBUS FCC (SOMMERVILLE. I, 2000) ... 13
FIG 10: AIRBUS CENTRALIZED FLIGHT CONTROL SYSTEM ARCHITECTURE (COLLINS R.P.G, 2011) ... 14
FIG 11: AIRBUS A330/A340 FLIGHT CONTROL COMPUTER ARCHITECTURE AND CONTROL DISTRIBUTION (GAUTREY.J, 1996) ... 15
FIG 12: A320 FCC ARCHITECTURE (BY DUTCHOPS, 2009) ... 16
FIG 13: BOEING DISTRIBUTED FLIGHT CONTROL SYSTEM ARCHITECTURE ... 19
FIG 14: DATAC ARINC 629 SYSTEM ARCHITECTURE (SEABRIDGE A. AND MOIR I, 2008) ... 19
FIG 15: SERVO CONTROL LOOP OF EACH ACE (SEABRIDGE A. AND MOIR I, 2008) ... 20
FIG 16: BOEING 777 PFC FUNCTION DESCRIPTION (BOEING 777 TRAINING MANUAL) ... 21
FIG 17: TYPICAL ACE (RIGHT) ARCHITECTURE (BOB Y.C, 1998) ... 22
FIG 18: BASIC FCC ARCHITECTURE OF AIRBUS AND BOEING (BONNEVAL.A ET AL, 2008) ... 22
FIG 19: GENERAL SYSTEM RELIABILITY INCREMENT IN PARALLEL REDUNDANT SYSTEM (LAZZARONI. M, 2011, PG 40) ... 24
FIG 20: PFC LANE CONFIGURATION AND CORRESPONDING OPERATIONAL CAPABILITIES (BOEING 777 TRAINING MANUAL, PG 318) ... 28
FIG 21: GATEWAY DESIGN OF AIMS BETWEEN FLIGHT CONTROL AND SYSTEM ARINC BUSES (BOEING TRAINING MANUAL 777, PG 20) ... 31
FIG 22: RELIABILITY ANALYSIS BY THE USE OF IMA (DOBERNBERG.F, 1997) ... 33
FIG 23: FAULT TOLERANCE TAXONOMY ... 35
FIG 24: N-SELF CHECKING PROGRAMMING (DUBROVA. E, 2008, PG 124) ... 38
FIG 25: N VERSION PROGRAMMING (DUBROVA. E, 2008, PG 121) ... 39
FIG 26: TMR WITH A POTENTIAL SINGLE VOTER FAILURE ... 41
FIG 27: TRIPLICATION OF VOTER TO AVOID SINGLE POINT FAILURE ... 41
FIG 28: DUPLICATION WITH COMPARISON ... 42
FIG 29: PAIR AND SPARE TECHNIQUE ... 44
FIG 30: LOW-LEVEL REDUNDANCY WITH MULTIPLE THREAD STRATEGY ... 45
FIG 31: HIGH-LEVEL REDUNDANCY WITH SINGLE THREAD STRATEGY ... 45
FIG 32: N-MODULAR REDUNDANCY WITH SPARES ... 46
FIG 33: BASIC SWITCHING STRUCTURE OF HYBRID SYSTEM (DUBROVA. E, 2008) ... 47
FIG 34: TRIPLE-DUPLEX ARCHITECTURE ... 51
FIG 35: NEW PROPOSAL OF TRIPLE-DUPLEX ARCHITECTURE DESIGN ... 57
FIG 36: EVOLUTION OF AIRBUS FLY-BY-WIRE SYSTEM (SEABRIDGE A. AND MOIR I, 2008) ... 66
FIG 37: PFC LANE REDUNDANCY MANAGEMENT (OUTPUT SIGNAL MONITORING) (Y.C BOB, 1996) ... 67
FIG 38: TYPICAL FUNCTION OF ACE (BOEING 777 TRAINING MANUAL, PG 293) ... 69
FIG 39: BOEING 777 PFC LANE CONFIGURATION AND CORRESPONDING FLIGHT MODES (BOEING 777 TRAINING MANUAL, PG 318) ... 70
FIG 40: BASIC PFC INTERFACE OF BOEING 777 (BOEING 777 TRAINING MANUAL) ... 71
FIG 41: AIRBUS FCPC INTERFACE (AMM A330) ... 71


FIG 42: TYPICAL INTEGRATION PROCESS OF MODULAR AVIONICS ... 76
FIG 43: IMA APPROACH & APPLICATION PARTITIONING ... 77
FIG 44: AIMS BOEING 777 IMA RACK APPROACH (MORGAN. J.M, 2001) ... 78
FIG 45: CLASSICAL RECOVERY BLOCK STRUCTURE (MODIFIED FROM ARMOUSH.A ET AL, 2008) ... 79
FIG 46: CUBE CONCEPT SYSTEM CONFIGURATION ... 81

LIST OF TABLES

TABLE NO 1: RELIABILITY PROBABILITY OF SYSTEM NETWORKS ... 27
TABLE NO 2: TRUTH TABLE ... 43
TABLE 3: TRUTH TABLE FOR FAULT DETECTION ... 55


1. INTRODUCTION:

1.1. Background of the Project:

The project is based on research and analysis of the key elements of automatic flight control systems in commercial aircraft. Initially, the research was based on online resources and books from the LRC. However, it was soon realised that the project required access to AMMs for different types of aircraft in order to understand the operation and functioning of the systems incorporated, on which basis a comprehensive analysis could be accomplished. Gaining access to AMMs was a challenging task because of company policy and privilege reasons; however, access was granted once the grounds and the aim of the project were justified. The project needed further reading of online journals published on journal websites such as Science Direct and IEEE Xplore, to which the Kingston University web portal granted access. Further assistance to the project required contacting Fleet and Service Engineers of Qatar Airways by email correspondence to clarify certain technical issues related to Boeing and Airbus.

Aim: Analysis of commercial autopilot evolution and automatic flight control system architecture.

Deliverable: To provide a comprehensive analysis of the contemporary autopilot flight control system architecture of modern aircraft.

1.2. Evolution of Automatic Flight control system.

Air transportation has become one of the most significant modes of transportation in recent history; it is not only the fastest means of reaching a destination but also among the safest and most reliable. Given that air travel has reached the point of providing outstanding, premium services to its customers, the development of aircraft systems that ensure maximum crew and passenger comfort and safety is an inevitable concern in systems engineering and development.

Relying only on the pilot's skill and on the inherent stability provided by the aerodynamic design of the aircraft to fly straight and level would have been a milestone never achieved. This became the major concern in the design of military aircraft, where the short-period response to changes in attitude is critical for a steady weapon-aiming platform. The instability, accompanied by short-period oscillatory motion, required an auto-stabilisation mechanism to be introduced into the flight control system, which effectively augmented the stability in flight. Dampers and servo control actuators were the major closed-loop servomechanism techniques that made auto-stability in flight achievable. The speed of response of a closed-loop flight control system is far better than that of an aircraft without closed-loop control. The continuous follow-up action executed by the gyros and feedback devices (e.g. LVDTs, RVDTs and tachogenerators) incorporated in the servomechanism progressively opposes the primary input of the pilot, reducing the impact of a heavy output to the servo control actuators and damping the output to the actuators for a smoother transition of control surface movements.

With the advent of electronics in flight control systems, the execution of complex control laws through analogue computation of sensor input signals and feedback signals was achieved. This added stability is called a stability augmentation system (SAS), which provides protection over a greater part of the flight envelope at critical phases of flight, for instance during approach or landing. The basic part-time stability function could be achieved with the use of yaw dampers. However, sole reliance on a stability augmentation system damps out the control inputs of the pilot, which it detects as disturbances, and causes sluggish handling qualities of the flight control system (Pallet E.H.J, 1993, pg 79). This required a control augmentation system (CAS) to be introduced into the flight control system, in which the control command is fed in before the sensors can detect and damp out the input. This is discussed later in the report, where filters are incorporated into the autopilot loop.


1.3. Revolution with Digital Electronics and Aircraft Systems.

Later, with the evolution of digital computers, consolidation of multiple systems took place with a view to reducing the dedicated hardware for each control axis and improving the flexibility of system upgrades through software updates, as opposed to the uneconomical hardware modifications of conventional analogue systems (Collins R.P.G, 1996, pg 158). This approach essentially cut down the dedicated hard-wired analogue control computers for each specific axis of control; instead, multiple tasks are executed on a common hardware platform simply by changing the stored program. The automatic flight control system (AFCS) has greatly benefited from the implementation of digital flight control system architecture, where large weight savings could be accomplished by cutting down the point-to-point wiring between sensors, controls, flight control computers and avionic sub-systems. This is achieved by multiplexing several streams of data from parallel inputs at the source end onto a serial data bus cable for transmission, which at the receiver's end can be de-multiplexed to feed the parallel receivers. With the advent of FBW, duplex redundancy could be upgraded to triplex and quadruplex redundant systems with a minimum weight penalty, outweighed by the overall improvement in system reliability.

The stability augmentation system in an AFCS is greatly dependent on the aircraft response to the steering command; therefore any lag in the response of the control surface actuation has a detrimental effect on the handling qualities and degrades the auto-stabilisation performance in flight. This had been an issue with aircraft with mechanical flight controls, in which the aircraft drifted increasingly off course from the commanded flight path. The excursion was greatly reduced with the implementation of fly-by-wire. Fly-by-wire essentially reduced the lag of the control servo response by increasing the autopilot loop gain, operating at a high loop bandwidth (Collins R.P.G, pg 122). Operating at high bandwidth reduced the lag between the groups of sensors (fitted for added redundancy) to a negligible value, which further reduced the destabilising effect on the FBW control loop.


2. OVERVIEW OF AUTOMATIC FLIGHT CONTROL SYSTEMS ARCHITECTURE:

The AFCS is effectively a closed-loop system in which servo-controlled actuators restore the stability of the aircraft and maintain a continuous follow-up of the aircraft response to its external environment. The closed-loop approach provides a faster and more precise response to changes in attitude than a human pilot. This avoids and prevents the aircraft from entering a dangerously unstable condition while assisting the pilot to execute a decent manoeuvre.

[Figure: Sensor -> Computation -> Output, with aerodynamic feedback (aircraft reaction) closing the loop]

Fig 1: Simplified Block Diagram AFCS (Pallet E.H.J, 1993, pg 75)

2.1. Inner Loop stability and Outer loop stability.

Inner loop stabilisation performs the functions of holding the aircraft to a desired attitude and augmenting the stability of the flight. This loop holds the aircraft to the internal conditions reported by the various aircraft motion sensors and gyros. SAS and CAS are both integral parts of the inner loop stability system. Initially, AFCS systems were fitted with only roll gyros, effectively a single-axis stability control providing lateral stabilisation (see fig 2). At this stage only wing levelling could be achieved, which was quite adequate for low-speed, light-weight aircraft. However, with the swept-back wing designs adopted to achieve greater top speeds, the aircraft tends to exhibit an unstable oscillatory condition known as Dutch roll (see appendix). This adds to the discomfort of passengers in commercial aircraft and deteriorates the manoeuvrability of military aircraft. To address the problem, yaw dampers were introduced to the FCS, which essentially required a yaw channel to be included in the FCS. Later, all three axes were included to achieve three-dimensional stability of the aircraft.

[Figure: roll gyro sensor -> error detector (comparator) -> amplifier -> aileron servo motor -> control surface]

Fig 2: Single-axis Autopilot system (After Harris.D, 2004)

[Figure: inner loop: gyro sensors and error sensors -> flight control computer -> servo motor -> control surfaces, with pilot inputs and interlocks; outer loop: radio NAV, ADC, VOR and flight management system feeding the flight control computer; aerodynamic feedback closes the loop]

Fig 3: Outer Loop and Inner Loop of AFCS (After Harris.D, 2004)


However, this confines the aircraft response to the internal environment as assessed through the gyro sensors. This prompted the integration of an outer loop control system (see fig 3) to inject external environmental parameters from the navigation systems, directing the autopilot system (FMGCS) along a preselected lateral and vertical flight plan with the help of ground-based radio stations such as VOR and DME (Harris.D, 2004). As a whole, the system enables the aircraft to follow a vector direction with minimum deviation from the path.

3. PRINCIPLE FUNCTION AND OPERATION OF THE FLIGHT CONTROL COMPUTER (FCC):

3.1. Introduction to Flight Control Laws:

The flight control computer plays a significant role in the computation of control laws and in the reconfiguration of the computers in the event of an anomaly or temporary loss of a processing function. The computers are designed to work on simplified, 'get-you-home' control laws with the limited information available during a multiple failure, so as to avoid total loss of flight control. This can be seen in Airbus aircraft in the three modes of control law operation, namely Normal, Alternate and Direct, which counter different modes of failure. One of the most important functions of the flight control computers (FCC) is that they work continuously in real time to convert the input demands of the pilots into desired, more meaningful actuations of the control surfaces. These control laws are simple sets of instructions executed by the software of the FCC (Jenie. D and Budiyono. A, 2006). The control laws take care of flight envelope protection by preventing the pilot inputs, or the FMGCS inputs when the autopilot is in command, from exceeding the boundaries of the flight envelope. Flight domain protection involves high angle of attack protection, over-speed protection, bank angle protection and load factor protection for aircraft structural integrity. All protections are available to the pilot during normal mode operation; however, loss of important parameters such as those from the ADIRU, or failure of all primary computers, may downgrade the operational capabilities of the aircraft by limiting the protections available to the pilot (Boeing 777 manual).


3.2. Flight control Laws computation and Gain Scheduling

The displacement of the flight control surfaces required for a given pilot input varies with the airspeed at which the aircraft is travelling. From the equation for dynamic pressure we can see that the effective lift forces are greater at higher speed and vice versa. Therefore, a slight deflection of a flight control surface at high speed has an effect equivalent to a larger deflection at a lower speed. This requires control over the loop gain to accommodate such variation in height and airspeed across the flight envelope. This is achieved by an air data scheduling system, or gain scheduling (see fig 4 & 5), with the aid of air data computers (ADC).

These control laws are defined through algorithms which are extremely complex. However, a very simple basic pitch rate command law can be derived as follows:

[Figure: pitch auto-stabiliser loop driving the control surface]

Fig 4: Pitch Auto-stabiliser loop (Collins R.P.G, pg 116)


[Figure: pitch rate command loop with loop gain K and auto-stabiliser gearing G]

Fig 5: Pitch rate command FBW loop (Collins R.P.G, 2011, pg 199)

D = K (i - G q)

where:

D = tailplane demand angle in degrees
K = loop gain control (gain scheduling)
i = input demand from the pilot
G = auto-stabiliser gearing (auto-stabilising actuator)
q = pitch rate (from rate gyros)


In modern-day flying, pitch is demanded through the pilot's force-sensitive side-stick controller, which provides electrical signals corresponding to the force applied by the pilot. The ratio of pilot side-stick input to angular movement of the control surface of a high-performance aircraft varies by as much as 40:1 over the flight envelope (Collins R.P.G, 2011). This cannot be achieved with an open-loop gain, so the gain control K is varied by the computation software of the FCC with reference to the external conditions sensed by the ADIRU and FMGC. In simple terms, the function of the FCC is to moderate the inputs of the pilot to suit the flight condition without jeopardising the flight envelope protection.

[Figure: control inputs -> FCC with gain scheduling -> actuator]

Fig 6: Function of a FCC (Jenie. D and Budiyono. A, 2006)

Once the input signal i is fed in, after the necessary computation by the FCC the output signal D to the elevators causes the aircraft to pitch its nose, while the pitch rate gyro input to the auto-stabiliser actuator helps to damp the pitch response of the aircraft. The auto-stabiliser gearing G may also take different values as a function of airspeed and altitude, for optimum stability augmentation at different flight conditions. Gain scheduling improves the stability of the aircraft by improving the response of the flight controls; however, excessive gain has a destabilising effect, as it takes longer to nullify the control movements (E.H.J Pallet, 1993).
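Gain scheduling as described in this section, carried through as an added Python example (illustrative code, not from the report or any manufacturer): the loop gain K is scheduled inversely with the dynamic pressure computed from ADC data, so that the same side-stick input at 70 m/s and 150 m/s settles to the same pitch rate while the tailplane demand D differs by more than four times. The inverse-q_bar schedule, the first-order pitch response model, the input limit and all numeric values are constructed assumptions.

```python
"""Gain-scheduled pitch rate command law D = K (i - G q).

Added example, not the report's or any manufacturer's code. The inverse-q_bar gain
schedule, the first-order pitch response model and every numeric value are
constructed assumptions chosen to show the effect, not real aircraft data.
"""
from dataclasses import dataclass

RHO_SEA_LEVEL = 1.225    # kg/m^3, ISA sea-level air density
Q_BAR_REF = 5000.0       # Pa, reference dynamic pressure at which K = K_REF (assumption)
K_REF = 4.0              # loop gain at Q_BAR_REF (assumption)
K_MIN, K_MAX = 0.4, 8.0  # clamp: too little gain is sluggish, too much destabilises


def dynamic_pressure(tas_mps, rho=RHO_SEA_LEVEL):
    """q_bar = 1/2 rho V^2 in Pa: the air data value the schedule is keyed on."""
    return 0.5 * rho * tas_mps ** 2


def schedule_gain(q_bar):
    """Loop gain K scheduled inversely with dynamic pressure (assumed schedule).

    Surface effectiveness rises with q_bar, so the same stick input must produce
    a smaller tailplane demand at high speed. Clamped to a stable gain range.
    """
    k = K_REF * Q_BAR_REF / max(q_bar, 1.0)
    return min(K_MAX, max(K_MIN, k))


def protected_input(i_deg, i_max_deg=6.0):
    """Envelope protection stage (assumed limit): bound the pilot demand first."""
    return max(-i_max_deg, min(i_max_deg, i_deg))


def pitch_rate_command(i_deg, q_dps, k, g):
    """Tailplane demand D (deg) = K (i - G q): rate-gyro feedback G q opposes i."""
    return k * (i_deg - g * q_dps)


@dataclass
class PitchResponse:
    """Toy first-order pitch-rate response q_dot = (M_d * D - q) / tau (assumption).

    M_d scales with q_bar / Q_BAR_REF, i.e. the surface is more effective at speed.
    """
    m_delta_ref: float = 1.5   # deg/s of pitch rate per deg of tailplane at Q_BAR_REF
    tau: float = 0.8           # s, open-loop pitch-rate time constant
    q_dps: float = 0.0

    def step(self, d_deg, dt, q_bar):
        effectiveness = self.m_delta_ref * (q_bar / Q_BAR_REF)
        self.q_dps += dt * (effectiveness * d_deg - self.q_dps) / self.tau
        return self.q_dps


def simulate(tas_mps, i_deg, g=0.5, dt=0.01, t_end=5.0):
    """Closed-loop run at one airspeed; returns (settled pitch rate deg/s, peak |D| deg)."""
    q_bar = dynamic_pressure(tas_mps)
    k = schedule_gain(q_bar)
    i_cmd = protected_input(i_deg)
    plant = PitchResponse()
    q, peak_d = 0.0, 0.0
    for _ in range(int(t_end / dt)):
        d = pitch_rate_command(i_cmd, q, k, g)
        peak_d = max(peak_d, abs(d))
        q = plant.step(d, dt, q_bar)
    return q, peak_d


if __name__ == "__main__":
    # Same 2 deg stick demand at two airspeeds: same settled pitch rate, very different D.
    for tas in (70.0, 150.0):
        q, d = simulate(tas, i_deg=2.0)
        k = schedule_gain(dynamic_pressure(tas))
        print(f"TAS {tas:5.1f} m/s: K={k:.2f}  steady q={q:.2f} deg/s  peak D={d:.2f} deg")
```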


3.3. Fly-by-wire Flight control computer and High Integrity for failure survival.

Fig 7: Basic element of FBW (Collins R.P.G, 2011)

With the advent of FBW, high system integrity is achieved for greater availability, reliability and the required safety. This is achieved through a failure-survival computing system that is able to detect a failure, isolate it, and finally reconfigure the system to ensure an acceptable level of system functioning. The dependability of the FCS considers the following factors in the event of a failure:

System availability
Reliability (continuity of correct service)
Dispatchability (ability to fly with a fault in place)
Maintainability (ability to undergo repairs)
Mean time to failure (MTTF)
(M.Sghairi et al, 2008)

System availability and reliability enable a higher degree of dispatchability while virtually eliminating unscheduled maintenance. Increased dispatchability is desirable from an operational point of view, since it allows the airline operators to defer the rectification of a faulty module to a later date (scheduled maintenance) without affecting the airline flight schedule (Gautrey. J, 1996, pg 28). This renders an uninterrupted revenue flow to the operators. The highest level of reliability and availability is accomplished by the redundancy techniques implemented in the FCS. However, redundancy may not be the solution for achieving the desired level of fault tolerance if all the redundant elements can be expected to fail from a single cause, known as a common mode failure (CMF).

Common mode failures:

Lightning strike
Electromagnetic interference
Fire / explosion / battle damage
Incorrect maintenance
Common design faults in H/W & S/W (Collins R.P.G, 2011, pg 225)

Therefore, a philosophy known as design diversity is also implemented in both software and hardware to mask CMF. This may include two or more microprocessors from different manufacturers running the same or different software developed by different software teams, as a defence against common mode software errors introduced during the development process of a safety-critical system (M.Sghairi et al, 2008). It also includes monitoring systems, independent and physically segregated signal pathways, and physical segregation of systems.

4. SYSTEM PROCESSING AND ARCHITECTURE ANALYSIS: AIRBUS Vs BOEING

This chapter explains the different FCS architectures that Boeing and Airbus use to
execute the flight controls, and an analytical study is conducted on both. It
includes a description of each system design, with reference made to the appendix
where a detailed explanation is required. On the basis of the analysis, the pros
and cons of each design are highlighted.

4.1. Airbus Flight control system Architecture: Evaluation of Centralized Flight
control System Operation

[Fig 8 diagram not reproduced; labelled elements: FMGS-A/P, ADIRS, inceptors
(side-stick), PRIM 1/2/3, SEC 1/2, flight control surfaces]

Fig 8: Centralized Architecture of Airbus (After Gautrey. J, 1996)

The Airbus family of flight control computers takes a more centralized processing
approach, in which full authority and processing is vested in a single computer
(the master PRIM; see fig 8). The master computer carries out all the computation
for flight envelope protection and the required surface deflection angles, and the
commands are routed via the slave computers, each of which controls its own set of
servo loops (smart cockpit, 1999).

This is for increased reliability of the redundant architecture: no single computer
drives all the actuators. Each actuator is therefore driven by a different
computer, achieving segregation, i.e. isolation and separation of the redundant
elements. In Airbus aircraft (with the exception of the A319/320/321) the flight
control functions are exercised through 3 PRIM and 2 SEC computers. The PRIM
computers use the Intel 80386 processor with different software packages for the
command channel (assembler program) and the monitor channel (PL/M programming),
while the SEC computers use the Intel 80186 processor (Jacquart R, 2004). The
signals from the two independent computing lanes are fed to a comparator (see
fig 9); if the divergence between the channels exceeds 2 mA for longer than 0.05 s
the computer switches itself off. The persistence requirement avoids nuisance
disconnections on momentary differences, so the pair forms a fail-fast module
(Traverse P and Briere D, 1993).
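The comparator behaviour described above, written out as an added Python
illustration (this is not Airbus code or code from the report): two independent
lanes feed a monitor that latches the computer off only when their outputs diverge
by more than the 2 mA threshold for longer than the 0.05 s confirmation time quoted
in the text, so a momentary mismatch does not cause a nuisance disconnection. The
sample lane signals are constructed and the 10 ms sample period is an assumption.

```python
"""Command/monitor lane comparator with a confirmation time (fail-fast module).

Added illustration, not Airbus code. Two lanes compute the same servo command;
the monitor compares them and the computer disconnects itself (goes passive)
only when the divergence exceeds a threshold for longer than a confirmation
time. Threshold (2 mA) and confirmation time (50 ms) are the figures quoted in
the text; the 10 ms sample period and the lane signals are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class LaneComparator:
    threshold_ma: float = 2.0      # max allowed divergence between the two lanes
    confirm_time_ms: int = 50      # divergence must persist longer than this
    diverging_for_ms: int = 0      # running duration of continuous divergence
    disconnected: bool = False     # latched: the computer has switched itself off

    def step(self, command_ma: float, monitor_ma: float, dt_ms: int = 10) -> bool:
        """Feed one sample from each lane; return True while the output is valid."""
        if self.disconnected:
            return False                      # stays off until maintenance resets it
        if abs(command_ma - monitor_ma) > self.threshold_ma:
            self.diverging_for_ms += dt_ms
            if self.diverging_for_ms > self.confirm_time_ms:
                self.disconnected = True      # fail-fast: latch off, stop driving the servo
                return False
        else:
            self.diverging_for_ms = 0         # agreement resets the confirmation timer
        return True


def run_comparator(samples: Sequence[Tuple[float, float]], dt_ms: int = 10) -> Tuple[List[bool], bool]:
    """Run (command_mA, monitor_mA) samples; return (validity per sample, disconnected)."""
    cmp = LaneComparator()
    flags = [cmp.step(c, m, dt_ms) for c, m in samples]
    return flags, cmp.disconnected


# Constructed lane signals at 10 ms steps.
TRANSIENT = [(10.0, 10.0)] * 3 + [(10.0, 14.0)] * 4 + [(10.0, 10.0)] * 3   # 40 ms glitch
SUSTAINED = [(10.0, 10.0)] * 3 + [(10.0, 14.0)] * 8                       # 80 ms divergence

if __name__ == "__main__":
    print("transient glitch  ->", run_comparator(TRANSIENT))   # stays valid
    print("sustained fault   ->", run_comparator(SUSTAINED))   # latches off after 60 ms
```

The 40 ms glitch never reaches the confirmation time, so the computer keeps
driving its servo loop; the sustained divergence trips the latch on the sixth
diverging sample and every later sample is reported invalid.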

Fig 9: Airbus FCC (Sommerville. I, 2000)

In the Airbus A330/340 the pilot retains full flight envelope protection even after
the failure of a single PRIM computer, with no degradation of Normal Law operation
and hence greater dispatchability, a subsequent improvement over the A319/320/321
design. However, a second PRIM failure reverts the aircraft to Alternate Law,
losing the autopilot and auto-throttle functions and some of the vital flight
envelope protection functions (Ranter.H.2011). Intra-FCC communication takes place
over the ARINC 429 databus. In the normal configuration the PRIM 1 computer takes
authority for all the flight control law computation centrally, and the commands
are sent via the different PRIM and SEC computers (see fig 10) to the control
surface actuators (R.P.G Collins, 2011). In case of failure of PRIM 1,
reconfiguration takes place and PRIM 2 takes over as the master of computation
and executes the function. Since the Airbus FCCs are hardwired to their actuators,
the failure of a single FCC may result in total loss of function of all the
actuators operated from that computer, but in such an instance the SEC computer
takes over (see fig 11) (Gautrey. J, 1996). No single SEC is a master; they simply
control their own servo control loops, and in case of failure of all PRIMs the SECs
operate in Direct Law and provide full flight control (smart cockpit, 1999).

Fig 10: Airbus Centralized flight control system architecture (Collins R.P.G, 2011)

Control Surface             | Primary computer | Backup computer | Hydraulics
----------------------------|------------------|-----------------|--------------
Left Elevator 1 (Outboard)  | PRIM 2           | SEC 2           | Blue
Left Elevator 2             | PRIM 1           | SEC 1           | Green
Right Elevator 2            | PRIM 1           | SEC 1           | Green
Right Elevator 1 (Outboard) | PRIM 2           | SEC 2           | Yellow
Trimmable Hoz Stab 1        | PRIM 1           | -               | Blue & Yellow
Trimmable Hoz Stab 2        | PRIM 2           | -               | Blue & Yellow
Trimmable Hoz Stab 3        | PRIM 3           | -               | Blue & Yellow
Left Out Aileron 1 (Out)    | PRIM 3           | -               | Yellow
Left Out Aileron 2          | SEC 1            | -               | Green
Left Inner Aileron 1        | PRIM 1           | SEC 1           | Green
Left Inner Aileron 2        | PRIM 2           | SEC 2           | Blue
Right Inner Aileron 2       | PRIM 2           | SEC 2           | Green
Right Inner Aileron 1       | PRIM 1           | SEC 1           | Blue
Right Out Aileron 2         | PRIM 3           | -               | Yellow
Right Out Aileron 1 (Out)   | SEC 2            | -               | Green
Rudder Servo Actuator 1     | PRIM 1           | SEC 1           | Green
Rudder Servo Actuator 2     | PRIM 3           | SEC 2           | Yellow
Spoiler 1 & 12 (Outboard)   | SEC 2            | -               | Yellow
Spoiler 2 & 11              | SEC 1            | -               | Green
Spoiler 3 & 10              | SEC 1            | -               | Yellow
Spoiler 4 & 9               | SEC 3            | -               | Blue
Spoiler 5 & 8               | SEC 3            | -               | Blue
Spoiler 6 & 7 (Inboard)     | SEC 3            | -               | Green

Fig 11: Airbus A330/A340 Flight control computer architecture and Control
Distribution (Gautrey.J, 1996)

4.1.1. Design Limitation of FCS Architecture in A319/320/321 and Subsequent
Developments on later A330/A340

Fig 12: A320 FCC Architecture (By Dutchops, 2009)

The flight control system architecture of the A319/320/321 consists of a total of
7 computers, of which only one, ELAC 1, is in command (or ELAC 2 in the event of
ELAC 1 failure). Because it employs only two primary computers, the dispatch
requirements call for both ELACs to be serviceable at all times: no dispatch is
allowed with a single ELAC failed. This problem was addressed in the subsequent
design of the A330/340 by employing 3 PRIM computers, providing dispatchability
with one PRIM failed. The SEC computers operate their own set of spoilers and
provide secondary control to the elevators in case of total ELAC failure. A
fail-safe technique stops the operation of both spoilers of a pair in the event of
a specific SEC failure, avoiding asymmetric spoiler operation that would lead to
an inadvertent roll.

Analysis of system usage soon showed that the SEC computers were not used as
frequently as the ELAC and FAC computers. Since the SEC computers provide only
Direct Law, initiatives were taken to reduce the number of SEC computers in the
subsequent A330/340 and to include an additional primary computer to enhance
flexibility and redundancy (see appendix A). This provided greater availability of
the autopilot system and reduced the chance of the system degrading to Direct Law
when landing, as could happen in the A320 (Petitt.K, 2010).

In the A320 no ELAC computer could drive the spoilers directly without a SEC,
reducing controllability. In the A330/340 the PRIM computers were upgraded to
include most of the spoiler functions, and the secondary computers were extended
to operate the aileron, rudder and elevator servo loops. Furthermore, in the A320
the ELAC computers were of little use if the FAC computers were inoperative, as
the FACs execute rudder trim, yaw damper servo and rudder limiting in conjunction
with the FMGEC when the autopilot is engaged. The modular integration of ELAC and
FAC into the PRIM computers on the A330/A340 has also extended the availability of
full flight control with a smaller number of LRUs. Unlike the A319/320/321, a
single SEC computer in the A330/340 can provide full flight control (smart
cockpit, 1999). The system integration achieved not only an augmentation of flight
control capability but also reduced the power wasted on cooling, and the space and
wiring used, by removing 2 computers.

4.2. Boeing Flight control computer system Architecture: Evaluation of Distributed
Flight control System Processing

[Fig 13 diagram not reproduced; labelled elements: EDIU, FSEU, PSEU, AIMS, PFC-1,
PFC-2, PFC-3, ARINC 629 system bus, pilot inputs, AFDS-A/P, ACE, ADIRU, SAARU,
flight control surfaces]

Fig 13: Boeing Distributed flight control system architecture.

Key:
ACE: Actuator Control Electronics
ADIRU: Air Data Inertial Reference Unit
AIMS: Aircraft Information Management System
AFDS: Autopilot Flight Director System
EDIU: Engine Data Interface Unit
FSEU: Flap/Slat Electronics Unit
PFC: Primary Flight Computer
PSEU: Proximity Switch Electronics Unit
SAARU: Secondary Attitude and Air Data Reference Unit

Fig 14: DATAC Arinc 629 system Architecture (Seabridge A. and Moir I, 2008)

In the Boeing system all the PFCs receive commands either from the pilot's
inceptors via the ACE during manual flying, or from the AFDS when the autopilot is
flying the aircraft, over the ARINC 629 data bus (see fig 14). Unlike Airbus, all
the computers participate in the computation process: each computer gives out its
own computational result as a proposed command output (PCO), which is subsequently
voted and passed on to a consolidator for mid-value selection, while invalid
signals are voted out. The selected data is called the selected command output,
SCO (Bob Y.C, 1996). The L-PFC takes the SCO from its own side (left) databus and
transmits the position commands to the L-ACE via the same ARINC 629 databus, where
the digital signal is converted to analogue to control its own servo loop (see
fig 15). It is a unique feature of ARINC 629 that any member can transmit, receive
or both on a common data bus, enabling cross-talk and monitoring between the lanes
(same bus) and channels (different bus) to exchange information in real time.
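The PCO voting and mid-value selection described above, as an added Python
illustration (not Boeing code or code from the report). mid_value_select is a
hypothetical consolidator: it discards silent or non-finite PCOs, selects the mid
value of the three survivors (the average of two, or the single survivor), and
reports which PCOs disagreed with the selection by more than an assumed tolerance,
which is how a wild value from one PFC is kept away from the servo loop. The
sample PCOs are constructed.

```python
"""Mid-value selection of proposed command outputs (PCOs) from three PFCs.

Added illustration, not Boeing code. Each PFC publishes its own PCO; the
consolidator discards inputs that are silent (None) or not finite, selects the
mid value of the three survivors, and flags any PCO that disagrees with the
selected command output (SCO) by more than a tolerance. Tolerance and sample
PCOs are constructed values.
"""
import math
from typing import List, Optional, Sequence, Tuple

# Assumed agreement window between PCOs, in degrees of surface command (constructed).
TOLERANCE_DEG = 1.0


def mid_value_select(pcos: Sequence[Optional[float]],
                     tol_deg: float = TOLERANCE_DEG) -> Tuple[Optional[float], List[int]]:
    """Consolidate the PCOs of up to three PFCs into one SCO.

    pcos[i] is PFC i's proposed surface command; None means that PFC is silent
    or has flagged its output invalid. Returns (SCO, indices voted out), where
    voted out means silent, non-finite, or disagreeing with the selected value
    by more than tol_deg. SCO is None when no trustworthy command exists.
    """
    voted_out = [i for i, v in enumerate(pcos) if v is None or not math.isfinite(v)]
    valid = [(i, v) for i, v in enumerate(pcos) if i not in voted_out]
    if not valid:
        return None, voted_out                       # nothing to drive the servo with
    values = [v for _, v in valid]
    if len(values) >= 3:
        sco = sorted(values)[len(values) // 2]       # mid value: one wild lane cannot be chosen
    elif len(values) == 2:
        if abs(values[0] - values[1]) > tol_deg:
            return None, list(range(len(pcos)))      # two lanes disagree: no majority, reject all
        sco = (values[0] + values[1]) / 2.0
    else:
        sco = values[0]                              # single surviving PFC carries on
    voted_out += [i for i, v in valid if abs(v - sco) > tol_deg]
    return sco, sorted(voted_out)


# Constructed PCO sets (degrees of elevator command) that exercise the voter.
ALL_AGREE = [4.9, 5.0, 5.3]        # healthy triplex: mid value 5.0, nothing voted out
ONE_WILD = [5.0, 5.2, 40.0]        # one PFC wild: mid value 5.2, PFC 2 voted out
ONE_SILENT = [None, 5.0, 5.1]      # one PFC silent: average of the pair
TWO_SILENT = [None, None, 6.0]     # single survivor carries on
SPLIT_PAIR = [None, 5.0, 9.0]      # survivors disagree: no command

if __name__ == "__main__":
    for name, pcos in [("all agree", ALL_AGREE), ("one wild", ONE_WILD),
                       ("one silent", ONE_SILENT), ("two silent", TWO_SILENT),
                       ("split pair", SPLIT_PAIR)]:
        print(f"{name:11s} {pcos} -> SCO, voted out = {mid_value_select(pcos)}")
```

With three live lanes the selection is pure mid-value, so a single wild PCO is
never propagated; with only two live lanes there is no majority, which is why
the voter refuses rather than averages a disagreeing pair.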

KEY:
R.O.B: Right Outboard
L.O.B: Left Outboard
R.I.B: Right Inboard
L.I.B: Left Inboard

Fig 15: Servo control loop of each ACE (Seabridge A. and Moir I, 2008)

The design philosophy used in the Boeing 777 is distributed system processing,
where each Primary Flight Computer (PFC) is a master and processes data in real
time in parallel with the 2 other redundant PFCs. All 3 PFCs are active and
compute the control laws and the commands necessary to drive the control surface
actuators. Each PFC is composed of three dissimilar computing lanes built on
different microprocessors, known as the command lane, standby lane and monitor
lane, giving a total of nine simultaneous processing lanes. The extra standby lane
within each PFC, compared to Airbus, gives full operational capability of the PFC
with one command lane failed, for an indefinite period. The aircraft may also be
dispatched for 10 days with 2 lane failures, allowing the airline operators to
defer their maintenance to a later planned maintenance date without loss of
revenue (Seabridge A. and Moir I, 2008). It is important to note that the
increase in the number of lanes per channel is limited by the reliability factor
and by economic constraints, which is analysed later in the report.

Separate PFCs cross-talk through the ARINC 629 flight control data bus, a global
databus for sharing data between the PFCs and external data from the air data
computers (ADIRU), autopilots (AIMS) and ACEs (see appendix B). Each PFC and ACE
box is configured to transmit only on its own side's databus, but receives data
from all 3 flight control data buses (see fig 16). This is done to reduce the
likelihood of fault propagation from a malfunctioning component to the other
healthy data buses, and also to reduce data traffic within each bus (Doerenberg
F.M.G et al, n/k, pg 2).

Fig 16: Boeing 777 PFC Function Description (Boeing 777 Training Manual).

The Boeing system has an outstanding graceful degradation capability, being able
to provide full flight control with only one operative PFC provided the majority
of the ACEs are functioning properly. This is a development of the unique feature
of ARINC 629, which allows multiple transmitters and multiple receivers on a
common databus (Berger S.J, 1997, pg 1). The configuration of the ACE (R) to
receive data from all three data buses (see fig 17) gives it the capability to
depend on the data from the other buses (L & C) when the data on its default bus
is invalid or lost due to an inoperative PFC. In such an instance the ACE depends
on the data received from the other PFCs to command its own servo loop (Bartley.G,
2005, pg8). This enables a single Boeing PFC to provide the fully functional
flight control system in normal configuration needed to fly the aircraft, a
remarkable achievement of the technology which no single Airbus computer can
accomplish (Gautrey. J, 1996, pg 41).

Fig 17: Typical ACE (Right) Architecture (Bob Y.C, 1998)

Fig 18: Basic FCC architecture of Airbus and Boeing. (Bonneval.A et al, 2008)

4.2.1. Reliability Analysis on Number of lanes per channel and operational
capabilities:

In general the terms channel and lane are used interchangeably. However, for the
purpose of the analysis of the FCC in this study, lanes are regarded as
independent processors within the FCC.

$R$ (reliability of a single component) $= e^{-\lambda t}$   (1)

$\lambda$ (hazard rate) $= 1 / \mathrm{MTBF}$   (2)

MTBF: Mean Time Between Failures of an element

$n$: number of parallel lanes in a given channel

Unreliability of $n$ parallel lanes $= (1 - R)^n$. Since the unreliability of each
lane is always less than unity, this product decreases as $n$ increases, while
the system reliability increases, as given by equation (3):

System Reliability ($R_S$) of a parallel redundant design $= 1 - (1 - R)^n$   (3)

Fig 19: General System Reliability increment in parallel redundant system
(Lazzaroni. M, 2011, pg 40)

The above graph shows the significant improvement in reliability with an increase
in lanes up to 3 lanes; a further increase in number has no significant advantage
in reliability increment. In a simplex (single channel) system with a BIT
incorporated to self-check its own failures, not all malfunctions caused by faulty
signals will be eliminated, as the BIT is usually not more than 0.95 reliable
(Hammett.R, 2002, pg 19) even at its best implementation, and is highly
application dependent. Therefore there is a likelihood of errors passing
undetected. With 2 lanes in place, duplex processing of independent lanes as in
the Airbus FCC gives 100% fault coverage through the data comparison circuitry and
downgrades to a fail-passive configuration upon a single lane failure, reducing
the possibility of errors going undetected and causing a substantial improvement
in reliability as seen on the graph (Fig 19). In fail-passive mode no computation
takes place and the processing system shuts itself down. Whereas with three lanes,
with the extra standby lane as in the Boeing 777, one failure is tolerated before
a second failure causes the system to enter the fail-passive configuration and
take the computer offline (Gautrey. J, 1996). This gives the system
fail-operational capability with a single lane failure and a further noticeable
increase in reliability. However, the reliability increment from 1 to 2 lanes
compared with 2 to 3 is progressively diminishing (see fig 19); a further increase
in lanes may show no significant increase in reliability, as the failure of more
than two lanes is extremely improbable, and each additional lane would rather
increase cost, complexity and weight.

4.2.2. Reliability assessment on k-out-of-n parallel system network.

In the following section, reliability is evaluated using the binomial distribution
function, given by the formula:

$R_S(k, n, R) = \sum_{i=k}^{n} \binom{n}{i} R^{i} (1 - R)^{n-i}$   (4)

where $n$ is the total number of lanes and

$k$ is the minimum number of lanes for successful operation.

A fail-safe design requires a minimum of 2 lanes to be operative at all times, of
which one lane is dedicated to monitoring while the other takes the command role.
Therefore this reliability assessment does not consider the reliability of a
single operating lane, as no single-lane operation is allowed by the FCC for
safety and integrity.

Certain assumptions were taken into account before the reliability analysis was
carried out. The MTBF of a single lane is assumed to be around 35,000 hours and
the sector time is taken as t = 300 hours. This gives the reliability of a single
channel, by equations 1 and 2, as

$R = 0.991465201 \approx 0.99147$

The derivation of the 2-out-of-3 success reliability using the binomial expansion
approach:

$R_S(2, 3, R)$ = probability of exactly 2 lanes operating + probability of all 3
lanes operating

$R_S(2, 3, R) = 3R^{2}(1 - R) + R^{3} = 3R^{2} - 2R^{3}$

The equations in table 1 below are derived through similar simplification of the
binomial expansion given in equation 4; by substituting the assumed reliability of
a single lane we can deduce the overall system reliability of the triplex and
duplex systems under the given conditions. Duplex reliability is considered as a
series configuration, as it requires both the command and the monitor lane to be
operative for the computer to function. The table highlights the reliability
increment achieved through a triplex configuration compared to a duplex FCC
architecture.

Table No 1: Reliability Probability of System Networks

Number of required lanes for successful operation | Triplex lane distribution         | Duplex lane distribution
--------------------------------------------------|-----------------------------------|-------------------------
3 out of 3                                        | R^3 = 0.97462                     | Not applicable
2 out of n                                        | 3R^2 - 2R^3 = 0.999782            | R^2 = 0.98301
1 out of n (ignored)                              | 3R - 3R^2 + R^3                   | 2R - R^2
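To make equations (1) to (4) of sections 4.2.1 and 4.2.2 concrete, the following
added Python example (not from the report) reproduces the lane reliability from
the stated assumptions (MTBF 35,000 h, t = 300 h) and the rows of Table 1 with the
general k-out-of-n binomial sum, so the same functions also give the 1-out-of-n
parallel reliability of equation (3) and can be re-run for other MTBF or sector
times. The function names are my own.

```python
"""Lane-reliability calculations for equations (1) to (4) and Table 1.

Added worked example, not from the report. It uses the report's assumptions:
MTBF of a single lane 35,000 h and sector time t = 300 h, so that
lambda = 1/MTBF and R = exp(-lambda t) (equations 2 and 1); the 1-out-of-n
parallel formula 1 - (1 - R)^n (equation 3); and the k-out-of-n binomial sum
(equation 4), from which the Table 1 rows follow.
"""
import math
from typing import Dict, Optional

MTBF_H = 35_000.0   # assumed MTBF of one lane, hours (value from the report)
SECTOR_H = 300.0    # assumed sector time t, hours (value from the report)


def hazard_rate(mtbf_h: float) -> float:
    """Equation (2): constant hazard rate lambda = 1 / MTBF (per hour)."""
    return 1.0 / mtbf_h


def lane_reliability(t_h: float, mtbf_h: float = MTBF_H) -> float:
    """Equation (1): R = exp(-lambda t), probability one lane survives t hours."""
    return math.exp(-hazard_rate(mtbf_h) * t_h)


def parallel_reliability(r: float, n: int) -> float:
    """Equation (3): any 1 of n parallel lanes suffices, R_S = 1 - (1 - R)^n."""
    return 1.0 - (1.0 - r) ** n


def k_of_n_reliability(k: int, n: int, r: float) -> float:
    """Equation (4): probability that at least k of n independent lanes survive."""
    return sum(math.comb(n, i) * r ** i * (1.0 - r) ** (n - i) for i in range(k, n + 1))


def table_1(r: Optional[float] = None) -> Dict[str, float]:
    """Rows of Table 1 for lane reliability r (default: R from the assumptions above)."""
    r = lane_reliability(SECTOR_H) if r is None else r
    return {
        "R": r,
        "triplex_3_of_3": k_of_n_reliability(3, 3, r),  # R^3
        "triplex_2_of_3": k_of_n_reliability(2, 3, r),  # 3R^2 - 2R^3
        "triplex_1_of_3": k_of_n_reliability(1, 3, r),  # 3R - 3R^2 + R^3 (ignored in the report)
        "duplex_2_of_2": k_of_n_reliability(2, 2, r),   # R^2: command and monitor both needed
        "duplex_1_of_2": k_of_n_reliability(1, 2, r),   # 2R - R^2 (ignored in the report)
    }


if __name__ == "__main__":
    print(f"lambda = {hazard_rate(MTBF_H):.3e} /h, R({SECTOR_H:.0f} h) = {lane_reliability(SECTOR_H):.9f}")
    for name, value in table_1(round(lane_reliability(SECTOR_H), 5)).items():
        print(f"{name:15s} {value:.6f}")
```

Running it with R rounded to 0.99147, as the report does, gives the Table 1
values 0.97462, 0.999782 and 0.98301; the 1-out-of-n rows coincide with
equation (3), which is the check that the binomial sum and the parallel formula
are the same model.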

From the above, it is evident that the probability of losing a PFC in the Boeing
system is lower than that of losing an FCC in the Airbus system, as the Boeing
PFC tolerates a single lane failure with its standby lane taking over. Further,
with the assumptions made, the calculated reliability of a channel with a triplex
lane configuration is greater than that of the duplex lane architecture (see
Table 1). Both the Boeing 777 and Airbus meet the minimum level of redundancy and
safety requirements for the acquisition of a certificate of airworthiness.
However, Boeing has a highly redundant architecture and greater dispatchability
compared to Airbus, with indefinite operation after a single lane failure and 10
days of uninterrupted operation with 2 lane failures provided they are in 2
different PFC channels (Bartley.G, 2001, pg8). The downside of such an
over-redundant system could be the additional cost of the extra hardware resources
and the greater technological complexity.

4.3. Flight control laws and graceful degradation of A330/340 Vs B777

Boeing, with its 3-lane PFCs, effectively operates 9 lanes in total, tolerating up
to 6 lane failures or 8 possible failure configurations before it switches from
Normal to Direct Law (see fig 20), whilst Airbus can only tolerate a maximum of 2
single-lane failures, losing two FCCs owing to its fail-passive (duplex)
configuration. This downgrades the aircraft from Normal Law to Alternate Law
within a short tolerance span compared to Boeing.

Airbus enters Alternate Law after two subsequent identical module failures, in
which many significant features like the autopilot and stall protection are lost
(A330 factsheet, 2012), while the Boeing 777 retains its autopilot features as
long as a single PFC is operating (Boeing Training Manual, pg 326).

This confirms that the Boeing 777 has greater fault tolerance capability, giving
full flight envelope protection long before it reverts to a lower protection mode
(see appendix C for further explanation). Lastly, it is evident that Boeing with
3 PFCs allows greater flexibility and capability compared to the 5 FCCs (i.e. 3
PRIM and 2 SEC) of Airbus, showing more efficient utilization of hardware
resources.

The main purpose of the SEC computers is to provide a secondary form of dissimilar
control (Direct Law) for airworthiness certification; they provide no significant
assistance in safeguarding the flight envelope.

Fig 20: PFC Lane configuration and corresponding operational capabilities. (Boeing 777
Training manual, pg 318)

4.4. Engineering System Analysis of Boeing and Airbus AFCS:

The centralized architecture of Airbus uses only the ARINC 429 data bus for
communication between computers, whilst the inceptors and actuators are hardwired
directly to the FCCs (Gautrey. J, 1996). Each FCC is assigned to send commands to,
and receive feedback from, its own specific servo loop in order to achieve optimum
isolation and separation from the rest of the redundant elements (M. Sghairi et
al., 2008). Since in a centralized architecture all the computation is retained in
the FCC, long buses and discrete wires are needed to receive and send data to the
end terminals (e.g. actuators). This type of centralized FCS architecture becomes
a significant weight factor on large aircraft like the A330/340 (Field L, 2005,
pg 4, 9). The Airbus FCCs are also directly linked to their assigned actuators and
inceptors, which means the potential for a faulty subsystem at the end terminal
(e.g. loss of the negative feedback signal) affecting the core processing unit is
high, and may subject the FCC to reconfiguration upon detection of an invalid or
dead signal.

On the contrary, a distributed system provides greater fault protection and
insulates the core processing unit from erratically operating subsystems (TTTech,
2005). In the Boeing 777, with its ARINC 629 flight control data bus, the
information from all the inceptor sensors and the feedback signals from the
actuators is available via the ACEs and is subsequently chosen by majority
voting, leaving no PFC affected (Bonneval. A, 2009, pg 2). It provides better
fault tolerance than the centralized architecture, as each result is
cross-checked and monitored by the other parallel processors before the output is
finalized. Therefore, in distributed processing a transient fault creates no
system interruption: each user receives the output data from all the other users
and validates it in software, accepting or rejecting it by voting logic, so the
function continues smoothly and no transient errors are transmitted downstream.
However, the downside is increased complexity in bus access sharing and, since
every processor is a master, system reconfiguration requires a change to every
user of the system.

Further constraints apply since the system processors need to be powerful enough
to meet the throughput of a real-time processing system in which no time delay is
acceptable, so the power consumption of such a design is equally high. Another
disadvantage attributed to the sharing of data is that the inter-dependence
between subsystems makes physical segregation between them quite difficult; hence
the certification process, which must assert the integrity of the system and prove
that no single component brings the whole system down, becomes equally difficult.
Whereas in a centralized architecture, even though the end subsystems are directly
connected to the core processor, the redundant system processors are loosely
coupled, which means the systems can operate largely independently (NASA Research,
2000); hence safe separation between the signalling paths is inherent in the
system.

4.5. Databus Analysis and System Efficiency:

ARINC 629 data bus technology allows the free exchange of data between
transmitters and receivers for cross-lane and cross-channel monitoring, unlike the
ARINC 429 protocol. Every transmitted data item is therefore available to every
other user in the system for synchronization and data comparison, whereas ARINC
429 is a point-to-point communication protocol in which the exchange of data and
intra-computer communication is difficult (Isik. Y, 2010). This leaves the ARINC
429 protocol suited to a centralized architecture, where one computer holds the
majority of the processing and the authority to communicate with slave
subsystems, while ARINC 629 is an ideal communication protocol for a distributed
architecture with real-time processing of parallel redundant systems.

The real-time processing capability supported by the unique features of the ARINC
629 protocol enables each element to be monitored and cross-checked by the other
parallel redundant elements: each PFC's control law computation is checked by
every other PFC and by its own monitor lane, which gives better utilization of
hardware resources. ARINC 629 has replaced the large number of point-to-point
connections used in conventional ARINC 429 with a single-stub current mode
coupler. Since it uses a differential voltage transformer, the first
implementation of voltage mode (Berger S.J, 1997), to access the data bus channel,
unlike the direct connection of ARINC 429, the probability of a single bus failure
bringing down all the associated terminals is extremely low, and interference of
the terminals with the bus channel is also kept to a minimum (Seabridge A. and
Moir I, 2008). This provides greater reliability of data bus communication in
Boeing compared to Airbus.

Analysing the communication interfaces of the Boeing and Airbus FCCs, the Boeing
FCCs receive all vital information from the three ARINC 629 data buses, as
multiple transmitters can share data through a single data bus channel. However,
the same information in an ARINC 429 system is available only through a number of
individual data bus channels between the LRUs, so each item may need as many input
data buses as the number of sources it expects to receive data from, giving rise
to a large number of pin connectors, which are potentially the weakest link in the
reliability chain and a likely point of failure in service. In terms of
maintenance, the larger number of connectors adds to the cost of maintenance and
servicing, reducing the cost effectiveness of maintenance for operators.

The three flight control data buses of the Boeing 777 supersede the many analogue,
discrete and ARINC 429 buses used in the Airbus flight control computers (see
appendix D). This shows the importance of the availability of the ARINC 629 buses,
as the loss of a single bus could result in the loss of a large number of critical
parameters needed for computation; to uphold the integrity of the critical flight
control data buses, a separate system bus is used to receive and execute the
functions of AIMS.

Fig 21: Gateway design of AIMS between Flight control and System ARINC buses.( Boeing Training
Manual 777, pg 20)

AIMS carries out functions related to navigation, throttle management, flight
management systems and the less critical secondary flight controls while
maintaining the safe separation between the two main sets of buses; it acts as a
gateway allowing data to be interchanged between the two buses, and by this
implementation the benefit of reduced data traffic on the buses is also achieved.

5. FAULT TOLERANT SYSTEM ARCHITECTURE:

This chapter introduces fault tolerant system computing and evaluates the
reliability of different architectural techniques. The biggest problem with
present day computing is the dependability of the system. In broad terms, system
dependability is the ability to deliver an intended level of service to the users
(Dubrova.E, 2008) for a defined period. This is an inevitable point of concern in
the system engineering of flight critical systems. The issue is addressed through
fault tolerance, which maintains and improves the system reliability presented.

5.1. Safety and integrity of Fault tolerance Systems:

Safety is the prime factor in aviation for economic success. The extreme safety
standards stipulated by FAA CS 25.1309 require the failure of any critical
function or system to be extremely improbable, i.e. the probability of failure
should not be greater than 10^-9 per flight, for its approval (Dominique.B,
Traverse.P, 1993). Meeting these stringent safety and availability requirements is
a challenging task in system engineering and validation. One way to approach it is
fault tolerance, a term used to define the ability to withstand single or multiple
failures without complete loss of functionality, or to continue working with a
reduced level of redundancy within the acceptable level of flight safety
(Bartley.G. F, 2001). However, owing to the economics of production and
operation, the gain in system availability may well be outweighed by the overall
increase in weight and the lowering of the Mean Time Between Failures (MTBF) of
the overall system, due to the increase in point-to-point connections between
systems and the added complexity (R.P.G Collins, pg 145). Even though the
perceived reliability is likely to increase through system availability, by
providing the ability to withstand and recover from total system failure, the
overall system reliability is decreased (The PCguide, 2001) by the increased
complexity of the system involved. By equation,

6. THE EVOLUTION OF INTEGRATED MODULAR AVIONICS

The large number of LRUs needed to execute dedicated system functions, and the
large number of redundant elements needed for system availability, have driven
down the cost benefits and increased the weight factor and power consumption
significantly. The avionics industry has long recognised integration and
modularisation as the solution to this problem, which gave rise to the concept of
Integrated Modular Avionics as the key to successful functional integration.
Further explanation is available in Appendix E.

Fig 22: Reliability analysis by the use of IMA (Dobernberg.F, 1997)

The above graph shows that the perceived system reliability increases towards the
green end of the graph but the actual system reliability decreases towards the
blue end. One strategy is to implement Integrated Modular Avionics (IMA), like the
AIMS of the Boeing 777, where a number of functions are executed on a common
computing platform using the concept of shared resources, to reduce the cost,
space and weight incurred by having an individual computing system to run each
specific function.

Redundancy and failure survival:

With the advent of the FBW control system, full authority SAS was established. In
a full authority FCS configuration it is crucial that a single component failure
does not jeopardize the entire functional operation of the system. A fault
detection system is necessary to detect and isolate the fault, and a redundant
element should be present to take over for continued operation with or without
reduced capability.

The first commercial aircraft to implement this technology was the Anglo-French
Concorde in 1969 (McClean.D, 1990), which facilitated the upgrade from conventional
duplex-level redundancy to a triplex-level redundancy architecture. This parallel
redundant system architecture improved the reliability of the AFCS significantly, as
graceful degradation from triplex to duplex could be achieved upon a single failure. In
contrast, the duplex redundant system of a conventional mechanical flight control
system, as in the classic series of the Boeing 737, enters a fail-passive mode upon a
single failure, i.e. it avoids any control movement. This is a safety feature that
avoids the possibility of a simplex control system taking stand-alone authority over
the complete flight control system, which would be catastrophic during a malfunction.
Therefore, redundant systems are in place and authority is prioritized accordingly for
system operation, which is finally tested and validated.


7. SYSTEM RELIABILITY AND REDUNDANCY CHARACTERIZATION

System Operation Taxonomy
    Fault avoidance (Intolerance)
    Fault tolerance (Redundancy Management)
        Static (Masking): fault masking; no reconfiguration; no fault detection;
            voters (selection algorithm); N-version: Triple Modular Redundancy (TMR)
        Dynamic: fault detection (watchdog timers, comparators, replication checks,
            acceptance check); fault isolation and reconfiguration (switching circuit,
            hot or cold standby module)
        Hybrid: hybrid system; fault masking like static redundancy, and detects and
            reconfigures like dynamic

Fig 23: Fault Tolerance Taxonomy (the figure is a tree; its recoverable content is
outlined above)


7.1.1. FAULT TOLERANT SYSTEM OVERVIEW:

The system operation taxonomy indicates the broad range of ways in which redundancy
management can be applied to a system design, depending upon the desired level of
integrity and the flexibility of the system. The taxonomy is broadly divided into two
sub-groups, i.e. fault avoidance and fault tolerance techniques (see fig 23). The former
relies on avoiding faults in the first place and achieving a completely fault-free
system operation. Addressing all faults and unanticipated errors at the design stage
would be a costly and practically improbable design. However, this technique is seen
implemented at a lower level, in the shielding of cables against EMI, etc. System
faults and errors will exist, and the best method to address faults is through fault
tolerance techniques. Primarily, a fault tolerant system relies on additional hardware
elements to detect the fault, isolate it and recover back into operation. Even though
the bottom line of the FT system is to ensure high availability of the operating
system, the order in which FT is executed to achieve the desired protective redundancy
differs from one system to another. Any fault tolerance system brings a number of
penalties, such as weight, space and cost, as a consequence of its redundancy
allocation requirements (Randell.B et al, 1978).

7.1.2. Approach Techniques to Fault Tolerant System:

Prior to the implementation of FT, the software and hardware developers endeavor to
preclude the possibility of generating errors in the first place through the concept
known as design diversity. The main strategy of the design is to build multiple
versions of the software that fail independently, avoiding the probability of
coincidental failure through common design errors (NASA/TM-2000-210616, 2000). The
design requires minimizing the common causes of errors by isolating the software
development teams, whilst establishing a coordinating team that provides an interface
between the teams and ensures that no information penetrates through that interface.
These versions effectively compute the same functions in a different way to give
similar appropriate outputs. However, it is virtually impossible to rely on design
diversity to address all faults and provide absolutely fault-free system processing.
This highlights the need for a robust FT system working in conjunction with the system
in operation to provide high availability of the system.

Designing a system capable of tolerating all failures is not economically feasible at
any stage, and the system may rather execute without it. Before implementing the
desired fault tolerant system, it is necessary to assess the probability of a component
fault occurring (reliability), the system criticality and the impact of not tolerating
the faulty module (Hitt F.E & Mulcare. D, 2011). The requirement for fault tolerance is
determined by the safety-critical function the system executes. A non-critical system
may not need to be addressed through FT techniques. In an aircraft, the loss of
flight-critical functions may involve the loss of the aircraft or of life; jeopardizing
the integrity of the AFCS may certainly be the case for such a catastrophic failure.
Consequently, full-time safety-critical functions such as the FCS need to be addressed
through an appropriate and sufficiently reliable FT technique. The approaches to FT can
be differentiated into masking (static) redundancy and dynamic redundancy. The masking
technique effectively hides the faults during system operation, whilst the dynamic
redundancy technique relies on fault detection and isolation, and often requires
reconfiguration to bring the system back into operation. Further into FT development,
the attractive features of both static and dynamic redundancy were used in conjunction
to produce an ultra-high-reliability technique known as hybrid redundancy. Such a system
is extremely fault tolerant and may require additional spares to facilitate greater
system availability. FT is implemented through both hardware and software, which work
in conjunction to address the faults generated.

7.1.3. Hardware and Software Implementation for Fault Tolerance Computing.

Software runs on a hardware platform, and undertakes the control and execution
functions of the hardware according to a set sequence of instructions. To validate that
the input data is processed correctly and that the output values are correct, various
embedded checks such as error coding, checkpoints and acceptance tests are in place to
improve the reliability of the information processed. The two software techniques for
handling fault tolerance processing are N-version and N-self-checking programming, found
essentially in the fault tolerance architectures of Boeing and Airbus respectively
(Dubrova E, 2008, pg123). The two types hold a prominent position attributed to their
forward error recovery or roll-forward strategy, with no recovery delay, as opposed to
the roll-back to a previous checkpoint of the recovery block technique (see appendix F
for explanation). Roll-forward continues from the erroneous state to the next state by
making a selective correction, without having to restart the execution all over from
the last checkpoint state. This ideally suits a real-time processing application such
as flight control computation, particularly where non-recoverable actions cannot be
tolerated.

7.2. Software Fault-tolerance Computing:

7.2.1. N-self checking software implementation by comparison fault detection

Fig 24: N-self checking programming (Dubrova. E, 2008, pg 124); the figure shows a
module (e.g. an FCC) with its software versions.

Airbus uses the following software FT strategy: errors are compensated by comparison,
and operation continues by switching to the next immediate processor. The comparison
between the two software variants of the independent command lane (Ver A) and monitor
lane (Ver B) is used to detect faults. This uses the concept of design diversity:
implementing different versions of the software that essentially compute the same
function within the module precludes common-mode errors (Dubrova. E, 2008, pg 123). If
the system includes n software versions participating in the computation process, the
output is always taken from the highest-ranking version (e.g. Version 1A in fig 24).
The next subordinate comes online only when the primary has been taken offline due to a
fault. The system closely resembles, and works in conjunction with, active dynamic
hardware redundancy management. In this system, parallel execution is implemented,
where one module acts as the active component while the others remain as hot spares.
The active component is switched to the standby spare when an error is detected within
the module through external N-self-checking programming (Laprie. C.J, 1990).

7.2.2. N-version Programming:

Fig 25: N version programming (Dubrova. E,2008, pg 121)

This software FT resembles the N-modular hardware redundancy technique used in static
redundancy implementation. It can handle concurrent data input from all N modules for
cross-comparison and select the correct output value by means of an independent
selection algorithm called a voter (see fig 25), unlike N-self-checking, where
cross-comparison can only be done within a module at any given time. Many different
types of voters have been developed; the formalised majority voter and the generalised
median voter (MVS) are the two most widely used mechanisms. The formalised majority
voter works by ensuring that more than half the values are identical, based on a
2-out-of-3 majority in a TMR system for instance. The latter uses the middle value out
of all the input values, and works by eliminating the pair of values that are farthest
apart until one value is left (Dubrova. E, 2008, pg 122). Boeing implements the MVS
voting system for selecting the correct output, and the hardware configuration for this
setup to function is passive hardware redundancy.

7.3. Hardware Fault Tolerance System:

7.3.1. Passive (Static) Redundancy management:

In this system, all redundant modules participate in the computation process. The voter
subsequently masks out the error whilst ensuring that general system operation remains
uninterrupted. This confirms that only correct values are passed on to the next
subsequent system input, in spite of the presence of a fault. The system uses no
explicit technique to detect or react to the erroneous state, but simply masks the
operation to stop errors propagating from one system to another. This is done through
an independent selection algorithm known as a voter. In a majority voter system, a
minimum of two modules should be functional for correct functioning of the voter,
whereas MVS may require all three modules to be functional at any given time. The most
common form of this redundancy technique is Triple Modular Redundancy (TMR), or in
general N-Modular Redundancy (Dubrova. E, 2008).

The reliability evaluation of TMR with a simplex voter, under the condition that a
minimum of two modules must be operative at all times, gives the following reliability
for the overall system.

Let

$R_V(t)$ be the reliability of the voter;

$R_M(t)$ be the reliability of a module;

$C$ be the coverage factor (probability of detecting the fault).

The reliability of the overall system $R_{TMR}$ is then the probability of all three
modules functioning plus the probability of any two functioning, times the reliability
of the voter $R_V$:

$R_{TMR}(t) = R_V(t) \cdot \left[ R_M(t)^3 + 3\,R_M(t)^2\,(1 - R_M(t))\,C \right]$

Fig 26: TMR with a potential single voter failure (three inputs feed a single voter,
which produces the output).

It is evident from the above diagram that the voter is a potential single point of
failure (see fig 26); therefore, further improvements are made to decentralize the
voting system, giving triplex voters for enhanced fault tolerance capability and
reliability.

Fig 27: Triplication of voter to avoid single point failure (each of the three inputs
feeds its own voter and output).

Reliability assessment of the triplex-voter TMR system gives the overall reliability of
the system as follows:

$R_{TMR\text{-}triplex\,voter}(t) = \left(R_V(t)\,R_M(t)\right)^3 + 3\,\left(R_V(t)\,R_M(t)\right)^2\,\left(1 - R_V(t)\,R_M(t)\right)\,C$

The reliability increment of the system can be justified by substituting values into
the two equations derived above.

The use of hardware voters with a majority-voting output arrangement needs to address
the problems associated with inexact values, as remote sensor inputs may vary in their
outputs depending upon their location and local environment. In an aircraft, flight
input parameters may vary due to slight differences in pitot-static and static port
calibration and their physical location (Krstic. M.D, pg 2, n/k). The problem of
disagreement on inexact values arising from minor input variation is resolved by
ignoring the least significant bits of the data up to a certain acceptable limit, while
the most significant bits of the data remain untouched. MVS could be an alternative
solution.
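As an added worked example (not code from this report, nor from Boeing or Airbus), the two voter types discussed above are applied to constructed sensor samples: a formalised majority voter that first discards a configurable number of least significant bits, and a generalised median (MVS) voter that repeatedly drops the pair of values farthest apart. The sample readings, the 2-bit tolerance and the handling of an even channel count are assumptions of the example.

```python
from collections import Counter
from typing import List, Optional


def mask_lsb(value: int, ignore_bits: int) -> int:
    """Drop the `ignore_bits` least significant bits of a fixed-point sample.
    The most significant bits are left untouched, so two readings that differ
    only in the discarded low-order bits compare as equal."""
    return value & ~((1 << ignore_bits) - 1)


def majority_vote(values: List[int], ignore_bits: int = 0) -> Optional[int]:
    """Formalised majority voter: the masked value that more than half of the
    channels agree on. Returns None when no strict majority exists, i.e. the
    voter is defeated (for TMR this is the 2-out-of-3 rule)."""
    masked = [mask_lsb(v, ignore_bits) for v in values]
    value, count = Counter(masked).most_common(1)[0]
    return value if count * 2 > len(masked) else None


def mvs_vote(values: List[int]) -> int:
    """Generalised median voter (mid-value select): eliminate the pair of
    values farthest apart (always the current minimum and maximum) until a
    single value is left. For an even channel count the final pair is
    averaged; that rule is an assumption of this example, not the report's."""
    remaining = sorted(values)
    while len(remaining) > 2:
        remaining = remaining[1:-1]     # drop min and max, the farthest-apart pair
    if len(remaining) == 1:
        return remaining[0]
    return (remaining[0] + remaining[1]) // 2


# Constructed TMR readings: two healthy channels differ only in the low bits
# (sensor calibration spread), the third channel is grossly wrong.
TMR_SAMPLES = [1000, 1001, 1500]

# Constructed readings with one FCC offline and held at zero logic.
ONE_OFFLINE = [0, 1000, 1001]


def demo() -> dict:
    """Run both voters over the constructed samples and return the results."""
    return {
        # exact comparison finds no 2-of-3 agreement: the voter is defeated
        "majority_exact": majority_vote(TMR_SAMPLES),
        # ignoring the two low bits lets the healthy pair agree on 1000
        "majority_masked": majority_vote(TMR_SAMPLES, ignore_bits=2),
        # MVS discards the farthest pair (1000, 1500) and keeps 1001
        "mvs": mvs_vote(TMR_SAMPLES),
        # with one channel at zero, MVS yields the lower healthy value
        "mvs_one_offline": mvs_vote(ONE_OFFLINE),
        # exact majority cannot cope with the offline channel plus low-bit spread
        "majority_one_offline": majority_vote(ONE_OFFLINE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The masked majority vote only agrees because the healthy pair differ inside the discarded bits; widen the spread past the tolerance and it is defeated again, whereas the median voter needs no tolerance at all.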

7.3.2. Active (Dynamic) Redundancy Management:

The previous NMR system employs the technique of masking out errors in the first place
by using a considerable amount of hardware in operation. In a dynamic system, however,
temporary errors are acceptable provided they are detected and compensated within a
reasonable time.

The system relies on a three-step approach: fault detection, effective isolation and
fault recovery through reconfiguration. This necessitates the use of spare standby
modules for replacement in the recovery phase of the three-step approach.

Fig 28: Duplication with comparison (one input feeds Version A and Version B, whose
outputs are checked by a comparator, an XOR gate).


This is similar to the architecture of the Airbus FCC, where Version A and B are
essentially the command and monitor lanes, which are subsequently cross-checked by an
XOR logic gate (see fig 28) to verify the module in operation. The comparator can simply
determine whether the signals agree or not, but has no means of locating the faulty
module. Truth table 2 shows that there is only one state in which the signal declares
itself true and valid.

Table No 2: Truth Table (Error reporting system)

Input Module A    Input Module B    Logic function
0                 0                 0
0                 1                 0
1                 0                 0
1                 1                 1

The system should incorporate an external reconfiguration circuit for switching over to
a standby spare module in the event of a failure. The N-self-checking programme, usually
embedded on the reconfiguration board, examines the error reports received from the
self-checking components and determines which standby spare to switch to accordingly
(Laprie. C.J, 1990). In aircraft, spares are usually in hot standby mode for quick
switchover, reducing the downtime incurred on initialization and power-up of the spare
module. By doing so, system interruption in flight-critical systems is kept to a
minimum.


Fig 29: Pair and Spare technique (an active module and a spare module, each containing
Version A and Version B with an error detector; switch logic and reconfiguration select
which module drives the output).

Since the spare modules are in hot standby mode, the spares in effect have the same
failure rates as the active modules. Hence, the reliability of the active and standby
modules is treated the same.
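As an added example, not code from this report nor from any Airbus product, the pair-and-spare scheme above is modelled in Python: each module runs a command lane and a monitor lane on the same input, the comparator reports only agree/disagree, and the reconfiguration logic switches to the hot spare on a disagreement. The control law, the single-bit fault injection and the reversed-sign input are constructed; the last case shows why a comparator cannot catch an error that reaches both lanes, the limitation the report raises in section 8.

```python
from typing import Callable, List, Tuple

Law = Callable[[int], int]


class SelfCheckingModule:
    """One module (e.g. an FCC) running a command lane (Version A) and a
    monitor lane (Version B) on the same input. The comparator only reports
    whether the lanes agree; it cannot say which lane is wrong."""

    def __init__(self, name: str, command: Law, monitor: Law) -> None:
        self.name = name
        self.command = command
        self.monitor = monitor
        self.faulty = False   # hypothetical hook used by scenario() to inject a fault

    def compute(self, x: int) -> Tuple[int, bool]:
        a = self.command(x)
        if self.faulty:
            a ^= 0x1          # injected single-bit error in the command lane output
        b = self.monitor(x)
        return a, a == b      # (candidate output, comparator result)


class PairAndSpare:
    """Active redundancy: the active module drives the output; on a lane
    disagreement the reconfiguration logic switches to the next hot spare.
    Hot spares compute every cycle, so the switch costs no warm-up time."""

    def __init__(self, modules: List[SelfCheckingModule]) -> None:
        self.modules = modules
        self.active = 0
        self.events: List[str] = []

    def step(self, x: int) -> int:
        results = [m.compute(x) for m in self.modules]   # all modules run in parallel
        while self.active < len(self.modules):
            out, agree = results[self.active]
            if agree:
                return out
            self.events.append(f"{self.modules[self.active].name}: lanes disagree, switching to spare")
            self.active += 1
        raise RuntimeError("all modules exhausted")


# Constructed control law: command and monitor lanes are different software
# versions (design diversity) that both apply a gain of 2 to the stick input.
def version_a(x: int) -> int:
    return 2 * x


def version_b(x: int) -> int:
    return x + x


def build_system() -> PairAndSpare:
    return PairAndSpare([
        SelfCheckingModule("FCC1", version_a, version_b),
        SelfCheckingModule("FCC2", version_a, version_b),   # hot spare
    ])


def scenario() -> dict:
    """A healthy cycle, then a command-lane fault in FCC1, then an input whose
    sign is reversed upstream of both lanes (a common-mode input error)."""
    system = build_system()
    healthy = system.step(10)
    system.modules[0].faulty = True
    after_fault = system.step(10)           # comparator trips, spare takes over
    # Both lanes see the same reversed input, so they agree and the wrong sign
    # passes straight through: duplication with comparison cannot detect it.
    reversed_sign = system.step(-10)
    return {
        "healthy": healthy,
        "after_fault": after_fault,
        "active_module": system.modules[system.active].name,
        "reversed_input_output": reversed_sign,
        "events": system.events,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Note that the switch-over leaves no event for the reversed-sign cycle: the comparator is satisfied, so nothing in the module can flag the error, which is exactly the gap a central voter across independently fed modules is meant to close.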

Reliability assessment of the dynamic redundancy system is worked out below.

Let

$R(t)$ be the reliability of a module;

$N$ be the number of spare modules;

$R_{DET}(t)$ be the reliability of the fault detection unit, the comparator;

$C$ be the coverage factor;

$R_{reconfig}(t)$ be the reliability of the reconfiguration device, the switching circuit.

$R_{dyn}(t) = C \cdot R_{DET}(t) \cdot \left[1 - (1 - R(t))^{N+1}\right] \cdot R_{reconfig}(t)$ (Koren.I, Krishna.C, 2007, pg 25)


7.3.2.1. Simplified Reliability Analysis on Passive and Active Hardware Redundancy

Fig 30: Low-level redundancy with multiple thread strategy (each input feeds its own
module and voter: Module 1 to Voter 1, Module 2 to Voter 2, ..., Module N to Voter N).

Fig 31: High-level redundancy with single thread strategy (each input feeds a module
with its own error detector; a single reconfiguration block selects among Modules 1 to
N).

From the simple block diagrams and the reliability equations generated from fig 30 and
31 above, we can deduce a descriptive analysis of the two systems. Active hardware
redundancy is essentially a high-level redundancy implementation, where the entire
signalling path is duplicated for greater redundancy of the system, with a
single-thread strategy. Passive redundancy, on the other hand, is low-level redundancy
with multiple threads, using the cube concept (refer to appendix H). From the diagrams
above, we can assert that the passive redundancy system is effectively a serial
combination of parallel subsystems (cube concept), which uses resources more
efficiently, without the need to discard an entire lane if one subsystem fails in
operation. Consequently, provided the components are truly independent of one another,
low-level redundancy yields a greater reliability than a high-level redundancy system
(Dubrova. E, 2008, pg 49). From the analysis, we can conclude that passive redundancy
renders better fault tolerance capabilities than active redundancy management.
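As an added worked example (not part of the report), the reliability expressions derived in sections 7.3.1 and 7.3.2 are evaluated numerically, together with the low-level versus high-level comparison of fig 30 and 31. Failure times are assumed exponentially distributed; the failure rates, mission time and coverage factor are constructed values, and the low-level/high-level functions generalise the "series of parallel" and "parallel of series" block diagrams to N replicas over any number of stages.

```python
import math


def r_tmr_simplex_voter(rv: float, rm: float, c: float = 1.0) -> float:
    """TMR with a single voter: all three modules up, or exactly two up and the
    failure covered (coverage C), times the voter reliability R_V."""
    return rv * (rm ** 3 + 3 * rm ** 2 * (1 - rm) * c)


def r_tmr_triplex_voter(rv: float, rm: float, c: float = 1.0) -> float:
    """TMR with a triplicated voter: each module/voter pair is one channel."""
    ch = rv * rm
    return ch ** 3 + 3 * ch ** 2 * (1 - ch) * c


def r_dynamic(r: float, n_spares: int, c: float, r_det: float, r_reconfig: float) -> float:
    """Active (dynamic) redundancy: one active module plus N hot spares; a
    failure is survived only if it is detected (C), the detector itself works
    and the switching circuit works."""
    return c * r_det * (1 - (1 - r) ** (n_spares + 1)) * r_reconfig


def r_low_level(r: float, n: int, stages: int) -> float:
    """Series of parallel subsystems (fig 30, the 'cube' concept): each of the
    `stages` stages survives if any one of its n replicas survives."""
    return (1 - (1 - r) ** n) ** stages


def r_high_level(r: float, n: int, stages: int) -> float:
    """Parallel lanes of series stages (fig 31): a lane survives only if all of
    its `stages` stages survive; the system survives if any of n lanes does."""
    return 1 - (1 - r ** stages) ** n


def exp_reliability(failure_rate_per_hour: float, hours: float) -> float:
    """R(t) = exp(-lambda t), the constant-failure-rate model."""
    return math.exp(-failure_rate_per_hour * hours)


# Constructed (assumed) parameters: a 10-hour flight, module lambda 1e-4/h,
# voter / detector / switch lambda 1e-5/h, 95 % fault coverage.
FLIGHT_HOURS = 10.0
LAMBDA_MODULE = 1e-4
LAMBDA_SUPPORT = 1e-5
COVERAGE = 0.95


def compare_schemes(hours: float = FLIGHT_HOURS) -> dict:
    """Evaluate every scheme at the same mission time and return the figures."""
    rm = exp_reliability(LAMBDA_MODULE, hours)
    rs = exp_reliability(LAMBDA_SUPPORT, hours)
    return {
        "simplex_module": rm,
        "tmr_simplex_voter": r_tmr_simplex_voter(rs, rm, COVERAGE),
        "tmr_triplex_voter": r_tmr_triplex_voter(rs, rm, COVERAGE),
        "dynamic_one_spare": r_dynamic(rm, 1, COVERAGE, rs, rs),
        "dynamic_two_spares": r_dynamic(rm, 2, COVERAGE, rs, rs),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name:22s} {value:.8f}")
    # With independent components, low-level beats high-level at equal part count.
    print("low-level ", r_low_level(0.9, 3, 2))
    print("high-level", r_high_level(0.9, 3, 2))
```

Two things are worth noticing when running it: the triplex-voter TMR edges ahead of the simplex-voter TMR once the voter is not perfect, and the dynamic figure is capped by the coverage factor, since an undetected failure cannot be recovered no matter how many spares are fitted.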

7.4. Hybrid Redundancy management:

Fig 32: N-Modular Redundancy with Spares (Modules 1 to N feed a voter; an error
detector drives a switching circuit that brings Spares 1 to N in to replace a faulty
module).

This is an advanced version of the TMR management system and turns out to possess the
best fault tolerant characteristics of all in terms of reliability and operational
availability. The design is similar in construction and implementation to the FT of the
Boeing 777 flight control system, with an integrated standby lane to meet the
requirements of a hybrid system. The main difference between hybrid and TMR is the
presence of spares, apart from the N redundant modules, to switch over to in the event
of failure of an active module (see fig 32). The hybrid system provides an additional
layer of fault protection by taking the faulty module offline after a certain threshold
and replacing it with a working spare module. In this way, the system tries to defend
the voter from multiple faulty modules defeating it and masking out the good modules
when the majority has failed (Hitt.F.Ellis, 2001, pg 13).


In the Boeing 777, the hybrid system is approached through the introduction of a standby
lane incorporated into each PFC as a spare module. The basic switch works as shown in
the figure below, where the results from the command lane (module) are cross-compared
with the selected output from the voter. If for whatever reason the voter or the
command lane produces dissimilar results, the output is forced to zero logic by a
threshold voter (Dubrova. E, 2008, pg 64). This switching gives dual coverage
capability, in which either the module or the voter could have failed, producing
invalid results. In either fault case the XOR gate is forced to produce 0 logic, giving
dual fault protection capability. In Boeing, this function is executed through the
monitor lane of the PFC by cross-lane comparison.

Fig 33: Basic Switching structure of Hybrid System (Dubrova. E,2008)

8. RELIABILITY SYSTEM ANALYSIS OF BOEING AND AIRBUS FAULT TOLERANT ARCHITECTURE:

The analysis covered in the above section of the report justifies that the reliability
of passive redundancy is greater than that of the active type, provided the conditions
(independence) are adhered to appropriately. We have also been able to justify that the
hybrid system, with its unique feature of safeguarding the voters from being defeated
by a majority of faulty modules, has a greater reliability than the individual static
and dynamic redundancy management schemes. The active redundancy management implemented
in the FT flight control computers of Airbus has a number of potential single points of
failure; one such problem is the complete reliance on the comparator to detect faults.
This could be a potential shortfall if both variants (i.e. command/monitor lane) receive
the same erroneous input signal: in this scenario the comparator fails to detect the
error and cannot compensate for it. The N-self-checking software embedded in the
reconfiguration board makes its decision based on the error report it receives from the
error detector; hence a failure to initiate reconfiguration, due to a malfunction of
error reporting, lets the erroneous state propagate through the system without
hindrance.

The scenario is further backed by the Lufthansa Airbus A320 cross-wired sidestick
incident on a flight bound for Paris. The incident followed incorrect maintenance
carried out on the captain's sidestick controller (Macnabb.S,2004). It occurred because
the wiring polarity was reversed upstream of the sidestick controller from the ELAC FCC
during a procedure to rectify damaged pins, and the failure to detect the error on the
post-maintenance check led the aircraft to bank steeply at takeoff due to the control
reversal effect. Though the situation was confronted wisely by the pilot, saving the
lives of the passengers, it could have been catastrophic. Since both the command and
monitor lanes receive the same input signal, the erroneous state was not addressed (AMM
A320, ATA 27-93-00 pg 10). The downside of the Airbus FT system is its complete reliance
on local checks at the flight control computers to detect errors and initiate
reconfiguration, with the redundant spares remaining virtually isolated during the
computation. This system configuration makes it a weak defense against faults. Since the
Airbus FCCs do not participate in the computation at a central level, the system makes
very inefficient use of hardware resources.

On the contrary, the Boeing FT system uses a second layer of protection against faults
by means of a voting mechanism at the central level to validate the finalized output.
Here all the processing modules (the PFCs) participate at the central level before the
independent decision is made by the voter, which also improves the effective
utilization of hardware components. Furthermore, the FT of the Boeing 777 goes a step
further by incorporating the hybrid technique of replacing the faulty module, which
adds the next layer of protection against a faulty voter jeopardizing the system or a
majority of faulty modules defeating the voter. Since each PFC receives data from every
other PFC to vote the correct signal output, the voter in essence is triplicated across
the FT architecture. Though we assume the switching is perfect for active redundancy
management, in reality the switching system wears out over time and may not work as
expected. The issue of imperfect switching is also eliminated by replacing it with a
voting mechanism.

Another drawback of active redundancy compared to the passive type is the system
interruption and the inevitable system pause while the reconfiguration board
(N-self-checking programme) runs the diagnostic checks to determine which module is
faulty and replaces it with a spare (Wang et al, 2007, pg 146). This puts the system in
a momentary halt, which is not a good sign for a real-time application such as the FCS.

In many instances active-type redundancy is implemented to gain the advantage of the
extended life expectancy of (cold) standby modules; however, in aircraft applications
the desired level of integrity requires hot spares, to compensate for the increased
system pause of such a life-extended design, thereby losing its benefits in MTTF and
power consumption. Therefore, the failure rates of both the active modules and the
spares in a hot standby system are regarded as the same.

9. CONCLUSION

This paper has attempted to carry out a comprehensive analysis of the flight control
system processing of the two most widely used commercial jets, Boeing and Airbus.

From the analysis made on these two most popular commercial jets we can deduce that
certain aspects of the Boeing (B-777) processing system and its fault tolerant features
are exceptionally strong in terms of reliability, dependability and performance. One
reason could be the technology available at the time of the production and development
phase of the aircraft. In general, Boeing aircraft are highly redundant and extremely
safe in the handling of abnormal situations, giving them an edge over Airbus systems.
However, this does not put Airbus system operation in a bad light, as it maintains a
sufficient level of redundancy and is proven safe to fly by conforming to the standards
of airworthiness safety requirements. Boeing's design implementation, to achieve a more
robust and fault tolerant system processing architecture, has indeed involved added
cost during implementation and production, but reaps long-term economic benefits for
their operators through a higher degree of reliability and dispatch rates. At the end
of the report, taking into consideration economic viability and implementation
feasibility, the author recommends a new proposition to modify the existing flight
control system, to improve the reliability and efficiency of the flight control
processing system with minimum changes to its original system architecture.

10. RECOMMENDATION: TRIPLE-DUPLEX REDUNDANCY FOR AIRBUS

Looking at the inefficiency of the current Airbus FCS architecture in the many aspects
highlighted in this report, a proposition of a Triple-Duplex architecture (see fig 35)
is put forward by the author in an effort to improve the reliability and system
performance of the existing system. The proposed new architecture is designed to
address most of the existing faults of the current architecture, while bearing in mind
the economic viability of system implementation and certification. The author strongly
recommends that the following system architecture be applied to the A330/340, which
undertakes most long-haul flights across the wide Pacific and Atlantic oceans, where
the reliability of system operation is a major point of concern.

10.1. System Operation Overview:

A total of six modules, developed independently to defend against common design errors,
are grouped in three pairs computing in parallel. Each pair consists of a monitor lane
shadowing the command lane to confirm the validity of the output to the voter, which
subsequently masks out the transient and permanent errors from the computation. Apart
from the duplication checks, the system modification includes a voting mechanism as the
last line of defense against error propagation.

Fig 34: Triple-Duplex Architecture (Processors 1, 2 and 3 each contain a Command A lane
and a Monitor B lane checked by a comparator, an XOR gate, which controls a switch on
the processor's output).

10.2. Design Consideration and Implementation:

The system implementation begins with the first step of replacing the reconfiguration
board with the voter mechanism. For greater flexibility, a software voting system using
N-version programming is highly recommended for the design. In this system, the
self-checking computers, i.e. PRIM 1, 2 and 3, retain the existing configuration of
self-checking through comparison of the command and monitor lanes to validate the
output, but the system is modified to allow each FCC to compute the laws independently.
This process takes place in all computers simultaneously. Any discrepancy between the
two lanes leads to disconnection of the FCC from the system through open-circuit logic
(XOR gate).

Presently, Airbus uses a similar platform for all PRIM computers, but involves the SEC
computers on a different platform to attain the desired level of design diversity.
Since the proposition of the new architecture eliminates the use of SEC computers from
the network frame, the author strongly recommends the strict use of independent
software versions by each module to satisfy the concept of design diversity and the
effectiveness of the voting system. In perfect operating condition, all three FCC
channels are submitted to the voter to mask out faults. In the case of a single
computer failure (offline), the remaining modules take part in the voting mechanism,
but the issues at the voting system over disconnection and isolation of a single
computer from the central computation process will depend upon the type of voting
mechanism used. Therefore, the choice of voting mechanism is an important consideration
for the effective functioning and viability of the system implementation.

10.3. Practical Issues and Implementation of Voter System

We have two choices in the selection of the voting mechanism: either the formalized
majority voter or the generalized median voter. The choice of a majority voting
technique may work perfectly on a single computer failure, provided the remaining
computers produce identical results for comparison. The downside of such voters,
however, is the inconsistency of the remaining non-faulty computers producing inexact
values. Even if that problem is addressed by eliminating the LSBs, the fact that the
identical inputs need to be tightly synchronized for bit-by-bit comparison of the
computers during normal processing poses a potential threat by tying the computers too
closely together, so that they could drag each other down in the event of a failure.
Moreover, such an implementation is even harder with the ARINC 429 data bus
communication protocol, where sharing of resources is not feasible over a
point-to-point topology; upgrading to ARINC 629 to implement the design may require a
complete redesign of the system architecture, which is not economically viable.


An approach to overcome this problem is the choice of a generalised median voter, where
the mid-value selection (MVS) algorithm selects a single value from all inputs. The
problem of disagreement among the output modules is also resolved (Krstic. M.D, n/k).
Since the median value selection algorithm can have additional time intervals to allow
all inputs to be buffered for cross-comparison, the flexibility of an asynchronous
communication protocol between the computers is also possible, which means no tight
synchronization is needed. Furthermore, median voters can operate without a defined
allowable error tolerance (Hammert.R, 2002, pg 21), which renders ideal exception
handling characteristics during abnormal operation, such as a situation where an FCC
has gone offline. In such a scenario, the offline computer continues at zero logic,
while the lower value of the two functioning modules is selected as the output.

To preclude the voter from being a single point of failure, the voting mechanism is decentralised
by having three parallel voters, which replace the traditional reconfiguration board.
The reliability assessment of the traditional reconfiguration FT architecture shows it
to be not very reliable, since the switching circuit may be imperfect, degrade
over time and form a potential single point of failure. The MVS strategy bypasses the
conventional unreliability of active redundancy management and enables
the processors to participate in computation at the central level, giving better FT
capabilities.
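The following is an added example, not code from the report, showing the two voter behaviours described above on constructed channel values: an exact-match majority voter that cannot select an output when the three healthy computers return slightly inexact results, and a mid value select (MVS) voter that always produces one value, masks a single wild or offline channel (represented by zero logic, as the report describes), and needs no agreement tolerance. The frame buffer shows how asynchronous channels can be collected before the vote; the channel count and sample values are assumptions for illustration.

```python
"""Mid value select (MVS) voting for a triple-redundant FCC output.

Added example, not code from the report or from any manufacturer. The three
channel values are constructed numbers (say an elevator command in degrees);
an offline FCC is represented by 0.0 ("zero logic") as the report describes.
The exact-majority voter is included only to show the disagreement problem
the report attributes to majority voting on inexact values.
"""
from typing import List, Optional


def exact_majority(values: List[float]) -> Optional[float]:
    """Formalised majority voter: returns a value only if at least two
    channels agree exactly; otherwise no output can be selected."""
    for candidate in values:
        if sum(1 for v in values if v == candidate) >= 2:
            return candidate
    return None


def mid_value_select(values: List[float]) -> float:
    """Generalised median voter: the middle of three channel values.
    A single wild value (too high or too low) can never be selected, and
    no agreement tolerance between the channels is required."""
    if len(values) != 3:
        raise ValueError("MVS voter expects exactly three channel values")
    return sorted(values)[1]


def channel_deviations(values: List[float], selected: float) -> List[float]:
    """Distance of each channel from the voted output. Useful for maintenance
    flagging only; the vote itself does not depend on it."""
    return [abs(v - selected) for v in values]


class VoterFrame:
    """Buffers one value per channel for a single control frame.

    Channels may report in any order (asynchronous links); when the frame is
    voted, a channel that has not reported is treated as offline and takes
    zero logic, so the median becomes the lower of the two live channels.
    """

    def __init__(self, n_channels: int = 3) -> None:
        self.values: List[Optional[float]] = [None] * n_channels

    def receive(self, channel: int, value: float) -> None:
        self.values[channel] = value

    def vote(self) -> float:
        present = [0.0 if v is None else v for v in self.values]
        return mid_value_select(present)


if __name__ == "__main__":
    # Three healthy FCCs producing slightly inexact results (constructed values)
    healthy = [10.1, 10.3, 10.2]
    print("majority:", exact_majority(healthy))      # None: no two identical
    print("MVS:", mid_value_select(healthy))         # 10.2
    # FCC 1 has gone offline and sits at zero logic
    print("MVS one offline:", mid_value_select([0.0, 10.3, 10.2]))  # 10.2
    frame = VoterFrame()
    frame.receive(2, 5.0)
    frame.receive(0, 4.8)          # channel 1 never reports this frame
    print("frame vote:", frame.vote())               # 4.8
```

Because the median needs no tolerance band, the only decision the voter makes is an ordering, which is why a channel stuck at zero simply drops to the bottom of the order and the lower live value is passed through.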

10.4. Exception Handling and Recovery Reconfiguration:

To ensure the extreme levels of system integrity and availability required, certain design
considerations need to be factored in. The triple-duplex design implementation
needs to assess the likelihood of a second FCC failure and be able to confront a
double module failure without jeopardising the FCS. Since no voting mechanism can
handle more than two failures in a TMR redundancy (Imran.M, 2006, pg 15), the
system needs a compensation technique to bypass the voting mechanism at any
instance of double module failure through reconfiguration. It starts with designing a
dedicated logic circuit to instantaneously detect a double module failure, upon which
reconfiguration is initiated. The system will be reconfigured to Bypass mode logic
(see fig 35), which is a virtual short circuit across the voter system. The system shall
maintain a decent graceful degradation with a single operating FCC. The newly
proposed architecture replaces the conventional SEC computers by 3 ACEs. The
ACE acts as the interface between the FBW analogue and digital domains (Bob.Y.C, 1996).
The ACE receives all digital flight computation primarily from the voters, or directly from the
FCC depending upon the mode of operation. The ACE then converts the digital
signal to an analogue signal to drive the servo valves of the actuator. The ACE is closed
loop with the position feedback received from the LVDT transducers of the control
surfaces and ceases the movement at the desired position. The ACE shall reserve a
dedicated channel for a direct analogue linkage between the side stick controller and
the control surface actuator in the event of complete loss of the flight control computers.

Previously, AIRBUS used two different types of processor modules, namely the PRIM
and SEC computers, to deliver dissimilar forms of control; with the newly proposed
architecture an even more robust form of direct control is achieved through the ACE. The ACE, with
its reserved channel for a direct link with the pilot controls, can be considered an
effective means of dissimilar secondary control, and since it is reasonably
straightforward to demonstrate that the reliability of this link is high, the certification
process is eased. This implementation can overcome the constraints of the complex
verification and validation process of the different software packages used in
conventional secondary (SEC) FCCs to date.

10.5. Design of a Basic Algorithm Circuit and System Implementation

A basic algorithm is designed to identify a double FCC failure, based on
which the necessary action will be executed. For it to function, 3 different logic gates
were used: AND, Inverter and XOR. The 3 inputs required for the computation are
tapped off at 3 different points A, B and C, the failure of each computer being represented by
logic 0. The circuit is designed to generate the following logic function (V):

V=ABC+ABC

where the dot represents product (AND) and the plus represents addition (OR). The overhead bar represents
inverse logic.

Table 3: Truth Table for Fault Detection

A  B  C  | Output = V
0  0  0  | 0
0  0  1  | 0
0  1  0  | 0
1  0  0  | 0
0  1  1  | 1
1  1  0  | 1
1  0  1  | 1
1  1  1  | 1

At any instance when output V turns to logic 1, the reconfiguration device reads it as a
double FCC failure and addresses the problem by switching to bypass mode logic,
ensuring continuation of flight computation with minimum system interruption during
the transition. The separate signalling channel through the bypass switch will be de-
multiplexed to each ACE to ensure the high availability of full flight control.
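As an added example (not the report's own circuit), the detection function below is built only from AND and XOR gate functions and reproduces the output column of Table 3; the expression V = A·B xor A·C xor B·C is this example's own construction, chosen because it needs no inverter. The small reconfiguration model then shows the switch to bypass mode when V reads 1 and the fan-out of the direct command to each ACE. The latching of bypass mode, the three ACEs and the command values are assumptions made for the example.

```python
"""Double-FCC-failure detection logic and bypass reconfiguration.

Added example, not the report's own circuit design. fault_flag() is built
only from the AND and XOR gate functions and reproduces the output column of
Table 3 (V = A.B xor A.C xor B.C is this example's own construction). The
Reconfigurator models the bypass switch: once V reads 1 the voter path is
treated as short-circuited and the direct FCC command is fanned out
(de-multiplexed) to each ACE. The latching of bypass mode, the three ACEs
and the command values are assumptions made for this example.
"""
from typing import List, Tuple

Bit = int  # 0 or 1


def AND(x: Bit, y: Bit) -> Bit:
    return x & y


def XOR(x: Bit, y: Bit) -> Bit:
    return x ^ y


def fault_flag(a: Bit, b: Bit, c: Bit) -> Bit:
    """Logic function V over the three tap points A, B and C (Table 3)."""
    for bit in (a, b, c):
        if bit not in (0, 1):
            raise ValueError("inputs must be logic 0 or 1")
    return XOR(XOR(AND(a, b), AND(a, c)), AND(b, c))


def truth_table() -> List[Tuple[Bit, Bit, Bit, Bit]]:
    """All eight input combinations with the resulting V, as (A, B, C, V)."""
    return [(a, b, c, fault_flag(a, b, c))
            for a in (0, 1) for b in (0, 1) for c in (0, 1)]


class Reconfigurator:
    """Reconfiguration device driven by V. In normal mode the voted command
    reaches the ACEs; when V turns to 1 the device switches to bypass mode
    and routes the direct FCC command to every ACE instead."""

    NORMAL = "normal"
    BYPASS = "bypass"

    def __init__(self, n_ace: int = 3) -> None:
        self.n_ace = n_ace
        self.mode = self.NORMAL
        self.transitions = 0  # count of normal -> bypass switches (for logging)

    def route(self, taps: Tuple[Bit, Bit, Bit],
              voted_cmd: float, direct_cmd: float) -> List[float]:
        """Return the command delivered to each ACE for this frame."""
        v = fault_flag(*taps)
        if v == 1 and self.mode == self.NORMAL:
            self.mode = self.BYPASS   # assumed to latch: no automatic return
            self.transitions += 1
        source = voted_cmd if self.mode == self.NORMAL else direct_cmd
        return [source] * self.n_ace  # same signal de-multiplexed to each ACE


if __name__ == "__main__":
    for row in truth_table():
        print(*row)
    device = Reconfigurator()
    print(device.route((1, 0, 0), 5.0, 4.0), device.mode)   # voted path
    print(device.route((1, 1, 0), 5.0, 4.0), device.mode)   # V=1: bypass
```

Running the block prints the eight rows of Table 3 followed by the ACE commands before and after the bypass transition; a real implementation would also record the transition for maintenance, which is what the `transitions` counter stands in for.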

Tissara Tilakaratne K0827514 Page | 55


AE3382 Individual Project Automatic Flight Control System Architecture

[Figure: proposed triple-duplex architecture. An Autopilot Computer feeds PRIM-1, PRIM-2 and PRIM-3; each PRIM has a Command lane (A) and a Monitor lane (B) whose outputs are compared by a Comparator (XOR gate), and each PRIM is associated with a switch (A, B and C respectively).]

Fig 35: New Proposal of Triple-Duplex Architecture Design


11. REFERENCES

Armoush.A et al (2008). A Hybrid Fault Tolerance Method for Recovery Block with a Weak Acceptance Test. RWTH Aachen University, Germany. IEEEXplore. [Internet] Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4756378 (Accessed on 9th March 2012).

Author Unknown (2012). Airbus A330 Factsheet. Training purposes only. [Internet] Available at: http://www.airbusdriver.net/A330Facts.pdf (Accessed on 10th April 2012).

Author Unknown (1999). A330 Flight Deck and Aircraft System Briefing for Pilots. Airbus. [Internet] Available at: http://www.smartcockpit.com/data/pdfs/plane/airbus/A330/misc/A330_Flight_Deck_and_Systems_Briefing_For_Pilots.pdf (Accessed on 20th March 2012).

Bartley G.F. (2001). Boeing 777: Fly-by-wire Flight Controls. The Avionics Handbook. CRC Press. [Internet] Available at: http://www.davi.ws/avionics/TheAvionicsHandbook_Cap_11.pdf (Accessed on 9th March 2012).

Berger. S.J (1997). ARINC 629 Digital Communication System: Application on the 777 and Beyond. Microprocessor and Micro Processing System, Seattle, Boeing Group. [Internet] Available at: http://www.sciencedirect.com/science/article/pii/S0141933197011113 (Accessed on 4th March 2012).

Briere.D & Traverse P. (1993). Airbus A330/340 Electrical Flight Controls: A Family of Fault-tolerant Systems. Toulouse, France. [Internet] Available at: http://personales.upv.es/juaruiga/teaching/TFC/Material/Trabajos/AIRBUS.PDF (Accessed on 3rd March 2012).

Bob. Y.C (1996). Triple-Triple Redundant 777 Primary Flight Computer. Boeing Commercial Airplane Group, Flight Systems Electronics. IEEEXplore. [Internet] Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=495891 (Accessed on 8th April 2012).

Bob Y.C (1998). Typical ACE (Right) Architecture. Design Consideration FBW Computers 777. IEEEXplore. [Internet] Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=731596 (Accessed on 7th April 2012).

Bob.Y.C (2001). Safety Critical Avionics for the 777 Primary Flight Controls. The Boeing Company, Seattle. IEEEXplore. [Internet] Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=963311 (Accessed on 9th February 2012).

Boeing 777 (2010). Boeing 777 Training Manual. Qatar Airways. Boeing Proprietary.

Boeing 777 (2010). PFC Lane Configuration and Corresponding Operational Capabilities. Boeing 777 Training Manual. Qatar Airways. Boeing Proprietary.

Boeing 777 (2010). Gateway Design of AIMS between Flight Control and System ARINC Buses. Qatar Airways. Boeing Proprietary.

Bonneval. A et al (2008). Architecture Optimization based on Incremental Approach for Airplane Digital Distributed Flight Control System. IAENG Special Edition. IEEEXplore. [Internet] Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=05233199 (Accessed on 8th April 2012).

Bonneval. A et al (2009). Distributed and Reconfigurable Architecture for Flight Control System. Flight Control System Department, AIRBUS France. IEEEXplore. [Internet] Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5347447 (Accessed on 10th March 2012).

Doerenberg. F.M.G & Darwiche. A.A (n/k). Application of the BENDIX/KING Multi-computer Architecture for Fault Tolerance in Digital Fly-by-wire Flight Control System. Allied Bendix Aerospace. [Internet] Available at: http://www.nonstopsystems.com/cv/frank_resume-maft.pdf (Accessed on 8th Jan 2012).

Doerenberg.F.M.G (1997). Integrated and Modular Systems for Commercial Aviation. AlliedSignal Commercial Avionics Systems, pg 42. [Internet] Available at: http://www.scribd.com/doc/81217516/IMA97 (Accessed on 12th March 2012).

Dubrova.E (2010). Fault Tolerant Design: An Introduction. Royal Institute of Technology, Stockholm, Sweden. [Internet] Available at: http://web.it.kth.se/~dubrova/draft.pdf (Accessed on 15th April 2012).

Dubrova.E (2010). N-self-checking Programming. Fault Tolerant Design: An Introduction. Royal Institute of Technology, Stockholm, Sweden. [Internet] Available at: http://web.it.kth.se/~dubrova/draft.pdf (Accessed on 15th April 2012).

Dubrova.E (2010). Basic Switching Structure of Hybrid System. Fault Tolerant Design: An Introduction. Royal Institute of Technology, Stockholm, Sweden. [Internet] Available at: http://web.it.kth.se/~dubrova/draft.pdf (Accessed on 15th April 2012).

Dutchops. (2011). Airbus A320 Primary Flight Control Systems. [Internet] Available at: http://www.dutchops.com/Portfolio_Marcel/Articles/Flight%20Controls/A320_Flight_Controls/A320_Primary_Flight_Controls.html (Accessed on 2nd April 2012).

Eveleens.R.C (2006). Open System Integrated Modular Avionics. NATO, National Aerospace Laboratory NLR, Netherlands. [Internet] Available at: http://ftp.rta.nato.int/public//PubFullText/RTO/EN/RTO-EN-SCI-176///EN-SCI-176-02.pdf (Accessed on 27th March 2012).

Fields. L (2005). Airplane Digital Distributed Fly-by-wire Flight Control System Architecture. SAE 549. [Internet] Available at: http://spirit-wolf.org/education/Fields_Lanny_Research_Paper.pdf (Accessed on 8th March 2012).

Harris. D (2004). Flight Instruments & Automatic Flight Controls. Ground Studies for Pilots, 6th Ed. [Internet] Available at: http://www.scribd.com/doc/60162274/0632059516 (Accessed on 15th Dec 2011).

Hammett.R (2002). Design by Extrapolation: An Evaluation of Fault Tolerant Avionics. The Charles Stark Draper Laboratory Inc. IEEEXplore. [Internet] Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=995184 (Accessed on 8th April 2012).

Hitt. F. Ellis & Mulcare. D (2001). Chapter 28: Fault Tolerant Avionics. The Avionics Handbook. CRC Press LLC. [Internet] Available at: http://www.davi.ws/avionics/TheAvionicsHandbook_Cap_28.pdf (Accessed on 4th February 2012).

Imran. M (2006). Using COTS Components in Space Applications. MSc Thesis, Netherlands. [Internet] Available at: http://ce.et.tudelft.nl/publicationfiles/1182_677_thesis.pdf (Accessed on 8th March 2012).

Isik. Y (2010). ARINC 629 Data Bus Standards on Aircraft. Avionics Department, Anadolu University, Turkey. [Internet] Available at: http://www.wseas.us/e-library/conferences/2010/Vouliagmeni/CSECS/CSECS-34.pdf (Accessed on 18th Jan 2012).

Jacquert. R (2004). General Errors and Dissimilarity Consideration. Building the Information Society: IFIP 18th World Computer Congress. Springer. [Internet] Available at: http://books.google.co.uk/books?id=z8GTMClZONcC&pg=PA214&lpg=PA214&dq=prim+and+sec+computer+airbus+microprocessor&source=bl&ots=CqMQeQnz9Q&sig=bVWQVYUL2lLTr8iSlorCYk5ahLo&hl=en&sa=X&ei=lt1qT7b7Lsuk8gPt_73xBg&redir_esc=y#v=onepage&q=prim%20and%20sec%20computer%20airbus%20microprocessor&f=false (Accessed on 15th March 2012).

Krstic. M.D et al (n/k). A Mid Value Select Voter, pg 2. Faculty of Engineering, University of Nis, Serbia. [Internet] Available at: http://es.elfak.ni.ac.rs/Papers/MVSVoter.pdf (Accessed on 27th Jan 2012).

Lazzaroni.M et al (2011). General System Reliability Increment in Parallel Redundant System. Reliability Engineering, pg 40. Springer-Verlag Berlin Heidelberg. [Internet] Available at: http://reader.eblib.com/%28S%28ijqmdcd5xdekmebhzsab05b2%29%29/Reader.aspx?p=798618&o=110&u=oknalnGVKUJoZUsBOsCB%2bwhIcno%3d&t=1337067607&h=919E52551CB6E694C5CDDBCCDDF731B274010D15&s=13076349&ut=255&pg=47&r=img&c=-1&pat=n# (Accessed on 14th April 2012).

Laprie C.J et al (1990). Definition and Analysis of Hardware and Software Fault-tolerant Architectures. [Internet] Available at: http://homepages.laas.fr/arlat/documents/89257/89257.pdf (Accessed on 22nd April 2012).

Said D. Jenie & Budiyono. A (2006). Automatic Flight Control System. Dept. of Aeronautics and Astronautics, ITB, Indonesia. [Internet] Available at: http://konkuk.academia.edu/AgusBudiyono/Books/87064/Automatic_Flight_Control_System_Classical_approach_and_modern_control_perspective (Accessed on 14th March 2012).

MacNabb. S (2004). Cross-Wired Side-Stick Almost Brings Down Airbus A320. Aviation Safety Maintainer, Transport Canada. [Internet] Available at: http://www.tc.gc.ca/media/documents/ca-publications/2_2004_1.pdf (Accessed on 15th March 2012).

McLean.D (1990). Automatic Flight Control Systems. Prentice Hall. University of Southampton, UK.

Moir I & Seabridge A (2008). DATAC ARINC 629. Flight Control System Architecture Boeing 777. Aircraft Systems. West Sussex, England: John Wiley & Sons. [Internet] Available at: http://media.wiley.com/product_data/excerpt/66/04700599/0470059966.pdf (Accessed on 20th Jan 2012).

Moir I & Seabridge A (2008). Servo Control Loop of Each ACE. Aircraft Systems. West Sussex, England: John Wiley & Sons. [Internet] Available at: http://media.wiley.com/product_data/excerpt/66/04700599/0470059966.pdf (Accessed on 20th Jan 2012).

Moore J. (2001). Chapter 33: Advanced Distributed Architecture. The Avionics Handbook. CRC Press. [Internet] Available at: http://www.davi.ws/avionics/TheAvionicsHandbook_Cap_33.pdf (Accessed on 8th March 2012).

Morgan J.M (2001). Chapter 29: Boeing B-777. IMA Rack-type Installation. The Avionics Handbook. CRC Press. [Internet] Available at: http://www.davi.ws/avionics/TheAvionicsHandbook_Cap_29.pdf (Accessed on 8th March 2012).

NASA (2000). Software Fault Tolerance: Tutorial. Langley Research Center, Hampton, Virginia, US. [Internet] Available at: http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20000120144_2000175863.pdf (Accessed on 12th March 2012).

PCGuide (2001). Reliability Issues in Computing Redundancy. [Internet] Available at: http://www.pcguide.com/ref/hdd/perf/raid/concepts/relRel-c.html (Accessed on 5th February 2012).

Petitt.K (2010). A320 vs A330 Fault Redundancy. [Internet] Available at: http://karlenepetitt.blogspot.co.uk/2010/09/more-a330-questions-answered.html (Accessed on 8th Jan 2012).

Ranter.H (2011). EASA Proposes Airbus FCPC Software Update in Wake of AF447 Accident. EASA AD 2010-0271. [Internet] Available at: http://aviationsafetynetwork.wordpress.com/tag/af447/ (Accessed on 5th April 2012).

Randell.B et al (1978). Reliability Issues in Computing System Design. Computing Laboratory, University of Newcastle, UK. [Internet] Available at: http://www.diversiorum.org/sape/dissys/p123-randell.pdf (Accessed on 1st April 2012).

Sghairi.M et al (2008). Challenges in Building Fault-tolerant Flight Control System for a Civil Aircraft. IAENG International Journal of Computer Science. [Internet] Available at: http://www.iaeng.org/IJCS/issues_v35/issue_4/IJCS_35_4_07.pdf (Accessed on 12th March 2012).

Sommerville.I (2000). Airbus Flight Control System. Presentation Slides. [Internet] Available at: http://www.scribd.com/doc/91041852/Airbus-Flight-by-Wire (Accessed on 2nd Jan 2012).

TTTech (2005). Protocols for Aerospace Control Systems. Time-Triggered Technology.

Wang et al (2007). System-on-chip Architecture. Chapter 3: Fault-tolerant Design. Elsevier eLibrary Books. [Internet] Available at: http://reader.eblib.com/%28S%281cli3jakzhrpwjjriylwggkw%29%29/Reader.aspx?p=330094&o=110&u=oknalnGVKUJoZUsBOsCB%2bwhIcno%3d&t=1337107450&h=05B2FBFA962FD06349B6C16A77FFE5B02E8A4C22&s=13083878&ut=255&pg=1&r=img&c=-1&pat=n# (Accessed on 7th May 2012).

Wellings A. & Burns A (2001). Real-time Systems and Programming Languages. 3rd Ed. Addison Wesley Longman. [Internet] Available at: http://www.cs.york.ac.uk/rts/books/RTSBookThirdEdition.html (Accessed on 9th March 2012).

12. BIBLIOGRAPHY:

AIRBUS (2006). Aircraft Maintenance Manual A330. Technical Data Support and Services. Qatar Airways.

Boeing (2010). Boeing 777 Training Manual. Qatar Airways. Boeing Proprietary.

Collinson R.P.G (1996). Introduction to Avionic Systems. 2nd Ed. Rochester, Kent, UK: Chapman & Hall.

Collinson R.P.G (2011). Introduction to Avionics Systems. 3rd Ed. Maidstone, Kent, United Kingdom: Springer.

Dubrova.E (2010). Fault Tolerant Design: An Introduction. Royal Institute of Technology, Stockholm, Sweden. [Internet] Available at: http://web.it.kth.se/~dubrova/draft.pdf (Accessed on 15th April 2012).

Koren.I et al (2007). Fault Tolerant Systems. Morgan Kaufmann. eLibrary. [Internet] Available at: http://reader.eblib.com/%28S%28y5nngc3dtnw2mf1q5qn0bvu1%29%29/Reader.aspx?p=294597&o=110&u=oknalnGVKUJoZUsBOsCB%2bwhIcno%3d&t=1337105036&h=5EE4515D5E09E5834F2DF550FDC975BE9B12D583&s=13083303&ut=255&pg=181&r=img&c=-1&pat=n# (Accessed on 26th Jan 2012).

LBP Notes (n/k). Autopilot Systems. Module 13 B2. CAA, UK.

Moir I & Seabridge A (2008). Aircraft Systems. West Sussex, England: John Wiley & Sons Ltd.

Moir.I & Seabridge A (2003). Civil Avionics Systems. Suffolk, UK: Professional Engineering Publishing Limited.

Pallett E.H.J & Coyle S (1993). Automatic Flight Control System. 4th Ed. Blackwell Publishing.

Wah. (2008). Wiley Encyclopedia of Computer Science and Engineering. Volume 1. Wiley-Interscience.


APPENDIX A: MODULAR INTEGRATION OF AIRBUS FCC.

Fig 36: Evolution of AIRBUS FLY-BY-WIRE System (Seabridge A. and Moir I, 2008)

Early Airbus series A319/A320/A321 had 7 FCCs to carry out all the computation
functions needed for flying the plane. In the A320 the ELAC computers were of no significant
importance if the FAC computers were inoperative, as the FACs execute rudder trim, yaw
damper servo and rudder limiting. The modular integration of ELAC and FAC as
PRIM computers on the A330/A340 has also increased the availability of flight control
and reduced the possibility of ending up landing in direct law, as the number of
primary computers is increased to 3 (Karlene Petitt, 2010). Furthermore, the reduction
of the total number of computers from 7 to 5 has also reduced power consumption,
wiring, space and maintenance cost.


APPENDIX B: BOEING 777 FLIGHT CONTROL PHILOSOPHY.

Fig 37: PFC Lane Redundancy Management (Output Signal Monitoring) (Y.C Bob, 1996)


Functional Description of PFCs:

Every PFC is designed to receive PCOs from all other subsystems integrated onto the
DATAC ARINC 629 data bus. The three DATAC data buses interconnect the 9 PFC
lanes with one another such that each PFC receives data from all 3 data buses but
transmits only to its own side data bus. On arrival of data, front-end interface data
synchronisation takes place within each PFC channel to acquire a state whereby
all the lanes within a channel read the same set of data at a given time under a fault-
free condition (Bob Y.C, 1996). This frame synchronisation within each channel allows
tighter cross-lane monitoring within each channel, which is a unique feature of the high-
speed data transfer and sharing capabilities of ARINC 629 communication. The ISM
of each lane (see fig xx) receives data from the 3 data buses and checks the validity of the
signals by various integrated error checks (parity check, CRC check etc.); failure
detection and isolation of invalid inputs from redundant systems is then flagged and stored
in memory for maintenance purposes. Next, the valid set of signals is voted and
passed through the signal consolidation process for signal selection. Finally, the selected
signal is submitted for use in the control laws (Doerenberg. F.M.G, n/k). The Signal Selection
and Fault Detection (SSFD) algorithm of the ISM is designed to isolate the failed
components, ensure greater availability of healthy signals for processing and
minimise the PFCs being affected by transient errors. It also helps to defer
maintenance to a later scheduled maintenance check (Bob Y.C, 1998). The chosen
input values are processed by the control law module, which sends the PCOs to the
ARINC 629 data bus for the other PFCs and for its own monitor lane. The channel output
selector of the command lane receives PCOs from the 2 other PFCs and its own lane
to carry out the median value selection (MVS). The selected command is then
transmitted as the SCO. The monitor lane of the PFC performs the function of monitoring
the validity of the control law computation (phase 1) and of the SCO (phase 2) signal
processed by the command lane. The MVS provides masking of faults across the 3
PFCs until the completion of fault module identification, isolation and
reconfiguration via the monitor lane after crossing a certain fault tolerance threshold
(Edward.C et al, 2010, pg 15). Meanwhile, the command channel does the selected
output monitoring of the other 2 channels (Y.C Bob, 1996). By implementing this
technique, the PFCs try to generate identical command signals to one another (Boeing
777 Manual, pg 317). On any mismatch between the computation of the command
and monitor lanes, the standby lane takes over in order to prevent a false majority
defeating the voter module.
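The command/monitor comparison and standby take-over described above, as an added example that is not Boeing's or the report's code. Each lane is modelled as an independent implementation of the same control law; the command lane produces the channel output, the monitor lane recomputes and compares it (phase 1 monitoring), and on a mismatch the standby lane is brought in. The arbitration rule used here (retire the lane that disagrees with the other two, and go fail-passive when no two lanes agree), the comparison tolerance, the toy control law and the injected lane bias are all assumptions constructed for the example.

```python
"""Command/monitor/standby lane cross-checking inside one PFC channel.

Added example, not Boeing's or the report's code. Each lane is modelled as an
independent implementation of the same control law; the command lane
produces the channel output, the monitor lane recomputes it and compares
(phase 1 monitoring), and on a mismatch the standby lane is brought in. The
arbitration rule (retire the lane that disagrees with the other two, go
fail-passive when no two lanes agree), the comparison tolerance, the control
law itself and the injected lane bias are assumptions constructed here.
"""
from typing import Callable, Dict, List, Optional, Tuple

Inputs = Dict[str, float]
LaneFn = Callable[[Inputs], float]


def control_law(inputs: Inputs) -> float:
    """Constructed pitch law: surface command from column input with
    pitch-rate damping. Not a real aircraft control law."""
    return 2.0 * inputs["column"] - 0.5 * inputs["pitch_rate"]


def biased_lane(bias: float) -> LaneFn:
    """Constructed fault model: a lane whose output has drifted by a fixed bias."""
    return lambda inputs: control_law(inputs) + bias


class PfcChannel:
    def __init__(self, lanes: List[LaneFn], tolerance: float = 0.1) -> None:
        # lanes[0] = command, lanes[1] = monitor, lanes[2] = standby
        self.lanes: List[Tuple[int, LaneFn]] = list(enumerate(lanes))
        self.retired: List[int] = []      # original lane numbers taken offline
        self.tolerance = tolerance

    def _agree(self, x: float, y: float) -> bool:
        return abs(x - y) <= self.tolerance

    def step(self, inputs: Inputs) -> Optional[float]:
        """Compute one frame; None means the channel has gone fail-passive."""
        if len(self.lanes) < 2:
            return None   # an unmonitored single lane may not command
        outputs = [(idx, fn(inputs)) for idx, fn in self.lanes]
        (cmd_idx, cmd), (mon_idx, mon) = outputs[0], outputs[1]
        if self._agree(cmd, mon):
            return cmd
        if len(outputs) < 3:
            self.retired += [cmd_idx, mon_idx]
            self.lanes = []
            return None   # mismatch with no arbiter left: fail passive
        sb_idx, sb = outputs[2]
        if self._agree(cmd, sb):            # monitor lane is the odd one out
            self.retired.append(mon_idx)
            self.lanes = [self.lanes[0], self.lanes[2]]   # standby becomes monitor
            return cmd
        if self._agree(mon, sb):            # command lane is the odd one out
            self.retired.append(cmd_idx)
            self.lanes = [self.lanes[2], self.lanes[1]]   # standby takes over as command
            return sb
        self.retired += [cmd_idx, mon_idx, sb_idx]
        self.lanes = []
        return None   # three-way disagreement: no majority, fail passive


if __name__ == "__main__":
    frame = {"column": 1.0, "pitch_rate": 0.2}
    chan = PfcChannel([biased_lane(1.0), control_law, control_law])
    print(chan.step(frame), chan.retired)   # 1.9 [0]: standby took over as command
```

The point of the three-lane arrangement is visible in the last branch: with only a command and a monitor lane a mismatch can be detected but not attributed, so the channel must drop out; the standby lane supplies the extra opinion that lets the channel keep commanding after a single lane fault.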

Functional Description of ACE:

The ACE acts as an intermediate interface between the pilot controls, the actuators and the PFCs
(See fig). It is essentially an analogue-to-digital converter and vice versa. Its main
function is to convert the analogue input from the pilot controls to digital format for the
necessary computation in the PFCs, or to transmit direct analogue signals to the
actuators when the system is downgraded to, or is in, the Direct Law configuration.

Fig 38: Typical Function of ACE (Boeing 777 Training manual, pg 293)


APPENDIX C: BOEING 777 PFC FUNCTIONAL DESCRIPTIONS AND LANE AVAILABILITY.

Fig 39: Boeing 777 PFC lane configuration and corresponding flight modes. (Boeing 777 Training manual, pg 318)


APPENDIX D: FLIGHT CONTROL COMPUTER INTERFACE BOEING AND AIRBUS

Fig 40: Basic PFC Interface of Boeing 777 (Boeing 777 Training Manual)

Fig 41: Airbus- FCPC Interface (AMM A330)


Safety Design Consideration of Boeing flight control buses and Availability Requirement:

Design implementation should accomplish the following requirements:

- Loss of one flight control data bus should be no greater than 10^-5 per flight hour.
- Loss of 2 flight control data buses should be no greater than 10^-9 per flight hour.
- Loss of all three flight control data buses should be no greater than 10^-11 per flight hour.
- The above shall be applied and extended to all LRUs, hardware resources and to all other associated stub cables, terminals and couplers.

(Bob. Y.C, 2001)


APPENDIX E: INTEGRATED MODULAR AVIONICS ARCHITECTURE:

The conventional federated architecture has dedicated hardware to perform specific
functions. For instance, conventional aircraft avionics require separate LRUs for
each aircraft system, such as the autothrottle computer, autopilot computer, flight control
computer and display management computer, each performing specific tasks. This adds a
significant burden on operators in maintaining spares, offers no possibility of
interchanging LRUs, and brings the inefficiency associated with increased cooling, power and
weight. With advances in technology and high-level programming
languages, efforts were made to develop software that could be reused or be
compatible with many different hardware platforms. The trend is to achieve hardware-
independent software applications for acquiring greater functional integrity within a
processor. This calls for careful implementation of an embedded operating system (OS)
acting as a generic platform supporting different software applications to control and
execute different functions (Moore.J, CRC 2001). Between the OS and the system-
specific application lies the standard application executive interface (APEX), which
provides the compatibility needed for reuse on different hardware modules. By doing so, a
large number of system applications can be integrated on a common hardware
platform known as the core processor module (CPM). What were previously LRUs are now reduced
to portable LRMs, which are mounted in a rack cabinet for easy installation and removal.
This architecture entails numerous advantages over the federated system. The modules
are plug-and-play modules using a backplane, which is an ARINC 659 data bus
used for intercommunication between the modules.

This could be one strategy to implement Integrated Modular Avionics (IMA), like the
AIMS of the Boeing 777, where a number of functions are executed over a common
computing platform using the concept of shared resources to reduce the cost, space
and weight incurred by an individual computing system for each specific function.
Unlike the conventional federated architecture, where each LRU (FMGEC) has
dedicated hardware to carry out a specific function, the partitioning of system functions
is inherent in the architecture. The IMA implementation resembles a home PC,
which is a common computer supporting many applications; in this case the
different system functionalities like flight controls, FMGCs and autothrottle
management applications require robust partitioning to ensure complete
isolation integrity between the applications. Partitioning still enables sharing of
common resources like the common processor module, memory, communication means,
I/O interface, power supply and chassis. The core processor (CPU) providing the
generic platform for hosting several system functionalities is often replicated for
redundancy and higher availability of the system. The flexibility of communication
means the application could be hosted on any platform in the network as long as the
common resources to support the processing are available. The fact that an
application could be hosted on any platform, without essentially being aware of which
platform (CPM) it is based on, enables the fault tolerant architecture
(Eveleens.R, 2006). Generally the IMA cabinet may have 2 or 3 CPMs into which the
different applications are integrated. Dedicated I/O modules are in
place acting as interfaces for the different communication protocols, and internal
communication between the CPMs and I/O is interconnected through the ARINC 659 serial data
bus network. The I/O modules act as a conversion gateway to format the
data received from the various other subsystems for internal processing by the CPMs.
To maintain high system integrity and fault tolerance capabilities, each module is
self-monitored for instantaneous fault detection, ensuring fault isolation and fault
confinement in lock-step performed by two processing channels.

Pros:

- Reduces the need for hardware duplication when most applications are compatible with a common hardware platform.
- Reduces the number of LRUs to maintain and hence improves the cost-effectiveness of maintenance for the operators.
- Since it eliminates connections between LRUs, there are fewer interconnections, less wiring and fewer pin connectors.
- Upgrades of the functional performance of the system can be attained through software updates.
- With the interchangeability of CPMs, the likelihood of manufacturer competitiveness increases.
- Provides greater flexibility for system-specific modification through software implementation.


Cons:

- Ensuring the integrity of inter-independence of functional integration through partitioning adds complexity and time cost to the validation and certification of the system.
- System vulnerability to losing all related and unrelated system functions through loss of shared resources may substantiate the need for additional hardware for redundancy, and further adds to the complexity of addressing fault tolerance techniques.
- To develop applications, software developers require sound understanding and knowledge of the platform the application will run on. This hinders effective intellectual property rights for the platform developers, who have to reveal most of their confidential data resources.

(Eveleens.R, 2006)

BLOCK DIAGRAM REPRESENTATION OF MODULAR INTEGRATION OF DIFFERENT LRUs.

[Figure: block diagram of a typical stand-alone LRU, listing its hardware resources (core processor, memory, common I/O, power supply, chassis, unique I/O*, EMI protection) against its software resources (operating system, application interface, application program*, application built-in test); items marked * are unique to that LRU.]

Fig 42: Typical Integration Process of Modular Avionics

[Figure: block diagram of a Common Processor Platform/Module (CPM) with standard and common hardware and software functions, unique I/O modules 1 to 3 and unique system applications App-1 to App-3, showing the integration of LRU 1, LRU 2 and LRU 3, each with its unique I/O device, unique system application & BIT and EMI protection.]

Fig 43: IMA Approach & Application Partitioning


In the previous figures the abbreviations CPU and CPM are interchangeable in context, and App. stands for application. An example
of an AIMS cabinet used in the Boeing 777 is shown below, where each module is distinct and mounted in a cabinet supported by a
backplane for communication between modules.

Fig 44: AIMS BOEING 777- IMA Rack Approach (Morgan. J.M, 2001)


APPENDIX F: CLASSIC BACKWARD ERROR RECOVERY BLOCK TECHNIQUE

[Figure: recovery block flow. Input data with embedded error codes -> checkpoint creation -> Version 1 -> acceptance test; on Pass the output is released, on Fail a checkpoint recovery leads to Version 2 -> acceptance test, and so on up to Version n; if Version n also fails the acceptance test, System Failure is declared.]

Fig 45: Classical Recovery Block Structure (Modified from Armoush.A et al, 2008)

Error codes need to be embedded in the input data, for error detection by the
acceptance test, before checkpoints are created. Checkpoints are necessary to recover
the state after a version fails the acceptance test: a checkpoint is a state stored in
memory that provides the recovery and starting point for an alternate version if an
error is detected. All alternate versions effectively compute the same function in a
different way to give a similar output. However, the level of accuracy may degrade
with the alternate versions and may not be equivalent to the high accuracy of the
primary version. Dynamic checkpoints could be implemented by creating intermediate
checkpoints over large processing requirements, saving the time that would otherwise
be spent rolling back to the very start of the program execution and discarding all
information processed up to the point where the error is detected. On each failure of
the acceptance test the next alternate version takes over, and if all subsequent versions
are tried unsuccessfully, overall system failure is declared. The scheme is extremely
costly in time and degrades performance in real-time processing applications. The
acceptance test cannot select a single correct value but accepts a range of values,
reducing the precision and accuracy of the data output. The scheme also inherits the
problem of unrecoverable actions associated with the external environment, such as
the firing of a missile due to flaws in the confirmation checks, for which a roll-back
strategy will not work. Lastly, the acceptance test is highly application dependent,
limiting the independence of the output selection algorithm (Dubrova. E, 2008).
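As an added example (not the report's own code), the scheme above in Python: a RecoveryBlock class checkpoints the state, runs the primary version, applies a range-based acceptance test, rolls back to the checkpoint before each alternate and declares system failure when every version is rejected. The square-root task, the constructed defect in the primary version and all names are assumptions for illustration.

```python
import copy
import math

class RecoveryBlock:
    def __init__(self, versions, acceptance_test):
        self.versions = versions            # [(name, fn), ...], primary first
        self.acceptance_test = acceptance_test

    def run(self, state):
        checkpoint = copy.deepcopy(state)   # checkpoint creation before version 1
        for name, version in self.versions:
            working = copy.deepcopy(checkpoint)   # checkpoint recovery (roll back)
            try:
                result = version(working)
            except (ArithmeticError, ValueError):  # a crashing version simply fails
                continue
            if self.acceptance_test(working, result):
                return name, result, working      # pass: accepted output and state
        raise RuntimeError("system failure: every version failed the acceptance test")

# Hypothetical task (constructed): a square root used inside a control law.
def primary_newton(state):
    state["scratch"].append("newton")       # side effect, discarded on roll back
    x = state["x"]
    if x > 100.0:                           # constructed defect in the primary version
        return x / 10.0
    r = 1.0
    for _ in range(6):                      # Newton iteration: fast, high accuracy
        r = 0.5 * (r + x / r)
    return r

def alternate_bisection(state):
    state["scratch"].append("bisect")
    x = state["x"]
    lo, hi = 0.0, max(1.0, x)
    for _ in range(60):                     # bisection: slower, but a different method
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if mid * mid < x else (lo, mid)
    return 0.5 * (lo + hi)

def accept_sqrt(state, result):
    """Range-based acceptance test: finite result whose square is within 0.1% of x."""
    x = state["x"]
    return x >= 0 and math.isfinite(result) and abs(result * result - x) <= 1e-3 * max(x, 1.0)

def bounded_sqrt(x):
    # Returns (name of the version that passed, its result, surviving scratch writes).
    versions = [("primary", primary_newton), ("alternate", alternate_bisection)]
    name, result, state = RecoveryBlock(versions, accept_sqrt).run({"x": x, "scratch": []})
    return name, result, state["scratch"]
```

For x = 144 the primary's result is rejected, the bisection alternate is run from the restored checkpoint, and the primary's scratch write is gone; for a negative input every version is rejected and RuntimeError signals system failure.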


APPENDIX G: RELIABILITY OF A BLOCK DIAGRAM SYSTEM

Reliability is defined as the probability of a component not failing in a defined
environment. It is a function of time (t), where λ is the hazard rate, i.e. the inverse of the MTBF:

R(t) = e^(-λt)

Series System operation

Conditions apply if and only if all systems work; the overall reliability of the system is
calculated as follows

[Figure: series block diagram, RA -> RB -> RC]

Reliability of the System (Rs) = RA.RB.RC

In general the reliability of a series system is given by RSERIES(t) = R1(t).R2(t). ... .RN(t) = ∏ Ri(t)

Parallel system Operation

Conditions apply provided at least one system functions

Reliability of the system RPARALLEL(t) = 1 − (1 − R1(t)).(1 − R2(t)). ... .(1 − RN(t)) = 1 − ∏ (1 − Ri(t))

[Figure: parallel block diagram with R1, R2, R3 ... RN side by side between a common input and a common output]
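An added example (not from the report) that computes the quantities above in Python: R(t) = e^(-λt) for a block, the series product and the parallel formula, plus an m-out-of-n voting formula (e.g. 2-out-of-3 for a triplex lane arrangement) that goes beyond the two diagrams. The hazard rate and flight time used in flight_hour_comparison are constructed values.

```python
import math

def reliability(hazard_rate, t):
    """Exponential model R(t) = exp(-lambda * t); hazard_rate = 1/MTBF (per hour)."""
    return math.exp(-hazard_rate * t)

def series(*rs):
    """Series block diagram: every block must work, so multiply the reliabilities."""
    out = 1.0
    for r in rs:
        out *= r
    return out

def parallel(*rs):
    """Parallel block diagram: at least one block must work, so
    1 - product of the unreliabilities (1 - Ri)."""
    out = 1.0
    for r in rs:
        out *= 1.0 - r
    return 1.0 - out

def m_of_n(m, n, r):
    """At least m of n identical, independent blocks must work (majority voting).
    m = 1 reduces to parallel(), m = n reduces to series()."""
    return sum(math.comb(n, k) * r ** k * (1 - r) ** (n - k) for k in range(m, n + 1))

def flight_hour_comparison(hazard_rate=1e-4, t=10.0):
    """Compare one lane, three lanes in series, three in parallel and 2-out-of-3
    voting over a t-hour flight (constructed numbers, not from the report)."""
    r = reliability(hazard_rate, t)
    return {
        "single": r,
        "series3": series(r, r, r),
        "parallel3": parallel(r, r, r),
        "two_of_three": m_of_n(2, 3, r),
    }
```

Note that 2-out-of-3 voting improves on a single lane but is always below three lanes in pure parallel, because the voter needs two healthy lanes rather than one.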


APPENDIX H: REDUNDANCY LEVELING: CUBE CONFIGURATION CONCEPT

3 PARALLEL LANE-SINGLE THREAD CUBE CONCEPT

[Figure: cube configuration of three parallel lanes, each a single thread of input/output and processor blocks. Legend: Input/output; Processor.]

Fig 46: Cube Concept System Configuration


DEFINITION:

Active Redundancy: Attempts to achieve fault tolerance through hardware or software
fault tolerance, i.e. through fault detection, isolation and fault recovery. Methods involve
duplex redundancy with replication checks performed by comparators.

Channels: In the context of the report the term channel refers to the signal paths used to
communicate between the modules.

Fail Active: A condition whereby the failed module causes the malfunction of the
system.

Fail operational: A condition in which a single failure causes no complete loss of function,
as a redundant system can take over while the faulty module is identified and isolated from
the main operation.

Fail safe: The system maintains its integrity while accepting a temporary halt in its
operation. (Wellings. A, Burns. A, 2001)

Graceful degradation: The system continues to operate with failures or errors without
jeopardizing the overall safety of the system, while accepting a partial loss of system
performance or capabilities.

Passive Failure: A condition in which the output is assumed to be at some
predetermined state. This effectively puts the system into a freeze state when the
input signals cannot be validated, rather than entering a malfunction state on
unreliable data.

Transient Failure: Random temporary faults caused by non-recurring errors; they
start at a particular time, remain for a certain period and then disappear.

Information redundancy: The addition of extra data bits to an existing data word so that
an error in the data can be detected or even corrected, e.g. an odd or even parity check.
(Koren. I, Krishna. C, 2007)

Intermittent Failure: Random temporary faults caused by recurring errors.


Lanes: A lane in this report is defined as one of the independent signal paths within
a module, e.g. the command lane and the monitor lane.

Latent Failure: The ability of the system to detect failures and allow masking of the errors
while continuing system operation with the majority of resources being healthy.

Lock-step: The scheme by which redundant processing takes place in parallel on a
real-time basis, so that the final outputs of the processors can be compared to determine
whether one is faulty.

Permanent Failure: A fault that remains in the system until repair action is taken. The
cause of the fault could be related to manufacturing defects or wear-out with time.

Temporary failures: Only present for a short time, caused by instantaneous external
disturbances, and then disappear.

Fault Coverage: A factorial presentation of the joint probability that an error will be
detected, followed by isolation within an acceptable time frame and final reconfiguration
of the system to recover without causing an unacceptable system disturbance.

Passive Redundancy: A system of fault tolerance where no fault detection and
reconfiguration is required. The mechanism of fault masking through a voting technique
results in fault accumulation while the main system is in operation.
