Airborne Fly-by-Wire Software - Report Example

6. Research Work An aircraft like the Airbus 320 runs in a fly-by-wire system, meaning that software controls most of its vital functions. However, because the airplane cannot tolerate failure of its fly-by-wire software, its system reliability requirement is a failure rate of 10-9 per hour. The approved failure rate means that the system can stand at most one failure in 109 hours. In other words, the system can fail at most once in over 100,000 years of operations. When a system has ‘ultra-high reliability’, it means that it has at most one failure in 109 hours (Atlee 2009, p.499). The use of fly-by-wire saved weight, improved the aircraft handling, increased reliability, and reduced maintenance cost (Helfrick 2007, p.167). The Boeing’s philosophy in cockpit design is to make similar layouts on similar aircraft and in this case, the Boeing 777 layout is similar to that of another long-haul like B747 or 400. Although the B-747 and 400 is a conventional, assisted, mechanical-controlled aircraft, that plane and the Boeing 777 fly virtually the same (Helfrick 2007, p.167). 6.1 Envelope Protection The Boeing 777 fly-by-wire system employs ‘envelope protection’ which is a feature of the artificial-feel system that provided increasingly greater force when the aircraft is pushed to its limits. Unlike ‘envelope limiting’ which will not permit manoeuvres beyond the limits of the aircraft, a pilot using an envelope protection system can cause manoeuvres beyond the limits of the aircraft but is dissuaded by increasing reveres force. Since the system is controlled electronically, there is an opportunity to incorporate system control expansion and envelope protection features that would have been problematical to provide in a conventional mechanical systems (Spitzer 2007, p.43). The B777 Primary Flight Control System has made full use of the capabilities of this architecture by including features like bank angel protection, turn compensation, stall and over speed protection, pitch control and stability augmentation, and thrust asymmetry compensation. However, it is important to note that none of these features restrict the action of the pilot. The B777 design utilizes ‘envelope protection’ in all of its functionality rather than ‘envelope limiting’. Envelope protection deters pilot inputs from exceeding certain predefined limits but does not prohibit it. Envelope limiting prevents the pilot from commanding the airplane beyond the set limits. For instance, the B777 bank angel protection feature will significantly increase the wheel force a pilot encounters when attempting to roll the airplane past a predefined bank angle. This acts as a prompt to the pilot that the airplane is approaching the bank angle limit. However, if deemed necessary, the pilot may override this protection by exerting a greater force on the wheel than is being exerted by the back drive actuator. The intent is to inform the pilot that the command being given would put the airplane outside of its normal operating envelope, but the ability to do so is not precluded. This concept is central to the design philosophy of the B777 Primary Flight Control System (Spitzer 2007, p.43). 6.2 Real-time Fault Tolerance Systems The B777 also makes extensive use of a local area network or LAN, for avionics as well as for the in-flight entertainment system. Because the Boeing 777 comprises 66 distinct systems, communications between systems and the systems components present huge tasks. The major function of airborne digital communications systems is to transmit a number of data signals on a single wire or ‘multiplexing’. In a fly-by-wire or fly-by-light system, failures of full-authority subsystems can result in disasters. Therefore, the reliability of any full-authority system is paramount. However, when computers are involved in complex systems such a primary flight control or PFC, the probability of failure increases. When an aircraft is flown almost continually for years, the probability of failure in even the most reliable equipment is significant (Helfrick 2007, p.170). Fault tolerance means a system that will continue to function even though a significant component of the system has failed. For a system to be fault tolerant, it must be able to replace a failed component while continuing to operate. For instance, if a system contains three computers and one fails, the remaining computers can take up the tasks the failed computer would normally perform. This approach would require that the software for all of the systems be resident in all of the computers so that any one computer can take up the slack for another. The computers aboard the Boeing 777 are the first application of fault tolerance on an air-transport aircraft. A certain amount of fault tolerance has been used in aircraft for a long time. For instance, almost every aircraft, even the smallest, has two navigation receivers (Dort 1997, p. 2171). Although fault tolerance is somewhat similar to the hypothetical situation with the two navigation receivers, it is different. First, a computer decides to replace a failed component, and the replacement is completely transparent to the aircrew. Second, there is not always a noticeable reduction in performance after the fault occurs. This means that no one on the flight deck will know that a major component has failed, and the aircraft may be flown normally. The problem is that, once a failure has occurred, the system is no longer fault tolerant. Should additional component fail, the entire system will cease operation. (Dort 1997, p. 2172). Basically, achieving a reliable system has two approaches- fault avoidance and fault tolerance. Fault avoidance assures reliability by eliminating the causes of fault while fault tolerance attempts to attempts to overcome the effects of fault. Fault tolerance can be implemented using one of two basic approaches- fault masking and fault detection and recovery. Hardware tolerance can be achieved through the use of some form of redundancy such as hardware redundancy using spare hardware, time redundancy by repeating operations in time on existing hardware, software redundancy using extra lines of software code. A TMR triplicates the hardware necessary to perform the required operations and uses a voter to determine the output of the system (Kent et al. 1991, p.171). 6.3 Triple-Triple Redundancy In the Boeing 777, the fly-by-wire primary flight control computers are ‘triply redundant’. The computers are monitored using a simple voting scheme. Other subsystems used by the fly-by-wire system are at least ‘doubly redundant’. Since the fly-by-wire system can operate with degraded components, the system operation is categorized into three modes- normal, secondary, and direct. In the normal mode, all components of the fly-by-wire system are operating (Raheya & Alloco 2006, p.90). The PFC computer controls the control surfaces from information supplied by the flight-deck controls. In secondary, the system has failed to a degree that the more sophisticated features cannot be implemented. The control surfaces are controlled from the inputs from the flight deck and processed through the PFC computers. In the direct mode, the inputs from the flight deck are essential electrically connected directly to the control surfaces. There is no significant processing of the inputs from the flight deck, and many of the features of the fly-by-wire system are lost. However, in all three modes the aircraft can be flown safely (Helfrick 2007, p.171). 6.4 Primary Flight Control Design The design of FBW considers the Common Mode/Common Area Faults, separation of FBW components and functions, dissimilarity, and the effect of FBW on structure. The Primary Flight Control design considered the safety requirements, communication asymmetry, and the functional asymmetry. These are the safety requirements that could prevent continuous safe flight and landing. The PFC design takes into account both numerical and non-numerical safety requirements. For numerical safety requirements, the PFC considers the 1.0E-10 per flight hour for functional integrity and availability- 1.0E-10 per autoload operation. For non-numerical requirements, PFC design takes into consideration the possibility of transmitting a signal without failure indication and loss of function in more than one PFC as a result of a single fault or common mode hardware fault (Yeh 1996, p.11). The 777 primary flight control system uses ACE and the PFC or Primary Flight Computer. There are four ACEs and three PFCs employed in the system. The ACE interface with the pilot control transducers and PFC calculates control laws through conversation of pilot control position into actuation commands, which are then transmitted to the ACE. The ACEs and PFCs communicate with each other, as well as with all other systems via triplex, bi-directional ARINC 629 flight controls data buses, referred to as L, C, and R. The Triple-Triple Redundant PFC design is the product of ‘dissimilarity’ experiments that confirms the significance of ‘dissimilarity’ concept in risk reduction. Since dissimilarity is an FBW concept for triple redundancy for all hardware resources that include computing system, electrical power, hydraulic power, and communication path, various complex hardware devices were selected. These are the Intel 8846, Motorola 68040, and AMD 29050 microprocessors. The diversity of microprocessors is expected to result in various hardware circuitries and ADA compilers. To meet the flight controls ARINC 629 bus and PFC safety requirements, PFC hardware resources redundancy management was developed to ensure that there is a PFC inter-lane communication data bus and data and frame synchronous operation within every PFC channel. This is required to enable tighter cross-lane monitoring limit and ensure compliance with 777 structural requirements. Moreover, there is consolidation and equalization of PFC cross-channel and external resources monitoring by PFC. To achieve a tight synchronization of a few microseconds, the PFC was designed with convergent frame synchronous scheme (Yeh 1996, p.11) . To complement other PFC redundancy management, the ARINC629 provides cross-lane data transfer and frame and data synchronization within a PFC channel. Frame and data synchronization is necessary to enable one wordstring adjustment to ensure that all lanes in a PFC channel will use similar set of wordstring data at the onset of every computation frame under fault-free conditions. This approach would permit tighter tracking of all three lanes and trip-free tolerance of occasional lane differences due to mis-reception of a wordstring by a certain lane (Yeh 1996, p.12). 6.5 Future Works on Long-haul Autopilot System Predicting the future is not a dependable activity when breakthroughs and inventions are forecast. However, when a missing link in the chain of evolution is identified, the dependability of the prediction is likely to be more trustworthy. Although fully fly-by-wire flight control systems have become common on every fats or large airplanes, question remains as to their safety. No matter what the level of redundancy is provided, one can always imagine improbably situations in which all hydraulic or electrical systems are wiped out. In view of rare but possible multiple hydraulic and electrical system failures, not to mention sabotage, midair collisions, and incorrect maintenance, existing technologies should go beyond electronic redundancy and probably consider a much safer approach to control a disaster. The ‘Triple-Triple’ redundancy approach is undoubtedly useful. However, in triple redundancy it is assumed that never more than one system becomes faulty, and that this is repaired or replaced before a second system fault occurs. This is like saying that the likelihood of losing two engines in a two engine airliner is very remote or once in a billion. For instance, it is assumed that the failure rate of electronic circuits and systems in service is constant. The failure rate of a component is measured by the number of failures per unit time as a fraction of the total components which is usually a percentage failure rate per hour or per 1000 hours or per year (Hurst 1998, p.171). For example, if λ=0.05% per 1000 hours and the number of components is 10,000 then 1000x0.05/100= 5 failures per 1000 hours or 0.005 failures/hour. The mean time between failure or MTBF is given by the reciprocal of the failure rate which is MTBF=1/0.005=200 hours. The reliability of a component is the probability of no failure over a given time and it is normally computed for λ constant over this period. A single channel FBW system mean time between failures is approximately 3,000 hours (Kornecki 2007, p.78) and therefore must utilise redundancy with multiple parallel channels to survive at least two failures. TMR achieved higher reliability only when the value of time is low thus it is only suitable when the flight time is less than the MTBF of the individual modules. For instance, flight computers or other systems, which are required to operate for a specific period between routing offline test and maintenance. Moreover, systems in the field may demonstrate a variety of different MTBFs and may have failures at different times and at different rates (Levin & Kalal 2003, p.59). If we consider that a flight control system has the probability of failure that is 1 in 109 in 10-hour period, an ultra-reliable system must have an incredible failure rate of less than 1 failure in approximately 1,141, 552 years. In reality, since there are varying failure rates in the field, dependability levels achieved by systems are therefore different. There should be an assessment of the actual dependability levels achieved by systems to enable better decisions regarding computer failures and avoid over or under-designed systems. The voting mechanism of a triple redundancy system has also its disadvantage because once an actuator has been shut down, it cannot recover even if the corresponding error falls below the threshold. Another disadvantage is that the actuator may be declared failed and get shut down even if it is partially operational. It is therefore necessary to have fast and accurate fault detection, isolation, and recovery observers for each actuator that would assess failure related parameters and utilise it to produce the output signal from the assembly. The goal is to guarantee that the output of the redundant actuator assembly is close to its required value regardless of failures of individual actuators in the assembly. The re-configuration re-allocates the control signals to the healthy actuators locally to offset the effects of the failure. In this way, the reconfiguration is accomplished within the AMS without the need for sending the information about the failure to the flight control system. Reference List: Kent A., Williams J. G., & Kent R. 1991. Encyclopedia of microcomputers. CRC Press, US Levin M & Kalal T. 2003. Improving product reliability: strategies and implementation. John Wiley and Sons, UK Hurst S. L. 1998. VLSI testing: digital and mixed analogue/digital techniques. IET, UK Kornecki A.J. 2007. Airborne Software: Communication and Certification. Scalable Computing: Practice and Experience, Volume 9, Number 1, pp.77-78 Read More