Distributed and Reconfigurable Architecture for Flight Control System EEL Embedded Systems Dept. of Electrical and Computer Engineering University of Florida Liza Rodriguez Aurelio Morales

2 of 23 Outline Introduction Introduction State of the Art: Airbus FCS State of the Art: Airbus FCS Massive Voting Architecture Massive Voting Architecture Modeling and Simulation Modeling and Simulation Conclusions Conclusions

3 of 23 Outline Introduction Introduction State of the Art: Airbus FCS State of the Art: Airbus FCS Massive Voting Architecture Massive Voting Architecture Modeling and Simulation Modeling and Simulation Conclusions Conclusions

4 of 23 Flight Control Systems Initially : Mechanical Heavy, uses systems of pulleys, cranks, tension cables and pipes Now: Fly-by-Wire replaces manual control of the aircraft with an electronic interface movements of flight controls are converted to electronic signals flight control computers determine how to move the actuators at each control surface to provide the expected response

5 of 23 System Requirements General Aviation Safety Operational reliability, high performance, energy efficiency, low cost Dependability Integrity – must not output erroneous signals, should not send incorrect information to actuators Availability – system must always be available to process requests Radiation Can cause over voltages and under voltages Electromagnetic radiation should not affect data communication Indirect effects of lightning is a possible source

6 of 23 Outline Introduction Introduction State of the Art: Airbus FCS State of the Art: Airbus FCS Massive Voting Architecture Massive Voting Architecture Modeling and Simulation Modeling and Simulation Conclusions Conclusions

7 of 23 State of the Art: Airbus FCS FCS is based on self checking flight control computers System functions are divided between computers so that only 1 FCC is active at a time and the others are standby Computers control each actuator with priority order, thus loss of a single computer does not mean loss of a particular function System can run using only 1 FCC if necessary Error checking is performed by 2 units of FCC Command & Monitoring - both units have the same inputs and calculate the same outputs If outputs are different, system control switches to another FCC Actuator nodes are simple Perform according to command No processing, no communication feedback

8 of 23 State of the Art: Airbus FCS Architecture Initially : Mechanical

9 of 23 State of the Art: Airbus FCCs System functions are divided between computers so that only 1 FCC is active at a time and the others are standby Computers control each actuator with priority order, thus loss of a single computer does not mean loss of a function TE FLAPLE FLAPAE FLAPRUDDERELEVTR FCC 1FCC 2FCC 3FCC 4FCC 5 Pilot Control

10 of 23 State of the Art: Airbus FCCs Control and monitoring units can be thought of as two identical computers placed side by side Comparator detects errors and performs the final action: Same – control order is sent to actuator Different – computer cuts connection to actuator, prevents error from propagating Processor Power Supply Memory Watchdog Processor Power Supply Memory Watchdog Control Monitoring Input / Output Pilot Control Comparator

11 of 23 Redundancy Multiple flight control computers FCCs are often the only control path between the pilot and the actuators. If FCCs fail, the pilot will not be able to control the aircraft. Duplex flight control computers Error checking is handled by control and monitoring units of FCCs Result: A lot of extra hardware

12 of 23 Outline Introduction Introduction State of the Art: Airbus FCS State of the Art: Airbus FCS Massive Voting Architecture Massive Voting Architecture Modeling and Simulation Modeling and Simulation Conclusions Conclusions

13 of 23 Massive Voting Architecture Enabled by “Smart” actuators Includes processing elements implemented on ASIC or FPGA Data processing and control functionality is distributed into subsystems making them more and more intelligent Redundancy management is allocated to actuators FCCs still maintain system authority Overall critical function and control remains in the primary computers Simplex FCCs generate commands but are not excluded if erroneous Error checking is performed by flight control remote modules (FCRM) Each FCRM contains 1 voter Voters compare received commands and select the most reliable one

14 of 23 TE FLAPLE FLAPAE FLAPRUDDERELEVTR FCC 1FCC 2FCC 3FCC 4FCC 5 ADCN Network FCRM 1 Actuator V FCRM 4 Actuator V FCRM 3 Actuator V FCRM 2 Actuator V Pilot Control

15 of 23 Voting Example Error checking is performed by FCRM FCRM 1 Actuator Voter FCRM 2 Actuator V FCRM 3 Actuator V FCRM 4 Actuator V FFC 1 – LE FLAP 20 FFC 2 – LE FLAP 20 FFC 3 – LE FLAP 31 FFC 4 – LE FLAP 20 FFC 5 – LE FLAP 20 FCC1

16 of 23 Hardware Minimization Simplex FCCs are half the size of previous FCCs Distributed System Previously, when an FCC produced an erroneous message, it would be marked as unreliable and all communication to the actuator would be cut By moving error detection and logic to actuator nodes, the non-faulty parts of all computers can still contribute Thus, fewer FCCs are required to implement a system with the same amount of reliability Voting Algorithms Most do not demand high processing capabilities thus hardware size is not a limitation at FCRM nodes

17 of 23 Outline Introduction Introduction State of the Art: Airbus FCS State of the Art: Airbus FCS Massive Voting Architecture Massive Voting Architecture Modeling and Simulation Modeling and Simulation Conclusions Conclusions

18 of 23 Modeling Model Construction ALTARICA – modeling language for safety critical systems Part 1: A textual description to describe both functional and dysfunctional behaviors of each component (FCC, Voters, etc.) Part 2: A graphical representation to reflect the flow of information for each state Simulation Test case: FCC1 sends a fault command to actuator nodes Result: FCC1 failure has no influence in the surface control since the vote masks the faulty value and delivers the correct one. A negative acknowledgement was sent to faulty FCC.

19 of 23 Data Results Aviation Safety Requirement Failure rate for “Loss of both elevator control” must be less than per flight hour Results exceeded requirement!

20 of 23 Outline Introduction Introduction State of the Art: Airbus FCS State of the Art: Airbus FCS Massive Voting Architecture Massive Voting Architecture Modeling and Simulation Modeling and Simulation Conclusions Conclusions

21 of 23 Conclusions Design of flight control systems is complex due to the strict requirements for aviation safety Most flight control systems rely on a lot of redundancy to account for system failures at the cost of additional hardware The massive voting architecture is a new way to incorporate redundancy into a flight control system while minimizing the amount of hardware required Simulation of the massive voting architecture proved that it is just as reliable as other FCS implementations

22 of 23 References Traverse, P., I. Lacaze and J. Souyris, 2004, Airbus Fly-By-Wire: A Total Approach to Dependability, in Proceedings of the 18th IFIP World Computer Congress (WCC 2004), Building the Information Society, Kluwer Academic Publishers, Toulouse, France, August 22-27, pp Traverse, P., I. Lacaze and J. Souyris, 2004, Airbus Fly-By-Wire: A Total Approach to Dependability, in Proceedings of the 18th IFIP World Computer Congress (WCC 2004), Building the Information Society, Kluwer Academic Publishers, Toulouse, France, August 22-27, pp Traverse, P., I. Lacaze and J. Souyris, 2004, Airbus Fly-By-Wire: A Total Approach to Dependability, in Proceedings of the 18th IFIP World Computer Congress (WCC 2004), Building the Information Society, Kluwer Academic Publishers, Toulouse, France, August 22-27, pp Traverse, P., I. Lacaze and J. Souyris, 2004, Airbus Fly-By-Wire: A Total Approach to Dependability, in Proceedings of the 18th IFIP World Computer Congress (WCC 2004), Building the Information Society, Kluwer Academic Publishers, Toulouse, France, August 22-27, pp Brière, D. and P. Traverse, 1993, Airbus A320/A330/A340 Electrical Flight Controls – A Family of Fault-Tolerant Systems, in Proceedings of the 23rd IEEE International Symposium on Fault-Tolerant Computing TCS-23), Toulouse, France, June 22-24, pp Brière, D. and P. Traverse, 1993, Airbus A320/A330/A340 Electrical Flight Controls – A Family of Fault-Tolerant Systems, in Proceedings of the 23rd IEEE International Symposium on Fault-Tolerant Computing TCS-23), Toulouse, France, June 22-24, pp Brière, D. and P. Traverse, 1993, Airbus A320/A330/A340 Electrical Flight Controls – A Family of Fault-Tolerant Systems, in Proceedings of the 23rd IEEE International Symposium on Fault-Tolerant Computing TCS-23), Toulouse, France, June 22-24, pp Brière, D. and P. Traverse, 1993, Airbus A320/A330/A340 Electrical Flight Controls – A Family of Fault-Tolerant Systems, in Proceedings of the 23rd IEEE International Symposium on Fault-Tolerant Computing TCS-23), Toulouse, France, June 22-24, pp Yeh, Y.C., 1996, Triple-Triple Redundant 777 Primary Flight Computer, in Proceedings of the IEEE Aerospace Applications Conference, Aspen, CO,Yeh, Y.C., 1996, Triple-Triple Redundant 777 Primary Flight Computer, in Proceedings of the IEEE Aerospace Applications Conference, Aspen, CO,Yeh, Y.C., 1996, Triple-Triple Redundant 777 Primary Flight Computer, in Proceedings of the IEEE Aerospace Applications Conference, Aspen, CO,Yeh, Y.C., 1996, Triple-Triple Redundant 777 Primary Flight Computer, in Proceedings of the IEEE Aerospace Applications Conference, Aspen, CO, USA, February 3-10, pp USA, February 3-10, pp

23 of 23 Questions?