01-12-2012, 04:12 PM
Design Considerations in Boeing 777 Fly-By-Wire Computers
Abstract
The new technologies in flight control avionics systems selected for the Boeing 777 airplane program consist of the following: Fly-By-Wire (FBW), ARINC 629 Data Bus, and Deferred Maintenance.

The FBW must meet extremely high levels of functional integrity and availability. The heart of the FBW concept is the use of triple redundancy for all hardware resources: computing system, airplane electrical power, hydraulic power and communication paths.

Multiple redundant hardware is required to meet the numerical safety requirements. Hardware redundancy can be relied upon only if hardware faults can be contained; fail-passive electronics are therefore necessary building blocks for the FBW systems. In addition, the FBW computer architecture must consider other fault tolerance issues: generic errors, common mode faults, near-coincidence faults and dissimilarity.
Introduction
The NASA FBW projects [1],[2] provide the numerical integrity and functional availability requirements for FBW computers. A finding from that research, the Byzantine Generals problem [3], also serves as a design consideration for assessing the robustness of FBW computer architectures. Past Boeing and other industry experience in dealing with generic faults [4] and near-coincidence faults [5] provided ground rules for the Boeing 7J7 FBW program. The experience on the 7J7 program [6],[7],[8],[9], together with academic research on design diversity [10],[11] and design paradigm [12], was carried over to the 777 FBW program [13],[14],[15].

Furthermore, to certify the 777 FBW program, the flight controls design and development process considers all requirements from airplane functional groups, certification agencies, customers, in-service experience, technology trends and design paradigm. The Boeing 777 FBW requirements were then derived and developed from these.
ARINC 629 Digital Data Bus
The ARINC 629 data bus [16] is a time division multiplex system. It includes multiple transmitters with broadcast-type, autonomous terminal access. Up to 120 users may be connected together. The users communicate over the bus through a coupler and a terminal, as shown in Figure 3. Terminal access is autonomous: terminals listen to the bus and wait for a quiet period before transmitting, and only one terminal is allowed to transmit at a time. After a terminal has transmitted, three different protocol timers are used to ensure that it does not transmit again until all of the other terminals have had a chance to transmit.
Air Data Inertial Reference System
This system evolved from the Air Data Computers and Inertial Reference Systems on previous airplanes. The system consists of traditional triple-redundant pitot and static ports, whose pressures are converted to electrical signals by Air Data Modules mounted near the probes. Digital signals are sent via the Flight Control ARINC 629 buses to the ADIRU and SAARU for processing, as shown in Figure 6. The ADIRU and SAARU are fault tolerant computers with angular rate sensors and accelerometers mounted in a skewed-axis arrangement [17]. The ADIRU can be dispatched with one failure of each of the following assemblies: angular rate sensor, accelerometer, processor, and I/O module.
Safety Analysis
A safety analysis is performed that assesses all significant failures of the FBW system, including single failures, latent failures, and failure combinations at the LRU level. The allowable level of dispatch with known faults is determined. Also considered is the scheduled maintenance necessary to limit exposure to latent faults. The analysis shows that the probability of a given failure condition is consistent with its severity, and that all failure combinations producing a catastrophe are extremely improbable. This analysis contains a proposed list of worst case failure conditions to be demonstrated in flight based upon simulator evaluation, and documents confirming lab and flight test results.

Hardware component failure modes and potential LRU malfunctions are assumed. The assumptions, combined with the system architecture and fault detection/isolation algorithms, are used to eliminate the infinite possibilities of hardware gate level failure modes. Interfacing systems such as electrical and hydraulic power, ARINC 629 buses, and primary sensors are included. System separation, partitioning, and redundancy are addressed. Where possible, in-service data are used to generate fault probabilities.
Fail-Passive and Fail-Operational Electronics
An electronics function is fail-passive if, in the event of a failure, the continued safe flight and landing of the airplane can be maintained by the pilot. The FBW architecture study considering the use of ARINC 629 data buses concluded that common interface requirements [15] should be developed, including a common CRC (Cyclic Redundancy Check) algorithm. The ACE functional overview diagram is shown in Figure 7, and the FBW forward path (ACE to/from PFC) signal monitoring concept is shown in Figure 8 to illustrate the application of fail-passive electronics.