Design Considerations in Boeing 777 Fly-By-Wire Computers

Y. C. (Bob) Yeh Boeing Commercial Airplane Group Flight Systems P. O. Box 3707, M/S 02-KA Seattle, WA 98124-2207 [email protected]

Abstract critical avionics systems are defined to illustrate the The new technologies in flight control avionics necessary building blocks for the forward path, from systems selected for the Boeing 777 airplane program pilot inputs to control surface, flight controls electronics. consist of the following: Fly-By-Wire (FBW), ARINC 629 2.0 Outline of New Technologies for 777 Flight Data Bus, and Deferred Maintenance. Controls The FBW must meet extremely high levels of Traditionally, new technologies are introduced for a functional integrity and availability. The heart of the new airplane program, and the 777 is no exception. The FBW concept is the use of triple redundancy for all challenge is the selection of the new technologies which hardware resources: computing system, airplane can best meet the desire for more functionality with electrical power, hydraulic power and communication higher reliability and easier maintainability. That is to paths. say, the incorporation of new technologies is to add value The multiple redundant hardware are required to for our customers. The new technologies selected meet the numerical safety requirements. Hardware directly or indirectly for the flight controls were: redundancy can be relied upon only if hardware faults 1) FBW, 2) ARINC 629, and 3) deferred maintenance. can be contained; fail-passive electronics are necessary 2.1 Outline of the Primary Flight Control Function building blocks for the FBW systems. In addition, FBW computer architecture must consider other fault The outline of the 777 FBW system has been tolerance issues: generic errors, common mode faults, described [6],[13],[14],[15]. The primary flight control near-coincidence faults and dissimilarity. surfaces are illustrated in Figure 1, and an overview of the FBW system is shown in Figure 2. Figure 3 shows 1.0 Introduction the hydraulic power distribution for the Power Control The NASA FBW projects [1],[2] provide the Units (PCUs) to which Actuation Control Electronics numerical integrity and functional availability (ACEs) provide electrical control. requirements for FBW computers. A finding from the research, Byzantine General problem [3], also serves as a 2.2 ARINC 629 Digital Data Bus design consideration to assess robustness of FBW computer architectures. Past Boeing and other industry The ARINC 629 data bus [16] is a time division experiences in dealing with generic faults [4], near- multiplex system. It includes multiple transmitters with coincidence faults [5] provide ground rules for the broadcast-type, autonomous terminal access. Up to 120 Boeing 7J7 FBW program. The experiences on the 7J7 users may be connected together. The users program [6],[7],[8],[9] and the academic research on communicate to the bus using a coupler and terminal as design diversity [10],[11], design paradigm [12] are shown in Figure 3. Terminal access is autonomous. carried over to the 777 FBW program [13],[14],[15]. Terminals listen to the bus and wait for a quiet period before transmitting. Only one terminal is allowed to Furthermore, to certify the 777 FBW program, the transmit at a time. After a terminal has transmitted, three flight controls design and development process considers different protocol timers are used to ensure that it does all requirements from: airplane functional groups, not transmit again until all of the other terminals have certification agencies, customers, in-service experiences, had a chance to transmit. technology trends and design paradigm. The Boeing 777 FBW requirements were then derived and developed. The purpose of this article is to describe the new technologies employed directly and indirectly for the 777 primary flight control system, with an emphasis on the design considerations for the FBW computer architecture. The fail-passive electronics for flight Single Rudder

Partial Span Tab

Spoilers Elevator (7 Per Side) (Single Span)

Slats

S tabilizer

Double Slotted Flap F laperon

Flap Aileron

FIGURE 1 777 FLIGHT CONTROL SURFACES

SYSTEM SUPPORTING SYSTEMS CARDFILES ARINC HYDIM, WOW 629 (4) EICAS ELMS & MFD AFDCS PSEU ADM S ADMS R/A WES EDIU AIM S ADIRUSAARU PSAS FSEU

TAC AU TO SWITCH OFF FLIGHT PFC CONTROL DISCONNECT SPEEDBRAKE DATA BUSES SWITCH (3 ) LEVER SPEEDBRAKE ACTUATOR PFCS TRANSDUCERS SPRING 6 COLUMN POSITION COLUMN 2 COLUMN FORCE ( EACH BREAKOUT WITH 2 OUTPUT SIGNALS) 6 WHEEL POSITION 2 WHEEL FORCE 4 RUDDER P EDAL POSI TION PCUS 4 SPEEDBRAKE POS ITION ACES 2 RUDDER TRIM POSI TION (31)

DYNAMIC LOAD A/P BACKDRIVE DAMPER ACTUATORS AFDC AUTOPILOT FLIGHT DIRECTOR COMPUTER ADM AIR DATA MODULE (STATIC AND TOTAL PRESSURES) TRIM ACTUATORS FEEL UNITS 2-COLUMN 2-W HE EL EICAS ENGINE INDICATION AND CREW ALERTING SYSTEM 1-AILERON 2-ELEVATOR, 2-RUDDER PEDAL 1-RUDDER ELMS ELECTRICAL LOAD M ANAGEM ENT SYSTEM VARIABLE MFD MULTIPLE FUNCTIO N DISPLAY 1-AILERON, FIXED AILERON ELEVATOR FEEL PSA POWER SUPPLY ASSEMBLY TRIM 1-RUDDER, FIXED ACTUATORS FSEU FLAP SLAT ELECTRONICS UNIT CMDS AIM S AIRP LANE INF O RM ATIO N M ANAG EM ENT SY STE M TRIM SWITCHES PFC PRIMARY FLIG HT CO MPUTER PITCH & RUDDER TRIM CMDS PSEU PRO XIMITY SW ITCH ELECTRO NICS UNIT GUST SUPPRESSION XDUCRS R/A RADIO ALTIMETER ADIRU AIR DATA INERTIAL REFERENCE UNIT SAARU SECONDARY ATTITUDE AND AIR DATA REFERENCE UNIT ACE ACTUATOR CONTROL ELECTRONICS PCU POW ER CO NTROL UNITS, ACTUATO RS HYDIM HYDRAULIC INTERFACE MODULE WOW WEIGHT ON WHEELS WES WARNING ELECTRONICS SY STEM FIGURE 2 777 PRIMARY FLIGHT CONTROL SYSTEM OVERVIEW R C C R R C C R CBL R L2 CBL L2 L1 C L2 L2 C L R 6 7 8 R C C L2 R 9 L L R L1 L1 R 5 IB S P O IL E R S IB S P O IL E R S 10 R C C L 4 11 L C 3 FLAPERON FLAPERON 12 C 2 13 C 1 R OB SPOILERS OB SPOILERS 14 L2 C C L1 L CBL CBL L L1,C R,L2 C R OB AIL OB AIL

L1, L2, C, R DENOTES ACE S0URCE

C R CBL L1 C R L2 CABLE C C L2 L L ACE SOURCE L L1 L RUDDER HYDRAULIC LEFT ELEVATOR RIGHT ELEVATOR SOURCE R R

NOTE: SPOILERS 4 AND 11 ARE COMMANDED VIA CABLES FROM THE CONTROL WHEEL AND VIA THE ACES FROM THE SPEED BRAKE LEVER. THE STABILIZER IS COMMANDED VIA THE CABLES THROUGH THE AISLE STAND LEVERS ONLY AND OTHERWISE IS COMMANDED THROUGH THE ACES. Figure 3 Primary Flight Controls Hydraulic/ ACE Distribution redundancy beyond that required to achieve the functional integrity for airplane dispatch. Consequently, Figure 4 shows the interconnection of two systems repair of random hardware failures can be deferred to a using an ARINC 629 terminal controller and Serial convenient time and place, resulting in reduction of Interface Module (SIM) which are installed on a circuit dispatch delays or cancellations. board within each Line Replaceable Unit (LRU). The SIM interfaces with the stub cable via a connector on The triple-triple redundant PFC architecture, triple the LRU. The stub cable is then connected to the global channels with triple dissimilar lanes in each channel, data bus via a current mode coupler. has been described [14]. The PFC can be dispatched with one failed lane: maintenance alert is generated for A representation of the main internal logic and data maintenance attention. The PFC can also be dispatched flows within an ARINC 629 terminal controller is with one failed channel: flight deck status message is shown in Figure 5. Data enters through the demodulator generated requiring replacement of a PFC channel and is checked for faults. The receiver circuitry within three flights. monitors all incoming labels and determines which wordstrings are needed. The data needed by the The ADIRS and AIMS architectures can be attached users is sent to the subsystem interface and to summarized as follows. the users. 2.3 Deferred Maintenance The deferred maintenance has been a desirable attribute for customer airlines to enhance airplane dispatch reliability. The deferred maintenance concept mandates the need for the fault tolerant design for the major digital avionics systems such as PFC, ADIRS (Air Data Inertial Reference System) and AIMS (Airplane Information Management System.) Based on Life Cycle Cost study for an optimum redundancy level for airlines, these computer architectures contain one level of 2.3.1 Air Data Inertial Reference System - impact of objects - electrical faults This system evolved from the Air Data Computers - electrical power failure and Inertial Reference Systems on previous airplanes. - electromagnetic environment The system consists of traditional triple-redundant pitot - lightning strike and static ports, whose signals are converted to - hydraulic failure electrical signals by Air Data Modules mounted near the - structural damage probes. Digital signals are sent via Flight Control - radiation environment in the atmosphere ARINC 629 buses to the ADIRU and SAARU for - ash cloud environment in the atmosphere processing, as shown in Figure 6. The ADIRU and - fire SAARU are fault tolerant computers with angular rate - rough or unsafe installation and maintenance sensors and accelerometers mounted in a skewed-axis arrangement [17]. The ADIRU can be dispatched with These common mode concerns led to the FBW one failure of each of the following assemblies: angular requirements for separation of FBW components and rate sensor, accelerometer, processor, and I/O module. FBW functional separation. 2.3.2 Airplane Information Management System 3.1.1 Separation of FBW Components The AIMS is the data cruncher for the following The separation is required for redundant flight functions: 1) flight management, 2) thrust management, control elements including LRUs, associated wiring and 3) display, 4) data communication, 5) central hydraulic lines to the greatest extent possible. maintenance, 6) airplane condition monitoring, 7) flight General system/airplane design decisions for data recording, and 8) digital data gateway. separation include the following: The AIMS communicates with the majority of - multiple equipment bays for redundant LRUs, avionics systems on the airplane. These interfaces are - physical separation of redundant LRUs, implemented through several different media, including - flight deck equipment and wiring separation and ARINC 629 data buses and ARINC 429 data buses. protection from foreign object collision, and The AIMS [18]consists of two separate and independent - separation of electrical and hydraulic line routing cabinets, each with four core processors and four through airplane structure. input/output modules. The AIMS can be dispatched with one failed processor module and one failed I/O Thus triple PFC channels are separated physically, module. and tight synchronization among PFC channels is deemed undesirable. To maintain source congruency 3.0 Design Considerations for Primary Flight and system states convergence, PFCs are required to Computers consolidate their system states, and to equalize critical Earlier on the research program for the Boeing 7J7 variables. The assumption of near-coincidence [5] PFC airplane, we were to define a methodology for shutdown is considered in the redundancy management determining need and means of protection against design for the PFC restart and for determining PFC generic errors [4] and common mode faults. The system state convergence rates. approach taken evolved to the 777 program. 3.1.2 Functional Separation 3.1 Common Mode Fault All triple redundant hardware resources are aligned Common mode or near-coincidence faults[4],[5] to the Left (L), Center(C) and Right (R) positions. need to be considered for multiple redundant systems These hardware resources are electrical power, flight such as the FBW. Airplane susceptibility to common control ARINC 629 buses, PFCs, ACEs, Hydraulic mode and common area damage is addressed by systems. designing the systems to both component and functional ACE functional actuator control is distributed to separation. This includes criteria for providing maximize controllability in all axes after loss of function installations resistant to maintenance crew error or of any ACE or supporting subsystem. In general, the mishandling. electronics components powered by the L/C/R flight The FBW design and installation has been control electrical bus controls the actuation components developed with the following fault or event powered by the L/C/R hydraulic system, respectively. considerations (to name a few): Data bus LRU n term inator Data bus cable assembly

Current mode Coupler n (120 max) coupler No. 1 Stub cable

ARINC 629 Terminal Controller

Serial Interface module Line replaceable unit (LRU) no. 1 Figure 4 Interconnect of Systems using ARINC 629

ARINC 629 RECEIVE Data Bus PERSONALITY Current Mode Coupler PROM Stub Cable

Demodulator Receiver

SIM Subsystem Address STRAP Protocol Protocol Interface Address /Data

Modulator Transmitter

Terminal Controller

TRANSMIT PERSONALITY PROM Figure 5 ARINC 629 Functional Block Diagram 3.2 Design Diversity dissimilarity is described in [15], and is summarized as follows. Based on the Boeing experience, the most likely design errors are, in order of likelihood: 3.3 Safety Analysis a) i) Requirement errors The safety analysis is performed which assesses all b) ii) Implementation significant failures of the FBW system including single misunderstanding failures, latent failures, and failure combinations at the c) Software design or coding error LRU level. Allowable level of dispatch with known d) Future process errors in previously qualified faults is determined. Also considered is the scheduled e) Semiconductor parts. maintenance necessary to limit exposure to latent faults. f) Relatively new, programmable VLSI circuits The analysis shows that the probability of a given failure whose number of states approach infinity and condition is consistent with its severity, and that all therefore are non-deterministic. failure combinations producing a catastrophe are extremely improbable. This analysis contains a The 7J7 FBW program goal regarding dissimilarity proposed list of worst case failure conditions to be flight is developed as follows. demonstrated based upon simulator evaluation, and 1. Dissimilar software/hardware architecture documents confirming lab and flight test results. should be used. Hardware component failure modes and potential 2. Ada should remain the accepted standard for LRU malfunctions are assumed. The assumptions, embedded software. combined with the system architecture and fault 3. When dissimilar hardware and software is detection/isolation algorithms, are used to eliminate the used to reduce error in FBW computers, steps infinite possibilities of hardware gate level failure should be taken to ensure the designs are also modes. Interfacing systems such as electrical and dissimilar. hydraulic power, ARINC 629 buses, and primary In the design diversity experiment at UCLA [10], sensors are included. System separation, partitioning, the isolation rules were employed in which and redundancy are addressed. Where possible in- programming teams were assigned physically separate service data are used to generate probability of faults. offices for their work and that inter-team 3.4 Fail-Passive and Fail-Operational Electronics communications were not allowed. The research at academe [10],[11] indicate that multiple versions of An electronics function is fail-passive if, in the programs developed independently can contain similar event of a failure, the continued safe flight and landing errors. of an airplane can be maintained by the pilot. Firstly the FBW architecture study considering use of ARINC 629 Boeing experience is that among sources of errors data busses concluded that common interface it is most often the basic requirements which are requirements [15] should be developed including a erroneous or misinterpreted. The key to a successful common CRC (Cyclic Redundancy Check) algorithm. software implementation is the elimination of errors. The errors due to misinterpretation can be reduced by The ACE functional overview diagram is shown in very close communication between the system Figure 7, and the FBW forward path (ACE to/from PFC) requirements engineers and the software designers. In signal monitoring concept is shown in Figure 8 to fact, the software designers can help the engineers illustrate the application of fail-passive electronics. recognize limitations in the software design when the The transducers used to sense the pilot control requirements are being written. There is much benefit commands are monitored with in-line monitors of from this interactive relationship, which is precluded by common mode monitor (CMMs) and demodulator the dissimilar software design approach, where systems monitor (DMMs). This includes the position and force and software teams much be kept segregated. transducers. The CMMs detect short circuits and open The development of the PFC software during the circuits in the pilot control transducers, while the 7J7 program confirmed that the three separate teams, in DMMs are used to monitor demodulation of each AC order to code their logic from the requirements, were transducer signal. If either monitor indicates failure, having to ask Boeing so many questions for clarification this signal will not be used by PFCs for FBW control of the requirements that the independence of the three law function. teams was irreparable compromised. This is the reason The servo command wraparound monitors verify why Boeing elected to revert to the usual and customary the proper operation of ACE digital-analog and analog- method of creating and certifying flight critical source digital conversion hardware and verify proper code. It was determined that there is a net gain in total distribution of each PCU/Actuator command to the system integrity with the single software design appropriate servo loop function. approach. The overall 777 FBW program decision on Signals (6) (4) Body Rates Body Accelerations P S1 RATE SELECT 629 Pitch and Roll Attitude VOTE Groundspeed AND INERTIAL 629 (6) Airspeed (V , V ) P T1 MONITOR SOLUTION C T Baro Altitude Filtered ACCEL 629 Mach RATES VOTE INERTIAL 629 Impact Pressure ACCELS P = Static Pressure SENSORS S 629 P T = Total Pressure MONITOR PFC L

SELECT COMMAND LANE 629 AND SELECTED AIR DATA BUS DATA MONITOR SOLUTION SELECT S 629 P S VALIDITY S P MONITOR F 629 T ADIRU D VALID FLAG P S2 VALIDITY (4) (2) MONITOR P T2 RATE SELECT AND INERTIAL (4) MONITOR SOLUTION P S3 ACCEL COMPARATOR RATES MONITOR LANE INERTIAL P ACCELS IDENTICAL T3 SENSORS 629 STANDBY MONITOR LANE MONITOR IDENTICAL 629 SELECT AND AIR DATA 629 MONITOR SOLUTION

P S 629 P T SAARU Figure 6 ADIRU/SAARU Redundancy Management

Flight Control Digital Data Buses L C R

ARINC 629 ARINC 629 ARINC 629 A THREE MODE INTERFACE INTERFACE PCU CENTER BUS INTERFACE LEFT BUS RIGHT BUS SERVO LOOPS & MONITORS ELEVATOR A A A AILERON FLAPERON CRC RUDDER

A FLIGHT ACE SPOILER SERVO INPUT SIGNAL A/D LOOPS & CONTROLS POWER D/A SIGNAL COMM AND MONITORS DC POWER SUPPLY AND MANAGEMENT DECODE PCU SOVs (ISM) CONTROL A RUDDER TRIM /ELEVATOR FEEL PIN (SCDC) *DEM UX *M UX ACTUATOR SERVO PRO - LOOP & MONITOR GRAMMING PITCH RATE STAB TRIM FLAP SENSOR CONTROL POSITION RVDT's & LVDT's EXCIT AT ION AUTO SPEEDBRAKE ARM PILOTS' BUFFER's DIRECT MODE CMDS SCHEDULES DEMOD's GUST SUPPRESSION DMM' & CMM 's XDUCER INTERFACE DIRECT MODAL SUPPRESSION FUNCTION MODE ACCELEROMETERS SW ITCH 777-300: ACE EXTERNAL PITCH R ACE RATE SENSOR INTERFACE Figure 7 Typical ACE Architecture 3S

nput

ne i

r la

mila

M M V

M M

tors S

S VO

C D D ACE

issi

LAW

3 d

Moni

g of

ply ply

orin

Sup

onit

Power

ne m

tor

MON

s la

UPDA

oni

ito

D A

d M

ity

Cros

ito

lid

ly M ly

BUFF

a o

oun

Ar 9

F 2

r S

6 C

C CD

Wrap

ISM

O S

629

nitoring

629

CRC

MON

629

STB

629

P CMD

629

BLE

ENA

629 OUTPUT

CRC

2S 2M

Figure 8 PFCS Signal Path Mo 8 Path PFCS Figure Signal

CRC

y W

tor

red

LUE

NNEL

oni

INHIBIT

oni

SELE

CHA

a m

MID-VA

el el

h m

dat

No No

a p

Dat

Cro

ito

mon

nit

MON MON

X-LANE X-LANE

mon

Dem

Com

FLT DECKFLT 3S

3M Digital commands received from the PFCs are converted AIAAJournal of Guidance, Vol.6,No.2, March- to analog commands for use by the actuator servo loops. April 1983. The analog servo loop commands are also converted 5. J. McGough, "Effects of Near-Coincident Faults In ("wrapped") back to digital form for use by the Multiprocessor Systems", Fifth AIAA/IEEE Digital Wraparound Monitor. The monitor then compares the Avionics Conference, October 1983. original digital commands with the wraparound commands to verify operation of digital to analog and 6. R.J. Bleeg, "Commercial Jet Transport Fly-By-Wire analog to digital conversion. Architecture Consideration", Ninth AIAA/IEEE Digital Avionics System Conference, October All LRUs transmitting critical data on ARINC 629 1988. bus are required to comply with the Flight Controls Bus 7. C.J. Walter, "MAFT: An Architecture for Reliable Requirements [15] inclusive of providing CRC Fly-By-Wire Flight Control", Ninth AIAA/IEEE checkwords. All flight critical LRUs (eg, PFC & ACE) Digital Avionics Conference, October 1988. perform CRC monitoring of each received wordstring. 8. A.D. Hill, N.A. Mirza, "Fault Tolerant Avionics", Input Signal Management (ISM) processing is Ninth AIAA/IEEE Digital Avionics Conference, performed by each PFC on ARINC 629 input signals October 1988. received by the PFCs including those originating from the ACEs, ADIRU, SAARU, ADMs, AFDCs, and 9. R.A. Hammond, D.S. Newman, Y.C. Yeh, "On Fly- AIMS. ISM includes Signal Selection and Fault By-Wire Control System and Statistical Analysis of Detection (SSFD) algorithms which perform signal System Performance", Simulation, October 1989. selection and static and dynamic fault monitoring. This 10. A. Avizienis, M.R. Lyu, W. Schutz, "In Search of algorithm must be designed to adequately isolate failed Effective Diversity: A Six-Language Study of components for an extended period of time where Fault-Tolerant Flight Control Software", FTCS-18, delayed maintenance is desired. 1988. 11. J.C. Knight, N.G. Leveson, "An Experimental 4.0 Summary Evaluation of the Assumption of Independence in The successful certification of the first Boeing Multversion Programming", IEEE Trans. On FBW airplane, airplane in general and FBW in specific, Software Engineering, January, 1986. in four and half years depends to a large extent on the 12. A. Avizienis, "A Design Paradigm for Fault- following: 1) a new facility to accommodate a large Tolerant Systems", AIAA Computers in Aerospace number of test labs, the Integrated Aircraft Systems Lab Conference, October 1987, Paper 87-2764. (IASL), 2) a viable FBW architecture, 3) working 13. J. McWha, "777 Systems Overview", RAeS together with customer airlines for their help in Presentation, November 1993. designing the airplane, 4) certification planning, 5) research work from the fault tolerant computing 14. Y.C. Yeh, "Triple-Triple Redundant 777 Primary community. Flight Computer", 1996 IEEE Aerospace Applications Conference, February 1996. References: 15. Y.C. Yeh, "Dependability of the 777 Primary Flight 1. J.H. Wenseley et al "SIFT: Design and Analysis of Control System", DCCA-5, September 1995. a Fault-Tolerant Computer for Aircraft Control", 16. J.L. Shaw, H.K. Herzog, K. Okubo, "Digital Proceeding of the IEEE, Vol. 66, No. 10, October Autonomous Terminal Access 1978. Communication(DATAC)", Seventh AIAA/IEEE 2. A.L. Hopkins Jr., T.B. Smith,III, J.H. Lala, "FTMP- Digital Avionics System Conference, November A Highly Reliable Fault-Tolerant Multiprocessor 1986. for Aircraft", Proceeding of the IEEE, Vol. 66, 17. D.L. Sebring, M.D. McIntyre, "An Air Data Inertial No. 10, October 1978. Reference System for Future Commercial 3. L. Lamport, R. Shostak, M. Pease, "The Byzantine Airplane", Ninth AIAA/IEEE Digital Avionics Generals Problem", ACM Trans. on Programming Conference, October 1988. Languages and Systems, Vol. 4, No. 3, July 1982. 18. K. Hoyme, K. Driscoll, "SAFEbus", Eleventh 4. S.S. Osder, "Generic Faults and Architecture AIAA/IEEE Digiatl Avionics Conference, October Design Considerations in Flight-Critical Systems", 1992.