Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Industrial Engineering
  3. Systems Engineering

Fail-Passive Electronics for Safety Critical avionics

Fail-Passive Electronics for
Safety Critical Avionics
Y. C. (Bob) Yeh, Ph. D.
Associate Technical Fellow
Boeing Commercial Airplanes
Flight Controls Systems
SAE Aerospace Control and Guidance Systems
Committee Meeting #97
6.0 Subcommittee –
Avionics and System Integration
Lake Tahoe, Nevada, USA, March 1-3, 2006
Fail-Passive Electronics for
Safety Critical Avionics
 Introduction
 Fail-Passive and Fail-Operational Avionics
 Fundamental Concept of Dependability
 FBW requirements
 Boeing FBW Design Philosophy for Safety
 Common Mode Failure and Single Point Failure
 Generic Error and Dissimilarity Considerations
 Example: 777 FBW Computers
Copyright @ 2006 The Boeing Company. All rights reserved.
2
Fail-Passive and Fail-Operational
 Fail-Passive Electronics to avoid active airplane effect
• An electronics function is said to be fail-passive if its failure
effect is loss of its output for its intended function
 Fail-Operational Electronics via multiple redundant hardware
• Multiple redundant hardware can facilitate meeting functional
availability requirements for critical avionics function, as long
as there exists no common-mode or single point failure.
 777 FBW computers are used for elaboration
Copyright @ 2006 The Boeing Company. All rights reserved.
3
Fundamental Concepts of Dependability
(Avizienis & Laprie & Randell)
 Among 4 classes of accidental or non-malicious faults,
 Human-made interaction faults
 Design faults
 Physical internal faults
 Physical external faults
 Human-made interaction and design faults dominate as sources of
failure/error for larger, controlled systems
Copyright @ 2006 The Boeing Company. All rights reserved.
4
Flight Controls Industry Experiences on
Error Types of
Complex Flight Controls Systems
 Requirement Error*
 Implementation Misunderstanding*
 Software Design or Coding Error*
 Future Process Errors in Previously Qualified Electronics Parts
 Relatively new programmable VLSI circuits whose number of states
approach infinity and therefore non-deterministic
*Can be attributed to Interaction Fault, Software/Hardware Interface
Incompatibility
Copyright @ 2006 The Boeing Company. All rights reserved.
5
777 FBW Requirement and
Design Philosophy
 777 FBW Evolved from the 7J7 FBW Architecture
 The FBW requirements are developed from:
• Certification agencies requirements
• Customer and Boeing requirements
 The FBW design philosophy for safety considers the following
constraints:
• Common mode-area fault
• Separation of FBW (LRU) components
• FBW functional separation
• Dissimilarity
• FBW effect on structures
Copyright @ 2006 The Boeing Company. All rights reserved.
6
777 Primary Flight Control System
Copyright @ 2006 The Boeing Company. All rights reserved.
7
Primary Flight Control Modes
Copyright @ 2006 The Boeing Company. All rights reserved.
8
777 FBW Requirement and
Design Philosophy
 777 FBW Evolved from the 7J7 FBW Architecture
 The FBW requirements are developed from:
 Customer and Boeing requirements
 Ceritification agencies requirements
 The FBW design philosophy for safety considers the following constraints:
• Common mode/common area fault
• Separation of FBW (LRU) components
• FBW functional separation
• Dissimilarity
• FBW effect on structures
Copyright @ 2006 The Boeing Company. All rights reserved.
9
Boeing FBW Design Philosophy
for Safety
 To meet extremely high functional integrity and functional availability
requirements (of 1.0E-10 per hour), multiple redundant hardware resources
are required for FBW systems.
 The fault tolerance for trustworthy FBW system design should consider all
known and unknown causes of problem/failure/error, known as common
mode failure and single point failure.
We know what we don’t know
We don’t know what we don’t
know (Unknown unknown)
We know
Copyright @ 2006 The Boeing Company. All rights reserved.
10
Common Mode Failure and Single Point
Failure
 Airplane susceptibility to common mode and common area damage is addressed by
designing the systems to both component and functional separation requirements.
This includes criteria for providing installations resistant to maintenance crew error or
mishandling, such as:
 impact of objects
 electrical faults
 electrical power failure
 electromagnetic environment
 lightning strike
 hydraulic failure
 structural damage
 radiation environment in the atmosphere
 ash cloud environment in the atmosphere
 fire
 rough or unsafe installation and maintenance
Copyright @ 2006 The Boeing Company. All rights reserved.
11
Generic Error and Dissimilarity
Considerations of FBW Systems
 Airbus FBW is designed to cover software design faults
via design diversity
 Boeing FBW is designed to cover (very complex)
hardware design faults and compiler faults
Copyright @ 2006 The Boeing Company. All rights reserved.
12
Dissimilarity of 777 FBW Electronics
PFC:
•
Dissimilar processors and compilers (common software)
•
DO-178 development process
•
ASIC development process
ACE:
•
Dissimilar monitor and control functions
•
ASIC development process
Inertial Data:
•
Dissimilar ADIRU/SAARU
•
DO-178 development process
AFDC:
•
DO-178 development process
•
ASIC development process
•
Dual dissimilar hardware for backdrive function
ARINC 629:
•
ACE Direct Mode which bypass ARINC 629
Copyright @ 2006 The Boeing Company. All rights reserved.
13
777 PFC Safety Requirements
 Numerical probability requirements
 < 1.0E-10 per hour for functional integrity and functional
availability requirements
 < 1.0E-10 per autoland during the critical phase of an autoland
 Non-numerical safety requirements
No single fault, including common-mode hardware fault, regardless
of probability of occurrence, shall result in:
 An erroneous transmission of output signals without a failure
indication.
 Loss of function in more than one PFC
Copyright @ 2006 The Boeing Company. All rights reserved.
14
777 Actuator Control Electronics
Architecture
Copyright @ 2006 The Boeing Company. All rights reserved.
15
Simplicity of Direct Mode and its
Transition
 The virtue of simplicity is preserved in otherwise complex
FBW systems via:
 Simplicity of Transition to Direct Mode
 Simplicity of Direct Mode hardware implementation
Copyright @ 2006 The Boeing Company. All rights reserved.
16
Triple-Triple Redundant
777 Primary Flight Computer
Copyright @ 2006 The Boeing Company. All rights reserved.
17
777 PFC Channel
Command Path
Copyright @ 2006 The Boeing Company. All rights reserved.
18
777 PFC Channel
Command/Monitor Architecture
Copyright @ 2006 The Boeing Company. All rights reserved.
19
777 PFC-ACE Signal Path
Copyright @ 2006 The Boeing Company. All rights reserved.
20
Related documents
showcasing mr. will station
showcasing mr. will station
Ultra-Reliable Fly-By-Wire Computers for Commercial
Ultra-Reliable Fly-By-Wire Computers for Commercial
AFD (France)
AFD (France)
論航空維修之國際合作引言人:袁曉峰/國立成功大學民航研究所103.07.18
論航空維修之國際合作引言人:袁曉峰/國立成功大學民航研究所103.07.18
Design Considerations in Boeing 777 Fly-By-Wire
Design Considerations in Boeing 777 Fly-By-Wire
ENTR-3120 Group 4 Presentation Boeing
ENTR-3120 Group 4 Presentation Boeing
The Proven Champion Of Low Operating Costs And Unmatched
The Proven Champion Of Low Operating Costs And Unmatched
Helicopter Dynamic Components Project
Helicopter Dynamic Components Project
The Role of Standards in Innovation
The Role of Standards in Innovation
here - The University of Texas at Austin
here - The University of Texas at Austin
Download