Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Electrical Engineering

Design Considerations in Boeing 777 Fly-By-Wire

advertisement 
Design Considerations in Boeing 777 Fly-By-Wire Computers
Y. C. (Bob) Yeh
Boeing Commercial Airplane Group
Flight Systems
P. O. Box 3707, M/S 02-KA
Seattle, WA 98124-2207
ying.c.yeh@boeing.com
Abstract
The new technologies in flight control avionics
systems selected for the Boeing 777 airplane program
consist of the following: Fly-By-Wire (FBW), ARINC 629
Data Bus, and Deferred Maintenance.
The FBW must meet extremely high levels of
functional integrity and availability. The heart of the
FBW concept is the use of triple redundancy for all
hardware resources: computing system, airplane
electrical power, hydraulic power and communication
paths.
The multiple redundant hardware are required to
meet the numerical safety requirements. Hardware
redundancy can be relied upon only if hardware faults
can be contained; fail-passive electronics are necessary
building blocks for the FBW systems. In addition, FBW
computer architecture must consider other fault
tolerance issues: generic errors, common mode faults,
near-coincidence faults and dissimilarity.
1.0
Introduction
The NASA FBW projects [1],[2] provide the
numerical integrity and functional availability
requirements for FBW computers. A finding from the
research, Byzantine General problem [3], also serves as a
design consideration to assess robustness of FBW
computer architectures. Past Boeing and other industry
experiences in dealing with generic faults [4], nearcoincidence faults [5] provide ground rules for the
Boeing 7J7 FBW program. The experiences on the 7J7
program [6],[7],[8],[9] and the academic research on
design diversity [10],[11], design paradigm [12] are
carried over to the 777 FBW program [13],[14],[15].
Furthermore, to certify the 777 FBW program, the
flight controls design and development process considers
all requirements from: airplane functional groups,
certification agencies, customers, in-service experiences,
technology trends and design paradigm. The Boeing 777
FBW requirements were then derived and developed.
The purpose of this article is to describe the new
technologies employed directly and indirectly for the 777
primary flight control system, with an emphasis on the
design considerations for the FBW computer
architecture. The fail-passive electronics for flight
critical avionics systems are defined to illustrate the
necessary building blocks for the forward path, from
pilot inputs to control surface, flight controls electronics.
2.0
Outline of New Technologies for 777 Flight
Controls
Traditionally, new technologies are introduced for a
new airplane program, and the 777 is no exception. The
challenge is the selection of the new technologies which
can best meet the desire for more functionality with
higher reliability and easier maintainability. That is to
say, the incorporation of new technologies is to add value
for our customers. The new technologies selected
directly or indirectly for the flight controls were:
1) FBW, 2) ARINC 629, and 3) deferred maintenance.
2.1
Outline of the Primary Flight Control Function
The outline of the 777 FBW system has been
described [6],[13],[14],[15]. The primary flight control
surfaces are illustrated in Figure 1, and an overview of
the FBW system is shown in Figure 2. Figure 3 shows
the hydraulic power distribution for the Power Control
Units (PCUs) to which Actuation Control Electronics
(ACEs) provide electrical control.
2.2
ARINC 629 Digital Data Bus
The ARINC 629 data bus [16] is a time division
multiplex system. It includes multiple transmitters with
broadcast-type, autonomous terminal access. Up to 120
users may be connected together.
The users
communicate to the bus using a coupler and terminal as
shown in Figure 3. Terminal access is autonomous.
Terminals listen to the bus and wait for a quiet period
before transmitting. Only one terminal is allowed to
transmit at a time. After a terminal has transmitted, three
different protocol timers are used to ensure that it does
not transmit again until all of the other terminals have
had a chance to transmit.
S in gle
Ru dder
P artial S pan
Tab
S poilers
(7 Per S ide)
E levator
(Single Span )
Slats
S tabilizer
D ou ble Slotted F lap
F laperon
F lap
A ileron
FIG U RE 1 777 FLIG HT CO N TR O L SU RFAC ES
SUPPORTING SYSTEM S
SY ST EM
A R IN C
629 (4)
C A R D F IL ES
H Y D IM , W O W
EIC A S
& M FD
ELM S
AFD CS
ADM S
ADM S
PSEU
R/A
W ES
EDIU
AIM S
ADIRU
SAARU
PSAS
FSEU
TA C
S W IT C H
AUTO
OFF
PF C
DIS C O N N EC T
SW IT C H
FL IG H T
CONT ROL
DAT A B U S E S
(3 )
SPE ED B R A KE
LE VER
S PE E D B R AK E
AC T U AT O R
PFCS
T R A N SD U C ER S
S PR IN G
CO LU M N
BR E AK O UT
6 COL UMN P OS I TI ON
2 COLU MN FORCE ( EA CH
WI TH 2 OUTP UT SI GNALS)
6 WHEEL POSITION
2 W HE EL FORCE
4 RUDDE R P E DAL POS I TION
4 SP EE DB RAKE P OS ITI ON
2 RUDDE R TRI M POS I TION
DYNAMIC LOAD
DAMPER
T R IM A C T U A T O R S
1 -AIL E R O N
1 -R U D D E R
A /P B A C K D R IVE
A C TUA TOR S
F EEL U N IT S
2-E LE V AT OR ,
V AR IAB LE
1 -AIL E R O N , FIX E D
1-R U D D E R , FIX E D
AIL ER O N
TR IM
CM D S
TR IM SW IT C H ES
2-C OL UM N
2-W HE E L
2 -R UD D E R P E D A L
ELE VA T O R FE EL
AC TU A TO R S
PIT CH & R U DD E R T R IM C MD S
GU ST S U P PR E SSIO N XD U CR S
ACES
PCUS
(31)
A F D C A UT O P I L O T F L I G H T D I R E C T O R C O M P UT E R
ADM
A I R D A T A M O D UL E ( S T A T I C A ND T O T A L P R E S S U R E S )
E I C A S E NG I NE I ND I C A T I O N A ND C R E W A L E R T I N G S Y S T E M
E L M S E L E C T R I C A L LO A D M A N A G E M E N T S Y S T E M
M FD
M UL T IP LE F U NC T IO N D I S P L A Y
PSA
P O W E R S UP P L Y A S S E M B L Y
F S E U F L A P S L A T E L E C T R O NI C S U N I T
A I M S A I R P L A NE I NF O R M A T I O N M A NA G E M E N T S Y S T E M
PFC
P R I M A R Y F L IG HT C O M P U T E R
P S E U P R O X I M I T Y S W I T C H E L E C T R O N I C S UN I T
R /A
R ADI O ALT IM ETER
A D I R U A I R D A T A I NE R T I A L R E F E R E NC E U NI T
S A A R U S E C O ND A R Y A T T I T UD E A N D A I R D A T A R E F E R E N C E U N IT
ACE
A C T UA T O R C O NT R O L E L E C T R O N I C S
PCU
P O W E R C O N T R O L UN I T S , A C T UA T O R S
HY D I M HY D R A UL I C I NT E R F A C E M O D U L E
W O W W E IG HT O N W HE ELS
WES
W A R N I NG E LE C T R O N IC S S Y S T E M
FIGURE 2 777 PRIM ARY FLIGHT CONTROL SYSTEM OVERVIEW
CB L
L2
L2
R
L1
C
C
R
L
R
C
C
7
6
R
C
R
8
9
L2
R
C
L2
C
R
L
IB S P O IL E R S
5
IB S P O IL E R S
L1
L
R
10
11
3
1
CB L
L2
C
4
FL A P E R O N
FL A P E R O N
2
C
R
C
R
L
L
C
L2
L1
R
C
C
12
13
O B S P O IL E R S
O B S P O IL E R S
C
L
CBL
CBL
L 1 ,C
R ,L2
C
O B A IL
R
14
L1
L
C
R
O B A IL
L1, L2, C , R D E N O T ES A C E S0U R C E
R
C
CBL
CABLE
L2
ACE SO U RCE
C
L2
C
L
L
L1
LEFT ELEVA T O R
L
C
RU D DE R
R IG H T E L E V A T O R
R
R
S P O IL E R S 4 A N D 1 1 A R E C O M M A N D E D V IA
C ABLES FR OM T H E C ON T R OL W H E E L AN D
V IA T H E A C E S F R O M T H E S P E E D B R A K E
L E V E R . T H E S T A B IL IZ E R IS C O M M A N D E D V IA
T H E C A B L E S T H R O U G H T H E A IS L E S T A N D
L E V E R S O N L Y A N D O T H E R W IS E IS
C OM M AN D E D T H R O U GH T H E AC ES.
Figure 3
P rim ary Flig ht C o ntrols H ydraulic/ A C E D istribu tion
Figure 4 shows the interconnection of two systems
using an ARINC 629 terminal controller and Serial
Interface Module (SIM) which are installed on a circuit
board within each Line Replaceable Unit (LRU). The
SIM interfaces with the stub cable via a connector on
the LRU. The stub cable is then connected to the global
data bus via a current mode coupler.
A representation of the main internal logic and data
flows within an ARINC 629 terminal controller is
shown in Figure 5. Data enters through the demodulator
and is checked for faults. The receiver circuitry
monitors all incoming labels and determines which
wordstrings are needed. The data needed by the
attached users is sent to the subsystem interface and to
the users.
2.3
R
L
H Y D R A U L IC
SO U RC E
NOT E:
L1
Deferred Maintenance
The deferred maintenance has been a desirable
attribute for customer airlines to enhance airplane
dispatch reliability. The deferred maintenance concept
mandates the need for the fault tolerant design for the
major digital avionics systems such as PFC, ADIRS (Air
Data Inertial Reference System) and AIMS (Airplane
Information Management System.) Based on Life Cycle
Cost study for an optimum redundancy level for airlines,
these computer architectures contain one level of
redundancy beyond that required to achieve the
functional integrity for airplane dispatch. Consequently,
repair of random hardware failures can be deferred to a
convenient time and place, resulting in reduction of
dispatch delays or cancellations.
The triple-triple redundant PFC architecture, triple
channels with triple dissimilar lanes in each channel,
has been described [14]. The PFC can be dispatched
with one failed lane: maintenance alert is generated for
maintenance attention. The PFC can also be dispatched
with one failed channel: flight deck status message is
generated requiring replacement of a PFC channel
within three flights.
The ADIRS and AIMS architectures can be
summarized as follows.
2.3.1 Air Data Inertial Reference System
This system evolved from the Air Data Computers
and Inertial Reference Systems on previous airplanes.
The system consists of traditional triple-redundant pitot
and static ports, whose signals are converted to
electrical signals by Air Data Modules mounted near the
probes. Digital signals are sent via Flight Control
ARINC 629 buses to the ADIRU and SAARU for
processing, as shown in Figure 6. The ADIRU and
SAARU are fault tolerant computers with angular rate
sensors and accelerometers mounted in a skewed-axis
arrangement [17]. The ADIRU can be dispatched with
one failure of each of the following assemblies: angular
rate sensor, accelerometer, processor, and I/O module.
-
impact of objects
electrical faults
electrical power failure
electromagnetic environment
lightning strike
hydraulic failure
structural damage
radiation environment in the atmosphere
ash cloud environment in the atmosphere
fire
rough or unsafe installation and maintenance
These common mode concerns led to the FBW
requirements for separation of FBW components and
FBW functional separation.
2.3.2 Airplane Information Management System
3.1.1 Separation of FBW Components
The AIMS is the data cruncher for the following
functions: 1) flight management, 2) thrust management,
3) display, 4) data communication, 5) central
maintenance, 6) airplane condition monitoring, 7) flight
data recording, and 8) digital data gateway.
The separation is required for redundant flight
control elements including LRUs, associated wiring and
hydraulic lines to the greatest extent possible.
The AIMS communicates with the majority of
avionics systems on the airplane. These interfaces are
implemented through several different media, including
ARINC 629 data buses and ARINC 429 data buses.
The AIMS [18]consists of two separate and independent
cabinets, each with four core processors and four
input/output modules. The AIMS can be dispatched
with one failed processor module and one failed I/O
module.
3.0
Design Considerations for Primary Flight
Computers
Earlier on the research program for the Boeing 7J7
airplane, we were to define a methodology for
determining need and means of protection against
generic errors [4] and common mode faults. The
approach taken evolved to the 777 program.
3.1
Common Mode Fault
Common mode or near-coincidence faults[4],[5]
need to be considered for multiple redundant systems
such as the FBW. Airplane susceptibility to common
mode and common area damage is addressed by
designing the systems to both component and functional
separation.
This includes criteria for providing
installations resistant to maintenance crew error or
mishandling.
The FBW design and installation has been
developed with the following fault or event
considerations (to name a few):
General system/airplane design decisions for
separation include the following:
-
multiple equipment bays for redundant LRUs,
physical separation of redundant LRUs,
flight deck equipment and wiring separation and
protection from foreign object collision, and
separation of electrical and hydraulic line routing
through airplane structure.
Thus triple PFC channels are separated physically,
and tight synchronization among PFC channels is
deemed undesirable. To maintain source congruency
and system states convergence, PFCs are required to
consolidate their system states, and to equalize critical
variables. The assumption of near-coincidence [5] PFC
shutdown is considered in the redundancy management
design for the PFC restart and for determining PFC
system state convergence rates.
3.1.2 Functional Separation
All triple redundant hardware resources are aligned
to the Left (L), Center(C) and Right (R) positions.
These hardware resources are electrical power, flight
control ARINC 629 buses, PFCs, ACEs, Hydraulic
systems.
ACE functional actuator control is distributed to
maximize controllability in all axes after loss of function
of any ACE or supporting subsystem. In general, the
electronics components powered by the L/C/R flight
control electrical bus controls the actuation components
powered by the L/C/R hydraulic system, respectively.
D a ta b us
te r m ina to r
C u rr e n t m o d e
c o u p le r N o . 1
LRU n
D a ta b us c a b le
a s s e m b ly
C o up le r n (1 2 0 m a x)
S tub c a b le
A R IN C 6 2 9
T e rm in a l
C o ntro lle r
S e ria l In te rfa c e
m o d u le
L ine re p la c e a b le
unit (L R U ) n o . 1
F ig u re 4 In te rco n n ec t o f S y stem s u sin g A R IN C 629
A R IN C 629
D ata B us
R EC EIV E
P ER SO N A LITY
PR OM
C urrent M ode C oupler
S tub C able
Receiv er
D em odu lator
SIM
ST RA P
P rotoc ol
M odulator
P rotocol
Transm itter
Term in al C on tro lle r
TR AN S MIT
P ER SO N A LITY
PR OM
F ig u re 5 A R INC 629 F u n ctio n al B lo ck D iag ram
S ubs ys tem
Interfac e
A dd res s
A dd res s
/D ata
3.2
Design Diversity
Based on the Boeing experience, the most likely
design errors are, in order of likelihood:
a)
b)
c)
d)
e)
f)
i) Requirement errors
ii) Implementation
misunderstanding
Software design or coding error
Future process errors in previously qualified
Semiconductor parts.
Relatively new, programmable VLSI circuits
whose number of states approach infinity and
therefore are non-deterministic.
The 7J7 FBW program goal regarding dissimilarity
is developed as follows.
1.
2.
3.
Dissimilar software/hardware architecture
should be used.
Ada should remain the accepted standard for
embedded software.
When dissimilar hardware and software is
used to reduce error in FBW computers, steps
should be taken to ensure the designs are also
dissimilar.
In the design diversity experiment at UCLA [10],
the isolation rules were employed in which
programming teams were assigned physically separate
offices for their work and that inter-team
communications were not allowed. The research at
academe [10],[11] indicate that multiple versions of
programs developed independently can contain similar
errors.
Boeing experience is that among sources of errors
it is most often the basic requirements which are
erroneous or misinterpreted. The key to a successful
software implementation is the elimination of errors.
The errors due to misinterpretation can be reduced by
very close communication between the system
requirements engineers and the software designers. In
fact, the software designers can help the engineers
recognize limitations in the software design when the
requirements are being written. There is much benefit
from this interactive relationship, which is precluded by
the dissimilar software design approach, where systems
and software teams much be kept segregated.
The development of the PFC software during the
7J7 program confirmed that the three separate teams, in
order to code their logic from the requirements, were
having to ask Boeing so many questions for clarification
of the requirements that the independence of the three
teams was irreparable compromised. This is the reason
why Boeing elected to revert to the usual and customary
method of creating and certifying flight critical source
code. It was determined that there is a net gain in total
system integrity with the single software design
approach. The overall 777 FBW program decision on
dissimilarity is described in [15], and is summarized as
follows.
3.3
Safety Analysis
The safety analysis is performed which assesses all
significant failures of the FBW system including single
failures, latent failures, and failure combinations at the
LRU level. Allowable level of dispatch with known
faults is determined. Also considered is the scheduled
maintenance necessary to limit exposure to latent faults.
The analysis shows that the probability of a given failure
condition is consistent with its severity, and that all
failure combinations producing a catastrophe are
extremely improbable.
This analysis contains a
proposed list of worst case failure conditions to be flight
demonstrated based upon simulator evaluation, and
documents confirming lab and flight test results.
Hardware component failure modes and potential
LRU malfunctions are assumed. The assumptions,
combined with the system architecture and fault
detection/isolation algorithms, are used to eliminate the
infinite possibilities of hardware gate level failure
modes. Interfacing systems such as electrical and
hydraulic power, ARINC 629 buses, and primary
sensors are included. System separation, partitioning,
and redundancy are addressed. Where possible inservice data are used to generate probability of faults.
3.4
Fail-Passive and Fail-Operational Electronics
An electronics function is fail-passive if, in the
event of a failure, the continued safe flight and landing
of an airplane can be maintained by the pilot. Firstly the
FBW architecture study considering use of ARINC 629
data busses concluded that common interface
requirements [15] should be developed including a
common CRC (Cyclic Redundancy Check) algorithm.
The ACE functional overview diagram is shown in
Figure 7, and the FBW forward path (ACE to/from PFC)
signal monitoring concept is shown in Figure 8 to
illustrate the application of fail-passive electronics.
The transducers used to sense the pilot control
commands are monitored with in-line monitors of
common mode monitor (CMMs) and demodulator
monitor (DMMs). This includes the position and force
transducers. The CMMs detect short circuits and open
circuits in the pilot control transducers, while the
DMMs are used to monitor demodulation of each AC
transducer signal. If either monitor indicates failure,
this signal will not be used by PFCs for FBW control
law function.
The servo command wraparound monitors verify
the proper operation of ACE digital-analog and analogdigital conversion hardware and verify proper
distribution of each PCU/Actuator command to the
appropriate servo loop function.
(6)
PS1
RAT E
SELECT
AND
(6)
PT1
S ignals
B od y R ates
Bo dy A c ce ler ation s
Pitch and R oll A ttitu de
G r ound sp ee d
Airs peed ( V C , V T )
(4)
M O N IT O R
ACCEL
62 9
VO T E
IN E R T IA L
S O LU T IO N
62 9
62 9
VO T E
RAT ES
AC CELS
IN E R T I A L
SENSORS
62 9
62 9
M O N IT O R
SELECT
AND
629
M O N IT O R
629
P FC L
COMMAND LAN E
A IR D A T A
S O LU T IO N
BUS
SELECT
PS
V A L ID IT Y
M O N IT O R
PT
629
Baro Altitu de F iltered
M ac h
Im pac t P res su re
P S = St atic P res s ure
P T = T o tal P ress ure
A D IRU
S
S
F
D
PS2
(4 )
PT2
SELECT
AND
(4 )
P S3
ACCE L
PT3
IN E R T I A L
SENSORS
M O N IT O R
IN E R T IA L
S O LU T IO N
CO M PAR AT O R
M O N IT O R L A N E
RAT ES
AC CELS
ID E N T IC A L
62 9
M O N IT O R
SELECT
AND
629
M O N IT O R
629
S T A N D B Y M O N I T O R LA N E
ID E N T IC A L
A IR D A T A
S O LU T IO N
PS
PT
629
V A L ID
FLA G
V A L ID IT Y
M O N IT O R
(2 )
RAT E
SELE C T ED
DAT A
SAARU
Fig u re 6
A D IR U /S A A R U R e d u n da n c y M a n a g e m e nt
Flight C ontrol D igita l D a ta Bus e s
L
C
R
AR IN C 6 2 9
IN T E R F AC E
C E N T E R BU S
AR IN C 6 2 9
IN T E R F AC E
L E F T BU S
AR IN C 6 2 9
IN T E R F AC E
R IG H T BU S
A
A
T H R E E MO D E
PC U
SER VO LO O P S &
MO N IT O R S
EL EVAT O R
AIL ER O N
F LAPER O N
R U D D ER
A
A
C RC
F LIG H T
CONT ROLS
D C PO W E R
AC E
PO W E R
S U P PL Y
AN D
PC U S O V s
PIN
PR O G R AM M IN G
IN PU T
S IG N AL
M ANAG E M E NT
(IS M )
S IG N AL
C O M M AN D
DECODE
CON TROL
(S C D C )
A/D
*D E M U X
*M UX
R V D T 's & L V D T 's
E X C IT AT ION
BU F F E R 's
D E M O D 's
D M M ' & C M M 's
A
SPO ILE R SER V O
L O OP S &
MO N IT O R S
A
PIT C H R AT E
SENSOR
F LA P
PO S IT IO N
PILO T S '
CM DS
D/A
RUDDER TRIM /ELEVATOR FEEL
ACTUATOR SERVO
LOOP & MONITOR
ST AB T R IM
CONTROL
AU T O SPE ED B R AK E AR M
D IR E C T M O D E
S C H E D U LE S
GUST SUPPRESSION
XDUCER INTERFACE
D IR E C T
M ODE
S W ITC H
MODAL SU PPRESSION FUNC TION
ACCEL EROMETER S
777-300: AC E EXT ER N AL P IT C H
R AT E SEN SO R IN T ER FAC E
R ACE
Fig ure 7
T yp ica l A C E A rch ite c tu re
X -LA N E
MON
3S
3M
2M
2S
3C
1
AD C
SC D C
C RO SS
C HAN NEL
M ON
M ID -V ALU E
S E LEC T
C H AN N E L
IN H IB IT
PFC
OUTPU T
E N AB LE
MON
629
AC E
CRC
629
MON
629
S TB Y
CMD
PFC
CR C
B U F FE R
U P D AT E
MON
IS M
SC DC
AD C
DA C
PFC V al id ity
Po w er S up p l y M o ni to r
62 9 M o ni to r
1
SS FD
SE R VO
EL EC
PC U
AC E PC U
SVM
CM M
DM M
SOV
CM D RESP .
CO N T R O L
LAW
P ow er S up ply M onitors
3M
3S
3C
C ros s la ne m onitoring of 3 d issim ila r la ne input
W rap Around M onitor
629
MON
CRC
P F C S S ig n a l P a th M on ito rin g
CR C
SA AR U
AD IR U
629
CRC
AC E
629
F ig u re 8
2M
2S
CRC
N o data m onitor in g.
D ata p ath m onito red b y W A M
C ro ss c ha nn el m o nito ri ng
DEMOD
ACE
X -LA N E
MON
PIL O T
LV D T
F LT D E C K
C om m on m o de m on ito r
D em od m o nit or
Digital commands received from the PFCs are converted
to analog commands for use by the actuator servo loops.
The analog servo loop commands are also converted
("wrapped") back to digital form for use by the
Wraparound Monitor. The monitor then compares the
original digital commands with the wraparound
commands to verify operation of digital to analog and
analog to digital conversion.
All LRUs transmitting critical data on ARINC 629
bus are required to comply with the Flight Controls Bus
Requirements [15] inclusive of providing CRC
checkwords. All flight critical LRUs (eg, PFC & ACE)
perform CRC monitoring of each received wordstring.
Input Signal Management (ISM) processing is
performed by each PFC on ARINC 629 input signals
received by the PFCs including those originating from
the ACEs, ADIRU, SAARU, ADMs, AFDCs, and
AIMS. ISM includes Signal Selection and Fault
Detection (SSFD) algorithms which perform signal
selection and static and dynamic fault monitoring. This
algorithm must be designed to adequately isolate failed
components for an extended period of time where
delayed maintenance is desired.
4.0
Summary
The successful certification of the first Boeing
FBW airplane, airplane in general and FBW in specific,
in four and half years depends to a large extent on the
following: 1) a new facility to accommodate a large
number of test labs, the Integrated Aircraft Systems Lab
(IASL), 2) a viable FBW architecture, 3) working
together with customer airlines for their help in
designing the airplane, 4) certification planning,
5) research work from the fault tolerant computing
community.
References:
1.
2.
J.H. Wenseley et al "SIFT: Design and Analysis of
a Fault-Tolerant Computer for Aircraft Control",
Proceeding of the IEEE, Vol. 66, No. 10, October
1978.
A.L. Hopkins Jr., T.B. Smith,III, J.H. Lala, "FTMPA Highly Reliable Fault-Tolerant Multiprocessor
for Aircraft", Proceeding of the IEEE, Vol. 66,
No. 10, October 1978.
3.
L. Lamport, R. Shostak, M. Pease, "The Byzantine
Generals Problem", ACM Trans. on Programming
Languages and Systems, Vol. 4, No. 3, July 1982.
4.
S.S. Osder, "Generic Faults and Architecture
Design Considerations in Flight-Critical Systems",
AIAAJournal of Guidance, Vol.6,No.2, MarchApril 1983.
5.
J. McGough, "Effects of Near-Coincident Faults In
Multiprocessor Systems", Fifth AIAA/IEEE Digital
Avionics Conference, October 1983.
6.
R.J. Bleeg, "Commercial Jet Transport Fly-By-Wire
Architecture Consideration", Ninth AIAA/IEEE
Digital Avionics System Conference, October
1988.
7.
C.J. Walter, "MAFT: An Architecture for Reliable
Fly-By-Wire Flight Control", Ninth AIAA/IEEE
Digital Avionics Conference, October 1988.
8.
A.D. Hill, N.A. Mirza, "Fault Tolerant Avionics",
Ninth AIAA/IEEE Digital Avionics Conference,
October 1988.
9.
R.A. Hammond, D.S. Newman, Y.C. Yeh, "On FlyBy-Wire Control System and Statistical Analysis of
System Performance", Simulation, October 1989.
10. A. Avizienis, M.R. Lyu, W. Schutz, "In Search of
Effective Diversity: A Six-Language Study of
Fault-Tolerant Flight Control Software", FTCS-18,
1988.
11. J.C. Knight, N.G. Leveson, "An Experimental
Evaluation of the Assumption of Independence in
Multversion Programming", IEEE Trans. On
Software Engineering, January, 1986.
12. A. Avizienis, "A Design Paradigm for FaultTolerant Systems", AIAA Computers in Aerospace
Conference, October 1987, Paper 87-2764.
13. J. McWha, "777 Systems Overview", RAeS
Presentation, November 1993.
14. Y.C. Yeh, "Triple-Triple Redundant 777 Primary
Flight Computer", 1996 IEEE Aerospace
Applications Conference, February 1996.
15. Y.C. Yeh, "Dependability of the 777 Primary Flight
Control System", DCCA-5, September 1995.
16. J.L. Shaw, H.K. Herzog, K. Okubo, "Digital
Autonomous
Terminal
Access
Communication(DATAC)", Seventh AIAA/IEEE
Digital Avionics System Conference, November
1986.
17. D.L. Sebring, M.D. McIntyre, "An Air Data Inertial
Reference System for Future Commercial
Airplane", Ninth AIAA/IEEE Digital Avionics
Conference, October 1988.
18. K. Hoyme, K. Driscoll, "SAFEbus", Eleventh
AIAA/IEEE Digiatl Avionics Conference, October
1992.
Related documents
Ultra-Reliable Fly-By-Wire Computers for Commercial
Ultra-Reliable Fly-By-Wire Computers for Commercial
FLY-BY-WIRE
FLY-BY-WIRE
Homework 1 Draw an ER diagram for an airline reservation system
Homework 1 Draw an ER diagram for an airline reservation system
BW Flight OPS Team
BW Flight OPS Team
AFD (France)
AFD (France)
Bio on George Buswell
Bio on George Buswell
Fail-Passive Electronics for Safety Critical avionics
Fail-Passive Electronics for Safety Critical avionics
Tutorial 2
Tutorial 2
The Great Paper Airplane Lab
The Great Paper Airplane Lab
Download
advertisement