Distributed and Reconfigurable Architecture for Flight Control System

Distributed and Reconfigurable Architecture for Flight Control System

EEL 6935 - Embedded SystemsDept. of Electrical and Computer

EngineeringUniversity of Florida

Liza RodriguezAurelio Morales

2 of 23

OutlineOutline

• IntroductionIntroduction• State of the Art: Airbus FCSState of the Art: Airbus FCS• Massive Voting ArchitectureMassive Voting Architecture• Modeling and SimulationModeling and Simulation• ConclusionsConclusions

3 of 23

OutlineOutline


4 of 23

Flight Control SystemsFlight Control Systems

•Initially : Mechanical • Heavy, uses systems of pulleys,

cranks, tension cables and pipes

•Now: Fly-by-Wire• replaces manual control of the

aircraft with an electronic interface

• movements of flight controls are converted to electronic signals

• flight control computers determine how to move the actuators at each control surface to provide the expected response

5 of 23

System RequirementsSystem Requirements

• General Aviation Safety• Operational reliability, high performance, energy efficiency, low cost

• Dependability• Integrity – must not output erroneous signals, should not send

incorrect information to actuators

• Availability – system must always be available to process requests

• Radiation• Can cause over voltages and under voltages

• Electromagnetic radiation should not affect data communication

• Indirect effects of lightning is a possible source

6 of 23

OutlineOutline


7 of 23

State of the Art: Airbus FCSState of the Art: Airbus FCS•FCS is based on self checking flight control computers

• System functions are divided between computers so that only 1 FCC is active at a time and the others are standby

• Computers control each actuator with priority order, thus loss of a single computer does not mean loss of a particular function

• System can run using only 1 FCC if necessary

•Error checking is performed by 2 units of FCC • Command & Monitoring - both units have the same inputs and

calculate the same outputs

• If outputs are different, system control switches to another FCC

•Actuator nodes are simple• Perform according to command

• No processing, no communication feedback

8 of 23

State of the Art: Airbus FCS ArchitectureState of the Art: Airbus FCS Architecture

•Initially : Mechanical

9 of 23

State of the Art: Airbus FCCsState of the Art: Airbus FCCs

•System functions are divided between computers so that only 1 FCC is active at a time and the others are standby

•Computers control each actuator with priority order, thus loss of a single computer does not mean loss of a functionTE FLAP LE FLAP AE FLAP RUDDER ELEVTR

FCC 1 FCC 2 FCC 3 FCC 4 FCC 5

Pilot Contro

l

10 of 23

State of the Art: Airbus FCCsState of the Art: Airbus FCCs

•Control and monitoring units can be thought of as two identical computers placed side by side

•Comparator detects errors and performs the final action:

• Same – control order is sent to actuator

• Different – computer cuts connection to actuator, prevents error from propagating

Processor

Power Supply

Memory

Watchdog

Processor

Power Supply

Memory

Watchdog

Control

Monitoring

Input / Output

Input / Output

Pilot Contro

l

Com

para

tor

11 of 23

RedundancyRedundancy

• Multiple flight control computers

• FCCs are often the only control path between the pilot and the actuators.

• If FCCs fail, the pilot will not be able to control the aircraft.

• Duplex flight control computers• Error checking is handled by control and monitoring units of FCCs

• Result: A lot of extra hardware

12 of 23

OutlineOutline


13 of 23

Massive Voting ArchitectureMassive Voting Architecture•Enabled by “Smart” actuators

• Includes processing elements implemented on ASIC or FPGA

• Data processing and control functionality is distributed into subsystems making them more and more intelligent

• Redundancy management is allocated to actuators

•FCCs still maintain system authority• Overall critical function and control remains in the primary computers

• Simplex FCCs generate commands but are not excluded if erroneous

•Error checking is performed by flight control remote modules (FCRM)

• Each FCRM contains 1 voter

• Voters compare received commands and select the most reliable one

14 of 23

TE FLAP LE FLAP AE FLAP RUDDER ELEVTR

FCC 1 FCC 2 FCC 3 FCC 4 FCC 5

ADCN Network

FCRM 1Actuator

V

FCRM 4Actuator

V

FCRM 3Actuator

V

FCRM 2Actuator

V

Pilot Contro

l

15 of 23

Voting ExampleVoting Example•Error checking is performed by FCRM

FCRM 1

Actuator

Voter

FCRM 2Actuator

V FCRM 3

Actuator

V FCRM 4

Actuator

V

FFC 1 – LE FLAP 20 FFC 2 – LE FLAP 20 FFC 3 – LE FLAP 31 FFC 4 – LE FLAP 20 FFC 5 – LE FLAP 20

FCC1

FCC1

FCC1

16 of 23

Hardware MinimizationHardware Minimization

•Simplex FCCs are half the size of previous FCCs

•Distributed System• Previously, when an FCC produced an erroneous message, it would

be marked as unreliable and all communication to the actuator would be cut

• By moving error detection and logic to actuator nodes, the non-faulty parts of all computers can still contribute

• Thus, fewer FCCs are required to implement a system with the same amount of reliability

•Voting Algorithms• Most do not demand high processing capabilities thus hardware size is

not a limitation at FCRM nodes

17 of 23

OutlineOutline


18 of 23

ModelingModeling

• Model Construction• ALTARICA – modeling language for safety critical systems

• Part 1: A textual description to describe both functional and dysfunctional behaviors of each component (FCC, Voters, etc.)

• Part 2: A graphical representation to reflect the flow of information for each state

• Simulation• Test case: FCC1 sends a fault command to actuator nodes

• Result: FCC1 failure has no influence in the surface control since the vote masks the faulty value and delivers the correct one. A negative acknowledgement was sent to faulty FCC.

19 of 23

Data ResultsData Results

• Aviation Safety Requirement• Failure rate for “Loss of both elevator control” must be less than 10-9 per

flight hour

• Results exceeded requirement!

20 of 23

OutlineOutline


21 of 23

ConclusionsConclusions

• Design of flight control systems is complex due to the strict requirements for aviation safety

• Most flight control systems rely on a lot of redundancy to account for system failures at the cost of additional hardware

• The massive voting architecture is a new way to incorporate redundancy into a flight control system while minimizing the amount of hardware required

• Simulation of the massive voting architecture proved that it is just as reliable as other FCS implementations

22 of 23

ReferencesReferences

• http://en.wikipedia.org/wiki/Aircraft_flight_control_system• Traverse, P., I. Lacaze and J. Souyris, 2004, Airbus Fly-By-Wire: A Total Approach to Dependability, in Proceedings of the 18th IFIP World Computer Congress (WCC 2004), Building the Information Society, Kluwer Academic Publishers, Toulouse, France, August 22-27, pp. 191-212.Toulouse, France, August 22-27, pp. 191-212.• Brière, D. and P. Traverse, 1993, Airbus A320/A330/A340 Electrical Flight Controls – Brière, D. and P. Traverse, 1993, Airbus A320/A330/A340 Electrical Flight Controls – A Family of Fault-Tolerant Systems, in Proceedings of the 23rd IEEE International A Family of Fault-Tolerant Systems, in Proceedings of the 23rd IEEE International Symposium on Fault-Symposium on Fault-Tolerant Computing TCS-23), Toulouse, France, Tolerant Computing TCS-23), Toulouse, France, June 22-24, June 22-24, pp. 616-623.pp. 616-623.•Yeh, Y.C., 1996, Triple-Triple Redundant 777 Primary Flight Computer, in Yeh, Y.C., 1996, Triple-Triple Redundant 777 Primary Flight Computer, in Proceedings of the IEEE Aerospace Applications Conference, Aspen, CO,Proceedings of the IEEE Aerospace Applications Conference, Aspen, CO,

USA, February 3-10, pp. 293-307.USA, February 3-10, pp. 293-307.

23 of 23

Questions?Questions?

Distributed and Reconfigurable Architecture for Flight Control System

Documents

Transcript of Distributed and Reconfigurable Architecture for Flight Control System