airbus embedded systems

Airbus Embedded Systems

AIRBUS EMBEDDED SYSTEMS

Presented by Pascal TRAVERSE

14/04/2009Airbus Embedded Systems Page 2©A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.


•Aircraft system overview•System development

�Requirement capture

�Safety requirements & safety process

�Integration

�Time issues

•Example: integrated modular avionics

•Example: Fly-by-Wire design for dependability

� The route to « fly-by-wire »

� dependability threats

•Concluding remarks


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues





•Concluding remarks14/04/2009Airbus Embedded Systems Page 4©

AIR

BU

S S

.A.S

. All

right

s re

serv

ed. C

onfid

entia

l and

pro

prie

tary

docu

men

t.

Definition of a system

AIRCRAFT SYSTEM OVERVIEW

A combination of inter-related items arranged to perform a specific functions(s), see ARP 4754.

ATN

ATCcentres

ATCcentres

ATCcentres

Weatherobservation

National Met ServiceWIMS terminal area

National Met ServiceWIMS terminal area

UK Met ServiceWIMS

In-flightCollected data

WIMS andRoutine data

RADAR+ Lightning

SecondarySurveillance

Radar

WeatherSatellite

CommSatellite

SATCOM

VHF(Voice + data)

PIREP

Terrain

Traffic

WeatherExample, an airplane is a system:

• which is a component of the transport system,

• which is, itself, made up of several airborne systems.


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

AIRFRAME SYSTEMS 21 AIR COND. 24 ELECTRICAL POWER 27 FLIGHT CONTROLS 30 ICE & RAIN PROTECTION 33 LIGHTS 36 PNEUMATIC

22 AUTO FLIGHT 25 EQUIPMENT 28 FUEL 31 INSTRUMENTS 34 NAVIGATION .......

23 COMMUNICATIONS 26 FIRE PROTECTION 29 HYDRAULIC POWER 32 LANDING GEAR 35 OXYGEN

PERD

ATC

CAREXTA DO ----



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Systems represent

about 30% of the Aircraft price

Computers represent

about 40% of the Systems price



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues






AIR

BU

S S

.A.S

. All

right

s re

serv

ed. C

onfid

entia

l and

pro

prie

tary

docu

men

t.

REQUIREMENT CAPTURE

•Explicit requirements - classical allocation process

General A380-800 objectives

•Mission and performance (8000 NM / 555 pax )

• Improve Aircraft safety

• Life cycle cost and COC (- 17% per seat)

• Service readiness at EIS (maturity at First Flight)

• Dispatch reliability : 99% at EIS

• A platform for 30 years of evolutions

Direct Weight

safety

Direct cost,

maintenance

quality

reliability

Obsolescence,

evolution

SYSTEMS

Integration / Trade-off between requirements


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Availability is mandatory (the direct cost of a delay)

REQUIREMENT CAPTURE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

To Ensure

and Preserve

AIRWORTHINESS

and

AVIATION SAFETY

Airworthiness regulation is a legal obligation contracted

by States signatories of the ICAO Convention

•Chicago Convention, signed 7th December 1944, establishedthe International Civil Aviation Organization.

•To undertake International Air Transport, each nation has to be a signatory (currently 188 nations)

REQUIREMENT CAPTURE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

FAR (US regulations) & CS (European regulations) are

requirements, part of the A/C specification.

Certification is encompassing process, not only product. Guidance provided (SAE ARP 4754 – EUROCAE ED79 “certification considerations for highly-integrated or complex systems”)

REQUIREMENT CAPTURE

Airworthiness regulation: another set of requirements to be cascaded & complied

with


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

10-9 10-5 1

1.5

SF

λT

1

Increased system costAnd/or decreased reliability

Reduced aircraft weight

• SF is the achieved Safety Factor

• Loads to be considered can be due to a design gust, when a Load Alleviation System is unavailable (SF = Ultimate loads / loads due to manoeuvre, gust, … not alleviated) or the sum of loads due to a continuing failure (surface oscillation) and of all design loads

• λ is the probability per flight hour of the failure

• T is an exposure time during which loads are not alleviated

REQUIREMENT CAPTURE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

•Derived requirements – from design solution

•Implicit requirements– Early focus groups with airlines personnel

– Prototyping

– Route proving / early long flight

– Feedback from in-service experience

• Industrial constraints

Compliance with specification is not

sufficient

REQUIREMENT CAPTURE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Aircraft functionAircraft function Aircraft function

Equipment Equipment EquipmentEquipment

A/C Fct

Specification

System

Specification

Equipment

Specification

Aircraft

Specification

SYSTEM

AIRCRAFT

SYSTEMSYSTEM

Design

Design

Design

Development

Customerneeds capture /allocation

Requirement allocation

REQUIREMENT CAPTURE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Are the needs acceptable?

Validation of the final product versus customer needs

Requirements

validation

Assumptions

validation

Verification: Get the assurance that the product is compliant to its specification

Requirements V&V

REQUIREMENT CAPTURE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Some V&V means

REQUIREMENT CAPTURE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues






AIR

BU

S S

.A.S

. All

right

s re

serv

ed. C

onfid

entia

l and

pro

prie

tary

docu

men

t.

SAFETY REQUIREMENTS & SAFETY PROCESS

SAFETY

percentage of total accidents with known causes

64.4

15.7

3.4

4.8

4.7

7.1

59.8

12.3

4.9

4.9

4.1

13.9

0 10 20 30 40 50 60 70

Flight crew

Airplane

Weather

Airport/ATC

Other

1959-1995 1986-1995

Maintenance

SYSTEMS Solutions

(TAWS, TCAS …)Low system

effect


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

• « FAILURE CONDITION »• DEFINITION FROM CS 25 1309

• A « Failure Condition » is defined at each system level by its effects on the functioning of the system. It is characterised by its effects on

the other systems and on the aircraft.

All single failures or combination of failures including failures of other systems that have the same effect on the considered system are

grouped together in the same « Failure Condition »



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Classes Objectives at FClevel

Objectives atAircraft level

CATASTROPHIC< 10-9/hr +

Fail Safe criterion

< 10-7/hr +

Fail Safe criterion

HAZARDOUS < 10-7/hr no objective

MAJOR < 10-5/hr no objective

MINOR no objective no objective

SAFETY SEVERITY CLASSES AND ASSOCIATED OBJECTIVES

Gradation of effort

Assumption of less than 100 Cat. FC

Quantitative & qualitative

FC: Failure Condition



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Extremely Improbable

10-9/FHNo single failure

� Development Assurance Level(DO178/ED12, ARP4754/ED79, .. DAL A)

� Manufacturing

� Particular Risks

� Environment (DO160/ED14)

� Zonal Safety Assessment

� Human Machine Interface(pilot & maintenance)



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.


Some particular risks


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Top levelrequirements

document

Top Level Product

Requirements

Top Level Program

Requirements

Airworthiness regulation,

MMEL

Aircraft manufacturer

directives

Costrequirements

2- Aircraft FHA (Functional Hazard

Analysis

Previous A/C design and “In

service” experience

A/C Functions ListA/C constraints

1- S/R Common Data Document

√√√√

√√√√ √√√√√√√√

√√√√

√√√√√√√√

Function /Systems allocation matrix

…

…

SRD

PSSAPSSA4- System function list

and System FHA

10-Aircraft Safety/

Reliability Synthesis

PSSAPSSA

PSSAPSSA

7- Equipment level Safety/Reliability studies

(FMEA/FMES, etc.)

PSSAPSSA9b- SSA

System Safety Assessment and MMEL

safety justification

9a- PSSA first flight

PSSAPSSA3- System S/R

Requirements document

system

list

Aircraft functions list

8- COMMON CAUSE

ANALYSIS (CCA):

- PRA (ParticularRisk Analysis) - ZSA (Zonal Safety Analysis) - CMA (CommonMode Analysis)- HHA (HumanHazard Analysis

PSSAPSSA6- Equipment S/R

Requirements

PTSPTS

PTS

5- PSSA: Prelim. system Safety AssessmentFIA: Function Implantation Analysis

IHA/ECHA: Intrinsic/Environment hazard Analysis

11-Airworthiness monitoring

12-Lessons learned

Aircraft certification

Aircraft in service

√√√√

√√√√

Safety &Reliabilitymethod and process

- Research,

- Standards,

- Processes,

- Methods,

- Guidelines,

- Tools,

- In service follow up

- S/R Rules and recom.

- Regulation

Multi disciplinary activitiesMulti program, multi disciplinary activities

Multi system activities on one program

System/equipment activities on one program

Common Cause activities on one program

A/C Requirements/CRI, Significant Items, Aircraft S/R Reviews , Interface S/R ActivitiesSystem S/R Reviews

TOP (AIRCRAFT) –

DOWN (COMPONENT)

PROCESS

requirements

allocation

BOTTOM - UP

evaluation



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.


document

Top Level Product

Requirements

Top Level Program

Requirements


MMEL


directives

Costrequirements


Analysis





√√√√

√√√√ √√√√√√√√

√√√√

√√√√√√√√


…

…

SRD


and System FHA

10-Aircraft Safety/


PSSAPSSA

PSSAPSSA


(FMEA/FMES, etc.)

PSSAPSSA9b- SSA






system

list


8- COMMON CAUSE

ANALYSIS (CCA):



Requirements

PTSPTS

PTS




12-Lessons learned


Aircraft in service

√√√√

√√√√


- Research,

- Standards,

- Processes,

- Methods,

- Guidelines,

- Tools,



- Regulation






IN-SERVICE AIRCRAFT

LESSONS LEARNED



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.


document

Top Level Product

Requirements

Top Level Program

Requirements


MMEL


directives

Costrequirements


Analysis





√√√√

√√√√ √√√√√√√√

√√√√

√√√√√√√√


…

…

SRD


and System FHA

10-Aircraft Safety/


PSSAPSSA

PSSAPSSA


(FMEA/FMES, etc.)

PSSAPSSA9b- SSA






system

list


8- COMMON CAUSE

ANALYSIS (CCA):



Requirements

PTSPTS

PTS




12-Lessons learned


Aircraft in service

√√√√

√√√√


- Research,

- Standards,

- Processes,

- Methods,

- Guidelines,

- Tools,



- Regulation






COMMON CAUSE ANALYSIS:

- Common Mode Analysis

- Human Hazard Analysis- Particular Risk Analysis - Zonal Safety Analysis



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Certification major objective is to ensure safety

25.1309, 25.xyz, ARP4754/ED79, DO178/ED12, ED.zyx, …

“Business” margins are taken on top of certification requirements

Assumptions

Operational reliability

Safety margins are taken too, based on each manufacturer unique history.

Mandating these margins should be carefully balanced



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Baghdad

Nov 2003 - A300

Loss of 3 hydraulic circuits + fire

� Outstanding flight crew landed the aircraft using engine thrust to control

the flight

� Mandatory reporting

� Regulation regular update

� “Just culture”

� Companies are merging

� Financial crisis

� Governments are changing



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues







IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

•Proper interfacing and integration

�Software modules

� computer/actuator

� systems

� systems in aircraft

� Aircraft in air traffic

� Aircraft in overall society

INTEGRATION


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

INTEGRATION

From airplane to “nuts and bolts”

… and back

Integration in the airplane


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

INTEGRATION

lighting EMI

hotcold


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Integration in the world economyAirbus orders and deliveries (March. 05)

Q QQ

QQQQQ

QQQQ Q

Q

QQQQQQQ Q

Q

QQQQ

QQQQQQQQQQ QQQQQQQQQQQQQQQQQQ

QQQQQQQ QQQ Q

QQQ QQQ Q

Q

Q

Q

QQQQQQQQQQQQQQQQQQ

INTEGRATION

Integration in the society

in air traffic


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Dependability

Quality

SKILLS

Human-Machine interface

“design”

English, French, German …, management, ethics, …

Production, … intellectual property …, maths, …

Mechanics

Electricity

Fluids

Aeronautics

Automatic control

Electronics

Computer science

Internet

INTEGRATION


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues







IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Payments

Concept Definition Development ProductionStudy

Go AheadEntry Into Service

Freedom of choice

Product Cost already fixed

0

20

40

60

80

100Total costs (%)

•Need to make trade-off

� System weight vs. cost; reliability vs. weight … never safety

�System complexity (reliability etc.) vs. overall aircraft weight

�Early

TIME ISSUES


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

TIME ISSUES

Plan the system

development

Specify the system

Design the system

Integrated processes : Validate, Verify, Safetystudies, Maintainability studies, Modifications

Other supporting processes : Certificationcoordination, Configuration management, Process Assurance, Reviews, Suppliermonitoring…

Specify the

equipment

Specify the installation & wiring

Develop, Verify the equipment

The project, definition: unique process, consisting of

• a set of coordinated and controlled activities

• with start and finish dates,

• undertaken to achieve an objective

• conforming to specific requirements, including the constraints of time, cost and resources.


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

End of ramp-up

Entry into service

Flight testsIntegration tests

Definition freeze

Equipment& HarnessProduction

Concept freeze

Start ofProduction

Start ofAssembly

TIME ISSUES

End of studies

Authorization

to offer ATO


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent. 0

50

100

150

200

250

300

1 5 9 13 17 21 25 29 33 37 41 45

Age

Nom

bre

d'ap

pare

ils

70-100 Turboprop70-100 JET60-70 Turboprop60-70 JET40-60 Turboprop40-60 JET20-40 Turboprop

Total des appareils en flotte= 3551 avionsJet : 841 avions

Turboprop : 2710 avionsAge moyen de la flotte 11 ans

TIME ISSUES

Aircraft On Ground … 4 hours to get it back into service


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Technical challenges

Side-stick:

•1st test in flight on a modified Concorde in 1978, then an A300 in 1982

•Entry into Service in 1988

Brake To Vacate:

•PhD thesis in 1998-2002

•Research in Airbus 2002-2005

•Development on A380 2006 to Entry into Service mid

2009

TIME ISSUES


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues







IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Number of electronicequipment

80

60

40

20

100

INTEGRATED MODULAR AVIONICS

Functionality(number of lines of code)(arbitrary log scale)

1970 1975 1980 1985 1990 1995

104

103

102

101

Concorde

A300B

2000 2005 2010

A380

A310

A320

A330

A340

-600

105

A380 withIMA

Integrated Modular Avionics (IMA): increasing functionality, while stabilizing the number of pieces of electronic

equipment

A350


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

• Stringent economical & industrial objectives for new aircraft types (A380, A400M, A350)

�Minimize Development & Maintenance Costs

�Reduce Development Life Cycle Cost

�Harmonize design of aircraft avionics

�Manage obsolescence of hardware and evolutions of functions

�Ensure Safety and Reliability

• Chosen way to fulfil these objectives�Provide data communication capabilities

–Avionics Data Communication Network (ADCN)

�Provide centralised computing capabilities

–Integrated Modular Avionics (IMA)



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

A

LRU A

LRU BB

AirborneFunctions

(several Function Suppliers)

Conventional Avionics(several LRU Suppliers)

LRU CC

IMA Modules

CPIOM : Core Processing Input/Output Module (Centralized Architecture)

CPM : Core Processing Module (Distributed Architecture)

Functions Integration Level(per module) :

• A380: 2-4 functions

• A350: 3-6 functions

• A30X: 6-12 functions

Data processing is on a ATA xx Specific LRU

Data processing is on a Generic LRU

Federated Architecture Integrated (and Standardized) Architecture



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Specified by Airbus

Specified by Airbus

IMA Module

Function 1

Function 2

Function 3

Developed byModule Supplier

Developed by Function Suppliers (example Liebherr, Rockwell-Collins, Airbus …

Global integration (integrated Module)is performed by Airbus

Arinc 653 API



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

• High communication capacity: speed, bandwidth and number of connected LRM/LRU

�100 Mb/s, potential to go up to 1Gb/s

• Based on existing and established telecommunication technology and standards (Ethernet)

• Deterministic behavior

�Offer guaranteed quality of service to network subscribers

• Flexible

�Re-configurable to support new needs with no or limited physical impacts



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

FlightControl

Engines

Cabin

Fuel&LG

Cockpit

Energy

Network A Switch

Network B Switch

LRU - IMA Modules

Virtual Link (VL) = communication channel between one emitter and

several receivers.



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

•Total Loss of Braking is classified Catastrophic•As a consequence, Braking System shall not solely use IMA equipment

�Implementation of Emergency Braking Control Unit, independent from IMA equipment

Emergency Braking Control Unit

IMA-based Normal Braking Control Unit



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

•Consistent erroneous attitude information displayed in the cockpit is classified as potentially Catastrophic

•Consequently, undetected erroneous attitude information shall not result of a single failure within ADCN

�Attitude information from independent sources to independent display units shall use independent routing within ADCN

Attitude A/C side1 Attitude A/C side2ADCN

routing 1ADCN

routing 2



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

•Undetected erroneous fuel quantity information may lead to fuel imbalance and is classified as potentially Catastrophic

•As a consequence, undetected erroneous fuel quantity information shall not result from a single failure within IMA

�Fuel System based on Command - Monitoring architecture

�Command lane within one IMA equipment - Monitoring lane within another IMA equipment

IMA-based Fuel Quantity & ManagementCommand lane

IMA-based Fuel Quantity & ManagementMonitoring lane



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues







IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

THE ROUTE TO « FLY-BY-WIRE »

A never ending quest

�To move the control surfaces

�To help pilots

�To ensure safety


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Fully mechanical system

Power: from the pilot Help: means to reduce control loads (tab…)



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Hydromechanical system Power: centralized hydraulic systems and servocontrolsHelp: yaw damper, trim, auto-pilot (speed, altitude), protections against excessive structural loads. Devices moving the mechanical control.

AP

AP A/C response

Feel and

Limitation

Computer

Flight Augmentation

Computer

Caravelle 1955*



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.


AP

AP A/C response

Feel and

Limitation

Computer

Flight Augmentation

Computer

to … “Fly-By-Wire”….or Electrical Flight Control System (EFCS) ….or “Commandes de Vol électriques” (CDVE)

Auto-pilot

computer

Fly-by-wire

computers

A/C Response

A/P order

From Mechanical Flight Control System….

A320 1987*


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

From Fly-by-Wire ….

Auto-pilot

computer

Fly-by-wire

computers

A/C Response

A/P order

HYDRAULIC POWER

to … “Fly-by-Wire” associated to “Power-by-Wire”.

Auto-pilot

computer

Fly-by-wire

computers

A/C Response

A/P order

HYDRAULIC and

ELECTRICAL POWER

A380 2005*


A380 2005*


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

1969* 1978*

* First flight year

1982*

2001*1987*1991*

2005*2012* 2009*



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues






AIR

BU

S S

.A.S

. All

right

s re

serv

ed. C

onfid

entia

l and

pro

prie

tary

docu

men

t.

FbW: DEPENDABILITY THREATS

SAFETYSAFETY

AVAILABILITYAVAILABILITY


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

SAFETYSAFETY

(physical faults)(physical faults)

COM

MON

COMMAND & MONITORING COMPUTER COMMAND & MONITORING COMPUTER



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

AVAILABILITYAVAILABILITY

(physical faults)(physical faults)

P1 S1C M

P2S2

C M

C M

REDUNDANCYREDUNDANCY

ACTIVE / STANDACTIVE / STAND--BYBY

P1/Green P1/Green �� P2/Blue P2/Blue �� S1/Green S1/Green �� S2/Blue S2/Blue

C M



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Fault prevention & removal

Design and Manufacturing errors.

Airbus Fly-by-Wiresystem is developed to ARP 4754 level AComputers to DO178B & DO254 level A

(plus internal guidelines)

Two types of dissimilar computers are used

PRIM ≠ SEC

Fault tolerance

P1 S1C M

C M



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

FUNCTIONAL SPECIFICATIONFUNCTIONAL SPECIFICATION

-- interface between aircraft & interface between aircraft &

computer sciencescomputer sciences

-- automatic code generationautomatic code generation

-- Classical V&V means, plusClassical V&V means, plus

-- virtual iron bird virtual iron bird

(simulation)(simulation)

-- some formal proofsome formal proof



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

PROOF PROOF

Of PROGRAMOf PROGRAM

Applied on A380 FbW software, on a limited basis, credit for cerApplied on A380 FbW software, on a limited basis, credit for certificationtification

A380 Iron Bird



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

FAULT TOLERANCEFAULT TOLERANCE

-- SEC simpler than PRIMSEC simpler than PRIM

-- PRIM HW PRIM HW ≠≠ SEC HWSEC HW-- 4 different software4 different software

-- data diversitydata diversity

P1 S1C M

P2S2

C M

C M

C M

-- From From ““randomrandom”” dissimilarity dissimilarity

to managed oneto managed one

-- Comforted by experienceComforted by experience



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

-- Qualification to Qualification to

environmentenvironment

-- Physical separationPhysical separation

-- Ultimate backUltimate back--upup

Particular risks.Particular risks.

The issue: COMMON POINT AVOIDANCEThe issue: COMMON POINT AVOIDANCE

PRIM3-SEC3-CPIOMC12100 VU

PRIM2-SEC2-CPIOMC22200 VU

PRIM1-SEC12500 VU



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

ULTIMATE BACKULTIMATE BACK--UPUP

-- Continued safe flight while crew restore computersContinued safe flight while crew restore computers

-- Expected to be Extremely Improbable Expected to be Extremely Improbable

-- No credit for certificationNo credit for certification

-- From mechanical (A320) to electrical (A380 & From mechanical (A320) to electrical (A380 &

A400M)A400M)

r

28VDC

Hydraulic

power



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Avionics

Avionics Flight Controls Actuators

ELECTRICAL GENERATION HYDRAULIC GENERATION

HYDRAULIC GENERATIONELECTRICAL GENERATION

EMER

GEN

GEN

1

GEN

2

APU

GEN

EMER

GENGEN

1

GEN

2

APU

GEN

GREEN

PUMP

YELLOW

PUMP

BLUE

PUMP

GREEN

PUMP

YELLOW

PUMP

• A320 ... A340

• A380 A400M A350

Flight Controls Actuators

ELECTRICAL ACTUATIONELECTRICAL ACTUATION

MORE REDUNDANCYMORE REDUNDANCY

DISSIMILAR (HYDRAULIC / ELECTRICAL)DISSIMILAR (HYDRAULIC / ELECTRICAL)INCREASED SEGREGATIONINCREASED SEGREGATION



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Aircraft handling, SOPs, environment

Situation Awareness, Advisory

Protection

Detection, warning

DECISION HELPDECISION HELP

•• Reduction of workload, stress, Reduction of workload, stress,

complexitycomplexity

•• Pilot as a supervisorPilot as a supervisor

AUTOMATISATIONAUTOMATISATION

•• Ultimate safety netUltimate safety net

•• Instant flight management of Instant flight management of

dangerdanger

•• Routine tasksRoutine tasks


HUMANHUMAN--MACHINE INTERFACEMACHINE INTERFACE


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Stick released :Aircraft will fly inside

normal Flight Envelope

Stick on the stops :Aircraft will fly

at the maximum safe limit

Peripheral

Normal

--Flight envelope protectionsFlight envelope protections

-- TCAS, TAWS TCAS, TAWS ……

-- Airbus protections Airbus protections

Let the crew concentrate on trajectoryLet the crew concentrate on trajectory



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

FLY-BY-WIRE ARCHITECTURE FUTURE TREND?

Architecture : �network,� standard ressources

Functions : systems manage short term situation (stab, protections), the pilot manages the flight.Completions of protections.Integration with structure and the airframe (loads alleviation).


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.





�Integration

�Time issues






AIR

BU

S S

.A.S

. All

right

s re

serv

ed. C

onfid

entia

l and

pro

prie

tary

docu

men

t.

•Some lessons

�The system will function if

� properly integrated within its environment (other systems,

platform, people …)

� requirements are correctly integrated (no inconsistency,

correct balance between requirements)

�The system will be successful if

� the overall aircraft (at least) is successful (= if optimisation is

done at aircraft level)

� for the whole development & in-service life of the aircraft

� the customer needs are well understood



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Safety is the priority in aviation – flying in safe

Nothing is granted

�Duty for continuous improvement

� Need to forecast future threat

Continuous need to

�Look at the global picture (complete airplane, design .. Certification .. In-service, stack of redundancy vs. common point)

� Management to be supportive and pro-active

� Never compromise



IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

Club Inter-associations Systèmes Embarqués Critiques - CISEC

• Association Aéronautique et Astronautique de France• Société de l’électricité, de l’Electronique et des Technologies de l’information et de la communication• Société des Ingénieurs de l’Automobile

Séminaires, journées d’étude, ateliers …

http://cisec.enseeiht.fr/cesic cesic


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

THANK YOU – QUESTIONS?


IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

rydo

cum

ent.

This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted by the delivery of this document and the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied.

The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will be pleased to explain the basis thereof.

airbus embedded systems

Documents