© 2007 A.W. Krings CS449/549 Fault-Tolerant Systems Sequence 27

Boeing 777

Boeing 777 Primary Flight Computer
– Paper: Triple-Triple Redundant 777 Primary Flight Computer
  » Y.C. Yeh
  » 1996 IEEE Aerospace Applications Conference
  » pg 293-307

– Primary Flight Control Surfaces
Yeh96 fig.1

Overview
– Flight control system is a Fly-by-Wire (FBW) system.
– Delayed Maintenance for major electronic Line Replacement Units (LRU)
– Triple redundancy for all hardware
  » computing system
  » airplane electrical power
  » hydraulic power
  » communication paths
– Primary Flight Computers (PFC) are the central computational elements of the FBW system.
– PFC architecture is based on TMR
– N-version dissimilarity integrated into TMR
  » 3 similar channels
  » each channel has 3 dissimilar computation lanes
  » software written in Ada (dissimilar compilers)
– DATAC bus, also known as ARINC 629 bus, is used for all communication between all computing systems for flight control functions.
  » DATAC = Digital Autonomous Terminal Access Communication
  » designed by Boeing
  » buses are isolated (physically and electrically)
  » DATACs are not synchronized
  » http://www.arinc.com

777 FBW design philosophy
– Considerations
  » common mode/common area fault
  » separation of FBW components
  » FBW functional separation
  » dissimilarity
  » FBW effect on the structure
– Triple-dissimilarity for PFC processors and interface hardware
– By nature of TMR no Byzantine faults allowed.
– Avoidance of asymmetry by:
  » ARINC 629 requirements
  » Deal with root causes of functions/communication asymmetry

Flight Control Functions
– Control electric and electro-hydraulic actuators
– Provide manual and automatic control in pitch, roll and yaw axes
– Control pilot input: column, wheel, rudder pedals, speed brakes
– Pitch Control: 2 elevators and horizontal stabilizer
– Roll Control: 2 ailerons, 2 flaperons, 14 spoilers
– Yaw Control: tabbed rudder

Three operation modes:
Yeh96 fig.2

Sequence of events:
1) Actuator Control Electronics unit (ACE)
– Position transducers (mounted on each pilot controller) sense pilot commands for the ACE
  » two actuator controlled feel units provide variable feel for control column
  » mechanical feel units provide fixed feel for wheel and pedals.
– ACE performs A/D conversion
– Transmits signals to PFCs via redundant ARINC 629 buses

2) Primary Flight Computer
– Receive inertial data from
  » Air Data Inertial Reference System (ADIRS)
  » Secondary Attitude and Air Data Reference Unit (SAARU)
  » ACE
– Compute Control-Surface position commands
– Transmit position commands back to ACE via ARINC 629 buses

3) Actuator Control Electronics unit
– Receives digital command from PFC
– D/A conversion
– Control electro-hydraulic actuators of control surfaces
– In Direct Mode, the ACEs use the analog pilot controller transducer signals to generate surface commands

Line Replacement Unit (LRU)
– PFC and ACE are the major LRU, connected via ARINC 629 buses

Actuator Control Electronics (ACE)
– 4MR configuration
– Interface between analog domain, e.g. crew controllers, electric/electro-hydraulic actuators, and digital domains, e.g. ARINC 629, PFCs
– Controls all control surfaces
– Controls variable feel actuators
– 3 ARINC 629 interfaces
– In Direct Mode commands on the digital bus are ignored => Provide direct surface control
Yeh96 fig. 3

Primary Flight Computer (PFC)
– TMR configuration
– Receive data on all 3 ARINC 629 buses
– Transmit on only one ARINC 629 bus
– Each PFC contains 3 internal computation lanes
– Each lane accesses all 3 buses
– Each lane has dissimilar processors
– Different Ada compilers

ARINC 629 Digital Data Bus
– time division multiplex system, up to 120 users
– terminal access is autonomous, terminal listens, waits for quiet period and transmits
– 3 protocol timers ensure fair access in round robin fashion
Yeh96 fig.6
– receiver listens to all traffic and determines which wordstrings are needed
– ARINC 629 bus requirements:
  » data bus availability requirements
  » tolerance to error occurrences of 1 in 10^8 bits
  » tolerance of aperiodic bus operation
  » transmission requirements to provide indication of output data freshness and to not output split-frame data
  » common CRC algorithm

Common Mode & Common Area Fault –
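
Added example (not from the slides or from Yeh's paper): a simplified Python model of the design philosophy point that TMR by nature tolerates no Byzantine faults, which is why asymmetry has to be avoided at the bus level. The channel names, the control_law stand-in, the exact-match voter and all input values are assumptions constructed for illustration.

```python
from collections import Counter

CHANNELS = ("L", "C", "R")  # three PFC channels (names assumed for illustration)

def control_law(pilot_input):
    """Hypothetical stand-in for the PFC computation; identical in every channel."""
    return 2 * pilot_input

def vote(outputs):
    """Exact-match majority vote over the three channel outputs.

    Returns (voted_value, channels_flagged_as_faulty). voted_value is None
    when no two channels agree, i.e. the fault cannot be masked.
    """
    value, count = Counter(outputs.values()).most_common(1)[0]
    if count < 2:
        return None, sorted(outputs)
    return value, sorted(ch for ch, out in outputs.items() if out != value)

def run(delivered, broken_channel=None):
    """delivered maps channel -> the input value that channel actually received."""
    outputs = {ch: control_law(delivered[ch]) for ch in CHANNELS}
    if broken_channel is not None:
        outputs[broken_channel] += 79  # constructed internal computation fault
    return vote(outputs)

def scenarios(true_input=10):
    same = {ch: true_input for ch in CHANNELS}
    return {
        # One channel fails internally; every channel saw the same input.
        "symmetric": run(same, broken_channel="R"),
        # Asymmetric sender: each channel receives a different value.
        "asymmetric_all_differ": run({"L": 10, "C": 11, "R": 12}),
        # Asymmetric sender misleads two channels identically;
        # the one healthy channel is outvoted and flagged.
        "asymmetric_two_misled": run({"L": 10, "C": 12, "R": 12}),
    }

if __name__ == "__main__":
    for name, (value, flagged) in scenarios().items():
        print(f"{name:24s} voted={value} flagged={flagged}")
```

Only the symmetric case is masked correctly; in the asymmetric cases the voter either has no majority or confidently selects the wrong command and blames the channel that received the true input.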