20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse

cesic cesic 2014-2015 Le mardi, de 17h à 19h

Série de Conférences Ingénierie des systèmes embarqués critiques

1- 27/1/2015: Architecture de systèmes embarqués aérospatiaux JP. Blanquart (Airbus Defence and Space) and P. Traverse (Airbus) 2- 10/3/2015: Obsolescence matériel / logiciel A. Brahmi, JM. Dautelle, P. Pons, J. Toulze (Airbus) 3- 17/3/2015: Les systèmes automobiles H. Foligné (Continental)

Plus d’information à http://asso-cisec.org

http://asso-cisec.org/

CISEC Critical embedded systems engineering

ISAE, Toulouse, November 25th, 2013

Architecture for safe and dependable

aerospace systems

Jean-Paul Blanquart

Airbus Defence and Space, Toulouse

[email protected]

Pascal Traverse

Airbus, Toulouse

[email protected]

mailto:[email protected]




This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

CISEC - SEC Conferences Series - Aero-Space systems -

Lecture overview

Space systems, a quick overview Definition Various missions, spacecrafts, …

Dependable architecture solutions for space systems. Needs and constraints Redundancy, basic schemes Illustrations

Dependable architecture solutions for aircraft.

Development cycle considerations

This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Space Systems: Definition (tentative)

Space system A “system” with at least one component in “space”

System:

Not too simple

Artificial (at least partly): made, or adapted, to serve some explicitly stated purpose

Space: At least 100 km above the surface of the Earth

During some significant time (“Several orbits”)


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Various “segments”

Interacting systems Space and ground segments

Launch segment Ground + launcher

In-orbit servicing

Constellations of satellites


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Various missions

Telecommunications

Earth observation

Meteorology

Navigation and positioning

Science Astronomy Earth observation Deep space and planetary exploration

Technology

In-orbit servicing


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Various “locations”

Earth orbit Low Earth Orbit (LEO) Medium Earth Orbit (MEO) Geostationary Orbit (GEO) Highly Elliptical Orbit (HEO) GEO Transfer Orbit (GTO)

Other

Lagrange points Trajectories in space Planetary rover


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Various spacecrafts


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

This is a spacecraft too


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

And what about this one?


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

And this one?

The Westford project (1961-1963)


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Constraints

Mass, size, power consumption

Environment (radiations, temperature, …)

Knowledge, mastering of the environment

Maintenance

Ground-space communication limitations

Phased missions, critical parts

Cost


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Reminder

Dependability (IFIP, WG 10.4)

Dependability: trustworthiness of a (computer) system such that reliance can justifiably be placed on the service it delivers.

"ability to avoid services failures that are frequent and more severe

than acceptable"

Characterised by: Attributes, (attributs) Threats, (entraves) Means (moyens)


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

The dependability tree

Attributes (attributs)

Availability (disponibilité) Reliability (fiabilité) Safety (sécurité-innocuité) Security (sécurité-confidentialité) ...

Dependability (sûreté de fonctionnement)

Means (moyens)

Fault prevention (prévention des fautes) Fault tolerance (tolérance aux fautes) Fault removal (élimination des fautes) Fault forecasting (prévision des fautes)

Threats (entraves)

Faults (fautes) Errors (erreurs) Failures (défaillances)


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Needs (dependability)

Reliability

Availability

Maintainability

Safety

Security


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Means (dependability)

Prevention Processes

Procurement, component selection, screening, “derating”

Validation

Tolerance

Redundant resources on-board

Dependable architecture

Fault tolerance: on-board automatic mechanism in charge of “Fault Detection, Isolation and Recovery” (FDIR)


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Dependable architecture

Basic principle: Redundancy

Information Error detection/Correction codes

Structure

Fault tolerant architecture


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Cold standby redundancy architecture

Monitoring and Reconfiguration Unit

Most often used for space systems

Most reliable as the failure rate of an unpowered element is generally significantly lower than of a powered one (about one tenth)

Context Memory Element A Element B

ON OFF


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Hot standby redundancy

CISEC - SEC Conferences Series - Space systems - JP. Blanquart - Astrium Satellites

(A way to select the active outputs may be necessary) Lower long-term reliability May be used if the backup cannot be activated in case of failure

E.g., TC receivers, TC decoders Or for equipment for which no interruption of service is tolerated (ex :

flight control OBC of Ariane V launcher)

Context Memory


Element A Element B

ON OFF ON

This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Warm standby redundancy

For equipment with a long start-up time (e.g., computers)

Ensure very short reconfiguration times

More complex to manage (periodic backup and upload of context, alarm watchdog & reconfiguration)

Context Memory


Element A Element B

ON OFF Stand by


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Fault-masking using majority voting

Basic approaches (triplex architecture)

Computation

Computation

Computation Vote

Computation Vote

Computation Vote

Computation Vote


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Assembly of self-checking components

Self-checking components

self-checking component (for a given set of faults): for each considered fault, all input configurations leads to either a correct output or a detected error

Self-checking component (for a given set of faults): for each considered fault, at least one configuration of inputs leads to a detected error

Both: totally self-checking component

Function

Check

Outputs

Error

Inputs


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

From fail-stop building blocks To dependable aircraft architecture

• « Airbus COM/MON » architecture


Function

Check

Outputs

Error

Inputs

Relay

Lightning, EMI and voltage protection

Processor RAM ROM I/O

Power supply Watchdog

Control Lane

Processor RAM ROM I/O

Power supply Watchdog

Monitor Lane

28V DC

Critical outputs (e.g., actuators)

This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Fly-by-Wire (Airbus)

ELAC1Control

Monitor

SEC1Control

Monitor

ELAC2Control

Monitor

SEC2Control

Monitor

THS

Elevators

Left side stick (co-pilot)

Right side stick (pilot)

Mechanical trim

THS: Trimmable Horizontal Stabilizer

Mechanical link


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Dependable space system

Architecture

Collection of chains with self-tests

When needed or possible, some variations

Procedures

Explicit detection and reconfiguration

When needed or possible, some variations


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Launcher (Ariane 5)

CISEC - SEC Conferences Series - Space systems - JP. Blanquart - Astrium Satellites

This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Launchers: other solutions

Simplex architecture N-modular redundancy

Zenit, Proton Delta 4: RIFCA


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Manned launchers

Hermes quadruplex architecture substituted to launcher’s one CTV: adapted launcher architecture with improved computer failure detection

coverage

BFout2

Reset / Alimentation

1553

TM1

BFout1

TM2

Alimentation

BC

Bfin BFin

USRRT/OBS

Reset / Alimentation

OBC 2RT/OBS

OBC 1Contexte / RepriseContrôle commande

IPN

GNC2 Bus GNC3 Bus GNC4 Bus

Communication Busses

GNC2

BC

RT

IPC

GNC3

BC

RT

IPC

NAPMIOP

GNC4

BAP

RT

SIORPBC IPC

RT

GNC1 Bus

GNC1

BC

RT

IPC

RT RTRT


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Classical satellite architecture (1/2)

OBC N

Eqt N Eqt N Eqt N Eqt N

OBC R

Eqt R Eqt R Eqt R Eqt R COLD

MRE

Reminder: Launcher


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

ATV: Nominal + Safety chains

DPU2

ALB

Bus A

Avionics System Bus B

Avionics System Bus C

Avionics System Bus D

Avionics System

FML

AVI MSU DPU3DPU4DPU1


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Fifty years in a spacecraft

Launchers Satellites

“~10-6/h” 2xlifetime, 90%> However:

Launch: 6-7% In-orbit installation: 4-5% Early phase: 1.510-6/h Life: 0.5 10-6/h

20.030.040.050.060.070.080.090.0

100.0

1955 1960 1965 1970 1975 1980 1985 1990 1995 2000 2005

Succ

ess r

ate

Launches 10 year mean Mean (90.7%)

20%

20%

22%

25%

4%9%

Propulsion

Command

Mechanical

Power

Deployment

Environment

39%

29%

6%

3%

13%

10%Propulsion

Command

Structure

Power

Separation

Explosion


This

doc

umen

t is

the

prop

erty

of A

striu

m. I

t sha

ll no

t be

com

mun

icat

ed t

o th

ird p

artie

s w

ithou

t pr

ior

writ

ten

agre

emen

t. Its

con

tent

sha

ll no

t be

dis

clos

ed.

Oupsss…

It is a long way to space!

No source of failure should be overlooked

Factory, Road…


Airbus Embedded Systems

AIRBUS EMBEDDED SYSTEMS

Presented by Pascal TRAVERSE

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

28/01/2015 Airbus Embedded Systems Page 2


• Aircraft system overview • System development Requirement capture

Safety requirements & safety process

Integration

Time issues

• Example: integrated modular avionics

• Example: Fly-by-Wire design for dependability

The route to « fly-by-wire »

dependability threats

• Concluding remarks

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Definition of a system

AIRCRAFT SYSTEM OVERVIEW

A combination of inter-related items arranged to perform a specific functions(s), see ARP 4754.

Example, an airplane is a system:

• which is a component of the transport system,

• which is, itself, made up of several airborne systems.

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Embedded system (systèmes embarqués, systèmes enfouis)


Prototype of artificial hart (CARMAT)

PAssive Start and Entry System (Continental AG)

Video telephony as imagined in 1910

http://commons.wikimedia.org/wiki/File:Smartcard2.png

http://upload.wikimedia.org/wikipedia/commons/5/5b/Video_telephony_as_imagined_in_1910.jpg

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


AIRFRAME SYSTEMS 21 AIR COND. 24 ELECTRICAL POWER 27 FLIGHT CONTROLS 30 ICE & RAIN PROTECTION 33 LIGHTS 36 PNEUMATIC

22 AUTO FLIGHT 25 EQUIPMENT 28 FUEL 31 INSTRUMENTS 34 NAVIGATION .......

23 COMMUNICATIONS 26 FIRE PROTECTION 29 HYDRAULIC POWER 32 LANDING GEAR 35 OXYGEN

PERD

ATC

CAR EX TA DO ----


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Systems represent about 30% of the Aircraft price

Computers represent about 40% of the Systems price


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


REQUIREMENT CAPTURE

• Explicit requirements classical allocation process General A380-800 objectives

• Mission and performance (8000 NM / 555 pax )

• Improve Aircraft safety

• Life cycle cost and COC (- 17% per seat)

• Service readiness at EIS (maturity at First Flight)

• Dispatch reliability : 99% at EIS

• A platform for 30 years of evolutions

Direct Weight

safety

Direct cost, maintenance

quality

reliability

Obsolescence, evolution

SYSTEMS

Integration / Trade-off between requirements

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Availability is mandatory (the direct cost of a delay)

REQUIREMENT CAPTURE

Maintainability In very diverse conditions

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


To Ensure and Preserve

AIRWORTHINESS and

AVIATION SAFETY

Airworthiness regulation is a legal obligation contracted by States signatories of the ICAO Convention

•Chicago Convention, signed 7th December 1944, established the International Civil Aviation Organization.

•To undertake International Air Transport, each nation has to be a signatory (currently 188 nations)

REQUIREMENT CAPTURE

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


FAR (US regulations) & CS (European regulations) are requirements, part of the A/C specification. Certification is encompassing process, not only product. Guidance provided (SAE ARP 4754A – EUROCAE ED79A “certification considerations for highly-integrated or complex systems”)

REQUIREMENT CAPTURE

Airworthiness regulation: another set of requirements to be cascaded & complied

with

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Airbus Embedded Systems

• Industrial constraints Systems are expensive components and thus installed as

late as possible in A/C assembly process

Any failure at that time disrupts the assembly process and potentially delays the final delivery

REQUIREMENT CAPTURE

Structural Assembly

Systems equip & test & Cabin Pre-customisation

Tests and adjustments

Wing/ fuselage join-up

1 PI Production Interval

A A A A A A

B B B B B To avoid these delays:

– quality of delivered equipment & installation drawings

– systems designed for assembly

– Design Office support to Assembly line

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Design for Assembly

Define integration tests during the system development

Reduce these tests duration

Insert “hooks” (tests embedded in final software, system to output all key internal data etc)

Identify assembly line configuration (A/C jacked, specific power supply, ...)

Design for Robustness – damages,

– foreign objects, ...

REQUIREMENT CAPTURE

http://upload.wikimedia.org/wikipedia/commons/d/d0/Spuerschw%C3%A4in.jpg

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Addressing environmental topics

REQUIREMENT CAPTURE

• Reduction in drag, weight • Environmentally friendly material use

• Eco-design

• Elimination of hazardous materials in surface technologies (chromate, cadmium...)

• Disseminate best environment practices

• Integrating energy consumption as one major parameter Shape technologies to reduce the use of raw materials and waste

• Support airlines • Modernised air traffic

management (SESAR) • Biofuels

• Re-integration of materials • New recycling possibilities

Airbus: 1st Aircraft Manufacturer awarded ISO 14001 – all sites and products

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Derived requirements – from design solution

• Implicit requirements From “expectations” to “needs” and then “requirements”

– Early focus groups with airlines personnel

– Prototyping

– Route proving / early long flight

– Feedback from in-service experience

Compliance with

specification is not sufficient

REQUIREMENT CAPTURE

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


REQUIREMENT CAPTURE

Mostly waterfall-type development

- Develop an executable model of a consistent part of the final product (e.g. take-off mode of a flight control law)

- Load it in a flight simulator and test it with end-users (e.g. pilots – test & instructors) as soon as it is reasonably working; Developers of the model are participating to the test

- At the end of the test, decide together what are the most pressing issues to solve and iterate quickly

- Produce final software, based on this model (not from a re-formulation of the model)

- Note that this is not a “pure” agile development: - part of the validation of the control laws is made without the

end-users (analysis of the stability margins for example). - There is a global development plan (e.g. features of the

control laws that are sizing the primary structure are defined earlier than those that are “just” on the software critical development path) that is steering the iteration cycles

- Specifications are captured in parallel to formalize validation and avoid future regression

With an agile-like touch

Are the needs

acceptable?

Validation of the final product versus customer needs

Requirements validation

Assumptions validation

Verification: Get the assurance that the product is compliant to its specification

Manufacturing

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Some V&V means

REQUIREMENT CAPTURE

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

January 2015 Embedded systems Architecture - Fly-by-Wire Page 20

Yearly fatal accident rate per million flights

Fourth Gen = FbW A/C B777/787

A320/330/340/350/380)

Companies are merging New Airlines are coming Financial crisis Governments are changing

SAFETY REQUIREMENTS & SAFETY PROCESS

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.



Partially Systems related

Partially prevented By Systems

(TAWS, TCAS, Flight Envelope Prot.)

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• « FAILURE CONDITION » DEFINITION FROM CS 25 1309

• A « Failure Condition » is defined at each system level by its effects on the functioning of the system. It is characterised by its effects on the other systems and on the

aircraft.

All single failures or combination of failures including failures of other systems that have the same effect on the considered system are grouped together in the same

« Failure Condition »


Software boundary System boundary

Latent software error in data or executable code

Fault System failure

Failure condition (effect at aircraft level)

Figure from DO178C

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Classes Objectives at FClevel

Objectives atAircraft level

CATASTROPHIC< 10-9/hr +

Fail Safe criterion< 10-7/hr +

Fail Safe criterion

HAZARDOUS < 10-7/hr no objective

MAJOR < 10-5/hr no objective

MINOR no objective no objective

SAFETY SEVERITY CLASSES AND ASSOCIATED OBJECTIVES

Gradation of effort

Assumption of less than 100 Cat. FC

Quantitative & qualitative

FC: Failure Condition


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Extremely Improbable 10-9/FH No single failure

Development Assurance Level

(DO178/ED12, ARP4754/ED79, .. DAL A)

Manufacturing Particular Risks

Environment

(DO160/ED14)

Zonal Safety Assessment

Human Machine Interface

(pilot & maintenance)


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.



Some particular risks

http://images.google.com/imgres?imgurl=http://bilder.vgb.no/13326/img_44e40fdaa27e6.jpg&imgrefurl=http://vgb.no/13412/perma/92699/&h=290&w=260&sz=10&hl=fr&start=97&tbnid=UjS8wLSRi1jSPM:&tbnh=115&tbnw=103&prev=/images%3Fq%3Dpittbull%26start%3D80%26ndsp%3D20%26svnum%3D10%26hl%3Dfr%26lr%3D%26rls%3DGGLI,GGLI:2005-17,GGLI:fr%26sa%3DN

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Top level requirements

document

Top Level Product

Requirements

Top Level Program

Requirements

Airworthiness

regulation, MMEL

Aircraft manufacturer

directives

Cost requirements

2- Aircraft FHA (Functional Hazard

Analysis

Previous A/C design and “In

service” experience

A/C Functions List A/C constraints

1- S/R Common Data Document

√

√ √ √

√

√ √

Function /Systems allocation matrix

…

…

SRD

PSSA

PSSA 4- System function list

and System FHA

10-

Aircraft Safety/

Reliability

Synthesis

PSSA

PSSA

PSSA

PSSA 7- Equipment level Safety/Reliability studies

(FMEA/FMES, etc.)

PSSA

PSSA 9b- SSA System Safety

Assessment and MMEL safety justification

9a- PSSA first flight

PSSA

PSSA 3- System S/R Requirements

document

s y s t e m l i s t

Aircraft functions list

8- COMMON CAUSE

ANALYSIS (CCA):

- PRA (Particular Risk Analysis) - ZSA (Zonal Safety Analysis) - CMA (Common Mode Analysis) - HHA (Human Hazard Analysis

PSSA

PSSA

6- Equipment S/R Requirements

PTS PTS PTS

5- PSSA: Prelim. system Safety Assessment

FIA: Function Implantation Analysis IHA/ECHA: Intrinsic/Environment

hazard Analysis

11-Airworthiness

monitoring

12-Lessons learned

Aircraft certification

Aircraft in service

√

√

Safety & Reliability method and process - Research, - Standards, - Processes, - Methods, - Guidelines, - Tools, - In service follow up - S/R Rules and recom. - Regulation

Multi disciplinary activities Multi program, multi disciplinary activities

Multi system activities on one program

System/equipment activities on one program

Common Cause activities on one program

A/C Requirements/CRI, Significant Items, Aircraft S/R Reviews , Interface S/R Activities

System S/R Reviews

TOP (AIRCRAFT) –

DOWN (COMPONENT)

PROCESS

requirements allocation

BOTTOM - UP

evaluation


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.



document

Top Level Product

Requirements

Top Level Program

Requirements

Airworthiness

regulation, MMEL


directives

Cost requirements


Analysis





√

√ √ √

√

√ √


…

…

SRD

PSSA


and System FHA

10-

Aircraft Safety/

Reliability

Synthesis

PSSA

PSSA

PSSA


(FMEA/FMES, etc.)

PSSA




PSSA


document

s y s t e m l i s t


8- COMMON CAUSE

ANALYSIS (CCA):


PSSA

PSSA


PTS PTS PTS



hazard Analysis

11-Airworthiness

monitoring

12-Lessons learned


Aircraft in service

√

√







System S/R Reviews

IN-SERVICE AIRCRAFT

LESSONS LEARNED


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.



document

Top Level Product

Requirements

Top Level Program

Requirements

Airworthiness

regulation, MMEL


directives

Cost requirements


Analysis





√

√ √ √

√

√ √


…

…

SRD

PSSA


and System FHA

10-

Aircraft Safety/

Reliability

Synthesis

PSSA

PSSA

PSSA


(FMEA/FMES, etc.)

PSSA




PSSA


document

s y s t e m l i s t


8- COMMON CAUSE

ANALYSIS (CCA):


PSSA

PSSA


PTS PTS PTS



hazard Analysis

11-Airworthiness

monitoring

12-Lessons learned


Aircraft in service

√

√







System S/R Reviews

COMMON CAUSE ANALYSIS: - Common Mode Analysis - Human Hazard Analysis - Particular Risk Analysis - Zonal Safety Analysis


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Certification major objective is to ensure safety 25.1309, 25.xyz, ARP4754/ED79, DO178/ED12, ED.zyx, … “Business” margins are taken on top of certification requirements Assumptions Operational reliability

Safety margins are taken too, based on each manufacturer unique history. Confidence in the safety case: meaning of 10-9, what is a single failure,

coverage of tests etc. Not a pure mathematical demonstration Rigorous analysis with independent checks


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


coordination with judicial authorities

“arrangements with judicial authorities shall respect the independence of the safety investigation authority and allow the technical investigation to be conducted diligently and efficiently.”

“all statements taken from persons by the safety investigation authority in the course of the safety investigation shall not be used for purposes other than safety investigation”

Mandatory reporting Regulation regular update “Just culture”


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Baghdad Nov 2003 - A300 Loss of 3 hydraulic circuits + fire

Outstanding flight crew landed the aircraft using engine thrust to control the flight

Companies are merging Financial crisis Governments are changing


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


•Proper interfacing and integration Software modules

computer/actuator

systems

systems in aircraft

Aircraft in air traffic

Aircraft in overall society

INTEGRATION

http://upload.wikimedia.org/wikipedia/commons/9/99/Mecha.gif

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


INTEGRATION

From airplane to “nuts and bolts”

… and back

Integration in the airplane

In air traffic

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

January 2015 Embedded systems Architecture - Fly-by-Wire Page 35

Fly, Navigate, Communicate, Manage Systems

Suppliers Airbus, Thales, UTAS, Honeywell,

Rockwell, Sogerma, Zodiac, Sagem …

Pilots Human Factors

Certification Safety Aircraft

Flight Mechanics Structural loads Wiring, actuators

installation

Aircraft Pilot vision

System installation in limited space

Other Systems Interaction

Systems state

Other Systems Actuation, Engine,

Power systems Configuration

Systems

Fly-by-Wire Point of view

Cockpit Point of view

INTEGRATION

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


INTEGRATION – Value Engineering

trades, exchange

rates operator

A/C fly-away price

OWE

MTOW

high-speed drag

SFC

landing charges

fuel cost

flight crew cost

cost of ownership

DMC Maintenance intervals

and checks

reliability (OR)

manufacturer

RC primary and resizing

NRC level and distribution

time-to-market EIS

Production volume and cadence

A/C fly-away price as link

between operator and manufacturer economics

environmental charges

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


INTEGRATION

lighting EMI

hot cold

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


INTEGRATION

Integration in the society

Integration in the world economy

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

INTEGRATION (skills)

Page 39

Aeronautics Automatic Control …

Human Machine Interface

Graphic Design …

Mechanics Electricity

Fluids Mechanics …

Electronics Computer Science

Internet …

Safety

Manufacturing, Quality Intellectual property

…

English, French, German Management, ethics

…

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Need to make trade-off System weight vs. cost; reliability vs. weight … never safety

System complexity (reliability etc.) vs. overall aircraft weight

Early

TIME ISSUES

1kg ≈ 2kg “snow ball effect”

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


TIME ISSUES

Plan the system

development

Specify the

system

Design the

system

Integrated processes : Validate, Verify, Safety studies, Maintainability studies, Modifications

Other supporting processes : Certification coordination, Configuration management, Process Assurance, Reviews, Supplier monitoring…

Specify the

equipment

Specify the installation & wiring

Develop, Verify the

equipment

The project, definition: unique process, consisting of • a set of coordinated and controlled activities • with start and finish dates, • undertaken to achieve an objective • conforming to specific requirements, including the constraints of time, cost and resources.

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Page 43

End of ramp-up

Type Certification

Definition freeze

Equipment & Harness Production

Concept freeze Start of Production

Start of Assembly

TIME ISSUES - Aircraft development plan (priority on Time, resources available, no provision for risks)

Entry into Service Authorization

to offer ATO

5 to 6 years

FLIGHT TESTS Check assumptions

Final tuning Complete V&V

Complete documents

INTEGRATION Ensure safety of flights V&V of A/C functions

Complete SW

EQUIPMENT DESIGN From specifications to 1st

prototype

SYSTEM DESIGN Functions,

Architecture Interfaces

A/C CONFIGURATION Wing … sizing

System functions, requirements & Major architecture choices

SUPPORT MANUFACTURING

Start of Flight tests

28/01/2015 Airbus Embedded Systems

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Technical challenges

TIME ISSUES

Side-stick: •1st test in flight on a modified Concorde in 1978, then an A300 in 1982

•Entry into Service in 1988

Brake To Vacate: •PhD thesis in 1998-2002

•Research in Airbus 2002-2005

•Development on A380 2006 to 2009 ( 30 Oct. 2009, A380 – MSN 033)

“COVAS” law (flexible A/C control)

• PhD thesis in 1995

• Entry into Service in 2002 (A340-600) “Oscillatory Failure Detection”

. PhD thesis in 2011

. Entry into Service in 2014 [A350]

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Continuous improvement Safety innovation, customer new expectation ...

TIME ISSUES

On A380 in 2010

On A380 in 2010 for the mail, 2012 for the mobile

2012 - Flight plan preparation (A/C performance computation)

TCAS Alert Prevention (TCAP)

On all Airbus FbW 2012 - 2013

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Number of electronic equipment

80

60

40

20

100

INTEGRATED MODULAR AVIONICS

Functionality (number of lines of code)

(arbitrary log scale)

1970 1975 1980 1985 1990 1995

104

103

102

101

Con

cord

e

A30

0B

2000 2005 2010

A38

0

A31

0

A32

0

A33

0

A34

0 -6

00 105

A380 with IMA

Integrated Modular Avionics (IMA): increasing functionality, while stabilizing the number of pieces of electronic equipment

A350

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Stringent economical & industrial objectives for new aircraft types (A380, A400M, A350) Minimize Development & Maintenance Costs Reduce Development Life Cycle Cost Harmonize design of aircraft avionics Manage obsolescence of hardware and evolutions of

functions Ensure Safety and Reliability

• Chosen way to fulfil these objectives Provide data communication capabilities

–Avionics Data Communication Network (ADCN) Provide centralised computing capabilities

– Integrated Modular Avionics (IMA)


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


A LRU A

LRU B B

Airborne Functions

(several Function Suppliers)

Conventional Avionics (several LRU Suppliers)

LRU C C

IMA Modules

CPIOM : Core Processing Input/Output Module (Centralized Architecture) CPM : Core Processing Module (Distributed Architecture)

Functions Integration Level (per module) :

• A380: 2-4 functions

• A350: 3-6 functions

• A30X: 6-12 functions

Data processing is on a ATA xx Specific LRU

Data processing is on a Generic LRU Federated Architecture Integrated (and Standardized) Architecture


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Specified by Airbus

Specified by Airbus

IMA Module

Func

tion

1

Func

tion

2

Func

tion

3 Developed by Module Supplier

Developed by Function Suppliers (example Liebherr, Thales, Rockwell-Collins … including Airbus (FbW, cockpit …)

Global integration (integrated Module) is performed by Airbus

Arinc 653 API


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• High communication capacity: speed, bandwidth and number of connected LRM/LRU 100 Mb/s, potential to go up to 1Gb/s

• Based on existing and established telecommunication technology and standards (Ethernet)

• Deterministic behavior Offer guaranteed quality of service to network subscribers

• Flexible Re-configurable to support new needs with no or limited physical

impacts


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Flight Control

Engines

Cabin

Fuel&LG

Cockpit

Energy

Network A Switch

Network B Switch

LRU - IMA Modules

Virtual Link (VL) = communication channel between one emitter and several receivers.


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Total Loss of Braking is classified Catastrophic • As a consequence, Braking System shall not solely use

IMA equipment Implementation of Emergency Braking Control Unit,

independent from IMA equipment

Emergency Braking Control Unit

IMA-based Normal Braking Control Unit


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Consistent erroneous attitude information displayed in the cockpit is classified as potentially Catastrophic

• Consequently, undetected erroneous attitude information shall not result of a single failure within ADCN Attitude information from independent sources to

independent display units shall use independent routing within ADCN

Attitude A/C side1 Attitude A/C side2 ADCN routing 1

ADCN routing 2


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Undetected erroneous fuel quantity information may lead to fuel imbalance and is classified as potentially Catastrophic

• As a consequence, undetected erroneous fuel quantity information shall not result from a single failure within IMA Fuel System based on Command - Monitoring architecture Command lane within one IMA equipment - Monitoring lane

within another IMA equipment

IMA-based Fuel Quantity & Management Command lane

IMA-based Fuel Quantity & Management Monitoring lane


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


THE ROUTE TO « FLY-BY-WIRE »

A never ending quest

To move the control surfaces

To help pilots

To improve safety

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Fully mechanical system

Power: from the pilot Help: means to reduce control loads (tab…)


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Hydromechanical system Power: centralized hydraulic systems and servocontrols Help: yaw damper, trim, auto-pilot (speed, altitude), protections against

excessive structural loads. Devices moving the mechanical control.

AP

AP A/C response

Feel and Limitation Computer

Flight Augmentation

Computer

Caravelle 1955*


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.



AP

AP A/C response

Feel and Limitation Computer

Flight Augmentation

Computer

to … “Fly-By-Wire”….or Electrical Flight Control System (EFCS) …. or “Commandes de Vol électriques” (CDVE)

Auto-pilot computer

Fly-by-wire computers

A/C Response

A/P order

From Mechanical Flight Control System…. A320 1987*

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


From Fly-by-Wire ….

Auto-pilot computer


A/C Response

A/P order

HYDRAULIC POWER

to … “Fly-by-Wire” associated to “Power-by-Wire”.

Flight Management computer


A/C Response

Guidance targets

HYDRAULIC and

ELECTRICAL POWER

A380 2005*


A380 2005*

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


to … Distributed Power-and-Fly-by-Wire



A/C Response

Guidance targets

HYDRAULIC and

ELECTRICAL POWER


A350 2013*

Actuator Control Surface position targets

MIL-STD 1553 bus

From “Power-and-fly-by-Wire”.



A/C Response

Guidance targets

HYDRAULIC and ELECTRICAL POWER

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


1969 1978 1982

2001 1987 1991

2005 * First flight year

2013 2009


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


FbW: DEPENDABILITY THREATS

AVAILABILITY

IN OUT

OUT

IN

t

Loss of control

SAFETY

t

IN OUT

IN

Runaway

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


SAFETY (physical faults)

COM

MON

COMMAND & MONITORING COMPUTER


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


SAFETY (physical faults)

FAILURE DETECTION


Monitored system

Model of the system

+ -

Sub-band Filter

Oscillation counting “solid” “liquid”

P. Goupil. AIRBUS State of the Art and Practices on FDI and FTC in Flight Control System. Control Engineering Practice 19 (2011), pp. 524-539 DOI information: 10.1016/j.conengprac.2010.12.009

Alleviation of structure sizing cases (manoeuvre, gust, failure cases)

SF is the achieved Safety Factor Loads to be considered can be due to a design gust, when a

Load Alleviation System is unavailable (SF = Ultimate loads / loads due to manoeuvre, gust, … not alleviated) or the sum of loads due to a continuing failure (surface oscillation) and of all design loads

λ is the probability per flight hour of the failure T is an exposure time during which loads are not alleviated

10-9 10-5 1

1.5

SF

λT

1

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


AVAILABILITY (physical faults)

P1 S1

P2 S2

REDUNDANCY ACTIVE / STAND-BY

P1/Green P2/Blue S1/Green S2/Blue


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Fault prevention &

removal

Design and Manufacturing errors.

Airbus Fly-by-Wire system is developed to ARP 4754 level A Computers to DO178B & DO254 level A

(plus internal guidelines)

Two types of dissimilar computers are used PRIM ≠ SEC

Fault tolerance P1 S1


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


FUNCTIONAL SPECIFICATION - interface between aircraft & computer sciences - automatic code generation

- Classical V&V means, plus - virtual iron bird (simulation) - some formal proof


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


A380 Iron Bird


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


PROOF Of PROGRAM – MODEL CHECKING (Airbus FbW practice) At SYSTEM level: current Airbus state of the art is mainly as a way to debug complex logic. From a formal model of the system, a “model checker” lists all possible states, then looks for some particular states (those that do not satisfy a “property” ) . Example:

-Formal model: SCADE logic that determines if the ground spoilers must be deployed - Particular state: ground spoilers are deployed in flight

At SOFTWARE level: partial proof (with credit for A380 certification) of FbW software

-Unit verification by automated formal proof (deductive method and theorem proving) - Safe maximum stack usage (statistical analysis by abstract interpretation) - Worst case execution time computation (statistical analysis by abstract interpretation)


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


-PROOF Of PROGRAM – MODEL CHECKING Comparison with test & simulation

- Static check – no execution - pros: exhaustivity when the model satisfies the property; allow to detect very complex errors when models do not satisfy the property - cons:

- state explosion – system (model + property) may be too complex for the model checker - properties formalisation (what means “in flight”?)

How to cope with states explosion: -By simplifying the model while keeping the properties (“abstract interpretation”) - By valuing the states graph (probability of states)


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


FAULT TOLERANCE - SEC simpler than PRIM - PRIM HW ≠ SEC HW - 4 different software - data diversity

P1 S1

P2 S2

- From “random” dissimilarity to managed one - Comforted by experience


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


- Qualification to environment - Physical separation - Ultimate back-up

Particular risks. The issue: COMMON POINT AVOIDANCE


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


ULTIMATE BACK-UP - Continued safe flight while crew restore computers - Expected to be Extremely Improbable - No credit for certification - From mechanical (A320) to electrical (A380, A400M …)

r

28VDC Hydraulic

power


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Avionics

Avionics Flight Controls Actuators

ELECTRICAL GENERATION HYDRAULIC GENERATION

HYDRAULIC GENERATION ELECTRICAL GENERATION

EMER GEN

GEN 1

GEN 2

APU GEN

EMER GEN

GEN 1

GEN 2

APU GEN

GREEN PUMP

YELLOW PUMP

BLUE PUMP

GREEN PUMP

YELLOW PUMP

• A320 ... A340

• A380 A400M A350

Flight Controls Actuators

ELECTRICAL ACTUATION MORE REDUNDANCY

DISSIMILAR (HYDRAULIC / ELECTRICAL) INCREASED SEGREGATION


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Aircraft handling, SOPs, environment

Situation Awareness, Advisory

Protection

Detection, warning

DECISION HELP • Reduction of workload, stress, complexity • Pilot as a supervisor

AUTOMATISATION • Ultimate safety net • Instant flight management of danger • Routine tasks


HUMAN-MACHINE INTERFACE

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Stick released : Aircraft will fly inside normal

Flight Envelope

Stick on the stops : Aircraft will fly

at the maximum safe limit

Peripheral

Normal

-Flight envelope protections

- TCAS, TAWS …

- Airbus protections

Let the crew concentrate on trajectory


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


FLY-BY-WIRE ARCHITECTURE FUTURE TREND?

Architecture : network, standard ressources

Functions : systems manage short term situation (stab, protections), the pilot manages the flight.

Completions of protections. Integration with structure and the airframe (loads alleviation).

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.





Integration

Time issues






© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Some lessons

The system will function if properly integrated within its environment (other systems, platform,

people …)

requirements are correctly integrated (no inconsistency, correct balance between requirements)

The system will be successful if the overall aircraft (at least) is successful (= if optimisation is done at

aircraft level)

for the whole development & in-service life of the aircraft

the customer needs are well understood


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Safety is the priority in aviation – flying is safe Nothing is granted Duty for continuous improvement

Need to forecast future threat

Continuous need to Look at the global picture (complete airplane, design .. Certification ..

In-service, stack of redundancy vs. common point) Management to be supportive and pro-active

Never compromise on safety & ethics


© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


Club Inter-associations Systèmes Embarqués Critiques - CISEC

• Association Aéronautique et Astronautique de France • Société de l’électricité, de l’Electronique et des Technologies de l’information et de la communication • Société des Ingénieurs de l’Automobile

Séminaires, journées d’étude, ateliers … http://asso-cisec.org/

cesic cesic




© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


THANK YOU – QUESTIONS?

CISEC - http://asso-cisec.org Airbus Innovation - www.thefuturebyairbus.com

THANK YOU - QUESTIONS?


http://www.thefuturebyairbus.com/

© A

IRB

US

S.A

.S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted by the delivery of this document and the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will be pleased to explain the basis thereof.

Embedded Systems Integration – Fly-by-Wire

January 2015

Pascal Traverse, Airbus

© AIRBUS S.A.S. All rights reserved. Confidential and proprietary document.

January 2015 Embedded systems Architecture - Fly-by-Wire

Purpose of the presentation To show that designers have to integrate requirements

From outside the company (customers, airworthiness authorities …) From plants and assembly lines (workers’ safety, assembly time reduction …)

that are both important and challenging.

Page 2



Page 3

REQUIREMENT CAPTURE • Explicit requirements classical allocation process General A380-800 objectives

• Mission and performance (8000 NM / 555 pax )

• Improve Aircraft safety

• Life cycle cost and COC (- 17% per seat)

• Service readiness at EIS (maturity at First Flight)

• Dispatch reliability : 99% at EIS

• A platform for 30 years of evolutions

Direct Weight

safety

Direct cost, maintenance

quality

reliability

Obsolescence, evolution

SYSTEMS

Integration / Trade-off between requirements



Embedded Systems Dependability (Fly-by-Wire) State of the art

Page 4

Yearly fatal accident rate per million flights

Fourth Gen = FbW A/C B777/787 A320/330/340/350/380)

Companies are merging New Airlines are coming Financial crisis Governments are changing



Page 5

FAR (US regulations) & CS (European regulations) are requirements, part of the A/C specification. Certification is encompassing process, not only product. Guidance provided (SAE ARP 4754A – EUROCAE ED79A “certification considerations for highly-integrated or complex systems”)

REQUIREMENT CAPTURE

Airworthiness regulation: another set of requirements to be cascaded & complied with



Embedded Systems Dependability (Fly-by-Wire) Certification

Page 6

no single failure (even < 10-9/FH) Installation - Particular Risks; Zonal Safety Assessment

Qualitative assessment of the quality of the design (Development Assurance Level - DO178/ED12, ARP4754/ED79, .. DAL A)

Human Machine Interface assessment

A Catastrophic Failure Condition must be Extremely Improbable On top of the rigorous & mathematical number 10-9/FH (probability per Flight Hour)



Page 7

Mostly waterfall-type development

REQUIREMENT CAPTURE

- Develop an executable model of a consistent part of the final product (e.g. take-off mode of a flight control law)

- Load it in a flight simulator and test it with end-users (e.g. pilots – test & instructors) as soon as it is reasonably working; Developers of the model are participating to the test

- At the end of the test, decide together what are the most pressing issues to solve and iterate quickly

- Produce final software, based on this model (not from a re-formulation of the model)

- Note that this is not a “pure” agile development: - part of the validation of the control laws is made without the

end-users (analysis of the stability margins for example). - There is a global development plan (e.g. features of the

control laws that are sizing the primary structure are defined earlier than those that are “just” on the software critical development path) that is steering the iteration cycles

- Specifications are captured in parallel to formalize validation and avoid future regression

With an agile-like touch

Are the needs

acceptable?

Validation of the final product versus customer needs

Requirements validation

Assumptions validation

Verification: Get the assurance that the product is compliant to its specification

Manufacturing



Page 8

From airplane to “nuts and bolts”

… and back

Integration in the airplane

In air traffic

Integration



Page 9

Integration

Fly, Navigate, Communicate, Manage Systems

Suppliers Airbus, Thales, UTAS, Honeywell,

Rockwell, Sogerma, Zodiac, Sagem …

Pilots Human Factors

Certification Safety Aircraft Flight Mechanics Structural loads Wiring, actuators installation

Aircraft Pilot vision System installation in limited space

Other Systems Interaction Systems state

Other Systems Actuation, Engine, Power systems Configuration Systems

Fly-by-Wire Point of view

Cockpit Point of view



Page 10

End of ramp-up

Type Certification

Definition freeze

Equipment & Harness Production

Concept freeze Start of Production

Start of Assembly

Aircraft development plan (priority on Time, resources available, no provision for risks)

Entry into Service Authorization

to offer ATO

5 to 6 years

FLIGHT TESTS Check assumptions Final tuning Complete V&V Complete documents

INTEGRATION Ensure safety of flights V&V of A/C functions Complete SW

EQUIPMENT DESIGN From specifications to 1st prototype

SYSTEM DESIGN Functions, Architecture Interfaces

A/C CONFIGURATION Wing … sizing System functions, requirements & Major architecture choices

SUPPORT MANUFACTURING

Start of Flight tests



We got the Type Certificate! • All hardware has been specified, then designed, qualified • All software is written and tested • All hazards have been taken into account

• Failure, software error, engine rotor burst, maintenance error … • All item have been integrated • The airplane has been flown with multiple pilots, human factor

specialists were involved

• Your experts, your management and yourself are justifiably confident, Aviation Safety Agencies have delivered the Type Certificate

• This is the end! Let start a new product! And highly disruptive!

Page 11

Reminder: Innovation is funded by the profit made on units delivered to customers (provided customer support and manufacturing disruption are not eating all the margin).



A few Quality basics • Engineers have produced a “definition” of the airplane

• Set of drawings • Lines of code … • (Flight Crew Manual, Maintenance Procedure …)

Page 12

Configuration management and manufacturing quality are basic processes, supported by the Engineering work.

Errors in the manufacturing process will occur. Hence a Quality process is in place: Rigorous configuration management,

• from top level requirements, then to the definition and down to the inspected work orders

Rigorous assembly and inspection process • Compliance to segregation rules between redundant resources, no damage to wires, equipment ...

Test of the installation • Proper wires connection, no leakage in pipes …

Note: • It is: check that the right software is loaded in the right computer; check the actual distance between 2 items • It is not: run again the software tests done for type certification; compute the needed distance



The airplane is compliant to the definition … at the end

• The airplane is compliant when it is finished • But then time is very expensive (all costs are paid by the manufacturer but the airline will pay the

price only after delivery) • Some checks are no more possible (area are closed …)

Page 13

Confidence in the airplane is built all along the manufacturing process, on very diverse evidences.

Compliance checks (inspection, test) cannot wait for airplane completion but are spread all along the manufacturing process, the earlier the better √ A sequence of filters ( … supplier of equipment … installation in plane … flight test before delivery) √ Sufficient coverage by the combined filters and despite mishaps that occur between them

Inspections & tests have to be adapted to an exotic configuration √ Wiring is installed but not the computer √ Airplane is powered from factory power (neither airport power nor airplane power system) √ Airplane is on jacks (neither ground nor flight) √ …..



Personnel Safety • Safety for regular passengers flight is not sufficient

• Workers are everywhere in the airplane (intervening on electrical power

system …) and around the airplane (beware of moving parts: rudder, aileron …)

• The airplane doesn’t behave exactly like in airline operation • Airplane on jacks … • Missing parts, equipment not fully qualified • The airplane is flown from one plant to another without some

components (passengers cabin item).

Page 14

Systems logics and tests have to be adapted to each configuration of the airplane in the assembly line.



Time is money • Most costly item in an assembly line is the cost incurred

to finance the procured parts before final delivery (inventory cost). Sequencing of operations is optimized

most expensive item are installed the latest Cost to assemble and test is minimized

Poke yoke, colour code Software to help the tests in FAL is embedded in flight

control computers and remains inside after delivery Design to cost, design to manufacture is mandatory

Page 15

Manufacturing constraints must be taken into account as early as any other constraints (flight safety, performance …).



Line disruption

• Any disruption (equipment delivered late or found faulty, time to fix the issue …) is delaying the assembly line. Financial cost associated to late delivery Customer (airline) dissatisfaction Financial deal may be time-limited

• Computers are able to send internal data to support trouble shouting. • Components are protected. • A support from design office is located in the assembly line

Page 16

In term of quality of the design, Assembly line is (almost) as important as an airline.

Structural Assembly Systems equip & test & Cabin Pre-customisation

Tests and adjustments

Wing/ fuselage join-up

1 PI Production Interval

A A A A A A

B B B B B



Concluding remarks – system development process • Airplane are designed for the airlines and their passengers

• Safety, reliability, performance, maintainability …

• They are designed so that confidence can be justifiably placed on them by: • Airlines & passengers • Aviation safety agencies (EASA, FAA …) • The manufacturer (Airbus and its employees)

• They are also designed to be manufactured. A set of requirements as challenging as safety or performance

ones.

Page 17



Page 18

28/01/2015 Page 18

THANK YOU – QUESTIONS?

CISEC - http://asso-cisec.org Airbus Innovation - www.thefuturebyairbus.com





http://www.thefuturebyairbus.com/


© AIRBUS S.A.S. All rights reserved. Confidential and proprietary document. This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will be pleased to explain the basis thereof. AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.

Page 19
