Proposal Fly-by-Wire

(FBW)
BOEING 707-320C
Overview of the System

Electronic Flight Controls called Fly-by-Wire (FBW)

Delayed maintenance concept for major electronic Line Replacement Units (LRU)

Airplane Information Management System (AIMS)

Primary Flight Computer

◼ Central Computing system onboard the Boeing
◼ Architecturally based on the TMR

Air Data Inertial Reference System (ADIRS) / Secondary Altitude & Air Data
Reference Unit (SAARU)

Global DATAC Bus .. Commonly known as the ARINC 629 Bus.

Fly-by-Wire Design Philosophy

Must meet extreme high levels of Functional Integrity & Availability.

Safety Considerations:
◼ Common mode / Common Area Faults
◼ Separation of FBW components
◼ FBW Functional Separation
◼ Dissimilarity
◼ FBW Effect on Structure.

Usage of Hardware Redundancy for all hardware resources, namely.

◼ Computing Systems
◼ Airplane Electrical Power
◼ Hydraulic Power
◼ Communication Paths.
Primary Flight Control Function

Figure 1 from [1]

Provision of Manual & Electronic Control in the three axis ..

◼ PITCH Control : 2 Elevators & Horizontal Stabilizer
◼ ROLL Control : 2 Ailerons & 2 aperons, 14 spoilers
◼ YAW Control : tabbed rudder

Pilot input from the Column, wheel, rudder pedals, speed brakes.
FBW Architecture Overview
SUPPORTING SYSTEMS

AFDCs ADMs

AIMS ADIRU SAARU

FLIGHT CONTROL DATA BUSES

From CONTROL PILOT INPUT

To PRIMARY FLIGHT CONTROL SURFACES

PFCs
AIMS : Aircraft Information Management System
AFDC : AutoPilot Flight Direction Computer
ADIRU : Air Data Inertial Reference Unit
SAARU : Secondary Altitude & Air Data Reference
ACE : Actuator Control Electronics ACEs PCUs (31)
PFC : Primary Flight Computer
PCU : Power Control Units, Actuators
Primary Flight Control Modes

There are THREE Primary Flight Control Modes …

1. Normal Control Mode.
❑ Pilot Commands are input through control columns, wheels, rudder pedals and a
speedbrake lever.

❑ Transducers sense the pilot commands for the Actuator Control Electronics.

❑ The ACEs convert the analog command signals into digital form and transmit to the
Primary Flight Computers via the ERINC Bus

❑ The PFCs receive the airplane inertial and air data from the ADIRU / SAARU

❑ Surface Commands are transmitted to the ACEs via the ARINC Bus

❑ ACEs convert the digital commands to analog commands to electrically control the
Actuators.
Primary Flight Control Modes

2. Direct Control Mode.

❑ Selected under two conditions:
1. Flight Deck Switch
2. ACEs detecting Invalid commands from the PFCs

❑ ACEs use the Analog Pilot Controller transducer signals to generate surface
commands.

3. Secondary Control Mode.

❑ Selected under two conditions:
1. Insufficient availability of inertial or air data.
2. When ACEs are in the Direct Mode.

❑ Limited Control over the aircraft control surfaces.

Actuator Control Electronics

Redundancy in the form of FOUR ACEs

Provide an Interface between the FBW analog domain & digital domain.

Each ACE contains.

◼ Three Terminals to communicate with the data buses, according to the ARINC
specifications.
◼ A Control Mode Selection which either responds to the commands on the digital bus or
the analog control laws depending upon the Mode of Control of the PFC.

At any given time, at least one of the remaining three ACEs is monitoring the
operational ACE for faults or incorrect output commands.
Actuator Control Electronics

Flight Control ARINC 629 Data Bus

Power Supply ARINC 629 ARINC 629 ARINC 629 Primary PCU Servo
Loops & Monitors:
& Interface Interface Interface Elevator
Condition LEFT BUS CENTER BUS RIGHT BUS Aileron
Flaperon
Rudder

Input Signal Monitoring & Signal Selection

Spoiler Servo Loops

Feel Actuator
PILOT COMMANDS Control Servo Loops
Mode
Direct Analog Mode Engage Selection Backdrive Actuator
Servo Loops

Auto Speedbrake Arm

Role of Primary Flight Computer

Receive Inertial Data from

◼ Air Data Inertial Reference System (ADIRS)
◼ Secondary Altitude and Air Data Reference Unit (SAARU)
◼ Actuator Control Electronics (ACE)
Compute Control – Surface position commands depending upon the
data received.
Transmit position commands back to the Actuator Control Electronics
via the DATAC (commonly called the ARINC 629) buses.

SAARU
ADIRS
Secondary Primary Flight Computer Air Data Inertial
Altitude & Air Data
Reference System
Reference Unit

Actuator Control
Electronics
PFC Architecture Overview

Three Primary Flight Computers provide Triple redundant computational

channels for the primary flight control system.
◼ Each PFC receives data from all three ARINC Control buses.
◼ Each PFC transmits data on its associated bus only.

Each PFC channel contains three dissimilar processor lanes

◼ Each lane contains dissimilar processors and different Ada compilers to provide triple
dissimilarity.
◼ Each lane contains it’s own power source.
◼ Each lane has it’s own ARINC 629 terminals to communicate with the buses.

These exists inter-lane communication within each channel.

There also exists inter-channel communication.

 PFC Architecture Overview
Left PFC

Power Power Power

Supply Supply Supply

Micro- Micro- Micro-

Processor Processor Processor
AMD 29050 Motorola 68040 INTEL 80486 Center PFC Right PFC

ARINC 629 ARINC 629 ARINC 629

Interface Interface Interface

Lane 1 Lane 2 Lane 3

L
C
R
Flight Control ARINC Data Buses
PFC Safety Requirements
Safety Requirements apply to two types of failures:
◼ Passive failures which cause loss of function without significant immediate airplane
transient
◼ Active failures which cause malfunction with significant immediate failures.

Numerical Probability requirements for both failures:

1.0E–10 per flight hour.

PFC should be designed for a Nominal Mission for following configuration.

◼ All PFC lanes operational
◼ Any single PFC lane inoperative

PFC should be designed for AutoLand for following configurations.

◼ Any single PFC lane inoperative in one, two or all the PFCs
◼ Any one PFC inoperative and any one lane of remaining two PFCs inoperative
◼ All PFC lanes operational
◼ Any one PFC inoperative.
PFC Safety Requirements

The PFC should also comply to the following:

◼ No single fault should cause an erroneous transmission of output signals without a
failure indication.
◼ No single fault can cause a loss of function in more than one PFC.

BOEING 707 uses a

“Triple-Triple Redundant PFC Architecture”
FBW Design Constraints

The Airplane can be susceptible to Common Mode / Common Area faults ..

◼ Impact of objects
◼ Electrical faults
◼ Hydraulic failures
◼ Structural damage
◼ Electromagnetic environments

The Boeing Design Constraints on the basis of these faults are:

1. Component & Functional Separation enable maintenance crew error or
mishandling.

2. Separation of FBW Components

◼ Multiple equipment bays
◼ Physical separation of electrical wiring & hydraulic lines routing.
◼ Physical separation of redundant LRUs
FBW Design Constraints

3. Functional Separation
◼ Electrical Power allocated to the PFC and ACE
◼ Left, Right & Center Flight Control Electrical buses
◼ Although all PFCs and ACEs listen to all three ARINC 629 Buses, each transmits on
it’s own specific bus only.
 Monitoring of other buses is possible
 A single unit failure does not affect other Units.

◼ Similar to the L/C/R Flight Control Bus system, there is a L/C/R Hydraulic System.
Advantage of this arrangement is obvious ..
 Single hydraulic bus failure does not affect the controllability of the aircraft.

4. Maintaining Dissimilarity
◼ Generic Design Faults can defeat redundancy strategies
◼ Refer to “Generic Faults & Architecture Design Considerations in Flight Critical
Systems” – S. S. Osder, AIAA Journal of Guidance, 1983.
FBW Design Constraints
◼ Dissimilar Microprocessors and Compilers in the PFCs (common software)
◼ Dissimilar Control & Monitor Functions in ACE
◼ Dissimilar ADIRU / SAARU
◼ ACE direct mode bypasses the ARINC Control Buses.
 PFC Redundancy Management
Flight Control Buses

Input Signal Control Laws Output Signal PCO

Management Calculation Management 629 XMT
(ISM) (CLAWS) (OSM) SCO
Left
ACE
ADIRU Channel Output
Selector
(COPS)
SAARU
PCO
STORE
Left PFC Command Lane PCO

Center
ACE
Left Center PFC Command Lane
System Buses

AIMS

Right
ACE
Right
AIMS Right PFC Command Lane

PCO: Proposed Command Output

SCO: Selected Command Output
L C R L C R
PFC Redundancy Management

1. PFC Cross-Lane Data Bus

◼ Separate from the ARINC 629 Control Buses
◼ To provide Data Synchronization & Frame Synchronization within Channel

2. PFC Frame Synchronization

◼ For tighter Cross-Lane Monitoring thresholds
◼ Synchronization is within a few microseconds.

3. PFC Data Synchronization

◼ All PFC lanes are synchronized to same data set. This data is then used at the
beginning of each computational frame.
◼ Can tolerate occasional PFC lane differences
◼ ARINC 629 operates at 2 MHz … (T = 20 microseconds)
◼ Frame Synchronization for shortest usable word string is very less compared to this
T of 20 microseconds.
PFC Redundancy Management
Each PFC Lane can operate in two modes:
◼ Command Mode
◼ Monitor Mode

Only one of the three lanes can be in Command Mode

The command lane performs the following functions:

◼ Receives proposed surface commands from the other two PFC Channels
◼ Median Select of the three inputs
◼ The output of the median is sent as Selected Surface Command

PFC lanes in Monitor mode perform ‘Selected Output’ monitoring of their

command lane

PFC Command lane performs ‘Selected Output’ monitoring of other two PFC
Channels.
PFC Redundancy Management

3. The median select provides:

◼ Fault Blocking against PFC faults until completion of fault detection & identification.
◼ Reconfiguration via the PFC cross-lane monitoring.

4. The PFC Command lane is inhibited via the cross-lane inhibit hardware logic.

5. The faulty PFC Channel is inhibited via the cross-channel inhibit hardware
logic.
Output Signal Monitoring

Figure 10 of [1]
ARINC 629 Digital Data Bus

Time Division multiplexed system

◼ Multiple transmitters with broadcast-type autonomous terminal access

Up to 120 Users may be connected together

Users communicate to the bus using a coupler and terminal.

Terminal Access is autonomous.

◼ Terminals listen to the bus and wait for a quiet period before transmitting.
◼ Only one terminal can transmit at a time.
◼ After transmitting, three protocol timers ensure that it transmits only after every
other terminal had a chance to transmit.

The Terminal Controller & the SIM (Serial Interface Module) are installed on a
circuit board within each LRU.
ARINC 629 Block Diagram
Current Mode Coupler ARINC 629 Data Bus

Receive
Personality
PROM

Terminal Controller

Demodulator Receiver

Address
Data

SIM
STRAP
Protocol Protocol Subsystem
Interface

Address

Modulator Transmitter

Transmit
Personality
PROM
ARINC 629 Requirements

For FBW operation …

◼ Data Bus availability requirements

◼ Error Tolerance: 1 bit per E+8 bits

◼ Tolerance of Aperiodic Bus Operation

◼ A common CRC Algorithm Usage.

Fault Tolerant - ADIRS

Consists of:
◼ Air Data & Inertial Reference Unit (ADIRU)
◼ Secondary Attitude & Air Data Reference Unit (SAARU)
◼ six Air Data Modules (ADMs)

Needs for the ADIRS

◼ Eliminate need for the many subsystem to perform inertial & air data redundancy
management.
◼ To provide a single high-integrity, consolidated source of inertial and air data to all
systems.
◼ To relieve the pilots of the responsibility to detect and isolate erroneous data from
their displays.
FT - ADIRU

GYROS ACCELS

G G G G G G A A A A A A

PS REDUNDANCY MGMT. REDUNDANCY MGMT.

MICROPROCESSORS
PS AIR DATA VOTERS

PS

Power Supplies

LEFT CENTER RIGHT

VOTER VOTER VOTER VOTER

I/O I/O I/O I/O

INPUT INPUT
WRAPARR WRAPARR WRAPARR WRAPARR
FT - ADIRU

The FT - ADIRU is responsible for its own redundancy management.

Responsible for associated Air Data Sensors.

Processors in the ADIRU:

◼ Vote & Monitor the Triplex air data sensors.
◼ Monitor the ARINC modules by full data wrap-around
◼ Monitor the Power Supplies as to which should power the entire Unit.

ARNIC Modules do a bit-by-bit vote of processor outputs.

The FT - ADIRU transmits identical data on two ARINC 629 buses.

FT - ADIRS Architecture
LEFT PITOT PROBE
ADM

L C R L1 L2 C1 C2 R1 R2
ADM ADM ADM
STANDBY DISPLAYS

PY PZ P1 P2 P3 P4

STDY
ADM

STBY. SAARU ADIRU

ADM

ADM ADM ARINC 429 Display Buses

CENTER PITOT PROBE

RIGHT PITOT PROBE

FT - ADIRS

A backup unit .. SAARU is also implemented

◼ It is physically separated source of critical data.
◼ Entirely dissimilar in design from the FT-ADIRU

Under Normal conditions … the ADIRU is used (except for the standby attitude
display)

Once ADIRU goes Invalid, the SAARU performs air data sensor voting and
monitoring.

The ADMs are connected to the Pitot Probes & flush static probes.

The ADMs use the ARINC 629 to communicate with the ADIRU & SAARU.

Two standby ADMs use a dedicated ARINC 429 to communicate with the
standby displays.
AutoPilot Flight Director System
Provides functions necessary for automatic control.
The system consists of:
◼ Mode Control Panel (MCP)
◼ THREE Autopilot Flight Director Computers (AFDCs)
◼ Flight Director
◼ Back drive Control Actuators (BACs) … etc.

AFDS does not have direct control of Primary flight Control Surfaces.

The Flow is:

Autopilot Flight Director System

Primary Flight Control Computers

Actuator Control Electronics

Frontdrive System Architecture
Input Sensor Voting
And Signal Command Voting Plane
ADIRU Selection Plane
Analog
429
Sensors MANUAL
L
V COMPUTATION V ACE PCU
AP

ARINC 629 Buses

ARINC 629 Buses

SAARU MANUAL
Analog
429 I/O V COMPUTATION V ACE PCU
AP
Sensors
C MANUAL

V COMPUTATION V ACE PCU

AP
ADIRU
Analog
429
Sensors AFDCs PFCs
R