Pascal TRAVERSE And Isabelle Lacaze & Jean Souyrisacgsc.org/Meetings/Meeting_96/Subcommitte...

SAE/ACGS - Hilton Head

SAE Aerospace Control & Guidance Systems committee

Presented by

Pascal TRAVERSEAnd Isabelle Lacaze & Jean Souyris

AIRBUS FLY-BY-WIREA TOTAL APPROACH TO DEPENDABILITY

Reference: by Pascal TRAVERSE, Isabelle LACAZE and Jean SOUYRIS, IFIP “World Computer Conference”, in Toulouse, August 2004.

October 2005SAE/ACGS - Hilton Head Page 2© AI

RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• BackgroundWhat is « fly-by-wire »

Dependability attributes

• Coverage of (some) dependability threatsPhysical faults

Design & manufacturing errors

Particular risks

Human-Machine Interface

• Concluding words


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

AIRBUS FLY-BY-WIRE: BACKGROUND

SAFETY

AVAILABILITY


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

PHYSICAL FAULTS

SAFETY

COM

MON

COMMAND & MONITORING COMPUTER


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

PHYSICAL FAULTS

AVAILABILITY

P1 S1C M

C M

P2 S2C M

C M

REDUNDANCYACTIVE / STAND-BY

P1/Green P2/Blue S1/Green S2/Blue


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

DESIGN & MANUFACTURING ERROR

Fault avoidance

Airbus Fly-by-Wire:system is developed to ARP 4754 level AComputers to DO178B & DO254 level A

(plus internal guidelines)

Two types of dissimilar computers are usedPRIM ≠ SEC

Fault tolerance

P1 S1C M

C M


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


FUNCTIONAL SPECIFICATION

- interface between aircraft & computer sciences- automatic code generation

- Classical V&V means, plus- virtual iron bird (simulation)- some formal proof


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


PROOF of PROGRAM

Applied on A380 FbW software, on a limited basiscredit for certification

Method appraisal on-going on system functional specification


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


FAULT TOLERANCE

- SEC simpler than PRIM- PRIM HW ≠ SEC HW- 4 different software- data diversity

P1 S1C M

P2 S2C M

C M

C M

- From “random” dissimilarity to managed one- Comforted by experience


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

PARTICULAR RISKS

COMMON POINT AVOIDANCE

- Qualification to environment- Physical separation- Ultimate back-up

PRIM3-SEC3-CPIOMC12100 VU

PRIM2-SEC2-CPIOMC22200 VU

PRIM1-SEC12500 VU


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

PARTICULAR RISKS

ULTIMATE BACK-UP

- Continued safe flight while crew restore computers- Expected to be Extremely Improbable - No credit for certification- From mechanical (A320) to electrical (A380 & A400M)

r

28VDC3000psi


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Avionics

Avionics Flight Controls Actuators

ELECTRICAL GENERATION HYDRAULIC GENERATION

HYDRAULIC GENERATIONELECTRICAL GENERATION

EMERGEN

GEN1

GEN2

APUGEN

EMERGEN

GEN1

GEN2

APUGEN

GREENPUMP

YELLOWPUMP

BLUEPUMP

GREENPUMP

YELLOWPUMP

• A320 ... A340

• A380 A400M

Flight Controls Actuators

ELECTRICAL ACTUATION

MORE REDUNDANCYDISSIMILAR (HYDRAULIC / ELECTRICAL)

INCREASED SEGREGATION


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

HUMAN-MACHINE INTERFACE

Stick released :Aircraft will fly inside normal

Flight Envelope

Stick on the stops :Aircraft will fly

at the maximum safe limit

Peripheral

Normal

- Reduction of crew workload & fatigue

- Situation awareness

- System reconfiguration

- Flight envelope protections

- TCAS, TAWS …

- Airbus protections

Let the crew concentrate on trajectory


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

DEPENDABILITY PROCESS

Top levelrequirements

document

Top Level Product

Requirements

Top Level Program

Requirements

Airworthiness regulation,

MMEL

Aircraft manufacturer

directives

Costrequirements

2- Aircraft FHA (Functional Hazard

Analysis

Previous A/C design and “In

service” experience

A/C Functions ListA/C constraints

1- S/R Common Data Document

√

√ √√

√

√√

Function /Systems allocation matrix

…

…

SRD

PSSAPSSA4- System function list

and System FHA

10-Aircraft Safety/

Reliability Synthesis

PSSAPSSA

PSSAPSSA7- Equipment level Safety/Reliability studies

(FMEA/FMES, etc.)

PSSAPSSA9b- SSASystem Safety

Assessment and MMEL safety justification

9a- PSSA first flight

PSSAPSSA3- System S/R Requirements

document

system

list

Aircraft functions list

8- COMMON CAUSE

ANALYSIS (CCA):

- PRA (Particular Risk Analysis) - ZSA (Zonal Safety Analysis) - CMA (CommonMode Analysis)- HHA (Human Hazard Analysis

PSSAPSSA6- Equipment S/R

Requirements

PTSPTSPTS

5- PSSA: Prelim. system Safety AssessmentFIA: Function Implantation Analysis

IHA/ECHA: Intrinsic/Environment hazard Analysis

11-Airworthiness monitoring

12-Lessons learned

Aircraft certification

Aircraft in service

√

√

Safety &Reliability method and process

- Research,

- Standards,

- Processes,

- Methods,

- Guidelines,

- Tools,

- In service follow up

- S/R Rules and recom.

- Regulation

A/C Requirements/CRI, Significant Items, Aircraft S/R Reviews , Interface S/R Activities System S/R Reviews

TOP (AIRCRAFT) –

DOWN (COMPONENT)

PROCESS

requirements allocation

BOTTOM - UP

evaluation

Multi program, multi disciplinary activities

Multi system activities on one program

System/equipment activities on one program

Common Cause activities on one program

Multi disciplinary activities


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.



document

Top Level Product

Requirements

Top Level Program

Requirements


MMEL


directives

Costrequirements


Analysis





√

√ √√

√

√√


…

…

SRD


and System FHA

10-Aircraft Safety/


PSSAPSSA


(FMEA/FMES, etc.)





document

system

list


8- COMMON CAUSE

ANALYSIS (CCA):



Requirements

PTSPTSPTS




12-Lessons learned


Aircraft in service

√

√


- Research,

- Standards,

- Processes,

- Methods,

- Guidelines,

- Tools,



- Regulation


IN-SERVICE AIRCRAFT

LESSONS LEARNED







RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.



document

Top Level Product

Requirements

Top Level Program

Requirements


MMEL


directives

Costrequirements


Analysis





√

√ √√

√

√√


…

…

SRD


and System FHA

10-Aircraft Safety/


PSSAPSSA


(FMEA/FMES, etc.)





document

system

list


8- COMMON CAUSE

ANALYSIS (CCA):



Requirements

PTSPTSPTS




12-Lessons learned


Aircraft in service

√

√


- Research,

- Standards,

- Processes,

- Methods,

- Guidelines,

- Tools,



- Regulation


COMMON CAUSE ANALYSIS:

- Particular Risk Analysis - Zonal Safety Analysis - Common Mode Analysis- Human Hazard Analysis







RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


CONCLUDING WORDS

Joint effort for improvement

- FAA/JAA/… Airbus/Boeing/…

- Regulations and practices improvement based on

- Type certifications experience

- In-service incidents & accidents

- For in-service airplane & under design


RB

US

S.A.

S. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted by the delivery of this document and the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied.

The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will be pleased to explain the basis thereof.

AIRBUS FLY-BY-WIREA TOTAL APPROACH TO DEPENDABILITYAIRBUS FLY-BY-WIREA TOTAL APPROACH TO DEPENDABILITYAIRBUS FLY-BY-WIRE: BACKGROUNDPHYSICAL FAULTSPHYSICAL FAULTSDESIGN & MANUFACTURING ERRORDESIGN & MANUFACTURING ERRORDESIGN & MANUFACTURING ERRORDESIGN & MANUFACTURING ERRORPARTICULAR RISKSPARTICULAR RISKSELECTRICAL ACTUATIONHUMAN-MACHINE INTERFACEDEPENDABILITY PROCESSDEPENDABILITY PROCESSDEPENDABILITY PROCESSAIRBUS FLY-BY-WIREA TOTAL APPROACH TO DEPENDABILITY

Pascal TRAVERSE And Isabelle Lacaze & Jean Souyrisacgsc.org/Meetings/Meeting_96/Subcommitte...

Documents

Transcript of Pascal TRAVERSE And Isabelle Lacaze & Jean Souyrisacgsc.org/Meetings/Meeting_96/Subcommitte...