Airbus Embedded Systems

AIRBUS EMBEDDED SYSTEMS Aircraft system overview
System development
Presented by Pascal TRAVERSE
Requirement capture Safety requirements & safety process Integration Time issues
AIRBUS S.A.S. All rights reserved. Confidential and proprietary document.
AIRBUS EMBEDDED SYSTEMS
Example: integrated modular avionics Example: Fly-by-Wire design for dependability

The route to fly-by-wire dependability threats
Concluding remarks
Airbus Embedded Systems 14/04/2009 Page 2
Airbus Embedded Systems

System development
AIRCRAFT SYSTEM OVERVIEW
Definition of a system
A combination of inter-related items arranged to perform a specific functions(s), see ARP 4754.
Co mm Satellite Weather Satellite
SATCOM
Traffic Weather
In-flight Collected data

RADAR + L ightning
Terrain
Secondary Surveillan ce Radar
WIMS and Routine data

VHF (Voice + data) PIREP
N ational Met Service WIMS terminal area
U K Met Service WIMS
Weather observation
ATC centres
National Met Service WIMS terminal area
Concluding remarks
ATN
ATC centres
Example, an airplane is a system: which is a component of the transport system, which is, itself, made up of several airborne systems.
14/04/2009 Page 4
ATC centres

AIRFRAME SYSTEMS
21 24 27 30 33 36 AIR COND. ELECTRICAL POWER FLIGHT CONTROLS ICE & RAIN PROTECTION LIGHTS PNEUMATIC 22 AUTO FLIGHT 25 EQUIPMENT 28 FUEL 31 INSTRUMENTS 34 NAVIGATION ....... 23 26 29 32 35 COMMUNICATIONS FIRE PROTECTION HYDRAULIC POWER LANDING GEAR OXYGEN
Systems represent about 30% of the Aircraft price

TA
EX CAR DO ----
PERD ATC
Computers represent about 40% of the Systems price


System development
REQUIREMENT CAPTURE
Explicit requirements - classical allocation process between requirements
General A380-800 objectives
SYSTEMS Direct Weight safety
Integration / Trade-off
Mission and performance (8000 NM / 555 pax ) Improve Aircraft safety Life cycle cost and COC (- 17% per seat) Service readiness at EIS (maturity at First Flight)
Direct cost, maintenance quality reliability Obsolescence, evolution

Dispatch reliability : 99% at EIS A platform for 30 years of evolutions
Concluding remarks
14/04/2009
Page 8
REQUIREMENT CAPTURE
Availability is mandatory (the direct cost of a delay)
REQUIREMENT CAPTURE
Airworthiness regulation is a legal obligation contracted by States signatories of the ICAO Convention
To Ensure and Preserve AIRWORTHINESS and AVIATION SAFETY

Chicago Convention, signed 7th December 1944, established
the International Civil Aviation Organization.
To undertake International Air Transport, each nation has to be

a signatory (currently 188 nations)
14/04/2009
Page 9
REQUIREMENT CAPTURE
REQUIREMENT CAPTURE
SF
Airworthiness regulation: another set of requirements to be cascaded & complied with
1.5 Reduced aircraft weight 1
FAR (US regulations) & CS (European regulations) are requirements, part of the A/C specification. Certification is encompassing process, not only product. Guidance provided (SAE ARP 4754 EUROCAE ED79 certification
considerations for highly-integrated or complex systems)
SF is the achieved Safety Factor Loads to be considered can be due to a design gust, when a Load Alleviation System is unavailable (SF = Ultimate loads / loads due to manoeuvre, gust, not alleviated) or the sum of loads due to a continuing failure (surface oscillation) and of all design loads is the probability per flight hour of the failure T is an exposure time during which loads are not alleviated
10-9
10-5
Increased system cost And/or decreased reliability

14/04/2009 Page 12
REQUIREMENT CAPTURE
REQUIREMENT CAPTURE
Aircraft Specification
Derived requirements from design solution Implicit requirements

Early focus groups with airlines personnel Prototyping Route proving / early long flight Feedback from in-service experience
AIRCRAFT
Design
A/C Fct Specification Aircraft function Aircraft function Aircraft function
Customer needs capture / allocation
Design
Sy stem Specification
Compliance with specification is not sufficient

SY ST EM
SY ST EM
SY ST EM
Design
Equipment Specification
Equipment
Equipment
Equipment
Equipment
Industrial constraints
Requirement allocation
Development
14/04/2009
Page 13
14/04/2009
Page 14
REQUIREMENT CAPTURE
Are the needs acceptable? Validation of the final product versus customer needs
REQUIREMENT CAPTURE
Some V&V means
Assumptions validation
AIRBUS S.A.S. All rights reserved. Confidential and proprietary document. AIRBUS S.A.S. All rights reserved. Confidential and proprietary document.
Requirements validation Requirements V&V
Verification: Get the assurance that the product is compliant to its specification
14/04/2009 Page 15
14/04/2009
Page 16

System development
SAFETY REQUIREMENTS & SAFETY PROCESS

ETY SAF
percentage of total accidents with known causes 0 Flight crew Airplane Maintenance Weather Airport/ATC
10
20
30
40
50
60
64.4 59.8
70
15.7 12.3 3.4 4.9 4.8 4.9 4.7 4.1 7.1 13.9
SYSTEMS Solutions (TAWS, TCAS )

Low system effect
Other
1959-1995
1986-1995
Concluding remarks
14/04/2009
Page 18

SAFETY SEVERITY CLASSES AND ASSOCIATED OBJECTIVES
FAILURE CONDITION DEFINITION FROM CS 25 1309 A Failure Condition is defined at each system level by its effects
on the functioning of the system. It is characterised by its effects on the other systems and on the aircraft. All single failures or combination of failures including failures of other systems that have the same effect on the considered system are grouped together in the same Failure Condition
Classes
Assumption of less than 100 Cat. FC

CATASTROPHIC
Objectives at FC level < 10-9/hr + Fail Safe criterion
Objectives at Aircraft level < 10-7/hr + Fail Safe criterion
HAZARDOUS
< 10-7/hr
no objective
Quantitative & qualitative

MAJOR
< 10-5/hr
no objective
MINOR
no objective
no objective
Gradation of effort
FC: Failure Condition

14/04/2009 Page 20
14/04/2009
Page 19

Extremely Improbable 10-9/FH
No single failure Development Assurance Level
(DO178/ED12, ARP4754/ED79, .. DAL A)
Manufacturing Particular Risks

Some particular risks

Environment
(DO160/ED14)
Zonal Safety Assessment Human Machine Interface

(pilot & maintenance)
14/04/2009
Page 22

Cost requirements

Cost requirements
Top Level Program Requirements Top Level Product Requirements
S afety & Reliability method and process - Research, - Standards, - Processes, - M ethods, - Guidelines, - Tools, - In service follow up
TOP (AIRCRAFT)
Previous A/C design and In service experience
Airworthiness regulation, MMEL
Aircraft manufacturer directives
BOTTOM - UP
11-Airworthiness monitoring 12-Lessons learned
Aircraft in service
11-Airworthiness monitoring
12-Lessons learned
Aircraft in service
DOWN (COMPONENT)
A/C constraints Function /Systems allocation matrix
Top level requirements document
1- S/R Common Data Document
evaluation
8- COMMON CAUS E ANALYS IS (CCA): - PRA (Particular Risk Analysis) - ZS A (Zonal S afety Analysis) - CMA (Common Mode Analysis) - HHA (Human Hazard Analysis
Aircraft certification
S afety & Reliability method and process - Research,

A/C constraints
Top level requirements document
1- S/R Common Data Document
Aircraft certification 8- COMMON CAUS E ANALYS IS (CCA): - PRA (Particular Risk Analysis) - ZS A (Zonal S afety Analysis) - CMA (Common Mode Analysis) - HHA (Human Hazard Analysis
A/C Functions List
2- Aircraft FHA (Functional Hazard Analysis
PROCESS
10Aircraft Safety/ Reliability Synthesis
- Standards, - Processes, - M ethods, - Guidelines,
s y s t e m l i s t
requirements allocation
Aircraft functions list
PSSA 3- System S/R PSSA Requirements document
4- System PSSA list function and System FHA
PSSA
Function /Systems allocation matrix
LESSONS LEARNED

A/C Functions List
2- Aircraft FHA (Functional Hazard Analysis
Aircraft functions list
PSSA
9b- PSSA SSA PSSA System Safety Assessment and MMEL safety justification
- Tools, - In service follow up

SRD
5- PSSA: Prelim. system Safety Assessment PSSA PSSA FIA: Function Implantation Analysis IHA/ECHA: Intrinsic/Environment hazard Analysis
- S/R Rules and recom. - Regulation
9a- PSSA first flight
s y s t e m l i s t
SRD
- S/R Rules and recom. - Regulation
6- Equipment S/R PSSA PSSA Requirements
IN-SERVICE AIRCRAFT
PSSA 7- Equipment level PSSA Safety/Reliability studies (FMEA/FMES, etc.)
PTS
PTS PTS
PTS
PTS PTS
A/C Requirements/CRI, Significant Items, Aircraft S/R Reviews
System S/R Reviews
, Interface S/R Activities
System S/R Reviews
Multi program, multi disciplinary activities Airbus Embedded Systems
Multi system activities on one program
System/equipment activities on one program
Common Cause activities on one program 14/04/2009
Multi disciplinary activities
Page 23
Page 24

Cost requirements

Certification major objective is to ensure safety 25.1309, 25.xyz, ARP4754/ED79, DO178/ED12, ED.zyx, Business margins are taken on top of certification requirements
Assumptions Operational reliability
11-Airworthiness monitoring
12-Lessons learned
Aircraft in service
S afety & Reliability method and process - Research,
COMMON CAUSE ANALYSIS:

Top level requirements document 1- S/R Common Data Document A/C constraints A/C Functions List 2- Aircraft FHA (Functional Hazard Analysis
Aircraft certification 8- COMMON CAUS E ANALYS IS (CCA): - PRA (Particular Risk Analysis) - ZS A (Zonal S afety Analysis) - CMA (Common Mode Analysis) - HHA (Human Hazard Analysis
- Standards, - Processes, - M ethods,
- Guidelines, - Tools,
- Common Mode Analysis - Human Hazard Analysis - Particular Risk Analysis - Zonal Safety Analysis
Function /Systems allocation matrix Aircraft functions list
PSSA
- In service follow up
s y s t e m l i s t
SRD
- Regulation
PTS
PTS PTS
- S/R Rules and recom.
Safety margins are taken too, based on each manufacturer unique history.
System S/R Reviews
Mandating these margins should be carefully balanced

Page 25

System development
Baghdad Nov 2003 - A300 Loss of 3 hydraulic circuits + fire Outstanding flight crew landed the aircraft using engine thrust to control the flight
Mandatory reporting Regulation regular update Just culture

Companies are merging Financial crisis Governments are changing

Concluding remarks
INTEGRATION
INTEGRATION
Proper interfacing and integration

Software modules computer/actuator systems systems in aircraft Aircraft in air traffic
From airplane to nuts and bolts and back
Aircraft in overall society
Integration in the airplane
14/04/2009
Page 29
14/04/2009
Page 30
INTEGRATION
INTEGRATION
Q Q Q QQQQQ QQ Q Q Q Q QQ Q Q QQ QQ Q QQ Q Q Q Q QQQ QQ Q QQQQ QQ Q Q Q Q Q Q Q QQ Q Q QQ Q Q Q
Q QQQ QQQ Q QQQQQ Q QQ Q QQ Q Q QQ QQ Q Q Q Q Q
lighting cold
EMI hot
Integration in the society in air traffic
Airbus orders and deliveries (March. 05)
Q Integration in the world economy
14/04/2009
Page 31
14/04/2009
Page 32
INTEGRATION
SKI LLS

System development
Requirement capture
Mechanics
Safety requirements & safety process Integration Time issues
Aeronautics Automatic control
Human-Machine interface design Electronics
Electricity Fluids
Internet
Computer science Dependability Quality English, French, German , management, ethics,


Concluding remarks
Production, intellectual property , maths, 14/04/2009
Page 33
TIME ISSUES
Need to make trade-off
System weight vs. cost; reliability vs. weight never safety System complexity (reliability etc.) vs. overall aircraft weight Early
Total costs (%) 100 80 60 Product Cost already fixed
TIME ISSUES
Specify the system Plan the system development
Specify the equipme nt Specify the installation & wiring
Design the system
Develop, Verify the equipment
Freedom of choice
Integrated processes : Validate, Verify, Safety studies, Maintainability studies, Modifications Other supporting processes : Certification coordination, Configuration management, Process Assurance, Reviews, Supplier monitoring
40 20 Payments 0
Study Concept Definition Development Production
Go Ahead Entry Into Service

The project, definition: unique process, consisting of a set of coordinated and controlled activities with start and finish dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost and resources.
TIME ISSUES
Integration tests Flight tests Entry into service
TIME ISSUES
300 250
Total des appareils en flotte= 3551 avions Jet : 841 avions Turboprop : 2710 avions Age moyen de la flotte 11 ans 70-100 Turboprop 70-100 JET 60-70 Turboprop 60-70 JET 40-60 Turboprop 40-60 JET 20-40 Turboprop
Definition freeze
Equipment & Harness Production Start of Production
Nombre d'appareils
200 150 100 50 0

1 5 9 13 17 21 25 29
Concept freeze
End of studies
Authorization to offer ATO
33
37
41
45
Start of Assembly
End of ramp-up
Age
Aircraft On Ground 4 hours to get it back into service

14/04/2009
Page 37
TIME ISSUES
Technical challenges

System development
Side-stick:
test in flight on a modified Concorde in 1978, then an A300 in 1982 Entry into Service in 1988 1st
Brake To Vacate:
PhD thesis in 1998-2002 Research in Airbus 2002-2005 Development on A380 2006 to Entry into Service mid 2009

Concluding remarks
INTEGRATED MODULAR AVIONICS

Functionality
A380 A340 -600 10 10
5

Stringent economical & industrial objectives for new aircraft
types (A380, A400M, A350) Minimize Development & Maintenance Costs Reduce Development Life Cycle Cost Harmonize design of aircraft avionics Manage obsolescence of hardware and evolutions of functions Ensure Safety and Reliability
(number of lines of code) (arbitrary log scale)
Number of electronic equipment
103 102 101 Concorde A310 A320
A330
A380 with IMA A350
100 80 60 40
A300B
Chosen way to fulfil these objectives

Provide data communication capabilities Avionics Data Communication Network (ADCN) Provide centralised computing capabilities Integrated Modular Avionics (IMA)
20
1970
1975
1980 1985
1990
1995
2000 2005 2010
Integrated Modular Avionics (IMA): increasing functionality, while stabilizing the number of pieces of electronic equipment Airbus Embedded Systems 14/04/2009 Page 41
14/04/2009
Page 42

Federated Architecture
LRU A

Function 2
Specified by Airbus
Integrated (and Standardized) Architecture Data processing is on a Generic LRU

A B Airborne Functions (several Function Suppliers)
Function 3
Function 1
LRU B
Developed by Function Suppliers (example Liebherr, Rockwell-Collins, Airbus
LRU C
Arinc 653 API

Functions Integration Level (per module) :
Conventional Avionics (several LRU Suppliers)

Specified by Airbus
IMA Module
Developed by Module Supplier
Data processing is on a ATA xx Specific LRU

IMA Modules
A380: 2-4 functions A350: 3-6 functions A30X: 6-12 functions
CPIOM : Core Processing Input/Output Module (Centralized Architecture) CPM : Core Processing Module (Distributed Architecture)
Global integration (integrated Module) is performed by Airbus


High communication capacity: speed, bandwidth and number of connected LRM/LRU 100 Mb/s, potential to go up to 1Gb/s Based on existing and established telecommunication technology and standards (Ethernet) Deterministic behavior Offer guaranteed quality of service to network subscribers Flexible Re-configurable to support new needs with no or limited physical impacts

Flight Control Cockpit Engines Virtual Link (VL) = communication channel between one emitter and several receivers. Energy Fuel&LG
Cabin
Network A Switch Network B Switch LRU - IMA Modules
14/04/2009
Page 45

Total Loss of Braking is classified Catastrophic As a consequence, Braking System shall not solely use IMA
equipment
Implementation of Emergency Braking independent from IMA equipment
IMA-based Normal Braking Control Unit

Consistent erroneous attitude information displayed in the
cockpit is classified as potentially Catastrophic
Consequently, undetected erroneous attitude information

Control Unit,
shall not result of a single failure within ADCN

Attitude information from independent sources to independent display units shall use independent routing within ADCN
Emergency Braking Control Unit
Attitude A/C side1
ADCN routing 1
ADCN routing 2
Attitude A/C side2
14/04/2009
Page 47
14/04/2009
Page 48

Undetected erroneous fuel quantity information may lead
to fuel imbalance and is classified as potentially Catastrophic As a consequence, undetected erroneous fuel quantity information shall not result from a single failure within IMA
Fuel System based on Command - Monitoring architecture Command lane within one IMA equipment - Monitoring lane within another IMA equipment

System development
IMA-based Fuel Quantity & Management Command lane IMA-based Fuel Quantity & Management Monitoring lane

Concluding remarks
THE ROUTE TO FLY-BY-WIRE

A never ending quest To move the control surfaces To help pilots To ensure safety
Fully mechanical system
14/04/2009
Page 51
Power: from the pilot
Help: means to reduce control loads (tab)
14/04/2009
Page 52

Caravelle 1955*

From Mechanical Flight Control System.
A320 1987*
Flight Augmentation Computer
AP
Hydromechanical system Power: centralized hydraulic systems and servocontrols Help: yaw damper, trim, auto-pilot (speed, altitude), protections against excessive structural loads. Devices moving the mechanical control.
Feel and Limitation Computer AP
A/C response
to Fly-By-Wire.or Electrical Flight Control System (EFCS) .

or Commandes de Vol lectriques (CDVE)
Flight Augmentation Computer
Auto-pilot computer A/P order Fly -by-wire computers
AP
Feel and Limitation Computer AP
A/C Response
A/C response
14/04/2009 Page 53
14/04/2009
Page 54

From Fly-by-Wire .
A380 2005*

A380 2005* 1969*
A/C Response
1982*
1978 *
HYDRAULIC POWER
to Fly-by-Wire associated to Power-by-Wire.

A/C Response
HYDRAULIC and
1991*
1987*
2001*
2012*
* First flight year
2005*
2009*
14/04/2009 Page 56
ELECTRICAL POWER 14/04/2009
Page 55

System development
FbW: DEPENDABILITY THREATS

SAFETY
Concluding remarks
AVAILABILITY
14/04/2009
Page 58

SAFETY (physical faults)

AVAILABILITY (physical faults)
C M
P1
C M
S1
COM MON
C M
P2
C M
S2
COMMAND & MONITORING COMPUTER

P1/Green
REDUNDANCY ACTIVE / STAND-BY STANDP2/Blue S1/Green
S2/Blue
14/04/2009 Page 60

Design and Manufacturing errors. Airbus Fly-by-Wire system is developed to ARP 4754 level A Computers to DO178B & DO254 level A
(plus internal guidelines)

Fault prevention & removal
FUNCTIONAL SPECIFICATION - interface between aircraft & computer sciences - automatic code generation
Two types of dissimilar computers are used PRIM SEC

Fault tolerance
C M
P1
C M
S1
- Classical V&V means, plus - virtual iron bird (simulation) - some formal proof
14/04/2009
Page 61

A380 Iron Bird
FAULT TOLERANCE
C M
P1
C M
S1
C M
- SEC simpler than PRIM - PRIM HW SEC HW - 4 different software - data diversity - From random dissimilarity random to managed one - Comforted by experience
P2
C M
S2
PROOF Of PROGRAM Applied on A380 FbW software, on a limited basis, credit for certification certification
14/04/2009
Page 64

Particular risks. The issue: COMMON POINT AVOIDANCE - Qualification to environment - Physical separation - Ultimate back-up back-

ULTIMATE BACK-UP BACK- Continued safe flight while crew restore computers - Expected to be Extremely Improbable - No credit for certification - From mechanical (A320) to electrical (A380 & A400M)
PRIM1-SEC1 2500 VU
28VDC Hydraulic power

PRIM3-SEC3CPIOMC1 2100 VU
PRIM2-SEC2CPIOMC2 2200 VU
14/04/2009
Page 65

A320 ... A340
ELECT RICAL GENERATION EMER GEN GEN 1 GEN 2 APU GEN HY DRAULIC GENERATION GREEN PUMP YELLOW PUMP BLUE PUMP

HUMAN-MACHINE INTERFACE HUMAN-
Avionics
Flight Controls Actuators
Protection
A380 A400M A350

ELECT RICAL GENERATION EMER GEN GEN 1 GEN 2 APU GEN HY DRAULIC GENERATION GREEN PUMP YELLOW PUMP
Detection, warning Situation Awareness, Advisory Aircraft handling, SOPs, environment

Avionics
AUTOMATISATION Ultimate safety net Instant flight management of danger Routine tasks
DECISION HELP Reduction of workload, stress, complexity Pilot as a supervisor
Flight Controls Actuators
ELECTRICAL ACTUATION MORE REDUNDANCY DISSIMILAR (HYDRAULIC / ELECTRICAL) INCREASED SEGREGATION

14/04/2009
Page 68
FLY-BY-WIRE ARCHITECTURE FUTURE TREND?
-Flight envelope protections - TCAS, TAWS - Airbus protections
Stick released : Aircraft will fly inside normal Flight Envelope
Architecture :
network, standard ressources
Normal
Let the crew concentrate on trajectory

Peripheral
Stick on the stops : Aircraft will fly at the maximum safe limit
Functions : systems manage short term situation (stab, protections), the pilot manages the flight. Completions of protections. Integration with structure and the airframe (loads alleviation).
14/04/2009
Page 69
14/04/2009
Page 70

System development
Some lessons
The system will function if
properly integrated within its environment (other systems, platform, people ) requirements are correctly integrated (no inconsistency, correct balance between requirements)

The system will be successful if

the overall aircraft (at least) is successful (= if optimisation is done at aircraft level) for the whole development & in-service life of the aircraft the customer needs are well understood
Concluding remarks

Safety is the priority in aviation flying in safe Nothing is granted Duty for continuous improvement Need to forecast future threat
Club Inter-associations Systmes Embarqus Critiques - CISEC
Sminaires, journes dtude, ateliers http://cisec.enseeiht.fr/
cisec
Continuous need to
Look at the global picture (complete airplane, design .. Certification .. In-service, stack of redundancy vs. common point) Management to be supportive and pro-active Never compromise
Association Aronautique et Astronautique de France Socit de llectricit, de lElectronique et des Technologies de linformation et de la communication Socit des Ingnieurs de lAutomobile
14/04/2009
Page 74
THANK YOU QUESTIONS?
This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted b y the delivery of this document and the disclosure of its content. This document shall not b e reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will b e pleased to explain the b asis thereof.
14/04/2009
Page 75
14/04/2009
Page 76

Airbus Embedded Systems

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Airbus Embedded Systems

Uploaded by

Copyright:

Available Formats

AIRBUS EMBEDDED SYSTEMS Aircraft system overview

AIRBUS S.A.S. All rights reserved. Confidential and proprietary document.