Industrial Practices in Fault Tolerant Control
5.3 Some ‘Golden Rules’ for Designing a Highly Dependable System

Fig. 5.1 V-cycle representing the aircraft development process.

The EFCS is a safety-critical system in the sense that catastrophic consequences may result from its failures, such as a control surface runaway (e.g. rudder or Trimmable Horizontal Stabilizer), loss of control on the pitch axis, lack of control after an engine burst, or an oscillatory failure at a frequency critical to the structure (see Section 5.6). The detection of all related failures is therefore a very important point to be considered in the aircraft design. All these failures must be extremely improbable, i.e. with a probability of less than 10^-9 per flight hour, while also considering qualitative requirements (FAR/CS 25.1309). Specifically for flight controls, FAR/CS 25.671 requires that a catastrophic consequence must not be due to a single failure, a control surface jam or a pilot control jam. This qualitative requirement is on top of the probabilistic assessment. In order to be compliant with Airworthiness requirements for aircraft certification and to design a fault-tolerant aircraft, Airbus uses a number of ‘golden rules’ [5, 6], outlined below:
• A Safety System Assessment (SSA) to assess the effect of each functional failure on the system. The SSA is a kind of fault tree that studies all the possible combinations of failures to determine the probability of occurrence of an event. The probability of each elementary failure is given by the manufacturer of the equipment concerned and is re-evaluated or confirmed by experience. This safety analysis can lead to a modification of the flight control architecture (e.g. degree of redundancy) and thus contributes to the design of a more fault tolerant system, compliant with the safety requirements in the regulations.
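The SSA described above combines elementary failure probabilities through a fault tree and checks the result against both the quantitative (10^-9 per flight hour, 25.1309) and the qualitative (no single catastrophic failure, 25.671) requirement. The following added example, which is not Airbus code and not part of the original chapter, implements a minimal fault-tree evaluator for that purpose: it derives the minimal cut sets of a tree, computes the top-event probability with the rare-event approximation, and flags any cut set of size one as a single-point failure. The failure rates, event names and the two trees (a three-source hydraulic architecture with a RAT backup, and a deliberately deficient design) are constructed for illustration only.

```python
import math
from itertools import chain
from typing import Dict, FrozenSet, List, Set, Tuple, Union

# A fault-tree node is either a basic event (its name) or a gate:
# ("AND", [children]) or ("OR", [children]).
Node = Union[str, Tuple[str, list]]
CutSet = FrozenSet[str]

# Constructed per-flight-hour failure probabilities for the basic events.
# In a real SSA these come from the equipment manufacturers and are
# re-evaluated from in-service experience; these numbers are illustrative only.
BASIC_EVENTS: Dict[str, float] = {
    "hyd_green_loss": 1e-4,   # loss of the green hydraulic circuit
    "hyd_yellow_loss": 1e-4,  # loss of the yellow hydraulic circuit
    "hyd_blue_loss": 1e-4,    # loss of the blue hydraulic circuit (normal pumps)
    "rat_fail": 1e-3,         # Ram Air Turbine fails to pressurise the backup circuit
    "p1_fail": 1e-5,          # flight control computer P1 failure
    "p2_fail": 1e-5,
    "p3_fail": 1e-5,
}

# Constructed three-source hydraulic architecture: the RAT can re-pressurise one
# circuit, so total loss needs green AND yellow AND (blue AND RAT).
LOSS_OF_ALL_HYDRAULIC_POWER: Node = ("AND", [
    "hyd_green_loss",
    "hyd_yellow_loss",
    ("AND", ["hyd_blue_loss", "rat_fail"]),
])

# Deliberately deficient design: a single P1 failure alone causes the top event.
SURFACE_RUNAWAY_SINGLE_POINT: Node = ("OR", [
    "p1_fail",
    ("AND", ["p2_fail", "p3_fail"]),
])

def minimal_cut_sets(node: Node) -> Set[CutSet]:
    """Return the minimal cut sets (smallest sets of basic events that cause the top event)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":                       # any child suffices
        result = set(chain.from_iterable(child_sets))
    elif gate == "AND":                    # all children are needed
        result = {frozenset()}
        for cs in child_sets:
            result = {a | b for a in result for b in cs}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Drop non-minimal sets (a set with a proper subset also in the result).
    return {s for s in result if not any(o < s for o in result)}

def top_event_probability(cut_sets: Set[CutSet], rates: Dict[str, float]) -> float:
    """Rare-event approximation: sum over minimal cut sets of the product of their
    (assumed independent) basic-event probabilities. This is an upper bound."""
    return sum(math.prod(rates[e] for e in cs) for cs in cut_sets)

def single_point_failures(cut_sets: Set[CutSet]) -> List[str]:
    """Basic events that alone cause the top event (cut sets of size one)."""
    return sorted(next(iter(cs)) for cs in cut_sets if len(cs) == 1)

def assess(tree: Node, rates: Dict[str, float], target: float = 1e-9) -> dict:
    """Check both the quantitative (25.1309) and the qualitative (25.671) requirement."""
    cut_sets = minimal_cut_sets(tree)
    probability = top_event_probability(cut_sets, rates)
    singles = single_point_failures(cut_sets)
    return {
        "cut_sets": cut_sets,
        "probability": probability,
        "single_point_failures": singles,
        "quantitative_ok": probability < target,   # < 10^-9 per flight hour
        "qualitative_ok": not singles,             # no single failure is catastrophic
    }

if __name__ == "__main__":
    for name, tree in [("loss of all hydraulic power", LOSS_OF_ALL_HYDRAULIC_POWER),
                       ("surface runaway (single point)", SURFACE_RUNAWAY_SINGLE_POINT)]:
        r = assess(tree, BASIC_EVENTS)
        print(f"{name}: p={r['probability']:.2e}/FH, "
              f"quantitative_ok={r['quantitative_ok']}, qualitative_ok={r['qualitative_ok']}, "
              f"single points={r['single_point_failures']}")
```

The deficient tree shows why the qualitative rule sits on top of the probabilistic one: a design can be pushed under the probability target by improving one component's rate while still violating 25.671 because one cut set has a single member. The cut-set view makes that visible directly, which the top-event probability alone does not.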
• A stringent development process, based on the guidelines ARP4754/ED79 [7] for aircraft system development, DO178/ED12 [8] for software development and DO254/ED80 [9] for hardware development. For instance, for software development, the dedicated guidelines do not concern the content of the software, but rather the development process to comply with (planning, development, verification, configuration management, quality assurance issues) in order to obtain the aircraft certification.
• Hardware redundancy: for example the use of multiple FBW computers (5 on an A330/A340 and 6 on an A380), and the use of different power sources for control surface actuation. Three hydraulic sources are used on the A320/A340. Four power sources are used on the A380 (2 hydraulic and 2 electric). Furthermore, as a last backup in an emergency situation, a Ram Air Turbine provides enough energy to pressurize one of the hydraulic circuits and/or to supply the electric network. Redundant sensors also provide air data and inertial information to other systems through dedicated, separate but identical units².
• Monitoring: all the elements of the flight control system are monitored in real-time, for example the sensors, actuators, probes, and the other computers. An example of such monitoring is given in Section 6.
• Reconfiguration: meaning automatic management following a failure. This is a key point in the design of a fault-tolerant aircraft. There are two levels of reconfiguration:
– First level, system reconfiguration: consider a control surface with two actuators (Fig. 2). The first one is in active mode and is servo-controlled by computer P1. The second one is in passive mode (it follows the movement of the active actuator) and is associated with a second computer P2, in stand-by mode. If a failure is detected on the active actuator (by the dedicated monitoring schemes, see above), then it changes to passive mode and the passive one becomes active. There is a hand-over: P2 becomes active and controls its associated actuator, while P1 changes to stand-by mode. P1 loses its functionality on this actuator but not all its other functionalities (control of other actuators, flight control law calculations, etc.). This reconfiguration is clearly based on hardware redundancy (computers and actuators).
– Second level, flight control law reconfiguration: in normal conditions, with the EFCS the aircraft is protected against critical events [5] such as stall, overspeed, etc. The corresponding flight control law is called the ‘normal law’. However, some protections can be lost following failures, for example the loss of a control surface, an IRS (Inertial Reference System), an ADR (Air Data Reference) or a Flight Control Computer. As a result of the loss of protection, there is a reversion to low-level laws. Flight is still possible, but with less protection. The last level law is the ‘direct law’, where there is no protection. The probability of reverting to a low-level law is very small. This reconfiguration is a way to be fault tolerant and is due to a loss of hardware redundancy. For more information on the control laws, see Chapter 1.
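The two reconfiguration levels just described, as an added example that is not part of the chapter and not Airbus code: the first level is the active/passive hand-over between two actuators and their computers P1 and P2 after a confirmed actuator failure; the second level selects the control law from the resources that remain. The surface name, the actuator names ACT1/ACT2, the resource counts and the law-selection thresholds are constructed for illustration; the Airbus reversion logic is not on this page and is not reproduced here.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class ActMode(Enum):
    ACTIVE = "active"    # servo-controlled by its computer
    PASSIVE = "passive"  # follows the movement of the active actuator

class Law(Enum):
    NORMAL = "normal law"        # all protections available
    LOW_LEVEL = "low-level law"  # some protections lost
    DIRECT = "direct law"        # no protection

@dataclass
class Channel:
    computer: str                  # computer servo-controlling this actuator, e.g. "P1"
    actuator: str                  # actuator name, e.g. "ACT1" (constructed)
    mode: ActMode
    healthy: bool = True           # cleared when the monitoring confirms a failure
    computer_active: bool = False  # True while the computer controls this surface

@dataclass
class Surface:
    name: str
    channels: List[Channel]          # in hand-over priority order
    log: List[str] = field(default_factory=list)

    def active_channel(self) -> Optional[Channel]:
        return next((c for c in self.channels if c.mode is ActMode.ACTIVE and c.healthy), None)

    def report_failure(self, actuator: str) -> bool:
        """First-level (system) reconfiguration after a confirmed actuator failure.
        Returns True if the surface is still controlled afterwards."""
        failed = next(c for c in self.channels if c.actuator == actuator)
        was_active = failed.mode is ActMode.ACTIVE
        failed.healthy = False
        failed.mode = ActMode.PASSIVE          # failed actuator switches to passive mode
        failed.computer_active = False         # its computer goes to stand-by for this surface
        self.log.append(f"{self.name}: {actuator} failed, {failed.computer} stand-by")
        if not was_active:                     # the passive actuator failed: nothing to hand over
            return self.active_channel() is not None
        standby = next((c for c in self.channels if c.healthy and c.mode is ActMode.PASSIVE), None)
        if standby is None:
            self.log.append(f"{self.name}: no healthy passive actuator left, surface lost")
            return False
        standby.mode = ActMode.ACTIVE          # hand-over: passive actuator becomes active
        standby.computer_active = True         # and its computer takes control
        self.log.append(f"{self.name}: hand-over to {standby.computer}/{standby.actuator}")
        return True

@dataclass
class Resources:
    adr_ok: int                # healthy Air Data Reference units
    irs_ok: int                # healthy Inertial Reference System units
    fcc_ok: int                # healthy flight control computers
    lost_surfaces: List[str] = field(default_factory=list)

def select_law(r: Resources) -> Law:
    """Second-level (control law) reconfiguration. The thresholds are constructed
    for illustration and are not the Airbus reversion logic."""
    if r.adr_ok >= 2 and r.irs_ok >= 2 and r.fcc_ok >= 2 and not r.lost_surfaces:
        return Law.NORMAL
    if r.irs_ok >= 1 and r.fcc_ok >= 1:
        return Law.LOW_LEVEL
    return Law.DIRECT

def scenario() -> dict:
    """Constructed failure sequence on a rudder with two actuators."""
    rudder = Surface("rudder", [
        Channel("P1", "ACT1", ActMode.ACTIVE, computer_active=True),
        Channel("P2", "ACT2", ActMode.PASSIVE),
    ])
    res = Resources(adr_ok=3, irs_ok=3, fcc_ok=5)
    laws = [select_law(res)]
    rudder.report_failure("ACT1")              # hand-over to P2/ACT2, law unchanged
    laws.append(select_law(res))
    if not rudder.report_failure("ACT2"):      # second failure: surface lost
        res.lost_surfaces.append(rudder.name)
    laws.append(select_law(res))               # reversion to a low-level law
    res.irs_ok = 0                             # worst case: all inertial references lost
    laws.append(select_law(res))               # direct law
    return {"laws": laws, "log": rudder.log, "active": rudder.active_channel()}

if __name__ == "__main__":
    for line in scenario()["log"]:
        print(line)
```

Note that the first actuator failure changes nothing at the law level: the hand-over consumes hardware redundancy but keeps the surface controlled, which is the point of the first level. Only when the redundancy is exhausted (surface lost) does the second level have to trade protection for continued flight.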
• Dissimilarity: this is also a very important point to ensure fault tolerance. All Airbus aircraft have at least two types of computer: a primary and a secondary computer. Their hardware and software are different, and they are not developed by the same teams. The system reconfiguration (hand-over) described above uses primary and secondary computers (Fig. 2). The secondary computer is simpler than the primary computer. The dissimilarity also concerns actuators. On the A380, two types are used: the conventional hydraulic actuator and a new generation of electrically powered actuators, the Electro-Hydrostatic Actuator (EHA). EHA has been developed mainly from the viewpoint of reducing the number of hydraulic systems, generating significant weight and cost savings, and providing additional dissimilarity [10]. Electrical Backup Hydraulic Actuators (EBHA) are also used on the A380. An EBHA can be viewed as an actuator with two modes: a conventional hydraulic one that can switch to an EHA mode.

² A.k.a. ADIRU (Air Data Inertial Reference Units).
• Installation segregation: computers are not physically installed at the same place on the aircraft, to avoid total loss in the case of any damage. Such an event could be for example an engine rotor-burst that cuts the electrical wires supplying the computers. The same reasoning leads to segregation of hydraulic and electrical routes.
• Flight Control Computer architecture: this is divided into two parts, a command channel (COM) and a monitoring channel (MON). Each channel monitors the other but each channel has a specific task. The COM channel provides the main functions allocated to the computer (flight control law computation and the servo-control of moving surfaces). The MON channel ensures (mainly) the permanent monitoring of all the components of the flight control system (sensors, actuators, other computers, probes, etc.). It is designed to detect failure cases and to trigger reconfiguration by signalling the failure detection to the COM channel and to the other computers.
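The COM/MON split above rests on one mechanism: the MON channel recomputes what COM should have commanded from the same inputs, compares, and only declares a failure when the discrepancy persists, so that a transient does not produce a false alarm (the robustness point in the next rule). The following added example, which is not the chapter's code and not an Airbus monitor, shows that logic with a constructed proportional law standing in for the flight control law, a constructed tolerance and confirmation time, a two-cycle glitch that must not trigger, and a persistent COM error that must. The messages MON emits at confirmation are likewise constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class DiscrepancyMonitor:
    """MON-side check of the COM channel: MON recomputes the command from the same
    inputs and compares it with what COM actually output. A discrepancy above
    `threshold` must persist for `confirmation_samples` consecutive cycles before a
    failure is declared, so that a short transient does not raise a false alarm."""
    threshold: float           # tolerated COM/MON difference (constructed units: degrees)
    confirmation_samples: int  # consecutive out-of-tolerance cycles needed to confirm
    count: int = 0
    failed: bool = False       # latched once confirmed

    def update(self, com_cmd: float, mon_cmd: float) -> bool:
        if self.failed:
            return True
        if abs(com_cmd - mon_cmd) > self.threshold:
            self.count += 1
            if self.count >= self.confirmation_samples:
                self.failed = True
        else:
            self.count = 0     # discrepancy vanished: reset the confirmation counter
        return self.failed

def control_law(target: float, measured: float, gain: float = 2.0) -> float:
    """Toy proportional law standing in for the flight control law (constructed)."""
    return gain * (target - measured)

def simulate(com_fault_at: Optional[int], transient_at: Optional[int],
             cycles: int = 100) -> Tuple[Optional[int], List[str]]:
    """Run COM and MON over `cycles` computation cycles on constant constructed inputs.
    Returns the cycle at which MON confirmed a COM failure (or None) and the messages
    MON would send to COM and to the other computers to trigger reconfiguration."""
    monitor = DiscrepancyMonitor(threshold=0.5, confirmation_samples=5)
    messages: List[str] = []
    target, measured = 2.0, 1.5   # constructed pitch inputs, identical for both channels
    for k in range(cycles):
        com_cmd = control_law(target, measured)
        mon_cmd = control_law(target, measured)   # independent recomputation on the MON channel
        if transient_at is not None and transient_at <= k < transient_at + 2:
            com_cmd += 1.0   # two-cycle glitch on the COM output: must NOT be declared a failure
        if com_fault_at is not None and k >= com_fault_at:
            com_cmd += 3.0   # persistent COM error from this cycle on
        if monitor.update(com_cmd, mon_cmd):
            messages.append(f"cycle {k}: COM failure confirmed, surface command inhibited")
            messages.append(f"cycle {k}: failure signalled to other computers for hand-over")
            return k, messages
    return None, messages

if __name__ == "__main__":
    print(simulate(com_fault_at=30, transient_at=10))
    print(simulate(com_fault_at=None, transient_at=10))
```

With a five-cycle confirmation window the glitch at cycles 10 and 11 is absorbed, and the error starting at cycle 30 is confirmed at cycle 34. Because each channel monitors the other, the same comparison runs on the COM side against MON's output; the threshold and confirmation time are the two parameters that trade detection latency against false alarms, and both are set per monitored signal in practice.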
• A perfect robustness for software and system equipment: e.g. no monitoring false alarms, protection against ElectroMagnetic Interference and severe lightning strikes, no upset in the case of total air cooling loss, etc.