Lecture 5 Airbus A320/A330/A340/... www.airbus.com FOR0383 Software Quality Assurance Lecture 5 Airbus A320/A330/A340/... www.airbus.com A success story, but nothing is perfect: http://catless.ncl.ac.uk/php/risks/search.php?query=airbus 20.4.2017 Dr Andy Brooks

“glass cockpit” fly-by-wire The JAA (Joint Aviation Authorities) issued the type certificate for the A320 on 26 February 1988. The A320 was the first civil aircraft equipped with a digital electrical flight control system. The first electrical flight control system for a civil aircraft was installed on Concorde, but that was an analog system. 20.4.2017 Dr Andy Brooks

Success of Airbus “Airbus is one of the world's leading aircraft manufacturers, and it consistently captures approximately half or more of all orders for airliners with more than 100 seats.” http://www.airbus.com/en/corporate/ downloaded 14-Jan-09 “Airbus has shipped 3,594 A318/A319/A320/A321s since its certification/first delivery in early 1988, with another 2,703 on firm order (31 August 2008).[17] Boeing has shipped 5,720 737s since late 1967, with 4,374 of those deliveries since 1988, and has a further 2,191 on firm order (30 April 2008).[18] Based on figures since 1988 when they first entered direct competition, Airbus delivered on average 174 A320 series aircraft per annum, while on average 208 Boeing 737s were delivered.” http://en.wikipedia.org/wiki/Airbus_A320_family#Competition downloaded 14-Jan-09 20.4.2017 Dr Andy Brooks

Flight Control Surfaces of an A340. Pitch Yaw Roll all electrically controlled and hydraulically activated increase lift pitch up or down flaps elevators rudder rotate about vertical axis also under mechanical control reduce lift trimmable horizontal stabilizers also under mechanical control spoilers slats ailerons stall prevention bank left or right 20.4.2017 Dr Andy Brooks

Why fly-by-wire? Many aircraft accidents involve human error. Fly-by-wire allows for automation of various tasks and improves the interaction between the pilots and the flight controls. As a result, pilots workload is reduced and they are less tired. Fly-by-wire means that flight control software can provide a flight protection envelope which, for example, can prevent pilots from inadvertently stalling the aircraft (by adopting a too high angle-of-attack) or making a descent too quickly. 20.4.2017 Dr Andy Brooks

Computers (A320) ELAC (two of) Thomson-CSF Elevator and Aileron Computers SEC (three of) Spoiler and Elevator Computers FAC (two of) Rudder control. Two auto-pilot computers. The ELACs and SECs were designed and manufactured by different companies so that the system would be tolerant to a design or manufacturing fault. Thomson-CSF 6810 microprocessor SFENA/Aerospatiale 80186 microprocessor 20.4.2017 Dr Andy Brooks

Control and monitoring channels ELAC and SEC computers have a control and a monitoring channel: these channels can be considered as two different and independent computers. If output commands between control and monitoring channels don´t agree within a pre-determined threshold, links between the computer and exterior are cut. A detection of disagreement must last a sufficiently long period of time before being considered a failure. Detection parameters are wide enough to avoid unwanted disconnections, but tight enough to avoid undetected failures. 20.4.2017 Dr Andy Brooks

Distributed system functions System function is distributed between the ELAC and SEC computers. For any particular function, one computer is active while the others act as hot backups. In a 1993 article, the switch to the hot backup is said to involve a ´limited jerk´on the control surfaces. If ELAC2 fails, ELAC1 takes over. If ELAC1 fails, SEC2 takes over. If SEC2 fails, another SEC takes over. 20.4.2017 Dr Andy Brooks

N-version programming Each channel of each ELAC and SEC computer was separately programmed, resulting in 4 versions of the software. N-version programming reduces the risk of a common error which could cause control surface runaway (control and monitoring channels incorrectly agreeing) or complete shutdown of all the ELAC/SEC computers. N-version programming is very expensive and is usually only done for safety-critical systems. 20.4.2017 Dr Andy Brooks

Software development DO-178A “Software considerations in airborne systems and equipment certification” standard compliance. Computer-assisted specification Symbols in the specification had a formal definition and strict interconnection rules. There was a degree of automated code generation from the computer-assisted specifications. There was peer review of specifications. 20.4.2017 Dr Andy Brooks

Software development Code modules were tested against specifications. Black box testing Each module had equivalence classes defined. Parameter <0 ( -5 ), 0<=Parameter<=135 ( 45 ), Parameter >135 ( 142 ) The equivalence classes were approved by: the aircraft and equipment manufacturers, the airworthiness authorities, the designers, and quality control. White box testing All branches were tested. inputs expected results actual output Verification Does the code implement the specification? 20.4.2017 Dr Andy Brooks

System testing Iron-bird tests were performed. All the system equipment was installed and powered as in the actual aircraft. Flight simulator tests were performed. These tests were sometimes coupled with iron-bird. Actual test flights were performed with 1000 flight control parameters monitored and recorded. Validation Does the system perform in the way expected? “Can the plane be flown safely?” 20.4.2017 Dr Andy Brooks

SCADE Suite™ for Safety-Critical Software Development http://www 20.4.2017 Dr Andy Brooks

Destruction of part of the aircraft? The computers were placed at three different locations throughout the aircraft. Links to actuators were run under the floor, overhead, and in the cargo compartment. 20.4.2017 Dr Andy Brooks

Complete failure of the automated system? Mechanical links are retained to the Rudder and the Trimmable Horizontal Stabilisers so that the plane can still be flown in the event of a complete failure of the automated system. 20.4.2017 Dr Andy Brooks

Other safety features There are redundant sensors. There are redundant actuators. Safety objectives for the aircraft are met with only 3 of the 5 ELAC/SEC computers running. One computer is sufficient to control the aircraft. The computers are connected to at least two power sources. Computers are protected against over-voltages and under-voltages, electromagnetic aggressions, and indirect effects of lightning. 20.4.2017 Dr Andy Brooks

Other safety features There are three hydraulic systems when one is sufficient for aircraft operation. Software defects can remain hidden for a long time. To protect against latent failure, on energization of the aircraft, each computer runs a self-test and tests its peripherals. Such testing occurs typically once a day. 20.4.2017 Dr Andy Brooks

Failure of both ELACs During one flight both the ELACs failed due to an air conditioning failure and the resultant temperature rise. A component did not meet the specified temperature operating range. There was a successful takeover by the SEC computers. “AIRBUS A320/A330/A340 Electrical Flight Controls A Family of Fault-Tolerant Systems” by Dominique Britxe and Pascal Traverse in: The Twenty-Third International Symposium on Fault-Tolerant Computing (FTCS-23),1993, pp 616-623, ©IEEE 20.4.2017 Dr Andy Brooks