Presentation is loading. Please wait.

Presentation is loading. Please wait.

FOR0383 Software Quality Assurance Lecture 5 Airbus A320/A330/A340/...

Published byBrandon Atkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "FOR0383 Software Quality Assurance Lecture 5 Airbus A320/A330/A340/... "— Presentation transcript:

1 Lecture 5 Airbus A320/A330/A340/... www.airbus.com
FOR0383 Software Quality Assurance Lecture 5 Airbus A320/A330/A340/... A success story, but nothing is perfect: Dr Andy Brooks

2 “glass cockpit” fly-by-wire The JAA (Joint Aviation Authorities) issued the type certificate for the A320 on 26 February The A320 was the first civil aircraft equipped with a digital electrical flight control system. The first electrical flight control system for a civil aircraft was installed on Concorde, but that was an analog system. Dr Andy Brooks

3 Success of Airbus “Airbus is one of the world's leading aircraft manufacturers, and it consistently captures approximately half or more of all orders for airliners with more than 100 seats.” downloaded 14-Jan-09 “Airbus has shipped 3,594 A318/A319/A320/A321s since its certification/first delivery in early 1988, with another 2,703 on firm order (31 August 2008).[17] Boeing has shipped 5, s since late 1967, with 4,374 of those deliveries since 1988, and has a further 2,191 on firm order (30 April 2008).[18] Based on figures since 1988 when they first entered direct competition, Airbus delivered on average 174 A320 series aircraft per annum, while on average 208 Boeing 737s were delivered.” downloaded 14-Jan-09 Dr Andy Brooks

4 Flight Control Surfaces of an A340.
Pitch Yaw Roll all electrically controlled and hydraulically activated increase lift pitch up or down flaps elevators rudder rotate about vertical axis also under mechanical control reduce lift trimmable horizontal stabilizers also under mechanical control spoilers slats ailerons stall prevention bank left or right Dr Andy Brooks

5 Why fly-by-wire? Many aircraft accidents involve human error.
Fly-by-wire allows for automation of various tasks and improves the interaction between the pilots and the flight controls. As a result, pilots workload is reduced and they are less tired. Fly-by-wire means that flight control software can provide a flight protection envelope which, for example, can prevent pilots from inadvertently stalling the aircraft (by adopting a too high angle-of-attack) or making a descent too quickly. Dr Andy Brooks

6 Computers (A320) ELAC (two of) Thomson-CSF
Elevator and Aileron Computers SEC (three of) Spoiler and Elevator Computers FAC (two of) Rudder control. Two auto-pilot computers. The ELACs and SECs were designed and manufactured by different companies so that the system would be tolerant to a design or manufacturing fault. Thomson-CSF 6810 microprocessor SFENA/Aerospatiale 80186 microprocessor Dr Andy Brooks

7 Control and monitoring channels
ELAC and SEC computers have a control and a monitoring channel: these channels can be considered as two different and independent computers. If output commands between control and monitoring channels don´t agree within a pre-determined threshold, links between the computer and exterior are cut. A detection of disagreement must last a sufficiently long period of time before being considered a failure. Detection parameters are wide enough to avoid unwanted disconnections, but tight enough to avoid undetected failures. Dr Andy Brooks

8 Distributed system functions
System function is distributed between the ELAC and SEC computers. For any particular function, one computer is active while the others act as hot backups. In a 1993 article, the switch to the hot backup is said to involve a ´limited jerk´on the control surfaces. If ELAC2 fails, ELAC1 takes over. If ELAC1 fails, SEC2 takes over. If SEC2 fails, another SEC takes over. Dr Andy Brooks

9 N-version programming
Each channel of each ELAC and SEC computer was separately programmed, resulting in 4 versions of the software. N-version programming reduces the risk of a common error which could cause control surface runaway (control and monitoring channels incorrectly agreeing) or complete shutdown of all the ELAC/SEC computers. N-version programming is very expensive and is usually only done for safety-critical systems. Dr Andy Brooks

10 Software development DO-178A “Software considerations in airborne systems and equipment certification” standard compliance. Computer-assisted specification Symbols in the specification had a formal definition and strict interconnection rules. There was a degree of automated code generation from the computer-assisted specifications. There was peer review of specifications. Dr Andy Brooks

11 Software development Code modules were tested against specifications.
Black box testing Each module had equivalence classes defined. Parameter <0 ( -5 ), 0<=Parameter<=135 ( 45 ), Parameter >135 ( 142 ) The equivalence classes were approved by: the aircraft and equipment manufacturers, the airworthiness authorities, the designers, and quality control. White box testing All branches were tested. inputs expected results actual output Verification Does the code implement the specification? Dr Andy Brooks

12 System testing Iron-bird tests were performed.
All the system equipment was installed and powered as in the actual aircraft. Flight simulator tests were performed. These tests were sometimes coupled with iron-bird. Actual test flights were performed with 1000 flight control parameters monitored and recorded. Validation Does the system perform in the way expected? “Can the plane be flown safely?” Dr Andy Brooks

13 SCADE Suite™ for Safety-Critical Software Development http://www
Dr Andy Brooks

14 Destruction of part of the aircraft?
The computers were placed at three different locations throughout the aircraft. Links to actuators were run under the floor, overhead, and in the cargo compartment. Dr Andy Brooks

15 Complete failure of the automated system?
Mechanical links are retained to the Rudder and the Trimmable Horizontal Stabilisers so that the plane can still be flown in the event of a complete failure of the automated system. Dr Andy Brooks

16 Other safety features There are redundant sensors.
There are redundant actuators. Safety objectives for the aircraft are met with only 3 of the 5 ELAC/SEC computers running. One computer is sufficient to control the aircraft. The computers are connected to at least two power sources. Computers are protected against over-voltages and under-voltages, electromagnetic aggressions, and indirect effects of lightning. Dr Andy Brooks

17 Other safety features There are three hydraulic systems when one is sufficient for aircraft operation. Software defects can remain hidden for a long time. To protect against latent failure, on energization of the aircraft, each computer runs a self-test and tests its peripherals. Such testing occurs typically once a day. Dr Andy Brooks

18 Failure of both ELACs During one flight both the ELACs failed due to an air conditioning failure and the resultant temperature rise. A component did not meet the specified temperature operating range. There was a successful takeover by the SEC computers. “AIRBUS A320/A330/A340 Electrical Flight Controls A Family of Fault-Tolerant Systems” by Dominique Britxe and Pascal Traverse in: The Twenty-Third International Symposium on Fault-Tolerant Computing (FTCS-23),1993, pp , ©IEEE Dr Andy Brooks

Download ppt "FOR0383 Software Quality Assurance Lecture 5 Airbus A320/A330/A340/... "

Similar presentations

Making the System Operational

Making the System Operational
AUTOMATIC FLIGHT CONTROL SYSTEM (AFCS)

AUTOMATIC FLIGHT CONTROL SYSTEM (AFCS)
Lecture 8: Testing, Verification and Validation

Lecture 8: Testing, Verification and Validation
EECE499 Computers and Nuclear Energy Electrical and Computer Eng Howard University Dr. Charles Kim Fall 2013 Webpage: www.mwftr.com/CNE.html.

EECE499 Computers and Nuclear Energy Electrical and Computer Eng Howard University Dr. Charles Kim Fall 2013 Webpage:
Cessna Citation II Flight Controls

Cessna Citation II Flight Controls
Distributed and Reconfigurable Architecture for Flight Control System EEL 6935 - Embedded Systems Dept. of Electrical and Computer Engineering University.

Distributed and Reconfigurable Architecture for Flight Control System EEL Embedded Systems Dept. of Electrical and Computer Engineering University.
Chapter 4 Quality Assurance in Context

Chapter 4 Quality Assurance in Context
NERC Lessons Learned Summary December 2014. NERC lessons learned published in December 2014 Three NERC lessons learned (LL) were published in December.

NERC Lessons Learned Summary December NERC lessons learned published in December 2014 Three NERC lessons learned (LL) were published in December.
Protection and Relay Schemes. Agenda  Introduction of Protective Relays  Electrical System Protection with Protective Relays  Conclusion.

Protection and Relay Schemes. Agenda  Introduction of Protective Relays  Electrical System Protection with Protective Relays  Conclusion.
Boy Scouts Aviation Merit Badge Control Surfaces.

Boy Scouts Aviation Merit Badge Control Surfaces.
IE 447 COMPUTER INTEGRATED MANUFACTURING CHAPTER 9 Material Handling System 1 IE 447 - CIM Lecture Notes - Chapter 9 MHS.

IE 447 COMPUTER INTEGRATED MANUFACTURING CHAPTER 9 Material Handling System 1 IE CIM Lecture Notes - Chapter 9 MHS.
Testing: Who 3, What 4, Why 1, When 2, How 5 Lian Yu, Peking U. Michal Young, U. Oregon.

Testing: Who 3, What 4, Why 1, When 2, How 5 Lian Yu, Peking U. Michal Young, U. Oregon.
8. Fault Tolerance in Software 8.1 Introduction Is it true that a program that has once performed a given task as specified will continue to do so? Yes,

8. Fault Tolerance in Software 8.1 Introduction Is it true that a program that has once performed a given task as specified will continue to do so? Yes,
1 Software Testing and Quality Assurance Lecture 30 - Introduction to Software Testing.

1 Software Testing and Quality Assurance Lecture 30 - Introduction to Software Testing.
REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.

REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
OHT 9.1 Galin, SQA from theory to implementation © Pearson Education Limited 2004 Chapter 9.3 Software Testing Strategies.

OHT 9.1 Galin, SQA from theory to implementation © Pearson Education Limited 2004 Chapter 9.3 Software Testing Strategies.
High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.

High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.
Testing safety-critical software systems

Testing safety-critical software systems
Utilizing your notes and past knowledge answer the following questions: 1) What part of the aircraft that is located on the outer portion of the trailing.

Utilizing your notes and past knowledge answer the following questions: 1) What part of the aircraft that is located on the outer portion of the trailing.
Utilizing your notes and past knowledge answer the following questions: 1) What part of the aircraft that is located on the outer portion of the trailing.

Utilizing your notes and past knowledge answer the following questions: 1) What part of the aircraft that is located on the outer portion of the trailing.

Similar presentations

Ads by Google