13.06.22 Dr Andy Brooks 1 Lecture 5 Airbus A320/A330/A340/... www.airbus.com FOR0383 Software Quality Assurance A success story, but nothing is perfect: http://catless.ncl.ac.uk/php/risks/search.php?query=airbus

Page 1

Lecture 5

Airbus A320/A330/A340/...

www.airbus.com

FOR0383 Software Quality Assurance

A success story, but nothing is perfect: http://catless.ncl.ac.uk/php/risks/search.php?query=airbus

Page 2

The JAA (Joint Aviation Authorities) issued the type certificate for the A320 on 26 February 1988. The A320 was the first civil aircraft equipped with a digital electrical flight control system.

The first electrical flight control system for a civil aircraft was installed on Concorde, but that was an analog system.

fly-by-wire

“glass cockpit”

Page 3

Success of Airbus

“Airbus is one of the world's leading aircraft manufacturers, and it consistently captures approximately half or more of all orders for airliners with more than 100 seats.”
http://www.airbus.com/en/corporate/ downloaded 14-Jan-09

“Airbus has shipped 3,594 A318/A319/A320/A321s since its certification/first delivery in early 1988, with another 2,703 on firm order (31 August 2008).[17] Boeing has shipped 5,720 737s since late 1967, with 4,374 of those deliveries since 1988, and has a further 2,191 on firm order (30 April 2008).[18] Based on figures since 1988 when they first entered direct competition, Airbus delivered on average 174 A320 series aircraft per annum, while on average 208 Boeing 737s were delivered.”
http://en.wikipedia.org/wiki/Airbus_A320_family#Competition downloaded 14-Jan-09

Page 4

Figure: Flight Control Surfaces of an A340 (pitch, yaw, roll). Labels on the diagram:

• ailerons: bank left or right (roll)
• elevators: pitch up or down
• rudder: rotate about the vertical axis (yaw); also under mechanical control
• trimmable horizontal stabilisers: also under mechanical control
• slats and flaps: increase lift (slats: stall prevention)
• spoilers: reduce lift

All surfaces are electrically controlled and hydraulically activated.

Page 5

Why fly-by-wire?

• Many aircraft accidents involve human error.
• Fly-by-wire allows for automation of various tasks and improves the interaction between the pilots and the flight controls. As a result, the pilots' workload is reduced and they are less tired.
• Fly-by-wire means that flight control software can provide a flight protection envelope which, for example, can prevent pilots from inadvertently stalling the aircraft (by adopting a too high angle-of-attack) or making a descent too quickly.

Page 6

Computers (A320)

• ELAC (two of): Elevator and Aileron Computers
• SEC (three of): Spoiler and Elevator Computers
• FAC (two of): Rudder control
• Two auto-pilot computers

The ELACs and SECs were designed and manufactured by different companies so that the system would be tolerant to a design or manufacturing fault.

Thomson-CSF: 6810 microprocessor
SFENA/Aerospatiale: 80186 microprocessor

Page 7

Control and monitoring channels

• ELAC and SEC computers have a control and a monitoring channel: these channels can be considered as two different and independent computers.

• If output commands between control and monitoring channels don't agree within a pre-determined threshold, links between the computer and the exterior are cut.

• A detection of disagreement must last a sufficiently long period of time before being considered a failure.

• Detection parameters are wide enough to avoid unwanted disconnections, but tight enough to avoid undetected failures.

Page 8

Distributed system functions

• System function is distributed between the ELAC and SEC computers.

• For any particular function, one computer is active while the others act as hot backups.

• In a 1993 article, the switch to the hot backup is said to involve a 'limited jerk' on the control surfaces.

• If ELAC2 fails, ELAC1 takes over.
• If ELAC1 fails, SEC2 takes over.
• If SEC2 fails, another SEC takes over.
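The two slides above (control/monitoring channel comparison, and the priority-ordered hot backups) can be put together in a small model. This is example code written for these notes, not Airbus or the 1993 paper's code; the class names, the 0.5° agreement threshold, the three-cycle confirmation window and the injected faults are all assumptions chosen for illustration. The model shows the trade-off stated on the previous slide: during the confirmation window the disagreeing command still reaches the actuator, which is the price paid for avoiding unwanted disconnections.

```python
"""Model of ELAC/SEC self-monitoring and hot-backup takeover (added example, not Airbus code)."""
from dataclasses import dataclass


@dataclass
class Computer:
    """One flight control computer with a control and a monitoring channel."""
    name: str
    threshold: float        # assumed: max |control - monitor| still counted as agreement
    confirm_cycles: int     # assumed: disagreement must persist this many cycles to be a failure
    disagree_count: int = 0
    failed: bool = False

    def step(self, control_cmd, monitor_cmd):
        """One compute cycle. Returns the command this computer would send to the
        actuator, or None once it has cut its links to the exterior."""
        if self.failed:
            return None
        if abs(control_cmd - monitor_cmd) > self.threshold:
            self.disagree_count += 1
            if self.disagree_count >= self.confirm_cycles:
                self.failed = True      # persistent disagreement: passivate this computer
                return None
        else:
            self.disagree_count = 0     # transient disagreement is forgiven
        return control_cmd


class FlightControlFunction:
    """One function (e.g. pitch) with a priority-ordered chain of computers:
    the first healthy one is active, the others are hot backups."""

    def __init__(self, chain):
        self.chain = chain              # slide order: ELAC2 -> ELAC1 -> SEC2 -> another SEC

    def active(self):
        for c in self.chain:
            if not c.failed:
                return c
        return None

    def cycle(self, outputs):
        """outputs: name -> (control_cmd, monitor_cmd) for every computer this cycle.
        Every computer checks itself (backups are hot), then the highest-priority
        healthy one drives the surface. Returns (active_name, command)."""
        for c in self.chain:
            c.step(*outputs[c.name])
        act = self.active()
        return (act.name, outputs[act.name][0]) if act else (None, None)


def simulate():
    """Constructed scenario: ELAC2's control channel drifts from cycle 3 on,
    ELAC1's monitor channel glitches for a single cycle. Returns a per-cycle log."""
    chain = [Computer(n, threshold=0.5, confirm_cycles=3)
             for n in ("ELAC2", "ELAC1", "SEC2", "SEC1")]
    pitch = FlightControlFunction(chain)
    log = []
    for t in range(8):
        demand = 2.0                                     # constructed elevator demand (deg)
        elac2_ctrl = demand + (3.0 if t >= 3 else 0.0)   # persistent fault in ELAC2
        elac1_mon = demand + (4.0 if t == 1 else 0.0)    # one-cycle transient in ELAC1
        outputs = {
            "ELAC2": (elac2_ctrl, demand),
            "ELAC1": (demand, elac1_mon),
            "SEC2": (demand, demand),
            "SEC1": (demand, demand),
        }
        log.append((t,) + pitch.cycle(outputs))
    return log


if __name__ == "__main__":
    for t, name, cmd in simulate():
        print(f"cycle {t}: active={name} command={cmd}")
```

In the constructed run ELAC1 survives its single-cycle glitch, ELAC2 is passivated on cycle 5 after three consecutive disagreements, and ELAC1 takes over with the correct demand; cycles 3 and 4 show the drifted command passing through while the disagreement is being confirmed.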

Page 9

N-version programming

• Each channel of each ELAC and SEC computer was separately programmed, resulting in 4 versions of the software.

• N-version programming reduces the risk of a common error which could cause control surface runaway (control and monitoring channels incorrectly agreeing) or complete shutdown of all the ELAC/SEC computers.

N-version programming is very expensive and is usually only done for safety-critical systems.

Page 10

Software development

• DO-178A “Software considerations in airborne systems and equipment certification” standard compliance.
• Computer-assisted specification
– Symbols in the specification had a formal definition and strict interconnection rules.
– There was a degree of automated code generation from the computer-assisted specifications.
• There was peer review of specifications.

Page 11

Software development

• Code modules were tested against specifications.
• Black box testing
• Each module had equivalence classes defined.
– Parameter < 0 (-5), 0 <= Parameter <= 135 (45), Parameter > 135 (142)
• The equivalence classes were approved by: the aircraft and equipment manufacturers, the airworthiness authorities, the designers, and quality control.
• White box testing
• All branches were tested.

Verification: Does the code implement the specification? (inputs → expected results, compared against actual output)
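The equivalence classes on this slide translate directly into a black-box test table. The following is example code written for these notes, not Airbus code: the function under test (assumed to clamp the parameter into 0..135), the boundary values added beside the slide's three representatives, and the deliberately faulty variant are all assumptions. It goes slightly beyond the slide by showing why boundary values are added to the class representatives.

```python
"""Black-box testing with equivalence classes (added example, not Airbus code)."""

LOW, HIGH = 0.0, 135.0   # the range 0 <= Parameter <= 135 from the slide


def equivalence_class(parameter):
    """Name the equivalence class a value belongs to (the three classes on the slide)."""
    if parameter < LOW:
        return "below"
    if parameter > HIGH:
        return "above"
    return "in-range"


def limit_parameter(parameter):
    """Function under test (assumed specification): clamp the parameter into [0, 135]."""
    if parameter < LOW:
        return LOW
    if parameter > HIGH:
        return HIGH
    return parameter


def faulty_limit(parameter):
    """Constructed buggy variant: off-by-one at the upper bound (136 is not clamped)."""
    if parameter < LOW:
        return LOW
    if parameter > HIGH + 1:
        return HIGH
    return parameter


# Constructed test table: (input, expected result).
SLIDE_CASES = [(-5, 0.0), (45, 45.0), (142, 135.0)]          # one representative per class
BOUNDARY_CASES = [(-1, 0.0), (0, 0.0), (135, 135.0), (136, 135.0)]  # assumed boundary values


def black_box_test(impl, cases):
    """Feed each input to impl and compare with the expected result.
    Returns (failures, classes_exercised); failures are (input, expected, actual)."""
    failures = []
    covered = set()
    for inp, expected in cases:
        covered.add(equivalence_class(inp))
        actual = impl(inp)
        if actual != expected:
            failures.append((inp, expected, actual))
    return failures, covered


if __name__ == "__main__":
    for name, impl in (("limit_parameter", limit_parameter), ("faulty_limit", faulty_limit)):
        for label, cases in (("representatives", SLIDE_CASES),
                             ("representatives+boundaries", SLIDE_CASES + BOUNDARY_CASES)):
            failures, covered = black_box_test(impl, cases)
            print(f"{name} / {label}: classes={sorted(covered)} failures={failures}")
```

The three representatives exercise every class and every branch of `limit_parameter`, yet they pass the off-by-one variant unchanged; only the boundary value 136 exposes it, which is why a test table built from equivalence classes is normally completed with the values at each class edge.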

Page 12

System testing

• Iron-bird tests were performed.
– All the system equipment was installed and powered as in the actual aircraft.
• Flight simulator tests were performed.
– These tests were sometimes coupled with the iron-bird.
• Actual test flights were performed with 1000 flight control parameters monitored and recorded.

Validation: Does the system perform in the way expected? “Can the plane be flown safely?”

Page 13

SCADE Suite™ for Safety-Critical Software Development

http://www.esterel-technologies.com/products/scade-suite/

Page 14

Destruction of part of the aircraft?

• The computers were placed at three different locations throughout the aircraft.

• Links to actuators were run under the floor, overhead, and in the cargo compartment.

Page 15

Complete failure of the automated system?

• Mechanical links are retained to the Rudder and the Trimmable Horizontal Stabilisers so that the plane can still be flown in the event of a complete failure of the automated system.

Page 16

Other safety features

• There are redundant sensors.
• There are redundant actuators.
• Safety objectives for the aircraft are met with only 3 of the 5 ELAC/SEC computers running.
• One computer is sufficient to control the aircraft.
• The computers are connected to at least two power sources.
• Computers are protected against over-voltages and under-voltages, electromagnetic aggressions, and indirect effects of lightning.

Page 17

Other safety features

• There are three hydraulic systems when one is sufficient for aircraft operation.
• Software defects can remain hidden for a long time. To protect against latent failure, on energization of the aircraft, each computer runs a self-test and tests its peripherals.
– Such testing occurs typically once a day.
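The latent-failure bullet above and the "3 of 5 ELAC/SEC computers" objective from the previous slide fit together as a power-up check. This is example code written for these notes, not Airbus code; what the self-test actually verifies is not stated on the slides, so the program-memory checksum and the peripheral loopback used here, the computer names and the injected faults are all assumptions.

```python
"""Power-on self-test and availability check (added example, not Airbus code)."""
import zlib

MIN_RUNNING = 3   # slide: safety objectives are met with 3 of the 5 ELAC/SEC computers running


class FlightComputer:
    def __init__(self, name, program, expected_crc, peripherals):
        self.name = name
        self.program = program            # bytes of the stored program image
        self.expected_crc = expected_crc  # reference CRC recorded at build time (assumed)
        self.peripherals = peripherals    # name -> loopback(x) callable returning x when healthy
        self.available = False

    def power_on_self_test(self):
        """Run at energisation. Returns a list of findings; an empty list is a pass.
        A computer that fails stays unavailable rather than joining the active set."""
        findings = []
        # Assumed check 1: program memory integrity, so a corrupted image is not executed.
        if zlib.crc32(self.program) != self.expected_crc:
            findings.append("program memory checksum mismatch")
        # Assumed check 2: each peripheral echoes a test pattern back.
        pattern = 0xA5
        for pname, loopback in self.peripherals.items():
            try:
                if loopback(pattern) != pattern:
                    findings.append(f"{pname} loopback failed")
            except Exception as exc:          # a dead peripheral may raise rather than answer
                findings.append(f"{pname} raised {type(exc).__name__}")
        self.available = not findings
        return findings


def energise(computers):
    """Power up every computer; returns (names that passed, safety objective met?)."""
    available = [c.name for c in computers if not c.power_on_self_test()]
    return available, len(available) >= MIN_RUNNING


# Constructed fleet: two computers carry a latent fault that only the self-test reveals.
GOOD_IMAGE = b"constructed flight control program image v1"
GOOD_CRC = zlib.crc32(GOOD_IMAGE)


def healthy_loopback(x):
    return x


def stuck_loopback(x):
    return 0                               # constructed: peripheral output stuck at zero


def build_fleet():
    corrupted = bytearray(GOOD_IMAGE)
    corrupted[3] ^= 0x01                   # constructed single-bit corruption in SEC3's memory
    return [
        FlightComputer("ELAC1", GOOD_IMAGE, GOOD_CRC, {"adc": healthy_loopback}),
        FlightComputer("ELAC2", GOOD_IMAGE, GOOD_CRC, {"adc": healthy_loopback}),
        FlightComputer("SEC1", GOOD_IMAGE, GOOD_CRC, {"adc": stuck_loopback}),
        FlightComputer("SEC2", GOOD_IMAGE, GOOD_CRC, {"adc": healthy_loopback}),
        FlightComputer("SEC3", bytes(corrupted), GOOD_CRC, {"adc": healthy_loopback}),
    ]


if __name__ == "__main__":
    names, ok = energise(build_fleet())
    print("available after self-test:", names, "| safety objective met:", ok)
```

With the two constructed faults the fleet powers up with exactly three computers available, which still meets the objective; a third latent fault would not, and the point of running the test at every energisation is that this is discovered on the ground rather than in flight.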

Page 18

Failure of both ELACs

• During one flight both the ELACs failed due to an air conditioning failure and the resultant temperature rise.

• A component did not meet the specified temperature operating range.

• There was a successful takeover by the SEC computers.

“AIRBUS A320/A330/A340 Electrical Flight Controls: A Family of Fault-Tolerant Systems” by Dominique Brière and Pascal Traverse, in: The Twenty-Third International Symposium on Fault-Tolerant Computing (FTCS-23), 1993, pp. 616-623, ©IEEE