The BOEING 777

1
The BOEING 777

• By
• SAURABH CHHEDA

2
Overview of the System

• Electronic Flight Controls called Fly-by-Wire
  (FBW)
• Delayed maintenance concept for major electronic
  Line Replacement Units (LRU)
• Airplane Information Management System (AIMS)
• Primary Flight Computer
• Central Computing system onboard the Boeing
• Architecturally based on the TMR
• Air Data Inertial Reference System (ADIRS) /
  Secondary Altitude Air Data Reference Unit
  (SAARU)
• Global DATAC Bus .. Commonly known as the ARINC
  629 Bus.

3
Fly-by-Wire Design Philosophy

• Must meet extreme high levels of Functional
  Integrity Availability.
• Safety Considerations
• Common mode / Common Area Faults
• Separation of FBW components
• FBW Functional Separation
• Dissimilarity
• FBW Effect on Structure.
• Usage of Hardware Redundancy for all hardware
  resources, namely.
• Computing Systems
• Airplane Electrical Power
• Hydraulic Power
• Communication Paths.

4
Primary Flight Control Function
Figure 1 from 1

• Provision of Manual Electronic Control in the
  three axis ..
• PITCH Control 2 Elevators Horizontal
  Stabilizer
• ROLL Control 2 Ailerons 2 aperons, 14
  spoilers
• YAW Control tabbed rudder
• Pilot input from the Column, wheel, rudder
  pedals, speed brakes.

5
FBW Architecture Overview
SUPPORTING SYSTEMS
AFDCs
ADMs
AIMS
ADIRU
SAARU
FLIGHT CONTROL DATA BUSES
From CONTROL PILOT INPUT
PFCs
To PRIMARY FLIGHT CONTROL SURFACES

• AIMS Aircraft Information Management System
• AFDC AutoPilot Flight Direction Computer
• ADIRU Air Data Inertial Reference Unit
• SAARU Secondary Altitude Air Data Reference
• ACE Actuator Control Electronics
• PFC Primary Flight Computer
• PCU Power Control Units, Actuators

PCUs (31)
ACEs
6
Primary Flight Control Modes

• There are THREE Primary Flight Control Modes
• Normal Control Mode.
• Pilot Commands are input through control columns,
  wheels, rudder pedals and a speedbrake lever.
• Transducers sense the pilot commands for the
  Actuator Control Electronics.
• The ACEs convert the analog command signals into
  digital form and transmit to the Primary Flight
  Computers via the ERINC Bus
• The PFCs receive the airplane inertial and air
  data from the ADIRU / SAARU
• Surface Commands are transmitted to the ACEs via
  the ARINC Bus
• ACEs convert the digital commands to analog
  commands to electrically control the Actuators.

7
Primary Flight Control Modes

• Direct Control Mode.
• Selected under two conditions
• 1. Flight Deck Switch
• 2. ACEs detecting Invalid commands from the PFCs
• ACEs use the Analog Pilot Controller transducer
  signals to generate surface commands.
• Secondary Control Mode.
• Selected under two conditions
• 1. Insufficient availability of inertial or air
  data.
• 2. When ACEs are in the Direct Mode.
• Limited Control over the aircraft control
  surfaces.

8
Actuator Control Electronics

• Redundancy in the form of FOUR ACEs
• Provide an Interface between the FBW analog
  domain digital domain.
• Each ACE contains.
• Three Terminals to communicate with the data
  buses, according to the ARINC specifications.
• A Control Mode Selection which either responds to
  the commands on the digital bus or the analog
  control laws depending upon the Mode of Control
  of the PFC.
• At any given time, at least one of the remaining
  three ACEs is monitoring the operational ACE for
  faults or incorrect output commands.

9
Actuator Control Electronics
Flight Control ARINC 629 Data Bus
Primary PCU Servo Loops Monitors Elevator Ailer
on Flaperon Rudder
Power Supply Condition
ARINC 629 Interface LEFT BUS
ARINC 629 Interface CENTER BUS
ARINC 629 Interface RIGHT BUS
Input Signal Monitoring Signal Selection
Spoiler Servo Loops
Feel Actuator Servo Loops
Control Mode Selection
PILOT COMMANDS
Direct Analog Mode Engage
Backdrive Actuator Servo Loops
Auto Speedbrake Arm
10
Role of Primary Flight Computer

• Receive Inertial Data from
• Air Data Inertial Reference System (ADIRS)
• Secondary Altitude and Air Data Reference Unit
  (SAARU)
• Actuator Control Electronics (ACE)
• Compute Control Surface position commands
  depending upon the data received.
• Transmit position commands back to the Actuator
  Control Electronics via the DATAC (commonly
  called the ARINC 629) buses.

ADIRS Air Data Inertial Reference System
SAARU Secondary Altitude Air Data Reference
Unit
Primary Flight Computer
Actuator Control Electronics
11
PFC Architecture Overview

• Three Primary Flight Computers provide Triple
  redundant computational channels for the primary
  flight control system.
• Each PFC receives data from all three ARINC
  Control buses.
• Each PFC transmits data on its associated bus
  only.
• Each PFC channel contains three dissimilar
  processor lanes
• Each lane contains dissimilar processors and
  different Ada compilers to provide triple
  dissimilarity.
• Each lane contains its own power source.
• Each lane has its own ARINC 629 terminals to
  communicate with the buses.
• These exists inter-lane communication within each
  channel.
• There also exists inter-channel communication.

12
PFC Architecture Overview
Left PFC
Power Supply
Power Supply
Power Supply
Micro- Processor AMD 29050
Micro- Processor Motorola 68040
Micro- Processor INTEL 80486
Center PFC
Right PFC
ARINC 629 Interface
ARINC 629 Interface
ARINC 629 Interface
Lane 1
Lane 2
Lane 3
L
C
R
Flight Control ARINC Data Buses
13
PFC Safety Requirements

• Safety Requirements apply to two types of
  failures
• Passive failures which cause loss of function
  without significant immediate airplane transient
• Active failures which cause malfunction with
  significant immediate failures.
• Numerical Probability requirements for both
  failures
• 1.0E10 per flight hour.
• PFC should be designed for a Nominal Mission for
  following configuration.
• All PFC lanes operational
• Any single PFC lane inoperative
• PFC should be designed for AutoLand for following
  configurations.
• Any single PFC lane inoperative in one, two or
  all the PFCs
• Any one PFC inoperative and any one lane of
  remaining two PFCs inoperative
• All PFC lanes operational
• Any one PFC inoperative.

14
PFC Safety Requirements

• The PFC should also comply to the following
• No single fault should cause an erroneous
  transmission of output signals without a failure
  indication.
• No single fault can cause a loss of function in
  more than one PFC.
• BOEING 777 uses a
• Triple Triple Redundant PFC Architecture

15
FBW Design Constraints

• The Airplane can be susceptible to Common Mode /
  Common Area faults ..
• Impact of objects
• Electrical faults
• Hydraulic failures
• Structural damage
• Electromagnetic environments
• The Boeing Design Constraints on the basis of
  these faults are
• Component Functional Separation enable
  maintenance crew error or mishandling.
• Separation of FBW Components
• Multiple equipment bays
• Physical separation of electrical wiring
  hydraulic lines routing.
• Physical separation of redundant LRUs

16
FBW Design Constraints

• Functional Separation
• Electrical Power allocated to the PFC and ACE
• Left, Right Center Flight Control Electrical
  buses
• Although all PFCs and ACEs listen to all three
  ARINC 629 Buses, each transmits on its own
  specific bus only.
• Monitoring of other buses is possible
• A single unit failure does not affect other
  Units.
• Similar to the L/C/R Flight Control Bus system,
  there is a L/C/R Hydraulic System. Advantage of
  this arrangement is obvious ..
• Single hydraulic bus failure does not affect the
  controllability of the aircraft.
• Maintaining Dissimilarity
• Generic Design Faults can defeat redundancy
  strategies
• Refer to Generic Faults Architecture Design
  Considerations in Flight Critical Systems S.
  S. Osder, AIAA Journal of Guidance, 1983.

17
FBW Design Constraints

• Dissimilar Microprocessors and Compilers in the
  PFCs (common software)
• Dissimilar Control Monitor Functions in ACE
• Dissimilar ADIRU / SAARU
• ACE direct mode bypasses the ARINC Control Buses.

18
PFC Redundancy Management
Flight Control Buses
Input Signal Management (ISM)
Control Laws Calculation (CLAWS)
Output Signal Management (OSM)
PCO
629 XMT
SCO
Left ACE
ADIRU
Channel Output Selector (COPS)
SAARU
PCO
STORE
Left PFC Command Lane
PCO
Center ACE
Center PFC Command Lane
Left AIMS
Right ACE
System Buses
Right AIMS
Right PFC Command Lane
PCO Proposed Command Output SCO Selected
Command Output
L
C
R
L
C
R
19
PFC Redundancy Management

• PFC Cross-Lane Data Bus
• Separate from the ARINC 629 Control Buses
• To provide Data Synchronization Frame
  Synchronization within Channel
• PFC Frame Synchronization
• For tighter Cross-Lane Monitoring thresholds
• Synchronization is within a few microseconds.
• PFC Data Synchronization
• All PFC lanes are synchronized to same data set.
  This data is then used at the beginning of each
  computational frame.
• Can tolerate occasional PFC lane differences
• ARINC 629 operates at 2 MHz (T 20
  microseconds)
• Frame Synchronization for shortest usable word
  string is very less compared to this T of 20
  microseconds.

20
PFC Redundancy Management

• Each PFC Lane can operate in two modes
• Command Mode
• Monitor Mode
• Only one of the three lanes can be in Command
  Mode
• The command lane performs the following
  functions
• Receives proposed surface commands from the
  other two PFC Channels
• Median Select of the three inputs
• The output of the median is sent as Selected
  Surface Command
• PFC lanes in Monitor mode perform Selected
  Output monitoring of their command lane
• PFC Command lane performs Selected Output
  monitoring of other two PFC Channels.

21
PFC Redundancy Management

• The median select provides
• Fault Blocking against PFC faults until
  completion of fault detection identification.
• Reconfiguration via the PFC cross-lane
  monitoring.
• The PFC Command lane is inhibited via the
  cross-lane inhibit hardware logic.
• The faulty PFC Channel is inhibited via the
  cross-channel inhibit hardware logic.

22
Output Signal Monitoring

• Figure 10 of 1

23
ARINC 629 Digital Data Bus

• Time Division multiplexed system
• Multiple transmitters with broadcast-type
  autonomous terminal access
• Up to 120 Users may be connected together
• Users communicate to the bus using a coupler and
  terminal.
• Terminal Access is autonomous.
• Terminals listen to the bus and wait for a quiet
  period before transmitting.
• Only one terminal can transmit at a time.
• After transmitting, three protocol timers ensure
  that it transmits only after every other terminal
  had a chance to transmit.
• The Terminal Controller the SIM (Serial
  Interface Module) are installed on a circuit
  board within each LRU.

24
ARINC 629 Block Diagram
ARINC 629 Data Bus
Current Mode Coupler
Receive Personality PROM
Terminal Controller
Demodulator
Receiver
AddressData
Subsystem Interface
SIM
Protocol
Protocol
STRAP
Address
Transmitter
Modulator
Transmit Personality PROM
25
ARINC 629 Requirements

• For FBW operation
• Data Bus availability requirements
• Error Tolerance 1 bit per E8 bits
• Tolerance of Aperiodic Bus Operation
• A common CRC Algorithm Usage.

26
Fault Tolerant - ADIRS

• Consists of
• Air Data Inertial Reference Unit (ADIRU)
• Secondary Attitude Air Data Reference Unit
  (SAARU)
• six Air Data Modules (ADMs)
• Needs for the ADIRS
• Eliminate need for the many subsystem to perform
  inertial air data redundancy management.
• To provide a single high-integrity, consolidated
  source of inertial and air data to all systems.
• To relieve the pilots of the responsibility to
  detect and isolate erroneous data from their
  displays.

27
FT - ADIRU
GYROS
ACCELS
G
G
G
G
G
G
A
A
A
A
A
A
MICROPROCESSORS
PS
REDUNDANCY MGMT.
REDUNDANCY MGMT.
PS
AIR DATA VOTERS
PS
Power Supplies
LEFT
RIGHT
CENTER
I/O
I/O
I/O
I/O
VOTER
VOTER
VOTER
VOTER
INPUT
INPUT
WRAPARR
WRAPARR
WRAPARR
WRAPARR
28
FT - ADIRU

• The FT - ADIRU is responsible for its own
  redundancy management.
• Responsible for associated Air Data Sensors.
• Processors in the ADIRU
• Vote Monitor the Triplex air data sensors.
• Monitor the ARINC modules by full data
  wrap-around
• Monitor the Power Supplies as to which should
  power the entire Unit.
• ARNIC Modules do a bit-by-bit vote of processor
  outputs.
• The FT - ADIRU transmits identical data on two
  ARINC 629 buses.

29
FT - ADIRS Architecture
LEFT PITOT PROBE
ADM
ADM
ADM
ADM
L1
L2
C1
C2
R1
R2
L
C
R
P1
P2
P3
P4
PY
PZ
STDY ADM
STANDBY DISPLAYS
ADIRU
SAARU
STBY. ADM
ARINC 429 Display Buses
ADM
ADM
CENTER PITOT PROBE
RIGHT PITOT PROBE
30
FT - ADIRS

• A backup unit .. SAARU is also implemented
• It is physically separated source of critical
  data.
• Entirely dissimilar in design from the FT-ADIRU
• Under Normal conditions the ADIRU is used
  (except for the standby attitude display)
• Once ADIRU goes Invalid, the SAARU performs air
  data sensor voting and monitoring.
• The ADMs are connected to the Pitot Probes
  flush static probes.
• The ADMs use the ARINC 629 to communicate with
  the ADIRU SAARU.
• Two standby ADMs use a dedicated ARINC 429 to
  communicate with the standby displays.

31
AutoPilot Flight Director System

• Provides functions necessary for automatic
  control.
• The system consists of
• Mode Control Panel (MCP)
• THREE Autopilot Flight Director Computers (AFDCs)
• Flight Director
• Back drive Control Actuators (BACs) etc.
• AFDS does not have direct control of Primary
  flight Control Surfaces.
• The Flow is
• Autopilot Flight Director System
• Primary Flight Control Computers
• Actuator Control Electronics

32
Frontdrive System Architecture
Input Sensor Voting And Signal Selection Plane
Command Voting Plane
ADIRU
I/O
Analog
429 Sensors L
MANUAL
V
COMPUTATION
V
ACE
PCU
AP
SAARU
MANUAL
Analog
COMPUTATION
V
V
ACE
PCU
429 Sensors C
ARINC 629 Buses
ARINC 629 Buses
AP
MANUAL
COMPUTATION
V
V
ACE
PCU
AP
ADIRU
Analog
429 Sensors R
AFDCs
PFCs
33
References.

• Y.C.Yeh, Triple-Triple Redundant 777 Primary
  Flight Computer
• 1996 IEEE Aerospace Applications Conference,
  February 1996.
• Y.C.Yeh, Dependability of the 777 Primary Flight
  Control System
• DCCA-5, September 1995.
• Y.C.Yeh, Design Considerations in Boeing 777
  Fly-By-Wire Computers
• 3rd IEEE International High-Assurance Systems
  Engineering Symposium, 1998
• Melville McIntyre Cynthia Gossett, The Boeing
  777 Fault Tolerant Air Data Inertial Reference
  System A New Venture in Working Together.
• Ronald Hornish, 777 AutoPilot Flight Director
  System

34
On the Lighter Side

• I Always thought
• what is it that makes these airplanes so
  expensive and safe
• ..
• ..
• ..
• ..
• ..
• ..
• ..
• ..
• ..
• ..
• Now I have the answer hope you do to !!