
Integrated and Modular Systems

for Commercial Aviation

Frank M.G. Dörenberg


AlliedSignal Commercial Avionics Systems
Redmond, WA

Presented at UCLA Modular Avionics short course


February 3-7 1997

phone: (206) 885-8489 fax: (206) 885-2061 e-mail: frank.doerenberg@alliedsignal.com


phone: (425) 836-4594 e-mail: frank.doerenberg@usa.net
1995-1997 F.M.G. Dörenberg


Personal introduction

Education:
MSEE Delft Univ. of Technology (1984)
MBA Nova Southeastern Univ. (1996)
Enrolled in PhD/EE program at University of Washington

Work:
AlliedSignal Aerospace since 1984
Principal Eng on Integrated Hazard Avoidance System program (96-)
Prog Mgr / Staff Eng on Be-200 Integr. Avionics program (94-96)
Lead systems engineer on A330/340 SFCC program (89-93)
Systems engineer on Boeing 7J7 PFCS prototype program (86-89)
Engineer on autopilot and flight simulator program (84-86)

Miscellaneous:
Private pilot


Integrated and Modular Avionics

Introduction
Why change avionics?
Integration
Modularization
Future .....



Global aviation system
- changes must be considered in overall system context -

[Diagram linking the elements of the Integrated Aviation System: Aircraft; Crew; Airlines & Operators; Airspace Sys., ATC/ATM; Ground & Space Infrastructure; Environment; Govt & Agencies; Industry; Payload; Avionics Mfrs; Airframe Mfrs]

- many stakeholders, requirements, constraints, competition -

Aircraft sub-systems

[Diagram of aircraft sub-systems: Flight Control; Electrical power; Fuel Mgt; Air Data; Engine thrust; Comm/Nav; Surveillance; Structure & Gear; Computer/Data links; Cabin air press/temp; Cabin lighting; Cargo/bag handling; Galleys & water/waste; Phone & fax; Cabin call/PA; Audio, games & video. Legend: each sub-system is marked either as req'd for ops in air transport system, or as req'd for cargo and pax comfort/well-being]


Why change avionics?
Airline/Operator's point of view:
to increase profit potential
lower acquisition cost
reduced maintenance cost
profitable at reduced load factor
ROI, LCC, affordability, payback
seat-mile economics
serviceable and flyable with minimal maint. and
flight crew training (inc. fleet commonality)
payload, range, route structures, fuel burn (weight &
volume of equipment/wiring/installation/structure)

cont'd

- familiar business criteria: benefits, cost, risks, profit -


Why change avionics?

Airline/Operator's point of view (cont'd):


safety (e.g., CFIT, WX & Windshear Radar, TCAS)
reliability, dispatchability
deferred maint., reduced unscheduled maint.
improved BITE (fault isolation, MTBUR/MTBF)
compliance with new regulations (e.g., TCAS)
increased crew & pax comfort
goal: on-time-arrival-rate = dispatchability-rate
(now: 80% vs. 98%). Currently, existing capability cannot be utilized due to ATC
incompatibilities.
cont'd


Why change avionics?

Airline/Operator's point of view (cont'd):


reduced turnaround time at gate (productivity)
to support migration towards functionally flexible
a/c (configuration changes) that allows:
easy incorporation of systems changes
response to changes in operational environment
to have systems that are mature at entry into service
instead of years later (esp. for early ETOPS)
to reduce the cost of future software mods



Operators seek revenue enhancement

Value-added in the areas of:


operational efficiency
economic utility
and above all
safety

- no new technology for its own sake -


ref.: Welliver, A.D.: Higher-order technology: Adding value to an airplane, Boeing publ., presented to Royal Aeronautical Society, London, Nov. 1991
ref.: Is new technology friend or foe? editorial, Aerospace World, April 1992, pp. 33-35
ref.: Fitzsimmons, B.: Better value from integrated avionics? Interavia Aerospace World, Aug. 1993, pp. 32-36
ref.: ICARUS Committee: The dollars and sense of risk management and airline safety, Flight Safety Digest, Dec. 94, pp. 1-6

Gains from avionics technology investments

[Chart: Airplane Operational Effectiveness vs. time (1900, 1950, 2000), starting at the Wright Flyer. Curves: Individual non-avionic technologies (aerodynamics, flight controls, structures, propulsion); Avionics technologies; Info integration technologies]

- avionics is (growing) part of the equation -


Why change avionics? (cont'd)

Authorities:
ATC & ATM
ground- & space-based infrastructure
fed & intl (de-)regulations
safety (e.g., TCAS, smoke det.)
environment
Avionics suppliers:
customer satisfaction, one-stop-shopping
cost reduction / profitability margins
technological leadership
strategic shift from BFE (commodity) → SFE
integrate competitors' traditional products
integrate or die
ref.: P. Parry: Who'll survive in the aerospace supply sector?, Interavia, March 94, pp. 22-24
ref.: R. Ropelewski, M. Taverna: What drives development of new avionics?, Interavia, Dec. 94, pp. 14-18 & Jan. 95, pp. 17-18

Why change avionics? (cont'd)

Airframe manufacturer:
customer satisfaction, product performance,
passenger appeal
significant cost reduction over previous
generation (esp. for smaller a/c, due to seat-cost considerations; e.g. 100 pax
target: $35M → $20M)

reduced cycle time:
a/c development
a/c production (e.g., equipment installation & wiring)
competition (incl. from used & stored a/c, teleconf.)
cont'd


Why change avionics? (cont'd)

Airframe manufacturer (cont'd):

more demanding systems characteristics:
maint. deferred for 100-200 hrs or even until C-check
(fault tol., spare-in-box)
fault-tolerance transparent to application s/w
brick-wall partitioned applications
all Aps & Ops software: on-board loadable/upgradeable
100% fault detection and complete self-test (w/o test equipment)
95% reliability over a/c life (60k-100k hrs)
- more, better, cheaper, faster -

ref.: P. Parry: Who'll survive in the aerospace supply sector?, Interavia, March 94, pp. 22-24
ref.: R. Ropelewski, M. Taverna: What drives development of new avionics?, Interavia, Dec. 94, pp. 14-18 & Jan. 95, pp. 17-18

Why change avionics? (cont'd)

Air traffic reasons:


world/regional air traffic growth
productivity improvement: traffic
volume, density, flow
maintain & enhance safety
Technical & technological reasons:
airframe or engine changes
obsolescence, new capabilities
- system solutions to achieve conflict-free navigation while executing
the best performance flight-plan, moderated by passenger comfort -


Avionics business

high-tech but low volume


typ. -life time frames:
airframe: 25 years
electronics: 2 years
data buses: 10-15 years
HOL: ?

- aircraft life-cycle: initial development, production run,
through a/c lifespan after last one delivered -


Changing air transport environment
(total) cost is paramount
emerging markets
airlines (still) show cumulative net loss (carriers gradually
returning to fin. health; '95 global airline operating profits $6B vs. '92 loss of $2B)
airline mergers, alliances, bankruptcies
airlines seek revenue enhancement and cost reductions
increasing air traffic volume, delays
FANS/free flight: increased capacity, reduced
separation, same or better safety
airlines & airframers want RC, forcing suppliers NRC
no real competition yet from video/teleconf. (biz travel)

- airplanes are a commodity in rising cost environment -


Changing air transport environment

[Chart, 1960 to 1990: Productivity (+5-6% p.a.); DOC Index; Revenue/Expense ratio; Yield (-2.5-2.9% p.a.)]
- airline performance trends -
ref.: Airline Business, January 1996, p. 29
ref.: A. Smith: Cost and benefits of implementing the new CNS/ATM systems, ICAO Journal, Jan/Feb 96, pp. 12-15, 24

Scheduled passenger traffic trends
- World air traffic growth outpaces economic growth -
- world fleet is forecast to double over 20 years (by 2015: 20,000* > 50 seats) -
* ex CIS & Baltic states

[Chart: Scheduled pax (millions, 200 to 1200) vs. year (1990 to 2005), with curves for Domestic and International traffic; annotations: + 5%/year, + 6%/year, +7%/year, =1.7 B]

ref.: Flight International, 3-9 January 1996, p. 27,28
ref.: Boeing CAG Current Market Outlook 1995
ref.: K. O'Toole: Cycles in the sky, Flight Intl, 3-9 July 1996, p. 24
ref.: IATA raises five-year passenger forecast, Flight Intl, 6-12 Nov 1996, p. 8

Scheduled-passenger and freight traffic - steady growth

[Chart, 1985 to 2005, ACTUAL and ICAO FORECAST: Passengers in Pax-km (billions, log-scale, 300 to 5000) and Freight in Tonne-km (billions, log-scale, 30 to 500); forecast annotations: Most likely (5.5% p.a.), Most likely (7% p.a.)]

- potential for airspace and airport congestion -

ref.: C. Lyle: Plan for guiding civil aviation in the 21st century represents a renewed commitment by ICAO, ICAO Journal, March 1997, pp. 5-

Changing air transport environment

[Bar chart: 1994 traffic and Growth 1995-2014, in RPMs, billions (0 to 1,000), for the following markets]
North America
Intra Asia Pacific
Intra Europe
Trans Pacific
North Atlantic
Asia-Europe
CIS Domestic
No. Amer.-Lat. Amer.
Europe-Lat. Amer.
Europe-Africa
Latin America
CIS International
source: Boeing CAG Current Market Outlook 1995

Commercial aircraft sector - on the rebound

[Four charts:
Average annual new aircraft investments (world fleet): billions of 1995 US $ (0 to 80) per 5-year period, 71-75 to 11-15. Source: The Boeing Co.
Retirement of aircraft: percentage retired (0 to 100) vs. age in years (20 to 35). Source: GE Capital Aviation Services
Air transport annual deliveries: number of aircraft (0 to 900) per year, 1958 to 2002, for Airbus, Boeing, McDonnell Douglas, Other. Source: Lehman Bros.
Serviceable a/c available for sale or lease: number of aircraft (0 to 1,000) per year, 1988 to 1997. Source: GE Capital Aviation Services]

ref.: A.L. Velocci: Restraint, Airline health key to stable rebound, AW&ST, Nov. 25 1996, pp. 36-38
ref.: P. Sparaco: Airbus plans increased production rate, AW&ST, Nov. 15 1996, pp. 48-50

Direct Operating Cost

[Pie chart of DOC: crew; fuel; maint.; ownership; systems, with avionics & flight contr. called out; values shown: 12-15%, 10-15%, 1/3]

Euro-regionals: 50% of DOC is beyond
control of owner/operator (fees for
landing /ATC/ground-handling + fuel)

ref.: P. Condom: Is outsourcing the winning solution?, Interavia Aerospace World, Aug. 93, pp. 34-36
ref.: 1992 ATA study of U.S. airlines

Direct Operating Cost

[Pie charts of DOC per aircraft type, split into fuel & oil; crew; maint. & o'haul; ownership (insurance, possession, etc.). 7 U.S. major carriers, all items in U.S.$ per block hour, year ending Sept. 31,'94:
737-300 ($1834/hr), 737-400 ($1797/hr), 737-500 ($1607/hr), Fokker-100 ($1661/hr), DC-9-30 ($1612/hr),
747-200/300 ($7611/hr), 747-400 ($6673/hr), DC-10-30 ($4306/hr), MD-80 ($1825/hr), MD-11 ($4530/hr),
A320 ($4530/hr), A300-600 ($3802/hr), L-1011-1/200 ($3799/hr)]

[Pie chart: Worldwide airlines avg costs (1993), with slices including landing fees etc; pax services; promo, ticketing/sales; G&A]

ref.: Air Transport World, Jan-May 1995
ref.: The guide to airline costs, Aircraft Technology Engineering & Maintenance, Oct/Nov 1995, pp. 50-58

Aircraft operating statistics

Aircraft         Number of   Speed      Flight    Fuel     Operating
Type/model       Seats       Airborne   Length    gph      Cost per hr

B747-400         398         553        4,331     3,356    $6,939
B747-100         390         520        3,060     3,490    5,396
L-1011           288         496        1,498     2,384    4,564
DC-10-10         281         492        1,493     2,229    4,261
A300-600         266         473        1,207     1,938    4,332
MD-11            254         524        3,459     2,232    4,570
DC-10-30         248         520        2,947     2,612    4,816
B767-300ER       221         493        2,285     1,549    3,251
B757-200         186         457        1,086     1,004    2,303
B767-200ER       185         483        2,031     1,392    3,012
A320-100/200     149         445        974       771      1,816
B727-200         148         430        686       1,251    2,222
B737-400         144         406        615       775      1,779
MD-80            141         422        696       891      1,793
B737-300         131         414        613       748      1,818
DC-9-50          124         369        320       893      1,901
B737-500         113         408        532       708      1,594
B737-100/200     112         387        437       800      1,757
DC-9-30          100         383        447       798      1,690
F-100            97          366        409       737      1,681
DC-9-10          72          381        439       740      1,332

all numbers are average
ref.: ATA Aircraft operating statistics - 1993, http://www.air-transport.org

Big $ numbers

life-time maintenance cost (ROM), example:

maintenance $1200/block hour
airplane life-time 60+ k hours
maintenance-over-life $75 million

- Boeing 747-400 -

ref.: Air Transport World, Jan-May 1995

Life Cycle Cost* (LCC)
* Net Present Value (NPV) of cost & benefit $-flows
Fact:
inflation corrected price-tag of airplanes
has increased over the years**
not completely offset by simultaneous
reduction in DOC
New systems & technology can only be
justified if they:
take cost out of the airplane
reduce DOC
increase revenue
** contrary to e.g. consumer electronics


Save now and save later
increased reliability
reduced size, weight, power consumption, cooling
reduced development and production time/cost
easily upgraded/updated to new engine or airframe
easily upgraded/updated to new ATC environment
reduced crew workload
contribute to on-time departure and arrival
support accurate and simple diagnostics (w/o external test eq.)
as common as possible fleet-wide for different aircraft
mature systems at entry-into-service (esp. for ETOPS out-of-the-box)
ref.: C.T. Leonard: How mechanical engineering issues affect avionics design, Proc. IEEE NAECON, Dayton, OH, 89, pp. 2043-2049

Airlines' primary product is reliable
scheduled revenue service

Schedule deviations are expensive:

departure delays (up to $10k / hour)
flight cancellation (up to $50k)
in-flight diversion (up to $45k)
in terms of pax perception: incalculable
- 50% of delays/cancellations caused by improper maintenance -
(other causes: equipment, crew, ATC*, WX, procedures, etc.)
* mid 90s cost to airlines in Eu due to ATC delays est. at $1.9-2.5B p.a.

ref.: Commercial Airline Revenue Study by GE Aircraft Engines (Jan. 88 - Jan. 92)
ref.: B. Rankin, J. Allen: Maintenance Error Decision Aid, Boeing Airliner, April-June 96, pp. 20-27

Average schedule deviation costs
- examples -

                          B737     B757     B767     B747-400
departure delays ($/hr)   $ 2k5    $ 5k0    $ 6k3    $ 9k3
flight cancellation       $ 7k6    $ 14k9   $ 18k9   $ 37k2
turn-back                 $ 5k9    $ 10k9   $ 13k8   $ 22k6
in-flight diversion       $ 7k6    $ 12k8   $ 16k1   $ 28k7

ref.: BCAG 1993 Customer Cost Benefit Model

Boeing 777 Development Cost
(engineering & labs)

[Pie chart: Systems 47 % (Hardware 30%, Software 70%; Dev. + V&V); Structures 28 %; Payloads 7%; Propulsion 7%; Misc. 6%; Aero 5%]

ref.: P. Gartz, Systems Engineering, tutorial at 13th DASC, Phoenix /AZ, Oct. 94, & 14th DASC, Boston/MA, Nov. 95
ref.: C. Spitzer, Digital Avionics - an International Perspective, IEEE AES Magazine, Vol. 27, No. 1, Jan. 92, pp. 44-45

Integrated Modular Avionics Architectures

- more than just a cabinet solution -

Integration
Modularization
Standardization
- all are key attributes of partitioning -

ref: Robinson, T.H., Farmer, R., Trujillo, E.: Integrated Processing, presented at 14th DASC, Boston/MA, Nov. 1995
ref.: L.J. Yount, K.A. Liebel, B.H. Hill: Fault effect protection and partitioning for fly-by-wire/fly-by-light avionics systems, Proc. 5th AIAA/IEEE Computers in Aerospace Conf., Long Beach/CA, 85, 10 pp.

Dependability Taxonomy

Dependability
  Attributes: Safety, Reliability, Dispatchability, Maintainability, Integrity
  Means: Fault avoidance, Fault tolerance, Fault removal, Fault forecasting
  Impairments: Faults, Errors, Failures

- dependability: degree of justifiable reliance that can be placed
on a system's delivery of correct and timely service -

ref.: Intl Federation of Information Processing Working Group on Dependable Computing & Fault Tolerance (IFIP WG 10.4)
ref.: Prasad, D., McDermid, J., Wand, I.: Dependability terminology: similarities and differences, IEEE AES Systems Magazine, Jan. 96, pp. 14-20
ref.: F.J. Redmill (ed.): Dependability of critical computer systems - 1, 1988, 292 pp., Elsevier Publ., ISBN 1-85166-203-0
ref.: A. Avizienis, J.-C. Laprie: Dependable computing: from concepts to design diversity, Proc. of the IEEE, Vol. 74, No. 5, May 86, pp. 629-638

Fault Avoidance
- prevent (by construction) faults from entering into, developing in,
or propagating through the system -

controlled, disciplined, consistent Sys. Eng. process


simplicity, testability, etc.
reduced parts count, interconnects & interfaces (integrate!)
standards, analyses, simulations, lessons-learned, V&V
partitioning (for fault containment & isolation, cert., etc.)
shielding, grounding, bonding, filtering
controlled operating environment (cooling, heatsinks, etc.)
properly select, handle, screen, and de-rate parts
test
human factors
zero-tolerance for patch work in reqs & design
etc., etc.

- must address entire product life-cycle: from inception through disposal -


Fault Tolerance
- the ability of a system to sustain one or more specified faults
in a way that is transparent to the operating environment -

achieved by adding & managing redundancy: one or
more alternate means to perform a particular function
or flight operation
goal: only independent, multiple faults and design
errors remain as reasonably possible causes of
catastrophic failure conditions
fail-passive, fail-safe, fail-active are fail-intolerant
fault tolerant does not imply highly dependable,
fault free, ignorance tolerant, or full/fool proof
ref.: J.H. Lala, R. Harper: Architectural principles for safety-critical real-time applications, Proc. of the IEEE, Vol. 82, No. 1, Jan. 94, pp. 25-40
ref.: D.P. Siewiorek, R.S. Swarz (eds.): Reliable Computer Systems, 2nd ed., Digital Press, 92, 908 pp., ISBN 1-55558-075-0
ref.: M.R. Lyu (ed.): Software fault tolerance, Wiley & Sons, 95, 337 pp., ISBN 0-471-95068-8
ref.: F.J. Redmill: Dependability of critical computer systems - 1, ITP Publ., 88, 292 pp., ISBN 1-85166-203-0
ref.: B.W. Johnson: Design and Analysis of fault tolerant systems, Addison-Wesley, 89, 584 pp., ISBN 0-201-07570-9
ref.: 25th Anniversary Compendium of Papers from Symposium on Fault Tolerant Computing, IEEE Comp. Society Press, 96, 300 pp., ISBN 0-8186-7150-5
ref.: J.C. Laprie, J. Arlat, C. Beounes, K. Kanoun, C. Hourtolle: Hardware- and software-fault tolerance: definition and analysis of architectural solutions, Proc. 17th
Symp. on Fault Tolerant Computing, Pittsburg/PA, July 87, pp. 116-121
Fault Tolerance Taxonomy

Fault Tolerance
  Redundancy
    physical, temporal, data
    Similar, Dissimilar
  Redundancy Management
    Static (Fault Masking)
      No fault reaction: no fault detection, no reconfiguration
      Examples of techniques:
        interwoven logic
        hardwired multiple hardware redundancy
        error correcting code
        majority voting (N-modular redundancy)
    Dynamic
      Fault detection
        Examples of techniques:
          comparison (cross, voter, wrap-around)
          reasonableness check (rate, range, cross)
          task execution monitor (a.k.a. Watch Dog)
          checksum, parity, error detection code
          diagnostic and built-in tests
      Fault isolation & Reconfiguration
        Active
          Examples of techniques:
            adaptive voting & signal select
            dynamic task reallocation
            graceful degradation
            n-parallel, k-out-of-n
            s/w recovery (retry, rollback)
            operational-mode switching
        Standby
          Examples of techniques:
            switch-in backup spare(s): operating (hot, shadow), non-operating (cold, flexed)
    Hybrid
      Example of techniques: pooled spares


Fault Classifications
- fault tolerance approach is driven by the number & classes of faults
to protect against, as well as by criticality and risk-exposure -

Criteria                   Fault type

Activity                   Latent vs. active
Duration                   Transient vs. permanent
Perception                 Symmetric vs. asymmetric
Cause                      Random vs. generic
Intent                     Benign vs. malicious
Count                      Single vs. multiple
Time (multiple faults)     (Near-) Coincident vs. Distinct
Cause (multiple faults)    Independent vs. common-mode

"Nothing in nature is random ... A thing appears random only through the
incompleteness of our knowledge" -- Spinoza, Dutch philosopher 1632-1677
ref.: N. Suri, C.J. Walter, M.M. Hugue (eds.): Advances in ultra-reliable distributed systems, IEEE Comp. Society Press, 95, 476 pp., ISBN 0-8186-6287
ref.: M. Hugue: Fault Type Enumeration and Classification, ONR-910915-MCM-TR9105, Nov. 1991, 26 pp.

Redundancy

Attributes:
form (physical, temporal, performance, data,
analytical)
similarity/diversity*
level of replication
physical distribution within a/c
allocation along end-to-end path
configuration (grouping & interconnects)
redundancy management concept (static, dynamic)
- more resources than required for fault-free single-thread operation -
* Notes:
- dissimilarity's power is based on assumption that it makes simultaneous common-mode (generic) faults extremely improbable
- dissimilarity does not reduce the probability of simultaneous random faults
- dissimilarity provides little advantage against common-mode environmental faults (EMI, temp/vibe, power)
- dissimilarity allows shift away from proving absence of generic faults, to demonstrating ability to survive them (cert. level!)
- dissimilarity of design drives source of faults back to (common) requirements and system architecture
- dissimilarity is fault avoidance tool, as long as independence is not compromised when fixing ambiguities or divergence

Higher reliability
- will it make a difference in airline maintenance? -

frequent cause of maintenance today is not avionics LRUs, but
interconnects, sensors and actuators (as much as 60%)
improving MTBUR* more important than increasing MTBF (goal:
MTBUR/MTBF ratio 1)

complete system forms a chain: high-rel is required at system level,
not just at box level
MTBF & MTBUR may lead to Avionics By The Hour:
concept: operator leases equipment, only pays for actual hours flown
avionics mfr needs this too: sells fewer spares → (much) less profit
* unit pulls on maintenance alert only, not
to rotate/cannibalize/swap within a fleet
- keep the good part on the plane -
ref.: P. Seidenman, D. Spanovich: Building a Better Black Box, Aviation Equipment Maintenance, Feb. 95, pp. 34-36
ref.: D. Galler, G. Slenski: "Causes of Electrical Failures," IEEE AES Systems Magazine, August 1991, pp. 3-8
ref.: M. Pecht (ed.): Product reliability, maintainability, and supportability handbook, CRC Press, 95, 413 pp., ISBN 0-8493-9457-0
ref.: M. Doring: Measuring the cost of dependability, Boeing Airliner Magazine, Jul-Sep 94, pp. 21-25

Basic ways to increase system reliability

higher intrinsic reliability (components)


fault avoidance (entire life-cycle)
fault tolerance
redundant architecture*
reconfigurable architecture (LRU failure typ. only involves single component)
at box level module level chip level (with full BIT on-die)
integration:
reduce on-board & off-board interconnects: weakest link in
the reliability chain
share resources (reduce duplication)
* redundancy may increase availability, but at
same time increases prob. that redundant
copies are inconsistent/diverge

- towards reliability of the wiring (exc. connectors) -


N-Parallel Redundancy

[3-D plot: System Reliability (0 to 1) as a function of Operating time (hrs; 20k (=MTBF), 40k, up to 100k) and Number of redundant units (1, 3, 5, 10, 15)]

Example:
λunit = 5 x 10^-5 /h
MTBFunit = 20,000 hrs

- brute force: inefficient to achieve very high system reliability -


N-Parallel Redundancy

[3-D plot: System Reliability (0 to 1) as a function of Operating time (hrs; 20k (=MTBF), 40k, up to 100k) and Number of redundant units (1, 3, 5, 10, 15); the Desired region is marked at System Reliability 0.9 - 0.95 for operating times of 60k to 100k hrs]

Example:
λunit = 5 x 10^-5 /h
MTBFunit = 20,000 hrs

- goals: low cost & low redundancy but high rel. & safety -


MTTF as function of redundancy level
MTTFn-parallel ln(n) x MTTFunit

[Plot: MTTFn / MTTF1 (0 to 3) vs. Number of Parallel units (1 to 15); annotations: from n=1 to 2: 0.5; practical limit]
(curves do not account for rel. penalty of complexity)

- diminishing returns -


Parallel redundancy for system reliability

[Plot, log-log scale: F2-out-of-N(t) / F2-out-of-2(t) (10^-7 to 10^0) vs. t / MTTFunit (0.001 to 10), with curves for N=2 (ratio = 1), N=3 and N=4]

- adding redundancy is only effective for t << MTTFunit -


Redundancy
Note: curves are for fail-passive configs, except those shown for simplex, cube, and n-parallel

[Plot: Rconfig(t) (0 to 1.0) vs. t / MTTFunit (0 to 3), with R = 0.5, R = 1/e and t = MTTFunit marked; curves: simplex, dual, triplex, quad, dual-dual, dual-triplex, dual-quad, 2-parallel, 3-parallel, 4-parallel, cube]

- fault-tolerant configs exhibit s-curve reliability -


System architecture and design decisions ........

[Cartoon: MOTHER GOOSE & GRIMM]


Redundancy
- redundancy for fault-tolerance
and extended system reliability -

[Plot: Rconfig(t) (0 to 1.0) vs. t / MTTFunit (0 to 3), with R = 0.5, R = 1/e and t = MTTFunit marked, and the region of practical use highlighted; curves: simplex, dual, triplex, quad, dual-dual, dual-triplex, dual-quad, 2-parallel, 3-parallel, 4-parallel, cube]

Redundancy

[Plot: Rconfig(t) (0.8 to 1.0) vs. t / MTTFunit (ticks at 0.5 and 1.0); curves: simplex, dual, triplex, quad, dual-dual, dual-triple, dual-quad, 2-p, 3-p, 4-p, cube]

- region of practical use, enlarged -


Relative MTTF of various configurations
Simplex
Dual
Triplex
Quad
Dual-Dual
Dual-Triplex
Dual-Quad
Triple-Dual
Quad-Dual
Triple-Triple
2-Parallel
3-Parallel
4-Parallel
Cube
[Bar chart: relative MTTF per configuration]

note: MTTFs solely based on time-integration of reliability funct., and do not reflect system complexity; Markov analysis may give different result.

Mission times of several configurations

Simplex
Dual
Triplex
Quad
Dual-Dual
Dual-Triplex
Dual-Quad
Triple-Dual
Quad-Dual
Triple-Triple
2-Parallel
3-Parallel
4-Parallel
Cube

[Bar chart, three bars per configuration: Time-to-R = 0.997; Time-to-R = 0.95; Time-to-R = 0.5 (Median TTF)]


Cube configuration concept
note: output wraparounds not shown

[Three lane diagrams: 3-parallel; cube (increased number of paths through the system); optimized cube (if no single-thread ops., then don't need 3 output modules)]

- use resources more efficiently: do not discard entire lane if only part fails -

ref.: M. Lambert: Maintenance-free avionics offered to airlines, Interavia, Oct. 88, pp. 1088-

Integration is necessary because....

Increase operational effectiveness via integration of
information (e.g., safety)
Must work smarter, not harder:
system reliability increases only slowly as redundancy level increases:
ln(n)
above n = 3, adding redundancy is not effective
brute force will not get us there

Unit-reliability is more powerful than redundancy
level in achieving high system reliability

- Fit-and-forget system reliability (based on conventional redundancy)
implies units with reliability of today's components ( 10^-7/h)
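
Added example (not part of the original slides): the arithmetic behind the redundancy claims above, for k-out-of-n active redundancy. It assumes identical, independent units with a constant failure rate, perfect voting/switching and no repair; the function names are ours, and 2-out-of-3 voting is used as a simple model of a voted triplex. For n-parallel units the exact MTTF factor is the harmonic sum 1 + 1/2 + ... + 1/n, which grows like ln(n).

```python
"""Added example: reliability of k-out-of-n redundancy (not from the slides).

Assumptions: identical, independent units, constant failure rate
(exponential lifetimes), perfect voting/switching, no repair.
"""
from math import comb, exp, log

MTBF_UNIT = 20_000.0   # hrs, the unit MTBF used in the slides' example
AC_LIFE = 60_000.0     # hrs, lower end of the a/c life quoted in the slides


def unit_reliability(t, mttf_unit):
    """R(t) = exp(-t / MTTF) for one unit with constant failure rate."""
    return exp(-t / mttf_unit)


def k_of_n_reliability(k, n, t, mttf_unit):
    """Probability that at least k of n units still work at time t.

    k=1 is n-parallel; k=2, n=3 is majority voting.
    """
    r = unit_reliability(t, mttf_unit)
    return sum(comb(n, i) * r**i * (1 - r) ** (n - i) for i in range(k, n + 1))


def k_of_n_mttf(k, n, mttf_unit):
    """MTTF = integral of R(t) dt = MTTF_unit * sum(1/i for i = k..n)."""
    return mttf_unit * sum(1.0 / i for i in range(k, n + 1))


def time_to_reliability(k, n, target, mttf_unit):
    """Mission time at which system reliability has dropped to `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    lo, hi = 0.0, mttf_unit
    while k_of_n_reliability(k, n, hi, mttf_unit) > target:
        hi *= 2.0
    for _ in range(200):  # bisection: R(t) decreases monotonically with t
        mid = (lo + hi) / 2.0
        if k_of_n_reliability(k, n, mid, mttf_unit) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def min_parallel_units(target, t, mttf_unit, max_units=10_000):
    """Smallest n for which n-parallel units reach `target` at time t."""
    q = 1.0 - unit_reliability(t, mttf_unit)  # unreliability of one unit
    for n in range(1, max_units + 1):
        if 1.0 - q**n >= target:
            return n
    return None


def required_unit_mttf(target, t):
    """Unit MTTF a single (simplex) unit needs to reach `target` at time t."""
    return -t / log(target)


if __name__ == "__main__":
    print("n  MTTF(n-parallel)/MTTF(unit)  ln(n)")
    for n in (1, 2, 3, 5, 10, 15):
        print(f"{n:<3d}{k_of_n_mttf(1, n, 1.0):<29.3f}{log(n):.3f}")

    n_needed = min_parallel_units(0.95, AC_LIFE, MTBF_UNIT)
    mttf_needed = required_unit_mttf(0.95, AC_LIFE)
    print(f"\nR = 0.95 at {AC_LIFE:.0f} hrs with {MTBF_UNIT:.0f}-hr units:")
    print(f"  brute force: {n_needed} parallel units")
    print(f"  or one unit with MTTF {mttf_needed:,.0f} hrs "
          f"({1.0 / mttf_needed:.1e} /h)")

    print("\n2-out-of-3 voting vs. simplex:")
    print(f"  MTTF ratio: {k_of_n_mttf(2, 3, 1.0):.3f}")
    for frac in (0.1, 0.5, 1.0):
        t = frac * MTBF_UNIT
        print(f"  t = {frac:.1f} x MTTFunit: "
              f"simplex {unit_reliability(t, MTBF_UNIT):.4f}, "
              f"2-of-3 {k_of_n_reliability(2, 3, t, MTBF_UNIT):.4f}")
```

With the slides' 20,000-hr unit, brute-force parallelism needs 59 units to hold R = 0.95 over a 60k-hr life, while a single unit needs a failure rate below 10^-6/h; a 2-out-of-3 arrangement has a lower MTTF than one unit yet is more reliable for missions shorter than about 0.69 x MTTFunit.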


Integration of what?
hardware, software, mechanical elements
data buses, RF apertures
related, interacting, closely associated, similar functions
& controls (reduce duplication)
distributed information
e.g., fusion for more meaningful pilot info (smart alerting, EMACS)
e.g., improve performance (flight + thrust control, ECS)
displays, controls, LRUs (esp. single-thread)
BIT
increase fault isolation accuracy
reduce NFF/CND/RETOK* from 50% to < 10%
organizations, people
entire aviation system
* ATA est. NFF cost to US airline industry $100M p.a., avg $800 per removal (labor, shipping, sparing)

ref.: P. Gartz: Trends in Avionics Systems Architecture, presented at the 9th DASC, Virginia Beach/VA, Oct. 90, 23 pp.
ref.: Avionics Systems Eng. & Maint. Committee (ASEMC) of the Air Transport Assn (ATA)
ref.: Avionics Magazine, Feb. 1996, p. 12

Integration trend: Multi-Mode Receiver (MMR)

ICAO philosophy change (Comm/Ops meeting,
Montreal 95):
from: single-system (e.g., VOR/DME) standard,
ensuring int'l uniformity & compatibility
to: standardizing on 3 quite different approach
aids (ILS, MLS, GNSS*)
so: CAAs, airports, operators free to choose one
or more
and: world aviation authorities should promote
the use of Multi-Mode Receivers (MMRs) or
equivalent avionics
* ICAO: GNSS > GPS (e.g., GNS+GLONASS, to ensure complete redundancy, esp. in landing ops.)

ref.: W. Reynish: Three systems, One standard?, Avionics Magazine, Sept. 95, pp. 26-28
ref.: D. Hughes: USAF, GEC-Marconi test ILS/MLS/GPS receiver, AW&ST, Dec. 4 95, pp. 96
ref.: R.S. Prill, R. Minarik: Programmable digital radio common module prototype, Proc. 13th DASC, Phoenix/AZ, Nov. 94, pp. 563-567
ref.: ARINC-754/755 (analog/digital MMR), ARINC-756 (GNLU)

Integration trend

[Chart: from LRUs to System On Chip]

1970s: total ~ 10^-2; point-to-point analog interconnect; single-thread systems; system level redundancy
1980s: total ~ 10^-4; ARINC-429 digital bus between LRUs; single-thread LRUs; box level redundancy
1990s: total ~ 2x10^-5; ARINC-629 digital data comm. between systems, ARINC-659 backplane bus between LRMs; fault tolerant LRUs; card level redundancy
2000-2010: total ~ 10^-7; high-speed fiber optic interconnect; fault tolerant cards; chip level redundancy

ref: BCAC/J. Shaw

Integration issues
integrated system is not a package deal
airline:
no more option to pick favorite supplier for each federated LRU
but gets improved availability, reduced sparing & LCC

as levels of (functional) integration increase more stringent
availability & integrity reqs than for more distributed
implementation
if integration requires fault-tolerance (= redundancy), some of the
gains from reduced duplication are lost
compared to conventional LRUs, cabinet/LRM solutions pose
challenge to effective shielding/bonding for EMI/Lightning
protection
partitioning provides change/growth flexibility: only re-certify
changed areas


Integration issues (cont'd)

loss of a shared resource affects multiple functions potential for
single-point/common-mode failure due to contaminated data flow,
control flow, resource:
fault tolerance required to meet availability & integrity reqs
partitioning must be part of architecture and independent of application
software
increased importance of FMEA, FHA, etc.
mixed levels of criticality: certify at highest level, or certify the
partitioning protection.
criticality of the whole may be higher than that of stand-alone
parts due to effects of loss (3x essential critical ?)
technology readiness (risk): development of fault-tolerant integrated
architectures drives a/c level schedules (be mature at a/c program go-ahead)



Fault Tolerance for Safety, Reliability, Dispatchability:

[Cartoon: Larson]

NO unpleasant surprises!


FAA/JAA Hazard Severity Classification

Failure Condition Classification* and effect of failure condition on aircraft and occupants:

Catastrophic
  Prevents continued safe flight and landing
  Loss of aircraft
  Multiple deaths
Hazardous / Severe-Major
  Large reduction in safety margins or functional capabilities
  Difficult for crew to cope with adverse operating conditions, and
  cannot be relied upon to perform tasks accurately & completely
  Some passengers seriously injured (potentially fatal)
Major
  Significant reduction in safety margins or functional capabilities
  Significant increase in crew workload or conditions impairing
  crew efficiency
  Some passengers injured
Minor
  Slight reduction of safety margins or functional capabilities
  Slight increase in crew workload, well within capabilities
  Operational limitations, diversions, flight plan changes
  Inconvenience to passengers
No Effect
  No effect on operational capability of aircraft
  No increase in crew workload
  Concern, nuisance

FAR/JAR 25-1309, AC25.1309-1A
* determined by performing Funct. Hazard Assess. (FHA)
- hazard severity: worst credible known/potential consequence of mishap -


FAA/JAA Probability Ranges

Quant. Prob. | JAR* Qualitative (AMJ 25.1309) | FAR* Qualitative (AC 25.1309-1A) | Qualitative Probability
1 to 10^-3 | Frequent | Probable | several times during operational life of each airplane
10^-3 to 10^-5 | Reasonably Probable | Probable | several times during operational life of each airplane
10^-5 to 10^-7 | Remote | Improbable | occasionally during total operational life of all airplanes of particular type
10^-7 to 10^-9 | Extremely Remote | Improbable | occasionally during total operational life of all airplanes of particular type
10^-9 to 0 | Extremely Improbable | Extremely Improbable | not expected to occur in entire fleet operational life

* FAR & JAR are being harmonized
- qualitative and quantitative -


FAA/JAA Criticality Index

Hazard Probability | Critical (A) | Essential (B) | Non-Essential (C)
Probable | Unacceptable | Unacceptable | Acceptable
Improbable | Unacceptable | Conditionally Acceptable | Acceptable
Extremely Improbable | Acceptable unless single failure | Acceptable unless single failure | Acceptable

Equipment Category:
Critical (A): failure contributes to, or causes a failure condition which would prevent continued safe flight and landing
Essential (B): failure contributes to, or causes a failure condition which would significantly impact airplane safety or crew ability to cope with adverse operating condit.
Non-Essential (C): failure would not contribute to, or cause a failure condition which would significantly impact airplane safety or crew ability to cope with adverse condit.

- allowed combinations of hazard severity and probability -


FAA/JAA Hazard Index

Failure Condition Classification | System Design Assurance Level | Failure Probability Objective | Fail-safe | Single-point Failures
Catastrophic | A | extremely improbable | required | precluded
Hazardous / Severe-Major | B | extremely remote | may be required | no requirement
Major | C | remote | may be required | no requirement
Minor | D | none | not required | no requirement
No Effect | E | none | not required | no requirement

FAR/JAR AC/AMJ 25.1309, DO-178B, DO-180, ARP 4754
- hazard: potential/existing unplanned condition that can result in death, injury, illness, damage, loss -
ref.: H.E. Roland, B. Moriarty: System safety engineering and management, 2nd ed., Wiley & Sons, 90, 367 pp., ISBN 0-471-61816-0
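
The Hazard Index and probability-range slides above, applied to a redundant architecture. This is an added example, not part of the original slides: it assumes the probability bands are per flight hour, independent channels with a constant failure rate, and constructed rates and flight time; it shows how a shared resource turns an otherwise acceptable triplex design into a single-point failure.

```python
from dataclasses import dataclass
from math import comb, expm1

# Hazard Index rows as on the slide: classification ->
# (design assurance level, probability objective, single-point failures precluded)
# Objectives are read as "per flight hour" (assumption, the slide gives no unit).
HAZARD_INDEX = {
    "catastrophic": ("A", 1e-9, True),    # extremely improbable
    "hazardous":    ("B", 1e-7, False),   # extremely remote
    "major":        ("C", 1e-5, False),   # remote
    "minor":        ("D", None, False),   # no probability objective
    "no effect":    ("E", None, False),
}

# JAR qualitative bands from the probability slide: (lower edge, name)
JAR_BANDS = [
    (1e-3, "frequent"),
    (1e-5, "reasonably probable"),
    (1e-7, "remote"),
    (1e-9, "extremely remote"),
]


def jar_band(p_per_hour):
    """Map a quantitative probability to its JAR qualitative term."""
    for lower_edge, name in JAR_BANDS:
        if p_per_hour > lower_edge:
            return name
    return "extremely improbable"


def loss_per_flight_hour(n, m_required, rate, hours, shared_rate=0.0):
    """Average probability per flight hour of losing an m-out-of-n function.

    Assumptions (not from the slides): channels fail independently at a
    constant `rate` per hour and are fault-free at dispatch; an optional
    shared resource (power, bus, backplane) fails at `shared_rate` per hour
    and takes all channels with it.
    """
    q = -expm1(-rate * hours)                  # P(one channel fails in flight)
    tolerated = n - m_required                 # channel losses the function survives
    p_channels = sum(comb(n, k) * q**k * (1 - q) ** (n - k)
                     for k in range(tolerated + 1, n + 1))
    p_shared = -expm1(-shared_rate * hours)    # P(shared resource fails in flight)
    p_flight = p_channels + p_shared - p_channels * p_shared
    return p_flight / hours


@dataclass
class Verdict:
    level: str            # design assurance level A..E
    p_per_hour: float
    band: str             # JAR qualitative term for p_per_hour
    single_point: bool    # can one failure alone cause the condition?
    acceptable: bool


def assess(classification, n, m_required, rate, hours, shared_rate=0.0):
    """Check an architecture against the Hazard Index row of its failure condition."""
    level, objective, no_single_point = HAZARD_INDEX[classification]
    p = loss_per_flight_hour(n, m_required, rate, hours, shared_rate)
    single_point = (n == m_required) or shared_rate > 0.0
    meets_probability = objective is None or p <= objective
    meets_single_point = not (no_single_point and single_point)
    return Verdict(level, p, jar_band(p), single_point,
                   meets_probability and meets_single_point)


if __name__ == "__main__":
    # Constructed inputs: failure rates per hour and a 1.5 h flight.
    cases = [
        ("catastrophic", dict(n=3, m_required=1, rate=1e-4, hours=1.5)),
        ("catastrophic", dict(n=3, m_required=1, rate=1e-4, hours=1.5,
                              shared_rate=1e-6)),
        ("hazardous",    dict(n=2, m_required=1, rate=1e-4, hours=1.5)),
        ("major",        dict(n=1, m_required=1, rate=1e-6, hours=1.5)),
    ]
    for classification, arch in cases:
        print(classification, arch, assess(classification, **arch))
```

The second case fails on both counts: the shared resource dominates the probability and is itself a single-point failure, which the Catastrophic row precludes.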
Don't worry!
Nothing can go wrong ....
go wrong.....
go wrong....

Hal, 2001: A Space Odyssey


Electro-Magnetic Interference (EMI) - sources
RADIO FREQUENCY: Aircraft radios, AM/FM radio, TV stations, Ground radar
PERSONAL ELECTRONIC DEVICES: cell phones, laptop PCs, CD players, games
LIGHTNING
ELECTRONIC UNIT & WIRING (CONDUCTED EMISSIONS, RADIATED EMISSIONS): Switching regulators, Computer clock & data, Analog signal coupling
HUMAN ELECTRO-STATIC DISCHARGE
POWER DISTURBANCE: Aircraft power 400 Hz E/M, Bus switching, Inductive load switching
- average EMI incident occurrence rate 5x10^-3 per flight -
ref.: Clarke, C.A., Larsen, W.A.: Aircraft Electromagnetic Compatibility, DOT/FAA/CT-86/40, June 1987
ref.: Shooman, L.M.: A study of occurrence rates of EMI to aircraft with a focus on HIRF, Proc. DASC-93, pp. 191-194
ref.: RTCA Document DO-233 Portable Electronic Devices Carried On Board Aircraft, Aug. 96
Graphics adapted from: J.A. Schofield: European standards shine spotlight on EMI, Design News, 9-25-1995, pp. 58-60

EMC: Electro-Magnetic Compatibility
increased EMI-susceptibility of electronic devices:
  integration: higher chip density; (deep) sub-micron feature sizes
  reduced operating voltages
  lower levels of energy cause upsets
increased reliance on digital computers (for flight-critical functions) that contain EMI-susceptible devices
higher clock speeds:
  reduced susceptibility: PCB tracks become transmission lines
  but absolute bandwidth for decent signal shapes goes up (10 x fc)
  though bandwidth pushed into range with fewer x-mitters (civil)
continued proliferation of EM transmitters (incl. PEDs), and increase in EM power
reduced inherent Faraday-cage protection: increasing amounts of non-metallic airframe sections
ref.: C.A. Clarke, W.E. Larsen: Aircraft Electromagnetic Compatibility, Feb. 89, 155 pp., DOT/FAA/CT-88/10; same as Chapt. 11 of Dig. Systems Validation Handbook Vol. II
ref.: G.L. Fuller: Understanding HIRF - High Intensity Radiated Fields, Avionics Comm. Publ., Leesburg/VA, 95, 123 pp., ISBN 1-885544-05-7
ref.: M.L. Shooman: A study of occurrence rates of EMI to aircraft with a focus on HIRF, Proc. 12th DASC, Seattle/WA, Oct. 93, pp. 191-194

Requirements Taxonomy

Requirements
Mission Availability Maintenance
Safety Functionality Cost
Reliability Performance Certificability
Dispatchability Operational etc.

Req's for Fault Avoidance Req's for Fault Tolerance Req's for Integrity Checks
(incl. Containment)
and Robustness Req's for Redundancy

Req's for Redundancy Management


Fault masking
Fault detection
Fault isolation
Fault recovery
etc.



Modularity issues
modularization decreases the size of the Line Removable Item from LRU box to LRM module
flexibility: add or remove functions and hardware
flexibility: change architecture (configure & reconfigure)
permits management of obsolescence: piece-meal update on modular basis, as technology & economics justify
reconfigurability, expansion to meet future needs by adding modules
facilitates fault tolerance (N+1 redundancy)
- module = building block -


Standardization issues
generic, can be used across variety of functions
economies of scale (production volume, recurring cost)
fewer unique designs and parts, re-use
fewer part numbers: m
1/k NS N
. m!
smaller number of spares: PLk i t = exp(-N)m=0
spares acquisition (may be higher) & holding cost
logistics, supportability
documentation, configuration management
training, test equipment
overkill penalty for being universal (must support highest system reqs -> higher design assurance level)
- standardization ~ commonality -


Typical stand-alone LRU
Hardware Resources
  Common: Processor core, Memory, Common I/O *, BIT hardware, Power supply, Chassis
  Unique: Unique I/O *
Software Resources
  Common: Operating System, I/O processing and monitoring, BIT and Maint. functions
  Unique: Application, Unique BIT
* with EMI protection
ref.: M.J. Morgan: Integrated Modular Avionics for Next-Generation Commercial Aircraft, IEEE AES Systems Magazine, Aug. 91, pp. 9-12
ref.: D. Hart: Integrated Modular Avionics - Part I - V, Avionics, May-Nov. 1991

Integration of multiple LRUs
[Figure: LRU-1, LRU-2 and LRU-3, each with standard and common hardware and software functions plus unique functions -> INTEGRATION -> one unit with shared resources]
Hardware Resources: Processor Core, Memory, Shared I/O *, BIT hardware, Power Supply, Chassis, plus Unique I/O * per application
Software Resources: Operating System, I/O processing & monitoring, BIT and Maint. functions, plus Application-1, -2, -3, each with its Unique BIT


Integration of multiple LRUs
[Same figure as on the previous slide]
standardize via end-to-end digitalization from sensors to actuators


Integration & Modularization
LRUs interact -> interconnects
Integration of LRUs -> fewer interconnects:
  connectors (failure prone and very expensive if high pin-count)
  wiring (weight)
  communication h/w at both ends
  communication s/w at both ends


Integration & Modularization
LRU integration reduces overlap/duplication of h/w and s/w functions:
  processor core
  I/O (un)formatting
  input signal monitoring & selection
  parameter derivation
  hardware monitoring
  EMI/Lightning protection
  power supply
  fault reporting, maintenance, BIT


Effect of integrating additional functions - exercise
[Two blank work tables, "IMA enclosure + 1st application" and "Each additional application", each comparing Federated with Integrated on a scale -- - + ++]
Rel. software complexity (Federated): O/S 5%, I/O 20%, Maint. 10%, BIT 20%, Appl. 45%, Total 100%
Rel. hardware cost (Federated): CPU 15%, I/O 20%, Power 10%, Bus 30%, Chass. 25%, Total 100%


Effect of integrating additional functions - (gu)es(s)timates

Federated Integrated Federated Integrated

Rel. software complexity


Rel. software complexity
+50%
O/S 5% same 7% O/S 5% half
I/O 20% +30% 20% I/O 20% half 10%
Maint. 10% same 13% Maint. 10% 5%
BIT 20% same 25% BIT 20% same
Appl. 45% 45% Appl. 45% 45%
Total 100% 110% Total 100% 60%
+2/3

Rel. hardware cost


Rel. hardware cost
CPU 15% same 25% CPU 15% -1/4
I/O 20% double 20% I/O 20% half 15%
Power 10% double 20% Power 10% 5%
Bus 30% +20% 60% Bus 30% -80%
Chass. 25% 30% Chass. 25% 5%
Total 100% 155% Total 100% 25%
IMA enclosure + 1st application Each additional application

source: BCAG (adapted)


Effect of integrating additional functions - (gu)es(s)timates
assumes integration of related functions of equal size & complexity; 25% error margin
[Bar charts, Federated vs. Integrated]
IMA enclosure + 1st application: rel. hardware cost 100% vs. 155%; rel. software complexity 100% vs. 110%
Each additional application: rel. hardware cost 100% vs. 25%; rel. software complexity 100% vs. 60%
source: BCAG (adapted)
- the more you integrate, the better -

Advantages of integrating additional functions
assumes integration of related functions with equal size/complexity
[Two plots: normalized hardware cost and normalized software size (scale 1-10) vs. number of system functions (1-10); Federated and Integrated curves, each with 25% error bar]
- not effective if only integrating 2 or 3 functions -
source: BCAG (adapted)


Well..
assumes integration of related functions with equal size/complexity
[Same two plots: normalized hardware cost and normalized software size vs. number of system functions; Federated and Integrated curves]
- ??????????? - Cost of cert., partitioning, config mgt


Integration & Modularization
Modularization reduces duplication of product development effort:
  specification
  design
  integration and test
  qualification
  V&V, certification
  part numbers
  time-to-market
  program risk
  $$$


Integration & Modularization
Other factors:
Natural tendency: trend towards more interaction & coordination between systems (flight & thrust control, safety, com/nav, etc.)
sub-optimal use of (now) distributed data/knowledge
NFF/CND/RETOK, MTBUR/MTBF typically at 50%
FANS (com/nav/surveillance)


A historical note
Modular electronics dates back to several German military radios of the late 1930s!
  modules
  chassis with backplane
  standardization of parts
  BIT
- reasons: technical, logistical, maintenance, and manufacturing -
ref.: H.-J. Ellissen: Funk- u. Bordsprechanlagen in Panzerfahrzeugen Die deutschen Funknachrichtenanlagen bis 1945, Band 3, Verlag Molitor, 1991, ISBN 3-928388-01-0
ref.: D. Rollema: German WW II Communications Receivers - Technical Perfection from a Nearby Past, Part 1-3, CQ, Aug/Oct 1980, May 1981
ref.: A. O. Bauer: Receiver and transmitter development in Germany 1920-1945, presented at IEE Intl Conf. on 100 Years of Radio, London, Sept. 1995

German WW II radios
Modules:
  die-cast Alu-Mg alloy module* for each stage
  completely enclosed & shielded, with internally shielded compartments
  generously applied decoupling (fault avoidance)
  mechanically & electrically very stable
  easily installed/removed w. 90° lock-screws (maint.)
  simple (manufacturability: strategically distributed, no high skills)
* from mid-1943 on, only Goering's Luftwaffe got Alu; Army/Navy got Zn alloy
ref.: Telefunken GmbH: Luftboden-Empf-Programm 2-7500 m für die Bodenausrüstung der deutschen Luftwaffe, Berlin, May 1941

German WW II radios
Chassis and Backplane:
  modules plug into chassis
  motherboard / backplane module (E52 Köln receiver, 1943)
  3-D arrangement
  assy slides into sturdy (!) cabinet


German WW II radios

Receiver standardization:
40 kHz - 150 MHz covered with 4 radios
with identical form, fit, operation
Parts standardization:
1 or 2 standard types of tubes per radio
Lorenz Lo 6 K 39a: 6x RV12P2000
Telefunken Kw E a: 11x RV2P800
FuSprech. f.: 6x RV12P2000 + 1x RL12P10 (RX),
and 1x RV12P2000 + 2x RL12P10 (TX)
tricky circuitry

- spares logistics, test equipment -


German WW II radios
BIT:
  switchable meter for V_anode & I_anode of each radio stage, and for filament voltage
  noise generator to measure RX sensitivity
  pass/fail, minimum serviceability markings
- simple line maintenance -


Modular Electronics: Not a New Concept!
Modular construction
Lorenz E 10 aK (11x RV12P2000)
photo: courtesy Foundation Centre for German Communication & Related Technology 1920-1945, Amsterdam/NL, A.O. Bauer

Modular Electronics: Not a New Concept!
- backplane module Bu 3 from Telefunken E 52 Köln (1939-1945) -
photo: courtesy Foundation Centre for German Communication & Related Technology 1920-1945, Amsterdam/NL, A.O. Bauer

Modular Electronics: Not a New Concept!
Telefunken E 52a Köln
ref.: Telefunken GmbH: Luftboden-Empf-Programm 2-7500 m für die Bodenausrüstung der deutschen Luftwaffe, Berlin, May 1941

IMA - Integrated Modular Avionics

LRUs

LRMs

- the basic idea -


IMA - Integrated Modular Avionics
Level-1: LRUs re-packaged into LRMs
Level-2: databus integration and partitioning
Level-3: all digital, global databuses
Level-4: functional integration at LRM level
Level-5: dynamic task allocation & reconfig.
- a range of concepts and configurations -
(no hard distinction between levels)
ref.: R.J. Stafford: IMA cost and design issues, Proc. 6th ERA Avionics Conf., London/UK, Dec. 92, pp. 1.4.1-1.4.10

IMA Level-1
LRUs re-packaged as LRMs in cabinet(s):
  several types of standardized I/O modules (mix of analog/discrete/digital)
  external input data-concentrators
  standard computational module
  integration only of power-supplies (shared)
  no functional integration (LRUs mapped 1:1)
  no new interactions (certification!)
  ARINC-429 links between LRMs retained
  ARINC-429 links between cabinets


IMA Level-2 & -3
Level-2: databus integration and partitioning
  non-A429 inter-LRM communication
  broadcast databus
  separation of application s/w and OS
  standard OS (facilitates aps. s/w modularity)
Level-3: all digital, global databuses
  fully digital I/O at cabinet level, possibly with external data concentrators
  data gateway modules to global bus networks
  remote electronics: digitization close(r) to sensors & actuators


IMA Level-4 & -5
Level-4: functional integration at LRM level
multi-function computational LRMs
more functions integrated (toward supra-function IMA)
strict partitioning
standard interfaces (towards F3I)
improved BIT
fault tolerance
Level-5: dynamic task allocation & reconfig.
flexibility
more efficient h/w resource utilization
certification


IMA cost indicators and prediction
LCC cost drivers (RC & NRC):
  design & development cost & risk
  hardware, mechanical, data/signal interconnects, power interconnects
  use of standard components, OS, complexity
  certification aspects
  re-usability (future savings)
  weight/size/power/cooling
  installation
  maintenance, support (NFF, spares, rel., org.)
  etc.
- IMA does not have an intuitively obvious bottom line advantage -


Major Areas of Systems Integration
Flight & Propulsion Control
Communication & Navigation
VMS Utility Systems
Safety Systems
Pax Services*
* Entertainment, Info, Telecom, Sales, Banking, etc.
Flying: Aviate, Navigate, Communicate (and have some fun ...)


Functional Integration
[Block diagram: ATC/ATM, FMS, AT, FADEC, AP/AL, FD, FBW Prim. FC, FBW Sec. FC, SERVOS]
- inner & outer control loops -


Functional Integration
[Same block diagram, shown in three builds]
- center of integration depends on avionics mfr's forte -


Integration of CatIII Autoflight Computers
Airbus AFCS example: 1 analog and 3 digital generations
A300 (14 computers): N1 Limit x1, Auto Throttle x1, Test Computer x2, Pitch Trim x2, Yaw Damper x2, Logic Computer x2, Longitudinal Computer x2, Lateral Computer x2
A310, A300-600 (7 computers): TCC x1, FMC x2, FAC x2, FCC x2
A320 (4 computers): FAC x2, FMGC x2
A330/340 (2 computers): FMGEC x2
ref.: Is new technology a friend or foe?, editorial in Aerospace World, April 1992, pp. 33-35

Integrated Flight & Thrust Control Systems
Examples:
  Modular Flight Control & Guidance Computer (EFCS by BGT/Germany)
  Propulsion Controlled Aircraft (PCA) (MDC/NASA, Boeing)
  Towards multi-axis thrust vectoring (civil) (NASA-LaRC, Calcor Aero Systems, Aeronautical Concept of Exhaust Ltd.)
ref.: E.T. Raymond, C.C. Chenoweth: Aircraft flight control actuation system design, SAE, 93, 270 pp., ISBN 1-56091-376-2
ref.: Hughes, D., Dornheim, M.A.: United DC-10 Crashes in Sioux City, Iowa, Aviation Week & Space Technology, July 24, 1989, pp. 96-97
ref.: Dornheim, M.A.: "Throttles land "disabled" jet," Aviation Week & Space Technology, September 4, 1995, pp. 26-27
ref.: Devlin, B.T., Girts, R.D.: "MD-11 Automatic Flight System," Proc. 11th DASC, Oct. 1992, pp. 174-177 & IEEE AES Systems Magazine, March 1993, pp. 53-56
ref.: Kolano, E.: Fly by fire, Flight International, 20 Dec. 95, pp. 26-29
ref.: Norris, G.: Boeing may use propulsion control on 747-500/600X, Flight Intl, 2-8 Oct. 1996, p. 4
ref.: Engine nozzle design - a variable feast?, editorial in Aircraft Technology Engineering & Maintenance, Oct./Nov. 1995, pp. 10-11

Modular Flight Control & Guidance Computer
A320 "baseline": ELAC, SEC, FMGC (FMC, FGC), FAC, SFCC, FCDC
-> integration ->
"50-100 Pax", high-end BizAv: FMC (Flight Mgt), FCGC (FC/FG)
All Airbus LRUs: dual internal, dissimilar s/w
A330/340: 3x FCPC, 2x FCSP, replacing ELACs & SECs
ref.: D. Brière, P. Traverse: Airbus A320/330/340 electrical flight controls - a family of fault tolerant systems, Proc. 23rd FTCS, Toulouse/F, June 93, pp. 616-623

Modular Flight Control & Guidance Computer

ELAC

SEC
FMGC
FM C FGC FAC FM C FCGC

SFCC Flight Mgt: FC/FG total:


12 MCU
2 cabinets
Autoflight Flight Ctrl: FCDC = 12 LRMs, 4 PSMs
52 MCU 50 MCU = 18 MCU volume
FC/FG total:
11 LRUs
= 24 lanes, incl. 20 PSUs modular
= 50 MCU volume integration


Modular Flight Control & Guidance Computer
BGT Bodenseewerk Gerätetechnik GmbH
Integrated flight control & guidance functions:
  primary flight control (FBW), incl. backup
  secondary flight control (FBW)
  high-lift flight control (slat/flap FBW)
  flight envelope protection
  auto pilot w. CatIIIb auto-land
  flight director
  auto throttle
ref.: D.T. McRuer, D.E. Johnson: Flight control systems: properties and problems - Vol. 1 & 2, Feb. 75, 165 pp. & 145 pp., NASA CR-2500/2501
ref.: D. McRuer, I. Ashkenas, D. Graham: Aircraft dynamics and automatic control, Princeton Univ. Press, 73, 784 pp., ISBN 0-691-08083-6
ref.: J. Roskam: Airplane flight dynamic and automatic flight controls - Part 1 & 2, Roskam A&E Corp., 1388 pp., LoC Card no. 78-31382
ref.: R.J. Bleeg: Commercial jet transport fly-by-wire architecture consideration, Proc. 8th DASC, San Jose/CA, Oct. 88, pp. 399-406

Modular Flight Control & Guidance Computer
Current FCGC-program development status:
  demonstrator program in cooperation with DASA
  simulator and A340-rig tests: ongoing since 1Q91
  flight test scheduled for 1Q98 on VFW614 test bed
  certification: primary flight control only (incl. dynamic task-reconfig concept)
  development & test program: full-function FCGC


VFW-614
Returned to service 1Q96 as test-bed for the BGT/DASA EFCS Program
photo: courtesy

Modular Flight Control & Guidance Computer
Goals:
  low cost
  no reduction in safety & performance vs. conventional architectures
  safely dispatchable with any single module failed
  safely dispatchable with any two modules failed (reduced performance)
  significantly reduced weight/size/power


Modular Flight Control & Guidance Computer
Concept:
significant reduction of hardware:
  integration of functions, enabled by computing performance (mixed criticality levels!)
  reduced amount of interfacing (computer <-> computer, lane <-> lane)
more efficient use of retained hardware:
  more paths through system: move away from rigid lane structure
  resource sharing, multi-use I/O hardware
  no single-thread operation -> reduced output h/w redundancy
  graceful degradation (shedding of lower criticality functions (FG) to retain higher (FC))
lower cost hardware:
  no ARINC-65X backplane databus, connectors, module lever
strict separation of I/O from computational functions
dissimilarity


Modular Flight Control & Guidance Computer
System architecture: 2 modular FCGCs
per FCGC:
  2 dual Computing Modules (CPMs)
  2 dual I/O Modules (IOM type A):
    one mainly for PFC, the other mainly for FG
  2 dual I/O Modules (IOM type B):
    one mainly for Hi-Lift and Maintenance
    the other mainly for PFC/SFC, and can act as NGU minimum-PFC backup
  2 or 3 Power Supply Modules (dep. on dispatch reqs)
A429 inter-FCGC, 10 Mbs serial inter-module
A650 cabinet form factor, shorter LRMs
- all modules are dual fail-passive -


Modular Flight Control & Guidance Computer
FCGC (x2)
2x CPM (identical), X-puter + PowerPC: one FC, one FG (FC)
4x IOM, PowerPC + GP P: A, A, B, B
- FCGC internal architecture -
ref.: R. Reichel: Modular flight control and guidance computer, Proc. 6th ERA Avionics Conf., London/UK, Dec. 92, 9 pp.


FCGC redundancy management - examples
[Diagram: CPMs (FC, FG (FC)) and IOMs (A A B B) of both FCGCs, fault free and after a CPM failure]
- elevator control reconfiguration in response to module failures -
- CPM failure -

FCGC redundancy management - examples
[Same diagram after a CPM + IOM failure]
- elevator control reconfiguration in response to module failures -
- CPM + IOM failure -

FCGC redundancy management - examples
[Same diagram after a CPM + IOM + CPM failure]
- elevator control reconfiguration in response to module failures -
- CPM + IOM + CPM failure -


Integrated and Modular Avionics

Introduction
Why change avionics?
Integration
Modularization
AlliedSignal programs
Future .....

AlliedSignal Programs
Integrated Cockpit Avionics
Integrated Hazard Avoidance System
Integrated Utilities System

Integrated Cockpit Avionics
ARIA joint venture of AlliedSignal CAS with Russian partner NIIAO
  ARIA = American-Russian Integrated Avionics
  NIIAO = Scientific Research Institute of Aircraft Equipment
  govt owned, frmr. part of Flight Research Institute
  located in Zhukovsky, Aviation City near Moscow
  ARIA JV since 3Q92
  ARIA JV office in Moscow since 4Q93
first program: Beriev BE-200
  amphibious multi-role jet aircraft
  primary role: fire fighting (12 m^3)

Beriev BE-200: Russian multi-role amphib
CIS Aviation Industry
- business environment as seen by AlliedSignal -

Design Bureaux
  Issues: 4 major OEMs; several active programs; some CIS govt funding
  Positives: real industry; good design capability
  Negatives: lack of market forecast; excess design capacity; physical & managerial separation from production; lack of customer support network
Production Plants
  Issues: 16 major facilities; mixed military/civil production; privatization process on-going
  Positives: skilled labor; access to raw material; know the end-user
  Negatives: excess capacity in workforce and facilities; updated production equipment required
Airlines
  Issues: Aeroflot remains national carrier; over 200 new airlines
  Positives: high demand for capacity; over 200 new airlines
  Negatives: large fleet under-utilized; in need of updating; lack of support facilities; customer image problems
Private Operators
  Issues: critical need for biz-jet operations; no domestic producer
  Positives: growing market; OEMs addressing the need
  Negatives: biz-jet infrastructure not in place; aging fleet of YAK-40s

ref.: K.R. Dilks: Modernization of the Russian Air Traffic Control/ Air Traffic Management System, Journal of Air Traffic Control, Jan/Mar 94, pp. 8-15
ref.: V.G. Afanasiev: The business opportunities in Russia: the new Aeroflot - Russian international airlines, presented at 2nd Annual Aerospace-Aviation Executive Symp., Arlington/VA, Nov. 94, 5 pp.

CIS Aviation Industry
[Map of CIS + Ukraine; Moscow: GMT + 3 h; legend: design bureau, airframe production facility]
Moscow: AS/ARIA, NIIAO, YAK, TU, IL
Kiev: AN
Taganrog: BE
Kazan: TU mfg
Saratov: YAK mfg
Novosibirsk: AN mfg
Irkutsk: BE mfg
Beta Air
Note: map shows CIS + Ukraine

Time from 1st Flight to Certification (months)
USA:
  B-737-200 8, B-737-300 9, B-737-400 7, B-737-500 10, B-747 10, B-747-400 9, B-757 10, B-767 10, B-777 10, DC-10 11, MD-80 10, MD-11 10
  Average 10 mo.
Europe:
  A-300 17, A-310 11, A-320 12, A-330 17, A-340 11; Average 14 mo.
  BAe-41 14, BAe-125 12, BAe-146 20; Average 15 mo.
  Falcon-50 27, Falcon-900 18; Average 22 mo.
CIS:
  IL-86 48, IL-96 51, IL-114 57-69, TU-154 40, TU-204 60, Yak-42 66
  Average 55 mo.

ARIA-200 system architecture
[Block diagram. Display System: PFD, ND and EICAS on 6"x8" AM-LCDs, with source sel., EFIS, EICAS, FC and WX-RDR control panels and brightness control. Stdby Instr.: Alt, ADI, IAS, RMI. Flight & Radio Management: RMU-1, RMU-2. Sensors: ADC-1/2, AHRS-1/2, FMS/GPS-1/2. Cabinet nr. 1 and Cabinet nr. 2 with PS, FW, DC, I/O 1-4, OM, VS and AP/AT modules, connected to A/C Systems, Engine Ctl, Flt Ctl and Audio System. CNS suite nr. 1 and nr. 2: VHF, ADF, VOR, ILS, MLS, DME, XPDR, RA, HF, with ACARS, TCAS and TACAN among the units marked opt. Portable DATA LOADER. Legend: AlliedSignal h/w; AlliedSignal h/w + core s/w; AlliedSignal OTS]
ref.: F. Dörenberg, L. LaForge: An Overview of AlliedSignal's Avionics Development in the CIS, IEEE AES Systems Magazine, Feb. 95, pp. 8-12

ARIA-200 Integrated Modular Cabinets
Cabinet-1: PS FW DC I/O I/O OM FC PS
Cabinet-2: PS FW DC I/O I/O VS FC PS
PS = Power Supply
FC = Computer Module for Auto-Flight (AP/AT)
I/O = I/O Module
OM = Computer Module for On-Board Maintenance
DC = EICAS Data Concentrator Module
FW = Computer Module for Flight Warning
VS = Voice Synthesizer Module

ARIA-200 avionics cabinet
Mechanical structure and modules conform to ARINC 650
  volume 2/3 of AIMS
  weight 60% of AIMS
Uses 3 standardized modules:
  Power Supply Module
  Computer Module (CM)
  Input/Output Module (IOM)
Module-module communication: high speed A429 backplane
Power consumption: < 400W total (115 Vac & 27 Vdc)
Cooled by integral fans

ARIA-200 avionics cabinet
Maximized design re-use for reduced development risk
  processor design
  I/O design
  BIT circuitry
  Ada real-time exec
  AlliedSignal graphics development tool suite
  common manufacturing process
  fewer part-numbers
Identical computer module for multiple functions:
  Flight Warning
  Flight Control: AP & AT
  On-Board Maintenance
I/O consolidation
  simplifies DU and FMS/MCDU

One Processor Board Design
Processor Board for Computer-Module
Processor Board for I/O-Module: minus database flash memory, minus DPRAMs, minus I/F-board connectors

Two Interface Board Designs
CM-Interface Board: discrete out, DC/DC conversion, analog in, A429 I/O 3x(4+1), discrete in, x-channel comparator logic (flt ctl module only)
IOM-Interface Board: DC/DC conversion, analog in & out, A429 I/O 8x(4+1)

Computer Module (CM) sandwich
CM-Processor Board
CM-Interface Board

ARIA-200 Computer Module - technical data -
module = computer board + interface board
SMT (exc. connectors & hold-up capacitors)
processor: 486 DX 33 @ 25 MHz
inputs/outputs:
  ARINC429 in & out: 16+5
  discrete in & out: 48+12
  RS-232: 1 (shop maint.)
memory:
  512 kB RAM
  256 KB Boot RAM
  Flash (program mem & database)
  32 kB NVM
software loadable via ARINC-615
1 AMU* width
application:
  auto-flight (x2)
  flight warning (x2)
  on-board maintenance (x1)
* 1 AMU-width = 1 MCU-width = 1/8 ATR-width = 1.1 inch

Input/Output Module (IOM) sandwiches
two sandwiches, each: IOM-Processor Board, IOM-Interface Board

ARIA-200 I/O Module - technical data -

module = 2x {computer board + interface board}


SMT (exc. connectors & hold-up capacitors)
processors: 486 DX 33 @ 25 MHz
inputs/outputs:
ARINC429 in & out: 2x (36+9)
discrete in & out: 2x (22+8)
RS-232: 1+1 (shop maint.)
memory:
RAM
Boot
Flash (program mem & database)
NVM
software loadable via ARINC-615
3 AMU width
application:
to DUs, FDR, FCMs, FWMs, OMM, IOMs
from a/c systems, CNS, EIS control panels
Russian Trivia
Russians are generally well educated, many speak English,
they know and love their culture
80% of Muscovites have a weekend datcha near Moscow
Nothing ever gets finished in Russia
From the provinces it can take 3 hours to get a phone call
to Moscow
Russians love dogs
Vodka plays a significant role in the Russian way of life
Life expectancy for a Russian male is 63 years
Somebody in Moscow collects manhole covers
The women are not short and stout in black head scarves,
they are surprisingly attractive

AlliedSignal Programs

Integrated Cockpit Avionics


Integrated Hazard Avoidance System
Integrated Utilities System

Accidents* vs. flight phase
* all accidents (hull loss + fatal). Excludes: sabotage, military action, turbulence injury, evacuation injury.
Exposure percentage based on a flight duration of 1.5 hours

Percentage of accidents by flight phase:
Load, taxi, unload: 4.8%
Takeoff: 12.8%
Initial climb: 7.4%
Climb: 6.4%
Cruise: 5.7%
Descent: 6.2%
Initial approach: 6.6%
Final approach: 19.7%
Landing: 30.3%
Chart bracket label: 50%

Exposure, percentage of flight time: 1% 1% 14% 57% 11% 12% 3% 1%
Profile markers: flaps retracted, nav fix, outer marker

- worldwide commercial jet fleet, all accidents 1965-1994 -

ref.: Boeing Commercial Airplane Group Statistical Summary of Commercial Jet Aircraft Accidents - Worldwide operations 1959-

Hazards external to aircraft

Terrain
In-Air
On-Ground
On-Aircraft


Hazards external to aircraft

Terrain:
Controlled Flight Into Terrain (CFIT):
worldwide, a leading cause of fatal accidents involving
commercial air transports
usually during approach phase of flight (3% departure),
usually while descending at normal flight-path angle
25% VFR (esp. night time)
65% IFR (esp. non-precision with step-down fixes)
currently lacking: flight deck info in intuitive format

ref.: D. Carbaugh, S. Cooper: Avoiding Controlled Flight Into Terrain, Boeing Airliner, April-June 96, pp. 1-11
ref.: D. Hughes: CFIT task force to develop simulator training aid, AW&ST, July 10, 95, pp. 22, 35, 38

Hazards external to aircraft

In-Air:
atmospheric:
turbulence (inc. Clear Air Turbulence, CAT)
windshear/micro-bursts
precipitation (convective cells, tornadoes, hail, dry hail)
icing conditions (super-cooled liquid water)
wake vortex

environmental:
volcanic ash

traffic:
other aircraft (all classes)
birds
ref.: J. Townsend: Low-altitude wind shear, and its hazard to aviation, Natl Academy, Washington/DC, 1983
ref.: L.S. Buurma: Long-range surveillance radars as indicators of bird numbers aloft, Israeli J. of Zoology, Vol. 41, 95, pp. 21-236

Hazards to aircraft (contd)

On-Ground:
runway incursions
other aircraft
vehicles
animals
other obstacles

On-Aircraft:
fire, smoke
wing ice

Jet aircraft in service & annual departures
[Figure: two plots over 1966-1994. Upper plot: aircraft in service, axis 0 to 12,000, labelled value 11,852. Lower plot: annual departures (millions), labelled value 14.6, and accidents per million departures (annual rate).]

Accident rates of US scheduled airlines (Part 121):
1 per 2,500 M miles (95); 1 per 1,250 M miles (94)
1 per 4.2 M departures (95); 1 per 2M (94)
Accident rates of US scheduled airlines (Part 125):
1 per 333 M miles (95); 1 per 200 M miles (94)
1 per 1.75 M departures (95); 1 per 1.2M (94)

- worldwide operations 1965-1994 -

ref.: Boeing Commercial Airplane Group Statistical Summary of Commercial Jet Aircraft Accidents - Worldwide operations 1959-

Projection

stable accident rates + more aircraft + more traffic => more accidents

extrapolation of past ten years' worldwide accident rates and expected fleet growth:
one jet transport hull loss every week* by the year 2010 unless accident rates (=safety) improve.
accident rates will improve, such that fatality rate is stable**:
safety is the relative freedom from being subject to uncontrolled hazards: potential or existing unplanned conditions/events that can result in death, injury, illness, damage to, or loss of equipment or property, or damage to the environment.
safety is a state in which the risk (real or perceived) < upper limit of acceptable risk
limit is driven by whoever has to pay (in whatever form) for the consequences: equipment owners/operators, crew & pax, underwriters, society, etc.
risk must also be seen vis-à-vis the benefit derived from the risky function or activity (here: air transport aviation).

* 1 per 4 - 7 days
** number of fatalities p.a. has been stable since 1947 (Bateman's Law)

- air traffic is not getting inherently more dangerous -

ref.: C.A. Shifrin: Aviation safety takes center stage worldwide, AW&ST, 4 Nov 1996, pp. 46-48
ref.: The dollars and sense of risk management and airline safety, Flight Safety Digest, Vol. 13, No. 12, Dec. 94, pp. 1-6

AlliedSignal flight-safety products: core technology


Traffic Collision Avoidance System
TCAS II + Mode-S Transponder (active: up to 40 nm; planned: passive up to 100 nm)

Weather Radar (incl. Doppler for turbulence)


Windshear detection
predictive/forward looking (via WX radar remote sensing; up to 5 nm, > 10 sec)
reactive (in GPWS, based on airmass accels + hor./vert. wind changes)
Terrain detection: Ground Proximity Warning System
RadAlt-based GPWS
Enhanced GPWS (EGPWS= GPWS + terrain d-base)
Flight recorders
(SS)CVR, (SS)FDR
Smoke detection
ref.: D. Esler: Trend monitoring comes of age, Business & Commercial Aviation, July 95, pp. 70-75
ref.: P. Rickey: VCRs and FDRs, Avionics Magazine, March 96, pp. 34-38

Terrain Avoidance

GPWS Functionality
Modes 1- 4
Mode 5 (Glide Slope)
Mode 6 (Altitude Callouts and Bank Angle)
plus Terrain Clearance Floor
around airports, aircraft in landing config
terrain database + position info
plus Forward Looking Terrain Avoidance
terrain database + position info
plus Situational Awareness/ Terrain Display
terrain database + position info
radar returns (Map Mode)

Worldwide Fatal Accidents 1988-1995
[Figure: bar chart of number of accidents (left-hand scale, 0 to 20) and number of fatalities (right-hand scale, 0 to 1200) by category: loss of control in flight, CFIT, fire, midair collision, landing, ice/snow, windshear, fuel exhaustion, runway incursion, other. Excludes sabotage and military action.]

- CFIT accounts for majority of fatal commercial airplane accidents -

ref.: D. Carbaugh, S. Cooper: Avoiding Controlled Flight Into Terrain, Boeing Airliner Magazine, April-June 1996, pp. 1-11
ref.: ICAO Journal, March 1997, p. 12
Worldwide CFIT Accidents 1945-1995
commercial airplanes only
[Figure: accidents per year (axis 0 to 35), 1945 to 1990, for USA Part 121/125 and Rest of World (no data prior to '64), with markers "USA GPWS 1974" and "ICAO GPWS 1979".]

- introduction of GPWS has reduced CFIT risk -

ref.: D. Carbaugh, S. Cooper: Avoiding Controlled Flight Into Terrain, Boeing Airliner Magazine, April-June 1996, pp. 1-11
World-wide civil CFIT accidents - turbo engine a/c
[Figure: CFIT accidents per year, year ending 88 to 95 (axis 0 to 35), for Regional / Corporate / Air Taxi aircraft and for Large Commercial Jets. Inset: world-wide commercial jet CFIT accidents 1988-1995, split into not GPWS equipped, GPWS warning activated, and late warning or improper pilot response.]
EGPWS color coding scheme - simplified
[Figure: terrain colour bands by elevation relative to aircraft elevation (0), with boundaries at +2000, +1000, -500 (variable), -1000 and -2000.]
Terrain map on Nav display

display mode: WX vs. Terr
Terrain threat on Nav display

SURROUNDING TERRAIN (shades of green, yellow & red)
CAUTION TERRAIN: Caution Area (solid yellow)
TERRAIN AHEAD - PULL UP!: Warning Area (solid red)
Terrain display - 3-D vs. 2-D

ref.: freeflight (moving map software for laptop PC), FreeFlight Inc, Pasadena, CA

World-wide terrain data base


End of Cold War helped provide 30 arc second data for 65% of the world
Coverage has grown to 85% of land mass
Includes 90% of world's airports
Validation by Flight and Simulation
Terrain info: compressed into 20 MB flash memory

World-wide runway data base


Purchased from Jeppesen
All runways ≥ 3500 feet in length
Currently 4,750 airports and 6,408 runways
Runway info: Lat/Long of center, length, bearing, elevation


EGPWS Terrain Database (7/30/96, TSO Release)

Map legend:
Pink: 15 arcsec nm
Red: 30 arcsec
Orange: 60 arcsec
Yellow: 120 arcsec
Green: 5 arcmin (enroute)
Brown: Dig. Chart of the World
Blue: missing data
EGPWS Runway Database

[Figure: plot of airport locations, axes from -150.00 to 150.00 and from -50.00 to 50.00.]

- 4815 airports world-wide (runways ≥ 3500 ft) -
Enhanced GPWS functions
centerline: points along groundtrack
plus: lead-angle during turns

[Figure: look-ahead envelope along the centerline; labels: nm; = f(dx to airport, speed, turnrate,..); f(dx to airport); look-ahead distance.]

Look-ahead alert and warning (60 sec, instead of 10-30 sec)
Terrain-clearance independent of a/c landing configuration
Situational display of threatening terrain

Emerging technologies, incl. AlliedSignal developments


Detection of:
Wing ice (refinement)
Clear Air Turbulence (passive IR radiometry)
Wake vortex
Volcanic ash
Advanced X-band radar:
derived from current WX/Windshear Radar
Runway incursion detection
Terrain detection (Forward Looking GPWS)
Landing aid (with d-base): runway ID, approach guidance
Icing conditions (based on Zrefl of supercooled liquid H2O)
Synthetic vision system
IR doppler (improved CatII vision)

IHAS: integration of safety avionics


[Figure: timeline 1996 ... 1999. GPWS with terrain database, display interface and a/c position leads to EGPWS; EGPWS, TCAS II, Mode-S, WX/Windshear Radar and Warning & Caution lead to IHAS.]

- a logical integration of numerous safety-avionics LRUs -
Safety Avionics - federated baseline
[Figure: federated installation block diagram. Blocks: WX radar antenna and antenna controller with waveguide and waveguide switch; RADAR (x2) and WX Radar CP; ATC TPR / Mode S (x2) with coax switches and top/bottom ATC antennas; TCAS processor with antennas and TCAS/ATC CP; GPWS with GPWS CP and GND PROX OVRD; left and right Caution & Warning Electronics with discrete & analog inputs, master warn lights (WARNING/CAUTION) and aural warn speakers; stick shaker L&R; WX/Terr display relay; A453; other aircraft systems.]

Safety Avionics- IHAS baseline


[Figure: IHAS installation block diagram. Blocks: IHAS - L and IHAS - R with A453 and high speed digital buses; top and bottom directional antennas (each labelled 4) and top and bottom omni antennas over coax; IHAS WX radar antenna with antenna controller, R/T switching and RF front-ends as part of the antenna drive unit; Safety CP; master warn lights (WARNING/CAUTION) and aural warn speakers; stick shaker L&R; other aircraft systems.]

- major reduction in complexity -

Advantages of IHAS approach

Added-value from safety point of view:
greater degree of protection through sharing & integrating of information
reduced cockpit confusion through smart alerting
based on total situational awareness
proper prioritization of visual & aural alerts
minimize misinterpretation of (sometimes conflicting and potentially misleading) multiple alerts
reduction of crew workload during critical moments
optimization of hazards display
cont'd

ref.: J.A. Donoghue: Toward integrating safety, Air Transport World, 11/95, p. 98-99

Advantages of IHAS approach (cont'd)

lower weight*: 50 - 70%**
lower volume*: 50 - 60%**
lower power*: 40 - 70%**
lower installation cost (parts & labor)
reduced wiring
fewer connectors
fewer trays
elimination of some ATC antennas
elimination of radar waveguide
higher system availability (more reliable, redundancy)
lower LCC
* compared to equivalent federated suite on 777
** depends on config
- all the advantages of IMA (to OEMs & airlines) -
ref.: J.A. Donoghue: Toward integrating safety, Air Transport World, 11/95, p. 98-99

IHAS design goals

Open architecture
Support software Level A (RTCA/DO-178B)
Simultaneously support lower software levels
Minimize complexity at A level
Provide for incremental system evolution
Hold down cost of changes


Reducing the impact of change

$ Application
code / algorithm changes
I/O details (in current channels)
execution threads

$$ K_EXEC
processor time allocation
partition window positioning
connection of channels to partitions
$$$ BIC Tables
channel bandwidth allocations
node transmit permissions

- change containment to lower cost of system changes -


IHAS integrates safety sub-systems

[Figure: the RDR-4B WX/Windshear Radar, TCAS-II, Mode-S Transponder, E-GPWS (Enhanced Gnd Prox Warning System) and Warning Computer mapped onto IHAS module slots: RF + DSP modules, central processing modules, I/O modules and power supplies.]

Baselines: conventional vs. IHAS

[Figure: two block diagrams. Conventional: E-GPWS, TCAS, Mode-S, Radar and Flight Warning Computer as separate units with a/c data & power connections, plus directional and omni antennas and antenna drive. IHAS: PSM, CPM and two IOMs plus special I/O & processing modules on a power bus and a backplane data bus, with a/c power, a/c data and antenna drive.]
IHAS annotations:
OASYS + special modules for Radar and TCAS/Mode-S processing
integrated TCAS/Mode-S
IOMs shared by all functions
CPM shared by all functions: E-GPWS, Fault Warning Computer, general processing for TCAS, Mode-S, Radar
integration of safety information

IHAS characteristics

Interfaces:
digital: ARINC-429 and 629
analog: as required for specific aircraft
inter-modular backplane bus: modified ARINC-659
RF: 2 TCAS/Mode-S antennas (shared aperture, directional)
power: multiple 115 Vac and 28 Vdc

Mechanical:
LRM form-factor: ARINC-600
connectors: RF and modified ARINC-600

- conceptual -

IHAS generic LRMs


Central Processing Module (CPM):
functions:
I/O and bus control
DSP-function control
system redundancy management
fault-tolerant
software loadable on-board
Digital Signal Processors (DSPs):
function: performing all signal processing
multiple DSP LRMs (redundancy)
hi-speed serial I/F for unique functions (radar, TCAS)
software loadable on-board
cont'd
- conceptual modular allocation -

IHAS generic LRMs (cont'd)

Input/Output Modules (IOMs):


functions:
all external interfaces
display processors
audio output
multiple LRMs (redundancy)
fault-tolerant
Power Supply Module (PSU):
functions:
power input conditioning
power interrupt transparency
dc/dc up-conversion and distribution to all LRMs
multiple power sources (ac & dc)
- conceptual modular allocation -

Node Software Architecture


Partition Execs: thread schedulers, driven by event/priority/deadline; executes strictly within a partition created by K-Exec
Shared Function Libraries: shared functions in execute-only memory may be used by any partition
User-mode software: applications (App 1 to App 5) running under partition execs (P-Exec), libraries (Lib. 1 to Lib. 3), BIT
Kernel-mode software: Kernel Exec (K-Exec): simple, deterministic, round-robin scheduler and partition management
Processor and I/O hardware: host CPU & supporting logic, hardware interrupt system, MMU, I/O

- modified scheduler activation type exec -

ref.: A.S. Tanenbaum: Distributed Operating Systems, Prentice Hall, 1995, 614 pp., ISBN 0-13-219908-29

Node architecture

[Figure: five nodes (IPU, IPU, Special IOM with special H/W, Generic IOM, Generic IOM), each running partitions (P1 to P10) on its own K-Exec and attached through a bus I/F to the fault-tolerant backplane databus; the three IOMs carry external I/O.]

Processor selection criteria*


* not prioritized, non-exhaustive list

processing throughput
VAX-MIPs, Whet/Drystones, SPEC95, etc.
don't start with top-of-line (you may out-grow it before next gen is available = EOL)

processor architecture & support


must have believable roadmap for development of architecture (no AMD29K)
life-cycle of avionics >> PCs

embeddedness
desired: minimum number of external components, i.e., component integration
counters, timers (incl. watchdog)
cache
DRAM refresh
floating point unit
memory management unit
serial port UART
JTAG port for debug, BIT, shop test, software load

operating voltage
5, 3.3, 2.5, 2.2, 1.8, etc. Vdc

- desired: cheap, low-power embedded µP that does -loop in 10 msec -

Processor selection criteria - contd

power consumption
desired: < 0.5 W (no 35 W Pentium Pro if using 4-10 µPs per cabinet or LRU)

temperature range
cache (instruction & data) size and level
L2/L3 may not be desired

memory management
virtual addressing (page based)

error checking capability (e.g., bus parity)


exception & interrupt handling
at Kernel & Application Exec level
at application level

availability for integration


eventually: processor-die + memory + peripherals + bus I/F into single ASIC

- hold-off actual selection as long as possible -



Processor selection criteria - contd

support for multi-processor configuration


synchronization
fault detection
redundancy management

in-house experience with processor family


design
compilers, debuggers, emulators, etc.
development/maintenance

portability of existing/legacy software


incl. device driver & O/S implications

tools and supporting vendors


robust compilers (validated) , linkers, debuggers, etc. (so-so for Intel)
real-time O/S

cost
recurring cost of complete processor core
development/maintenance

availability of evaluation boards & simulators

ref.: M. Slater: The microprocessor today, IEEE Micro, Dec. 1996, pp. 32-44
ref.: D. Hildebrand: Memory protection in embedded systems, Embedded Systems Programming, Dec. 1996, pp. 72-76

OASYS Backplane Databus

derived from ARINC-659 standard:


semi-duplex, serial, multi-drop, broadcast
table driven, deterministic, distributed control
fault tolerant, high integrity
same integrity
same availability
but
higher bandwidth
reduced complexity:
fewer operational modes (simplicity, dev., V&V, cert.)
simpler message protocol
simpler hardware
easier to change & add applications:
need for, and cost of changing bus traffic configuration
easier to integrate system (debug, dev.)
less costly
ref.: K. Hoyme, K. Driscoll: SAFEbus, Proc. 11th DASC, Seattle/WA, Oct. 1992, pp. 68-72
ref.: E.E. Rydell: Avionics backbone interconnection for busing in the backplane: advantages of serial busing, Proc. 13th DASC, Phoenix/AZ, Nov. 94, pp. 216-220

Backplane databus: backbone of the system

connects all processing nodes in the system


integration of numerous conventional point-to-point
and broadcast databuses between LRUs
(time-)shared resource:
bus must provide fault tolerance (redundancy, distributed control, etc.)
bus interfaces must provide a high-integrity front-end
bus & bus protocol must ensure robust partitioning, while
supporting cost-effective development, upgrade & addition of
applications

supports multi-node architecture

Node architecture - generic processing module
[Figure: two lanes, each with a µP and clock, DPRAM, and a bus I/F controller with its own clock and table memory, connected to sets of redundant bus lines.]
- frame synchronized pair -
Node architecture - generic I/O module
analog, discrete, digital, audio

[Figure: one µP with clock, external I/F blocks with FIFO, DPRAM, and two bus I/F controllers, each with its own clock and table memory, connected to sets of redundant bus lines.]

Resource partitioning in all nodes: time & space


- the need for partitioning is driven by
sharing of processing and communication resources -

Space partitioning:
guarantees integrity of allocated program & data
memory space, registers, dedicated I/O

Time partitioning:
guarantees timely access to allocated (shared)
processing & communication bandwidth
deterministic execution

- at functional level, an integrated system with a robust chain of partitioning looks like a virtual federated system -
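An added sketch, not code from the presentation or from AlliedSignal: it contrasts a table-driven kernel exec with fixed partition windows against a run-to-completion baseline when one partition overruns, and adds an MMU-style access check for space partitioning. The partition names, window table, address ranges and demand figures are constructed for illustration.

```python
"""Time and space partitioning on one node, as a small simulation.

Everything here is constructed for illustration: partition names, window
lengths, address ranges and demands are hypothetical, not IHAS values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    partition: str
    start_ms: int      # offset of the window inside the major frame
    length_ms: int     # processor time allocated to the partition


MAJOR_FRAME_MS = 40
WINDOW_TABLE = (Window("P1", 0, 10), Window("P2", 10, 20), Window("P3", 30, 10))

# Space partitioning: private regions plus one execute-only shared library.
REGIONS = {"P1": range(0x1000, 0x2000), "P2": range(0x2000, 0x3000),
           "P3": range(0x3000, 0x4000)}
SHARED_LIB = range(0x8000, 0x9000)


def validate_table(table, major_frame_ms):
    """Reject a window table with empty, overlapping or out-of-frame windows."""
    end = 0
    for w in sorted(table, key=lambda w: w.start_ms):
        if w.length_ms <= 0 or w.start_ms < end:
            raise ValueError(f"window for {w.partition} is empty or overlaps")
        end = w.start_ms + w.length_ms
    if end > major_frame_ms:
        raise ValueError("windows run past the major frame")


def run_partitioned(table, major_frame_ms, demand_ms, frames):
    """Kernel-exec style schedule: every window starts at its table offset.

    A partition that wants more time than its window is cut off at the window
    boundary and the overrun is counted; later windows are not shifted.
    Returns (trace of (partition, start, end) in ms, overrun count per partition).
    """
    validate_table(table, major_frame_ms)
    trace, overruns = [], {w.partition: 0 for w in table}
    for frame in range(frames):
        base = frame * major_frame_ms
        for w in sorted(table, key=lambda w: w.start_ms):
            start = base + w.start_ms
            used = min(demand_ms[w.partition], w.length_ms)
            if demand_ms[w.partition] > w.length_ms:
                overruns[w.partition] += 1
            trace.append((w.partition, start, start + used))
    return trace, overruns


def run_cooperative(order, major_frame_ms, demand_ms, frames):
    """Baseline without time partitioning: each task runs to completion."""
    trace, t = [], 0
    for frame in range(frames):
        t = max(t, frame * major_frame_ms)   # frame released on time if CPU is idle
        for p in order:
            trace.append((p, t, t + demand_ms[p]))
            t += demand_ms[p]
    return trace


def start_times(trace, partition):
    """Start time of every activation of one partition in a trace."""
    return [start for name, start, _ in trace if name == partition]


def access_allowed(partition, addr, mode):
    """MMU-style check: read/write only inside the partition's own region;
    execute inside its own region or the shared execute-only library."""
    if mode in ("r", "w"):
        return addr in REGIONS[partition]
    if mode == "x":
        return addr in REGIONS[partition] or addr in SHARED_LIB
    return False


if __name__ == "__main__":
    faulty = {"P1": 8, "P2": 35, "P3": 6}    # P2 overruns its 20 ms window
    trace, overruns = run_partitioned(WINDOW_TABLE, MAJOR_FRAME_MS, faulty, 2)
    print("partitioned P3 starts:", start_times(trace, "P3"), "overruns:", overruns)
    coop = run_cooperative(["P1", "P2", "P3"], MAJOR_FRAME_MS, faulty, 2)
    print("cooperative P3 starts:", start_times(coop, "P3"))
```

With fixed windows the overrunning partition only hurts itself; in the baseline its overrun shifts every task behind it.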

Growth Potential

Wake-vortex prediction
Wing-ice detection
Clear Air Turbulence detection
Volcanic ash detection
Enhanced Vision System (EVS)

- expansion of IHAS baseline by integrating additional flight safety functions -


IHAS: stepping stone towards an integrated Enhanced Situational Awareness System (ESAS) ....

[Figure: timeline 1999 ... 2005. IHAS (EGPWS, TCAS II, Mode-S, WX/Windshear Radar, Warn & Caution) feeds into ESAS; further labels include Enh. TCAS, Volc. Ash, Dry-Hail, Wake Vortex, CAT, Radar Posn., Cond. & Perf. Monitoring, Correlation, Radar EVS, HUD, Terrain & Obst. Sensing, Imaging Sensors.]

ref.: F. George: Enhanced TCAS, Business & Commercial Aviation, Oct. 96, pp. 60-63

Flight Operations Quality Assurance Tool (FOQA)

Accidents are not frequent enough to measure safety through accident rates
Absence of accidents does not necessarily imply safety
IHAS can monitor safety parameters for statistically meaningful measurement of Merit of Safety Quality
relative safety
how close to hazardous condition
how often
statistical only: not traceable to particular flights
can be used to identify unsafe SIDs/STARs, ATC procedures, etc.

Ex.: Safety Margin Prediction for CFIT

[Figure: probability distribution of terrain clearance along a 3° glideslope to the runway, with the nominal terrain clearance and the probability of CFIT marked at 0 terrain clearance.]

- similar statistical process as done for autoland cert. -

Unified AlliedSignal IMA approach


Necessity for SBUs/SBEs to have IMA:
response to RFIs
competitive reasons
Single concept for multiple SBUs/SBEs:
IHAS approach with Application Specific I/O Modules
single-company & generic solution towards Customer

Reduced NRE across applications:


re-use of backplane, modules, circuit design, O/S, BIT, V&V, etc.
fewer specific test equipment
sharing / pooling of resources from various SBUs/SBEs

Reduced RE:
economies of scale for generic modules and backplane
fewer partnumbers (documentation, spares, test equipm., etc.)
interchangeability of modules across applications

Enhanced functionality, safety, and utility:


e.g., integration of information (e.g., IHAS smart alerting)

- benefits to Customer and to AlliedSignal -

Unified AlliedSignal IMA approach


[Figure: common vs. specific resources. Common: IOM, CPM (dual), PSM (dual), bus + mech, O/S, maint S/W, BIT S/W. Specific: Radar RF/DSP, TCAS RF/DSP and appl. S/W for IHAS; Utilities Control IMA (tbd); Com/Nav IMA (tbd).]
- maximum re-use of common resources -
AlliedSignal Programs

Integrated Cockpit Avionics


Integrated Hazard Avoidance System
Integrated Utilities System

Typical transport aircraft systems

Avionics: FMS; AP/AT; Perf Mgt; CNS Radios; Comm Mgt; Displays; Data Concentr.; Air Data & Inertial Ref; On-Board Maint; Pax Comm.; Pax Entertain.; Condition Mon.; Flight Warning; Flight Safety (FDR, CVR; TCAS; GPWS; WX)
Environmental Control: Bleed Air; Bleed Leak Det; Avionics Cooling; Cargo Fire Prot; Eng. Fire Prot; Smoke Detect; Anti-Ice; Cabin Air (pressure, conditioning)
Electrical: Elec Pwr Gen; Elec Pwr Distr; Load Mgt; Windshld Heat; DC sensors; Lighting (external, flight deck, cabin)
Propulsion: Engine Control; Thermal Mgt; Thrust Reverse; Fuel Control; APU Control
Flight Control: PFCS; SFCS; AFS
Payload: Cargo Handling; Potable Water; Lavs & Waste; Galley; Escape System; Oxygen
Hydro-Mechanical: Hyd Supply; Control Surface Actuation; Landing Gears; Steering; Brakes

ref.: D. Parry: Electrical Load Management for the 777, Avionics Magazine, Feb. 95, pp. 36-38
ref.: Avionics on the Boeing 777, Part 1-11, Airline Avionics, May 94 - June 95
ref.: M.D.W. McIntyre, C.A. Gosset: The Boeing 777 fault tolerant air data inertial reference system , Proc. 14th DASC, Boston/MA, Nov. 95, pp. 178-183
ref.: G. Bartley: Model 777 primary flight control system, Boeing Airliner Magazine, Oct/Dec 94, pp. 7-17
ref.: R.R. Hornish: 777 autopilot flight director system, Proc. 13th DASC, Phoenix/AZ, Nov. 94, pp. 151-156
Typical Environmental Control System
Signal Inputs: air data; heat load on/off; load shedding; throttle setting; air/gnd status; fuel/coolant temp; flow/temp/press demand
Signal Outputs: valve drives; actuator drives; temp/flow/press; fault/warning; fuel flow recirc. demand
Sub-system Functions: engine starting; bleed-air temp/press regulation; cabin pressure; cabin cooling; anti-ice, de-ice, de-fog; cooling hydr/electr/mech power devices; avionics cooling
Internal Sensors: temperature; pressure; air flow; fluid flow; humidity; angular speed; ang./lin. position
Internal Actuators: valves (motor, solenoid); compressors (motor, turbine); air-fan; fluid pump; other EM devices
Physical Inputs: bleed/APU air; hydr fluid/coolant; electr. power; pneum. servo pwr; ram air; fuel; APU air
Physical Outputs: air flow at suitable temp & press; coolant flow at suitable temp & press; O2, N2 flow

- multi-variable, multi-channel control -
Integrated Utilities System
Environmental control:
very I/O intensive:
up to 90 sensors
up to 60 effectors
wide variety of I/O:
sensors: pressures, temperatures, flows, speeds, humidity
effectors: valves, compressors, pumps, ejectors, other EM devices
even next generation will still have many analog I/Os
involves switching high levels of electrical power:
25 - 100 kW
precludes long cables: switching-electronics close to (or bolted onto) engine
future engines:
electrical start instead of air (requires > 100 kW!)
bleed-air system will be deleted through mech. integration (civil only)

Environmental Control System (ECS) - technology trends

[Figure: system complexity vs. year (1960 to 2000) across control technology generations: Magnetic Amplifier, Solid State Analog, Hybrid Analog Digital, Microprocessor/Software, Integrated Systems, Integrated Utilities. Programs plotted include C5A, DC9, DC-10, 747, F-15, F-18 C/D, B757/767, A320, V-22, B-2, A330/340, B767 EBAS, MD-11, 777, F-18 E/F, ICECS, F-22 and JAST.]

ref.: Jane's Avionics, 1992-1993, Jane's Information Group Inc., 664 pp., ISBN 0-7106-0990-6
ref.: Jane's All the World's Aircraft, 1993-1994, Jane's Information Group Inc., 733 pp., ISBN 0-7106-1066-1
- Components of AlliedSignal F-22 ATF IECS -

- over 120 control channels -
AlliedSignal MD-11 ECS Controller and Sensors

Related utilities sub-systems that require control at or near the engine

Avionics: FMS; AP/AT; Perf Mgt; CNS Radios; Comm Mgt; Displays; Data Concentr.; Air Data & Inertial Ref; On-Board Maint; Pax Comm.; Pax Entertain.; Condition Mon.; Flight Warning; Flight Safety (FDR, CVR; TCAS; GPWS; WX)
Environmental Control: Bleed Air; Bleed Leak Det; Avionics Cooling; Cargo Fire Prot; Eng. Fire Prot; Smoke Detect; Anti-Ice; Cabin Air (pressure, conditioning)
Electrical: Elec Pwr Gen; Elec Pwr Distr; Load Mgt; Windshld Heat; DC sensors; Lighting (external, flight deck, cabin)
Propulsion: Engine Control; Thermal Mgt; Thrust Reverse; Fuel Control; APU Control
Flight Control: PFCS; SFCS; AFS
Payload: Cargo Handling; Potable Water; Lavs & Waste; Galley; Escape System; Oxygen
Hydro-Mechanical: Hyd Supply; Control Surface Actuation; Landing Gears; Steering; Brakes

- technology demonstration -
Environmental Control & Thermal Management System

[Figure: environmental control & thermal management block diagram. Sources: engine bleed, APU, ground source, power source. Units: air cycle unit, vapor cycle unit, thermal mgmt. Served functions and loads: anti-ice/de-ice, windows, cabin temp, cabin pressure, equip loads (avionics, radar, hydraulics, electr. power), fuel. Interfaces: demand signals, controls, diagnostics, aircraft computers, flight deck selector and displays.]
J/IST Suite Consensus Demonstration Architecture

[Figure: engine with combustor, heat exchanger, starter/generator, bleed-air and FADEC; fuel; engine oil; APU; external power; electr. power distribution; other sub-system controllers; A/C loads; T/EMM controller.]
On same shaft: APU, starter/generator, bleed-air compressor

- mechanical integration and controls integration -
ref.: J/IST RFP
Integrated Modular Utilities Control System

[Figure: conventional controls (ECS, Cabin Pressure, Vapor Cycle Sys., Bleed Air, APU, Electric Power, Hydraulic Sys.) compared with integrated thermal/environmental control (Power Supply, CPU Module, Digital Interface, Sensors & Actuators, Power Electronics, Other Functions).]

- mechanical integration forces controls integration -
Integration of controls
Integrated control system has higher criticality
So, (more) fault tolerance required
T/EMM Controller is based on MAFT: Multi-computer Architecture for Fault Tolerance:
a platform of 4* semi-autonomous computer nodes (lanes) connected by a serial-link broadcast bus network
each of the 4 nodes (lanes) is partitioned into a Computing Module and an I/O Module
the computing module is partitioned into an Applications Processor and an RTEM (Real-Time Executive Module) co-processor
* MAFT is not limited to 4 nodes

ref.: C.J. Walter, R.M. Kieckhafer, A.M. Finn: MAFT: a Multicomputer Architecture for Fault-Tolerance in Real-Time Control Systems, Proc. IEEE Real Time Systems Symp., San Diego/CA, Dec. 85, 8 pp.
ref.: C.J. Walter: MAFT: an architecture for reliable fly-by-wire flight control, Proc. 8th DASC, San Jose/CA, Oct. 88, pp. 415-421
ref.: L. Lamport, R. Shostak, M. Pease: The Byzantine Generals Problem, ACM Trans. on Programming Languages & Systems, Vol. 4, No. 3, July 82, pp. 382-401
ref.: M. Barborak, M. Malek, A. Dahbura: The Consensus Problem in Fault-Tolerant Computing, ACM Computing Surveys, Vol. 25, No. 2, June 93, pp. 171-220
RTEM-based system
[Figure: four nodes, each with an RTEM, an AP and an IOP. The RTEMs are joined by a fully connected broadcast network (repeated for all nodes); the IOPs attach to the system busses.]
MAFT/RTEM
MAFT: original theory & concepts developed and patented by
Bendix Aerospace Technology Center, Columbia/MD (1970s)
Concept:
fault tolerant co-processor which provides RedMan functions
for real-time mission-critical systems
dedicated h/w, makes overhead functions transparent to APs:
looks like peripheral (memory mapped or I/O port)
deterministic, design-for-validation (certification)
to reduce system development, validation cost
supports dissimilar AP µPs & N-Version s/w to protect
against generic faults
makes no assumptions regarding types of faults/errors to be
tolerated: any fault/error is possible, no matter how malicious

Real-Time Executive Module (RTEM)

Hardware-implemented executive (overhead) functions associated with redundancy mgmt:
fault-tolerant inter-channel communication
fault-tolerant inter-channel synchronization
voting
error detection, isolation, recovery
dynamic system reconfiguration
faulty channel exclusion
healthy channel readmission
fault tolerant task scheduling
RTEM-AP interface
Provides mathematically provable correctness
Global consistency
Basis for reliability in a distributed fault-tolerant system
Must be established on all critical system parameters
Two forms of agreement:
Byzantine Agreement (exact agreement) on boolean data
Agreement: all healthy lanes agree on contents of every message
sent.
Validity: all healthy lanes agree on contents of messages sent by
any other healthy lane, as originally sent.
Approximate Agreement (interactive consistency) on
numerical data
Agreement: all healthy lanes eventually (within acceptable time,
after multiple rounds of vote/exchange/vote) agree on values that
are within an acceptable deviance of each other, > 0
Validity: the voted value obtained by each healthy lane must be
within the range of initial values generated by the healthy lanes.

- the ability of non-faulty lanes to reach agreement despite presence of (some) faulty lanes -
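An added example, not from the original slides or the MAFT/RTEM design: the approximate agreement defined above, run for 4 lanes of which one is malicious, with an unprotected mean voter beside it for contrast. The fault-tolerant midpoint voter, the lane readings, the deviance of 0.05 and the rule of substituting the receiver's own value for an unusable message are assumptions made here.

```python
import math
from typing import Callable, Dict, List

LANES = 4        # the slides describe a platform of 4 lanes
MAX_FAULTY = 1   # assumption: one arbitrarily faulty lane, which needs n >= 3f + 1


def ft_midpoint(received: List[float], f: int = MAX_FAULTY) -> float:
    """Approximate voter: drop the f lowest and f highest values and return the
    midpoint of the rest, so f malicious inputs cannot set the result."""
    if len(received) < 3 * f + 1:
        raise ValueError("need at least 3f + 1 values to tolerate f faults")
    kept = sorted(received)[f:len(received) - f]
    return (kept[0] + kept[-1]) / 2.0


def naive_mean(received: List[float], f: int = MAX_FAULTY) -> float:
    """Unprotected voter, for contrast: a single bad input moves the result."""
    return sum(received) / len(received)


def spread(values: Dict[int, float]) -> float:
    """Largest difference between any two healthy lanes."""
    return max(values.values()) - min(values.values())


def two_faced(rnd: int, receiver: int) -> float:
    """Constructed malicious lane: sends each receiver a different message."""
    return {0: -1.0e6, 1: float("nan"), 2: 1.0e6}[receiver]


def run_rounds(initial: Dict[int, float], faulty: int,
               adversary: Callable[[int, int], float], deviance: float,
               voter: Callable[..., float] = ft_midpoint,
               max_rounds: int = 20) -> List[Dict[int, float]]:
    """Repeat exchange/vote among the healthy lanes until they are within
    `deviance` of each other. Returns the healthy lanes' values per round."""
    values = {lane: v for lane, v in initial.items() if lane != faulty}
    history = [dict(values)]
    for rnd in range(max_rounds):
        if spread(values) <= deviance:
            break
        voted = {}
        for rx in values:
            received = []
            for tx in range(LANES):
                msg = adversary(rnd, rx) if tx == faulty else values[tx]
                # Assumption: an unusable message (NaN, infinity) is replaced
                # by the receiver's own value, which keeps the vote in range.
                if not math.isfinite(msg):
                    msg = values[rx]
                received.append(msg)
            voted[rx] = voter(received)
        values = voted
        history.append(dict(values))
    return history


def is_valid(history: List[Dict[int, float]], initial: Dict[int, float],
             faulty: int) -> bool:
    """Validity: every voted value lies within the range of the initial
    values generated by the healthy lanes."""
    healthy = [v for lane, v in initial.items() if lane != faulty]
    lo, hi = min(healthy), max(healthy)
    return all(lo <= v <= hi for snap in history for v in snap.values())


# Constructed sample input: lanes 0-2 are healthy, lane 3 is the faulty one.
INITIAL = {0: 100.0, 1: 100.4, 2: 101.2, 3: 0.0}
DEVIANCE = 0.05

if __name__ == "__main__":
    for name, voter in (("ft_midpoint", ft_midpoint), ("naive_mean", naive_mean)):
        hist = run_rounds(INITIAL, 3, two_faced, DEVIANCE, voter=voter)
        print(name, "rounds:", len(hist) - 1,
              "final spread:", spread(hist[-1]),
              "valid:", is_valid(hist, INITIAL, 3))
```

With the trimmed voter the spread among healthy lanes halves every round whatever the faulty lane sends; with the plain mean the same messages pull the healthy lanes out of their own initial range.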
RTEM-based node
[Figure: one node, showing the fully connected broadcast network, RTEM, Applications Processor, Input/Output Processor with Analog I/O and Discrete I/O, and system bus(es)]
RTEM block-diagram
[Figure: inputs from all other nodes + wrap from own node; output to all other nodes; blocks: Transmitter, Message Checker, Synchronizer, Fault Tolerator, Task Scheduler, Voter, Task Communicator; interface to/from applications processor]
Real-Time Executive Module (RTEM)
Transmitter + Receivers + Message Checker:
fault-tolerant inter-channel communication
Voter:
Approximate (with deviance limit), or Boolean
Task Scheduler:
event driven, priority based, globally verified (inc. WDT)
allows wide variety of execution times & iteration rates
Synchronizer:
loose-sync (frame based), periodic resync (exchange, vote,
correct local clocks = distr. FT global clock)
Fault Tolerator:
collects inputs from all error detection mechanisms ( 25),
and generates error reports (voted)

RTEM Prototype Board - VME 6U
[Photo: RTEM Prototype Board, with labelled areas: RX/TX Conn., Recvr (x4), X-mitter (x1), Msg Chkr, Voter, Task Sched, Mem Mgt, Flt Tol., Buf. Ctl, Sync, Seq]
MAFT/RTEM Hardware Integration

[Figure labels: TTL-version MAFT, mid-80s, 2x3x7 ft cabinet; 5x FPGA Chip Set, VME 6U, RTEM Prototype Board; mid-90s; Single-Chip RTEM, 80k gates FPGA]
Candidate systems for Integrated Utilities

21 Air Conditioning
22 Autoflight
23 Communications
24 Electric Power
25 Equipment/Furnishings
26 Fire Protection
27 Flight Controls
28 Fuel
29 Hydraulic Power
30 Ice and Rain Protection
31 Indicating/Recording Systems
32 Landing Gear
33 Lights
34 Navigation
35 Oxygen
36 Pneumatic System
38 Water/Waste
45 Central Maintenance System
49 Airborne Auxiliary Power
 indicates candidate system

- airframe systems by ATA chapter -

Integrated and Modular Avionics

Introduction
Why change avionics?
Integration
Modularization
Future .....


Some thoughts on the future ........

further cost reduction


avionics NRC: systems & software
engineering, architecture/integration
production RC
deletion of avionics
GPS sole means of nav by 2010 in USA
demise of NDB, VOR, DME, ILS
additional avionics & functions
ATN, GPS, CMS, FBW, ESAS, ....
consolidation/integration of avionics
more datalinking
ADS, WX
(cont'd)
ref.: A. Gerold: The Federal Radionavigation Plan, Avionics Magazine, May 1996, pp. 34-35

FANS: Future Air Navigation System



source: B. Evans: The Age of Data Link, Avionics Magazine, Jan. 96, pp. 28-

Future ........ (cont'd)

device density and performance


system complexity and size
remote electronics:
end-to-end digitalization
interfacing & computing closer to data
source or to point of application
smart sensors, actuators, skins, etc.
standard real-time operating systems
application transparency to hardware
strict partitioning
(cont'd)
ref.: M. Rodriguez, M. Stemig: Evolution of embedded avionics operating systems, presented at DASC-95, Boston/MA, Nov. 95, 5 pp.

Component and System Performance trends

[Figure: qualitative trend curves plotted against time, with "now-ish" marked on the time axis. Curves: Processing & Memory Density, Level of Functional Integration, Reliability, System Cost, Power, Weight, Volume. Note: curves not necessarily drawn to scale]
ref.: G. Stix: "Toward 'point One' - Trends in Semiconductor Manufacturing," Scientific American, February 1995, pp. 90-95
ref.: G.D. Hutcheson, J.D. Hutcheson: "Technology and Economics in the Semiconductor Industry," Scientific American, January 1996, pp. 54-62

[Figure: number of transistors per chip (10^3 to 10^9) and size of memory (DRAM) in bits (1K to 256M) versus year of availability (1970 to 2000). Legend: Intel microprocessor, Motorola microprocessor, size of memory (DRAM) in bits. Points labelled 4004, 8080, 6800, 8086, 68000, 80286, 68020, 80386, 68030, 80486, 68040, Pentium, PowerPC 601, PowerPC 604, Pentium Pro, PowerPC 620, 80786. Time frames for lithography systems: contact aligners, proximity aligners, projection aligners, first G-line steppers, advanced G-line steppers, first I-line steppers, advanced I-line steppers, first deep-UV steppers]

Exponential increase of transistor density
Current range: 10^6 - 50x10^6 transistors per chip; can be used to:
increase performance (PC µPs)
and/or
integrate more functions with µP and evolve towards complete system-on-chip (embedded applications)
ref.: G.D. Hutcheson, J.D. Hutcheson: "Technology and Economics in the Semiconductor Industry," Scientific American, January 1996, pp. 54-62
ref.: M. Slater: The microprocessor today, IEEE Micro, Dec. 1996, pp. 32-44

Component and System Performance trends

- DSP integration through the decades -


1982 1992 2002
Die size 50 mm 50 mm 50 mm
Technology size 3 0.8 0.25
Mips 5 Mips 40 Mips 400 Mips
MHz 20 MHz 80 MHz 200 MHz
RAM 144 words 1k words 16k words
ROM 1.5k words 4k words 1.5M words
Price $150 $15 $1.50
Power 250 mW/Mips 12.5 mW/Mips 0.25 mW/Mips
Transistors 50k transistors 500k transistors 5M transistors
Wafer size 3-in wafer 6-in wafer 12-in wafer
source: Texas Instruments

- further price/performance improvements to be expected -


ref.: EE Times, May 22, 95, p. 16

Future ........ (cont'd)

new, certifiable bi-directional databuses:


integrate databuses reduce wiring & h/w
ARINC-629 ASICs & coupler very expensive
SAE Avionics Systems Div.: 2 Gbit/s
serial/parallel databus initiative Unified Network
Interconnect, based on IEEE SCI
NASA/Industry AGATE initiative: ECHELON
databus

new, simpler, affordable backplane bus:


ARINC-659 h/w and ARINC-650 connectors
very expensive
ref.: C. Adams: Emerging Databus Standards, Avionics Magazine, March 96, pp. 18-25
ref.: K. Hoyme, K. Driscoll: SAFEbusTM, Proc. 11th DASC, pp. 68-72
ref.: Automated cockpits special report - Part 1 & 2, Aviation Week & Space Technology, Jan 30 95, pp. 52-65, Feb. 6 95, pp. 48-55

Future ........ (cont'd)

improved human factors (safety)


open standard LRMs, LRM BFE?
electrical power: 270 Vdc, Vac, battery backup?
HOL source code ownership?
more electric aircraft ? (e.g., development of powerful rare-earth PM motors)
full-time APUs (much higher APU rel., APU bleed-air more efficient engines)
new processor architectures (e.g., wormhole computer?)
??

Future ........ (cont'd)

[Figure: aircraft functions grouped by domain]
Avionics: FMS, AP/AT, Perf Mgt, CNS Radios, Comm Mgt, Displays, Data Concentr., Air Data & Inertial Ref, On-Board Maint, Condition Mon., Flight Warning, Flight Safety (FDR, CVR, TCAS, GPWS, WX)
Environmental Control: Bleed Air, Bleed Leak Det, Avionics Cooling, Cargo Fire Prot, Eng. Fire Prot, Smoke Detect, Anti-Ice, Cabin Air (pressure, conditioning)
Electrical: Elec Pwr Gen, Elec Pwr Distr, Load Mgt, Windshld Heat, DC sensors, Lighting (external, flight deck, cabin)
Propulsion: Engine Control, Thermal Mgt, Thrust Reverse, Fuel Control, APU Control
Payload: Pax Comm., Pax Entertain., Cargo Handling, Potable Water, Lavs & Waste, Galley, Escape System, Oxygen
Flight Control: PFCS, SFCS, AFS
Hydro-Mechanical: Hyd Supply, Control Surface Actuation, Landing Gears, Steering, Brakes

6-7 IMAs + remotes

System Complexity and Size - trends -

[Figure, two panels plotted against year.
System Complexity: total airplane signal interfaces (digital words / labels & analog), axis 0 to 150 k, 1970 to 1990; points labelled 747-200, 757/767-200, 747-400, 777-200.
System Size: installed software, axis 0 to 100 MB, 1970 to 1995; points labelled Apollo, 747-200, 757/767-200, A310, A320, 747-400, A330/340, 777-200; annotations: "2x every 2 years", "> 2M SLOCs", "partially driven by Ada req't"]

ref.: P. Gartz: Systems Engineering, tutorial at 13th & 14th DASC, Boston/MA, Nov. 1995; ref.: Airbus Industries (pers. conv.)
ref.: P. Gartz: Trends in avionics systems architecture, presented at 9th DASC, Virginia Beach/VA, Oct. 90, 23 pp.
ref.: P. Pelton, K. Scarborough.: Systems Engineering Experiences from the 777 AIMS program, proc. 14th AIAA/IEEE DASC, Boston/MA, Nov. 1995

System complexity - trends -

[Figure: total airplane signal interfaces (digital words / labels & analog) versus year, 1970 to 1990, axis 0 to 150k; points labelled 747-200, 757/767-200, 747-400, 777-200]

ref.: P. Gartz: Systems Engineering, tutorial at 13th & 14th DASC, Boston/MA, Nov. 1995; ref.: Airbus Industries (pers. conv.)
ref.: P. Gartz: Trends in avionics systems architecture, presented at 9th DASC, Virginia Beach/VA, Oct. 90, 23 pp.
ref.: P. Pelton, K. Scarborough.: Systems Engineering Experiences from the 777 AIMS program, proc. 14th AIAA/IEEE DASC, Boston/MA, Nov. 1995

System size - trends -

[Figure: installed software size versus year, 1970 to 1990, axis 0 to 100 MB; points labelled Apollo, 747-200, 757/767-200, A310, 747-400, A320, A330/340, 777-200; annotations: "2x every 2 years", "partially driven by Ada req."]

ref.: P. Gartz: Systems Engineering, tutorial at 13th & 14th DASC, Boston/MA, Nov. 1995; ref.: Airbus Industries (pers. conv.)
ref.: P. Gartz: Trends in avionics systems architecture, presented at 9th DASC, Virginia Beach/VA, Oct. 90, 23 pp.
ref.: P. Pelton, K. Scarborough.: Systems Engineering Experiences from the 777 AIMS program, proc. 14th AIAA/IEEE DASC, Boston/MA, Nov. 1995

Software Size - example: 777-200


[Figure: bar chart of Source Lines of Code (kSLOCs) per system, excl. BFE equipment; total: 2.1 MSLOCs; bar values 490, 415, 377, 278, 230, 168, 126, 49, 30; annotation: combined Elec/Mech 634k > AIMS]

- mech/elec systems SLOC combined is larger than AIMS -

source: BCAG

System Complexity and Size

Typical large jetliner:


8,000 inputs & outputs
these I/Os interface to 700 peripheral units
at various parts of the aircraft
90 different avionics units
160 microprocessors ( 8 types)
adding/changing of avionics is complicated &
expensive
many flight-deck switches & controls
(e.g., 250 on 747-400, down from 900 on 747-200)

source: Airbus Industries

Avionics interconnection system*


* exc. main power feeds
Example: Boeing 747
some 1,500 circuit breakers
200,000 individually marked lengths of cable
total 225 km (140 miles)
400,000 connections
14,000 connectors
3,000 splices
35,000 ring terminals
over 1,000,000 individual parts
system accounts for 10% of a/c price tag
ref.: A. Emmings: Wire power, British Airways World Engineering, Iss. 8, July/Aug. 95, pp. 40-43

Extrapolation ......
Given:
777 processing power equivalent to
1,000 x 486
Assuming:
Moore's Law (2x every 18 months)
Hence:
single-processor 777 within 15 years....

Computers in the future may weigh no more than 1.5 tons


Popular Mechanics magazine, 1949
- forecasting the wonders of modern technology -
13

ref.: Gordon Moore, 1966, on performance, complexity, and number of transistors per

Enabling technologies

Components
Architectures
Communication
Design / development processes

- bottom line: technology, people, processes -



Enabling technologies
- components -

integration (incl. RF)


miniaturization, high-density packaging,
improved chip-to-package size efficiency
(Multi Chip Module, Chip-On-Board, Flip-Chip,
Chip-Scale- Package, 3-D stacking, etc.)
high temperature electronics (HTE, e.g. SiC)
fault-tolerant electronics (FTE), chip-level
redundancy
chip & inter-chip BIT
ref.: G. Derman: Interconnects & Packaging - Part 1: Chip-Scale Packages, EE Times, 26 Feb. 96, pp. 41,70-72
ref.: T. DiStefano, R. Marrs: Building on the surface-mount infrastructure, EE Times, 26 Feb. 96, pp. 49
ref.: HITEN (High Temp. Electronics Network): Aerospace applications of High Temperature Electronics, 13 May 96, http://www.hiten.com/hiten/categories/aero
ref.: S. Birch: The hot issue of aerospace electronics, SAE Aerospace Engineering, July 95, pp. 4-6
ref.: J.A. Sparks: High temperature electronics for aerospace applications, proc. ERA Avionics Conf., London, Nov./Dec. 94, pp. 8.2.1-8.2.5

Enabling technologies
- components -
MCMs:
reduced size, increased performance
low inductive/capacitive parasitics
lower supply noise & ground bounce
very expensive (mfg & test)
3-D stacking (e.g., memory) poses thermal problems
military niche market for time being

[Figure: two board cross-sections: thru-hole device, MCM substrate and SMT device on a PCB; thru-hole device, MCM and SMT device on a PCB]

ref.: J.H. Mayer: Pieces fall into place for MCMs, Military & Aerospace Electronics, 20 March 96, pp. 20-
Enabling technologies
- drivers for high-volume = low-cost components -
(mobile) PC and Com industry :
circuit integration & packaging
PC-Card: highest density PCB technology (PCMCIA)

powerful general-purpose processors


Automotive industry:
high temperature electronics
coming: ruggedized laptop LCDs *
(temp/vibe/sunlight environment similar to aviation application)

* there is no reason why (smart) Display Units cannot be reduced to the size of notebook PC

Electronics evolution


Enabling technologies
- design / development -

Integration causes a shift in responsibilities:


component suppliers → circuit integrators
hardware designers → chip/module integrators
avionics suppliers → system integrators

Examples of integration at component level

processor modules
power supply modules
RF modules
I/O modules


Example: PC mother-board in a module

Cardio-486, 5/96
486DX2/DX4
25-100 MHz
up to 32 MB RAM
up to 4 MB Flash
512 kB VRAM
256 kB BIOS ROM
LCD/RGB SVGA
IDE Hard/Floppy Dr
Keyboard ctlr
Power Mgt
236-pin connector

Complete 486 PC AT with PC-card form factor (frmr PCMCIA): 5.4 cm (2 1/8 in.) x 8.5 cm (3 3/8 in.)

photo: courtesy Seiko/Epson via S-MOS Systems Inc, San Jose/CA

Example: integrated power supply modules


28 → 5 Vdc/dc converter (100 W)
photo: courtesy Analog Devices, Norwood/MA, 1996
ADDC02805S

3.8 cm
(1 in.)

7 cm (2 3/4 in.)

ref.: D. Maliniak: Modular dc-dc converter sends power density soaring, Electronic Design, Aug. 21 95, pp. 59-

Example: integrated X-band power module

Texas Instruments transmitter module

6x HFET MMIC @ 12 W > 30% PAE (9.5-9.9 GHz) waveguide output


13 dB gain built-in modulator MTBF > 400k hrs
400 MHz bandw. built-in gate regulator 6.5 x 3.8 x 0.5 cm (2 x 1.1 x 0.2 in.)

ref.: J. Sweder et al.: Compact, reliable 70-watt X-band power module with greater than 30-percent PAE, proc. MTT symposium, June 1996

Example: integrated discrete-to-digital interface

DD-03201

Inputs:
96 non-redundant, or
32 triplex inputs
Configurable:
28V/Open
28V/Gnd, or
Open/Gnd
Interface:
µP or
A429 output
Programmable debounce
BIST
MTBF @ 64 C, est.:
270,000 hrs (96 in)
333,000 hrs (32 in)
Size: 2.8x2.8 cm (1.1 x 1.1)

ref.: DDC (ILC Data Device Corp.) databook 1996

Cold-Cathode Field Emission Displays (FEDs)


[Figure: cross-section of an individual pixel with red, green and blue sub-pixels. Labels: anode, glass face plate, indium-tin-oxide layer, red phosphor, green phosphor, blue phosphor, gate row line (+), resistive layer, cathode, cathode conductor, glass, column line, microtips]

- CRT performance & image quality in low-power flat-panel display -


(emerging challenge to AM-LCDs?)
ref.: FED up with LCDs?, Portable Design, March 96, pp. 20-25

PCMCIA vs. AIMS Avionics Cabinet

AIMS:
47x18x9.6
111 lbs

PCMCIA:
6.5x4.5x3.0
2 lbs


Enabling technologies
- component integration issues -

more components become complex* (not 100% analyzable or 100% testable)
* not necessarily high gate count

hardware-near-software
must apply design assurance to devices & tools, as already req'd for software (DO-178); but who will do this for COTS?

ref.: RTCA DO-180


ref.: BCAG: "777 Application Specific Integrated Circuits (ASIC) Certification Guideline," Boeing Doc. 18W001; also: RTCA Paper No. 535-93/SC180-11, December 1993
ref.: Honeywell Commercial Flight Systems: "ASIC Development and Verification Guidelines," Honeywell Spec. DS61232-01 Rev A, January 1993; also: RTCA Paper No. 536-93/SC180-12
ref.: Harrison, L.H., Saraceni, P.J.: "Certification Issues for Complex Digital Hardware," Proc. 13th AIAA/IEEE DASC, Phoenix/AZ, Nov. 1994, pp. 216-220

Enabling technologies
- architectures -

dynamic resource allocation

move away from brute force redundancy

scalable redundancy (GenAv AT)

partitioning


Resource Partitioning
- part of system architecture and safety strategy -

Physical and logical organization of a system such that:


a partition does not contaminate another's data & code storage areas, or I/O
failure of a resource that is shared by multiple partitions does not affect flight safety
failure of a dedicated partition-resource does not cause adverse effects in any other partition
failure of a partition does not reduce the timely access to shared resources by other partitions

- architectural means for providing isolation of functionally independent resources, for fault containment & isolation, and potential reduction of verification effort -
ref.: RTCA DO-178, DO-180

Resource Partitioning (cont'd)

Partitions cannot be trusted:
an independent protection mechanism must be provided against breaches of partitioning
all failures of the protection mechanism must be detectable
Advantages of partitioning:
provides an effective means to meet safety req's
maximizes ability to detect & contain errors/faults
allows partitions to be updated & certified separately
allows re-V&V to be limited to changed partition
allows incremental & parallel design, test, integration
supports cost-effective development, cert., maint., updates
allows mixed-criticality (not within same partition!)
provides flexibility in responding to evolving system req's
ref.: M.J. Morgan: Integrated modular avionics for next-generation commercial airplanes, IEEE AES Magazine, Vol. 6, No. 9, Aug. 91, pp. 9-12

Enabling technologies
- communication -

fiber-optic communication (incl. on-chip)


low(er) cost multi-directional databus
air-ground, air-air

ref.: M. Paydar: Air-ground data links offer operational benefits as well as new possibilities, ICAO Journal, May 1997, pp.13-15

Enabling technologies
- design / development -

capturing complete set of validated req's
software auto-code
software V&V
hardware V&V (DO-180: hardware-near-software, complex hardware)
EMI/Lightning certification
re-use
ref.: NATO AGARD Advisory Report 274: Validation of flight critical control systems, Dec. 91, 91 pp., ISBN 92-835-0650-2

Enabling technologies
- design / development -
[Figure: Influence on Outcome (High, Medium, Low) and Cost to Fix Problems (1, 10, 100, 1,000, 10,000) plotted across the phases Requirements; Design, Development, Test; Production & Deployment]

- it clearly pays to do the right thing up front* -
* but plan for inevitable need to correct/change req's, as insight into the need and the best solution grows during development (and customer changes its mind)

ref.: Port, O., Schiller, Z., King, R.W.: A smarter way to manufacture, Business Week, April 30, 1990, pp. 110-117

Enabling technologies
- design & development -

Equivalent            Percentage of     Return-on-Sales p.a.   Sales Growth p.a.
Maturity Level        Surveyed firms    1987-1991              1987-1991
World Class - 3       17                9.3%                   16%
Structured - 2        36                6.7%                   8.1%
Defined - 1           52                4.7%                   7.3%
Undefined - 0         36                0.5%                   5.1%
(141 companies total)                   Sample Average 4%      Sample Average 8%

- business performance is linked to engineering maturity level -

ref.: Excellence in quality management, McKinsey & Co., Inc., 1992
ref.: Dion, R.: Process improvement and the corporate balance sheet, IEEE Software, Vol. 10, No. 4, July 1993, pp. 28-35

Enabling technologies

s/w 2/3 of system development cost: prime area for improvement
systems engineering to provide req's set:
F3I, performance (inc. timing), technology, etc.
complete, validated, traceable, consistent, unambiguous
eliminate errors via (V&V-ed) autocode
standard libraries of software modules (re-use)
automated V&V tools

- certified software is too expensive -

ref.: EIA Interim Std 632 Systems Engineering, Dec. 1994
ref.: IEEE 1220 Std for Appl. and Mgt of the Systems Engineering Process, Dec. 1994

Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning.

Rich Cook, comedian

BIBLIOGRAPHY

BOOKS

F.J. Redmill (ed.): Dependability of critical computer systems - 1, 1988, 292 pp., ITP Publ., ISBN 1-85166-203-0
D.P. Siewiorek, R.S. Swarz (eds.): Reliable computer systems, 2nd ed., Digital Press, 92, 908 pp., ISBN 1-55558-075-0
M.R. Lyu (ed.): Software fault tolerance, Wiley & Sons, 95, 337 pp., ISBN 0-471-95068-8
B.W. Johnson: Design and analysis of fault tolerant systems, Addison-Wesley, 89, 584 pp., ISBN 0-201-07570-9
25th Anniversary Compendium of Papers from Symposium on Fault Tolerant Computing, IEEE Comp. Society Press, 96, 300 pp., ISBN 0-8186-7150-5
N. Suri, C.J. Walter, M.M. Hugue (eds.): Advances in ultra-reliable distributed systems, IEEE Comp. Society Press, 95, 476 pp., ISBN 0-8186-6287
M. Pecht (ed.): Product reliability, maintainability, and supportability handbook, CRC Press, 95, 413 pp., ISBN 0-8493-9457-0
H.E Roland, B. Moriarty: System safety engineering and management, 2nd ed., Wiley & Sons, 90, 367 pp., ISBN 0-471-61816-0
G.L. Fuller: "Understanding HIRF - High Intensity Radiated Fields," publ. by Avionics Communications, Inc., Leesburg, VA, 1995, 123 pp., ISBN 1-885544-05-7
J. Curran: Trends in advanced avionics, Iowa State Univ. Press, 92, 189 pp., ISBN 0-8138-0749-2
J.R. Newport: Avionic system design, CRC Press, 94, 332 pp., ISBN 0-8493-2465-3
C.R. Spitzer: Digital Avionics Systems - Principles and Practices, 2nd ed., McGraw-Hill, 93, 277 pp., ISBN 0-07-060333-2
I.C. Pyle: Developing safety systems - a guide using Ada, Prentice Hall, 91, 254 pp., ISBN 0-13-204298-3
E.T. Raymond, C.C. Chenoweth: Aircraft flight control actuation system design, SAE, 93, 270 pp., ISBN 1-56091-376-2
D.T. McRuer, D.E. Johnson: Flight control systems: properties and problems - Vol. 1 & 2, 165 pp. & 145 pp., NASA CR-2500 & -2501
D. McRuer, I. Ashkenas, D. Graham: Aircraft dynamics and automatic control, Princeton Univ. Press, 73, 784 pp., ISBN 0-691-08083-6
J. Roskam: Airplane flight dynamics and automatic flight controls - Part 1 & 2, Roskam A&E Corp., 1388 pp., Library of Congress Card No. 78-31382
NATO Advisory Group for Aerospace R&D : AGARD Advisory Report 274 - Validation of Flight Critical Control Systems, dec. 91, 126 pp., ISBN 92-835-0650-2
C.A. Clarke, W.E. Larsen: Aircraft Electromagnetic Compatibility, feb. 85, 155 pp., DOT/FAA/CT-88/10; same as Chapter 11 of Digital Systems Validation Handbook Vol. II
R.A. Sahner, K.S. Trivedi, A. Puliafito: Performance and reliability analysis of computer systems, Kluwer Academic Publ., 1995, ISBN 0-7923-9650-2
E.L. Wiener, D.C. Nagel (eds.): Human factors in aviation, Academic Press, 1988, 684 pp., ISBN 0-12-750031-6

Reliability Analysis Center (RAC) of the DoD Information Analysis Center (1-800-526-4802):
The Reliability Sourcebook 'How and Where to Obtain R&M Data and Information', RAC Order Code: RDSC-2, periodic updates
Practical Statistical Analysis for the Reliability Engineer, RAC Order Code: SOAR-2
RAC Thermal Management Guidebook, RAC Order Code: RTMG
Developing Reliability Goals/Requirements, October 1996, 34 pp., RAC Order Code: RBPR-2
Designing for Reliability, October 1996, 74 pp., RAC Order Code: RBPR-3
Measuring Product Reliability, September 1996, 47 pp., RAC Order Code: RBPR-5
Reliability Toolkit: Commercial Practices, RAC Order Code: CPE
Fault Tree Analysis Application Guide, RAC Order Code: FTA
Failure Mode, Effects and Criticality Analysis, RAC Order Code: FMECA



ARTICLES (referenced in presentation slides)

A.D. Welliver: Higher-order technology: adding value to an airplane, Boeing publ., presented to Royal Aeronautical Society, London, Nov. 1991
Anon.: Is new technology friend or foe? editorial, Aerospace World, April 1992, pp. 33-35
B. Fitzsimmons: Better value from integrated avionics? Interavia Aerospace World, Aug. 1993, pp. 32-36
ICARUS Committee: The dollars and sense of risk management and airline safety, Flight Safety Digest, Dec. 94, pp. 1-6
P. Parry: Who'll survive in the aerospace supply sector?, Interavia, March 94, pp. 22-24
R. Ropelewski, M. Taverna: What drives the development of new avionics?, Interavia, Dec. 94, pp. 14-18, Jan. 95, pp. 17-18
A. Smith: Cost and benefits of implementing the new CNS/ATM systems, ICAO Journal, Jan/Feb 96, pp. 12-15, 24
K. O'Toole: Cycles in the sky, Flight Intl, 3-9 July 1996, p. 24
C.A. Shifrin: FAA paints upbeat air travel picture, AW&ST, March 11 96, pp. 30-31
J. Moxon: Outrageous ATC charges anger European regional, Flight Intl, 23-29 Oct 1996, p. 12
P. Condom: Is outsourcing the winning solution? Interavia Aerospace World, Aug. 1993, pp. 34-36
Anon.: The guide to airline costs, Aircraft Technology Engineering & Maintenance, Oct/Nov 95, pp. 50-58
C.T. Leonard: How mechanical engineering issues affect avionics design, Proc. IEEE NAECON, Dayton/OH, 89, pp. 2043-2049
B. Rankin, J. Allen: Maintenance Error Decision Aid, Boeing Airliner, April-June 96, pp. 20-27
P. Gartz, Systems Engineering, tutorial at 13th & 14th AIAA/IEEE DASC
C. Spitzer, Digital Avionics - an International Perspective, IEEE AES Magazine, Vol. 27, No. 1, Jan. 92, pp. 44-45
T.H. Robinson , R. Farmer, E. Trujillo: Integrated Processing, presented at 14th AIAA/IEEE DASC, Boston/MA, Nov. 1995
L.J. Yount, K.A. Kiebel, B.H. Hill: Fault effect protection and partitioning for fly-by-wire/fly-by-light avionics systems, Proc. 5th AIAA/IEEE Computers in Aerospace Conf., Long Beach/CA, 85, 10 pp.
D. Prasad, J. McDermid, I. Wand: Dependability terminology: similarities and differences, IEEE AES Magazine, Jan. 96, pp. 14-20
A. Avizienis, J.-C. Laprie: Dependable computing: from concepts to design diversity, Proc. of the IEEE, Vol. 74, No. 5, May 86, pp. 629-638
J.H. Lala, R. Harper: Architectural principles for safety-critical real-time applications, Proc. of the IEEE, Vol. 82, No. 1, Jan. 94, pp. 25-40
J.-C. Laprie, J. Arlat, C. Beounes, K. Kanoun, C. Hourtolle: Hardware- and software-fault tolerance: definition and analysis of architectural solutions, Proc. 17th Symp. on Fault Tolerant Computing, Pittsburg/PA, July 87, pp. 116-21
J.F. Meredith: "Fault Tolerance as a Means of Achieving Extended Maintenance Operation," Proc. 1994 ERA Avionics Conf. and Exhib. "Systems Integration - is the sky the limit?", London, Nov./Dec. 1994, pp. 11.8.1-11.8.9, ERA Report 94-0973
F. Wang, K. Ramamritham: Determining the redundancy levels for fault tolerant real-time systems, IEEE Trans. on Computers, Vol. 44, No. 2, Feb. 95, pp. 292-301
P.S. Babcock: "An introduction to reliability modeling of fault-tolerant systems," Charles Stark Draper Lab. Report CSDL-R-1899
J. Rushby: Critical system properties: survey and taxonomy, Reliability Engineering and System Safety, Vol. 43, 1994, pp. 189-219
M. McElvany Hugue: Fault Type Enumeration and Classification, ONR-910915-MCM-TR9105, 26 pp.
J.B. Bowles: A survey of reliability-prediction procedures for microelectronic devices, IEEE Trans. on Reliability, Vol. 41, No. 1, March 92, pp. 2-12
S.F. Morris: Use and Application of MIL-HDBK-217, J. of the IES, Nov/Dec 90, pp. 40-46
D. McRuer, D. Graham: Eighty years of flight control: Triumphs and Pitfalls of the Systems Approach, J. Guidance and Control, Vol. 4, No. 4, Jul/Aug 81, pp. 353-362
R.W. Butler, G.B. Finelli: The infeasibility of Quantifying the Reliability of Life-Critical Real-Time Software, IEEE Trans. on Software Engineering, Vol. SE-19, No. 1, Jan. 93, pp. 3-12
P. Seidenman, D. Spanovich: Building a better black box, Aviation Equipment Maintenance, Feb. 95, pp. 34-36
M. Doring: Measuring the cost of dependability, Boeing Airliner Magazine, July-Sept 1994, pp. 21-25
D. Galler, G. Slenski: Causes of electrical failures, IEEE AES Systems Magazine, Aug. 91, pp. 3-8
P. Gartz: Trends in avionics systems architecture, presented at the 9th DASC, Virginia Beach/VA, Oct. 90, 23 pp.
M. Lambert: Maintenance-free avionics offered to airlines, Interavia, Oct. 88, pp. 1088-1089



M.L. Shooman: "A study of occurrence rates of EMI to aircraft with a focus on HIRF," Proc. 12th DASC, Seattle/WA, October 1993, pp. 191-194
W. Reynish: Three systems, One standard?, Avionics Magazine, Sept. 95, pp. 26-28
D. Hughes: USAF, GEC-Marconi test ILS/MLS/GPS receiver, AW&ST, Dec. 4 95, pp. 96
R.S. Prill, R. Minarik: Programmable digital radio common module prototype, Proc. 13th DASC, Phoenix/AZ, Nov. 94, pp. 563-567
B.D. Nordwall: HIRF threat to digital avionics less than expected, AW&ST, Feb. 14, 94, pp. 52-54
M.J. Morgan: Integrated modular avionics for next-generation commercial aircraft, IEEE AES Systems Magazine, Aug. 91, pp. 9-12
D.C. Hart: A Primer on IMA, Avionics, April 1994, pp. 30-41
D.C. Hart: Integrated Modular Avionics - Part I - V Avionics, May 1991, pp. 28-40, November 1991, pp. 25-29
D. Rollema: German WW II Communications Receivers - Technical Perfection from a Nearby Past, Part 1-3, CQ, Aug/Oct 1980, May 1981
A.O. Bauer: Receiver and transmitter development in Germany 1920-1945, presented at IEE Intl Conf. on 100 Years Radio, London/UK, Sept. 95.
H.-J. Ellissen: Funk- u. Bordsprechanlagen in Pantzerfahrzeugen, Die deutschen Funknachrichtenanlagen bis 1945, Band 3, Molitor Verlag, 91, ISBN-3-928388-01-0
R.J. Stafford: IMA cost and design issues, Proc. ERA Avionics Conf., London/UK, Dec. 92, pp. 1.4.1-1.4.9
P.J. Prisaznuk: Integrated Modular Avionics, proc. IEEE NAECON-92, Dayton/OH, May 1992, pp. 39-45
J.R. Todd: Integrating controls and avionics on commercial aircraft, proc. IEEE NAECON-92, Dayton/OH, May 1992, pp. 46-62
R. Little: Advanced avionics for military needs, Computing & Control Engineering Journal, January 1991, pp. 29-34
R.D. Trowern: Designing an Inflight Entertainment System, Avionics Magazine, Oct. 94, pp. 46-49
D. Hughes, M.A. Dornheim: United DC-10 crash in Sioux City, Iowa, AW&ST, July 24, 89, pp. 96-97
M.A. Dornheim: Throttles land disabled jet, AW&ST, Sept. 4, 95, pp. 26-27
B.T. Devlin, R.D. Girts: MD-11 Automatic Flight System, Proc. 11th DASC, Oct. 92, pp. 174-177; also: IEEE AES Magazine, March 93, pp. 53-56
E. Kolano: Fly by fire, Flight International, Dec. 20, 95, pp. 26-29
G. Norris: Boeing may use propulsion control on 747-500/600X, Flight Intl, 2-8 Oct 96, p. 4
Anon.: Engine nozzle design - a variable feast?, Aircraft Technology Engineering & Maintenance, Oct/Nov 95, pp. 10-11
B. Gal-Or: Civilizing military thrust vectoring flight control, Aerospace America, April 96, pp. 20-21
D. Brière, P. Traverse: Airbus A320/330/340 electrical flight controls - a family of fault tolerant systems, Proc. 23rd FTCS, Toulouse/F, June 93, pp. 616-23
R.J. Bleeg: "Commercial Jet Transport Fly-By-Wire Architecture Considerations," Proc. AIAA/IEEE 8th DASC, San Jose/CA, October 1988, pp. 309-406
R. Reichel: Modular flight control and guidance computer, Proc. 6th ERA Avionics Conf., London/UK, Dec. 92, 9 pp.
K.R. Dilks: Modernization of the Russian Air Traffic Control/ Air Traffic Management System, Journal of Air Traffic Control, Jan/Mar 94, pp. 8-15
V.G. Afanasiev: The business opportunities in Russia: the new Aeroflot - Russian international airlines, presented at 2nd Annual Aerospace-Aviation Executive Symp., Arlington/VA, Nov. 94, 5 pp.
F. Doerenberg, L. LaForge: An Overview of AlliedSignal's Avionics Development in the CIS, IEEE AES Systems Magazine, Feb. 95, pp. 8-12.
S.L. Pelton, K.D. Scarbrough: Boeing systems engineering experiences from the 777 AIMS program, presented at 14th AIAA/IEEE DASC, Boston/MA, Nov. 1995, 10 pp.
D. Parry: Electrical Load Management for the 777, Avionics Magazine, Feb. 95, pp. 36-38
Anon.: Avionics on the Boeing 777, Part 1-11, Airline Avionics, May 94 - June 95
M.D.W. McIntyre, C.A. Gosset: The Boeing 777 fault tolerant air data inertial reference system, Proc. 14th DASC, Boston/MA, Nov. 95, pp. 178-183
G. Bartley: Model 777 primary flight control system, Boeing Airliner Magazine, Oct/Dec 94, pp. 7-17
R.R. Hornish: 777 autopilot flight director system, Proc. 13th DASC, Phoenix/AZ, Nov. 94, pp. 151-156
C.J. Walter, R.M. Kieckhafer, A.M. Finn: MAFT: a Multicomputer Architecture for Fault-Tolerance in Real-Time Control Systems, Proc. IEEE Real Time Systems Symp., San Diego/CA, Dec. 85, 8 pp.
C.J. Walter: MAFT: an architecture for reliable fly-by-wire flight control, proc. 8th DASC, San Jose/CA, Oct. 88, pp. 415-421
L. Lamport, R. Shostak, M. Pease: The Byzantine Generals Problem, ACM Trans. on Programming Languages & Systems, Vol. 4, No. 3, July 82, pp. 382-401
M. Barborak, M. Malek, A. Dahbura: The Consensus Problem in Fault-Tolerant Computing, ACM Computing Surveys, Vol. 25, No. 2, June 93, pp. 171-220
J.A. Donoghue: Toward integrating safety, Air Transport World, Nov. 95, pp. 98-99
D. Carbaugh, S. Cooper: Avoiding Controlled Flight Into Terrain, Boeing Airliner, April-June 96, pp. 1-11
M. Slater: The microprocessor today, IEEE Micro, Dec. 1996, pp. 32-44
D. Hildebrand: Memory protection in embedded systems, Embedded Systems Programming, Dec. 1996, pp. 72-76
D. Esler: Trend monitoring comes of age, Business & Commercial Aviation, July 95, pp. 70-75
C.A. Shifrin: Aviation safety takes center stage worldwide, AW&ST, 4 Nov 96, pp. 46-48
M. Rodriguez, M. Stemig: Evolution of embedded avionics operating systems, presented at 14th AIAA/IEEE DASC, Boston/MA, Nov. 1995
M. Tippins: FMS Moving toward complete integration, Professional Pilot, June 1993, pp. 48-52
F.B. Murphy: A perspective on the Autonomous Airplane operating in the Global Air Transportation System, presented to ICCAIA, Everett/WA, March 1992, 13 slides
J. Townsend: Low-altitude wind shear, and its hazard to aviation, Natl Academy, Washington/DC, 1983
F.M.G. Doerenberg, A. Darwiche: "Application of the Bendix/King Multicomputer Architecture for Fault Tolerance in a Digital Fly-By-Wire Flight Control System," Proc. MIDCON/IEEE Technical Conf., Dallas, TX, Aug.-Sept. 1988, pp. 267-272
L.H. Harrison, P.J. Saraceni: "Certification Issues for Complex Digital Hardware," Proc. 13th DASC, Phoenix/AZ, November 1994, pp. 216-220
V. Riley: "What avionics engineers should know about pilots and automation," Proc. AIAA/IEEE 14th DASC, Boston/MA, November 1995, pp. 252-257
R.W. Morris: "Increasing Avionic BIT Coverage Increases False Alarms," SAE Communications in Reliability, Maintainability, and Supportability, Vol. 1, No. 2, July 1994, pp. 3-8
A. Gerold: The Federal Radionavigation Plan, Avionics Magazine, May 96, pp. 34-35
Anon.: Enhanced situation awareness technology for retrofit and advanced cockpit design, Proc. Human Behavior Conf. at AEROTECH 92, SAE Publ, No. SP-933, 191 pp.
Anon.: Industrial-strength formal specification techniques, Proc. IEEE Workshop, Boca Raton/FL, April 95, IEEE Computer Society Press, 172 pp., ISBN 0-8186-7005-3
Anon.: Automated cockpits special report, Aviation Week & Space Technology, Part 1 (Jan. 30, 95, pp. 56-65), Part 2 (Feb. 6, 95, pp. 48-55)
E.E. Rydell: Avionics backbone interconnection for busing in the backplane: advantages of serial busing, Proc. 13th DASC, Phoenix, AZ, Nov. 1994, pp. 17-22
M. Rodriguez, M. Stemig: Evolution of embedded avionics operating systems, presented at DASC-95, Boston/MA, Nov. 95, 5 pp.
P. Parry, C. Vincenti-Brown: Window to the 21st century, World Aerospace Development 1995, 41st Paris Airshow, Cornhill Publ., pp. 27-33, ISBN 1-85938-0409
G. Stix: "Toward 'point One' - Trends in Semiconductor Manufacturing," Scientific American, February 1995, pp. 90-95
G.D. Hutcheson, J.D. Hutcheson: "Technology and Economics in the Semiconductor Industry," Scientific American, January 1996, pp. 54-62
C. Adams: Emerging Databus Standards, Avionics Magazine, March 96, pp. 18-25
K. Hoyme, K. Driscoll: SAFEbus™, Proc. 11th DASC, pp. 68-72
A. Emmings: Wire power, British Airways World Engineering, Iss. 8, July/Aug. 95, pp. 40-43
G. Derman: Interconnects & Packaging - Part 1: Chip-Scale Packages, EE Times, 26 Feb. 96, pp. 41,70-72
T. DiStefano, R. Marrs: Building on the surface-mount infrastructure, EE Times, 26 Feb. 96, pp. 49
S. Birch: The hot issue of aerospace electronics, SAE Aerospace Engineering, July 95, pp. 4-6
J.A. Sparks: High temperature electronics for aerospace applications, proc. ERA Avionics Conf., London/UK, Nov./Dec. 94, pp. 8.2.1-8.2.5
J.H. Mayer: Pieces fall into place for MCMs, Military & Aerospace Electronics, 20 March 96, pp. 20-22
D. Maliniak: Modular dc-dc converter sends power density soaring, Electronic Design, Aug. 21 95, pp. 59-63
J. Sweder, et al.: Compact, reliable 70-Watt X-band power module with greater than 30-percent PAE
Anon.: FED up with LCDs?, Portable Design, March 96, pp. 20-25
K. Sewel: FED technology threatens LCD in flat-panel race, Military & Aerospace Electronics, Dec. 1996, p. 19
BCAG: "777 Application Specific Integrated Circuits (ASIC) Certification Guideline," Boeing Doc. 18W001; also: RTCA Paper No. 535-93/SC180-11, December 1993
Honeywell Commercial Flight Systems: "ASIC Development and Verification Guidelines," Honeywell Spec. DS61232-01 Rev A, January 1993; also: RTCA Paper No. 536-93/SC180-12
O. Port, Z. Schiller, R.W. King: A smarter way to manufacture, Business Week, April 30, 1990, pp. 110-117
R. Dion: Process improvement and the corporate balance sheet, IEEE Software, Vol. 10, No. 4, July 1993, pp. 28-35

SAE 4761: Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment, Dec. 1996
ARINC 650: IMA Packaging and Interfaces
ARINC 652: Guidance for Avionics Software Management
ARINC 653: Standard Application Software Environment for IMA
ARINC 659: Backplane Data Bus
ARINC 629: Multi-Transmitter Data Bus
ARINC-754/755: (analog/digital MMR), ARINC-756 (GNLU)
