A320 Glass Cockpit Software Download
It is based on the Boeing Airplane Operations Manual and is as close as possible to the real aircraft. It is designed to work on 1920X1080 monitors but should stretch to other sizes. It includes a full instruction manual and also cockpit sounds. There is a virtual cockpit which works on the Thomas Ruth model only. Please read instructions.
Presentation on theme: 'FOR0383 Software Quality Assurance Lecture 5 Airbus A320/A330/A340/... '— Presentation transcript:
1 Lecture 5 Airbus A320/A330/A340/... www.airbus.com
FOR0383 Software Quality Assurance
Lecture 5
Airbus A320/A330/A340/...
A success story, but nothing is perfect
Dr Andy Brooks
2 “glass cockpit”, fly-by-wire
The JAA (Joint Aviation Authorities) issued the type certificate for the A320 on 26 February. The A320 was the first civil aircraft equipped with a digital electrical flight control system. The first electrical flight control system for a civil aircraft was installed on Concorde, but that was an analog system.
3 Success of Airbus
“Airbus is one of the world's leading aircraft manufacturers, and it consistently captures approximately half or more of all orders for airliners with more than 100 seats.” (downloaded 14-Jan-09)
“Airbus has shipped 3,594 A318/A319/A320/A321s since its certification/first delivery in early 1988, with another 2,703 on firm order (31 August 2008).[17] Boeing has shipped 5, s since late 1967, with 4,374 of those deliveries since 1988, and has a further 2,191 on firm order (30 April 2008).[18] Based on figures since 1988 when they first entered direct competition, Airbus delivered on average 174 A320 series aircraft per annum, while on average 208 Boeing 737s were delivered.” (downloaded 14-Jan-09)
4 Flight Control Surfaces of an A340.
[Figure: pitch, yaw and roll control surfaces, all electrically controlled and hydraulically activated. Labels: flaps (increase lift); slats (stall prevention); spoilers (reduce lift); elevators (pitch up or down); ailerons (bank left or right); rudder (rotate about vertical axis, also under mechanical control); trimmable horizontal stabilizers (also under mechanical control).]
5 Why fly-by-wire?
Many aircraft accidents involve human error. Fly-by-wire allows for automation of various tasks and improves the interaction between the pilots and the flight controls. As a result, the pilots' workload is reduced and they are less tired.
Fly-by-wire means that flight control software can provide a flight protection envelope which, for example, can prevent pilots from inadvertently stalling the aircraft (by adopting too high an angle of attack) or descending too quickly.
6 Computers (A320)
ELAC (two of): Elevator and Aileron Computers. Thomson-CSF, 6810 microprocessor.
SEC (three of): Spoiler and Elevator Computers. SFENA/Aerospatiale, 80186 microprocessor.
FAC (two of): Rudder control.
Two auto-pilot computers.
The ELACs and SECs were designed and manufactured by different companies so that the system would be tolerant to a design or manufacturing fault.
7 Control and monitoring channels
ELAC and SEC computers each have a control channel and a monitoring channel: these channels can be considered as two different and independent computers.
If the output commands of the control and monitoring channels don't agree within a pre-determined threshold, the links between the computer and the exterior are cut.
A disagreement must persist for a sufficiently long period of time before it is considered a failure.
Detection parameters are wide enough to avoid unwanted disconnections, but tight enough to avoid undetected failures.
8 Distributed system functions
System function is distributed between the ELAC and SEC computers.
For any particular function, one computer is active while the others act as hot backups.
In a 1993 article, the switch to the hot backup is said to involve a 'limited jerk' on the control surfaces.
If ELAC2 fails, ELAC1 takes over. If ELAC1 fails, SEC2 takes over. If SEC2 fails, another SEC takes over.
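The disagreement detection of slide 7 and the takeover order of slide 8, combined in a small simulation. This is an added example, not code from the lecture or from Airbus. The threshold, the confirmation count, the sample frames and the order of SEC1/SEC3 after SEC2 are assumptions, since the slides give no values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed values: the slides give no threshold or confirmation time. */
#define THRESHOLD      2.0  /* max tolerated |COM - MON| */
#define CONFIRM_FRAMES 3    /* consecutive disagreeing frames before failure */
/* Takeover order from slide 8; the SEC1/SEC3 order is assumed. */
enum { ELAC2, ELAC1, SEC2, SEC1, SEC3, N_COMPUTERS };

typedef struct { int disagree; bool failed; } Computer;

/* One frame of control (com) vs monitoring (mon) output; true once latched failed. */
bool compare_channels(Computer *c, double com, double mon)
{
    double d = com > mon ? com - mon : mon - com;
    if (c->failed) return true;            /* latched: links stay cut */
    if (d > THRESHOLD) {
        if (++c->disagree >= CONFIRM_FRAMES) c->failed = true;
    } else {
        c->disagree = 0;                   /* transient: reset the counter */
    }
    return c->failed;
}

/* First healthy computer in takeover order, or -1 if none is left. */
int active_computer(const Computer cs[])
{
    for (int i = 0; i < N_COMPUTERS; i++)
        if (!cs[i].failed) return i;
    return -1;
}

/* Constructed (com, mon) frames: a 2-frame glitch and a 3-frame fault. */
static const double GLITCH[5][2] = {{10,10.1},{10,15},{10,15.2},{10,10},{10,14.9}};
static const double FAULT[5][2]  = {{10,10.1},{10,15},{10,15.2},{10,15.1},{10,10}};

/* Feed the same frames to the first k computers in takeover order. */
int simulate(const double f[][2], int n, int k)
{
    Computer cs[N_COMPUTERS] = {0};
    for (int c = 0; c < k; c++)
        for (int i = 0; i < n; i++)
            compare_channels(&cs[c], f[i][0], f[i][1]);
    return active_computer(cs);
}

int main(void)
{
    printf("%d %d %d\n", simulate(GLITCH, 5, 1), simulate(FAULT, 5, 1), simulate(FAULT, 5, 2));
}
```

The glitch resets the counter before it reaches the confirmation count, so ELAC2 stays active; the persistent fault latches it out even though the final frame agrees again.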
9 N-version programming
Each channel of each ELAC and SEC computer was separately programmed, resulting in 4 versions of the software.
N-version programming reduces the risk of a common error which could cause control surface runaway (control and monitoring channels incorrectly agreeing) or complete shutdown of all the ELAC/SEC computers.
N-version programming is very expensive and is usually only done for safety-critical systems.
10 Software development
DO-178A “Software considerations in airborne systems and equipment certification” standard compliance.
Computer-assisted specification: symbols in the specification had a formal definition and strict interconnection rules.
There was a degree of automated code generation from the computer-assisted specifications.
There was peer review of specifications.
11 Software development
Code modules were tested against specifications.
Black box testing: each module had equivalence classes defined, for example Parameter < 0 (-5), 0 <= Parameter <= 135 (45), Parameter > 135 (142).
The equivalence classes were approved by: the aircraft and equipment manufacturers, the airworthiness authorities, the designers, and quality control.
White box testing: all branches were tested.
[Figure labels: inputs, expected results, actual output.]
Verification: Does the code implement the specification?
12 System testing
Iron-bird tests were performed. All the system equipment was installed and powered as in the actual aircraft.
Flight simulator tests were performed. These tests were sometimes coupled with iron-bird.
Actual test flights were performed with 1000 flight control parameters monitored and recorded.
Validation: Does the system perform in the way expected? “Can the plane be flown safely?”
13 SCADE Suite™ for Safety-Critical Software Development http://www
14 Destruction of part of the aircraft?
The computers were placed at three different locations throughout the aircraft. Links to actuators were run under the floor, overhead, and in the cargo compartment.
15 Complete failure of the automated system?
Mechanical links are retained to the Rudder and the Trimmable Horizontal Stabilisers so that the plane can still be flown in the event of a complete failure of the automated system.
16 Other safety features
There are redundant sensors.
There are redundant actuators.
Safety objectives for the aircraft are met with only 3 of the 5 ELAC/SEC computers running. One computer is sufficient to control the aircraft.
The computers are connected to at least two power sources.
Computers are protected against over-voltages and under-voltages, electromagnetic aggressions, and indirect effects of lightning.
17 Other safety features
There are three hydraulic systems when one is sufficient for aircraft operation.
Software defects can remain hidden for a long time. To protect against latent failure, on energization of the aircraft, each computer runs a self-test and tests its peripherals. Such testing occurs typically once a day.
18 Failure of both ELACs
During one flight both the ELACs failed due to an air conditioning failure and the resultant temperature rise. A component did not meet the specified temperature operating range. There was a successful takeover by the SEC computers.
“AIRBUS A320/A330/A340 Electrical Flight Controls: A Family of Fault-Tolerant Systems” by Dominique Brière and Pascal Traverse, in: The Twenty-Third International Symposium on Fault-Tolerant Computing (FTCS-23), 1993, pp , ©IEEE