Future Architecture of Flight Control Systems

Kristina Ahlstrom & Jan Torin

Chalmers Universify of Technology

ABSTRACT [ 2 ] . More sensor and actuator elements are based on

The development of fault tolerant embedded control
systems such as flight control systems (FCS) are currently
highly specialized and time-consuming. We introduce a
conceptual architecture for the next decade control system
where all control and logic are distributed to a number of
computer nodes locally linked to actuators and connected
via a communication network. In this way, we substantially
reduce the life-cycle cost of embedded systems and attain
scalable fault tolerance.
All fault tolerance is based on redundancy. Our
philosophy is to cover permanent faults with hardware
replication and handle all error processing caused by both
permanent and transient faults with software techniques.
With intelligent nodes and use of inherent redundancy we
introduce a robust and simple fault tolerant system that
utilizes minimum hardware and has bandwidth
requirements of less than 300 kbitsls, which can be met
with an electrical bus. The study is based on an FCS for
JAS 39 Gripen, a multi-role combat aircraft that is
statically unstable a t subsonic speed.
MicroElectronic Mechanical Systems, MEMS, technology
that can be integrated either on the same silicon die or in the
same package as the associated micro-controller. Hence, in the
future, we will see different types of commercial-off-the-shelf
components designed for fault tolerant applications such as fly-
and drive-by-wire systems [3]. One important reason for
adding intelligence to the nodes in a distributed system is to
achieve fault detection with a minimum of hardware. Such
nodes with embedded error detection are extremely valuable in
the design of fault tolerant systems.
A distributed system is inherently suited to be designed with
scalable fault tolerance. Distribution refers to distribution of
computing power and control. Note the distinction in the use of
the term distribution in [4], the communication is distributed
not the control. The goal is to discover the benefits and
disadvantages of distributing thecontrol or computing power.

INTRODUCTION

Traditionally, flight control systems (FCS) are implemented

with a central dependable, fault tolerant computer [ 11 because
the available airborne computers are complex, large, and
expensive. These centralized complex systems are inflexible
and require a great deal of hardware because different failure
rates of FCS components cannot be balanced to the safety
requirements. Fig. 1. Future architecture of FCSs
The evolution of microelectronics will continue to have an
extreme influence on the increase in computer performance, This paper presents a future flight control system concept
and thus, future sensors and actuators will be made intelligent (Figure 1) to be designed with the available technology of next
decade highlighting: flexibility, scalability, low-weight,
predictability, and testability, at less complexity and lower
maintenance costs.
Authors' Current Addwrur:
K.Ahlsrmm and J. To"". DCpamMnl of Campufer Engineering. Chalmers Univenity of An early version of the architecture described was presented
Technology.412 96 GoLenburg, Sweden. at DASC2001 [51. The proposed architecture has completely
Based on a presenlatiun 81 DASC 2WI decentralised control without any central core with minimum
0 ~ ~ ~ ~ , / 8 ~ 8 ~ m z 1IEEE
s i 7 . ~ 0 ~ 2 hardware for certain safety I -reliability requirements and

21
minimum communication requirements. The results are based
on knowledge of the flight control system characteristics of the
JAS 39 Gripen, a multi-role supersonic combat aircraft with
over 15,000 d c accumulated flight hours. Consequently, we
address highly dependable real-time systems and are
convinced that the architecture results are general and can be
applied to other combat and commercial aircrafts, as well as
other embedded control systems, in cars and trains, etc. The
architecture aims to tolerate permanent and transient physical
faults. The architecture presented reuses the software of JAS
39 Gripens FCS and software design faults are, hence, not
addressed in this paper.
GOALS AND OBJECTIVES
An FCS must be designed to continuously provide services
despite internal failures. This is the goal of a fault tolerant
system, and a distributed system is inherently assumed to have
the following features:
Scalability and flexibility. Modularity makes it
possible to scale the system without system
redesign, and distributed autonomous nodes
make it easy to add or change functionality and to
adapt new technologies.
Testability. Inherent decomposition in functional
modules due to decentralized control reduces
communication between nodes and software
complexity, and simplifies verification at module
level. Functional modules also support graceful
- degradation.
Reduced complexity and maintenance costs.
Manageable complexity is gained through
splitting a central control unit into a number of
less complex computer nodes. Several nodes may
be identical, thus achieving a more cost-effective
system.
Commercial-off-the-shelf, COTS. By using
intelligent and autonomic nodes with a
standardized interface, COTS can be used for
hardware as well as already developed software.
Fault tolerance. Distributed fault tolerance
makes it possible to tailor the redundancy
according to reliability requirements and to
implement the fault tolerance at the most suitable
level, in order to minimize the cost of
redundancy. Furthermore, a distributed control
system can be designed to be less sensitive to
battle damage and it is a goal to achieve a system
architecture not dependent on any hardcore.
Communication between the distributed nodes in an FCS is
dominated by continuous signals periodically sampled and
transmitted, well-suited for a time triggered protocol. The
possibility for analyzing timing and dependability is best
served by a broadcast bus topology. The protocol that suits
safety critical, hard real-time applications, such as FCS,
belongs without question to the Multi-master, Time-triggered
family [6]. The predetermined time slots in a time-triggered
communication make it easy to design nodes with a temporal
firewall (by using double time conditions for sending) resulting
in fail-silent bus interfaces. The fault behavior of the bus is thus
simple, Byzantine faults cannot occur and fault tolerance on
system level can be designed, which is a requirement for
meeting safety demands.
Since time-triggered systems are pre-scheduled, there will
be a system cycle that is repeated with a fixed period. This
makes the system, by necessity, cyclic and thus simple to
design it as composable, easy to verify and self-testable.
TASKS AND CRITICAL FAULTS OF
A FLIGHT CONTROL SYSTEM
A stable aircraft (the F-4 Phantom, JA-37 Viggen, and
present commercial airliners) will without assistance from the
FCS, find its own stable flight path. The FCS is used by the
pilot to control the flight of the aircraft in three-dimensional
space. A statically unstable aircraft (JAS 39 Gripen, F-22, or
EuroFighter) does not, by itself, find a stable flight path.
Without artificial stabilization achieved by the FCS, the
aircraft will depart from the intended flight path (i.e., the
aircraft will enter into a set of uncontrollable maneuvers). The
FCS of an unstable aircraft, therefore, has two tasks:
To stabilize the aircraft by constantly balancing it
1.
along its flight path.
2. To execute the pilots commands (basically the same
task as in an FCS in a stable aircraft).
To fulfill task 1, the FCS needs to measure the current flight
path of the aircraft. This is done by use of a number of sensors,
e.g., Accelerometers, Rate Gyros and Angle of Attack I Side
slip sensors. To achieve task 2, the FCS needs only to use the
input from the pilot, the control stick, and pedals. The FCS then
mixes the outputs of the two tasks; stabilization and pilot
command, into one set of commands and moves the control
surfaces accordingly.
JAS 39 Gripen is based on an aerodynamic configuration
statically unstable at subsonic speed and, hence, necessitates
active stabilization. It has seven primary and three secondary
control surfaces that are controlled by the FCS. The present
FCS has three redundant control computers (the Flight Control
Electronic Assembly in Figure 2).
The effect of a failure in the JAS 39 Gripen aircraft is rated
on a 4-degree scale. In this study, essentially critical failures
are .considered in the hardware reliability analysis. The
following situations represent critical system failures:
1. Loss of pitch rate information
 Flight Control System
Fig. 2. Flight control sensors and surfaces of JAS 39 Gripen
2. Loss of roll or pitch stick position
3. Erroneous air data value I information (lossof air data
sensor is not critical, if detected)
4. Any primary control surface uncontrollable and not
streamlining '
5. Two primary control surfaces streamlining (the left
and right canard are treated as one surface)
6. Loss of communication network.
More or less all aircraft, combat or commercial, have
redundancy in the use of primary control surfaces, Le., it is
possible to maneuver and land the aircraft by commanding a
reduced number of primary control surfaces. In the JAS 39
Gripen, this is used in the design of control laws such that one
primary control surface can fail as long as it fails in a safe way,
i.e., the FCS must know when and which control surface fails
and it shall fail by streamlining. (Most other embedded control
systems for cars, and trains, etc. have similar fail-safe
conditions that can be used to reduce hardware redundancy.)
SYSTEM ARCHITECHTW
The physical structure and the minimum number of nodes in
an FCS are given by the necessary basic elements (cockpit,
sensors, control surfaces, engine) connected for functionality.
The functional layout of the JAS 39 Gripen includes 16 nodes.
With distributed sensor and actuator nodes, there are several
choices as to how to allocate the tasks of control laws and logic.
A single computer today can handle all data processing in the
' Each primary conlml svrfase F M OF- in one of rwo modes. me w d mode and me
s k d n i n g &. In n o d made. &e surfaa is controlled by the FCS.a
! smamlining
made. rhe surface i s free 10 follow Ihc d y n a m i c forcer affecting if. In lhir modc. the
/5
flight control system and, in the future, a single chip will be
able to do the same in a fraction of the time necessary today.
Thus, it is not mandatory to allocate the tasks according to
processing load balance. In a future FCS system based on
distributed control, task allocation will be better optimized
according to a minimum bandwidth criterion, which
implements the cheapest and most robust communication
system and reduces the risk of transferring erroneous data
among the nodes.
The minimum bandwidth criterion in our study of Gripen
represents location of all FCS computing locally at each
actuator node. To attain inherent redundancy, we let each local
control node compute not only its own local command, but also
all control commands, giving seven replicas at nearly no
additional cost. The FCS software is duplicated to all seven
actuator nodes.
In addition, maintenance and development costs are
substantially reduced when there are seven identical actuator
nodes instead of seven specialized ones. Furthermore, the
software developed for today's centralized FCS has been
proven usable in this future distributed FCS, as well.
Hardware Redundancy
Extra hardware (nodes) is added to the system mainly as
hardware replication in order to meet the safety requirements
imposed by permanent faults. It is clear that a permanent fault
needs hardware replication in order to be both error recovered
and fault reconfigured, whereas the error detection can be
handled by mechanisms implemented in software, hardware,
or by coding. By minimizing hardware, the life-cycle cost will
be reduced because all hardware adds to system failure rate.
The error processing caused by all types of faults should
mainly be implemented in software [7].
The safety requirements of loss of control are used in the
 estimate considering only permanent faults (all transient faults
are assumed to be recovered) and, second, a pessimistic
estimate considering both permanent and transient faults
(assuming that as soon as only one working replica of a critical
node exists, the next fault, permanent or transient, will cause a
catastrophic failure). The fault rate of any component is
assumed to be constant with respect to time. The fault rate
might be considered conservative for sensors and actuators
taking into account the evolution of MEMS in the next decade.
From the optimistic and pessimistic redundancy
calculations of simplex, duplex, and TMWduplex systems, a
mix configuration is selected. The criteria for selection are to
fulfill the requirements of: I ) not including any single point of
failure; and 2 ) a probability of critical failure not greater than
0.5.10 per flight hours. Thus, because of criterion I), the
sensors and bus must be in duplex, whereas the seven actuator
nodes, one by,each primary control surface, are simplex. This
is possible since the aircraft is still controllable and able to
make safe landings with six of seven primary control surfaces.
In our reliability calculations, an electrical bus is assumed.
The duplicated sensors, the duplicated bus, and the seven
simplex actuators form the minimum hardware configuration
that fulfills the two safety requirements. Altogether, the
distributed FCS has 20 independent computer nodes attached
to a time-triggered multi-master broadcast bus with Time
Division Multiple Access (TDMA) communication.
Interaction between tasks in different nodes is thus fixed in
time and must be pre-scheduled. Each node broadcasts its
messages to other nodes in each TDMA cycle. The two buses
are synchronized and carry the same data.
The configuration meets the requirements with respect to
permanent faults, although the requirements are not fully met
in the pessimistic estimate including transient faults.
Consequently, transient faults must be handled better than in
the pessimistic view; there must be high likelihood that they
will be recovered before another transient is introduced.
Furthermore, design errors (mainly software bugs) either must
be proven not to exist or must be proven to be tolerated with
high coverage by the software.
FAULT HANDLING
The classification of a fault as permanent or transient is
dependent on the fault diagnosis techniques used. In a basically
cyclic system such as FCS, it is convenient to use the following
definition: Thefirst time an error occurs in a redundant system
it is classified as having been caused by a transient fault and
the only action taken is recovery. However, if the error also
occurs in next cycle, the diagnosis will be a permanent fault,
and the defective replica will be declared faulty and a
reconfigurationwith recovery is performed.
Sensor Faults
In order for a fault to be tolerated and handled, it must first
be detected. The distributed intelligent sensor nodes of a future
FCS are assumed to meet a fault detection coverage demand of
at least 99% for both transient and permanent faults. Moreover,
the smart actuator nodes are assumed to improve the coverage
of detecting and locating a faulty sensor value to at least 99.9%
by using the information from all sensors in the system. A fault
in a sensor node can result in either: 1) that the nodes fault
detection mechanism discovers the fault and reports it in its
next broadcast message; or 2 ) that the fault is not detected and a
faulty value is sent at the bus.
Bus Faults
No recovery action is taken in the case of bus faults. The
physical architecture of the buses should be such that neither a
single fault, transient or permanent, nor battle damage will
have an effect on both buses. Thus, in the case of a fault
affecting one of the buses, the duplication guarantees the
system to continue without functional degradation. Fault I error
detection is assured through message synchronization
mechanisms and checksums at all messages. All nodes are
aware of any faults affecting the buses.
The following faults may occur:
Transient fault causing bit errors; detected
- through CRC checksum
Longer intermittent fault destroying a whole
message; detected by synchronization
mechanisms
Permanent fault: the bus is killed, and this is
detected by the synchronization mechanisms.
Considering transient faults at the bus, it might be difficult
to satisfy the assumption that only one bus is affected. Ideally
no redundant signals should be routed close to each other.
However, redundant signals must come together because both
buses are attached to each node and the physical distance at
these pans is limited. If the duplicated sensor values are sent at
different timeslots, or if the synchronous buses are displaced in
time, the actuator node still receives both values from a sensor
in the case of a temporal fault that affects both buses.
Structure of a n Actuator Node
Allocation of tasks under an optimizing criterion of
minimizing the bus traffic load implies that adaptation of
sensor signals, control law computation, adaptation of
references input signals to control surfaces, and loop closure of
the servo actuator for the control surface should all be executed
in the actuator nodes. The output from the control law
computation (Figure 3) are all seven command words, one for
each primary control surface. All seven actuator nodes perform
exactly the same control law computation, but the actuator
node at the left canard, for example, only gives the
corresponding left canard servo command as input to the loop
closure. In addition, the handling of faults I errors from sensors,
buses, and actuators will also be executed in the actuator nodes.
The computer will use data from sources in other nodes of
the system transferred via the FCS bus in order to vote on the
position of the control object (surfaces) of the node. The
 -
._ Computer node
Error processing
r
f
a
C
Fig. 3. Structure of an actuator node (computer, servo, and control surface)
position of the surface is fed together with the position of the
controlled object to the (servo) loop closure, which will be
implemented as a software process in the computer, see Figure
3. Node error and health information would also be generated
and transferred on the FCS bus.
At a transient fault, the node must recover from the error and
continue the specified service within a 60 Hz cycle (it is
assumed that transient faults only occur in the computer
because the Actuator Functions mainly consist of analog or
hydro / mechanical machinery). At a permanent fault in the
node, ones that occur in the computer and in Actuator
Functions, the power from the servo shall be zero such that the
control surface streamlines in a damped mode.
Internally, the node shall detect faults and errors in the
whole node. By continuously checking the control surface
position, the computer can detect all faults in the Actuator
Functions. Via an alive signal and an alive valve the
computer can inactivate the servo such that the surface
streamlines. At a permanent fault in the computer, the alive
signal shall be inhibited, Le., the computer shall stop.
Consequently, the problem is to detect the faults and errors in
the computer, stop at permanent faults, and recover in the case
of a transient fault within a 60 Hz cycle.
With double execution, the transient faults in the computer
will be detected with a coverage of 99%.The double execution
will also detect a good deal of the permanent faults and,
combined with self-test programs, it is estimated that the
detection coverage of permanent faults also approaches 99%.
A watchdog timer should be added to the computer.
The control laws are computed in all other actuator nodes;
by exchanging data over the bus, the results can be voted upon.
A total fault detection coverage of over 0.999 is reasonable.
Transient Fault Handling in Actuator Nodes
A transient fault must not abort the function of a node. For
instance, it must not cause any primary control surface to
streamline. On the other hand, a permanent fault in the actuator
node, computer or servo, must streamline the control surface
position
(the only acceptable reason for not streamlining must be
mechanical locking).
With seven actuator replicas that broadcast their data,
detection coverage of close to 100%is motivated and nearly all
transient faults are detected and located. If a transient fault
occurs in an actuator node that aborts or distorts the seven
control commands, that node will either make a notification of
a fault (be silent) or will broadcast faulty command words.
Either way, the local voter in each computer node, including
the faulty one, will mask the fault and deliver a correct
command word to the loop closure. Consequently, there is no
performance degradation resulting from any temporary fault.
Depending on whether or not the actuator nodes work
according to replica determinism, the recovely from transient
faults can be approached in several ways, mainly according to
one of following three basic principles:
1. Context from a non-faulty actuator node, the
actuator nodes fulfill the requirements of replica
determinism
2. Inherent context by double execution, the
actuator nodes fulfill the requirements of replica
determinism
3. No action for recovery, the actuator node will
continue as before. The actuator might work
according to eventual determinism. With
eventual determinism, a disturbed context from a
transient fault will be updated by subsequent
sensor input and approach eventually to the
group.
I ) Contextfrom a Non-Faulty Actuator Node
Hence, all seven units are identical and use the same input
data for task execution; at all times the seven replicas are in
exactly the same state. To recover from a transient fault in an
actuator, this alternative is to collect accurate context from one
of the other replicas. The context is rather large (in the order of
25
 120 variables) and the context collection and update must be
done within the TDMA round.
Consequently, altemative I ) has large influence of required
bandwidth; hence, the full context from one actuator node must
be sent at the buses in each 60 Hz cycle. This implies that the
necessary time slots on the bus for accurate context must be
scheduled at a later time than the actuator node slots. However,
this recovery altemative covers all transient faults discussed,
affecting sensors, buses or actuator nodes.
2 ) Inherent Context by Double Execution
In altemative 2) two contexts are inherently created by a
double execution and, in the case of a transient fault in an
actuator, only one of the contexts is affected. Thus, recovery is
achieved by simply picking the non-faulty one for next
execution. The double execution should probably be done
anyway in order to achieve 99% error detection coverage of
transient faults. This alterative has no impact on bandwidth
requirements or scheduling of buses.
There exists a small probability of inconsistency among the
actuator nodes. Suppose that a transient disturbs both buses
when, for example, air data sensor number I broadcasts its
value and only a subset of the actuator nodes successfully
receives the value from air data sensor number 1. In this way
the actuator nodes could go ahead with the control law
computation with slightly different sensor values. Hence, in
order to cover all transient faults with recovery alternative 2),
either the bus must support atomic broadcast or duplicated
values ought to be sent at different timeslots.
3) No Recovery
One option with seven replicas is to choose not to recover,
altemative 3) in which the system can lose quite a few
computers without any degradation of perFormance. The full
distribution of control, with seven replicas as compared to
three replicas in a corresponding centralized system, inherently
has a great deal of redundancy -enough not to have to recover.
Note that, without recovery, there is no distinction between
transient and permanent faults if the actuators fulfill replica
determinism. With this approach, a transient fault might abort a
node. This will not happen, however, if the nodes operate in
accordance with eventual replica determinism with less rigid
timing and context constraints, i.e., the states and data in all
seven nodes do not have to be identical at all times as in I) and
2). With altemative 3) the voter may use a different algorithm
in the process of selecting correct command words.
The seven local command words sent to the voter are most
likely not identical in this eventual deterministic approach, but
a mid-value or mean value with the exclusion of two to three
extreme values will also give correct command words with one
or two transient faults. After a transient fault, the actuator node
continues as before without any special recovery action and its
command words will eventually be determined.
Permanent Fault Handling in Actuator Nodes
The FCS cannot recover from permanent faults during
runtime; these must be handled on the ground in parked mode,
which is, of course, the case for permanent faults in all parts of
the aircraft. Hence, the discussion of permanent fault handling
highlights detection and reconfiguration rather than detection
and recovery. Once a permanent fault has appeared, then the
infected area or node is lost, resulting in degradation of the
system.
The actuator nodes can operate in one of two modes, the
n o m 1 mode and the streamlining mode. As mentioned earlier,
any control surface streamlining is not a critical situation. The
aircraft can still be controlled and achieve safe landings.
The architecture supports autonomic nodes and, thus, the
decision to enter the streamlining mode is made locally. The
questions of which faults must cause the control surface to
streamline and how information on the streamlining mode
comes to everyones notice must be answered. Furthermore, in
the case of a control surface streamlining, the reconfiguration
must be made in a safe and correct way. The correctly working
actuator nodes must agree upon which is the faulty one, and
they must change mode simultaneously within a time limit
small enough not to jeopardize the stabilization of the aircraft,
i.e., reconfigure synchronously.
The actuator is mechanically connected to the control
surface and shall operate in its normal mode as long as the
computer provides it with a regular alive signal (in the form
of a pulse train). Should the alive signal pulse train be
interrupted, the servo will enter streamlining mode.
Fault in the Servo
Any fault in the actuator or position sensors must lead to
streamlining. The model monitor in the computer node detects
faults affecting these functions.
Fault in the Computer Node
In addition, in the case of a permanent fault affecting the
voter, the model monitor or the loop closure must cause the
control surface to streamline. However, it is not necessary for
all permanent faults to bring the actuator node to streamlining
mode. If a permanent fault only affects the control law
computation and manifests as a defective command word, this
node can get a correct command word from any of the
remaining six actuator nodes, thus making streamlining
unnecessary. In order not to streamline by an affected control
law computation in the node that is caused by either a transient
or permanent fault, the output command word from the voter is
used as input to the model-monitoring block.
CONCLUSION
In this study, conceptual system architecture has been
developed at both the functional and physical levels with
minimum hardware by distributing control at the application
level and by taking advantage of inherent redundancy. From a
system point of view, the migration toward distributed control
networks provides the means for reductions in the overall
development and maintenance costs and helps to manage the
increasing complexity that faces control systems used for
safety-critical applications. Finally, the flexibility advantages
of distributed nodes with software implemented fault tolerance
will soon emerge as a major option for the design of
cost-efficient, highly dependable systems.
ACKNOWLEDGEMENTS
The national aerospace program in Sweden supported the
work reported in this paper, Project NFFP 349.
We thank Lars Holmlund, Magnus Landberg, Krister
Fersan, and Nils Ankarback at Saab AB Gripen for their
contributions.
REFERENCES
[I]D. Briereand P. Traverse, June l 9 9 L
AIRBUS A320/A3301A340 El&trical Flight Controls - A Family
o f Fault-Tolemt Systems,
Pmc. IEEE Irrr'l Symp. On Fault-T,dermt Computing,
pp 616-623.
[Z]J. Torin, l9Y9.
The Evolution of Microelectronics and its Impact on Avionics.
Spme Techndogy, Vol. 19, NO.3-4, pp, 199-214.
131 D. Powell, 1. Arlat, L. Beus-Dskic, A. Bondavalli, P. Coppala.
A. Fantechi, E. Jenn, C. Rabejlac and A. Wellings. June 1999,
GUARDS: A Generic Upgradeable Architecture for R w l - T i m
Dependable Systems,
IEEE Trans on Parollel and Distributed Systems.
Val. IO. No.6, pp. 580-597.
[41 K.O. Hall and P.D. Stigall, June 1992,
Distributed Flight Control System Using Fiber Distributed Daa
Interface (FDDI).
IEEE A E S S y s f e m Magazine, pp 2 1-33.
[ 5 ] K. Ahlstrbm and J. Tarin, 2001,
Future Architecture far Flight Control Systems,
i n Pmceeding.s 4 2 b Digital Avionics Systemr
C,,"feEnCe.
[61 H. Kopetz. November 1993,
Should Responsive Systems be Event-Triggered or Time-Triggered?,
IElCE Trans. on I n f i r m t i o n and Sysrenrr.
Vol. E76-D. No. II.pp. 1325.1332.
[7l M.Hiller, June 2000.
Executable Assenions for Detecting Data Ermrs in Embedded
Control Systems,
Pmc. IEEE Inf'l Conf on Dependable Sysremr m d Nerwnrkr.
pp 24-33. P
27