Download - yeh98_777-fbw (1)
-
Design Considerations in Boeing 777 Fly-By-Wire Computers
Y. C. (Bob) YehBoeing Commercial Airplane GroupFlight SystemsP. O. Box 3707, M/S 02-KASeattle, WA [email protected]
AbstractThe new technologies in flight control avionics
systems selected for the Boeing 777 airplane programconsist of the following: Fly-By-Wire (FBW), ARINC 629Data Bus, and Deferred Maintenance.
The FBW must meet extremely high levels offunctional integrity and availability. The heart of theFBW concept is the use of triple redundancy for allhardware resources: computing system, airplaneelectrical power, hydraulic power and communicationpaths.
The multiple redundant hardware are required tomeet the numerical safety requirements. Hardwareredundancy can be relied upon only if hardware faultscan be contained; fail-passive electronics are necessarybuilding blocks for the FBW systems. In addition, FBWcomputer architecture must consider other faulttolerance issues: generic errors, common mode faults,near-coincidence faults and dissimilarity.1.0 Introduction
The NASA FBW projects [1],[2] provide thenumerical integrity and functional availabilityrequirements for FBW computers. A finding from theresearch, Byzantine General problem [3], also serves as adesign consideration to assess robustness of FBWcomputer architectures. Past Boeing and other industryexperiences in dealing with generic faults [4], near-coincidence faults [5] provide ground rules for theBoeing 7J7 FBW program. The experiences on the 7J7program [6],[7],[8],[9] and the academic research ondesign diversity [10],[11], design paradigm [12] arecarried over to the 777 FBW program [13],[14],[15].
Furthermore, to certify the 777 FBW program, theflight controls design and development process considersall requirements from: airplane functional groups,certification agencies, customers, in-service experiences,technology trends and design paradigm. The Boeing 777FBW requirements were then derived and developed.
The purpose of this article is to describe the newtechnologies employed directly and indirectly for the 777primary flight control system, with an emphasis on thedesign considerations for the FBW computerarchitecture. The fail-passive electronics for flight
critical avionics systems are defined to illustrate thenecessary building blocks for the forward path, frompilot inputs to control surface, flight controls electronics.
2.0 Outline of New Technologies for 777 FlightControls
Traditionally, new technologies are introduced for anew airplane program, and the 777 is no exception. Thechallenge is the selection of the new technologies whichcan best meet the desire for more functionality withhigher reliability and easier maintainability. That is tosay, the incorporation of new technologies is to add valuefor our customers. The new technologies selecteddirectly or indirectly for the flight controls were:1) FBW, 2) ARINC 629, and 3) deferred maintenance.2.1 Outline of the Primary Flight Control Function
The outline of the 777 FBW system has beendescribed [6],[13],[14],[15]. The primary flight controlsurfaces are illustrated in Figure 1, and an overview ofthe FBW system is shown in Figure 2. Figure 3 showsthe hydraulic power distribution for the Power ControlUnits (PCUs) to which Actuation Control Electronics(ACEs) provide electrical control.
2.2 ARINC 629 Digital Data Bus
The ARINC 629 data bus [16] is a time divisionmultiplex system. It includes multiple transmitters withbroadcast-type, autonomous terminal access. Up to 120users may be connected together. The userscommunicate to the bus using a coupler and terminal asshown in Figure 3. Terminal access is autonomous.Terminals listen to the bus and wait for a quiet periodbefore transmitting. Only one terminal is allowed totransmit at a time. After a terminal has transmitted, threedifferent protocol timers are used to ensure that it doesnot transmit again until all of the other terminals havehad a chance to transmit.
-
AIM S
FLIGH TCONT ROLDAT A BUSES(3 )
SAARUADIRU PSAS
AFD CS
PFCS
EIC AS& M FD
SPEEDBRAKELEVER
TRA NSD U CER S6 C O L U M N P O S I T I O N2 C O L U M N F O R C E ( E A C HW I T H 2 O U T P U T S I G N A L S )6 W H E E L P O S I T I O N2 W H E E L F O R C E4 R U D D E R P E D A L P O S I T I O N4 S P E E D B R A K E P O S I T I O N2 R U D D E R T R I M P O S I T I O N
ACES PCUS(31)
TRIM A CTUA TOR S1-AIL ERON1-RUDDER
FEEL UN ITS2-ELEVAT OR,VARIAB LE1-AILERON, FIX ED1-RUDDER, FIXED
ELEVATOR FEELACTUATORS
A /P B AC KD R IVEA C TUA TOR S
2 - C O L U M N2 - W H E E L2 - R U D D E R P E D A L
DYNAMIC LOADDAMPER
SPRING
A F D C A UT O P I L O T F L I G H T D I R E C T O R C O M P UT E RA D M A I R D A T A M O D UL E ( S T A T I C A N D T O T A L P R E S S U R E S )E I C A S E NG I NE I ND I C A T I O N A ND C R E W A L E R T I N G S Y S T E ME L M S E L E C T R I C A L L O A D M A N A G E M E N T S Y S T E MM F D M UL T IP L E F U N C T IO N D I S P L A YP S A P O W E R S U P P L Y A S S E M B L YF S E U F L A P S L A T E L E C T R O N I C S U N I TA I M S A I R P L A NE I NF O R M A T I O N M A NA G E M E N T S Y S T E MP F C P R I M A R Y F L IG H T C O M P U T E RP S E U P R O X I M I T Y S W I T C H E L E C T R O N I C S U N I TR /A R A D I O A L T I M E T E RA D I R U A I R D A T A I NE R T I A L R E F E R E NC E U N I TS A A R U S E C O N D A R Y A T T I T U D E A N D A I R D A T A R E F E R E N C E U N ITA C E A C T UA T O R C O NT R O L E L E C T R O N I C SP C U P O W E R C O N T R O L U N I T S , A C T UA T O R SH Y D I M HY D R A UL I C I NT E R F A C E M O D U L EW O W W E I G H T O N W H E E L SW E S W A R N I N G E L E C T R O N IC S S Y S T E M
PIT CH & R U DD E R T R IM C MD STR IM SW IT C H ES
SUPPORTING SYSTEM S
COLUMNBREAKOUT
ADM S ADM S
FSEU
W ES
ELM S
CA RD FILESH Y DIM , W OW
EDIU
PSEU
SY STEMAR INC629 (4)
R/A
GU ST S U P PR E SSIO N XD U CR S
AUTO
OFF
S PE E D B R AK EAC T U AT O R
AILERONTRIM
CMDS
TACSWITCH
PFCDISCONNECT
SWITCH
FIGURE 2 777 PRIMARY FLIGHT CONTROL SYSTEM OVERVIEW
S poilers(7 Per S ide)
Slats
D ou ble Slotted F lapF laperon
F lapA ileron
S ingle Ru dder
E levator(Single Span )
S tabilizer
P artia l S panTab
FIGURE 1 777 FLIGHT CONTROL SURFACES
-
CL1
RL2
L2C B L
O B A IL
FL A P E R O N
O B S P O IL E R S
O B A IL
IB S P O IL E R S
CL2
LC
CL
RL
C
54
32
1 O B S P O IL E R S
L1 R
R CCR
RL 6 7
C R
L2 CCR
RC
8 9
C B LL2L2
RL1
CC
LR
LC
1011
1213
14L1
RC
L
LE F T E LE VA T O R R IG H T E L E VA T O R
C B L
C RR , L 2L 1 ,CC B L
L 1C R
L 2
LC R
L
R U D D E R
CC
LL 1
RR
L1, L2 , C , R D E N O T E S A C E S 0U R C E
A C E S O U R C E
H Y D R A U L ICS O U R C E
C A B L E
NOTE: S P O IL E R S 4 AN D 1 1 AR E C O M M AN D E D V IA
C AB L E S F R O M T H E C O N T R O L W H E E L AN DV IA T H E AC E S F R O M T H E S P E E D B R AK ELE V E R . T H E S T AB IL IZ E R IS C O M M AN D E D V IAT H E C AB L E S T H R O U G H T H E A IS L E S T AN DL E V E R S O N L Y AN D O T H E R W IS E ISC O M M AN D E D T H R O U G H T H E AC E S .
C B L
L
L 2
Figure 3 Prim ary Flight Controls Hydraulic/ ACE Distribu tion
FL A P E R O N
IB S P O IL E R S
Figure 4 shows the interconnection of two systemsusing an ARINC 629 terminal controller and SerialInterface Module (SIM) which are installed on a circuitboard within each Line Replaceable Unit (LRU). TheSIM interfaces with the stub cable via a connector onthe LRU. The stub cable is then connected to the globaldata bus via a current mode coupler.
A representation of the main internal logic and dataflows within an ARINC 629 terminal controller isshown in Figure 5. Data enters through the demodulatorand is checked for faults. The receiver circuitrymonitors all incoming labels and determines whichwordstrings are needed. The data needed by theattached users is sent to the subsystem interface and tothe users.
2.3 Deferred Maintenance
The deferred maintenance has been a desirableattribute for customer airlines to enhance airplanedispatch reliability. The deferred maintenance conceptmandates the need for the fault tolerant design for themajor digital avionics systems such as PFC, ADIRS (AirData Inertial Reference System) and AIMS (AirplaneInformation Management System.) Based on Life CycleCost study for an optimum redundancy level for airlines,these computer architectures contain one level of
redundancy beyond that required to achieve thefunctional integrity for airplane dispatch. Consequently,repair of random hardware failures can be deferred to aconvenient time and place, resulting in reduction ofdispatch delays or cancellations.
The triple-triple redundant PFC architecture, triplechannels with triple dissimilar lanes in each channel,has been described [14]. The PFC can be dispatchedwith one failed lane: maintenance alert is generated formaintenance attention. The PFC can also be dispatchedwith one failed channel: flight deck status message isgenerated requiring replacement of a PFC channelwithin three flights.
The ADIRS and AIMS architectures can besummarized as follows.
-
2.3.1 Air Data Inertial Reference System
This system evolved from the Air Data Computersand Inertial Reference Systems on previous airplanes.The system consists of traditional triple-redundant pitotand static ports, whose signals are converted toelectrical signals by Air Data Modules mounted near theprobes. Digital signals are sent via Flight ControlARINC 629 buses to the ADIRU and SAARU forprocessing, as shown in Figure 6. The ADIRU andSAARU are fault tolerant computers with angular ratesensors and accelerometers mounted in a skewed-axisarrangement [17]. The ADIRU can be dispatched withone failure of each of the following assemblies: angularrate sensor, accelerometer, processor, and I/O module.
2.3.2 Airplane Information Management System
The AIMS is the data cruncher for the followingfunctions: 1) flight management, 2) thrust management,3) display, 4) data communication, 5) centralmaintenance, 6) airplane condition monitoring, 7) flightdata recording, and 8) digital data gateway.
The AIMS communicates with the majority ofavionics systems on the airplane. These interfaces areimplemented through several different media, includingARINC 629 data buses and ARINC 429 data buses.The AIMS [18]consists of two separate and independentcabinets, each with four core processors and fourinput/output modules. The AIMS can be dispatchedwith one failed processor module and one failed I/Omodule.
3.0 Design Considerations for Primary FlightComputers
Earlier on the research program for the Boeing 7J7airplane, we were to define a methodology fordetermining need and means of protection againstgeneric errors [4] and common mode faults. Theapproach taken evolved to the 777 program.
3.1 Common Mode Fault
Common mode or near-coincidence faults[4],[5]need to be considered for multiple redundant systemssuch as the FBW. Airplane susceptibility to commonmode and common area damage is addressed bydesigning the systems to both component and functionalseparation. This includes criteria for providinginstallations resistant to maintenance crew error ormishandling.
The FBW design and installation has beendeveloped with the following fault or eventconsiderations (to name a few):
- impact of objects- electrical faults- electrical power failure- electromagnetic environment- lightning strike- hydraulic failure- structural damage- radiation environment in the atmosphere- ash cloud environment in the atmosphere- fire- rough or unsafe installation and maintenance
These common mode concerns led to the FBWrequirements for separation of FBW components andFBW functional separation.
3.1.1 Separation of FBW Components
The separation is required for redundant flightcontrol elements including LRUs, associated wiring andhydraulic lines to the greatest extent possible.
General system/airplane design decisions forseparation include the following:
- multiple equipment bays for redundant LRUs,- physical separation of redundant LRUs,- flight deck equipment and wiring separation and
protection from foreign object collision, and- separation of electrical and hydraulic line routing
through airplane structure.
Thus triple PFC channels are separated physically,and tight synchronization among PFC channels isdeemed undesirable. To maintain source congruencyand system states convergence, PFCs are required toconsolidate their system states, and to equalize criticalvariables. The assumption of near-coincidence [5] PFCshutdown is considered in the redundancy managementdesign for the PFC restart and for determining PFCsystem state convergence rates.
3.1.2 Functional Separation
All triple redundant hardware resources are alignedto the Left (L), Center(C) and Right (R) positions.These hardware resources are electrical power, flightcontrol ARINC 629 buses, PFCs, ACEs, Hydraulicsystems.
ACE functional actuator control is distributed tomaximize controllability in all axes after loss of functionof any ACE or supporting subsystem. In general, theelectronics components powered by the L/C/R flightcontrol electrical bus controls the actuation componentspowered by the L/C/R hydraulic system, respectively.
-
Figu re 4 In te rcon nect o f System s u sin g AR INC 629
L R U n
C o up le r n (12 0 m a x)
D a ta b us c ab leasse m b ly
D a ta b uste rm ina to r
S tub c ab le
L ine rep lac ea b leun it (L R U ) no . 1
A R IN C 6 2 9Te rm ina l
C o nt ro l le r
S e r ia l In te r fac em o d u le
C u rren t m od ecoup le r N o . 1
AR INC 629Data Bus
C urrent M ode C oup ler
S tub C ab le
D em odu lator
M odu lator
ST RA PS IM
R EC EIV EP ER SO NA LITY
PR OM
TR ANS MITP ER SO NA LITY
PR OM
Terminal Contro ller
Transm itte r
P rotocol P ro toco l
Rece iv er
Subsys temInterface
Add res sAdd res s/Data
Figu re 5 A R INC 629 Fu nction al B lock D iagram
-
3.2 Design Diversity
Based on the Boeing experience, the most likelydesign errors are, in order of likelihood:
a) i) Requirement errorsb) ii) Implementation
misunderstandingc) Software design or coding errord) Future process errors in previously qualifiede) Semiconductor parts.f) Relatively new, programmable VLSI circuits
whose number of states approach infinity andtherefore are non-deterministic.
The 7J7 FBW program goal regarding dissimilarityis developed as follows.
1. Dissimilar software/hardware architectureshould be used.
2. Ada should remain the accepted standard forembedded software.
3. When dissimilar hardware and software isused to reduce error in FBW computers, stepsshould be taken to ensure the designs are alsodissimilar.
In the design diversity experiment at UCLA [10],the isolation rules were employed in whichprogramming teams were assigned physically separateoffices for their work and that inter-teamcommunications were not allowed. The research atacademe [10],[11] indicate that multiple versions ofprograms developed independently can contain similarerrors.
Boeing experience is that among sources of errorsit is most often the basic requirements which areerroneous or misinterpreted. The key to a successfulsoftware implementation is the elimination of errors.The errors due to misinterpretation can be reduced byvery close communication between the systemrequirements engineers and the software designers. Infact, the software designers can help the engineersrecognize limitations in the software design when therequirements are being written. There is much benefitfrom this interactive relationship, which is precluded bythe dissimilar software design approach, where systemsand software teams much be kept segregated.
The development of the PFC software during the7J7 program confirmed that the three separate teams, inorder to code their logic from the requirements, werehaving to ask Boeing so many questions for clarificationof the requirements that the independence of the threeteams was irreparable compromised. This is the reasonwhy Boeing elected to revert to the usual and customarymethod of creating and certifying flight critical sourcecode. It was determined that there is a net gain in totalsystem integrity with the single software designapproach. The overall 777 FBW program decision on
dissimilarity is described in [15], and is summarized asfollows.
3.3 Safety Analysis
The safety analysis is performed which assesses allsignificant failures of the FBW system including singlefailures, latent failures, and failure combinations at theLRU level. Allowable level of dispatch with knownfaults is determined. Also considered is the scheduledmaintenance necessary to limit exposure to latent faults.The analysis shows that the probability of a given failurecondition is consistent with its severity, and that allfailure combinations producing a catastrophe areextremely improbable. This analysis contains aproposed list of worst case failure conditions to be flightdemonstrated based upon simulator evaluation, anddocuments confirming lab and flight test results.
Hardware component failure modes and potentialLRU malfunctions are assumed. The assumptions,combined with the system architecture and faultdetection/isolation algorithms, are used to eliminate theinfinite possibilities of hardware gate level failuremodes. Interfacing systems such as electrical andhydraulic power, ARINC 629 buses, and primarysensors are included. System separation, partitioning,and redundancy are addressed. Where possible in-service data are used to generate probability of faults.
3.4 Fail-Passive and Fail-Operational Electronics
An electronics function is fail-passive if, in theevent of a failure, the continued safe flight and landingof an airplane can be maintained by the pilot. Firstly theFBW architecture study considering use of ARINC 629data busses concluded that common interfacerequirements [15] should be developed including acommon CRC (Cyclic Redundancy Check) algorithm.
The ACE functional overview diagram is shown inFigure 7, and the FBW forward path (ACE to/from PFC)signal monitoring concept is shown in Figure 8 toillustrate the application of fail-passive electronics.
The transducers used to sense the pilot controlcommands are monitored with in-line monitors ofcommon mode monitor (CMMs) and demodulatormonitor (DMMs). This includes the position and forcetransducers. The CMMs detect short circuits and opencircuits in the pilot control transducers, while theDMMs are used to monitor demodulation of each ACtransducer signal. If either monitor indicates failure,this signal will not be used by PFCs for FBW controllaw function.
The servo command wraparound monitors verifythe proper operation of ACE digital-analog and analog-digital conversion hardware and verify properdistribution of each PCU/Actuator command to theappropriate servo loop function.
-
Figure 7 T yp ica l A C E A rch itectu re
A D IR U
6 2 9
6 2 9
6 2 9
R A T E
A C C E LIN E R T IA LS E N S O R S
S E L E C TA N D
M O N IT O R
R A T E SA C C E L S
62 9M O N IT O R
IN E R T IA LS O LU T IO N
V O T E
V O T E
62 9
62 9
62 9
62 9
S E L E C TA N D
M O N IT O R
P SP T
A IR D A T AS O LU T IO N
PFC LC O M M A N D L A N E
B U SS E L E C T
V A L ID IT YM O N IT O R
SSFD
S E L E C T E DD A T A
V A L IDF L A G
V A L ID IT YM O N IT O R
M O N IT O R L A N E
S T A N D B Y M O N IT O R LA N E
ID E N T IC A L
ID E N T IC A L
S igna ls B od y R ates Bo dy A c ce lera tion s P itch and R o ll A ttitu de G round sp ee d A irs peed (VC , V T ) Baro A ltitu de F ilte red M ac h Im pac t P res su re PS = Sta tic P res s ure
P T = T o ta l P ress ure
S A A R U
6 2 9
6 2 9
6 2 9
R A T E
A C C E L
IN E R T IA LS E N S O R S
S E L E C TA N D
M O N IT O R
R A T E SA C C E L S
62 9M O N IT O R
IN E R T IA LS O LU T IO N
S E L E C TA N D
M O N IT O R
P SP T
A IR D A T AS O LU T IO N
(6) (4)
(4 )
(4 )
(2 )
C O M P A R A T O R
P S 1
P T 1
P S 2
P T 2
P S 3
P T 3
Fig ure 6 A D IRU /S A A R U R ed un dancy M an agem ent
GUST SUPPRESSIONXDUCER INTERFACE
SPOILE R SER V OLOOPS &MON IT O RS
*M UX*D EM U X
ARINC 629INT E RFACELEFT BU S
ARINC 629INT E RFACE
CE NT ER BUS
CRC
ACEPO W E RS U P PL Y
AN DPC U S O V s
RV DT 's & LV DT 'sE X C IT AT ION
BUF FE R 'sDE M OD's
DM M ' & CM M 's
D IRE CT M ODES CHE DU LE S
D/AINPUTS IG N AL
M ANAG E M E NT(ISM )
S IG NALCOM M AN D
DE C ODECON T R O L
(S C DC )
T H RE E MO DEPC U
SER VO LOOP S &MON IT O RSELEVAT OR
AILERONFLAPER ON
RU DDER
RUDDER TRIM /ELEVATOR FEELACTUATOR SERVOLOOP & MONITOR
ST AB T R IMCON T ROL
AUT O SPE ED BRAKE ARM
R ACE
A
PIT CH RAT ES E NS O R
A/D
FLA PPOS IT ION
PILOT S 'CM D S
DIRE CTM ODE
S W ITCH
PINPR O -
G R AM M ING
LCR
Flight C ontro l D igita l D ata Buse s
F LIG H TCON T ROLSDC PO W E R
A A A
A
A
MODAL SUPPRESSION FUNCTIONACCELEROMETERS
ARINC 629INT E RFACERIG H T BUS
777-300: ACE EXT ERNAL P IT C HRAT E SEN SOR INT ERFACE
(6 )
-
MID
-VA
LUE
SELE
CT
Cro
ss
cha
nn
el m
on
itori
ng
CHAN
NEL
INH
IBIT
CRO
SSC
HAN
NEL
MO
N
629
629
CRC
CRC
629
MO
N
SCDC
ISM
ADC
DAC
1
Wra
p A
rou
nd
Mo
nito
r
AC
EPF
C
3SX-
LAN
EM
ON
X-LA
NE
MO
N3M
OUT
PUT
ENAB
LE2S 2M
PFC
Val id
ity
Pow
er
Supp
ly
Mo
ni t
or
629
Mo
ni t
or
SERV
OEL
ECPC
U
ACE
PCU
629
629
1
3CPI
LOT
LVD
TD
EMO
DAD
CSC
DC
CRC
ADIR
U
SAAR
U
629
MO
NCR
CBU
FFER
UPD
ATE
MO
N
SSFD
CON
TRO
LLA
W
CRC
ACE
PFC
No
data
mo
nito
ring
.D
ata
pa
th m
on
itore
d by
WA
MCo
mm
on
mo
de m
on
itor
Dem
od
mo
nito
r
AC
EFL
T D
ECK
Cro
ss
lan
e
mo
nito
ring
of
3 di
ssim
ilar
lan
e
inpu
t
2S 2M
SV
MC
MM
DM
MS
OV
CM
D
RE
SP.
3S 3M
Pow
er
Supp
ly
Mon
itors
3C
CM
D STB
YM
ON
CRC
Fig
ure
8
PF
CS
Sig
nal P
ath
Mo
nit
ori
ng
-
Digital commands received from the PFCs are convertedto analog commands for use by the actuator servo loops.The analog servo loop commands are also converted("wrapped") back to digital form for use by theWraparound Monitor. The monitor then compares theoriginal digital commands with the wraparoundcommands to verify operation of digital to analog andanalog to digital conversion.
All LRUs transmitting critical data on ARINC 629bus are required to comply with the Flight Controls BusRequirements [15] inclusive of providing CRCcheckwords. All flight critical LRUs (eg, PFC & ACE)perform CRC monitoring of each received wordstring.
Input Signal Management (ISM) processing isperformed by each PFC on ARINC 629 input signalsreceived by the PFCs including those originating fromthe ACEs, ADIRU, SAARU, ADMs, AFDCs, andAIMS. ISM includes Signal Selection and FaultDetection (SSFD) algorithms which perform signalselection and static and dynamic fault monitoring. Thisalgorithm must be designed to adequately isolate failedcomponents for an extended period of time wheredelayed maintenance is desired.
4.0 Summary
The successful certification of the first BoeingFBW airplane, airplane in general and FBW in specific,in four and half years depends to a large extent on thefollowing: 1) a new facility to accommodate a largenumber of test labs, the Integrated Aircraft Systems Lab(IASL), 2) a viable FBW architecture, 3) workingtogether with customer airlines for their help indesigning the airplane, 4) certification planning,5) research work from the fault tolerant computingcommunity.
References:
1. J.H. Wenseley et al "SIFT: Design and Analysis ofa Fault-Tolerant Computer for Aircraft Control",Proceeding of the IEEE, Vol. 66, No. 10, October1978.
2. A.L. Hopkins Jr., T.B. Smith,III, J.H. Lala, "FTMP-A Highly Reliable Fault-Tolerant Multiprocessorfor Aircraft", Proceeding of the IEEE, Vol. 66,No. 10, October 1978.
3. L. Lamport, R. Shostak, M. Pease, "The ByzantineGenerals Problem", ACM Trans. on ProgrammingLanguages and Systems, Vol. 4, No. 3, July 1982.
4. S.S. Osder, "Generic Faults and ArchitectureDesign Considerations in Flight-Critical Systems",
AIAAJournal of Guidance, Vol.6,No.2, March-April 1983.
5. J. McGough, "Effects of Near-Coincident Faults InMultiprocessor Systems", Fifth AIAA/IEEE DigitalAvionics Conference, October 1983.
6. R.J. Bleeg, "Commercial Jet Transport Fly-By-WireArchitecture Consideration", Ninth AIAA/IEEEDigital Avionics System Conference, October1988.
7. C.J. Walter, "MAFT: An Architecture for ReliableFly-By-Wire Flight Control", Ninth AIAA/IEEEDigital Avionics Conference, October 1988.
8. A.D. Hill, N.A. Mirza, "Fault Tolerant Avionics",Ninth AIAA/IEEE Digital Avionics Conference,October 1988.
9. R.A. Hammond, D.S. Newman, Y.C. Yeh, "On Fly-By-Wire Control System and Statistical Analysis ofSystem Performance", Simulation, October 1989.
10. A. Avizienis, M.R. Lyu, W. Schutz, "In Search ofEffective Diversity: A Six-Language Study ofFault-Tolerant Flight Control Software", FTCS-18,1988.
11. J.C. Knight, N.G. Leveson, "An ExperimentalEvaluation of the Assumption of Independence inMultversion Programming", IEEE Trans. OnSoftware Engineering, January, 1986.
12. A. Avizienis, "A Design Paradigm for Fault-Tolerant Systems", AIAA Computers in AerospaceConference, October 1987, Paper 87-2764.
13. J. McWha, "777 Systems Overview", RAeSPresentation, November 1993.
14. Y.C. Yeh, "Triple-Triple Redundant 777 PrimaryFlight Computer", 1996 IEEE AerospaceApplications Conference, February 1996.
15. Y.C. Yeh, "Dependability of the 777 Primary FlightControl System", DCCA-5, September 1995.
16. J.L. Shaw, H.K. Herzog, K. Okubo, "DigitalAutonomous Terminal AccessCommunication(DATAC)", Seventh AIAA/IEEEDigital Avionics System Conference, November1986.
17. D.L. Sebring, M.D. McIntyre, "An Air Data InertialReference System for Future CommercialAirplane", Ninth AIAA/IEEE Digital AvionicsConference, October 1988.
18. K. Hoyme, K. Driscoll, "SAFEbus", EleventhAIAA/IEEE Digiatl Avionics Conference, October1992.