Intelligent redundant actuation system requirements and preliminary system design by Geiger, L. J. et al.
General Disclaimer 
One or more of the Following Statements may affect this Document 
 
 This document has been reproduced from the best copy furnished by the 
organizational source. It is being released in the interest of making available as 
much information as possible. 
 
 This document may contain data, which exceeds the sheet parameters. It was 
furnished in this condition by the organizational source and is the best copy 
available. 
 
 This document may contain tone-on-tone or color graphs, charts and/or pictures, 
which have been reproduced in black and white. 
 
 This document is paginated as submitted by the original source. 
 
 Portions of this document are not fully legible due to the historical nature of some 
of the material. However, it is the best reproduction available from the original 
submission. 
 
 
 
 
 
 
 
Produced by the NASA Center for Aerospace Information (CASI) 
https://ntrs.nasa.gov/search.jsp?R=19850025823 2020-03-20T16:59:12+00:00Z
CONTRACT NAS2- 12081
SEnEMRER 1985
NASA
6	 ^	 '
NASA CONTRACTOR REPORT 177366
INTELLIGENT REDUNDANT ACTUATION SYSTEM
REQUIREMENTS AND PRELIMINARY SYSTEM DESIGN
P, DE FEO
L,J, GEIGER
J. HARRIS
(NASA-CR-177366) INTELLIGENT REDUNDANT 	 N85-34136
ACTUATION SYSTEM REQUIREMENTS AND
PRELIMINARY SYSTEM DESIGN (Ilpdrauli,c
Research Textron) 80 p HC A05/MF A01	 Unclas
CSCL 01C G3/05 25800
fa.
NASA CONTRACTOR REPORT 177366
4
F1I t V
'a
fl
INTELLIGENT REDUNDANT ACTUATION SYSTEM
; E	 REQUIREMENTS AND PRELIMINARY SYSTEM DESIGN
P. DE FEO
L.J. GEIGER
J. HARRIS
HR TEXTRON INC.
SYSTEMS ENGINEERING DIVISION
IRVINE, CALIFORNIA 92714
PREPARED FOR
AMES RESEARCH CENTER
UNDER CONTRACT NAS2-12081
SEPTEMBER 1985
4
NASA
National Aeronautics and
Space Administration
Ames Research Center
Moffett Field, California 94035
PREFACE
This document constitutes a report under Contract NAS2-120911
•	 "Modular Microprocessor Techniques Development for Intelligent
Actuation Management of Advanced Fly-By-Wire Systems." It
represents the results of defining the requirements and conducting
the preliminary system design and analysis. The work was conducted
in OR Textron's Systems Engineering Division, Irvine, California.
The Principal Investigator for this effort was Dr. Pio de Feo who
was ably assisted by Messrs. James Harris, L.J. Geiger and Ed
Buckley.
The NASA technical monitor for this task war Mr. R. C. Shih.
The authors wish to acknowledge the guidance and helpful suggestions 	 =
provided by Mr. Shih as well as the assistance of Mr. N. Rediess.
The material presented herein represents the findings of the 	 3^
authors and is not to be construed as being endorsed by the D.S.
Government or the National Aeronautics and Space Administration.
i
r
TABLE OF CONTENTS
I
PAGE
SUMMARY OF RESULTS ........................................ 	 1
INTRODUCTION..............................................	 3
i
SYSTEM DESCRIPTIONS ................................ 6...... 	 4
SYSTEM REQUIREMENTS ....................................... 7
SYSTEM ARCHITECTURE DESIGN REQUIREMENTS .............. 8
RELIABILITY AND FAULT TOLERANCE REQUIREMENTS......... 11
FAILURE DETECTION AND RECONFIGURATION REQUIREMENTS... 17
DYNAMIC PERFORMANCE REQUIREMENTS ..................... 19
HARDWAREREQUIREMENTS.......' ............................. 44
DIGITAL COMMAND PROCESSING UNIT (DCPU) .......... 6.... 44
ARBITRATOR..: ........................................ 47
CONTROL INTERFACE UNIT (CIU) .......................... 48
TESTCONTROL TERMINAL (TCT) .......................... 49
EMULATIONCOMPUTER (EC) ................. 6............ 50
FCC/DCPU INTERFACE ................................... 51
SOFTWAREREQUIREMENTS ..................................... 58
APPLICATIONSOFTWARE ..................................58
EXECUTIVESOFTWARE ................................... 60
UTILITYSOFTWARE ..................................... 61
SOFTWARE DEVELOPMENT ENVIRONMENT ..................... 62
SOFTWARE DEVELOPMENT PROCESS REQUIREMENTS............ 64
4
EMBEDDED SOFTWARE DEVELOPMENT SCENARIO ............... 65
ii	 i ,
IAPPENDICES ...................... :......................... 66
A - RELIABILITY ANALYSIS ............................. 66
B - BUS PROTOCOLS .................................... 68
ABBREVIATIONS ............................................. 71
1
11.1
y
Na
LIST OF FIGURES AND TABLES
i
FIGURE TITLE PAE
1 Diagram of
	
IRAS System..., * ..... 5
2 IRAS Quad	 Configuration. * ........... 9
3 IRAs Quad Configuration with Arbitrator.... 9
4 Reliability Diagrams - IRAS Configurations. 13
5 Digital Simulation Functional Diagram...... 20
6 Frequency Response, Analog Input
& Implementation,	 108 Full Scale......... 21
7 Frequency Response, Analog input &
Implementation,	 508 Full Scale........... 22
8 Frequency Response, Analog Input &
Implementation,	 Effects of Flow Limiter.. 23
9 Step Respons_. , Analog Input &
Implementation ........................... 24
10 Frequency Response, Analog Implementation
Digital vs Analog Input, 108 Full Scale.. 25
11 Frequency Response	 (Phase Lag) Analog
Implementation,	 108 Full Scale.	 Effects
of	 Digital	 Input ......................... 26
12 Step Response, Analog Implementation,
Digital vs Analog Input, 108 Full Scale.. 29
13 Frequency Response, 108 Full Scale, FCC
Rate 50ms Digital vs Analog Position
Loop	 Closure........... 0 ................. 30
14 Frequency Response, 108 Full Scale,
Digital vs Analog Position Loop
Closure ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
15 Step Response, 108 Full Scale, Digital vs 7
Analog Position Loop Closure ............. 32
16 Frequency/Step Response, 108 Full Scale,
FCC Sample Rate 50ms, DCPU lOms,
Effects of Forward Path Gain ............. 33
iv
FIGURE	 TITLE	 PAGE
'	 17	 Effects of Digital Input on Servovalve
Activity, 108 Full Scale, FCC Sample
Rate 50ms, Input Frequency 1 HZ.......... 35
18	 Notch Filter Characteristics... to.s000 ..... 36
19	 Notch Filter Compensation of Digital
Input/Analog Implementation, 108 Full
Scale, FCC Sample Rate 50ms, Input
Frequency 1 HZ ...........................
	 38
20	 Notch Filter Compensation of Digital
Input/Digital Implementation, 108
Full Scale, Input Frequency 1 HZ, FCC
Sample Rate 50ms, DCPU 5ms ............... 39
21	 Notch Filter Compensation, of Digital
Input/Digital Implementation, 108
Full Scale, Input Frequency 1 HZ, FCC
Sample Rate 50ms, DCPU lOms .............. 40
22	 Effects of Digital Input on Servovalve
Activity, Power Spectra Amplitude
of Flow Rate at 20 & 40 Hertz............ 41
23	 Effect of Notch Filter on Position
Control, 108 Full Scale ..................	 42
24	 Effect of Notch Filter on Time to
Reach 908 of Command, 108 Full Scale..... 43
25	 FCC/DCPU Data Flow, No Cross-Strap
Configuration, 4 Channel
Transmission ............................. 	 53
26	 FCC/DCPU Data Flow, Cross-Strap
Configuration, 4 Channel Transmission.... 54
27	 FCC/DCPU Data Flow, 1553 Broadcast,
Cross-Strap vs Non Cross-Strap
Configuration, 4 Channel Transmission.... 55
ti
28	 IRAS Software Structure .................... 59
I	 A-1	 Reliability Diagram Symbols ................ 67
A .
v
TABLES
TADL1:	 TJMZ	 EASE
1	 Component Failure Rates (Failures/Sour).... 15
2	 Configuration Failure Rates and Percent
Change fRes....or
at
100% Increase in Component
Failure  	 ........................	 16
3	 FCC/DCPU Data Flow .........................	 56
i
a
r
vi
SUMMARY OP RESULTS
Some results of this analysis are only preliminary, and
further study is needed to refine, confirm, and extend the scope
of the findings. Some results and conclusions, however, are
firm. The following is a list of the major conclusions:
TRAS CONFIGURATION
1. A minimum complexity, non-cross-strapped, quad
configuration has been selected for the ISCU.	 This
configuration meets or exceeds the reliability and
fault tolerance requirements of the ISCU.
2. An Arbitrator is need to vote on channel status. 	 It
also performs the function of fault insertion and
supports simulation control.
3. A communication path is provided among all DCPUs and
the Arbitrator through a backplane common bus.
TRAS DYNAMICS
1. The digital IRAS simulation is in good agreement with
Ames analog simulation.
2. The flow limiter has a significant effect on actuator
dynamics in the case of high amplitude, high frequency
inputs.	 The phase lag is 50 degrees, and the amplitude
gain is -2.5 db. for a 5 Hz, 508 full scale input.
3. Digitized input commands from the FCC produce a phase
lag which increases with the input frequency and the
DCPU frame time. 	 For a FCC frame time of 50 msec and a
3 Hz sine wave input, the phase lag is 21 deg.
4. A digital position loop closure does not produce
significant time lags; however, significant overshoot
characteristics develop which can be reduced by
manipulating the forward loop gain. 	 For a 50 msec FCC
and a 5 msec DCPU frame time, the overshoot is 108 with
• forward loop gain of 15.6 ma/v and less than 18 with
• forward loop gain of 10 ma/v.
t
5. The digitized FCC input command significantly increases
servovalve activity.	 The servovalve activity increases
rapidly as a function of the DCPU frame time. 	 For a
FCC sample rate of 50 msec a DCPU sample rate of 5 msec
and 1 Hz input sine wave, the normalized power spectra
peak is 98..
1
6. Notch filters are very effective in damping the
servovalve activity; however, they add to the phase lagA
which increases as a function of the DCPU frame time.
For the previous --l -use,	 the power spectra is reduced
from 98 to .28, and an additional phase lag of 10
degrees is introduced.
I
TRAS HA,8J J&U, ARCHITECTURE
1. The DCPU, EC and Arbitrator will be emulated in 68000
microprocessors.
2. The TCT will be implemented in a IBM PC/AT.
3. The architecture of the CIU is a function of the
position loop closure, digital or analog.
4. Although no absolute requirements have been established
for a FCC/DCPU bus structure, none of the examined
protocols is well suited to support that communication
path.
5. All communications to/from the IBM PC/AT are
S: implemented via RS-232 point-to-point serial links.
IRAs SOFTWARE ARCHITECTURE
1. A VAX hosted software development environment will be
used for IRAS embedded software.
2. The "C" language will be the HOL for IRAS embedded
Ii
I
software.
I
2
f
i
INTRODUCTION
Advanced Flight Control Systems (AFCS) have very high
operational capabilities and very high reliability, availability
and survivability requirements. Several redundant configurations
of actuation systems meeting those requirements have been
designed and successfully demonstrated. However, this has been
accomplished with extensive duplication of hardware components
(brute force redundancy) and has resulted in significantly
increased computational loads of the Flight Control Computers
(FCC) which perform the failure analysis and the reconfiguration
management.
Modern advanced technology has mado it possible to produce
powerful microprocessors at low cost featuring low volume,
weight, and power requirements. These microprocessors can
effectively perform locally, at the actuator level, the tasks of
failure isolation and configuration management, which were
previously'performeo by the FCC, and other related tasks. This
new actuation system; concept called an Intelligent Redundant
Actuation System (IRAS) significantly reduces the FCC
computational requirements and additionally provides the
capability to perform those local tasks in a more advanced and
comprehensive manner than previously feasible. This ultimately
results in increased reliability, availability, survivability,
and maintainability and lower life cycle costs for the total
AFCS.
The purpose of this document is:
1. to outline the requirements for a flexible IRAS
experimental breadboard system capable of demonstrating
the feasibility of the concept and of exploring a
variety of configurations and,
2. to provide a data base for future research activities
in the IRAS area.
SYSTEMS DESCRIPTIONS
A schematic of IRAS is shown in Figure 1.
The major components are:
1. Jhg Rmi1a inn Camp' -Pr J.E .
The EC includes the Emulated Diagnostic and Maintenance
Computer (EDMC) and the Emulated Flight Control Computer
(EFCC). The EDMC performs diagnostics and maintenance
tasks during flight and on the ground; and AI concepts
and structures can be used which effectively support
these functions. The EFCC emulates configurations of
Flight Control Computers and hosts the vehicle dynamics
to provide a closed loop, real-time analysis
environment. The EDMC and EFCC are linked to the
Intelligent Servoactuator Control Unit (ISCU) and are
used to drive the Digital Pilot Display (DPD).
3. Tntp1 7 {aAat ^Sarvnarrtl^tnr (nntrnl flair 7
The ISCU consists of the Digital Command Processing Unit
(DCPU) and the Control Interface Unit (CIU). The
microprocessor-based DCPU provides the computational and
logic capabilities for calculating the actuator coil
commands; for monitoring the actuator status; and, for
implementing reconfiguration management strategies as a
function of detected failures, and the vehicle state and
control mode. Since the DCPU is the key component of
IRAS, most of this document relates to it. The analog
CIU provides the interface between the DCPU and the
actuator coils, LVDT and solenoid. The current loop
closure (inner loop) is implemented within the CIU. The
position loop (outer loop) can be implemented within the
CIU or within the DCPU. The two implementations are
Discussed in detail later in this document. A key
requirement of the ISCU is that it be very powerful and
flexible so that the concept feasability can be
demonstrated and implementation issues of adaptive
digital control techniques applicable to a variety of
Servoactuator and FCC configurations may be analyzed.
Futhermore, the ISCU, when operating within the dynamic
environment of the EC, is a powerful test-bed for
analyzing the effects of advanced gain optimization and
limiting techniques on the safety and performance of
fixed and rotary wing vehicles.
3. Digital Pilot D.Japjay (DPD)
The DPD is a multipurpose display which provides the
r--rj	 o Ian
owl
IS^ ,> I
r r
^ a r
r
o r
Y V ^
jr rL. rA.. J
2
y W
N
<
C
H
0 3 v^
cc
a
a
_Q
n
r
us CC
Cm7
W ivil W
JW
s
O
m
W
J
W
R
16
a
s
n
io
zr
W
s
^ o
r -^
LJ
I;
a
O
J W
^
--^
LZ
U w
V
O	 FW..
Ln	 3<
^ ~
fi =
..
J F
Wfn J ;,^	 O 1
U
if .;.	 ^
2 ^
ii
t.:	 Z
a2	 J = W ,., 3CS' U
000 ~Z ^"
U fYa
ad W
Z a Wsi=W O J W
.^
a. w ^z W^„2p -
2^
<.jZNUJ
O UJ
C0aa
2
W
O
U
^co3o
W A U
W
U OU oayn
°
5
Y
i_
Ipilot with information and interfaces needed to control
and monitor the actuation system among other things. It
is driven by the EFCC and its functions are implemented
within the Test Control Terminal capability.
4. Tgj1t Control Terminal (TCT1,
The TCT's major functions are: (1) to control the
operation of the IRAs; and, (2) to provide a work
station for software development. It also provides a
realistic way to emulate the DPD function of the pilot
interface with the IRAs. A commercial personal computer
(PC) can provide all the capabilities needed to support
these functions.
5. Data RVs ID Interface (PST)
The DSI provides the capability of interfacing the EC
and DCPU to analog instrumentation such as strip chart
recorders. It consists of standard Digital to Analog
converters with appropriate characteristics.
The I;:A.4 lab system, (referred to as IRAs throughout this
document,) and the equipment currently available at NASA Ames
provide a versatile integrated environment to implement and
analyze a wide variety of IRAs configurations. Major issues 	 {
which can be explored are:
Redundant Actuator Monitor and Reconfiguration Strategies
Redundancy Actuator Control Configurations
Interfaces to the Actuator and FCC
Maintenance and Diagno!^tic Strategies
Cockpit Displays
The IRAS must be very flexible and easily configured to
support a variety of FCC actuators and actuator controller
configurations. Initially the IRAs is being configured to
interface with a quad, synchronized FCC configuration and the
TAFCOS Actuator. The TAFCOS Actuator, currently operational at
NASA Ames, was developed by ER Textron under NASA Contract
NAS2-11512.
Two areas with significant technical promise which can be
investigated using the IRAs are: (1) the use of Artificial	 ;+
Intelligence (AI) concepts for diagnosis and maintenance
`	 purposes; and, (2) the implementation of a digital position loop
closure for the servoactuator. These and other research areas
are discussed in detail in other sections of this document.
n
f
SYSTEM P.EQUIREMENTS
The IRAS design requirements are grouped as follows:
o System Architecture Design Requirements
o Reliability and Fault Tolerance Requirements
o Failure Detection and Reconfiguration Requirements
o Dynamic Performance Requirements
The three major high level system requirements are:
1. The system must be otpable of interfacing with a quad
redundant, synchror:rus FCC, and a four coil, flux
summing, redundant TAFCOS actuator. The IRAS
architecture must also be very flexible so that a wide
variety of FCCs and actuation system configurations can
be ,supported and analyzed,
2. The reliability and fault tolerance of the Intelligent
Servoactuator Control Unit (ISCU) must be consistent
with the reliability and fault tolerance of the FCC and
j	 TAFCOS actuator.
3. The overall dynamic characteristics of the TAFCOS
actuation system should not change significantly when
the analog servocontroller is replaced by the digital
ISCU.
While all the requirements impact on all the elements of the
IRAS, the only significant effect of interest in the current
study is on the ISCU configuration because:
1. The Test Control Terminal (TCT) performs only secondary
non—critical tasks relative to the actual control of the
actuation system.
2. The issues related to the reliability and fault
tolerance of the Emulated Diagnostic and Maintenance
Computer (EDMC) and of the Digital Pilot Display (DPD)
are not a research objective or this effort, at least at
t	 the present time.
3. The Emulated Flight Control Computer (EFCC) is included
in the IRAS only to provide the dynamic environment
fneeded for analyzing the performance of the actuation
-i	 system and not for developing and analyzing FCC
configurations.
7
1
SYSTEM ARCHITECTURE DESIGN REQUIREMENTS
The IRAS system architecture design requirements primarily
effect the architectural design of the ISCU, which is the central
element of the IRAS and is the focus of the research objectives
of this effort. The architecture of the ISCU must provide a
level of reliability and fault tolerance which is comparable to
the one existing for the FCC and for the most redundant elements
of the actuator and servovalve coils.
The FCC and the sery^ovalve coils have a quad configuration
which provides a Fail-Op /Fail-Safe performance. Therefore, the
most natural candidate configuration for the ISCU is also a quad
configuration which can be easily interfaced with the FCCs and
actuator.
Quad configurations can be easily modified into dual, and
dual-dual configurations. Furthermore, they typically include
all the major hardware components needed to implement triplex
configurations. However, conversion to triplex configurations
might require extensive software redesign especially in the areas
of voting and signal selection; and design and fabrication of
additional interfaces. The only configuration which cannot be
easily implemented starting from a quad configuration is the very
powerful, dual-triplex configuration, such as the Primary Flight
Control System of the ADOCS. In fact, that configuration
requires a set of six microprocessors, two more processors than
quad configurations. The uniform redundancy existing throughout
the channels of the IRAS quad configuration is shown in Figure 2.
A key functional requirement of the IRAS is the capability
to isolate a failed channel. It is not safe to delegate that
responsibility to the failed channel itself because the fault
might prevent the failed channel from reliably performing that
critical task. Therefore, the responsibility of channel
isolation must be delegated, and snared by, the remaining
operational channels. This approach requires the implementation
of a device, external to the four ISCU channels, which performs
the critical role of arbitration. The Arbitrator is a single
point failure in the system and, therefore, in a flight critical
environment, must be a highly reliable, fault-tolerant device.
in the IRAS environment, the functions of the Arbitrator can be
emulated by a separate microprocessor unit which interfaces
directly to the DCPU and the CIU. This configuration is very
appropriate because: (1) in the IRAS lab environment, the issues
of criticality are addressed from a functional and structural
point of view only and not from an implementation point of view;
and, (2) the IRAS is required to be very flexible so that
different architectures and algorithms can be developed and
analyzed.
8
I,
FCC	 DCPU	 Clu	 COIL CHANNEL
B
C
D
FIGURE 2 IRAS QUAD CONFIGURATION
FCC	 DCPU	 ARBITRATOR	 clu	 COIL CHANNEL
A
8
C
D
FIGURE 3 IRAS QUAD CONFIGURATION WITH ARBITRATOR
9
i
A configuration of the IRAS which includes the Arbitrator is
shown in Figure 3. The major characteristics of this
configuration are:
1. Communications among channels are minimized (no cross-
strapping) which reduces design complexity and parts
count.
2. Communications between corresponding FCC and DCPU pairs
are shown as serial or parallel digital dedicated links.
The capability to implement or emulate a bus
architecture to link the FCCs and DCPUs is also
provided. Issues related to the choice of appropriate
bus protocols are discussed later in this document.
3. A communication link which can be implemented through a
backplane common bus connection is shown between the
DCPUs. The IRAS provides that simplex bus interface to
support the configuration flexibility requirement. The
capability to emulate a redundant bus structure is also
provided so that related issues can be investigated.
This communication path provides the capability of
establishing voting planes within the DCPUs at the input
level, at the output level, or at any intermediate
computational level. The path is simplex in the IRAS,
but if it supports critical functions in a flight worthy
implementation, it must be redundant.
4. The communications between DCPU and CIU pairs are shown
as a serial or parallel dedicated links. A digital link
via the DCPU internal bus is also possible., The optimum
configuration is a function of whether the position loop
(outer-loop) closure is performed in the digital DCPU or
the analog CIU. These issues are analyzed later. The
IRAS has the capability of implementing or emulating a
variety of DCPU/CIU communications, including analog
communications and the communications via the DCPU
internal bus.
5. The Arbitrator is emulated in a microprocessor identical
to that used cor the DCPUs. It can be located in the
same DCPU enclosure to facilitate communication with the
DCPUs through the common backplane connections. The
Arbitrator also communicates with the CIUs which control
the relays to isolate failed channels.	 y	
i
i
i
10
RELIABILITY AND FAULT TOLERANCE REQUIREMENTS
The key feature of fault tolerant systems is the capability
of failure detection and isolation, and subsequent reconfiguration.
Inter-channel comparison monitoring and intra-channel self-test
techniques are used for this purpose.
Self-test techniques can only achieve limited coverage, less
than 100% when applied to complex digital equipment such as the
DCPU. Furthermore, a significant delay can exist between the
time of fault activation and the time of fault detection. This
is due to the long execution time often required by self-test
algorithms and by the low execution priority of these algorithms
in time-critical environments. However, self-test techniques do
not require an increase in hardware resources or hardware
complexity, because they are usually entirely implemented in
software. Self-test is often used, in a background mode, to
isolate failed components in a faulted channel and to select the
non-failed channel between the last remaining two, with a
probability better than 508 (and less than 1005). Self-test is
also used to determine the availability of components to perform
future tasks. Examples are preflight tests; and in-flight tests
to determine compliance with the requirements of equipment
availability prior to engaging critical functions, such as low
visibility automatic landing.
On the other hand, comparison monitoring has the capability
to rapidly and exhaustively detect and isolate faults, if a
minimum inventory of non-failed components is available.
Comparison monitoring is easily implemented in synchronized
configurations such as the IRAS. In these configurations, the
thresholds of the comparitors can be set to rather small values
for early fault detection while still minimizing the danger of
nuisance disconnects. However, comparison monitoring techniques
require hardware duplication, the implementation of voters, and
increased complexity of the interfaces not otherwise needed.
Comparison monitoring is primarily used in critical applications
to rapidly remove faulty components and prevent propagation of
errors throughout the system.
The IRAS structure provides the capability of implementing
self-test and comparative monitor techniques. A promising set
will be implemented and analyzed. It will allow the inclusion of
additional techniques to extend fault coverage, to decrease
detection time, and to more effectively utilize the inventory of
non-failed equipment, so that under any conditions, the maximum
number of operational channels is maintained. The initial set of
failure detection techniques to be implemented in IRAS is
discussed later.
11
rThe overall reliability and fault tolerance of a redundant
configuration is a function of four major factors:
1. The coverage of the fault detection techniques used.
2. The reliability of each component.
3. The level of redundancy provided for each critical
functional component, and
4. The level of cross-strapping existing among components.
Factors three and four establish what reconfiguration
capabilities are available after the failure of one or more
components. A reliability analysis has been performed on the
basic IRAS architecture shown in Figure 2 to determine the
relative merits of three basic configurations which utilize the
same number and type of components but have different interfaces
and reconfiguration management approaches. These three
configurations, outlined in Figure 4, are:
Configuration "A". Quad configuration. No cross-strapping
among channels
Configuraticti "B". Quad configuration. Cross-strapping
between DCPU and CIU.
Configuration "C". Dual-dual configuration.
The dual-dual configuration provides only a Fail-Op/Fail-
Safe operation, while both quad configurations provide a Fail-
Op/Fail-Op/Fail-Safe operation which is consistent with the FCC
and the TAFCOS actuator. A major functional difference between
the two quad configurations is that in configuration "A" the loss
of any FCCs or DCPbs implies the loss of the corresponding
actuator coils. Therefore, if two DCPUS fail, the performance of
the actuator is somewhat degraded even if none of the coils have
actually failed. In the case of configuration "B", the
performance of the actuator remains unchanged even if two DCPUS
fail, provided that none of the coils have failed. In fact, in
this case each coil can receive valid inputs from the remaining
operational DCPU channels.
The following assumptions have been made in the reliability
analysis:
o Separate dual power supplies are available for the FCCs
and DCPUS.
o Dual hydraulic lines provide the hydraulic power to the
actuator cylinder.
o The voters and the Arbitrator have zero failure rates
(voters and Arbitrator are not shown in the diagram).
12
i
^	 1
j
{j
ii
i
.,t
ri
POWER	 FCC	 POWER	 DCPU	 CIU&COIL	 ACTUATOR HYDRAULIC
.. .......	 SUPPLY	 SUPPLY
CONFIG. A - QUAD WITH NO CROSS-STRAPPING
4
CONFIG. 0 - QUAD WITH DCPU/CIU CROSS-STRAPPED
CONFIG. C - DUAL-DUAL
FIGURE 4 RELIABILITY DIAGRAMS - IRAS CONFIGURATIONS
is
o In all configurations, corresponding components have same
the failure rates.
o The failure rate of the actuator is typical of redundant
configurations.
The reliability diagrams of configuration "A", "B" and "C"
are shown in Figure 4. The diagrams clearly show the dependency
existing among stages. The loss of either of the two electrical
power supplies results in the loss of the two corresponding
channels, except in the case of the cross-strapped "B"
configuration. The loss of any component to the left of the
actuator, other than the electrical power supply, fails one
entire channel in configuration "A". By contrast, the cross-
strapping existing between the bCPU and the CIU/coil combination
in configuration "B" prevents failure of any components to the
left of the CIU/coil from failing the entire channel. In
configuration "C", the loss of any component to the left of the
CIU/coil fails one entire pair of channels.
The component failure rates in all three configurations are
shown in Table 1. The failure rate assumed for the actuator
is .01 x 10 - Failures/Hour which is too low for the
simplex configuration of the TAFCOS actuator. The value was
chosen because it is representative of redundant actuator
configurationsfor critical applications. The failure rate of
the other IRAs components has been estimated based upon the
reference noted in Table 1. It should be noted that the purpose
of this preliminary analysis is to access the relative merit of
each IRAs configuration rather than provide an accurate failure
rate of each configuration. In the context, the results of this
analysis do not vary significantly with small changes in
component failure rates, although large changes can effect the
conclusions. Efforts are being made to acquire more accurate
component failure rates which will increase the accuracy of the
absolute reliability estimate of each of the three IRAs
configurations.
The results of the reliability analysis are summarized in
Table 2. The first horizontal row of numbers represents the
total reliability of each configuration. The results show that
the dual-dual configuration has a failure rate equal to 5.2 x
10-7 Failures/Hour, fifteen times higher than the most reliable
configuration, the quad cross-strapped configuration (3.54 x 10-8
Failures/Hour). The quad configuration with no cross-strapping
bet^een the DCPU and the CIU/coil has a failure rate of 4.08 x
10- Failures/Hour, and it is only 158 more than the cross-
strapped configuration. Therefore, a preliminary conclusion
indicates that the rather modest decline of the predicted failure
rate does not justify the additional complexity of cross-
strapping.
The other data in Table 2 represents the percentage change
of the total failure rate as a result of doubling each component
failure rate. As an example, if the actuator rate is doubled
14
TABLE 1 COMPONENT FAILURE RATES
(FAILURES/HOUR)
r^
LABEL COMPONENT FAILURE RATE
(x10 8)
A FCC POWER SUPPLY 4
B FCC 145
C DCPU POWER SUPPLY 4
D DCPU 145
r
E CIU&COIL 200
F ACTUATOR .01
G HYDRAULIC SUPPLY 130
NOTE; FAILURE RATES ARE BASED ON THE STUDY
r	 "ASSESSMENT OF ADVANCED FLIGHT CONTROL SYSTEMS
RELIABILITY AND MAINTAINABILITY DESIGN,
QUALIFICATION. AND MAINTENANCE REQUIREMENTS"
T.	 BRADY - USAAVRADCOM-TR-82-D-MAY 1962
A—
15
I I^
C
TOTAL
CONFIG. A
QUAD
NO CROSS-STRAP
CONFIG. B
QUAD
CROSS-STRAP
CONFIG. C
DUAL-DUAL
FAILURE RATE 4.08x10-8 3.64 x 10 -8 5.2 x 10(FAILURE /HOUR)
COMPONENT
(F.R. x 1CFO) 
ELECTRICAL 32% 26% 14%POWER SUPPLIES
(4)
FCC 7 13 48
(145)
DCPU 13 13 86(145)
CIUSCOILS 1a 1 69(200)
ACTUATOR 25 27 6
(.01)
HYDRAULIC
POWER 87 98 29
(130)
0
{
T
i
i
r
1
i
s'
TABLE 2 CONFIGURATION FAILURE RATES AND PERCENT
CHANGE FOR 100% INCREASE IN COMPONENT FAILURE RATES
16
from the initial value of .01 x 10 -6 Failures/flour to the value
^.	 of .02 x 10- Failures/sour, the corresponding failure rate of
the two quad configurations increases by 258 and 27%. An
interesting result of this analysis is that the sensitivity of
CIU/coil failure rate is very small (18) in the cross-strapped
quad configuration, while it is substantial (188) in the case of
the quad configuration with no cross-strapping. The reason is
that, in the case of the cross-strapped quad con£iquration, a
failure of one CIU/coil component does not propagate to the left,
leaving the integrity of the FCC and DCPU unchanged. In the non
cross-strapped quad, the loss of a CIU/coil fails the entire
channel depleting the inventory of available spare components.
Although the results of this reliability analysis are rather
preliminary, they indicate that a simple straight forward quad
configuration with minimum interchannel interfaces provides the
required reliability and the required fault tolerance. This is
the IRAS configuration that will be implemented first.
FAILURE DETECTION AND RECONFIGURATION REQUIREMENTS
All the IRAS diagnostic functions are performed within the
DCPUs. They include all the functions previously performed
within the TAFCOS analog Electronic Servoactuator Control Unit
(ESCU) and additional functions which are primarily related to
the diagnostics of the DCPUs themselves. In each area, the
diagnostic capability of the DCPUs are only limited by the
availability of appro priate feedback variables, rather than by
the DCPU internal computational power. This is particularly true
in the case of the actuator set which in the current
configuration has a very limited number of health monitors.
While some of the diagnostic functions can be defined only
after the design of the IRAS is completed, the following
functions will be most certainly included in any design:
1. A comparison monitor of each coil current with the
corresponding command value. This test detects failure
in the servovalve and the CID electronics.
2. A comparison monitor of the demodulated LVDT position
feedback with the output of a software implemented,
servoactuator model driven by the same command. This
test detects servoactuator and LVDT failures.
3. A test of the power supplies.
4. DCPU cross-channel comparison monitoring. The
capability exists to implement cross-channel voting
strategies at the DCPU input plane, DCPU output plane,
or any appropriate intermediate computational planes.
^.	 The capability is provided with a backplane
communication link among all DCPUs.
17
S. DCPU self diagnostics.
6. Wrap-around tests.
Test strategies 1, 2 and 3 are executed by each DCPU every
frame time on an intrachannel test basis only, (i.e., in each
channel the DCPU only monitors equipment in its own channel).
This is consistent with the quad, low complexity non cross-
strapped configuration of the IRAS. The implication of these
tests is that if any of them fail, the channel is disengaged.
	 In
some cases, cross-strapping would allow the disengagement of the
failed component only, instead of the entire channel. As an
example, if one CIU is detected failed then the remaining
operational CIUs could provide the current input to the coil in
the channel of the failed CIU, if the CIUs and the coils were
cross-strapped.
Test strategy 4 provides several capabilities. A voting
plane at the DCPU output provides a catch-all failure detection
mechanism for DCPU and FCC failures. This is an inteachannel test
in which every operational channel compares its output with the
output of the remaining operational channels to determine if there
is agreement or disagreement within specified thresholds. One
additional voting plane, provided by the Arbitrator, might be
necessary to resolve disagreements among channels relative to the
status of another channel. Task 4 can also be applied at the DCPU
input voting plane to mask FCC failures.
Test strategy 5 is an intrachannel DCPU test strategy in
which the test sequence is organized according to the criticality
of t),e function to be tested. An example of this test sequence
foll:.ws. The first step initiated by the EDMC is the test of the
CPU instruction fetch and execution sequences. The next step is
the test of the DCPU power supply. A monitor card is needed to
support this test. Next the program memory and data memory are
tested. The program memory can be tested using signature analysis
methods: the data memory can be tested 'h7 forcing each code memory
cell to the values of 1 and 0. The last step of the test sequence
is a test of the DCPU real-time clock. This test can either use
watch-dog timing loops or the clocks of the other DCPUs. The
timing loop test consists of the execution of pretimed fixed
sequences of instructions. A fault of the CPU or clock is
detected by a difference which exceeds a threshold value between
the actual execution time and the prestored value. The real-ti,me
clock can be also tested by forcing a rendezvous among all DCI?Us.
A fault is detected whenever one DCPU is too early or tro late
relative to the other processors at rendezvous time.
Wrap-around techniques are very powerful for testing inter-
faces, I/O ports and converters. Test strategies 1 and 2 when
appli-d to coil currents and LVDT signals are examples of this
technique. Wrap-around can also be applied to: (1) the communica-
tions between EFCCs and DCPUs, and between DCPUs and CIUs; and,
(2) all the converters within the DCPU. Within the IRAs, wrap-
around techniques will be extensively used whenever feasible.
18
All the tests which have been described can be executed
during pre-flight and post-flight maintenance and diagnostic
procedures without limitations. The same tests with appropriate
modifications can also be used for in-flight failure detection and
isolation, but special considerations must be observed to avoid
conflict with the execution of the critical real-time control
algorithms. Within an active control channel, tests of the CPU
instruction set, the program memory and the power supply can be
executed during flight in a background mode within an active
control channel. The communica-tions between the EFCC and the
DCPU can also be tested provided there is sufficient additional
bandwidth in the transmission link. The data memory test cannot
be executed in an active channel in flight, because of the
destructive nature of the test. However, the test can be executed
in a failed channel, as a part of the failure identification
procedure.
One powerful feature of the IRAS is the capability of
1	 reconfiguring itself after one or more faults. Basically the
reconfiguration strategy is the following:
1. With no failed channel, every channel bears an equal load
and every actuator coil is energized to the same level.
2. After the first failure, the failed channel is isolated
and a gain adjustment is made in the ,remaining three
channels to compensate for the loss.
3. After the second failure, the second failed channel is
also isolated and another gain adjustment is made in the
remaining two operational channels to compensate for the
loss of the second failed channel.
4. After the third failure, no attempt is made to control
the servoactuaLir which is de-energized by removing its
hydraulic power.
Several strategies have been considered for performing these
reconfiguration tasks which lead to different IRAS configur-
ations. The strategies and corresponding configurations are
described in another section of this document.
DYNAMIC PERFORMANCE REQUIREMENTS
In this section of the report the.dynamic characteristics of
several IRAS configurations are analyzed. To support this study,
a digital simulation was developed ronsistent with the analog
simulation at AMES. A functional diagram of the simulation and a
table of constants are snown in Figure 5.
The simulation was configured to represent:
I. An analog FCC structure and an analog IRAS position loop
control configuration.
19
COMPONENT TRANSFER FUNCTION VALUES
DCPU/CIU KDCPU KCIUILIMITED
K	 ' K	 = 15.6ma/v
LIMITER	 +.32ma
K 8V = .0351 CIS/ma
SERVOVALVE K 8V
L IMITED
w = 1000 RAD/SECSA( S / W	 +1) (S /W e ll)s A	 8^ WSV =440 RAD/SEC
LIMITER
	 = f. 5 6 1 CIS
KA = 6.578 IN-SEC" !/(AS
ACTUATOR 1	 K A	 ^
LIMITED
^ = .036
S	 8 2 + 2KAWAS + WA wA=3608 RAD/SEC
LIMITER=f.4 5 INCH
LVDT KLVDT KLVDT_ 
2 2.2 2 VOLT/IN
x
DCPU
FCC	 y I KWoj t	 CIU	 mr► 	 SVF"Av 4
V
^--	 LVDT
POSITION LOOP CLOSWE - ANALOG
Cw	 ssnva
EEF DCPU V K^ t me VALVE o
LV LVDT
POSITION LOOP CLOSURE - DIGITAL
(J a ®.aN,iKM
FIGURE 5 DIGITAL SIMULATION FUNCTIONAL DIAGRAM
20
I(S190A) MOV9033d NOIlISOd
t
Vr
aZ
I
(8110A) MOVS033d 140111SOd
N
S
0
U N
W Q
ti W
W U.
^ h
~ a
x
(9130A) SOV8033d NOI11SOd
W
V
Wi
I-
N	 ^
x
P
Q
6
x
1
M
+'	 b	 O	 b	 .^
(9110A) %OVfiO33d NOI11SOd
A
L
z
O
F-
a
z
{LL
w
M
W
W
3
a
V
z
0 J
a az
LL Jfd»
Z
y
LL.
O
W
u cc
zo LUW
O (a V
ul
cc
r f. U.
L1.1
N cc
LL
21
tr
U
W
H
1
N
>	 x
n
d
a^
LL
a
(9110A) ^0V90334 NOI11SOd
N
x
d
LL
H7
CL
Z
N
x
d
W
Q
IL
f
0
7
a
W
Hw
W
H
(9110A) )IOVS033d NOIIISOd
2
OP
aN
Z
W
2WJ
a!
CLz
/rteV
O W
u J J
A z U
w Q lA
~ W J
Y U.
IL O
O WW
I
(9110A) )IOV00334 NOI11SOd	 W
m
O
W
cc
LL
Wf^
O
a:
I
N
e.
{
t
22
10
FREQUENCY-HERTZ
0
f
r
0
-.s
0
-2
J
-2.5
dC
-3
-3.5
-4
0
N -20
W
Wic(5
o -40
W
J
C7
i -80
W
N
d -80
-100
LINEAR
-- 10% FULL SCALE (FLOW LIMITED)i
	
•-- 50% a	 ff	 er	 N
FIGURE 8 FREQUENCY RESPONSE, ANALOG INPUT &
k.	 IMPLEMENTATION, EFFECTS OF FLOW LIMITER
23
f.
^	 d	 N	 V	 `^	 j	 1
(S110A) NOd8033d NOIIISOd
i
a'
zO
QH
z
w
2
wJ
CL
off
I—
a
z
(a 0
^ W Q
F^ Q
	
r	 w
	
•	 N
z0
^ a
	
.	 en
w
cc
CL
N w
N
.	 w
O
C7
O LL
A,
;i
24
	 i,
INPUT FREQ. 1
.a
I HZ	 o
-.S
.1
--•^A' V o..w•ro
r
Y
u
r0W
WW
F
r
O
a
3 HZ
Y
r
Y
V
<r
W
rr,
^	 F
YO
P
f-T
9 HZ
50ms
	
FCC SAMPLE RATE
	
20ms
TIME (SAC)
r
u
v 0W
A	 i
0 .1	 .3	 .3	 .A	 .6	 .6	 .7	 .!
TIME (SEC)
TIME (SEC)
I ^.• 't0s' ^p '27A• ea °-164,
TWA (SEC)
TWE (SEC)
	 TIME (SEC)
ANALOG INPUT (PA
----DIGITAL INPUT (pp
FIGURE 10 FREQUENCY RESPONSE, ANALOG IMPLEMENTATION,
DIGITAL VS ANALOG INPUT, 10% FULL SCALE
25
80
co
W
Lu
60
uj
b
QJ
LU 40
Q
a
20
Y
M6
100
0	 2	 4	 8	 8	 10
INPUT FREQUENCY (HERTZ)
FIGURE 11 FREQUENCY RESPONSE (PHASE LAG)
ANALOG IMPLEMENTATION, 10% FULL SCALE.
EFFECTS OF DIGITAL INPUT
i
r
^j
26
2. A digital FCC structure , and an analog IRAS position loop
control configuration.
3. A digital FCC structure and a digital IRAS position loop
control configuration.
Analog FCC/Analog IRAS
This configuration is impleme
with the AMES study simulation and
which the other configurations are
configuration, all the integration
A of Figure 5-A are set to 1 msec,
duplicate analog behavior.
ited to demonstrate the agreement
to establish a benchmark against
evaluated. To analyze this
steps and the interval of Sampler
which was found adequate to
The dominant closed loop roots are related to the actuator
dynamics. The damping ratio and the natural frequency are
respectively S = .85, w = 26.2 Hertz. The time responses to
sinusoidal inputs are shown in Figure 6 for a 108 full scale (FS)
input size and in Figure 7 for a 508 FS input size. These results,
summarized in Figure 8 1 are consistent with those of % the AMES simula
-tion. The effects of the servovalve flow limiter, set at .,561 cis,
are clearly visible especially for high frequency inputs (5Hz) of
high amplitude (508 FS). In this case, the flow limiter is respon-
sible for a phase lag of about 50 degrees and an amplitude gain of
-2.5 db. Throughout this report, the phase lag values represent the
phase shifts between the input signals and the corresponding system
outputs; negative values represent outputs lagging input signals.
When a comparison is made with a "benchmark" configuration, then
negative delta values represent additional output lag with respect to
the outputs of that "benchmark" configuration.
The system response to step
sistent with the previous cases,
more pronounced for large inputs
inputs is shown in Figure 9. Con-
the effects of the flow limiter are
(508 FS) than small inputs (108 FS).
Digital FCC/Analog IRAS
This configuration is implemented to analyze the effects of
digitized FCC input commands. A major effect of digitized commands
is to introduce phase lag in the system dynamic response as a result
of (1) time skewness between the FCC and DCPU frame times, and (2)
the sampling process which permits the system to sense and react to
a continuously varying input at sampling times only.
In this analysis, it is assumed that the FCC and the DCPU are
synchronized and that no time skewness exists between the correspond-
ing frame times. If this were not the case, an additional lag would
have to be added to the results of this analysis to account for that
factor. The analysis is performed for an input amplitude equal to
108 FS to minimize the non-linear effects of the flow limiter. In
Figure 10, the dynamic behavior of this configuration is directly
27
compared to the dynamic behavior of the previous configuration which
was based on an analog FCC. The analysis considers 2 FCC sample
rates: 20 cosec and 50 msec; and, 3 input frequencies: 1 Hz, 3 Hz,
and 9 Hz. The additional phase lag of this configuration, compared
to the previous, is an increasing function of the input frequency
and a decreasing function of the FCC sample rate (Figure 11). The
divergent trend of the phase lag versus input frequency for a FCC
sample rate of 50 msec might be due, at least in part, to the input
frequency (9 Hz) approaching the Nyquist frequency (half of the
sampling frequency, .5 x 20 Hz = 10 Hz). Step responses are shown
in Figure 12, and in this case no appreciable differences exist
j	 between a digital and an analog FCC, and the two curves overlap
almost exactly. It is interesting to note that the relatively high
ratio of feedback loop gain to forward loop gain is responsible for
the slight overshoot observable with both sinusoidal and step
inputs. The word length does not appear to be a significant factor
in this analysis. in fact, if the FCC and DCPU are assumed to be 16
bit processors then the system can measure 32767 discrete levels in
either direction. If. 12 bit Analog to Digital (A/D) and Digital to
Analog (D/A) converters are used then 2048 discrete levels are
available in the positive and negative direction. This corresponds
to an accuracy of ,t, .058 or t .005 Volts of t 10 Volt FS. In the
case of an 8 bit processor and conversion, an accuracy of ± 1.8 or
± .1 Volt of t 10 Volt FS is achievable, which is probably not
adequate.
Digital FCC/Digital IRAS
This configuration is implemented to analyze the effects of
digital position loop closure and the relationship between the FCC
and DCPU frame times. In Figures 13 through 15, the dynamic
behavior of this configuration is directly compared to the dynamic
behavior of the previous configuration, based upon an analog
position loop closure. The analysis is performed for an input
amplitude equal to 108 FS to minimize the non-linear effects of the
flow limiter and DCPU sample rates of 5 msec and 10 msec are
considered. The following conclusions can be drawn:
1. No significant phase lag is added to the system dynamics by
digitizing the position loop closure.
2. The overshoot characteristics, also observed in the previous
configuration, are much more pronounced in this configuration.
In the case of a sinusoidal input, the overshoot is a
decreasing function of the DCPU and FCC sample rates. For a 50
msec FCC sample rate, the overshoot is 10.8% in the case of a 5
msec DCPU frame time and 25.58 for a 10 msec DCPU frame time
(Figure 13). For a 20 msec FCC sample rate, the corresponding
values are .18 and 7.38 respectively (Figure 14). The %
overshoot does not change with the frequency of the input as
long as the operating point is within the linear range of the
servovalve. In the case of a step response (Figure 15), the
overshoot characteristics improve with faster DCPU frame times
but do not change as a function of FCC frame time.
u
d
i
.R
t
i
{
i^
i,
28
(SllOA) MOV13433d NOIIISOd
	 P
a
r'
r
T
n
O
Q J
W
W
PI J
IL
J
J
a
=
Q
W a
aW
=F•
y
V
'
O
0
0
a
Z
LU
c+^ CC s
WN >
N
'
y aN ^
W
t
CS
O
'1„
29
(1) nee
-32A*	 21.7'
T..^
INPUT FREQ.IF
L
0
ti
O
4.
le
u
O
•O
I	
a	 .1	 .2	 .3	 .4	 A	 .4	 .7 	 .1	 .9	 1
I HZ
3 HZ
9 HZ
sms	 DOPU SAMPLE RATE	 1 oms
T" (SEC)	 TWE (MC)
—ANALOG LOOP CLOSURE (PA
---- DIGITAL LOOP CLOSURE 4p
FIGURE 13
FREQUENCY RESPONSE,10% FULL SCALEFCC SAMPLE RATE 50ma
DIGITAL VS ANALOG POSITION LOOP CLOSURE
30
(1110A) s10Y1033i H0111104i
.p 
O
a
co0
a
Ui U
I IL
ORIGINAL PAGE 13
OF POOR QUALITY
d r,
L
n
9' •
"•s
xn
0
.1i.
.s IC	 m	 "
IF 	 .,,.0	
n
"	 r4	 O	 V	 O
1110A) 510v1033i N0111104
31
1""y l	 ''f SX-'1
N y
O
=
V
aR O
O
N zOZ
o
N O
Ic}„
V
ui
0
0 0
Z
0
CC
0
C
y
0
a
0
U.
d
V U UA 1..L7
0 0
O 0
0
0
J
0
I
1
a
coEa
N
U
U
i	 U.
r
N
=
Eio
a
N
*to
E
a
U UO O
F
t
U
FCC 60ms
DCPU 6ms
P
s
uu
FCC 60ms	 EY
Di CPU loins
P
s
i
JrL
Y
FCC 20ms	 3
DCPU10ms
3
i
Y
.11
T
a
Tr[ ("M
--
ANALOG LOOP CLOSURE
----Gr^IGITAL LOOP CLOSURE
FIGURE 16 STEP RESPONSE, 10% FULL SCALE,
DIGITAL VS ANALOG POSITION LOOP CLOSURE
32
LO
aN
w
a z
Q L7
N
v a
WT
 d.
J GCC
V
N CCto J 0
U.
c O
C7 O 10-
V- WU.
Z WO e
a EN CW T
W VN D
O < V
z
z0 w
C
I^ wU.
3
w ^ ^
^• o^ d
h
r^	 I-w
e•-
r	 V)i
E
m
uo
Y
y
mE
0r
aU
D
Y
IuwAl yorwau *a+I+a(1110A) NOVOC333A N01119041
0
33
ii
The overshoot characteristics can be reduced substantially by
reducing K CPU? the forward path gain (Figure 16). In the case
of a 1 Hz input sine wave, the overshoot was reduced from 25.58
to.28 by reducing P(DC U from 15.6 ma/V to 10 ma/V. The
corresponding overshoo values in case of a step input are 25.58
and 58 respectively. A side effect of the KD pU reduction is an
Additional phase lag of 3 degrees for a 1 Hz ^nput.
Effects of Digitized Input Commands on Servovalve Activity
In any configuration which uses digital FCCs, the input to
the servoactuator controller is in a digitized form, irrespective
of the servocontroller architecture. When a continuous input,
such as a sine wave or ramp, is digitized, it is converted into a
series of small step inputs. The results of the analysis
previously described confirms that the high frequency and the
small size of these steps are such that the dynamic response of
the actuator is generally only slightly effected by the
digitization process. However, the effect of the digitization
process on the servovalve activity is quite dramatic, and may
cause undue wear and fatigue not only of the servovalve spool but
also of the hydraulic lines. This -n turn might produce
premature failure or might negatively effect the preventative
maintenance schedule and the projected life of the equipment.
In Figure 17, a comparison is made between the servovalve
flow in an 311 analog system and the corresponding flow in three
configurations whi p^t, use digital FCCs. A FCC with a frame time
of 50 cosec and 1 Hz sine wave input of amplitude equal to 108 FS
were considered for this analysis. In all three digital input
cases, the servovalve activity is clearly much higher than in the
case of an analog input. It is also evident that the activity is
higher when digital, rather than analog position loop closures are
considered. In the case of digital loop closures, the servovalve
activity increases with the DCPU frame time. In all cases, the
power spectra density has a very high peak at 20 Hz, which is the
input sample rate. Minot; peaks also occur at integer multiples
of 20 Hz; the amplitude of these peaks is a decreasing function
of the frequency.
A possible solution to minimize the servovalve activity in
the case of a digital loop closure, is to sample command and
feedback signals at the same time. By doing this, the servovalve
driver, the difference between command and feedback, is also
computed at the sample time only and does not vary between sample
times as the analog feedback does. For a ramp input, and in a
condition of dynamic equilibrium, a constant error is developed
between sampled input command and sampled feedback signal, and
the resultant servovalve response is a constant spool
displacement to develop a constant flow rate. The disadvantage
of this solution is that it effectively requires the closure of
the position control loop at a rate equal to the FCC frame time,
and this relatively low computational rate will degrade the
actuator dynamic performance to unacceptable levels.
34
uY
31 x
DIGITAL +
LOOP
CLOSURE e
DCPU Ems s
0
2
0
0
WJ
0Q
a
•	 Y
0
Y
a
aW
e
TIME SERIES
1	 A
-,e
POWER SPECTRAto
ANALOG
LOOP W 4CLOSURE 3V 00
2
0
.6
r
s	 1
Qd
WJ
0a
aW
r
-,s
O .1	 .2	 A ,4	 ,6	 rb	•7 .6 ,0	 1
tc
DIGITAL I
LOOP W
CLOSURE
DCPU 10mts ; .0
1
IT 16%
•
I 10 20
TIYE(SEC)	 FREQUENCY-KERTZ
— ANALOG INPUT/ANALOG IMPLEMENTATION
----DIGITAL, INPUT/ANALOG OR DIGITAL LOOP CLOSURE
FIGURE 17 EFFECTS OF DIGITAL INPUT ON SERVOVALVE ACTIVITY,
k,	 10% FULL SCALE, FCC SAMPLE RATE 50ms, INPUT FREQUENCY 1 HZ
35
36
1	 1	 1	 1
S33mam-3-lJNY 3SYHd
CD 
C 
O O
z O Oa
a	 (	 i	 I
IJJ
R
•	 6
i1
r^
ry
I
,
CO	 O	 s	 H	 O N	 • O m
"o
^zz
W
O
W
LL
^O
W
N
Js
¢O10 zr
"
0
Uw
FN
W
F-V
a
v
W
LL
VH
Gz
co
W
tL
i'
N	
C
N r	 .Oe
1	 i	 i
qP-3CA119d VIV
0
^z
W
4W
¢
^ LL
p W
N
.1
t
i O
O Z
a
O
n
O
'D
A more realistic solution to the problem, ap plicable to both
digital and analog closures,, is to apply notch filters on the
digital input command. Notch filters can drastically reduce the
frequency content of input functions at a given frequency while
having little impact on all other frequencies. In Figure 18, the
rt	 characteristics of a generic notch filter are shown. To satisfy our
requirements, the corner frequency of the filter is equal to the FCC
frame time and the natural damping is selected to be .1, a
compromise between the requirements of high suppression at the
corner, and low distortion in the remaining frequency region. In
Figures 19, 20, and 21, the effect of applying a notch filter to a
i	 digitized input is shown for an analog position loop closure and for
digital position loop closures with DCPU frame times of 5 and 10
msec. The results are summarized in Figure 22. It is evident that
the notch filter drastically damps the sampling frequency in all
cases. As an example, in the case of a 1 Hz sine wave input of
amplitude equal to 108 FS and a DCPU frame time of 5 msec, the 20 Hz
power spectrum peak is reduced from a value of 9.08 to a value .28
by the notch filter. However, it is interesting to note that the
second harmonic (at 40 Hz) is reduced by a much smaller amount; in
this case, the power spectra value is reduced from 1.6% to .78.
The effects of the notch filter on the actuator dynamics are
shown in Figure 23 for a 1 Hz sinusoidal and a step input. Only
small variations exist between the analog loop closure and the
digital loop closure with a 5 msec frame time. Additional
distortion appears in the case of a 10 msec frame time. The phase
lag induced by the notch filter is about 9 degrees, for a sinusoidal
input and DCPU frame time equal to 5 msec. In the case of a step
input and digital loop closure, the time to reach 908 of the command
input is more than doubled when a notch filter is applied to the
input (Figure 24). The results of this analysis are preliminary in
nature, however, the following conclusions can be drawn:
1. A notch filter, applied to the digitized input command
from the FCC, can effectively damp the servovalve
activity at the sample frequency. The effect on higher
harmonic is not significant.
2. A notch filter adds a phase
response which increases as
time.
issues which need to be further
1. Analysis of the effect of h
activity on the maintenance
of the actuation system.
lag to the overall system
a function of the DCPU frame
investigated include:
igh frequency servovalve
schedule and life expectancy
2. Effects of notch filter induced phase lags on overall
system performance.
`k	 3. Methods, other than input filtering, to reduce the
effects of digitized inputs on servovalve activity.
37
,	 .	 _	 j
§W
$ -
Z ^	 \
uj
	 i
a
k	 0Q n 	 ^
§ gj
 .	 \	 \
	
O <	 LL	 <}
q f 3 0
	
e	 z	 /•\
(0
t	 \
w
^	 @
,	 e
§	 ^
\	 ^	 \
§	 }	 \
)^
LU	 {	
.
§	 § ^	 l
.	
.
2I	 \
z_	 \	 \)
a ^	 ^
14 uj
UJ	 R	 }
cc 2 cc
«
©	 \	 \	 \
^ba
n 	 }	 \	 {
§ ^ § § {
910-IAO,3AIQaW30^
,
n
e
ja
snow W3MOd
a
W}
^ n
m
m
v
.	 \
m
30CL
,r m«e_d`
0
\ \
k
% V11103dS U3MOd
OW HCC D
wa
J ?
SIO- M01d 3AIVAOAU3S
39
SIO- M01d 3AIVAOAUSS
O^
Qa
F. U
Zo
o	 W 
E
LU of
CLJ O
N
W
Q Q
^W
^r J
—aa^
~a
H
CLp Z U
W J Wq
cc 
''
~RR Zi P
LL
O Z
zW
O 
3
— O
^LLy
W ~
^. G.
Z
O om
3	 U i
r	 ^ Q
Q.
O <	 J_
Z
< D	 UZ
I0z oV.
% VUL03dS U3MOd
0
W
^ z
LLZ
7
It ,
0
m	 b	 V	 N	 p
U
w
IL
CO
x
W
O
CL
0
r
N
w
FE
w
V)
w
F-
mw
a
oc
w3
a
% VW103dS',3MOd% VW103dS U3MOd
4
V.
cc
v
W
LL
910- M09d 3AIVAOAU39 910- M01A 3AIVAOAM38't,.
0
W Z)
5z
W
z
m
{
W FU^
wa
J Z
LL
QiJ h
z
ac
i
m
w
E
w
0)
w
H
W
w
W
e
Ezo
o
^a
^v
zaW
W O
CL
m FW-
4 CC
WJ
oa
^:E
F,. a
ay
CL
z V
N d^
J 6:
a
^ta
52
aLL
O Z
z W
O O
Z H
UJ
IL Zr
V J
Q a
w
LL, JJ
= a
vw
0 0
 
OV.
40
11
A2 (w) x 1002
A MAX
40HERTZ
is
1(
f
3
4
20 HERTZ
10	 20	 30	 i0	 20	 30
INPUT— % FULL SCALE	 INPUT— % FULL SCALE
1 -DIGITAL IMPLEMENTATION (DCPU Smeec) -FILTERED INPUT
2- ANALOG IMPLEMENTATION-UNFILTERED INPUT
3-DIGITAL IMPLEMENTATION(DCPU Bmeec) - UNFILTERED INPUT
O-1 HERTZ INPUT
17-RAMP INPUT (100%F.S./SEC)
A MAX •681 CIS
FIGURE 22
EFFECTS OF DIGITAL INPUT ON SERVOVALVE ACTIVITY,
POWER SPECTRA AMPLITUDE OF FLOW RATE AT 20 &40 HERTZ
41
1 HZ
ttwx ("M
WITHOUT NOTCH
---- WITH NOTCH
FIGURE 23
EFFECT OF NOTCH FILTER ON POSITION CONTROL,
10% FULL SCALE
42
1
f
I
i
M
F,
P
i
1
•
I
I5
Ei
r
Y
u
s
n
W
V
nOa
r
•
V
Y
u
t
n
0WW
W
O
L
Y
Oa
i
:r•i
I
Y
udn
0W
W
h
nOa
a
u
ANALOGg
IMPLEM.
N
r
O
J
n
O
DIGITAL
IMPLEM. n
DCPU 6me
0
Oa
h
DIGITAL
IMPLEM. n
DCPU 10me LL
O
H
W
a
STEP
TIME (4EM
60
40
v 30
mHE
w2
f- 20
10
0
0	 b	 10
DCPU SAMPLE RATE (msec)
FIGURE 24 EFFECT OF NOTCH FILTER ON TIME
TO REACH 90% OF COMMAND, 10% FULL SCALE
'A.
43
I.
HARDWARE REQUIREMENTS
The objective of this effort is to provide a flexible,
powerful environment where the feasibility of an Intelligent
Redundant Actuation System can be demonstrated and where related
issues can be analyzed and competing •.onfigurations evaluated.
Furthermore, this objective must be achieved in the most cost
effective manner. This effort is not involved in resolving or
addressing packaging and environmental issues and compliances
with reliability and safety requirements typical of flight worthy
implementations.
The high level program requirements translate into the two
following hardware requirements:
1. Use of off-the-shelf commercially available products
must be maximized. Examples of this type of equipment
are the DCPUs and the Arbitrator's microprocessors.
2. Use of the existing TAFCOS hardware or hardware design
must be maximized without compromising the IRAS research
objectives. Examples of this type of equipment are all
the interfaces with the actuator.
These requirements are applied to all the major hardware elements
of the IRAS: DCPU; Arbitrators CIUS Tests; and Interfaces.
DIGITAL COMMAND PROCESSING UNIT (DCPU)
The major decision relative to the DCPU is the selection of
an appropriate microprocessor which can meet all the current and
projected computational requirements and which is well supported
by a vast assortment of software and hardware tools. For this
purpose, a set of evaluation criteria have been established and
the selection has been performed consistent with those criteria.
The two major high level evaluation criteria for the
microprocessor are: the computational capacity and the
availability of high quality development tools.
The computational capacity of the selected microprocessor
system determines the maximum achievable algorithmic complexity
and iteration rate. Processor attributes which effect the
computational capacity are the architecture, the clock frequency,
the characteristics of the compiler when a high order language
(HOL) is used.
A processor architecture consists of the instruction set,
word size, address space, registers set and addressing modes.
These components combine to determine the minimum number of
instructions required to implement specific algorithms.
Architectural attributes favoring high computational capacity are
a large word size (16 or 32 bits/word rather than 8 bits/word); a
powerful instruction set; a large address space; a register set
44
which includes several 16 or 32 bit general purpose registersi
and several addressing modes which allow great flexibility in
accessing data. The instruction execution time is determined by
the CPU clock speed, by the number of clock cycles required to
execute an instruction, and by the memory access time. The
architecture and the instruction execution time, ultimately
determine the computational capability of the system.
Software and hardware development tools must also be
evaluated. Software development tools are programs such as SOL
compilers, SOL symbolic debuggers, assemblers, linkers, coverage
analyzers, etc. Hardware development tools are processor
specific electronic devices such as logic analyzers and in-
circuit emulators, which aid the development of system hardware
and software. A SOL compiler and SOL symbolic debugger are the
two priority software tools required for the IRAs project. A
logic analyzer is a very desirable hardware tool.
The SOL compiler is notably the most critical software tool
and the quality of the code generated is the primary attribute.
Code quality is determined by the number of machine level
instructions generated for each high level language statement. A
high quality compiler will usually generate two or three
instructions for each SOL statement, tf the target architecture
is powerful. A good compiler will not generate unnecessary
assembly code, which unduly increase the execution time. It must
be very reliable and produce clear diagnostic messages. Also
t very important is a SOL symbolic debugger which allows the user
to control program execution and examine and modify the program
at the SOL level.
The most important hardware tool is a logic analyzer which
is used to trace program execution in real-time, and to detect
timing and synchronization errors. A logic analyzer is also
useful in monitoring the execution time of critical program
sections.
An evaluation has been made of commercially available
microprocessors for performing the function of the DCPU in the
IRAs system. The evaluation activity measured each
microprocessor against the DCPU requirements and reached the
conclusion that one microprocessor is superior to all others for
this effort. The following describes the results of the
evaluation and the justification of the selection.
The experimental nature of the IRAs system requires a high
level of computational capacity. This requirement limited the
in-depth analysis to the high performance microprocessors,
specifically the Intel 8086 family, the Motorola 68000 family,
the National 16000/32000 family, and the Zilog 28000 family.
^Y
45
ntf
Early consideration was also given to the Intel 8051, 8048 	 jl
and 8096 processors. This series of processors are considered
suitable for flight worthy implementations because they contain
several on—chip support functions which reduce the number of
components required to implement a system, and ultimately reflect
in reduced cost and increased reliability. However, their weak
support and low computational capacity make them inappropriate
for the IRAS lab environment.
T ;i the early stages of the evaluation, the National
Semit-nductor 16000/32000 processor family was determined to be
unacceptable. While this family of processors has a very powerful
&,rchitecture, it lacks hardware and software support. The same
lack of hardware and software support was also determined for the
Zilog 28000 family.
Therefore, the analysis was focused on the Intel 8086 and
the Motorola 68000 families. Both processors were found to be
strongly supported in the hardware and software. Hardware
support includes several board level products, logic analyzers
and in—circuit emulators. Software support includes several
resident and cross SOL compilers, operating systems, and SOL
symbolic debuggers. Hardware and software support, instruction
set, and addressing mode, are equiv€lent for both processors.
However, evaluation of the computational capacities of the 8086
and 68000 revealed that the 68000 is a more powerful machine than
the Intel 8086. Architectural advantages of the 68000 are the
register set, the partial support of 32 bit integers, and a 208
faster clock rate, so that the average execution time of several
programs was 308 faster in the 68000 than in the Intel 8086.
Some of the major architecture differences between the two
machines are:
o The 68000 has sixteen 32 bit registers which are used
in a consistent manner by the instruction set; while
the 8086 has twelve 1G bit registers that are not used
consistently by its instruction set.
o	 The 68000 has more available registers with more bits
per r,egistefc than tF,e 8086. This reduces the number of
instructions to load and store registers, thus reducing
the number of instructions required to implement an
algorithm.	 / /'
The consistency in which the 68000 uses its register set
also minimizes the number of instructions required to
implement an algorithm. In fact, this eliminates the
need for "register transfer" instructions that would be
required if the register containing the instruction data
could not be used by the instruction.
The architectural advantages of the 68000 are proven by
various benchmarks where the 68000 outperforms the 8086 by 20 to
40 percent relative to execution time. Thus, the high level of
46
If.
k.
hardware and software support and the superior computational
capability of the 68000 processor family is the justification for
its selection for the IRAS project.
ARBITRATOR
The primary function of the Arbitrator is to determine the
failed or operational status of each channel and set appropriate
status flags to the correct value based on information from all
channels. The four health status flags, one for each channel of
the quad system, are:
1. Transmitted back to the DCPUa no that appropriate gain
compensation can be made by all operational channels.
2. Transmitted to the CIUs so that the failed channels can
be appropriately isolated.
The function of the Arbitrators is very critical, and
therefore, in a flight critical environment the Arbitrator should
be highly reliable and fault-tolerant. In the laboratory
environment of the IRAS, issues related to flight worthy
implementations are not addressed; instead emphasis is placed on
capabilities to emulate and analyze a variety of functional
implementations so that the relative merits can be established.
Under these circumstances it is best to implement the logic of
the Arbitrator in software programs hosted in a dedicated
microprocessor. In this case, the logic can be easily modified
so that different concepts can be analyzed; the effects of
computational and data transfer delayR, can be realistically
asse.ased; and redundant configurations for the Arbitrator can be
emulated and evaluated.
A secondary function of the Arbitrator is to support the
tasks of simulation mode control and fault insertions for this
purpose directives are sent from the TCT to the Arbitrator and
then routed to the DCPUS via common backplane connectors, and to
the CIUs via dedicated digital and analog links. A dedicated
Motorola 68000 has been selected for the Arbitrator. Clearly the
power of the 68000 exceeds all the current and projected needs of
any conceivable Arbitrator configurations. In addition, there
are many significant justifications for using the same
microprocessor used for the DCPU such as:
1. The use of a common language, development environment
and supporting tools.
2. The commonality and flexibility of the interfaces
including those achievable through backplane
connections.
3. The possibility of using the excess power for future
research tasks and for auxiliary tasks such as
simulation mode control and fault insertion.
47
rr
i
4. Cost of savings resulting from buying a number of
Industrial single board processors.	 'I
CONTROL INTERFACE UNIT (CIU)
The primary function of the CIU is to perform all the data
conversion necessary to interface directly with the actuator,
including the coil current drivers, the LVDT modulation and
demodulationr and the actuator solenoid. An optional function of
the CIU is to perform the outer loop, or position loop, closure.
An alternate approach is to close that loop within the DCPU. The
implication of the choice between these two methods are
significant not only relative to the overall system dynamic
behavior, but also to the internal structure of the CIU and to
the DCPU/CIU interfaces. Some important implications are
discussed here.
If the loop closure is performed within the DCPU, then the
CIU is only required to convert and to scale the input command
received from the DCPU using a constant scale factor. In fact,
the tasks of computing the position errors and of adjusting the
control loop gain as a function of the failure modes or other
factors, is performed internally by the DCPU. The structure of,
the CIU current driver is rather simple in this case and it can
be implemented by using fixed gain operational amplifiers. The
i	 only needed data exchange to support these tasks is the transferfrom the DCPU to the CIU of one variable appropriately scaled:
the position error. A simple analog interface which uses
standard D/A converters can be used for this purpose.
If the position loop closure is performed within the CIU,
then the internal structure of the CIU and the DCPU/CIU interface
becomes'more complex. In fact, the variable loop gain is still	 d
computed by the DCPU as a function of the failure mode, airplane
state and control mode, However, it must be actually implemented
in hardware, within the CIU and then applied within the CLU, to
either the position command (from the DCPU) and the L,VDT position
feedback or, preferably, directly to the position error. In
either case, the resultant structure of the CIU current driver is
rather complex and requires the use of variable gain operational
amplifiers. The gains must be selectable within a discrete but
rather large set of values to fine tune the loop gain according
to the failure modes, the airplane state and control mode. The
interfaces between the DCPU and the CIU to support this function
involve:
1. The digital transmission. of a word to select the loop
gain, and
2. The digital or analog transmission of the position
!.t command.
s.
The digital interface can be implemented either by using the
DCPU backplane bus or a point-to-point digital parallel
48
interface.	 A serial point-to-point interface is less desirable
than the parallel interface because the nature of the task
requires parallel data.
The analog interface will be implemented with standard D/A
and A/D converters. A wide variety of off-the-shelf components
exist which can be used for these tasks. The accuracy achievable
with 8 bit converters is ±18. The accuracy achievable with 12
bit converters is ±.058, which certainly exceeds the needs. The
accuracy -equirements will be determined during the design phase
of this program.
TEST CONTROL TERMINAL (TCT)
The Test Control Terminal (TCT) performs three major
functions in the IRAS lab. It is the IRAS control station; a
software work station and host communications interface; and it
emulates the functions of the DigltiAl Pilot Display (DPD). The
TCT communicates with the DCPU, the Arbitrator, the EC and the
host development environment via RS-232 point-to-point serial
links. The test engineer controls the entire IRAS environment
from the TCT. He can select initial conditions; control program
execution; direct the data gathering and recording processes; and
trigger faults. The TCT also functions as a work station and
intelligent terminal for host communications. Software for the
	
•(	 EC and DCPU is stored on disks in the TCT, and loaded from these
into the system.
The Digital Pilot Display (DPD) is implemented in the TCT.
System status information and failure annunciations are
transmitted directly from the EC to the TCT and displayed on the
TCT.
The TCT must have sufficient hardware/software flexibility
and availability to support future growth. One promising area of
future research is the application of Artificial Intelligence
concepts to maintenance and diagnostics procedures. Ground-
based, expert system, maintenance and diagnostic programs could
be developed and executed in the TCT.
After considering all the current functional requirements
and future expansions, the IBM PC AT has been selected as the
best system to implement the functions of the TCT. The IBM PC is
the industry standard for medium sized microcomputers and a large
number of hardware and software packages are available for that
processor. In the area of Artificial'Intelligence, the PC hosts
both LISP and PROLOG, and there is a number of expert system
development packages currently available for the PC. The
computational power, execution speed and memory space of the IBM
PC/AT meet or exceed the current and projected requirements of
	
tl	 the TCT.
49
EMULATION COMPUTER (EC)
The primary function of the Emulation Computer (EC) is to
emulate the Flight Control Computers (FCC), the diagnostic and
maintenance computers, and the I/ 1) interfaces between the FCC,
ISCU and TCT. The EC houses the aeilated Flight Control Computer
(EFCC) software and the Emulated ..,ignoatic and Maintenance
Computer (EDMC) softwaret and, it contains the necessary hardware
for interfacing with the ISCU and the TCT.
The function of the EFCC software is to provide inputs to
the ISCU which emulate those from Digital Flight Control
Systems. The EFCC is initially configured as a synchronized
quadraplex system and hosts a simple driver program for the DCPU
which can be used by the test engineers to exercise the IRAS with
prestored inputs such as: step, ramp and sine wave. The
capability exists in the EFCC to implement dynamic, real-time
simulations of fixed wing and rotary wing vehicles. This
provides an environment to analyze the IRAS dynamic behavior, and
the interactions with the vehicle dynamics during realistic
flight maneuver. The EFCC also has the capability of emulating
various FCC architectures, such as triplex, dual-dual,
asynchronous, etc.
The EDMC software provides the on-line diagnostic
environment of advanced DFHW avionics systems by interacting with
the DCPU diagnostic software. The EDMC is initially configured
to gather data in real-time for off-line processing. Status and
failure information are stored in the EC memory during test
execution, then downloaded to TCT for later evaluation. The EDMC
can also initiate in-line diagnostics of a failed DCPU by
triggering the execution of self-test software resident in the
DCPU and it can monitor the results. More complex EDMC software
can actively participate in the diagnostic test by sending a
stimulus to the DCPU in the form of bit patterns and interpreting
the DCPU reactions.
The EDMC is initially configured to provide the real-time
functions performed by the Pilot Status Panel of the TAFCOS
actuator. This is accomplished by the EDMC transmitting to the
TCT in the number of failed channels: Or 1, 2 or more than 2.
The TCT utilizes this information to drive the appropriate CRT
frames which simulates the cockpit pilot displays. The
interfaces between the EC and other IRAS elements are described
in another section of this report.
As in the case of the Arbitrator, and for the same reasons,
the EC functions will be implemented in a dedicated 68000
processor.
1
r
r
50
FCC/DCPU IUTERFACE
f'	 The following tasks were performed to develop the functional
requirements for the FCC/DCPU interface.
1) A benchmark was developed to evaluate candidate
interfaces.
2) A preliminary analysis of five interfaces was conducted.
The benchmark can be used to assess the relative performance
of various interfaces. Absolute performance criteria could not
be established in this analysis, because of their dependence on
specific flight control system implementations. As an example,
the required bus transmission time can be a very important factor
in an implementat<,on where the bus is operating at or near full
capacity. Conversely, it can be a negligible factor if the bus
is operating at a small fraction of the maximum transmission
capacity.
For the purpose of establishing the system and message
benchmark structure, the following was assumed:
1) The FCC and DCPU architecture are quad.
2) The time critical communications from each FCC to the
DCPUs consist of four actuator commands, one for each
control axis. Each command requires the transmission of
two bytes.
3) The time critical communications from each DCPU to the
FCCs consist of four LVDT position feedbacks, one for
each of the four FCC channels. Each feedback signal
requires the transmission of two bytes.
4) Cross-strapping and non cross-strapping configurations
are used between FCCs and DCPUs.
For the purpose of establishing the interface benchmark
structure, the following was assumed:
1) In the case of bus interfaces, for a non-cross-strapped
configuration, each FCC has a bus controller and each
channel of each DCPU has a bus terminal. In a cross-
strapped configuration, each FCC must also have a bus
terminal interface.
2) In the case of dedicated interfaces and no cross-
strapping, each FCC is directly connected to the
corresponding channel of each DCPU.
3) In the case of dedicated interfaces with cross-
^w.	 strapping, each FCC is directly connected to all
channels of each DCPU.
51
t,,
The resultant data flow structures are shown in Figure 25
and 26 for non cross-strapped and cross-strapped configurations,
respectively.
Preliminary analysis
Five interfaces have been evaluated. They are:
1) MIL-STD-1553B serial date bus in broadcast and standard
mode.
2) Ethernet serial data bus
3) IEEE-488 parallel data bus
4) RS-232 serial point-to-point connection
5) RS-422 serial point-to-point connection
The broadcast mode of the 1553 bus has a different message
structure than those discussed earlier. In this mode, the FCC
transmits a message, and all terminals receive it simultaneously.
This structure is shown in Figure 27 for both cross-strapped and
non cross-strapped configurations.
Each interface was evaluated to determine the amount of
transmission time required to transmit all the FCC to DCPU and
DCPU to FCC messages. The detailed results are shown in Table 3
and are summarized in Figure 25 for non cross-strap
configuration, Figure 26 for the cross-strap configuration and
Figure 27 for 1533 broadcast mode.
The major conclusions of this analysis are:
1) The bus overhead is significant for all the evaluated
bus interfaces. The minimum value was obtained for the
IEEE-488 and that is 608 of the total transmission time.
2) None of the bus structures studied have adequate
performance to support 4-axis cross-strapped
configurations.
3) The 1553 bus does not perform adequately even in the
case of non cross-strapped configurations.
4) Ethernet is not appropriate for flight critical
applications because the mechanism to resolve bus
contention does not result in predictable transmission
times.
5) The only interface which might be marginally acceptable
is the RS-422 serial point-to-point connection.
s
52
kig
O
^q3 1 / 1
FCC
(I CHANNEL)
(4 AXES)	 1/1
I
i
1/1
1/1
DCPU
(4 CHANNEL)
(4 AXES)
CHAN-1
-= CONTROL
-S AXISOI
-0
-1
-2 02
-^
-4	 MESSAGE COMPOSITION
PER FCC CHANNEL
COMMAND 4 WORDS IS BYTES)
FCC+OCPU
FEEDBACK 4 WORDS IS BYTES)
-1	 DCPU-► FCC
_Z
_3
	
03
_4
f
CHAN-1
04
S
TRANSMISSION
CONFIGURATION '% OVERHEADTOTAL TIME
RATE MB/8EC TOTAL BYTES mosc
1853 NON- 1 320 3.2 80
BROADCAST
ETHERNET 1.25 1088 .87 94
IEEE-488 .25 180 .84 80
RS-232
.001 84 84 -(POINT TO POINT)
RS-422 126 B4 .268 -(POS(T TO POINT)
i	 n
FIGURE 25
E	 FCC/DCPU DATA FLOW, NO CROSS-STRAP CONFIGURATION,t
4 CHANNEL TRANSMISSION
53
II^
X	 DCPU
(4 CHANNEL)
(4 AXES)
CHAN-1
-2 CONTROL
Otvg	 -3 AXISO1
g!	 -4
4ig
1/1	 CHAN-1
FCC	 -2	 02(1 CHANNEL)	
-3(4 AXES)	
-4	 MESSAGE COMPOSITION
PER FCC CHANNEL
1/1
COMMAND 10 WORDS (32 BYTES)
FCC+DCPU
FEEDBACK 10 WORDS (32 BYTES)
	
CHAN-1	 DCPU-•FCC
-2
1/1	 -3	 03
^	 1l/ CHAN-1
	
2	 04
-3
TAANSMISSION
CONFIGURATION % OVERHEADTOTAL TIME
RATE MB/SEC TOTAL BYTES
maac
1663 NON- 1 1280 12.8 80BROADCAST
ETHERNET 1.26 4352 3.48 04
IEEE-488 .25 640 2.66 60
RS-232
,001 256 256 -(POINT TO POINT)
RS-422
.125 256 1.02 -(POINT TO POINT)
FIGURE 26
^.	 FCC/DCPU DATA FLOW, CROSS-STRAP CONFIGURATION,
4 CHANNEL TRANSMISSION
54
AORIGINAL PAGE IS
t1F POOR OUALRY
r
DCPU
(4 CHANNEL)
(4 AXES)NO CROSS-9 TRAP
CHAN-1/I
-2 CONTROL
-J AXI1*1bW  -4D
0
W
W
x
70- CHAN-1
FCC /
 -2(1 CHANNEL) -J •!(4 AXES)
4/
DCPU
(1 CHANNEL)
CROSS-STRAP (4 AXES)
M
CONTRC
WAXIS#1
<	 /14
w
W
CHAN-1
FCC
	 -2
h CHANNEL)
-3(4 AXES) 
y	 "//4
CHAN-1
11	 -2
	
♦ J	 •J
/4
I1 I -.-(
I-...1 11
MESSAGE COMPOSITION
PER FCC CHANNEL(NO CROSS- STRAP)
COMMAND 1 WORD (B BYTEB)
FCC.oCFu
FEEDBACK 4 WORDS IS DYTEB)
OCFu—FCC
2	 •4
-9
/4	 1
MISGA09 COMPOSITION
PER FCC CHAIINEL(CROSS-STRAPI
COMMAND 1 WORD (32 BYTES)
FCC+OCFu
FEEDBACK It WORDS (J2 BYTEB)
OCPu — FCO
TRANSMISSION
CONFIGURATION 111 OVERHEAD
_
TOTAL TIMERATE MB/SEC TOTAL BYTES mBBc
NO
11 224 2.24 71CROSS-STRAP
CROSS-STRAP .1 704 7.04 78
FIGURE 27
FCC/DCPU DATA FLOW, 1553 BROADCASTF CRO,SS — STRAP VS.
NON CROSS —STRAP CONIFIGURATION, 4 CHANNEL TRANSMISSION
ss
f
56
%,
O O Oh A q h
Fi-
N ^ h Y f N q f q tl O
Ip r,
 NN N
J 	 Z O Y to O O43 Y
N
10
O q fa
1 I-= NM
N
N
q
O q a q N Oh M fq
nN mNH m i
r
w w f
F0 O 10 n O O
q 10q p Y YF
o Y a O b N Y r r NM hr O r q tl
m
LU
f
N
> W ~
Osm 10 Y
n
N N
O O bN
M
.-
O q0 p O
r
# of
W TS
q q M O O q q M O O
F
m<O
w q m q q q q NM NM
N
M
N
M
N
M
N
M
6 ♦ m
U
O
W Y '
Y Y a fv ♦
U. 2
yM
J > 4 Y f Y Y Y Y rq„ ,^
m
F
m
c P
. to q q m q q NM q
N
M NM
N
M
N
M♦ m
an
w`
W Y ^' Y Y Y f qr ^, qw qr qr Or
a Y Y f Y Y Y r f a r r
61
"
St a< < W O a
toO< 03< W O N N
< =U y S ± N ♦ zu n V S N r
Q< < W W m m n< n< = W
W
yJ Q Q
r m
W W Q S
10
m dvata
m
U
-99 WO ON dvwj asoNo
i,
t
1Mn
bw
i n
NN
II
N
Nf1
Ol
R
1
U
W
m
M
I
W
F
Ir
3
O
m
m
Wz
<
IC
F
00
NMN1toM
n
N
11
q
q
f
W
W
W
m
N
r
I I
FW
2
ujW
F
W
In the succeeding phases of this program, additional bus
_	
protocols will be analyzed, which might be better suited for this
application. The new DATAC bus, under development at Boeing,
looks very promising.
r
14.
57
1\r^
SOFTWARE REQUIREMENTS	 11
li
The software needed to support IRAS can be functionally
partitioned into three areas as outlined in Figure 28.
o Application
o Executive
o Utility
The application software includes the servoactuator control;
the failure detection and isolation algorithms; the
reconfiguration management strategies; the simulation of the FCC;
and the pilot displays. The executive software provides
executive functions such as: scheduling of tasks; interchannel
and intrachannel synchronization; I/O interfaces and device
drivers; and interrupt servicing. The utility software includes
program execution control; fault insertion mechanism; data
collection and analysis; program execution monitoring; and,
software development tools.
All the application software, a considerable percentage of.
the executive software and a small percentage of the utility
software w-11 be developed exclusively for IRAS. The rest will
r	 be acquired from software houses and computer manufacturers in
(	 the form of standard software packages. Examples of this type
are language processors, debuggers, and operating systems. The
application software is hosted primarily in the DCPU processors,
except that the FCC simulation is hosted in the EFCC, and the
pilot display function hosted in the TCT.
APPLICATION SOFTWARE
The design of the application software will reflect the
requirements of being "user friendly" to the maximum possible
extent. In fact, the IRAS must be flexible and the flexibility
and reconfiguration capabilities are, for the most part, achieved
through changes of the application software. For this reason,
the following design guideline will apply:
1. The software will be highly modularized. The module
size will be limited to 50 lines of code or less and the
modules will be arranged in a hierarchical manner.
2. The software will be coded in a high order language
(HOL) using only structured constructs. As an example,
unconditional 'go to w
 to transfer control from one
module to another or within the same module will not be
p	 allowed.
^	 1
58
59
1%.
z
J
O
LYI.- z
z OO -^
v ^
Z W
'Al O NW
~ J H
,J ^ J
N U-
NW
z
0.' O
u^
0 N
W Z ...Z
.^ J O
X
11.! N N
atf
O
z F-
z ^-
u
W N z EJ .. z W 7..JN O FO
O^UJ HQ O J>
WQ 6
X
w
Q W q
NW
u
LL. N
LUw
W W
I= H
C! O.
Q u W
ZIm
^f
CL z
4
J UO O }
J W ♦•- F Q
JW Qp CL
"" A C=7 = .N_.Z N
W •• F A
O ^A Z N F
J
OU OJ
Wh (x ¢ u
a N U. w LL 01.
Wa
co cc
N crol
CC CC
U ar F
W
O
N
N
4
OG
3. Each module will include a preamble to explain the
function of the module and the module interfaces. It
will include a definition of each input and output
variable including: origin, destination, physical units,
and range of values. A section of each module will
contain the numerical values of all constants and all
"intziol conditions"r as well as the execution
requiftw%ments such as the execution sequence and the
required minimum execution rate.
4. Comment statements will be dispersed throughout the code
to facilitate the understanding of each statement or
group of statements.
EXECUTIVE SOFTWARE
The requirements for the executive software reflect purposes
and user requirements quite different from those of the
application software. The executive software providers the
structure needed for the proper and timely execution of the
application software. The most critical tasks performed by the
executive software are:
1. Provide a framework which guarantees the execution of
each application package within the required frame time.
If different algorithms require different execution
rates, then a structure which includes fast and slow
frame times must be provided. Within this structure, an
orderly progression of task executions must be
maintained (input/processing/output) to minimize
computational lags.
2. Provide several levels of synchronization such as the
FCCe, the DCPUS, and the FCCs with DCPUS.
3. Support the digital interfaces between the EFCC and the
DCPUS. These digital interfaces are implemented either
by a bus architecture or a direct link.
4. Support the digital interfaces within the DCPUS and the
Arbitrator. These interfaces are all implemented by the
backplane common bus.
5. Support the interfaces between the TCT and the IRAS,
These interfaces are implemented through an RS-232
digital serial link.
6. Support the driver of any special device such as D/A and
A/D converters.
7. Provide the modules needed to service clock and I/O
interrupts.
60
The executive software can support a wide variety of
applications and IRAs configurations and the only foreseeable
future changes are those which might be required to support
hardware extensions. The user is rarely concerned with the
implemroP34:ation intricacy of the executives; since his only
interett is in the capability that they provide. Therefore, the
executive software modules are not subjected to a high level of
visibility which was the case for the software application
modules. For this reason, and because the executive is much
closer to the hardware than the application software, assembly
code implementations are acceptable and indeed they might be the
only available solution in many situations. Visibility will be
provided in those user interface areas such as: setting of
execution iteration rate, input/output tables, etc.
UTILITY SOFTWARE
Utility software provides the following functions:
1. The overall control of the closed loop, real-time,
simulation environment.
2. The capability of simulating, evaluating or directly
inserting faults in the FCC output plane, DCPU,
Arbitrator, and CIU.
34 Some general capability of collecting data in real-time
for later analysis.
4. The capability of monitoring the execution time of
modulee or a group of modules and generating an alarm
when the maximum allowable time limits are exceeded.
5. The support of software development and verification
processes.
6. The support of off-line data analysis functions.
As previously stated, most of the utility software programs
and relative program documentation will be purchased from
vendors. However, some configuration dependent functions will be
developed exclusively for IRAS support. These functions include:
the simulation control, fault insertion capability, and the real-
time execution monitoring of the DCPU modules. The documentation
provided with these programs will primarily consist of "user
guide" directives with minimum documentation on implementation
details.
:L.
61
SOFTWARE DEVELOPKENT ENVIRONMENT p
f '	 Two software development environments are needed to support
J
the IRAS system.	 The first supports the IBM personal computer
architecture for the TCT and the second; the software development ¢
for the EC, DCPU, and Arbitrator. u
s
u
The development environment for the IBM PC consists of the
standard IBM Disk Operating System (DOS) and DOS utility
functions.	 This core system will be augmented with the following
packages:
1 3 	 FORTRAN, Pascal or "C" compiler;
2)	 TCT communications; and
n
3)	 Graphic capabilities.
t
The final decision between "FORTRAN", 	 "Pascal', or "C' as the BOL
for the TCT programs will be made during the design phase. 	 All
TCT communication links are implemented via a RS-232 se'*ial
interface including communications to the VAX and IRAS. 	 The TCT
graphic capabilities are needed to simulate pilot displays.
Two environments have been evaluated to support EC, DCPU and
Arbitrator software developments:	 one resident in a dedicated
68000 processor and the other hosted in a VAX minicomputer. 	 The
VAX environment was selected primarily for the following reasons:
^I
1)	 Better tool selections quality and pnwer,.
2)	 Excellent customer support which is practically
nonexistent for the 68000 environment.
4
3)	 Availability	 of integrated software development and
engineering analysis tools.
The core of the VAX resident software development environment
systems will consist of:
1)	 68000 cross-compiler, cross-assembler and linkers
	
and
2)	 68000 debug monitor.
The debug monitor is needed to perform the functions of program
downloading, reading and writing contents of registers, and k
memory execution control.
Probably the most important element of the development
environment is the EOL.	 A preliminary analysis has been
completed to determine which of four promising languages is best
suited for the IRAS application. 	 The four languages are: 4;
FORTRAN, Pascal, "C" and Ada. 	 The following was determined: `;5
62
Fortran The strengths are:
1) The language is well understood by most engineers,
even those without any formal computer science
background;
2) Good compilers and cross-compilers are available for
most processors; and
3) A large selection of engineering analysis tools is
available.
The weaknesses are:
1) The language has poor control and data structures;
2) It does not support type checking; and
3) It does not support recursive or reentrant
procedures.
Pascal The strengths are:
1) The language has good control and data structures;
2) It supports type checking;
3) It supports recursive procedure; and
A) Compilers are available for most processors.
The weaknesses are:
1) It does not support separate compilation modules.
Each module can not be compiled separately and then
linked with previously compiled modules. As a
result, a change in a single module requires the
recompila;.;.on of all modules.
2) It does not support external procedures; and
3) It does not allow the undesirable but sometime
necessary mixing of SOL and assembly statements.
(Some of the Pascal weaknesses have been removed in
dialects of the standard language; there are, however,
distinct disadvantages when a non-standard SOL is used.)
63
V"(ry
	 The strengths are:
1) The language has good control and data structures;
2) It supports low level programming features such as
logical AND/OR at a bit level and arithmetic shifts;
and,
3) It allows direct access of I/O registers.
The weaknesses are:
1) The knowledge of the language is not as widespread
among engineers as FORTRAN and Pascal.
Ada	 The strengths are many. However, Ada is not a mature
language, and no known validated production compiler
exists for the 68000.
Based on the preliminary analysis, "C" clearly is the bast
language. It is powerful and has features which make it very
well suited for a real-time, embedded application such as, the
logical statements at the bit level and direct addressability of
I/O registers. The language enjoys a rapidly growing popularity,
and many tools and advanced environments, such as UNIX, are built
around it. Unless some hidden incompatability with the overall
requirements of IRAS is detected, "C" will be the BOL language
for that system.
SOFTWARE DEVELOPMENT PROCESS REQUIREMENTS
The software development process is structured in three
phases: design, coding and verification/validation.
In the design phase, a hierarchical, top-down, module
structure will be developed first, followed by the specification
of each module. This orderly process is necessary to comply
with: 1) the IRAS flexibility .requirements, and ease of use and
modification; 2) all the functional requirements including
critical performance functions such as hardware interfaces and
iteration rates; and 3) the requirements for a minimum module
complexity. In this phase, testing procedures will be
established for each module and to the maximum possible extent,
for module integration.
The software coding process includes: the development of a
top-down module development plan; module coding; and module
integration. The module development plan is needed to provide an
orderly progression of module development and integration
consistent with the hierarchical module organization developed in
the previous phase. The module development plan will also
generate the testing procedure for module integration which could
not be developed in the design phase due to the lack of detailed
64
definition of some structures. 	 The complete integration test
r.. procedures will include tests of the interfaces, timing
synchronization mechanisms and execution sequences.	 Each module
_ will be coded in the order specified by the module development
plan.
The verifica'-ion/validation process will have the same top-
down structure as the development process. 	 This will guarantee a
"most critical--first tested" approach. 	 The top-down approach
will require the development of "test stubs" which simulate the
t interface with lower level modules, while testing high level
modules.	 The verification process will mainly consist of module
and integration testing. 	 It will be accomplished by following
the test procedures established during the design phase and the
initial phase of the coding process. 	 Each module and group of
integrated modules will be statically and dynamically tested.
Module testing will concentrate on the module specification,
while integration testing will primarily address interface and
synchronization issues.	 Formal and informal design coding
reviews will be conducted to assure compliance with system
requirements, module definitions, and design and coding
guidelines.	 All the test procedures will be described, and the
results discussed in a dedicated document which will also be used
as the basis for the system acceptance.
EMBEDDED SOFTWARE DEVELOPMENT SCENARIO
IRAS embedded software will be developed in a Digital
Equipment Corporation VAX computer system using cross-development
tools.	 The resulting execution module will then be downloaded
to the IRAS through the TCT, for execution in the embedded
computers.
The first task of the development process will be the coding
of a source module using the VAX system editor. The completed
source module will then be compiled using the microprocessor SOL
cross-compiler which will result in either a relocatable object
module or on an assembly la.aguace module: If an assembly
language module is generated, then it muat be assembled with the
microprocessor cross-assembler to produce the relocatable object
module.
The next task is linking the relocatable object modules with
the SOL runtime library and the IRAS executive software using the
microprocessor cross-linker. The resulting executable module
will,then be downloaded from the VAX to the TCT using a standard
communication package. Then it can be stored on either a floppy
or hard disk drive and downloaded from the TCT to the embedded
computers for execution. Program execution and monitoring is
controlled through the TCT.
L„
65
i1I
^
APPENDIX A	
j
it
RELIABILITY ANALYSIS
A preliminary reliability analysis of several IRAS
configurations was completed for this study. A graphic manual
documentation technique and an advanced computer program have
been used to support this analysis and are briefly discussed here
for completeness and clarity.
The documentation technique is based on reliability diagrams
which show the interdependency existing among the major
components of each system. These reliability diagrams closely
resemble data flow diagrams and can be used at different levels
of abstraction and detail.
The elements of the reliability diagrams are boxes labeled
with a letter and arrows -a- as shown in Figure A-1. Each box is
a function or component of the system. Boxes using the same
label represent redundant components which perform identical
functions using identical sets of inputs to produce an identical
set of outputs. Boxes with unique labels represent single point
failure functions or components for which redundancy is not
provided. The arrows represent the inputs to, and the outputs
of, each box. Arrows entering the box from the same side
represent identical inputs. Inputs of different types are
represented by arrows entering the box from different sides. The
failure of a function occurs when all the identically labeled
boxes representing or performing that function fail. Each box
has a predicted failure rate and, therefore, has an inherent
probability of failure. A box also fails if all the inputs to
one side fail, indicating that all the inputs of a certain type
have failed. If a box fails, its output fails as well, and all
the boxes which depend upon that output also fail unless
redundant signals are provided. Terminal boxes (such as "box B`
in Figure A-1) have no output and represent the ultimate
functions of the system or the system components which perform
those ultimate functions.
The computer program used to support this analysis is a
powerful tool hosted in ER Textron's computer facility for
scientific applications. The program is capable of analyzing
highly redundant configurations and the effects of transient
faults. The program takes into account that the loss of certain
components causes the loss of other components (component
dependency) and has some capability for handling functional
redundancy among different components. The program was.validated
in the ER Textron, Valencia Facility, both by comparing the
output with those generated by other models and by hand
computation of a wide variety of cases.
66
C4
0
a
w
O'M
a
a w 0wH N N
Y. >4
' a^ a a ^+
4 P d
p7 X >4 N
x x x
r
a
w
H
Q
z
M
z k
z
M
w a
a ^a
M >4
J
mi
cc
a
a
0
r
a
IL
OC
r
1
a
W
CC0
LLO
C7
i	 I
I
f
I	 ^
E
mN
H x >6
It.
67
APPENDIX B
The following is a summary description of the implementation
mechanizations and protocols of the bus architectures which have
been exercised for the EFCC/DCPU interfaces.
MIL-STD-1553B
The MIL-STD-1553B defines a 1 MHZ, bit serial, time division
command/response multiplex data bus for use in integration of
aircraft subsystems. Bus nodes are either a remote terminal or a
bus controller. A maximum of 31 remote terminals and one bus
controller are supported by the standard.
All communications on the 1553B data bus are initiated by the
bus controller. Data transfers can be from the bus controller to
a remote terminal; from a remote terminal to the bus controller; a
remote terminal to another remote terminal; the bus controller to
all remote terminals (broadcast mode); and from a remote terminal
to all other remote terminals (broadcast mode). For a
4 channel, 4 axis, non-cross-strapped configuration, a total of
32 messages are transmitted: 16 command messages from the FCC to
the ISCU and 16 feedback signals from the ISCU to the FCC. The
transmission time is 100 usec. per message, for a remote
terminal to remote terminal transmission, and the constant total
transmission time is 3.2 cosec. In the case of a quad redundant bus
structure with one 1553B bus per channel, the transmission time is
reduced to slightly more than 1 millisecond. The transmission
time can further be reduced if the FCC also acts as the bus
controller.. In this configuration, the total transmission time
for each bus is 576 usec.
For cross-strapped configurations using a single 15535 data
bus, the total transmission involves 128 messages or a total
transmission time of 12.8 msec. Using a quad 1553B bus structure
with each of the FCCa acting as the controller for one bus,
reduces the transmission time to 3.0 milliseconds.
'M.R ET
Ethernet, also known as IEEE-802.3, has become the de facto
standard for an office environment local area network. Ethernet
uses a 10 MHZ bit serial baseband bus structure for node
interconnection, and resolves bus contention through the use of
carrier sensing multiple-access with collision detection (CSMA/CD)
When a collision occurs, all nodes must cease transmitting and
wait a random amount of time before attempting to regain control
of the bus.
68
iThe minimum ethernet packet size, containing 46 data bytes,
If	 is 72 bytes and 67.2 microseconds long. The maximum packet size,
containing 1500 data bytes, is 1526 bytes and 1.2 milliseconds
long.
Ethernet, or any other bus protocol using CSMA/CD for bus
arbitration, is inappropriate for use in an aircraft control
system. The primary deficiency of CSMA/CD is that it assumes
collisions will occur infrequently and thus will have very little
effect on performance. In an aircraft flight control system,
however, collisions are very likely to occur and at the most
critical time: when the position commands are transmitted to the
servo control processors.
IEEE-488
The IEEE-488 bus, also known as the General Purpose
Interface Bus (GPIB), was developed by the Hewlett-Packard
Corporation for interfacing laboratory instruments to data
acquisition and control systems. The interface has 24 lines; 8
bidirectional data bus lines, 3 data byte control lines, 5
general interface management lines, and 8 ground lines. A device
on the GPIB may perform three types of functions; talker,
listener, and controller. As the names imply, a talker is a
device that transmits data on the bus; a listener, a device that
receives data from the bus; and a controller, one that controls
which device is allowed to talk and which device or devices are
to listen. The GPIB protocol uses a large amount of handshaking
and does not appear to be intended for applications that have
frequent changes of the talking device.
There are several attributes of the GPIB that make it, or any
derivative of it, undesirable for a flight system:
1. The bus requires too many lines (24), which has a negative
impact on reliability and weight.
2. The maximum length of the bus is limited to 20 meters.
3. The bus controller is a single point failure.
RS-232
X_
RS-232 is the standard developed
Association (EIA) in cooperation with
interfacing Data Terminal Equipment (e
with Data Communication Equipment (i.e
implements a bit serial bidirectional
capable of supporting up to 9.6k baud
RS-232 is not supported by a standard
to the particular application.
by the Electrical Industry
the Bell System, for
.g., computers and CRT's)
., modems). RS-232
point to point connection
over a 50 foot distance.
protocol and this is left
69
RS-422
The RS-422 standard was developed in response to the need for
a communication protocol supporting longer distances and higher
transmission speed than was provided by existing standards. It
defines a bit aerial, point—to—point interface capable of
supporting up to a 1 megabit transmission rate over 400 feet or up
to , 100k bits per second over 4000 feet. Like the RS-232 standard,
the RS-422 does not define a communication protocol.
ARINC-429
The ARINC-429 standard defines a bit serial, multidrop,
unidirectional bus capable of transmitting at 100k or 14k bits
per second. It is designed to provide aircraft sensor input data
to flight control computers and therefore supports only one
transmitter (the sensor), and several receivers (the FCCs). The
unidirectional feature of the ARINC-429 makes it unacceptable for
IRAS, which requires bidirectional communication.
y
le
70
ABBREVIATIONS
A/D	 - Analog To Digital
ADOCS	 - Advanced Digital/Optical Control System
AFCS -	 Advanced Flight Control System
Al -	 Artificial Intelligence
CIS -	 Cubic Inches Per Second
CIU -	 Control Interface Unit
CPU -	 Control Processing Unit
CRT -	 Cathode Ray Tube
CSMA/CD -	 Carrier Sensing Multiple Access with
Collision Detection
D/A -	 Digital to Analog
DATAC -	 Digital Autonomous Terminal Access Communication
DCPU -	 Digital Command Processing Unit
DOS -	 Disk Operating System
DPD -	 Digital Pilot Display
DSI -	 Data System Interface
EC -	 Emulation Computer
EFCC -	 Emulated Flight Control Computer
EIA -	 Electronic Industries Association
EMDC -	 Emulated Diagnostic and Maintenance Computer
ESCU -	 Electronic Servoactuator Control Unit
FAIL OP -	 Fail Operational
FAIL OP2 -	 Fail Operational/Fail Operational
FCC -	 Flight Control Computer
FS -	 Full Scale
GPIB -	 General Purpose Interface Bus
HOL -	 Higher Order Language
I/O -	 Input/Output
IRAS -	 Intelligent Redundant Actuation System
ISCU -	 Intelligent Servoactuator Control Unit
LVDT -	 Linear Variable Displacement Transducer
ma -	 milliampere
MSEC -	 Millisecond
PC -	 Personal Computer
Quad -	 Quadruplex
µSEC -	 Microsecond
V -	 Volt
1V
71
'For sale by the National Technical Infommlon Savior, Springfield, Virginia 22101
1. Aaport No. Z Oov mrrwrtt Acaplon No. 7. Recipient's catalog No,
NASA CR - 177366
4. Title and SuhtlO. 0. Report Date
IRAS Requirements and Preliminary _September 1985
System Design 0. Performing orgenleatlon code
7. Author(s) 0, Perorming organization R#Pwi No,
P. de Fee, J. Harris, L. J. Geiger HR 73600253
10. Work Unit No,
T — 36369, Performing orgonlzation Name and Add(m
HR Textron Inc. 1L contact or Grant No,2485 McCabe Way NAS2	 12081
Irvine, California 	 92714
10. Tyq O f  Peport and Period Covered
GDntractor Report12, Sponsoring Agency Name and Address
National Aeronautics and Space Administration 1e	
ntra	 Agency soda
307 - 04 - 1Washington D.C.	 20546
15, Suppiemmtary Note
Point of Contact: 	 Technical Monitor, K. C. Shih,M/S 210-5
es Research Center, Moffe	 Field, CA
	 94035tt
15	 694-6687 or FTS 4
	 -6
10. Abstract
-Several redundant actuation system configurations have been designed and
demonstrated to satisfy the stringent operational requirements of advanced
flight control systems.	 However, this has been accomplished largely through
"brute force" hardware redundancy, resulting in significantly increased
computational requirements on the flight control computers which perform
the failure analysis and reconfiguration management. 	 Modern technology
now provides powerful, low-cost microprocessors which are effective in
performing failure isolation and configuration management at the local
actuator level.	 One such concept, called an Intelligent Redundant
Actuation System (IRAS), significantly reduces the flight control computer
requirements and performs the local tasks more comprehensively than
previously feasible.	 This document outlines the requirements and preliminar
design of an experimental laboratory system capable of demonstrating the
concept and sufficiently flexible to explore a variety of configurations.
17 eYun^ant	 ctuat^o4 systems, Digital 18. Distribution Sutemunt
Servoactuator Cont.'rn}.lers, Unclassified - Unlimited
Criticality, Microprocessor,
Reliability, Fault-tolerant Systems STAR	 Category 05
19. Saa.rlty maulf, lot this rePoril 20, Security Clatsif. (of this Peel 2:, No, of PagN 22 Nice'
Unclassified Unclassified 71
..
1
I
4
1}
i
