31-13
`
`G. KRISHNAPPA
`
`DISCUSSION
`
`Did you try to determine degradation in the performance of the aerody-
`namic components using vibration analysis?
`
`Author's Reply:
`
`We never use the vibration analysis as a diagnojtic tool for the com-
`pressor or fan efficiencies. But in development one can relate some
`
`engine vibration levels to the aerodynamic disturbances as approa-
`
`ching surge.
`
`J. HOUILLON
`Quelle est la corrdlation entre les ddfauts constates par diagnostic
`
`et ceux r6ellement constat6s par le rAparateur? Pouvez-vous donner
`le pourcentage de rkussite rencontr6 dans Ia R.A.F. et plus particu-
`
`li~rement sur un moteur technologiquement trds complexe tel que le
`
`moteur A trois axes RB 211.
`
`Author's Reply:
`
`I show you the slide (fig 5 of my paper) where I indicate the number
`
`of signatures taken, and the success rate of these analysies.
`Even if the RB211 is a three spool engine, it does not suffer much
`
`vibration problems. As shown on fig 5, on 13 tests there was one rejec-
`
`ted engine which was indeed due to a HP turbine blade.
`
`H. AHRENDT
`1. Do you derive your spectrum information from one specific engine
`
`running point or does it cover the whole speed range?
`
`2. Did you derive your information about malfunctions of internal compo-
`
`nents (i.e. oil squeeze bearings) by external mounted pick-ups?
`
`3. Can you relate malfunction signature of a specific engine-aircraft
`configuration to a different one as a new engine on a new aircraft?
`
`Author's Reply:
`1. The spectrum looks over the whole speed range, idle to maximum,
`
`and is derived through a continuous acceleration taking 1 to I min.
`2. We can derive them from external pick-ups but it is not the best
`
`method. A very good way is to monitor the oil pressure in the supply
`
`line of the bearing.
`
`3. The out of balance excited responses generate specific bands of
`vibration which vary with the engine type, because they are related
`
`to the design and dynamic characteristics of that structure. The combi-
`
`nation of engine and airframe or engine and test bed produce these
`
`unique characteristics.
`
`BOEING
`Ex. 1034, p. 329
`
`

`
`FAULT
`IN AI RCRAFT
`
`MANAGEMENT
`PLANT
`POWER
`
`CONTROLS
`
`S. Mazareanu. A. Nobre
`Pratt & Whitney Canada Inc
`Box 10
`Longuoull
`Quebec
`J4K 4X9
`
`32-I
`
`INTRODUCTION
`
`The advent of Digital Electronics In aviation nas opened new doors to fault
`management as a tool to enhance aircraft operability and safety of flight.
`Today It Is possible to integrate flight control systems with power plant
`management systems. Operability of a battle damaged aircraft can be enhanced
`under certain conditions through sophisticated fault management systems.
`
`This paper reviews some of the considerations applicable to engine control
`fault management systems In commercial aviation. Engine control systems have
`evolved Inthe last decade from being primarily hydromechanical to being
`primarily electronics. This rapid growth In acceptance of the electronic
`systems by the aviation Industry was due to the Improvement In reliability of
`the digital systemsover analogue systems, which were previously in use.
`
`The fault management system Is a powerful tool to organize and optimize the
`maintenance logistics. Operating costs can be significantly reduced with an
`appropriate fault management system on board.
`
`The paper presents:
`
`-
`
`A Brief Review of the Evolution of Engine Controls.
`
`- The Emergence of Fault Management Systems
`(as part of Engine Control Systems)
`
`-
`
`Maturity of Fault Management Systems (Still In Evolution).
`
`- Future Potential.
`
`EVOLUTIVE PROCESS
`
`The fault management In hydro-mechanical controls Is simple In concept and
`difficult In Implementation compared to Its counterpart microprocessor based
`digital electronics with their massive memory and computing capability.
`
`The perceived high reliability of the mechanical components drove some
`engineers to design their control systems without back-up or Independent
`protections and accepting an engine out (or a loss In power) in the case of an
`engine control failure.
`
`Hydro-mechanical controls have a major handicap, they do not detect failures.
`Due to this, the concept was to surround the control system with autonomous
`devices that will prevent critical parameters from being exceeded (example:
`overspeed protection). Also, these control systems are unable of deciding if
`they still are In condition to control the engine. If a back-up control exist-
`the system relies on the pilot to diagnose the failure and transfer to the bact
`up control.
`
`The engine control Industry could not stay Indifferent to the 'invasion" of
`electronics. Analog circuits started to be used In Instrumentation and
`ancillary functions. As engineers became satisfied with the reliability of
`these electrical components they started to expand their utilization to the
`main control. As a result, analog controllers started to be used as
`supervisory units with limited authority or as protective systems and later
`stepped up to full authority control, with Its pinnacle on the*Concorde" Twin
`channel application. These systems having ilmlted fault detection restricted
`to checks on voltage thresholds and still rely heavily on pilot detection and
`action.
`
`The last decade has witnessed a giant leap forward In control concepts. MakinC
`use of the digital technology and microprocessors, the control laws became mort
`elaborate and the fault detection, isolation and accommodation, which
`constitutes the fault management was called to play a major role.
`
`rA
`
`BOEING
`Ex. 1034, p. 330
`
`

`
`32-2
`
`Fault detection on todays Full Authority Digital Electronic Controls (FADEC) Is
`extensive. Levels of fault coverage range from SO to 100%. Levels on the hlgr
`90 are possible with Internal checks. However, fault coverage of the remaining
`(up to 100%) can not be achieved Internally. The moat common configuration to
`achieve this level Is the voting agreement between two out of three control
`channels to isolate the faulty controller.
`
`The microprocessor based digital control system gives to the engineer
`extensive Dower with which to configure the control system to optimize fault
`management. Controls that use Internal checks as a mean of fault detection
`have two possible philosophies when It comes to fault accoimiodation. One of the
`philosophies advocates that cross talk between the channels should be reduced
`to Its minimum and that when a fault Is detected the channel In control should
`give up control, transferring the control to an Identical second channel. The
`other approach defends that the channel In control should remain In control for
`as long as It can before transferring to a second channel. To sustain control
`after a fault, the channel In control has to borrow parameter Inputs from the
`second channel (if It lost Its own).
`
`This second approach Increases substantially the cross talk between channels
`and the complexity of the software.
`
`AIRFRAME INTEGRATION
`
`There has always been a degree of Integration of the power plant control with
`the airframe. Its complexity, as expected rises with the number of engines, Or
`single engine aircraft the Interaction Is limited to the aircraft and the
`engine control. However In the case of a multi-engine application Interactions
`exist between the engine and the airframe as well as between engines.
`
`The functions that have a degree of Interaction between two (or more) engines
`need to be restricted to a very limited authority such that a failure on one
`engine does not have detrimental effects on the other engine(s). Typical
`examples are syncrophasing (on Turboprops), Torque matching (Helicopters), etc.
`
`Mechanical controls often have a reduced number of parameters Interacting with
`the airframe. Usually, these parameters are confined to control requirements
`and minimal If any are dedicated to fault annunciation. Mostly, fault analysis
`relies on the pilot report and subsequent Interpretation of It by the
`maintenance crew and available troubleshooting charts.
`
`Microprocessor based digital controls have demonstrated their potential for
`fault management and for information transfer to the maintenance crew. The
`transfer of Information between the control and the maintenance crew can be
`done in many different ways. They start with simple Interrogation devices
`which are connectable to the Engine Eiectronic Control (EEC) unit allowing the
`crew to read the memory locations where the fault Identification Is stored. Ir
`the more sophisticated applications the EECs are linked with the aircraft
`EICAS-Engine Indication and Crew Alerting System and/or a Central Maintenance
`Computer (CMC). Using a aerial data bus the fault Information Is downloaded tc
`these aircraft computers. The maintenance or flight crew can then interrogate
`the CMC with the faults being displayed In plain language through
`multi-function displays.
`
`In recent years there has been increasing demand for the Implementation of
`systems that are able to detect and identify failures not only Internal to the
`EEC but also external. External failure can be detected to the level of Line
`Replacement Units (LRU) associated with the EEC (i.e. input sensors and Output
`effectora) as well as other power plant LRU's.
`
`Potentially, a well designed fault management system improves not only the
`maintainability of the Control system but also reduces pilot workload and
`extends the life of the engine. With FADEC controls it Is becoming common
`place to configure systems which enable aircraft take offs with the engines
`producing 90% of the maximum takeoff power capability. in the case of a
`detected power plant failure the remaining engine Is automatically commanded b
`Its EEC to raise Its power to 100%. This take off configuration extends
`substantially the life of the engines but It requires a health status of the
`opposite engine to be acknowledged by the local engine control. Fairures that
`are Immediately Identified and automatically accommodated result In a
`significant reduction In pilot workload compared to that required In fault
`handling using hydro-mechanical controls.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`BOEING
`Ex. 1034, p. 331
`
`

`
`CERTIFICATION REQUIREMENTS
`
`For all practical purposes the various civil certification regulations are not
`significantly different with respect to power plant controls.
`
`As an example the certificatlon requlrements Imposed on an Engine Control
`System are part of the fol owing FAA reguletions:
`
`32-3
`
`FAR 33
`FAR 25
`FAR 27
`FAR 29
`TSO C77a
`
`If Integration of the propeller and engine control Is considered then FAR 36
`requirements nave to be considered.
`
`The purpose of this section is not to give s detailed description of
`certification requirements and procedures but to highlight what Is considered
`to be the main impact of certification requirements on the hardware and
`software Fault Management Configuration.
`
`For the purposes of this discussion we will consider FAR 33 that addresses the
`engine certification as such and FAR 25 that addresses a transport category
`airframe certification. An Engine Control System that compiles with these
`requirements Is basically certifiable to FAR 27 and 29 for helicopters or TSO
`C77& for APU's.
`
`Given the trend towards greater Integration of airframe systems the airframe
`certification has an Impact on the Engine Control System configuration.
`
`The advent of such functions like engine-to-engine synchronization, Automatic
`Takeoff Thrust Control System (ATTCS), Autofeather etc Increases the complexitj
`of the Engine Control System and their certiflablilty Is one of the Important
`drivers for the hardware and software configuration.
`
`Some typical requirements that are specified for a twin engine commercial
`aircraft Engine Control System are:
`
`a) Unprotected overspeed (O/S) of the engines rotors must be extremely
`Improbable (.1 failure per 109 hours).
`
`b) Dual engine In flight shutdown (IFSO) must be extremely Improbable ( l
`9
`failure per 10
`hours).
`
`5
`c) Single engine IFSD shall be Improbable (-1 failure per 10
`
`hours).
`
`d) Loss of thrust of one engine In the takeoff phase and failure to
`uptrim the other engine must be extremely Improbable (.1 failure per
`109 hours).
`
`a) Complete Inability to shut the engine down must be extremely remote
`7
`(xl failure per 10
`hours).
`
`f) Faults in either the Engine Control System or the Airframe
`Instrumentation System resulting in hazardous operation of the other
`7
`system must be extremely remote (-1 failure per 10
`hours).
`
`If the Engine Control System also Includes an integrated propeller control, the
`additional set of requirements that are typically specified are:
`
`a) Unprotected overapeed of the propeller must be extremely Improbable
`(.1 failure per 109 hours).
`
`b) Unwanted travel of the propeller blade pitch to a position below the
`normal flight low pitch stop must be extremely Improbable (<1 failure
`per log hours).
`
`c) Unwanted travel of the propeller blade pitch to a position higher thar
`the maximum angle of attach causing blade stalling must be Improbable
`(xl failure per 105 hours - similar to single engine IFSD).
`
`d) Complete Inability to feather the propeller blades must be Improbable
`(-1 failure per 105 hours).
`
`--- ------
`
`.
`
`.
`
`~
`
`.-
`
`-
`
`-
`
`BOEING
`Ex. 1034, p. 332
`
`

`
`32-4
`
`OPERATIONAL REQUIREMENTS
`
`Typical operational requirements Specified for a colmercial aircraft Engine
`Control System are;
`
`a) Probability of the Inability to dispatch <1 failure per 104 hours.
`
`b) Built-In-Test-Equipment (BITE) functional test capability In the
`maintenance mode to test more than 95% of the system's
`components/LRUs.
`C) Scheduled maintenance for possible dormant faults at time Intervals
`greater than 00 hrs.
`
`FAULT MANAGEMENT CONFIGURATION
`
`To meet the Safety and Certification requirements and the operational
`requirements both aspects of the configuration hardware and software are
`equally Important and In many cases trade off* between them can be made.
`
`The Fault Management Configuration discussion will center on a FADEC System
`since these systems have become more common.
`
`FADEC Is a system where the processor based digital electronics have full
`authority on the effectors (without mechanical constraints), therefore being
`able to drive the engine from low to maximum limits.
`
`A typical FADEC system comprises the following (see also figure 1):
`
`Input sensors (engine parameters and feedbacks).
`
`Engine Electronic Control (EEC) unit with Input interfaces. processln
`hardware and output drivers.
`
`Effectors
`
`The Engine Electronic Control (EEC) unit processes all the signals from various
`engine and airframe sensors and controls a fuel flow motor in the
`Hydromechanical Unit (HMU), one or two variable geometry motors and various
`solenoids and relays. Modern FADEC Systems are Fly-By-Wire (FBW) systems where
`all signal acquisition (including the pilot command signals) and effectors
`control are done through electrical links.
`
`HARDWARE CONFIGURATION RESULTING FROM CERTIFICATION REQUIREMENTS
`
`The hydromechanical part of a FADEC system can be substantially simplified
`because all the computations, altitude, temperature compensations etc are
`Implemented In Software based algorithms and tables.
`
`The simplicity of the hydromechanical part makes It very reliable with an IFSD
`6
`rate of typically 3 to 4 x 10-
`/hr.
`
`This allows for an IFSD rate of 6 to 7 x 10-
`/hr for the electrical Dart of the
`system to achieve the single IFSO Certification requirement.
`
`6
`
`The failure rate of the electrical/electronic part of a FADEC channel generally
`6
`falls In the 180 x 10-
`/hr range. For 70% of this failure rate I.e. 100 x
`6
`10-
`/hr (CPU, drivers. effectors etc). there Is no possible accommodation
`within the channel.
`
`This points to a major configuration Impact: with today's electronics
`reliability, a FADEC system has to have at least a dual Independent channel
`configuration for Its electrical/electronics part (See Fig. 2).
`In fact, a
`dual channel FADEC system has a significantly lower IFSD rate than a complex
`hydromechanical system.
`
`If It Is assumed that all faults are detected, the IFSD rate of such a system
`will be:
`
`Hydromechanics
`IFS0
`
`Electronics 2
`+ A IFSD
`
`4 x 10-6 + (100 x 10-6)2
`
`- 4 x 10-6 + I x 10-8
`
`4 x 10-
`
`6
`
`/Hr.
`
`.-t.
`
`BOEING
`Ex. 1034, p. 333
`
`

`
`The dual channel configuration means that there has to be no common mode
`failures between the two channels Including:
`
`32-5
`
`a) Common SIgnal Sources
`
`b) Common Processing Hardware
`
`c) Power Supply
`
`d) Lightning and Electromagnetic Interference
`
`e) Software
`
`9
`The dual IFSD requirement of I x 10-
`/hr results In the same common mode
`failure requirements applied to the two Engines Control Systems.
`
`To comply with the unprotected O/S or other protection requirements of
`1 x 10-9/hr, Independent protections are considered mandatory.
`
`The above common mode failure requirements apply again this time between the
`control channel and the Independent protection.
`
`These considerations point to the following optimized FADEC hardware
`configuration (See Fig. 1):
`
`TWO well Isolated FADEC electrical channels, each with Its own power
`supply, CPU. sensors. Interfaces and drivers.
`
`Dedicated electrical generator for each engine Control System/Dual
`winding, one winding for each channel.
`
`Independent protection hardware for each control channel with Its own
`Internal power supply. sensors, computational core and effectors.
`
`The airframe power supply can be used as a back-up of the dedicated generator
`providing It does not become a source or path for transmltti..g common mode
`faults from engine to engine (on line when the dedicated generator is out of
`Operation).
`
`If a functional link between the two engines Is necessary (ATTCS,
`Synchronization) this has to be Implemented In hardware such that no
`engine-to-engine common mode failure Is possible (for Instance local engine EEC
`reads directly from dedicated sensors the remote engine parameters).
`
`To comply with the engine shutdown requirement, two Independent shutdown means
`have to be provided.
`
`To Com.ly with the requirement for segregation between the Engine Control
`System and the Instrumentation System, the two systems have to be Independent
`to the extent that failures In one of them will not result In hazardous effects
`In the other one.
`
`HARDWARE CONFIGURATION RESULTING FROM OPERATIONAL REQUIREMENTS
`
`A dual channel FADEC System has typically the following reliability for the
`functions that make the system non dispatchable:
`
`A Hydromechanics < 40 x 10-6/Hr
`
`A Electrical
`One Channel
`
`100 x 10 6 /hr
`
`If & twin engined airframe Is considered and all components have to be
`operational to dispatch, then the non dispatch rate will be:
`
`Hydromechanical + 4 A Electrical
`
`- 2 x 40 x 10.6 + 4 x 100 x 10- 6 - 480 x 10-6/Hr
`This figure Is higher than the rtquired 10-
`/Hr (100 x 10-6/Hr) and the major
`contributors to the non dispatchability of the airframe are the 4 electronic
`FADEC channels.
`
`4
`
`II
`
`BOEING
`Ex. 1034, p. 334
`
`

`
`32-6
`
`The interest of having an Engine Control System configuration that allows the
`dispatch of a twin engined airframe with 3 channels operational out of 4 (1
`channel operational on one engine and 2 channels operational on the other
`engine) Is obvious. In this case only single failures In both lMIUs or dual
`Electrical Channel failures will prevent the dispatch.
`
`Therefore the non dispatch rate will be:
`
`2 x 40 x 10
`
`-
`
`5 +6 x (100 x 10-6)2 - 80.06 x 10-/Hr
`
`This result shows that the hydromechanical part dominates the system non
`dispatch rate.
`
`The dual IFSD rate of a 3-out-of-4 dispatch configuration has to be less than
`1 In 109 hours as for the normal dispatch situation.
`
`if a 100% Fault Detection Coverage Is assumed this rate can be achieved even
`if the airframe Is dispatched continuously with 3-out-of-4 channels
`operational, as shown In Fig. 3.
`
`The single IFSO requirement of 10 x 10-
`/hr results In limitation of the time
`the airframe Is allowed to dispatch with one channel out as described below.
`
`6
`
`Given an IFSD of 100 x 10-6/hr for the electrical part of the channel, It means
`that every 2600 hrs an airframe will dispatch with one FADEC channel incapable
`of control:
`
`6
`4 x 100 x 10-
`
`/hr - 2800 Nra
`
`6
`
`To limit to 10 x 10-
`/hr the average Engine Control System IFSO rate, and
`continuing to assume a 100% Fault Coverage, will result In limitation of the
`time the airframe Is allowed to dispatch with one channel out to no more than
`160 hrs:
`
`(2500-150) 4 x 10-6 . 150 X 104 X 10-6 -
`2500
`
`6
`10 x l0-
`
`/Hr
`
`6
`
`Where Ix 10-
`/Hr Is the IFSO rate of the fully operational system and
`6
`104 x 10-
`Is the IFSD rate of the systemn dispatched with one channel
`Inoperative (see also Fig. 3).
`
`SOFTWARE CONFIGURATION
`
`In practice not all the Faults resulting In IFSD can be detected or
`accommodated in a dual FADEC channel configuration (case under discussion).
`
`Hardware Independent protection functions (O/S protection for instance) or dual
`channel redundancy can not prevent the Engine Control System from controlling
`the engine In an undesired way (flame out, large thrust excursions within red
`limits. etc) if a fault occurs and that fault can not be detected and
`accommodated (system reconfigured).
`
`The fault detection and accommodation are components of the system's Fault
`Coverage that can be defined as the conditional probability that the system
`continues to Perform In an acceptable manner, given that some Internal part has
`failed.
`
`The Engine Control System overall Fault Coverage is calculated as a weighted
`average as follows:
`
`C A1 C1 . ....
`. AnCn
`A1 + .... + An
`Where An Is the failure rate of Component R, Co is the Fault Coverage of
`component n and C is the system's Fault Coverage.
`
`Given the hln reliability and safety requirements Imposed on Engine Control
`Systems and the present reliability of a single channel FADEC system, fault
`tolerance capabilities (achieved through Fault Coverage and redundancy) must be
`built Into the system.
`
`_y
`
`BOEING
`Ex. 1034, p. 335
`
`

`
`t
`
`32-7
`
`If only the dual IFSO rate certification requirement was considered and only
`dispatch with 4 channels operatlonal was allowed, then the required Fault
`Coverage could be as low as 73% (see Fig. 4).
`
`If In addition the single IFSO rats Certification requirement Is considered anc
`only dispatch 4 channels operational was allowed, then the Fault Coverage has
`to be greater than 94%t
`
`4 x 10-6 +
`
`100-94
`
`100
`
`x 100 x 10
`
`-6
`
`- 10 x 10-8/Hr
`
`If In addition the dispatch of the airframe with one Channel inoperative (out
`of 4) Is considered, and the dispatch time In this configuration is to be a
`meaningful figure of at least 25 hrs, then a Fault Coverage of st least 95% is
`mandatory.
`
`F
`L4
`
`100-95
`
`0
`-
`x 100 x 10-
`
`0
`- 6
`2500-25) + 104 x 10
`
`x 25
`
`6
`10 x 10-
`
`-
`
`/Hr.
`
`2500
`
`With a dual lane FADEC System a 95% Fault Coverage Is considered to be a
`challenge for today's techniques in Fault Detection and Accommodation design.
`
`The FDA techniques described below are considered necessary to achieve this
`goal.
`
`The FDA requirements are Classified In two categories!
`
`Fault Detection Requirements
`Fault Accommodation Requirements
`
`Fault Detection needs are primarily defined by the 95% Fault Coverage
`requirement and by the Control System Failure Modes and Effects Analysis
`(FMEA).
`
`Fault Accommodation needs are defined by IFSD and dlspatchabillty requirements
`and the goal to make the Control System fail-operation&! as much as possible.
`
`FAULT DETECTION:
`
`in a dual channel configuration each channel must be basically responsible for
`the detection and containment of Its own failures, and for handing over control
`to the other channel.
`
`With this configuration It is clear that a 100% fault coverage can not be
`obtained, even if complete redundancy Is available, because of the fault
`detection aspect.
`
`This fault coverage can be achieved via a combination of self tests and
`comparison tests.
`
`When a certain component Is hardware replicated In both channels Its failure
`can be detected In two ways:
`
`a) Self tests only using the channel's Internal resources (range, rate,
`etc) - No-Cross-Talk configuration.
`
`b) Self tests as in (a) and comparison tests between the two channels
`Sensors - Cross-Talk configuration.
`
`Our experience shows that the Cross Talk configuration Is much more complex
`than the No-Crols-Talk configuration and offers only marginal benefits,
`
`The point of departure In the design of a self test Is a Failure Modes and
`Effects Analysis (FMEA).
`
`A FMEA defines the various failure modes of a device, as well as their effects
`on the performance of the device and the system.
`
`Based on this analysis, a self test Is designed to detect thole failure modes
`which have an unacceptable impact on the performance of the system.
`
`rI
`
`p
`
`**,-
`
`BOEING
`Ex. 1034, p. 336
`
`

`
`32-8
`
`To quantify the level of coverage Inherent In a self test, the FMEA must be
`examined to determine the fraction of the failures of the device which are
`detectable by the self test (which is associated with that device).
`
`A large part of the Fault Detection logic is primarily based on EEC
`Input/output Self Tests, I.e. range and rate tests to detect out-of-range and
`out-of-rate faults.
`
`With some exceptions, In-range Fault Detection may be necessary for some EEC
`inputs depending on the effect of their failures at the high and low limits of
`the range check. Simulation of these failures is performed to estimate If
`In-range Fault Detection for these parameters is worth implementing.
`
`A typical Fault Detection Configuration for a turbofan application Is shown In
`Table 1.
`
`For the EEC internal faults a mix of Software and Hardware logic Is used under
`the name of Built-In-Test (BIT). The SIT tests are performed in the engine
`normal operation modes (Start and Run) and In engine static modes
`(Initialization, maintenance) modes.
`
`Typically the following Internal EEC checks are performed:
`
`* PROM
`
`* RAM
`
`* EEPROM
`
`• CPU
`
`* Effectors
`Drivers
`
`* A/D Converter
`
`F/D Converter
`
`* ARINC
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`Checksum. Parity
`
`Read/Write. Parity
`
`Erase Upon a Power Down. Parity
`
`Watchdog Timer, Activity Monitor, Loss-of-clock
`Detector, Instruction Test.
`
`Current Wraparound (W/A), Initialization Test
`
`Test Input
`
`Test Input
`
`W/A
`
`• Spool-Up Channel Switchover
`
`A short description of each of the above tests Is given below.
`
`BUILT-IN TEST DEFINITIONS
`
`PROM CHECKSUM:
`
`Programmable ROM Is divided Into blocks, each block having a standard checksum
`test value location. This process adds all locations and verifies that the sun
`Is consistent with the checksum location.
`
`PROM PARITY:
`
`A fault In the main application program Is detected by a parity check circuit
`which Is enabled by the action of the processor In fetching the next
`Instruction. The result of this fault Is a reset of the application program tc
`the starting location.
`
`RAM READ/WRITE TEST:
`
`RAM read/write tests can be performed on all RAM locations:
`
`1. WRITE/READ address value
`2. WRITE/READ alternating 1-0"
`parity
`3. WRITE/READ alternating "0"-1 parity
`4. WRITE/READ any odd parity pattern
`
`Also a test pattern can he written Into fixed RAM locations and the result reac
`during normal operation EEC mode.
`
`,1|
`
`BOEING
`Ex. 1034, p. 337
`
`

`
`32-9
`
`RAM PARITY:
`
`A fault in the scratchpad memory will be detected by a parity check circuit
`which Is enabled by the action of the processor In fetching the desired piece
`of data. The result of this fault is a reset of the application program to the
`starting location.
`
`EEPROM PARITY:
`
`A fault In the electrically eraseable memory can be detected by a parity check
`circuit which Is enabled by the action of the processor In fetching the desirec
`piece of data. The result of this fault is a reset of the application program
`to the starting location.
`
`EEPROM ERASE CHECK:
`
`This Initialization process checks for a single EEPROM location that Is erased
`or Incompletely written. This would happen If an ERASE/WRITE cycle was In
`process when ECU power was last Interrupted.
`
`WATCHDOG TIMER:
`
`The watchdog timer Is basically a counting circuit which is used LO keep track
`of the overall application program. The application program will Issue a
`command to the watchdog timer at scheduled Intervals which are designed to
`correspond with an acceptable hardware window. The processor will be reset to
`the starting location If the watchdog timer command does not occur in the
`allowable windows.
`
`ACTIVITY MONITOR:
`
`The activity monitor circuit Is used as a crude backup to the watchdog timer.
`A command to this monitor switches etween one and zero on a regular basis.
`The channel outputs are depowared If this switching sequence Is Interrupted.
`
`LOSS-OF-CLOCK DETECTOR:
`
`The hardware circuit detects the loss of the CPU clock and resets the software
`to Its starting location upon clock recovery.
`
`INSTRUCTION TEST:
`
`A subset of the processor Instructions Is executed end proper execution
`verified. The subset Is designed to exercise all Instruction code bits througt
`an "0" and "I" state and extensively test all critical and frequently-used
`Instructions.
`
`CURRENT WRAPAROUND FOR DRIVERS:
`
`Fault detection for the effector drivers Is accomplished by measuring the
`voltage across an accurate resistor In the output driver. This voltage Is
`directly proportional to current and is Compared to the commanded value In
`order to detect faults such as opens and ground short circuits.
`
`INITIALIZATION TEST FOR DRIVERS:
`
`The Initialization test for actuators allows each channel to enable its output
`drivers for a preset time, so that the output logic can test the electrical
`Integrity of each driver.
`
`ANALOG-TO-DIGITAL (A/D) TEST INPUT:
`
`A known voltage Is Input to the A/D converter. The voltage Is converted by the
`CPU and compared to a known value to verify correct A/D operation.
`
`FREQUENCY-TO-DIGITIAL (F/D) TEST INPUT:
`
`A known frequency Is Input to the F/D converter. The frequency Is converted b
`the CPU and compared to a known value to verify correct F/D operation.
`
`ARINC WRAPAROUND TEST:
`
`The control verifies that what It has sent out through the ,RINC transmitter Is
`what It receives at the wraparound receiver. All messages which are
`transmitted appear In the wraparound buffers. The ARINC link Is disabled If
`the wraparound does not match the Intended transmission.
`
`I
`
`I
`
`~--.
`
`-
`
`-.
`
`-..
`
`7
`
`-...-.---.--
`
`BOEING
`Ex. 1034, p. 338
`
`

`
`32-10
`
`LVDT/RVOT CHECKSUM:
`
`The sum Of the two LVOT voltage signals Is range checked.
`
`SPOOL-UP SWITCHOVER:
`
`The secondary channel starts the engine up to a certain N 2 speed and then
`switches to the primary channel for the completion of the spool-up. This
`swltchover detects possible dormant failures In the secondary channel.
`
`FAULT ACCOMMODATION
`
`The main goal of the Fault Accommodation logic Is to make the system fall
`operational upon the detection of all first single electrical faults when the
`system Is dispatched with two channels up.
`
`When a certain component Is duplicated In each channel and the one in the
`channel In control falls the action can be:
`
`a)
`
`b)
`
`To swItch to the back-up channel that will assume control of the
`engine (no-cross-talk configuration).
`
`To 'borrow" the failed component from the back-up channel (cross-talk
`configuration). However the cross-talk configuration Is far more
`complex and Its benefits In terms of IFSD rate, dispatchablllty etc.
`are marginal.
`
`In the case of single parts of the system (a single P 3 probe for both channels
`for Instance), analytical redundancy must be achieved when possible. For
`single Items that can not be analytically replaced, safe defaults or
`alternative Control Modes that do not need these parts must be created.
`
`Table 2 gives an overview of a typical Fault Accommodation configuration for a
`turbofan application.
`
`CHANNEL SWITCHOVER
`
`The channel switchover logic determines the relative health of each channel ano
`uses this as a basis for determining which channel shall be In control. A
`channel In control Is a channel that has Its outputs enabled.
`
`Some of the rules for the channel swltchover are the following:
`
`1. The two channels must not simulataneously have their outputs enabled
`(this function to be Implemented in hardware independent of the
`software controlled hardware).
`
`2.
`
`The pilot can use a cockpit channel select switch that overrides the
`automatic channel selection. This will be achieved through hardware
`means Independent of the software controlled hardware.
`
`3. Each channel asseses Its own health status and cross-talks this
`Information to the other channel.
`
`4. If the channel In control Is less healthy, it must give up control.
`If
`the standby channel does not assume control within a reasonable period,
`the channel that gave up control must resume control.
`
`5. The standby channel cannot enable Its outputs unless the channel In
`
`control allows It.
`
`FAULT ACCOMMODATION WITHIN THE CHANNEL
`
`EEC