One of the most anticipated airplanes, Boeing’s 777 Dreamliner incorporates a two-pilot flight deck with a five-screen electronic flight information system. If you’ve ever looked in the cockpit of a commercial airliner, you have seen the bewildering array of screens, dials, and indicators used to control the airplane. The Dreamliner flight screens replace a large number of indicators, and serve to reduce the amount of information the pilots need to deal with at one time.
To better appreciate the complexity of automatic navigation systems it is important to understand the three basic control surfaces that affect an airplane's attitude. Elevators are devices on the tail of a plane that control pitch. This is best described as the movement of an aircraft around a horizontal axis perpendicular to the direction of motion. The rudder turns the airplane left and right relative to the forward motion of the airplane – called yaw. Ailerons are the third control surfaces attached to the trailing edge of the wings. Ailerons control the airplane’s roll. Roll occurs when the ailerons move in opposite directions and cause the airplane to turn on the axis that is in the direction of travel. Roll is the flight path you see when the pilot performs a barrel roll. So, in order to control aircraft attitude, we must control yaw, pitch and roll. In addition, if equipped with throttle control, we can control the aircraft speed. Single-axis autopilots manage one set of controls, typically the ailerons. Such a system is known as a "wing leveler" because by controlling roll it keeps the aircraft's wings level. A full autopilot manages all three basic control systems: ailerons, elevators and rudder. Other aircraft, such as helicopters, are controlled differently. The control algorithms for a helicopter are also different from those of a fixed-wing aircraft.
You can get an idea of the specific control software needed to control a hobbyist aircraft by reviewing sites like http://diydrones.com/. Many of the hobby autopilots offer a set of operational modes intended to make operating a Radio Controlled (RC) aircraft easier. A Carnegie Mellon University project "An Autonomous Autopilot Control System Design for Small-Scale UAVs" equipped an RC model airplane with a ground-based autopilot.
Open Source products like ARDUpilot http://code.google.com/p/ardupilot/wiki/FlightModes provide the hobbyist with multiple control modes:
- STABILIZE (RC control with wing leveler; let go of the sticks and it will level)
- FLY BY WIRE_A (More autonomous control, including airspeed.)
- FLY BY WIRE_B (More autonomous control, no airspeed.)
- AUTO (Aircraft will follow GPS waypoints set by configuration utility.)
- RTL (Aircraft will return to launch point and circle.)
- LOITER (Aircraft will circle in current position.)
All of these functions in an RC airplane are contained in a single-chip, lower-end microcontroller. Studying the code for the RC airplane is a straightforward task. If you are not familiar with PID control algorithms, the code base for ARDUpilot is fairly small – each function takes a few pages of code. PID control was discussed briefly in an earlier article.
How does a hobbyist RC autopilot turn into a commercial autopilot that is hardware intensive with incredible software complexity? In part the answer lies in risk. If a small single engine RC aircraft crashes, there is little risk to human life. When a several hundred thousand pound aircraft crashes, there is risk to both life and property. To mitigate risk, designers of life critical systems often add processors to their design. With added processors come more power consumed, more memory used, more peripheral control required, and more intrinsic complexity.
The growth in commercial airplane control hardware complexity and weight led to a decision to integrate all of the flight deck functions into a unified system. The 777 was the first aircraft with an ARINC data bus linked to the main and standby navigation systems. It also includes a Terrain Collision Avoidance System (TCAS) and a twelve-channel Global Positioning System (GPS). The aircraft is equipped with a color weather radar. These last three systems give a glimpse of the complexity present in the current generation of commercial aircraft flight systems.
The Boeing 777 has a triple redundant digital autopilot and flight director. The flight control system includes envelope protection commands, which prohibit maneuvers that would push the airplane beyond its flight limits. Each of the three primary flight computers contains three different and separately programmed 32 bit microprocessors. The microprocessors include three different manufacturers’ CPUs, including an Intel processor, selected to manage the fly-by-wire functions.
Let’s look at why multiple processors would be used in a commercial autopilot. The first obvious reason to have more than one processor in such a system is for redundancy. When one processor fails the redundant processor(s) can take over operations. But multiple processors on a single chip don’t address all of the processor failure mechanisms. We’ve talked before about hot standby, which is one mechanism to ensure continuous operation. When hardware encounters a failure that does not stop the processor, how do you tell? The classic method is to implement a three-or-more-processor design with voting logic. If two of three systems produce the same result, then the third system is known to be bad by definition.
Guarding against processor data sensitivity and processor logic errors requires additional effort by engineers. Much of this effort falls to the software engineers. Many processor families have suffered from arithmetic errors intrinsic to a specific implementation. The idea of using different processors, possibly designed by different engineering teams, makes it unlikely to replicate the same set of errors under the same circumstances. So, it’s easy to see the rationale behind including three physically different processors from different manufacturers.
Errors can be introduced at several places in the software development process. Most people don’t think about failures of compilers and other software tools. Software development systems introduce a whole new wrinkle into the design of critical systems. It’s easy to see how you could implement three or more software control systems operating on a single processor. Of course, each of the software systems must be programmed in different ways yet still achieve the same answer. Arbitration software can vote any single process offline if it produces answers different from the other two processes.
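The two-of-three voting and "vote offline" arbitration described above, sketched in C as an added example (not code from this article or from any avionics product). The tolerance-based comparison, the `voter_state` type and the function names are assumptions made for illustration.

```c
#include <stdio.h>

#define CHANNELS 3

typedef enum { VOTE_OK, VOTE_NO_MAJORITY } vote_status;

/* online[i] == 1 while channel i is still trusted by the arbiter. */
typedef struct { int online[CHANNELS]; } voter_state;

/* Independently programmed channels rarely match bit for bit,
 * so "the same result" means "within a tolerance" (an assumption). */
static int agree(double a, double b, double tol)
{
    double d = a - b;
    return (d < 0 ? -d : d) <= tol;
}

/* Vote one frame of channel outputs. On success, *result is the mean of
 * the agreeing channels and every dissenting channel is voted offline. */
vote_status vote(voter_state *st, const double out[CHANNELS],
                 double tol, double *result)
{
    int best = -1, best_count = 0;
    for (int i = 0; i < CHANNELS; i++) {
        int count = 0;
        for (int j = 0; st->online[i] && j < CHANNELS; j++)
            count += st->online[j] && agree(out[i], out[j], tol);
        if (count > best_count) { best_count = count; best = i; }
    }
    if (best_count < 2)          /* no two online channels agree */
        return VOTE_NO_MAJORITY; /* cannot arbitrate; caller handles the fault */

    double sum = 0.0;
    for (int j = 0; j < CHANNELS; j++) {
        if (!st->online[j]) continue;
        if (agree(out[best], out[j], tol)) sum += out[j];
        else st->online[j] = 0;  /* dissenter is removed from later votes */
    }
    *result = sum / best_count;
    return VOTE_OK;
}

int main(void)
{
    voter_state st = { {1, 1, 1} };
    double cmd = 0.0;
    double frame[CHANNELS] = { 2.0, 2.0, 9.0 }; /* constructed: channel 2 faulty */
    vote_status s = vote(&st, frame, 0.05, &cmd);
    printf("status=%d cmd=%.2f online=%d%d%d\n", s, cmd,
           st.online[0], st.online[1], st.online[2]);
    return 0;
}
```

Once one channel has been voted offline, a later disagreement between the two survivors returns `VOTE_NO_MAJORITY`, because two channels alone cannot tell which of them is wrong.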
Certified Real Time Operating Systems (RTOSes) can provide designers with a foundation for qualified software development. For example, Green Hills Software, Inc (1), QNX (2), and Wind River Systems (3) all offer embedded RTOS products. Green Hills offers a specific aerospace package called the Integrity Real-time Operating System (RTOS) and AdaMULTI Integrated Development Environment (IDE). The AdaMULTI IDE is an integrated set of tools for the development of embedded applications using Ada 95, C, C++, Embedded C++, and FORTRAN. Many aerospace systems must employ software developed using Ada and Ada-based tools. Wind River also provides an aerospace platform that conforms to many of the world’s standards for critical avionics systems including RTCA DO-178B, EUROCAE ED-12B (“Software Considerations in Airborne Systems and Equipment Certification”), IEC 61508 http://www.iec.ch/functionalsafety/ and other related software standards.
The Boeing 777 flight control capabilities come with some hardware and software complexity. Five screens provide the two-pilot flight deck with instant access to essential information. The five displays include two primary flight displays, two navigation displays and an engine indication monitor. RTOSes from software vendors like Green Hills, QNX, and Wind River are the tip of the iceberg for aeronautics software, but compared with the hardware choices, they are a well-contained series of alternatives. The proliferation of hardware alternatives is staggering. For example, GE Intelligent Platforms (4) in Charlottesville, Va., offers the ACR301 rugged 3U CompactPCI CPU board based on the Intel Atom E6XX processor for harsh-environment aerospace, defense, and industrial embedded computing applications. Chief among these applications is unmanned aircraft with demands for minimal power consumption.
On the other end of the scale, Kontron (5) offers the ACE Flight 600 ruggedized airborne server based on the Intel® Core™ 2 or Atom™ processor. Kontron also offers a selection of 3U CompactPCI cards and Computer-on-Module form factor systems.
From hobby RC airplanes, remote photography, and autonomous aircraft, to commercial airplane flight control systems, there is a continuum of systems capabilities. Basic RC autopilot facilities can be implemented in a single low end microcontroller, but commercial passenger airplanes demand more from auto-navigation systems. More means more power systems, more processors, more error detection, and more complex software.
How can you employ aircraft reliability and safety in your non-aircraft designs?
1. Green Hills Software is an Affiliate Member of the Intel Embedded Alliance
2. QNX Software Systems is an Associate Member of the Intel Embedded Alliance
3. Wind River Systems is an Associate Member of the Intel Embedded Alliance
4. GE Intelligent Platforms is an Associate Member of the Intel Embedded Alliance
5. Kontron is a Premier Member of the Intel Embedded Alliance
Roving Reporter (Intel Contractor)
Intel® Embedded Alliance