ENGAGEMENT AND INTERNAL MONITORING - DESCRIPTION AND OPERATION
** ON A/C NOT FOR ALL
1. General
Each Flight Augmentation Computer (FAC) includes two independent computation channels with digital processors.
The engagement and monitoring principles ensure:
- Safe operation through the failure detectors
- Maximum availability through the reconfigurations further to failures.
- Duplication of the monitoring circuits (engage and monitoring logic)
- Utilization of hard-wired logic for the sensitive parts of the system (engage circuit, actuator control circuit, circuit of global internal monitoring)
- Monitoring of the peripherals by the FAC:
. Failures detected by self-test through monitoring of the parameter status matrix. These failures are not latched.
. Failures not detected by self-test which deal with critical information through comparison of different sensors (two-by-two comparison or passivation through voters) or validation of a data bus by a hard-wired discrete.
- Monitoring of the computer by self-monitoring of the computation channels (comparison) specific monitoring:
. Aircraft 28V power-supply application software (real-time monitor)
. Watchdog
. ARINC sequencers
. Oscillation detectors transmission monitoring.
2. System Description
Each FAC comprises these devices for function monitoring:
- An engagement device per FLT CTL/FAC pushbutton switch common to the yaw damper, rudder trim and rudder travel limiting functions.
- Global internal monitoring of the computer in software (real-time monitor) and hard-wired circuitry (FAC HEALTHY, watchdog)
- Monitoring specific to the functions fulfilled:
. In the software
. In the hard-wired circuitry for the actuator controls, the changeover signals and the warnings.
- Monitoring of reconfiguration of certain peripherals
- Monitoring of sensors.
(watchdog, power supply monitoring).
The logic circuits specific to the functions lead to the loss of the considered function without illumination of the FAULT legend. The result of the failure is memorized in flight only (engine-running signal to allow or not allow the reset).
The logic circuits common to all the functions lead to the total loss of the FAC with illumination of the FAULT legend. The result of the failure is memorized in a hardware flip-flop.
The reset will be possible only upon manual action by the pilot on the FLT CTL/FAC pushbutton switch. This action reactivates the watchdog and the microprocessor.
The whole computer can be disengaged through action on the pushbutton switches.
3. Operation
A. Connection with FLT CTL/FAC Pushbutton Switches
Each FAC is associated with an engagement pushbutton switch located on the FLT CTL panel, on the overhead panel.
This pushbutton switch serves for:
- The engagement or the disengagement of all the FAC functions:
. Engagement status : no indication on the pushbutton switch
. Disengagement status : the OFF legend is on
- The indication of FAC failures with the FAULT legend. This authorizes a pilot action (FAULT/OFF) to reset the digital section of the FAC.
If the action is operative, the FAULT legend goes off and the system can be re-engaged.
In abnormal operation, these indications are given:
- Computer not energized or not installed:
. FAULT legend on ; ECAM warning.
- FAC failures specific to one function:
. FAULT legend off ; ECAM warning.
- Common FAC failures which can be reset:
. FAULT legend on with possible reset by the pilot ; ECAM warning.
- Power-supply transient failures:
. FAULT legend on with possible reset by the pilot.
- FAC failures on the ground with engines shut down:
. FAULT legend with automatic reset at failure suppression.
B. Global Internal Monitoring of the Computer
The correct operation of the computer (acquisition, digital section, correct running of the program, transmission, etc.) is checked from:
- A boolean signal INTERNAL MONITORING generated by the software. This signal takes into account all the monitoring functions of the channel
- A FAC HEALTHY discrete signal used as a condition necessary for:
. The effective engagement of the FAC functions,
. The validation of the FAC data for the users.
(1) INTERNAL MONITORING signal
This signal is generated from the signals given below:
- Internal power-supply monitoring
- Monitoring of the correct execution of the safety test of the digital section.
- Monitoring of the ARINC transmission:
. Through wrap-around of the main bus on the monitoring channel by comparison of the received discrete word 274 with the discrete word 274 generated in the monitoring channel
- Monitoring of the ARINC acquisition through verification of the automaton which organizes the management of the acquisition
- Verification of the digital section by taking into account:
. The comparator between voters of the yaw damper
. The comparator between speed computations.
As these comparators monitor the command and the monitoring algorithms, a dissymmetry between these computations implies a failure in the digital section.
(2) FAC HEALTHY signal
This hard-wired signal is used to:
- Illuminate the FAULT legend of the FLT CTL/FAC pushbutton switches
- Validate the information of the main bus of the FAC:
. Through the acquisition of this discrete by the users
. Through setting of the transmitted labels to F/W
- Authorize the engagement of the functions (use of the FAC HEALTHY signal wrapped around to generate the changeover signals).
- The INTERNAL MONITORING signal
- The nosewheel signal to avoid latching of possible failures on the ground
- The watchdog signal which monitors the correct execution of the software operations
- The REAL TIME HLTY signal which is the real-time monitoring signal of the application software (Ref. para. (3)a.)
- The EXPT signal which is an exception procedure signal (Ref. para. (3)b.)
It is activated as follows:
(a) Activation to fault status
This is achieved by:
- The watchdog signal
- The exception signal
- The FAC HEALTHY signal generated by the opposite side (C or M)
- The LPF signal : this signal is activated by the power supply block upon long cutoff (t more than or equal to 200 ms)
- The INTERNAL MONITORING signal either directly or through an oscillation detector to take into account the oscillations of the software which cause switching from good to bad status alternately.
(b) Activation to good status
This is achieved:
- At power rise of the computer if the watchdog, EXPT and INTERNAL MONITORING signals are good
- Through unlatching by action on the engagement pushbutton switch in flight.
- The watchdog
- The microprocessor.
At re-engagement, the system will be at the ON status if the reset has been effective.
(3) Monitoring of the digital section
The real-time monitor ensures the correct operation of the program through the execution of tasks. A watchdog hardware circuit monitors this real-time monitor.
The content of the program is checked during the tests at power rise (check sum, signature).
(a) Real-time monitor
This monitor ensures the real-time monitoring of the program execution. To do this, it initiates the application through the activation of tasks. It checks each task for discrepancies (exceeded calculating-time limit):
- By confirmation upon n consecutive discrepancies
- Through oscillation detectors within a determined time.
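The two confirmation paths named above (n consecutive discrepancies, and an oscillation detector of the kind also applied to the INTERNAL MONITORING signal in para. (2)(a)), sketched in C as an added example that is not code from the manual or the FAC. The limits, the fixed-window scheme and all names are assumptions; the page gives no values.

```c
#include <stdbool.h>

/* All limits are constructed for illustration; the page gives no values. */
#define N_CONFIRM      3   /* consecutive discrepancies needed to confirm */
#define OSC_WINDOW    20   /* observation window, in task cycles          */
#define OSC_MAX_TRIPS  4   /* good->bad transitions that latch a fault    */

typedef struct {
    int  consecutive;   /* current run of discrepancies              */
    int  window_pos;    /* cycles elapsed in the current window      */
    int  trips;         /* good->bad transitions seen in this window */
    bool prev_bad;      /* result of the previous cycle              */
    bool latched;       /* fault confirmed; stays set until reset    */
} task_monitor;

void monitor_reset(task_monitor *m) { *m = (task_monitor){0}; }

/* Feed the result of one task cycle (true = calculating-time limit
 * exceeded). Returns true once a fault has been confirmed. */
bool monitor_step(task_monitor *m, bool discrepancy)
{
    if (m->latched) return true;

    /* Path 1: confirmation upon N_CONFIRM consecutive discrepancies. */
    m->consecutive = discrepancy ? m->consecutive + 1 : 0;
    if (m->consecutive >= N_CONFIRM) m->latched = true;

    /* Path 2: oscillation detector. A task that alternates between good
     * and bad never builds a consecutive run, so count the good->bad
     * transitions inside a fixed window instead. */
    if (discrepancy && !m->prev_bad) m->trips++;
    m->prev_bad = discrepancy;
    if (m->trips >= OSC_MAX_TRIPS) m->latched = true;
    if (++m->window_pos >= OSC_WINDOW) { m->window_pos = 0; m->trips = 0; }

    return m->latched;
}

/* Replays a constructed pattern ('1' = discrepancy, '0' = good cycle).
 * Returns the cycle index at which the fault latches, or -1 if never. */
int monitor_run(const char *pattern)
{
    task_monitor m;
    monitor_reset(&m);
    for (int i = 0; pattern[i] != '\0'; i++)
        if (monitor_step(&m, pattern[i] == '1')) return i;
    return -1;
}
```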
(b) Monitoring of the exceptions
An exception results from an instruction which cannot be performed normally for these reasons:
- Either it does not follow the rules of the memory protection (protected mode of the CPU 80286)
- Or it leads to an erratic result
- Or the instruction itself is garbled (for example : dividing by zero)
The boolean BEXPT gathers all the exception monitoring functions.
This boolean acts on the FAC HEALTHY logic at the level of:
- The watchdog for its activation
- The logic.
C. Monitoring of Peripherals
(1) Monitoring of ADIRS data
(a) General
Some data from the ADIRS have a critical role in the architecture of the FAC.
Specific monitoring functions are integrated for these parameters:
- Yaw rate (yaw damper and engine failure recovery)
- Lateral acceleration (engine failure recovery)
- Corrected airspeed (rudder travel limiting)
- Angle-of-attack (calculation of characteristic speeds).
(b) Principle
The monitoring functions performed on the ADC and IRS labels must permit the elimination of the affected source.
1 Failures detected from the processing of the status matrices:
These failures are not latched.
2 Failures not detected by self-test from:
- A 3 IRS-source vote for the yaw rate and the lateral acceleration
- A two-by-two comparison for the corrected airspeed
- A 3 ADC-source vote for the angle-of-attack.
The table given below gives the consequences of the ADIRS failures on the FAC functions.
NOTE: In order to get a correct cross comparison of angle-of-attack in case of important side-slip, angle-of-attack No.3 is corrected by side-slip compensation.
The principle of recognition and elimination of the source is:
- Corrected airspeed
The three sources are compared two by two. When a source is involved in the tripping of comparators (OWN source and source 3, OWN source and OPPOSITE source, source 3 and OPPOSITE source), it is eliminated and the reconfiguration source can be chosen (source 3). This result is sent to the monitoring channel to change the computation source if required.
At the second failure : the gains which depend on Vc are frozen and the behaviour of the system is contingent on the type of the second failure (detected or not)
- Yaw rate, lateral acceleration and angle-of-attack
The three sources are voted in the command channel. The source which is far enough from the retained mid value is eliminated and replaced by a null value at the voter input.
The result of the source elimination is used in the command and monitoring channels.
In the event of a second failure, the vote principle is no longer used. Reconfigurations are shown in reconfiguration Table.
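The source recognition principle above for a first failure, sketched in C as an added example (not code from the manual or the FAC). The threshold values, the function names, and the rule that a source is isolated only when both of its comparators trip while the third does not are assumptions; second-failure handling is left out because the page defers it to the reconfiguration table.

```c
#include <stdbool.h>

/* Source indices named after the page's OWN / OPPOSITE / source 3. */
enum { SRC_OWN = 0, SRC_OPP = 1, SRC_3 = 2, SRC_NONE = -1 };

static double absdiff(double a, double b) { return a > b ? a - b : b - a; }

/* Two-by-two comparison (corrected airspeed). A comparator trips when two
 * sources differ by more than thr (assumed value; the page gives none).
 * Returns the one source present in both tripped comparators, or SRC_NONE
 * when no single source can be isolated. */
int vc_faulty_source(const double vc[3], double thr)
{
    bool own_opp = absdiff(vc[SRC_OWN], vc[SRC_OPP]) > thr;
    bool own_3   = absdiff(vc[SRC_OWN], vc[SRC_3])   > thr;
    bool opp_3   = absdiff(vc[SRC_OPP], vc[SRC_3])   > thr;

    if (own_opp && own_3 && !opp_3) return SRC_OWN;
    if (own_opp && opp_3 && !own_3) return SRC_OPP;
    if (own_3 && opp_3 && !own_opp) return SRC_3;
    return SRC_NONE;
}

/* Computation source after the check: OWN, or source 3 if OWN is eliminated. */
int vc_select_source(const double vc[3], double thr)
{
    return vc_faulty_source(vc, thr) == SRC_OWN ? SRC_3 : SRC_OWN;
}

static double mid_value(double a, double b, double c)
{
    if ((a >= b && a <= c) || (a <= b && a >= c)) return a;
    if ((b >= a && b <= c) || (b <= a && b >= c)) return b;
    return c;
}

/* Three-source vote (yaw rate, lateral acceleration, angle-of-attack).
 * eliminated[] is kept by the caller between cycles. An eliminated source
 * enters the voter as a null value, as the page describes. At most one
 * source (the farthest from the mid value) is eliminated per call. */
double vote3(const double in[3], bool eliminated[3], double thr)
{
    double v[3];
    int worst = SRC_NONE;

    for (int i = 0; i < 3; i++) v[i] = eliminated[i] ? 0.0 : in[i];
    double mid = mid_value(v[0], v[1], v[2]);

    for (int i = 0; i < 3; i++)
        if (!eliminated[i] && absdiff(v[i], mid) > thr &&
            (worst == SRC_NONE || absdiff(v[i], mid) > absdiff(v[worst], mid)))
            worst = i;

    if (worst != SRC_NONE) { eliminated[worst] = true; v[worst] = 0.0; }
    return mid_value(v[0], v[1], v[2]);
}
```

With a null value substituted at the voter input, the vote over two healthy positive sources returns the lower of the two, which is why the elimination flags also have to be passed on to the monitoring channel.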
(2) Monitoring of landing gear (LGCIU) and flap/slat (SFCC) data
The FACs utilize the landing gear and flap/slat data in their computations. These data are used by the FMGC.
Each FAC only receives one SFCC or LGCIU source. The computer utilizes these data after validation and then transmits them.
In the event of non-validation of these data, the opposite source is retained.
Its information is transmitted through the bus of the opposite FAC.
If no source is available, fixed values are retained and transmitted.
(a) Data validation
Connection between the FAC and the sources is accomplished through:
- An ARINC 429 bus
- A hard-wired discrete.
These values are used:
- For the SFCC: slats extended
- For the LGCIU: nosewheel compressed.
- Bit-by-bit check of the lever data for the SFCC
- Check of the surface jamming for the SFCC
- Check of consistency between the landing gears for the LGCIU.
(b) Fixed values
In case of total lack of data, these values are retained:
- position Full in landing gear extended configuration (dual SFCC failure)
- position 0/0 in landing gear retracted configuration (dual SFCC failure)
- position in landing gear retracted configuration (dual LGCIU failure).
(3) Specific monitoring of FMGCs and ELACs
The FMGCs and the ELACs generate the deflection orders which will be accomplished by the FAC.
Particular monitoring functions are integrated to ensure that the slaving is active.
(a) FMGC:
- Check for correct reception of the AP-engaged signals
- Transmission to the FMGC of a signal which indicates that the FAC no longer executes automatic orders (AUTO MODE signal by boolean).
This signal disconnects the AP.
(b) ELAC:
- Transmission to the ELAC of a hard-wired discrete signal (YAW IN NORMAL LAW) which indicates the correct execution of the order.
This order serves to switch the ELAC to the roll direct law as necessary.
- Change to the alternate law controlled only by the ELAC to ensure synchronism of operation with the SEC (Spoiler Elevator Computer).
D. Monitoring of Internal Power Supplies
Each processor has an independent power supply which delivers the +5V, -15V and +15V and the emergency voltages for the safeguards.
Each processor monitors the normal voltages in a cross pattern. This ensures detection of 5 or 15V power-variation greater than 5 % for more than 0.5 second.
To this end, the algebraic sum of the power supplies is acquired and compared to an expected value stored in memory.
Beyond the defined threshold the internal monitoring is activated.
E. Monitoring of Sensors
The analog inputs serve for the acquisition of 400 Hz signals of LVDT and RVDT sensors (these sensors give the position feedback of the yaw damper, rudder trim and RTL actuators).
Each sensor delivers two analog voltages V1 and V2.
The principle of the sensor is such that the ratio
VX / VR = (V1 - V2) / (V1 + V2)
is proportional to the position X of the actuator.
The voltage VR is proportional to the supply voltage of the 26V sensor.
The ratio VX/VR is always strictly less than 1 in normal operation. Each channel integrates a software monitoring function which compares VX/VR to a theoretical value that depends on the type of sensor (LVDT or RVDT). This monitoring function therefore detects the cutoff of wiring inside and outside the sensor. It serves to eliminate the channel related to this sensor.
A 26V compensation is introduced by a comparison in the software between value VR (V1 + V2) and the theoretical VR value obtained for a nominal 26V/400 Hz.
For a difference lower than 25 %, a compensation value is added.
For a difference greater than 25 %, a logic of behaviour under short cutoffs is used (Ref. AMM D/O 22-67-00-00).
This logic ensures:
- For short cutoffs (less than 200 ms) : the inhibition of the system without disconnection
- For long cutoffs : the disconnection of the system.
Specific software has been implemented to detect any jamming of the rudder position transducer unit.
F. Safety Tests
(1) General
These tests check the correct operation of the digital section and safety devices.
These tests are activated on the ground (nosewheel shock absorber compressed and both engines shut down) after a power cut-off greater than 4 seconds. Hardware inhibitions are provided (nosewheel signals to avoid any untimely activation in flight).
These tests are automatic and last for approximately 1 minute. They are initiated in sequence in the command and monitoring channels.
All the sequences must be present to validate the final result and enable the engagement of the system and functions.
The test results are stored in non-volatile EEPROM and used in:
- The global logic of the FAC (common part test)
- The logic specific to the function (yaw, rudder trim, rudder travel).
(2) General organisation
These tests check:
- The digital section
- The synchronization between command and monitoring channels
- The safety hardware devices (hard-wired logic, watchdog, etc.)
(3) Components tested
These tests deal with:
- The memory module (recognition of the memory modules and acknowledgement of their consistency with the computer and the expected software version)
- The CPU RAM (bit-by-bit test of data and addresses)
- The ARINC RAM (same as above)
- The ARINC EEPROM (test of ARINC label conformity)
- The watchdog (tripping)
- Power monitoring (activation)
- The FAC HEALTHY signals (FAC internal monitoring)
- The engage hard-wired logics of the yaw, rudder trim and RTL systems
- The return-to-low speed logic of the rudder travel limitation unit
- The memory module (OBRM): soft identification, checksum
- The pin programming with parity check (odd parity).
FAC Engagement Principle