Embedded Control Systems Design/Aviation
This Applications chapter discusses the entire system that enables planes to fly and communicate with each other. Taking off and landing multiple planes at major airports, for instance, is a difficult task that requires many subsystems. The main functionalities of the entire flight management system are navigation, flight planning and aircraft control.
There are three main levels in the full flight management system:
- Air Traffic Control
ATC contains everything that enables planes to communicate directly with each other, or through a control tower. This level is essential to create a global coordinated system that transports people or equipment.
- Flight Control System
FCS is the entire system that enables one plane to take off, stay in the air, and land. Many of an airplane's embedded control systems are linked to this functionality and are components of the Flight Control System.
Each component has a specific task in an airplane. Most of them have a very straightforward functionality and are easy to describe as an embedded system. For example: door opening mechanism, engine control, inflight entertainment system, Integrated Modular Avionics (IMA), black box, ...
The goal of this applications chapter is to point out the requirements of the different system levels in aviation and their impact on the design. There are many links to other sites for detailed functionality information.
Air Traffic Control 
Of all the different system levels, ATC is the top level. This is a special level because it doesn’t exist in other applications like automotive, where there is no global communication between vehicles. The primary goal of ATC is collision prevention, which requires communication and radar systems. To provide redundancy, most aircraft are equipped with TCAS (Traffic alert and Collision Avoidance Systems).
Flight Control System 
There are a lot of embedded control systems in an airplane. One of them is the flight control system which controls the flight trajectory and the stability of the airplane. The actuators of this system are the engines and the movable devices of the main wing and tail. They are actuated by the pilot and by the embedded control system of the airplane.
Different kinds of FCS exist. They are categorized according to the number of axes they control. A one-axis FCS prevents the plane from rolling. A two-axis FCS also makes it possible to control the direction of flight. The three-axis FCS is even more complex, adding the ability to climb and descend automatically.
The figure above is a schematic overview of the flight control system. The flight control system (FCS) controls the flight trajectory and the stability of the airplane. The actuators of this system are the engines and the movable devices of the main wing and tail. They are actuated by the pilot and by the embedded control system of the airplane. This includes stability control, automatic pilot and engine control. The control outputs are calculated from sensor inputs, like navigation systems, weather radar, velocity measuring, altitude measuring, sensors in the engine...
Technical requirements 
Airplane systems have specific requirements that are not found or are not as critical in other systems:
Airplanes are made using strong but light materials. The aviation industry was the first to use aluminium on a large scale, and modern materials such as carbon fibre are beginning to make their entry. The weight requirement is also one of the reasons for the evolution from a mechanical linkage to a fly-by-wire system.
Material quality must be high; less variation in material properties is allowed in aviation. Even though the black box is useless considering the safety of a single flight, it provides a crucial feedback loop in the entire design and maintenance process.
- Dependability (Reliability, Maintainability, Availability)
Many systems are built with redundancy in order to increase reliability. Airplanes are also maintained frequently. Dependability is very important for safety: the flight control system must be available at all times, unlike in automotive, where simply stopping is an option.
- Stability control
Larger planes are always equipped with an auto-pilot of some sort. This control system can work in different ways. In most planes, a control system is optional and is used to simplify the pilot's task. Other planes, usually military, need a control system because they are inherently unstable and no human could control them without a control system. More recently, stability control also exists in automotive, where systems such as ABS and ESP are making their entry.
Other more common requirements are size, response time, cost, energy consumption, noise control, fun factor, ... (see how they are dealt with in automotive)
Legislation requirements 
Because of the high safety and dependability requirements, regulation for aircraft systems is very strict. Software (DO-178B), hardware (DO-254) and network (AFDX) design are all standardized. Therefore, the certification of a new aircraft design and the paper trail that comes with it are very complex and time-consuming. The whole procedure can be found on the site of the Federal Aviation Administration: http://www.faa.gov/licenses_certificates/ Not only the airplane but also the pilot is subjected to high demands. Pilot training, testing and certification procedures can also be found on the site.
As one can imagine, there are a lot of possible system designs. There is also the difficult task of combining their strengths in order to meet the imposed requirements. Due to the extra dependability requirements some backup systems must be preserved, which makes everything even more complex. The design of an airplane, and more specifically of its control system, is an iterative design. The concept was already invented in the early days of aviation. Each airplane is the product of an iteration step that approximates the 'ideal' airplane more and more closely. In the early days design was mainly based on the experience of the designer, but as complexity grows, a more systematic method is needed. An example and discussion of such a computer-aided design method can be found in the following paper by Airbus. http://www.mip.ups-tlse.fr/publis/files/06.26.pdf
The pilot interacts with the airplane systems and can therefore be considered part of the flight control system.
The pilot must be well trained and experienced so he can react appropriately in case of unexpected situations or system failures. The plane design is based on this assumption, unlike automotive, where far less training is required.
To make interaction possible between the pilot and the airplane systems, the airplane has an HMI (human machine interface). A good HMI design can greatly reduce the amount of effort needed to control the aircraft.
In larger airplanes with an auto-pilot, the pilot can also be seen as a redundant system to fly the plane if the auto-pilot fails. Even the pilots themselves can replace each other. Even though they are supposed to do different tasks, all pilots can fly the plane in case of an emergency. In the early days, up to four pilots were needed to control an airplane; now only two are required for large airplanes.
The following sensors are commonly used by FCS. The objective is mainly to navigate the aircraft autonomously. Therefore an inertial navigation system is used. An aircraft has six independent degrees of freedom, three rotational and three translational. If they are all measured, it is possible to navigate and control an aircraft. The rotational movements are measured by three gyroscopes. The translational movement is measured by accelerometers. Because of the rotational movement of an aircraft, it is necessary to place the accelerometers on a frame which is referenced parallel to the Earth's surface. This is done using the measurements of the gyros. In military aircraft, all measurements are performed by accelerometers. These are attached rigidly to the aircraft. Three of these are then used to measure the angular acceleration. By integration, the angles (roll, pitch and yaw) are calculated and used to derive the translation measured by the other accelerometers.
Control System 
The autopilot is a system that serves to diminish the workload of the pilot. After long hours in the air, the pilot must be concentrated enough to be able to land safely. Another reason to use a control system in larger planes is the fact that the control surfaces of these planes require large control forces, which are impossible for a human pilot. Furthermore, a computer-controlled system is more accurate.
Sensors will produce a signal according to the direction the aircraft is flying. The control system will compare this information with the desired direction. If there is a difference between the two, it will try to correct the present situation by controlling the actuator. In the more advanced three-axis systems, more signals will be used than in the one-axis system. The control system will control both the desired orientation of the plane and the desired course of the aircraft (in direction and altitude). Some aircraft, especially military fighters, are designed to fly unstable. This means that the center of lift lies ahead of the center of gravity. In that case a small deflection from the balanced situation will cause the aircraft to become unstable and uncontrollable. This behaviour is desired in military fighters to be able to make short turns and react quickly. The response time will indeed be shorter when flying an unstable aircraft. Because a human won't be able to control such an aircraft, the control system is very important to keep the aircraft virtually stable.
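The loop described above, written out as an added example (not part of the original chapter): a proportional controller holding an inherently unstable pitch axis, with and without the control system in the loop. The first-order model, its constants and the actuator limit are assumptions chosen for illustration, not data for any real aircraft.

```c
#include <stdio.h>

#define A_UNSTABLE 1.0   /* 1/s, assumed: positive, so a deflection grows by itself */
#define B_SURFACE  1.0   /* assumed effectiveness of the control surface */
#define DT         0.01  /* s, assumed control-loop period */

/* Limit the actuator command to the travel of the control surface. */
static double clamp(double v, double lim)
{
    return v > lim ? lim : (v < -lim ? -lim : v);
}

/* Runs the loop for `steps` cycles and returns the final pitch angle (rad).
 * gain == 0 means "no control system" (open loop). */
double simulate(double theta0, double desired, double gain, double u_max, int steps)
{
    double theta = theta0;
    for (int i = 0; i < steps; i++) {
        double error = desired - theta;         /* sensor signal vs. desired value */
        double u = clamp(gain * error, u_max);  /* correction sent to the actuator */
        theta += DT * (A_UNSTABLE * theta + B_SURFACE * u);  /* Euler step of the model */
    }
    return theta;
}

int main(void)
{
    /* 500 cycles = 5 s; all initial deflections are constructed values. */
    printf("open loop, 0.01 rad:   %g\n", simulate(0.01, 0.0, 0.0, 0.5, 500));
    printf("closed loop, 0.01 rad: %g\n", simulate(0.01, 0.0, 4.0, 0.5, 500));
    printf("closed loop, 0.40 rad: %g\n", simulate(0.40, 0.0, 4.0, 0.5, 500));
    printf("closed loop, 0.60 rad: %g\n", simulate(0.60, 0.0, 4.0, 0.5, 500));
    return 0;
}
```

The last case shows the limit of the approach: once the deflection is larger than the saturated actuator can counter, the controller no longer recovers the aircraft.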
Dependability requirement for control systems 
Now an important aspect, dependability requirements, is explained. This is applicable to any embedded control system where the dependability requirement is important. The design of a control system is an iterative process. Several systems have been used and replaced, and nowadays fly-by-wire is a hot topic. Regarding the design criteria and especially the dependability requirement, the designers have chosen to use two identical computers for the Flight Control (see image). The exact software implementation is not known, but some questions can be posed:
- How do you know which signal of which computer is the correct one?
- What if one computer breaks down?
- Is there enough redundancy?
Maybe some modifications to this configuration can be made. The first possible configuration uses two computers. It can be useful to run different algorithms, which are developed separately by different companies. These different algorithms perform the same calculations. The results can be compared and a vote can be held to produce one final output signal. Another possibility is to increase the number of computers. Nowadays as many as 5 computers can be used.
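One way to implement the comparison and voting described above, as an added example that is not code from the original chapter or from any aircraft manufacturer. The tolerance, the channel values and the names vote and vote_result are assumptions; the example also shows why two computers can detect a disagreement but a third is needed to decide which one is wrong.

```c
#include <stdio.h>
#include <stddef.h>
typedef struct {
    int      valid;   /* 1 if a strict majority of channels agreed */
    double   output;  /* voted command: mean of the agreeing channels */
    unsigned faulty;  /* bit i set: channel i was offline or outvoted */
} vote_result;

/* Constructed sample commands (deflection in degrees), not real flight data. */
static const int    ALL_UP[3]  = {1, 1, 1};
static const double DUPLEX[2]  = {2.00, 7.50};
static const double TRIPLEX[3] = {2.00, 2.01, 7.50};

static double absd(double x) { return x < 0 ? -x : x; }

/* cmd[i]: command from channel i; alive[i] == 0: channel delivered nothing.
 * tol: largest difference still counted as agreement (assumed value). */
vote_result vote(const double *cmd, const int *alive, size_t n, double tol)
{
    vote_result r = {0, 0.0, 0u};
    size_t best = 0, best_count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!alive[i]) { r.faulty |= 1u << i; continue; }
        size_t count = 0;
        for (size_t j = 0; j < n; j++)
            if (alive[j] && absd(cmd[i] - cmd[j]) <= tol) count++;
        if (count > best_count) { best_count = count; best = i; }
    }
    /* No strict majority of all n channels: the disagreement is detected
     * but cannot be attributed, so no output is declared valid. */
    if (2 * best_count <= n) return r;
    double sum = 0.0;
    for (size_t i = 0; i < n; i++) {
        if (!alive[i]) continue;
        if (absd(cmd[i] - cmd[best]) <= tol) sum += cmd[i];
        else r.faulty |= 1u << i;
    }
    r.valid = 1;
    r.output = sum / (double)best_count;
    return r;
}

int main(void)
{
    vote_result d = vote(DUPLEX, ALL_UP, 2, 0.05), t = vote(TRIPLEX, ALL_UP, 3, 0.05);
    printf("duplex:  valid=%d\n", d.valid);
    printf("triplex: valid=%d output=%.3f faulty=0x%x\n", t.valid, t.output, t.faulty);
    return 0;
}
```

A caller that receives valid == 0 has to fall back to a safe state or hand control to the pilot; a triplex system with one channel offline behaves like the duplex case.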
In order to explain why there is a quest for full fly-by-wire, a short overview of the systems used in the early days and nowadays is given. Basically, the pilot's action consists of moving the stick. The stick can be directly coupled to the movable wing devices, there can be a servo mechanism, or the action of the pilot can be measured and an electric signal generated. In the last case, the direct mechanical coupling between the pilot and the movable wing devices is removed. This is fly-by-wire.
Pros and cons of fly-by-wire
- (+) The size of the airplane or weather conditions are not important. The force that has to be delivered by the pilot can be perfectly controlled.
- (+) Using a haptic interface, the 'feel' of all airplanes can be generalized. This can reduce the required amount of pilot training or experience and thus decreases the cost of the 'pilot' component.
- (+) The action of the pilot can be processed as an electrical signal together with the outputs of sensors, in order to obtain optimal control, which can be safer, consume less energy and be fun to fly for the passengers.
- (+) Electrical systems have less weight.
- (-) Because the direct coupling between pilot and actuator has vanished and the system is more complex, a failure of one of the signal processing or transmitting elements can be fatal. Much attention must be paid to dependability.
- (-) Since electric systems depend fully on electricity, a power breakdown is fatal.
Another aspect of fly-by-wire systems is the architecture used. In 'Principles of Avionics' (see references), the different possible architectures are given other names than here in this book. Both names will be given.
Central architecture -- centralized hardware/centralized software 
- One computer is used for, let's say, maybe 10 subsystems. As all hardware is centralized, the environment can be controlled very well. Maintenance of these systems is also easy.
- To meet the dependability requirement, maybe three computers can be used, which is still fewer than 10 computers for 10 subsystems.
- All calculations are centralized, so analog sensor signals must be transported over a long range, making them sensitive to noise.
Distributed architecture -- distributed hardware/distributed software 
- Calculations take place in the sensors. Only results are transmitted.
- There is no central system, so the subsystems must be capable of communicating with each other.
- If every sensor has software for its own calibrations, then changing the sensor is easy, because no modifications must be made to a central system.
Federated architecture -- distributed hardware/centralized software 
- It is a compromise between central and distributed architecture.
- There are fewer subsystems than in the case of distributed hardware, but more than in the case of centralized hardware.
- Because the whole system is divided into functional blocks, e.g. a system for engine control and a system for communications, the failure of one of those will not influence the others.
Additional information about fly-by-wire is already extensively covered on Wikipedia in Aircraft flight control systems.
The control surfaces of aircraft are actuated by servo motors. The following is important in the design of the actuating chain. If the servo motor fails, the system should fall back to manual control. Otherwise the pilot would lose control over the whole plane. In larger planes, control surfaces are always steered by motors. The forces acting on these planes are too high for a human to bear. Still, a mechanical connection exists. The system is called “servo assisted”. In the more advanced aircraft, a system called “fly by wire” is used. Here there is no mechanical connection anymore, and the aircraft is fully controlled by servo motors. The pilot only uses a small sidestick, which generates the controlling signals.
The example of the flight control system applied to a Boeing 737 was removed due to its length and relevance regarding the flight control system described on a system level.
There are many embedded control systems in an airplane on the component level. Only some of the more interesting ones will be explained in further detail.
Black Box 
The FDR (flight data recorder) or black box is a special component in the way that it interacts with aircraft systems. It is designed to record specific aircraft data, often used for crash investigation. The design is subjected to internationally recognized standards. The requirements and design are described in the link above.
Integrated Modular Avionics 
IMA represents standardized computer network systems which simplify the development of avionics software. It is a concept which proposes an integrated system architecture analogous to the AUTOSAR architecture in automotive applications. Apart from easier software development, it also simplifies hardware and software integration and maintenance.
- Flight-control system architecture optimization for fly-by-wire airliners by Christophe BAUER, Kristen LAGADEC, Christian BES and Marcel MONGEAU.
- Redundancy Management Technique for Space Shuttle Computers by J. R. Sklaroff.
- Principles of Avionics by Albert Helfrick