Conference Paper

Safety critical avionics for the 777 primary flight controls system


Abstract

The new technologies in flight control avionics selected for the Boeing 777 airplane program consist of the following: Fly-By-Wire (FBW), the ARINC 629 bus, and deferred maintenance. The FBW system must meet extremely high levels of functional integrity and availability. The heart of the FBW concept is the use of triple redundancy for all hardware resources: computing system, airplane electrical power, hydraulic power and communication path. The architecture of the 777 flight controls system follows the earlier Boeing 7J7 design. The Boeing-designed global DATAC bus, also known as the ARINC 629 data bus, is used to communicate among all computing systems. Each DATAC bus is isolated, both physically and electrically, from the other two. The three DATAC buses are not synchronized. The control system performance under autonomous and asynchronous DATAC bus operation has been studied. The primary flight computers (PFCs) form a triple-triple redundant system: three PFC channels, with three computing lanes in each channel. Each channel is also isolated, both physically and electrically, from the other two. The microprocessor hardware of the three computing lanes in each channel is dissimilar, to facilitate detection of generic design errors in the most complex hardware devices, the microprocessors. The Byzantine Generals problem has been considered in the design of the PFC redundancy management to cope with functional asymmetry and communication asymmetry. Deferred maintenance provides hot spare modules within an LRU so that airplane dispatchability can be enhanced. This concept is applied to the three major avionics systems: the PFC, the Air Data Inertial Reference Unit (ADIRU) and the Airplane Information Management System (AIMS).
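The abstract's mention of "functional asymmetry and communication asymmetry" is the Byzantine case in voting: a faulty channel that sends different values to different receivers. The following simulation is an added illustration, not the 777 PFC's own redundancy-management algorithm (which the abstract does not describe). It uses a generic mid-value-select voter and Lamport's oral-messages exchange OM(1); the channel values, the two-faced fault pattern and the `DEFAULT` substitute value are constructed for the demo.

```python
"""Added illustration: a two-faced (Byzantine) source breaks a plain
mid-value-select voter, while one round of relayed exchange (Lamport's
oral-messages algorithm OM(1), which needs n >= 3f+1 nodes) restores
agreement. Hypothetical model, not the 777 PFC's own logic; all values
are constructed for the demo."""
from collections import Counter
from typing import Callable, Dict, List, Optional

DEFAULT = 0.0  # value substituted for a source the receivers cannot agree on
TwoFaced = Callable[[int, int, float], float]  # (sender, receiver, honest) -> value actually sent


class Channel:
    """A voting channel. With `two_faced` set it is Byzantine: it may send a
    different value to every receiver (communication asymmetry)."""

    def __init__(self, cid: int, value: float, two_faced: Optional[TwoFaced] = None):
        self.cid, self.value, self.two_faced = cid, value, two_faced

    def send(self, receiver: int, honest: float) -> float:
        return honest if self.two_faced is None else self.two_faced(self.cid, receiver, honest)


def mid_value_select(values: List[float]) -> float:
    """Median voter (upper median for even counts); masks one outlier among three."""
    s = sorted(values)
    return s[len(s) // 2]


def majority(votes: List[float]) -> float:
    """Strict majority of the votes, or DEFAULT when there is none."""
    value, count = Counter(votes).most_common(1)[0]
    return value if count * 2 > len(votes) else DEFAULT


def select_without_exchange(channels: Dict[int, Channel]) -> Dict[int, float]:
    """Single round: each channel votes on its own value plus what it received
    directly. A two-faced channel can make two good channels disagree."""
    result = {}
    for cid, me in channels.items():
        received = [src.send(cid, src.value) for src in channels.values() if src.cid != cid]
        result[cid] = mid_value_select([me.value] + received)
    return result


def select_with_exchange(channels: Dict[int, Channel]) -> Dict[int, float]:
    """OM(1): round 1 broadcasts values, round 2 relays what was heard; each
    channel then takes a per-source majority and votes on the agreed vector."""
    ids = list(channels)
    direct = {r: {} for r in ids}                    # direct[receiver][source]
    for src in channels.values():
        for r in ids:
            if r != src.cid:
                direct[r][src.cid] = src.send(r, src.value)
    relayed = {r: [] for r in ids}                   # relayed[receiver] = [(source, value)]
    for relay in channels.values():
        for src_id, heard in direct[relay.cid].items():
            for r in ids:
                if r not in (relay.cid, src_id):
                    relayed[r].append((src_id, relay.send(r, heard)))
    result = {}
    for cid in ids:
        agreed = []
        for src_id in ids:
            if src_id == cid:
                agreed.append(channels[cid].value)
                continue
            votes = [direct[cid][src_id]] + [v for s, v in relayed[cid] if s == src_id]
            agreed.append(majority(votes))
        result[cid] = mid_value_select(agreed)
    return result


def two_faced_lie(sender: int, receiver: int, honest: float) -> float:
    """Constructed fault pattern: +90 to receiver 0, -90 to everyone else."""
    return honest + (90.0 if receiver == 0 else -90.0)


def demo_triplex() -> Dict[int, float]:
    """Three channels, channel 2 two-faced: good channels 0 and 1 diverge."""
    chans = {0: Channel(0, 10.0), 1: Channel(1, 12.0), 2: Channel(2, 11.0, two_faced_lie)}
    return select_without_exchange(chans)


def demo_quad() -> Dict[int, float]:
    """Four channels (n >= 3f+1 with f=1), channel 3 two-faced: good channels agree."""
    chans = {0: Channel(0, 10.0), 1: Channel(1, 12.0), 2: Channel(2, 11.0),
             3: Channel(3, 11.5, two_faced_lie)}
    return select_with_exchange(chans)


if __name__ == "__main__":
    print("triplex, no exchange:", demo_triplex())   # channels 0 and 1 select different values
    print("quad, OM(1) exchange:", demo_quad())      # channels 0, 1, 2 select the same value
```

In the triplex run, channel 0 selects 12.0 and channel 1 selects 10.0 from the same physical situation, so two healthy channels would drive the surfaces differently. OM(1) needs n ≥ 3f + 1; with only three channels and one two-faced fault the majority step can discard a correct channel's value, which is why the bound, not just "three copies", is the check to make when a design claims Byzantine tolerance.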


... It is a highly redundant, highly available system comprising the fly-by-wire avionics controls and is a rare example of a true Triple Modular Redundant (TMR) system (with little exception the highest level of redundant design, having three redundant components for each single point of failure), in computer nodes, software, and hardware alike. It has service metrics requiring a maximum failure rate of the flight computers of 1.0×10^-11 failures/hour (i.e. a failure of the flight computers less than once in 100 billion flight hours) [10]. This is an example of what can be done with sufficient effort and due diligence: a computer system millions of passengers a year put their trust in. ...
... Large companies can and do make mistakes, and a patch failure that in individual systems may cause pain and irritation could lead to a catastrophic failure or outage on a critical system (footnote 10). Finally, one of the bigger trends in current computation lies in the increase in the use of virtual and cloud computing systems. Distributed systems such as these can offer significantly lower costs if (and this is still a big "if") their security and reliability metrics can meet the requirements of their customers. ...
... It is hoped that the ideas in this paper will provide assistance to administrators and system engineers, and especially the astronautical community. Aspirational goals are presented here, in the hope of providing a guideline to follow for your own design. [Footnote 10: It may be instructive to examine the release schedule (and the subsequent system failure reports) for the firmware and software updates for the Meltdown/Spectre vulnerabilities of 2018. Having a running server is in most cases preferable to one that is "currently patched" but "awaiting motherboard replacement."] ...
... Wired fieldbus costs include the cable harness design, the labor-intensive cable manufacturing, and the operating and maintenance costs of fibers and connectors [3], [4], [5]. In particular, the critical flight control systems require complex redundant fieldbus channels where the channels are physically and electrically separated from each other to improve fault tolerance [6]. For instance, a large commercial transport airplane like Boeing 747 includes roughly 228 km of wire, which weighs approximately 1,587 kg [4]. ...
... Redundant components of cable harnesses are the main techniques to achieve a fault-tolerant aircraft design [6], [34]. However, duplicated cables using identical technology are generally vulnerable to common failures such as lightning strike or fire. ...
... WAIC must provide efficient fault-detection and diagnosis mechanisms to meet the high criticality level and the required probability of failure [6], [34], [160]. However, the major avionics systems still rely on manual, template-driven schemes for fault detection and diagnosis [6], [161]. ...
Article
Full-text available
In the aeronautics industry, wireless avionics intra-communications have a tremendous potential to improve efficiency and flexibility while reducing weight, fuel consumption, and maintenance costs over traditional wired avionics systems. This survey starts with an overview of the major benefits and opportunities in the deployment of wireless technologies for critical applications in an aircraft. The current state of the art is presented in terms of system classifications based on data rate demands and transceiver installation locations. We then discuss major technical challenges in the design and realization of the envisioned aircraft applications. Although wireless avionics intra-communication has aspects and requirements similar to mission-critical applications of industrial automation, it also has specific issues such as wireless channels, complex structures, operations, and safety of the aircraft that make this area of research self-standing and challenging. Existing wireless techniques are discussed to investigate the applicability of the current solutions for the critical operations of an aircraft. Specifically, IEEE 802.15.4-based and Bluetooth-based solutions are discussed for low data rate applications, whereas IEEE 802.11-based and UWB-based solutions are considered for high data rate applications. We conclude the survey by highlighting major research directions in this emerging area.
... Wired fieldbus costs include the cable harness design, the labor-intensive cable manufacturing, and the operating and maintenance costs of fibers and connectors [3], [4], [5]. In particular, the critical flight control systems require complex redundant fieldbus channels where the channels are physically and electrically separated from each other to improve fault tolerance [6]. For instance, a large commercial transport airplane like Boeing 747 includes roughly 228 km of wire, which weighs approximately 1,587 kg [4]. ...
... Redundant components of cable harnesses are the main technique used to achieve a fault-tolerant aircraft design [6], [23]. However, duplicated cables using identical technology are generally vulnerable to common failures such as lightning strike or fire. ...
... To meet strict safety demands, WAIC must provide efficient fault-detection, isolation, and recovery mechanisms [6], [23]. However, the major avionics systems still rely on manual, template-driven schemes for fault detection, isolation, and recovery [6], [167]. ...
Preprint
Full-text available
In the aeronautics industry, wireless avionics intra-communications have a tremendous potential to improve efficiency and flexibility while reducing the weight, fuel consumption, and maintenance costs over traditional wired avionics systems. This survey starts with an overview of the major benefits and opportunities in the deployment of wireless technologies for critical applications of an aircraft. The current state of the art is presented in terms of system classifications based on data rate demands and transceiver installation locations. We then discuss major technical challenges in the design and realization of the envisioned aircraft applications. Although wireless avionics intra-communication has aspects and requirements similar to mission-critical applications of industrial automation, it also has specific issues such as complex structures, operations, and safety of the aircraft that make this area of research self-standing and challenging. To support the critical operations of an aircraft, existing wireless standards for mission-critical industrial applications are briefly discussed to investigate the applicability of the current solutions. Specifically, IEEE 802.15.4-based protocols and Bluetooth are discussed for low data rate applications, whereas IEEE 802.11-based standards are considered for high data rate applications. Finally, we propose fundamental schemes in terms of network architecture, protocol, and resource management to support the critical avionics applications and discuss the research directions in this emerging area.
... From the design perspective, the fact that Fly-By-Wire Systems use copper wiring to convey pilot commands to control surfaces means that engineers are free to route the wires through the aircraft wherever they choose without increasing cost or degrading the performance of the controls. For airlines, the reduced weight of Fly-By-Wire Flight Control Systems translates into lower operational costs and higher profit margins [18][19][20][21]. Digital Flight Control Systems also facilitate the introduction of computer-based technology to monitor the pilot input to ensure that the aircraft does not stall or otherwise depart from its flight envelope [18][19][20][21]. ...
... For airlines, the reduced weight of Fly-By-Wire Flight Control Systems translates into lower operational costs and higher profit margins [18][19][20][21]. Digital Flight Control Systems also facilitate the introduction of computer-based technology to monitor the pilot input to ensure that the aircraft does not stall or otherwise depart from its flight envelope [18][19][20][21]. Digital Flight Control Systems introduce new concerns, including the use of new software in a Flight Control System, the susceptibility of electrical wiring to Electromagnetic Interference (EMI), and the difficulty in modeling the possible flight conditions a Flight Control System might encounter [18][19][20][21]. ...
... Digital Flight Control Systems also facilitate the introduction of computer-based technology to monitor the pilot input to ensure that the aircraft does not stall or otherwise depart from its flight envelope [18][19][20][21]. Digital Flight Control Systems introduce new concerns, including the use of new software in a Flight Control System, the susceptibility of electrical wiring to Electromagnetic Interference (EMI), and the difficulty in modeling the possible flight conditions a Flight Control System might encounter [18][19][20][21]. ...
Article
Full-text available
This paper explains why the combination of programming codes represents a true engineering tool for investigating aircraft systems. Flight safety and flying quality are extremely important to the modern aviation industry. The aircraft responses measured during real flight are compared to the responses obtained from the simulations. Typically, aircraft problems consist of finding solutions for basic work in all kinds of areas, using knowledge from fields of science such as physics, mathematics and computer science. The purpose is to present such problems solved by computer simulations. Some of the advantages of performing numerical simulations are the low risk and low cost involved as compared to performing aircraft experiments. Another major advantage is the physical insight one can gain into the behavior of the system subjected to different conditions and different values of the characteristic parameters of the aircraft's dynamic performance.
... One of the means of protecting aircraft against the adverse and severe impact of gusts is the set of procedures described in the aircraft flight manual. Procedures often assume that, during flight at cruising altitude, the auto-throttle system needs to be reloaded or disabled to prevent exceeding the maximum allowed speed regardless of previously set limitations [12]. Hence, during gusts, both precision and reaction time are insufficient. ...
... Based on analysis of the on-board measurement systems of the aircraft and taking into consideration the increasing reactive capabilities of direct measurements, it was observed that the auto-throttle input signal, which refers to the airspeed, comes from the left and right air data inertial reference units (ADIRUs). Every ADIRU consists of two subsystems: air data reference (ADR) and inertial reference (IR) [12,13]. The IR subsystem is based on three laser gyroscopes and three accelerometers, providing data about attitude, heading, present position, and acceleration. ...
... By introducing gain factors k_1, k_2, k_3, and k_4, Equation (11) takes the form of (12). ...
Article
Full-text available
Currently, quite accurate measurements of atmospheric gusts are carried out by airport systems only in the vicinity of the runways. The availability of information about real wind gusts at cruising altitudes and during approach at a considerable distance from the airfield is still an open issue. Standard on-board systems of a jet transport airplane provide some information, and it is desirable to know how flight parameters reflect real gust parameters and their impact on the aircraft dynamics. The paper proposes an algorithm for headwind gust magnitude estimation in relation to aircraft response. The analysed estimation algorithms assume the use of data available from the existing on-board systems only, without the employment of any extra sensors or ground and satellite systems. In this way, many problems caused by different structures, configurations, and ways of installing additional sensors, and by structural changes, are avoided. The algorithms use the classical method for estimation of wind parameters as well as a linear longitudinal model of aircraft dynamics, taking into account the influence of wind gusts. Data fusion was realised with the use of three filtration methods. Results were evaluated to select the most accurate method of estimation. Test data were obtained from advanced flight simulation. The experimental scenario considered a flight of a passenger twin-engine jet airplane through a layer of programmed gusts. The results of the flight simulations allowed us to determine the accuracy of the proposed gust estimation algorithms in reference to the ideal wind-speed data obtained directly from the simulation environment (to the accuracy of the simulation process).
The use of the proposed gust estimation algorithms may provide a more accurate signal for integrated on-board systems, especially for wind shear detection and faster response of flight control systems such as auto-thrust or auto-throttle systems, protecting aircraft against the adverse impact of encountered wind shear or gusts. The dedicated algorithm presented in the paper may increase the safety level of the take-off and approach phases in gusty conditions and also during significant changes in wind speed at cruising altitudes when crossing an area of jet stream occurrence.
... Fault tolerance is currently achieved mainly through the use of physically redundant components. For example, the Boeing 777 flight control electronics consist of three primary flight computing modules, each containing three dissimilar processors (Yeh, 1996;2001). The actuators and sensors have similar levels of redundancy. ...
... Alternatively, a triple-redundant actuation system could be used to improve the reliability. For example, the rudders on the Boeing 777 use a triple-redundant actuation system (Yeh, 1996;2001). A triple-redundant architecture will fail if any two of the three actuators fail. ...
Conference Paper
Full-text available
Analytical fault detection algorithms have the potential to reduce the size, power and weight of fault tolerant safety-critical aerospace systems. One obstacle is the need for appropriate tools to certify the reliability of these systems. To complement high fidelity Monte Carlo simulations, this paper presents a theoretical method to assess the probabilistic performance of analytically redundant systems. Specifically, this paper considers a dual-redundant fault tolerant system that uses a fault detection algorithm to switch between the hardware components. The exact system failure rate per hour is computed using the law of total probability. The analysis assumes known failure models for the hardware components as well as knowledge of the probabilistic performance of the fault detection logic. A numerical example is provided to demonstrate the proposed method.
... In the design of critical systems, one of the difficult and important tasks is to ensure that their reliability requirements are met. Examples of such critical systems are: emergency protection systems of nuclear power plants [1,2]; the fault-tolerant TRICON system, which is used in emergency protection systems for petrochemical and chemical plants; fire safety systems of floating platforms; the fault-tolerant TMS-1000R system, which provides protection and control of gas and steam turbines [3]; vehicle-borne information and control computer systems [4], as well as information and control systems of military and civil aviation [5]; and centralized control systems for subway and rail transport [6][7]. ...
... The research results are presented in Fig. 1. The research was conducted for the following parameters: initial number of TS in the MS core n = (5, 7, 9); failure rate λ = 100 failures / 10^6 hours; mean time to connect a TS from hot redundancy into the MS core Th = 0.0001 h; mean time to connect a TS from cold redundancy into hot redundancy Tc = 0.01 h; mean time of MS core reconfiguration Trec = 0.01 h; probability of successful reconfiguration Prec = 0.999; probability of successful TS connection from hot redundancy into the core Ph = 0.999; probability of successful TS connection from cold redundancy into hot redundancy Pc = 0.999. The research demonstrates that a fault-tolerant RES with reconfiguration of the MS, compared with a fault-tolerant RES with a fixed decision rule, improves reliability (mean time to failure): for a fault-tolerant RES with MS "5 out of 9" by a factor of 2.4 (or 140%); with MS "4 out of 7" by a factor of 2.1 (or 110%); with MS "3 out of 5" by a factor of 1.6 (or 60%). ...
Article
Full-text available
This paper addresses the scientific and applied task of increasing the adequacy of analytical reliability models of fault-tolerant radio electronic systems (RES) for reliability analysis and parametric synthesis of RES. These RES are based on a majority structure. An analytical reliability model of fault-tolerant RES with reconfiguration of the majority structure core, which takes into account the changing voting rules, is developed. The proposed model of fault-tolerant RES allows us to design RES that keep the principle of majority voting after failures of technical systems. Two analytical reliability models of fault-tolerant RES with a two-level principle of majority voting are developed. An improved analytical reliability model of maintained fault-tolerant RES based on a majority structure with sliding redundancy and a fixed voting rule allows solving tasks of multivariate analysis (different variants of the redundancy-use algorithm and disaster recovery strategies). This model can solve tasks of reliability parametric synthesis by finding compromises between chosen parameters of fault-tolerant RES, and can be used for comparative research of their reliability.
... Blockchain can be used not only in financial markets (e.g., Bitcoin); application-oriented scenarios [1] are commonly assumed. In blockchain-enabled systems, the smart contract is a major driving force, as it provides automated tracking capability [3]. Blockchain's trustworthy ecosystem is closely connected to procedures or processes through smart contract implementation. ...
... The role of governance requirements in network durability is explored by Liaskos and elsewhere by means of simple R-based design calculations of the PoW competition. Stoykov, Deshpande, Schu sler et al. developed VIBES, a simulator initially planned to explore Bitcoin-like blockchains ([3], [4]; later Ethereum as well, eVibes [5]). By summing up the application of the Bitcoin relation, Neudecker et al. [8] take a very different approach. ...
Conference Paper
It has been proposed that blockchain networks will serve some of contemporary society's most important functions. If used in such a capacity, blockchain network failures could include catastrophes extending beyond citizens, organizations and nations. As such, the highest levels of analytic and scientific validation of blockchain network protocols must be performed prior to widespread implementation, with respect to key protection, trust and efficiency. However, the size of open-access blockchain systems at their envisioned scale precludes exact reproduction and replication in a laboratory setting when conducting analytical evaluations. Instead, it is important to consider abstract operating models (simulators) of proposed technologies. Such simulators must be verified by the scientific community and be highly transparent and reusable, to ensure that concepts are applied and compared easily and reliably as instruments for the research community. We argue that this need can be addressed by applying paradigms from information technology, including model-driven development and product lines. We describe our efforts to build an efficient derived domain meta-model and object-oriented architecture for advanced blockchain network modules.
... Fault tolerance is currently achieved mainly through the use of physically redundant components. For example, the Boeing 777 flight control electronics consist of three primary flight computing modules, each containing three dissimilar processors (Yeh, 1996;2001). The actuators and sensors have similar levels of redundancy. ...
... Alternatively, a triple-redundant actuation system could be used to improve the reliability. For example, the rudders on the Boeing 777 use a triple-redundant actuation system (Yeh, 1996;2001). A triple-redundant architecture will fail if any two of the three actuators fail. ...
Article
Full-text available
Analytical fault detection algorithms have the potential to reduce the size, power and weight of safety-critical aerospace systems. Analytical redundancy has been successfully applied in many non-safety critical applications. However, acceptance for aerospace applications will require new methods to rigorously certify the impact of such algorithms on the overall system reliability. This paper presents a theoretical method to assess the probabilistic performance for an analytically redundant system. Specifically, a fault tolerant actuation system is considered. The system consists of dual-redundant actuators and an analytical fault detection algorithm to switch between the hardware components. The exact system failure rate per hour is computed using the law of total probability. This analysis requires knowledge of the failure rates for the hardware components. In addition, knowledge of specific probabilistic performance metrics for the fault detection logic is needed. Numerical examples are provided to demonstrate the proposed analysis method.
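The redundancy arithmetic that runs through these citing works (the 2-of-3 actuator case, the "k out of n" majority structures, and the dual-redundant unit whose switch-over depends on a fault-detection algorithm) is small enough to work through in closed form. The following is an added worked example, not code or a model from any of the cited papers: the k-of-n formula is the standard binomial one, while the dual-redundant model, its coverage and false-alarm parameters, and the 1e-4/h, 10-hour figures are this example's own assumptions.

```python
"""Added worked example (not from the cited papers): closed-form reliability
of k-out-of-n redundancy, and a law-of-total-probability model of a
dual-redundant unit whose switch-over depends on an imperfect fault detector.
The detector model (coverage / false-alarm probabilities) and all numbers are
this example's own assumptions."""
from math import comb, exp


def unit_reliability(failure_rate_per_hour: float, hours: float) -> float:
    """Exponential (constant failure rate) survival probability over `hours`."""
    return exp(-failure_rate_per_hour * hours)


def k_of_n_reliability(k: int, n: int, r: float) -> float:
    """P(at least k of n independent, identical units survive), each with reliability r.
    k=2, n=3 is TMR / majority-of-three; k=1 is a plain parallel (hot-spare) structure;
    k=3, n=5 is the "3 out of 5" majority structure."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    return sum(comb(n, i) * r**i * (1.0 - r) ** (n - i) for i in range(k, n + 1))


def dual_redundant_failure_probability(p_unit: float, coverage: float, false_alarm: float) -> float:
    """Mission failure probability of primary + standby with detector-driven switch-over.

    p_unit      probability that a single unit fails during the mission
    coverage    P(detector flags a real primary fault)
    false_alarm P(detector flags a healthy primary and forces a switch)

    Disjoint cases (law of total probability over the primary's state):
      primary fails, fault missed               -> system runs on a bad unit
      primary fails, detected, standby also bad -> nothing left to switch to
      primary healthy, false alarm, standby bad -> needless switch onto a bad unit
    Units are assumed independent; detector outcomes are assumed independent of the standby.
    """
    for x in (p_unit, coverage, false_alarm):
        if not 0.0 <= x <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    missed = p_unit * (1.0 - coverage)
    detected_but_standby_bad = p_unit * coverage * p_unit
    false_switch_onto_bad = (1.0 - p_unit) * false_alarm * p_unit
    return missed + detected_but_standby_bad + false_switch_onto_bad


def failure_rate_per_hour(p_fail_mission: float, hours: float) -> float:
    """Average failure rate implied by a (small) mission failure probability."""
    return p_fail_mission / hours


if __name__ == "__main__":
    hours = 10.0                                   # constructed: one 10-hour flight
    r = unit_reliability(1e-4, hours)              # constructed: 1e-4 failures/h per unit
    p = 1.0 - r
    print(f"simplex          : {p:.3e}")
    print(f"TMR (2-of-3)     : {1 - k_of_n_reliability(2, 3, r):.3e}")
    print(f"majority 3-of-5  : {1 - k_of_n_reliability(3, 5, r):.3e}")
    print(f"hot-spare 1-of-3 : {1 - k_of_n_reliability(1, 3, r):.3e}")
    for cov, fa in ((1.0, 0.0), (0.99, 1e-3), (0.9, 1e-2)):
        pf = dual_redundant_failure_probability(p, cov, fa)
        print(f"dual, coverage={cov} false_alarm={fa}: {pf:.3e} "
              f"(~{failure_rate_per_hour(pf, hours):.2e}/h)")
```

The point the numbers make: with perfect detection the dual-redundant unit fails with probability about p², comparable to TMR's 3p², but at 99% coverage the missed-detection term p·(1−coverage) dominates and the dual system lands an order of magnitude above TMR. A certification argument for analytical redundancy therefore stands or falls on the measured coverage and false-alarm rates of the detector, not on the hardware failure rates alone.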
... Hence, in the "common case" where there are no failures and the network behaves in a synchronous manner during that block generation process, all nodes will vote to accept the proposed block. Similarly, in a control system one can expect that under normal operating conditions all correct replicas will usually propose taking the same course of action as all are exposed to the same system state and sensor readings [23]. ...
... Yet, up to f benign failures can still occur, and the instantiations of the generic construction for the Byzantine failure mode ensure correctness even when Byzantine failures do occur (when they do, this may induce extra communication costs). As we mentioned before, guessing the preferred consensus value can be done, e.g., in several recent blockchain protocols [6,7,11] (here the biased value is to approve the leader's block proposal), in strongly consistent primary-backup replication [17] (here the biased value is to accept the master's most recent update), and in various control systems [23]. In case the guessed preferred value cannot be decided on (a "bad guess"), the only harm is additional communication rounds. ...
Preprint
Consensus is one of the most fundamental distributed computing problems. In particular, it serves as a building block in many replication-based fault-tolerant systems, and in particular in multiple recent blockchain solutions. Depending on its exact variant and other environmental assumptions, solving consensus requires multiple communication rounds. Yet, there are known optimistic protocols that guarantee termination in a single communication round under favorable conditions. In this paper we present a generic optimizer that can turn any consensus protocol into an optimized protocol that terminates in a single communication round whenever all nodes start with the same predetermined value and no Byzantine failures occur (although node crashes are allowed). This is regardless of the network timing assumptions and additional oracle capabilities assumed by the base consensus protocol being optimized. In the case of benign failures, our optimizer works whenever the number of faulty nodes $f<n/2$. For Byzantine behavior, our optimizer's resiliency depends on the validity variant sought. In the case of classical validity, it can accommodate $f<n/4$ Byzantine failures. With the more recent external validity function assumption, it works whenever $f<n/3$. Either way, our optimizer only relies on oral messages, thereby imposing very lightweight crypto requirements.
... Blockchain can be used not only in financial markets (e.g., Bitcoin); application-oriented scenarios [1] are commonly assumed. In blockchain-enabled systems, the smart contract is a major driving force, as it provides automated tracking capability [3]. Blockchain's trustworthy ecosystem is closely connected to procedures or processes through smart contract implementation. ...
... The role of governance requirements in network durability is explored by Liaskos and elsewhere by means of simple R-based design calculations of the PoW competition. Stoykov, Deshpande, Schu sler et al. developed VIBES, a simulator initially planned to explore Bitcoin-like blockchains ([3], [4]; later Ethereum as well, eVibes [5]). By summing up the application of the Bitcoin relation, Neudecker et al. [8] take a very different approach. ...
Article
Full-text available
It has been proposed that blockchain networks will serve some of contemporary society's most important functions. If used in such a capacity, blockchain network failures could include catastrophes extending beyond citizens, organizations and nations. As such, the highest levels of analytic and scientific validation of blockchain network protocols must be performed prior to widespread implementation, with respect to key protection, trust and efficiency. However, the size of open-access blockchain systems at their envisioned scale precludes exact reproduction and replication in a laboratory setting when conducting analytical evaluations. Instead, it is important to consider abstract operating models (simulators) of proposed technologies. Such simulators must be verified by the scientific community and be highly transparent and reusable, to ensure that concepts are applied and compared easily and reliably as instruments for the research community. We argue that this need can be addressed by applying paradigms from information technology, including model-driven development and product lines. We describe our efforts to build an efficient derived domain meta-model and object-oriented architecture for advanced blockchain network modules.
... With the use of COTS chips, however, comes the need to mitigate potential failures in COTS processors [3], [4], [5], [6] or to mitigate vulnerabilities to single event effects (SEE) of modern process technologies [7]. One approach to address these problems is using hardware diversity [8], [9] or similar forms of replication [10]. ...
... Powell et al. provide an overview of design faults and include some examples of using diversity in [8]. [9], [19], and [20] present aerospace-related uses of diversity with replication of hardware. [20] and [21] even report on its effectiveness in real-world applications. ...
Conference Paper
Modern Commercial-Off-The-Shelf (COTS) System-on-Chip (SoC) devices like multi-core computers have a variety of built-in features like Direct Memory Access (DMA) engines or sophisticated debug units. Using COTS devices in safety-critical environments like avionics requires replication, which can be based on diverse hardware to mitigate faults such as design errors, or on similar hardware to compensate for permanent and transient hardware faults, e.g. due to single-event effects. This paper presents a novel approach to building fault-tolerant board architectures using chip-built-in features like debug units and implementing replication of application software components without needing to adapt the application software. The advantages of the presented approach are the ability (1) to build fault-tolerant architectures relatively cheaply out of COTS components and (2) to separate the functional program from fault-tolerance-related code and, hence, also to include legacy code transparently. A demonstrator using two modern multicore processors connected by PCIe and debug units proves the feasibility of the described conceptual approach. Additional performance measurements quantify the benefit over commonly deployed software-based approaches.
... The difference lies in whether all task replicas are always running and kept up to date to allow an almost instantaneous fail-over, or whether they are left dormant until needed. This work assumes a hot backup strategy, commonly used in avionics [21]. The choice between dynamic or static redundancy also distinguishes fault-tolerance mechanisms [7]. ...
... Static redundancy uses redundant tasks to mask faults, whereas a dynamically redundant system waits for the system to begin to fail, or to give an indication that an error is about to occur, before taking steps to recover. This paper is only concerned with static redundancy, which is commonly used in critical systems [21] and is also complementary to the off-line nature of the task allocation problem. The task allocation problem is an exercise in deciding how to assign tasks to processors so that timing requirements are met [14]. ...
Conference Paper
Previous research which has considered task allocation and fault-tolerance together has concentrated on constructing schedules which accommodate a fixed number of redundant tasks. Often, all faults are treated as being equally severe. There is little work which combines task allocation with architectural level fault-tolerance issues such as the number of replicas to use and how they should be configured, both of which are tackled by this work. An accepted method for assessing the impact of a combination of faults is to build a system utility model which can be used to assess how the system degrades when components fail. The key challenge addressed here is how to design objective functions based on a utility model which can be incorporated into a search algorithm in order to optimise fault-tolerance properties. Other issues such as how to extend the local search neighbourhood and balance objectives with schedulability constraints are also discussed.
... Nowadays, the requirements for a safe flight control design are met through high redundancy in hardware and software [17] - [18]. The question we are trying to solve is: what level of redundancy has to be achieved? ...
Article
Full-text available
Over the years, technical improvements, such as digital computer and digital communication, are drastically changing avionics architecture designs. Airplane performance and business pressures related to cost have been the main drivers to change the Flight Control Systems (FCS) from mechanical to digital fly-by-wire designs. In this context, there exists a great motivation to change current FCS architecture to “more” distributed architectures, better optimized in terms of hardware redundancy for future generation aircraft. Analysis of existing FCS architectures of Airbus and Boeing airplanes, as well as future requirements (eco-efficiency), drive us to introduce a brief overview of an incremental methodology of architectural design process based on progressive requirements injection and distribution of system’s functionality.
... Modern avionics systems are redundant systems. Usually, active redundancy is used [32]. Using the method of structural functions [33], it is easy to prove that, for a parallel structure of avionics system with n identical LRUs/LRMs, the average unavailability is calculated by the following formula: ...
Article
Full-text available
The cost of avionics maintenance is extremely high for modern aircraft. It can be as high as 30% of the aircraft maintenance cost. A great impact on the cost of avionics maintenance is provided by a high level of No Fault Found events (NFF). Intermittent faults are the leading cause of the NFF appearance in avionics. The NFF rate for avionics systems is between 20% and 50%. The practice of avionics operation and maintenance confirms the relevance of assessing the impact of intermittent faults on the maintenance cost and the choice of such an option of maintenance management in which the negative impact of the intermittent faults is minimized. In this paper, a new mathematical model of digital avionics maintenance is developed. Key maintenance effectiveness indicators are selected. General mathematical expressions are obtained for the average availability, mean time between unscheduled removals (MTBUR), and expected maintenance cost of single-unit and redundant avionics systems, which are subject to permanent failures and intermittent faults. The dependence of the maintenance effectiveness indicators on the rate of permanent failures and intermittent faults is investigated for the case of exponential distribution of time to failures and faults. The dependence of average availability on the number of spare units in the airline's warehouse is also analyzed. On the basis of the proposed maintenance model, different options of avionics maintenance management are considered. Numerical examples illustrate how to reduce the expected maintenance cost of avionics systems. Keywords: availability; avionics maintenance; expected cost; intermittent fault; permanent failure; redundant system
... N-modular redundancy is a widely deployed technique, where the assumptions concerning failure modes and failure rates determine the necessary replication degrees. For example, a triple-triple redundant primary flight computer is deployed in the Boeing 777 aircraft [16]. However, emerging application areas with safety-critical embedded systems and stringent cost pressure for electronic equipment cannot afford the high cost associated with excessive replication. ...
Article
Full-text available
The static resource allocation in time-triggered systems offers significant benefits for the safety arguments of dependable systems. However, adaptation is a key factor for energy efficiency and fault recovery in Cyber-Physical System (CPS). This paper introduces the Adaptive Time-Triggered Multi-Core Architecture (ATMA), which supports adaptation using multi-schedule graphs while preserving the key properties of time-triggered systems including implicit synchronization, temporal predictability and avoidance of resource conflicts. ATMA is an overall architecture for safety-critical CPS based on a network-on-a-chip with building blocks for context agreement and adaptation. Context information is established in a globally consistent manner, providing the foundation for the temporally aligned switching of schedules in the network interfaces. A meta-scheduling algorithm computes schedule graphs and avoids state explosion with reconvergence horizons for events. For each tile, the relevant part of the schedule graph is efficiently stored using difference encodings and interpreted by the adaptation logic. The architecture was evaluated using an FPGA-based implementation and example scenarios employing adaptation for improved energy efficiency. The evaluation demonstrated the benefits of adaptation while showing the overhead and the trade-off between the degree of adaptation and the memory consumption for multi-schedule graphs.
... The use of space-grade processors that resist space radiation is not an option for CubeSats, as the cost of such processors is several orders of magnitude higher than the cost of common COTS processors. The obvious solution would be to adapt classic fault-tolerant architectures with massive levels of redundancy, such as the ones used in large-scale satellites [58] or in the aircraft industry [59], [60]. Unfortunately, these well-proven solutions are not an option for CubeSats, even if designed around COTS components, as they are expensive, heavy, and require high power consumption. ...
Thesis
Full-text available
CubeSats are small satellites built with up to 12 units in the shape of a cube with a 10 cm edge and a maximum weight of 10 kg, and represent an emergent trend in the space industry. These satellites use commercial off-the-shelf (COTS) components to reduce cost and take advantage of the superior performance/power consumption ratio of COTS, which is an order of magnitude better than that of equivalent radiation-hardened space-grade components. Unfortunately, COTS components are susceptible to Single Event Upsets (SEU), which are transient errors caused by space radiation. SEU make the study of the impact of faults caused by space radiation a mandatory step in the development of CubeSat software, in order to carefully evaluate weak points that must be strengthened through the use of specific software fault tolerance techniques. The fact that the impact of faults is strongly dependent on the software running on the COTS hardware indicates that the study of the impact of radiation faults must be carried out every time the CubeSat software has a major change, or even a minor update. This thesis presents CubeSatFI, a fault injection platform for CubeSats meant to facilitate the incorporation of this extra step in the Verification and Validation of CubeSat software. CubeSatFI allows the easy definition of fault injection campaigns that emulate the effects of space radiation. SEU are emulated realistically through bit-flip faults injected in the processor registers and in other locations of the CubeSat boards that can be reached by boundary-scan, which is available in CubeSat boards through the JTAG Test Access Port.
The execution of the fault injection campaigns is controlled by the CubeSatFI platform in a fully automated mode. The effectiveness of CubeSatFI is demonstrated with the EDC (Environment Data Collection), a payload system that will be used in a constellation of satellites from the Brazilian National Institute for Space Research (Instituto Nacional de Pesquisas Espaciais - INPE), providing a realistic insight into the impact of faults in the EDC software.
... The BFT method could be practically useful in many time and data-intensive areas. For example, it is the basis for some aircraft control systems (such as Boeing 777 Aircraft Information Management System [45], Boeing 787 Flight Control System). It has been also reported that SpaceX Dragon program design exploits BFT in order to satisfy NASA requirements. ...
Conference Paper
Increasing incorporation of advanced information technologies makes business and public organisations more effective and efficient, while often introducing exploitable vulnerabilities. The efficient provision of security of interconnected, and interdependent, processes and sectors against cyberattacks requires deep understanding of vulnerabilities, exposure, potential negative impact, as well as the contribution existing and emerging organisational and technological solutions will potentially have on preventing attacks, reducing vulnerabilities, protecting digital infrastructures, response and recovery, and resilience. Such understanding will allow minimisation of risks against a spectrum of plausible cyber threats and reduction of the negative consequences of one or a series of cyberattacks. Due to the complexity of the problem, the effective implementation of a number of functions and tasks in designing and operating distributed cyber-secure and resilient systems requires significant computational resources. This paper outlines six high-level, computationally demanding functions. The first three relate to the formulation and implementation of cybersecurity policy: understanding risk; planning and implementing cybersecurity measures; and continuous adaptation to the changing technological, threat and policy landscape. The other three functions are operational: situational awareness, including detection of cyberattacks and hybrid malicious activities; operational decision making, e.g. selecting a course of action under attack; and cyber forensics.
... Other nodes need to reach a consensus on whether to declare a node as failed or to remove it from the network based on concerted action. Certain aircraft systems, like the Boeing 777 Aircraft Information Management System, the Boeing 777 flight control system, and the Boeing 787 flight control system consider Byzantine fault tolerance in their design, as BFT works well in real-time systems and where low latency is required [64], [65]. ...
Article
Full-text available
In the past few years, the implementation of blockchain technology for various applications has been widely discussed in the research community and the industry. There is a sufficient number of articles that discuss the possibility of applying blockchain technology in various areas, such as healthcare, IoT, and business. However, in this article, we present a comparative analysis of core blockchain architecture, its fundamental concepts, and its applications in three major areas: the Internet-of-Things (IoT), healthcare, and the business and vehicular industry. For each area, we discuss in detail the challenges and solutions that have been proposed by the research community and industry. This research also presents the complete ecosystem of blockchain for all the papers we reviewed and summarized. Moreover, an analysis is performed of various blockchain platforms, their consensus models, and applications. Finally, we discuss key aspects that are required for the widespread future adoption of blockchain technology in these major areas.
... Redundancy, if diversity is involved, can also address systematic faults and reduce common-cause failures. This is a well-known technique and is applied to highly critical systems in aerospace [36] [37]. ...
... The ACE units act as an intermediate stage between the PFC and the pilot and actuators. Each PFC is identified as a channel and is composed of three dissimilar computing lanes [9]. Primary flight control system lines have all the same input signals and are all active. ...
Conference Paper
Full-text available
New airplanes must meet rigorous requirements of aviation safety, operational reliability, high performance and energy efficiency at a low cost. To meet this challenge, we should optimize the current system and take advantage of available technology for the next decade. This work aims at proposing some evolutions for the Flight Control System (FCS) and at building alternative low-cost and safe FCS architectures for the next decade with fewer hardware and software resources. The main contribution of this paper is twofold. First, we will provide an incremental methodology to give guidelines for architecture optimization. Second, we will present a fully distributed reconfigurable architecture for FCS based on smart actuators and a digital communication network where all system functions are distributed to simplex Flight Control Computer (FCC) nodes and remote actuator electronics nodes (FCRM). Communication between FCC and FCRM will be based on the Airbus embedded communication network (ADCN, Advanced Data Communication Network) [1] and a 1553 bus. We will use the ALTARICA language to perform dependability evaluation at the architectural level in order to check the effects and benefits of the new architecture on the dependability of the FCS.
... Nowadays, the requirements for a safe flight control design are met through high redundancy in hardware and software [17] [18]. The question we are trying to solve is: what level of redundancy has to be achieved? ...
Article
Full-text available
The civil aircraft's electrical flight control system has been changed to take advantage of technical improvements. New technologies, when mature, can be incorporated in aircraft. Evolutions are considered towards a digital network between computers and actuators/sensors, and more distributed processing for actuators and sensors. Thus, new architectures are possible for future aircraft systems. The difficulty is to achieve the same safety and availability requirements with additional operational reliability (required by airlines). The challenge that faces the engineers is to design mass-produced fault-tolerant systems at reasonable cost. Analysis of existing electrical flight control system architectures of the Airbus and Boeing airplanes as well as future requirements drives us to introduce a brief overview of an incremental methodology for an architectural design process based on progressive requirements injection.
... Byzantine fault-tolerant (BFT) consensus algorithms, which coordinate server actions under Byzantine (arbitrary) failures, have been extensively studied because of the booming development of blockchain applications [62,67]. Since BFT algorithms tolerate arbitrary faults (i.e., the behavior of faulty servers (processes) is not constrained [94]), they have long been used in safety critical systems (e.g., aircraft [98,106,108] and submarines [105]) to handle hardware failures as hardware may become unreliable in hostile environments (e.g., extreme weather and radiation). Recently, driven by the rising interest in blockchain technology, BFT algorithms have been widely implemented and deployed in numerous geo-distributed blockchain platforms [3,18,36,101,102]. ...
Preprint
Byzantine fault-tolerant (BFT) consensus algorithms are at the core of providing safety and liveness guarantees for distributed systems that must operate in the presence of arbitrary failures. Recently, numerous new BFT algorithms have been proposed, not least due to the traction blockchain technologies have garnered in search for consensus solutions that offer high throughput, low latency, and robust system designs. In this paper, we conduct a systematic survey of selected and distinguished BFT algorithms that have received attention in academia and industry alike. We perform a qualitative comparison among all algorithms we review along the lines of messaging and time complexities. Furthermore, we decompose each consensus algorithm into its constituent subprotocols for replication and view change backed by intuitive figures illustrating its message-passing pattern; we also elaborate on the strengths and weaknesses of each algorithm as compared to the state of the art.
Conference Paper
The purpose of this paper is to evaluate alternative networking concepts (standards and protocols), with a particular emphasis on comparing the ARINC 664 network standard with legacy avionics networks. The conclusions of this comparison are reinforced with an example network solution for the avionics architecture using the Avionics Full-Duplex Switched Ethernet (AFDX) protocol. The networking of modules (hardware and software) and applications on an aircraft is crucial, and often new designs and upgrades rely on legacy network architectures. In the past, such systems in defense applications have been successfully integrated around the 1553B bus architecture, while commercial applications have satisfied FAA requirements with systems integrated around the ARINC 429 bus architecture. The new applications and capabilities being requested by stakeholders for avionics systems of the future require increased bandwidth and stricter latency requirements that suggest likely inadequacies in legacy bus architectures. There is continuing pressure by pilots for more information displayed on increasingly more intuitive graphical displays and interfaces, while the ground control and logistics teams want additional and more timely airplane status data; this data is consolidated from a multitude of sub-systems and sensors on board, including event logs and trend data. These new demands may require us to leverage new technologies to keep pace with stakeholder expectations today and in the future. A recent advancement in networking technology is ARINC 664, which defines a deterministic version of an Ethernet network. Boeing and Airbus have adopted Avionics Full-Duplex Switched Ethernet for their newer airplanes [1-3], and NASA is considering ARINC 664 for the new Crew Exploration Vehicle [4]. The B787 is slated to accommodate 100 applications in part due to the availability of larger network bandwidth [5].
NASA hopes to benefit from commercial-off-the-shelf (COTS) Ethernet components, which include reduced overall costs, faster system development and less-costly maintenance for the system network. Both found ARINC 664 to be the best fit in ARINC 653 based systems. Integrating an Avionics Full-Duplex Switched Ethernet may benefit the defense industry avionics customer by lowering life cycle cost and accommodating increasing requirements. This paper addresses the speed, reliability, and flexibility of modern network protocols and explores new options for avionics architectures. This applies to either a complete redesign or a phased avionics upgrade in legacy airplanes. For historical context, this paper also summarizes the value and utility of legacy networking protocols, together with their downsides. Networking standards and protocols are evaluated as a function of critical requirements pertaining to performance, certification, security, reliability, evolvability, cost, and flexibility to meet changing requirements. Methods such as Quality Function Deployment (QFD) and Analytic Hierarchy Process (AHP) are used to evaluate the three network architectures. The impacts on security and reliability are explored, and additional aspects are highlighted for future research.
Conference Paper
Structural Health Monitoring (SHM) of wind turbine blades is critical to improve the reliability of wind turbines. A health monitoring algorithm was developed that utilizes energy harvesters as sensors. An accumulated energy sensor is described in which an energy harvester mounted on the surface of the wind turbine blade converts low frequency vibrational strain energy from the blade to electrical charge, that is subsequently stored to power an RF transmitter. The premise of this sensing approach is that the timing of data output from the RF transmitter, which is tied to the charging time, is indicative of the structural health. The time between data transmission pulses will be reduced if the blade stiffness decreases. The SHM algorithm compares data transmission time for the three blades to identify the onset of blade damage. To demonstrate the effectiveness of the algorithm, an expected energy harvester signal transmission rate is established from blade strain data from a 2.5 MW wind turbine. The transmission rates for the three blades are compared to establish a threshold for "healthy" blades. Simulated damage corresponding to approximately 20% increase in harvested energy can be detected by the SHM algorithm.
Article
The FlexRay field bus has potential for integrating existing networks and as a shared local sub-system network in the next generation of airplanes - leveraging a low-cost, dependable bus designed for the automotive domain. Herein, we present an overview of FlexRay and investigate FlexRay's dependability for use as a field bus in the aerospace domain. FlexRay supports all major requirements for integrating systems on a single network, if controllers are deployed with a guardian to achieve good hardware fault coverage. Despite including a guardian, some vulnerability may remain, such as software-induced failures and physical layer properties.
Book
Full-text available
This report presents the technical basis for establishing acceptable mitigating strategies that resolve diversity and defense-in-depth (D3) assessment findings and conform to U.S. Nuclear Regulatory Commission (NRC) requirements. The research approach employed to establish appropriate diversity strategies involves investigation of available documentation on D3 methods and experience from nuclear power and nonnuclear industries, capture of expert knowledge and lessons learned, determination of best practices, and assessment of the nature of common-cause failures (CCFs) and compensating diversity attributes. The research described in this report does not provide guidance on how to determine the need for diversity in a safety system to mitigate the consequences of potential CCFs. Rather, the scope of this report provides guidance to the staff and nuclear industry after a licensee or applicant has performed a D3 assessment per NUREG/CR-6303 and determined that diversity in a safety system is needed for mitigating the consequences of potential CCFs identified in the evaluation of the safety system design features. Succinctly, the purpose of the research described in this report was to answer the question, 'If diversity is required in a safety system to mitigate the consequences of potential CCFs, how much diversity is enough?' The principal results of this research effort have identified and developed diversity strategies, which consist of combinations of diversity attributes and their associated criteria. Technology, which corresponds to design diversity, is chosen as the principal system characteristic by which diversity criteria are grouped to form strategies. The rationale for this classification framework involves consideration of the profound impact that technology-focused design diversity provides. 
Consequently, the diversity usage classification scheme involves three families of strategies: (1) different technologies, (2) different approaches within the same technology, and (3) different architectures within the same technology. Using this convention, the first diversity usage family, designated Strategy A, is characterized by fundamentally diverse technologies. Strategy A at the system or platform level is illustrated by the example of analog and digital implementations. The second diversity usage family, designated Strategy B, is achieved through the use of distinctly different technologies. Strategy B can be described in terms of different digital technologies, such as the distinct approaches represented by general-purpose microprocessors and field-programmable gate arrays. The third diversity usage family, designated Strategy C, involves the use of variations within a technology. An example of Strategy C involves different digital architectures within the same technology, such as that provided by different microprocessors (e.g., Pentium and Power PC). The grouping of diversity criteria combinations according to Strategies A, B, and C establishes baseline diversity usage and facilitates a systematic organization of strategic approaches for coping with CCF vulnerabilities. Effectively, these baseline sets of diversity criteria constitute appropriate CCF mitigating strategies for digital safety systems. The strategies represent guidance on acceptable diversity usage and can be applied directly to ensure that CCF vulnerabilities identified through a D3 assessment have been adequately resolved. Additionally, a framework has been generated for capturing practices regarding diversity usage and a tool has been developed for the systematic assessment of the comparative effect of proposed diversity strategies (see Appendix A).
Article
This paper considers the problem of certifying the performance of a class of model-based fault detection schemes. The underlying plant is assumed to be a linear time-varying (LTV) system subject to a Markov-switching fault input. The fault detection scheme consists of two parts: an LTV component that produces a scalar residual and a static nonlinear function that infers the presence of a fault based on this residual. Probabilistic performance metrics are presented and the complexity of computing these metrics is analyzed. It is shown that under a set of realistic assumptions, this complexity is reduced to polynomial time. An aerospace example, involving a pitot-static probe subject to random bias faults, is used to demonstrate the usefulness of this analysis.
Conference Paper
The increasing failure rates observed in very deep sub-micron silicon technologies pose a major problem to the design of future high-density SoCs. Emerging new architectures based on Multiprocessor SoC (MPSoC) give the opportunity to exploit the natural redundancy of replicated spare processors in order to maintain system performance in the presence of failures. Based on the assumption that a transient loss of functionality can be tolerated, we study the feasibility of and propose a cost-effective dependable hardware/software method which self-substitutes faulty processors with spare processors in a distributed manner. It guarantees the integrity, improves the availability and eases the maintainability of the MPSoC at system level.
Conference Paper
The increasing failure rates observed in very deep sub-micron silicon technologies pose a major problem to the design of future high-density SoCs. While hardening techniques originating from critical application areas (automotive, avionics) exist, they usually incur a cost overhead that renders them inadequate for consumer market segments. Thus we present a concept, an implementation and an evaluation of a scalable software-hardware detection, isolation and recovery method. The method exploits the natural redundancy that exists in MPSoCs for enhancing their reliability. Based on the assumption that a transient loss of functionality can be tolerated, the proposed scheme relies on a hardware/software framework that makes it possible to diagnose and to isolate faulty processors in a distributed manner. It guarantees the integrity, improves the availability and eases the maintainability of the MPSoC at system level.
Conference Paper
Full-text available
In this paper, we propose a new virtual support to assist postgraduates through the Graduate Virtual Research Environment (GVRE). The virtual support will provide a 24-hour answering service for postgraduate students relating to their PhD journeys, for example, advice needed regarding "what is needed for your first 6 month Upgrade report". The assisted learning mechanism found within the GVRE will use a rule base to retrieve not just text-based answers but will also search through a repository of videos (280) and relate them to the frequently asked question. This approach of blending videos with the student questions should enhance and accelerate the process of skill acquisition through critical thinking, guidance, hints and feedback.
Conference Paper
This paper takes a retrospective look at avionics for mission- and safety-critical aerospace and undersea application domains, with a focus on system architecture. Progress in technological advances is traced from NASA Apollo Guidance, Navigation & Control computer to the present-day commercial airliner fly-by-wire systems. Parallel developments in the military aircraft, industrial control systems, and undersea applications are also explored. Major research approaches and milestones achieved during the past few decades are chronicled, with a look towards the future directions and challenges of ultrareliable avionics.
Conference Paper
Model-based fault detection algorithms can be used to improve the reliability of unmanned aerial vehicles (UAVs) while still satisfying their restrictive size, power, and weight requirements. However, the use of model-based algorithms introduces new failure modes that do not exist in physically redundant architectures. Hence a certification process is needed for such systems that incorporates analysis tools, high-fidelity simulations, and flight test data. This paper focuses on one aspect of such a process: the use of flight test data to validate theoretical analysis results. Specifically, this validation is performed to assess the false alarm probability of a simple, model-based UAV fault detection system. This example highlights the main certification issues that arise due to limited flight data and stringent reliability requirements. In addition, the flight test data shows non-Gaussian statistical behavior that leads to some discrepancies with the analysis results. Further discussions are presented for this observed behavior.
Conference Paper
A flight control simulation system for a civil aircraft is developed. We model the aircraft dynamics system, design the control law of the longitudinal and lateral channels in MATLAB, and develop a mini flight control computer which is used for control law validation and installed on a scaled civil aircraft for flight test. Eventually hardware-in-the-loop simulation is accomplished. Simulation results show that the system has good performance and can be used to guide flight experiments on the flight vehicle. © 2012 by the American Institute of Aeronautics and Astronautics, Inc. All rights reserved.
Article
In this paper, we describe a framework to efficiently assess the reliability of fault tolerant control systems on low-cost unmanned aerial vehicles. The analysis is developed for a system consisting of a fixed number of actuators. In addition, the system includes a scheme to detect failures in individual actuators and, as a consequence, switch between different control algorithms for automatic operation of the actuators. Existing dynamic reliability analysis methods are insufficient for this class of systems because the coverage parameters for different actuator failures can be time-varying, correlated, and difficult to obtain in practice. We address these issues by combining new fault detection performance metrics with pivotal decomposition. These new metrics capture the interactions in different fault detection channels, and can be computed from stochastic models of fault detection algorithms. Our approach also decouples the high dimensional analysis problem into low dimensional sub-problems, yielding a computationally efficient analysis. Finally, we demonstrate the proposed method on a numerical example. The analysis results are also verified by Monte Carlo simulations.
Article
Over the past half century, computing systems have experienced over three orders of magnitude improvement in average time to failure and over seven orders of magnitude improvement in work accomplished between outages. This chapter surveys, compares, and contrasts the architectural techniques used to improve system reliability in space and aviation applications. The generic techniques are instantiated by actual system examples taken from the space and aviation domains. The chapter concludes by observing trends and projecting future developments.
Chapter
Diversity works well in nature where it is the basis of natural selection, a phenomenon that helps biological populations survive as they are challenged by hazards in their environments. Diversity has been employed widely in engineering also and has become an important part of computer engineering. In this paper, the various forms of diversity in computer engineering are summarized.
Chapter
The highly successful Cassini/Huygens mission conducted almost 20 years of scientific research in both its journey across the solar system and its 13-year reconnaissance of the Saturnian system. This operational effort was orchestrated by the Cassini/Huygens Spacecraft Navigation team on a network of computer systems that met a requirement for no more than two minutes of unplanned downtime a year (99.9995% availability). The work of spacecraft navigation involved rigorous requirements for accuracy and completeness carried out often under uncompromising critical time pressures and resulted from a complex interplay between several teams within the Cassini Project, conducted on the Ground Data System. To support the Navigation function, a fault-tolerant, secure, high-reliability/high-availability computational environment was necessary to support operations data processing. This paper discusses the design, implementation, re-implementation, and operation of the Navigation Ground Data System. Systems analysis and performance tuning based on a review of science goals and user consultation informed the initial launch and cruise configuration requirements, and then those requirements were subsequently upgraded for support of the demanding orbital tour of the Saturn System. Configuration management was integrated with fault-tolerant design and security engineering, according to cornerstone principles of Confidentiality, Integrity, and Availability, and strategic design approaches such as Defense in Depth, Least Privilege, and Vulnerability Removal. Included with this approach were security benchmarks and validation to meet strict confidence levels. The implementation of this computational environment incorporated a secure, modular system that met its reliability metrics and experienced almost no downtime throughout tour operations.
Thesis
Full-text available
Ozirkovskyy L.D. Development of theoretical basis for empowering assessment of functional safety indicators of safety critical radio electronic systems. - On the rights of the manuscript. A thesis submitted in fulfilment of the Doctor of Engineering Science Degree in Specialty 05.12.17 – Radio and Television Systems. – Lviv Polytechnic National University, Ministry of Education and Science of Ukraine, Lviv, 2020. This thesis presents the solution of an actual scientific problem: the development of the theoretical basis for the complex maintenance of safety critical radio electronic systems (SCRES) with a required level of functional safety and reliability. The developed means (methods, models, algorithms and techniques) enable identifying the weaknesses in the SCRES design in terms of functional safety at the stage of system design. This allows an engineer to reasonably introduce the necessary types of redundancy (structural, temporary, functional) to increase both the functional safety and the reliability of the SCRES. Thus, the developed tools give the opportunity to synthesize a fault-tolerant structure, behavior algorithm and maintenance strategy which ensure that the SCRES will not fall into an emergency. Modern methods of assessing functional safety indexes are based on the determination of minimal cut sets, which show the weaknesses of the SCRES. To obtain minimal cut sets, these methods use fault trees, dynamic fault trees, event trees, or binary decision diagrams. However, the known methods do not allow taking into account the impact on SCRES functional safety of fault-tolerant majority structures with reconfiguration, fault-tolerant two-tier majority structures, maintenance strategies, and temporary and functional redundancy in behavior algorithms. Also, a significant disadvantage of existing methods is that they do not give the opportunity to obtain both functional safety indexes and reliability indexes on the basis of a single model.
So, it can lead to a condition where the reliability of the SCRES is reduced by the introduction of additional tools for increasing functional safety. Also, these methods are not suitable enough for solving synthesis tasks via multivariate analysis in a short period of time, which is very important at the stage of system design. In the dissertation, a new method is proposed for the automated definition of types of inoperable states. This method provides a classification of inoperable states of the SCRES according to the level of critical failures and allows obtaining trajectories of accidents. Based on this method, a new technique is proposed for the development of complex dynamic models of SCRES in the form of a graph of states and transitions. This technique, unlike the existing ones, allows determining both minimal cut sets and reliability indexes of SCRES without constructing the corresponding fault tree. To reflect the relationship between indexes of functional safety and reliability of fault-tolerant structures, behavior algorithms and maintenance strategies, new indexes and characteristics of functional safety are proposed: the accident function; the frequency of falling into an accident state; the probability of falling into a pre-accident state; and the average value of the probability of minimal cut set existence. New models of strategies for planned and preventive maintenance and emergency recovery have been developed to take into account the impact of SCRES downtime on functional safety indexes during maintenance and repair procedures. These models enabled the development of a method for synthesizing a maintenance strategy which guarantees maintaining a required level of functional safety of the SCRES. A new method was developed to calculate the average value of the probability of minimal cut set existence, which gives an opportunity to solve the problem of minimizing the impact of latent failures on functional safety.
This method makes it possible to obtain dependable values of the probabilities of minimal cut set existence for cases when the minimal cut set contains only latent failures or a combination of latent and active failures. New models of fault-tolerant SCRESs with majority structures were developed which, in contrast to the existing ones, allow taking into account the impact of reconfiguration of the majority structure, two-tier majority structure, maintenance and repair on functional safety. The proposed models make it possible to solve the problem of synthesis of fault-tolerant systems for SCRES with a required level of functional safety and an appropriate level of structural redundancy, which is especially important for onboard information and control systems of aircraft, including unmanned vehicles, for which mass and size restrictions are critical. A new methodology for the synthesis of safe behavior algorithms of the SCRES was developed which, in contrast to the existing ones, takes into account the impact of time and functional redundancy on the functional safety of the SCRES. This methodology shows the way to achieve a required level of probability of task execution with the minimum value of the frequency of accidents. Keywords: reliability, functional safety, reliable engineering, fault-tolerant systems, behavior algorithm, maintenance, majority system, safety critical radio electronic system.
Conference Paper
In this paper, we addressed the problem of Byzantine Failures specifically in the context of vehicular networks. The objectives of the paper were: to discuss the practicality of the problem; to discuss why it is not considered in the mainstream; to review how the problem is solved in a classical way; and to review the already existing approaches to the problem in the context of VANETs. Based on the results of the objectives achieved, we made a conclusion about the current state of the problem.
Article
Multiple aircraft collision avoidance is a challenging problem due to a stochastic environment and uncertainty in the intent of other aircraft. Traditionally a layered approach to collision avoidance has been employed using a centralized air traffic control system, established rules of the road, separation assurance, and last minute pairwise collision avoidance. With the advent of Urban Air Mobility (air taxis), the expected increase in traffic density in urban environments, short time scales, and small distances between aircraft favor decentralized decision making on-board the aircraft. In this paper, we present a Markov Decision Process (MDP) based method, named FastMDP, which can solve a certain subclass of MDPs quickly, and demonstrate using the algorithm online to safely maintain separation and avoid collisions with multiple aircraft (1-on-n) while remaining computationally efficient. We compare the FastMDP algorithm's performance against two online collision avoidance algorithms that have been shown to be both efficient and scale to large numbers of aircraft: Optimal Reciprocal Collision Avoidance (ORCA) and Monte Carlo Tree Search (MCTS). Our simulation results show that under the assumption that aircraft do not have perfect knowledge of other aircraft intent FastMDP outperforms ORCA and MCTS in collision avoidance behavior in terms of loss of separation and near mid-air collisions while being more computationally efficient. We further show that in our simulation FastMDP behaves nearly as well as MCTS with perfect knowledge of other aircraft intent. Our results show that FastMDP is a promising algorithm for collision avoidance that is also computationally efficient.
Conference Paper
The computer is the vital element of a safety-critical control system. This paper presents a component-based fail-safe computer for railway signal interlocking systems (Safety Interlock Computer, SIC). We discuss the methodology and the safety tactics of SIC in detail; moreover, the architecture and safety computation principle are analyzed in depth. The hardware safety integrity level of SIC has been verified according to standard IEC 61508, and the result shows that SIL4 is achieved and that SIC fulfils the rigorous safety requirements of signal interlocking.
Article
SIFT (Software Implemented Fault Tolerance) is an ultrareliable computer for critical aircraft control applications that achieves fault tolerance by the replication of tasks among processing units. The main processing units are off-the-shelf minicomputers, with standard microcomputers serving as the interface to the I/O system. Fault isolation is achieved by using a specially designed redundant bus system to interconnect the processing units. Error detection and analysis and system reconfiguration are performed by software. Iterative tasks are redundantly executed, and the results of each iteration are voted upon before being used. Thus, any single failure in a processing unit or bus can be tolerated with triplication of tasks, and subsequent failures can be tolerated after reconfiguration. Independent execution by separate processors means that the processors need only be loosely synchronized, and a novel fault-tolerant synchronization method is described. The SIFT software is highly structured and is formally specified using the SRI-developed SPECIAL language. The correctness of SIFT is to be proved using a hierarchy of formal models. A Markov model is used both to analyze the reliability of the system and to serve as the formal requirement for the SIFT design. Axioms are given to characterize the high-level behavior of the system, from which a correctness statement has been proved. An engineering test version of SIFT is currently being built.
Article
Specific examples of generic faults involving interaction of hardware and software in flight-critical systems are described. Such faults can cause an avalanche shutdown of all redundant computer channels. The popular technique of redundant computer frame synchronization is shown to be particularly vulnerable. Architecture solutions that allow dissimilar redundancy and incorporate "brick-wall" isolation are described. Practical techniques of coping with time-skew effects in unsynchronized computer channels are given, and it is shown that they offer many simplicity advantages. © 1983 American Institute of Aeronautics and Astronautics, Inc., All rights reserved.
Article
The flight control system proposed for future Boeing commercial airplanes is a Fly-By-Wire (FBW) system. The entirely electronic FBW system will replace the mechanical cable/quadrant/pushrod system used on earlier airplanes. The FBW system, also called an Electronic Flight Control System (EFCS), must meet extremely high standards of integrity and reliability. The heart of the FBW concept is the use of redundant, dissimilar computing and communication channels. Predicting the performance of such a system is beyond the capabilities of conventional simulation and control system design methods. Moreover, the number of independent, random parameters in the system makes straightforward Monte Carlo analysis prohibitively expensive. This paper describes the simulation methods used to model the EFCS, and the use of statistically designed experiments to extract more information about the performance of the EFCS with a smaller number of simulation runs than is possible with a less structured approach. The results of the analysis defined the performance of the EFCS, especially the tails of the distributions of the performance measures, with much greater confidence than could have been gained by more conventional methods.
Conference Paper
The new technologies in flight control avionics systems selected for the Boeing 777 airplane program consist of the following: fly-by-wire (FBW), the ARINC 629 data bus, and deferred maintenance. The FBW must meet extremely high levels of functional integrity and availability. The heart of the FBW concept is the use of triple redundancy for all hardware resources: the computing system, airplane electrical power, hydraulic power and communication paths. The multiple redundant hardware is required to meet the numerical safety requirements. Hardware redundancy can be relied upon only if hardware faults can be contained; fail-passive electronics are necessary building blocks for the FBW systems. In addition, the FBW computer architecture must consider other fault tolerance issues: generic errors, common mode faults, near-coincidence faults and dissimilarity.
Conference Paper
The flight control system for the Boeing 777 airplane is a Fly-By-Wire (FBW) system. The FBW system must meet extremely high levels of functional integrity and availability. The heart of the FBW concept is the use of triple redundancy for all hardware resources: computing system, airplane electrical power, hydraulic power and communication path. The Primary Flight Computer (PFC) is the central computation element of the FBW system. The triple modular redundancy (TMR) concept also applies to the PFC architectural design. Further, the N-version dissimilarity issue is integrated to the TMR concept. The PFCs consist of three similar channels (of the same part number), and each channel contains three dissimilar computation lanes. The 777 program design is to select the ARINC 629 bus as the communication media for the FBW
Article
FTMP is a digital computer architecture which has evolved over a ten-year period in connection with several life-critical aerospace applications. Most recently it has been proposed as a fault-tolerant central computer for civil transport aircraft applications. A working emulation has been operating for some time, and the first engineering prototype is scheduled to be completed in late 1979. FTMP is designed to have a failure rate due to random causes of the order of 10^-10 failures per hour, on ten-hour flights where no airborne maintenance is available. The preferred maintenance interval is of the order of hundreds of flight hours, and the probability that maintenance will be required earlier than the preferred interval is desired to be at most a few percent. The design is based on independent processor-cache memory modules and common memory modules which communicate via redundant serial buses. All information processing and transmission is conducted in triplicate so that local voters in each module can correct errors. Modules can be retired and/or reassigned in any configuration. Reconfiguration is carried out routinely from second to second to search for latent faults in the voting and reconfiguration elements. Job assignments are all made on a floating basis, so that any processor triad is eligible to execute any job step. The core software in the FTMP will handle all fault detection, diagnosis, and recovery in such a way that applications programs do not need to be involved. Failure-rate models and numerical results are described for both permanent and intermittent faults. A dispatch probability model is also presented. Experience with an experimental emulation is described.
Article
Reliable computer systems must handle malfunctioning components that give conflicting information to different parts of the system. This situation can be expressed abstractly in terms of a group of generals of the Byzantine army camped with their troops around an enemy city. Communicating only by messenger, the generals must agree upon a common battle plan. However, one or more of them may be traitors who will try to confuse the others. The problem is to find an algorithm to ensure that the loyal generals will reach agreement. It is shown that, using only oral messages, this problem is solvable if and only if more than two-thirds of the generals are loyal; so a single traitor can confound two loyal generals. With unforgeable written messages, the problem is solvable for any number of generals and possible traitors. Applications of the solutions to reliable computer systems are then discussed.
Digital Autonomous Terminal Access Communication (DATAC)
  • L John
  • H K Shaw
  • K Herzog
  • Okubo
Certification of Boeing 777 Primary Flight Control System
  • Y C Yeh
  • L R Schultz
777 Flight Controls Validation Process
  • Henning Buss