PPRuNe Forums

Tech Log: Why so many computers for flight controls in A320? (https://www.pprune.org/tech-log/517522-why-so-many-computers-flight-controls-a320.html)

IFLY_INDIGO 21st Jun 2013 10:28

Why so many computers for flight controls in A320?
 
I wonder why a single computer couldn't be used for the flight controls with a back up or two?

mixture 21st Jun 2013 10:46


> I wonder why a single computer couldn't be used for the flight controls with a back up or two?

Really? You really wonder that? :rolleyes:

It's a safety critical system. The fundamental rule of safety critical systems is the KISS principle (KISS = Keep It Simple Silly).

The more features and functions you introduce, the greater the complexity of programming that needs to be done, and the greater the risk of bugs etc.

You also need to consider the maintenance aspect. Safety critical parts tend to be expensive, if you have one big computer doing everything, that's going to be very expensive to replace. Having a larger number of discrete components means you can replace individual parts with less expense.

Clandestino 21st Jun 2013 12:52

Why does she have two engines? Two wheels per undercarriage leg? Three hydraulic systems? Three generators? Three GNADIRS?

Same reason.

FCeng84 21st Jun 2013 15:23

Flight Critical Systems Redundancy
 
It all boils down to meeting safety requirements for flight critical systems. No single failure (regardless of probability) or combination of failures more likely than 10^-9 (that's literally one in a billion flight hours) shall leave the system in a catastrophic state. Consider that the failure rate for any single LRU such as a flight computer is on the order of 10^-6. The overall system must be 1000 times more reliable than any single component. To put 10^-9 in perspective, a fleet lifetime for a very successful commercial airplane model will be about 10^9 hours!

In order to meet this level of safety, redundant systems are required including sufficient levels of dissimilarity to protect against generic faults.

All commercial transport aircraft must meet these requirements regardless of the company that produces them or the airline operating them.

EEngr 21st Jun 2013 15:27

Setting aside the issue of redundancy for a moment, multiple computers (controllers, etc.) are still a good idea. Many of the flight control functions involve control loops that have to read a few sensors and operate an actuator very rapidly with pilot/autopilot inputs (error correction) entered at a much slower rate.

Designing one big controller that can handle multiple loops, read numerous sensors and drive many actuators becomes problematic, with the possibility of bugs creeping into the software and unknown and undesired coupling between the various functions. It's much easier to write smaller modules and run each on hardware optimized for that particular function.

FCeng84 21st Jun 2013 15:36

Pilot Input Path with FBW Control
 
Airplane handling qualities are particularly sensitive to delay between pilot control input and airplane response. As a result, the fastest signal flow and processing paths are used for the linkage between pilot cockpit controller input and associated surface motion.

Division of control processing among different system LRUs is not driven by complexity concerns. It is driven by failure impact / propagation issues.

Uplinker 23rd Jun 2013 23:57


> Really? You really wonder that?

mixture, was that really necessary? Indigo is asking for information, and you effectively call them an idiot - why did you do that? Would you like people to treat you the same way when you ask a question?

The other replies have been far more sensible - despite flying the Airbus for 8 years, I personally hadn't thought of the parallel processing angle - the computers are distributed around the flight controls, which would indeed give quick response, rather than one doing everything.

Many designers and engineers at Airbus will have had many "strokey beard" sessions to decide how many items and back-up items would be needed in every part of the aircraft. They would have done a risk analysis and not included more than was considered necessary. There are 5 FBW computers and 2 FACs (flight augmentation computers), all of which translate the side stick or autopilot commands into flight control responses. This gives a high level of redundancy. I think I'm right in saying (please correct me) that each computer is of a different design and has different software written by different software suppliers, so not only do the computers back each other up, they do so with different methods and philosophies, which is an additional safeguard.

I was also told, but don't know if it is actually true; of the FBW fighter jet that was the new whizz-bang thing, but one day it crossed the equator and flipped inverted - someone had missed a minus sign out of the program and it hadn't been spotted.

IFLY_INDIGO 24th Jun 2013 18:26

I doubt if the 'code' would change from ELAC 2 to ELAC 1 or between any SECs.

Redundancy could not be the reason for so many different computers. After all, you can have a single computer and its copies for redundancy.

Speed of processing could also not be the reason for so many computers. A high-speed microprocessor processes millions of instructions in a second while inputs are coming in from many sources. In case of A320, input is just flowing in from the sidestick mainly (rudder too for the yaw damping rate).

A task is shared among many small entities instead of a big single entity. Let's see the 7 computer FBW as a big single computer with 7 components inside it. If just a single component fails, why reject all other ones? Backing up individual components in different ratios is much more economical (cost, space, weight-wise) than backing up the entire big single computer.

Popsiclestix 24th Jun 2013 20:03

A single-large computer may not be cheaper than many individual discrete components.

The largest cost to manufacture these computers is actually the cost of programming them. If you integrate multiple functions into a single chip you suddenly have very weird ways the functions may interact.

In order to have a high confidence they don't interact, you now have to write tests that exercise the multiple functions in different ways.

Separate chips don't have this limitation, they cannot possibly interact with each other (outside of their control signals).

clark y 24th Jun 2013 20:15

Remember that the A320 was designed in the 80's. Back then nobody could have dreamed of a gigabyte or even a terabyte.
I too have been told that all the flight control computers are supposedly designed and built by different companies to maintain redundancy.
As for processing speed, I think that is also plausible as a reason due to the age of the design and also the fact it is not just the controls that need to be instantaneous but also other critical systems like instrumentation.
The FMGS on the A320s I fly have a whopping 2.8 meg (not gig) of memory. There are also 3.5 inch floppy drive data loaders on the centre pedestals!

FakePilot 24th Jun 2013 20:47

Might also be a reflection of the internal company structure. This group makes this subsystem and it would probably be a good idea if they made the controller for it too.

Of course, this is uninformed speculation based on experience from fields.

Uplinker 25th Jun 2013 00:57

Well Indigo; I back you up and you dismiss me. Thanks very much.

I don't know why you 'doubt that the code would change between ELACs'. Consider two computers which are identical electronically and have been loaded with exactly the same software which has a tiny flaw that no-one has spotted. One day, the aircraft enters the zone where this flaw produces a fault. No matter, because the second computer can take over....ah no wait, it has the same flaw.

Now consider two computers which may be different electronically, have been programmed differently by different people perhaps even using a different computer language. Now when the aircraft enters the area where the flaw in the first computer shows itself, the second computer can take over and work properly, because it does not have the same flaw.

Your 'seven subsections of the same computer' idea has less redundancy than seven separate computers: 7 separate computers have 7 separate power supplies, 7 separate mother boards, 7 separate sets of data wiring, and 7 separate outputs etc. etc. Can you see how this is a far more redundant system than your one computer with 7 parts is?

With your one 'mega-system'; if the internal power supply fails, you lose the whole lot. With Airbus's 7 separate systems, if you lose one power supply, you lose one computer, still leaving you with 6.


As for high speed computers being able to process many inputs; I can easily overload my modern desktop PC or my smartphone with too many rapid inputs. It would not be very clever if rapid joystick/yoke inputs in an approach in gusty turbulent conditions overloaded the one flight computer and it froze, now would it?
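
A simplified numerical sketch of the argument made in this thread (FCeng84's 10^-6 per-LRU and 10^-9 system figures, and the identical-versus-dissimilar computer point above), added here as an example and not part of any poster's message. It uses the beta-factor common-cause model from reliability engineering; the `beta` values and the function names are assumptions chosen for illustration, not Airbus data.

```python
"""Added example: beta-factor common-cause model for redundant channels."""


def loss_of_all_channels(lam, n, beta):
    """Approximate per-hour probability that all n channels are lost.

    lam  : failure rate of one channel per flight hour (thread figure: ~1e-6)
    n    : number of redundant channels
    beta : ASSUMED fraction of failures that are generic, i.e. shared by
           every identical copy; 0.0 models fully dissimilar channels
    """
    common = beta * lam                      # one generic fault defeats every copy
    independent = ((1.0 - beta) * lam) ** n  # n unrelated faults coincide
    return common + independent


def min_channels(lam, beta, target, max_n=10):
    """Smallest channel count meeting the target, or None if none up to max_n."""
    for n in range(1, max_n + 1):
        if loss_of_all_channels(lam, n, beta) <= target:
            return n
    return None


if __name__ == "__main__":
    LAM, TARGET = 1e-6, 1e-9           # figures quoted in the thread
    for beta in (0.0, 1e-4, 1e-2):     # constructed sample values
        n = min_channels(LAM, beta, TARGET)
        floor = beta * LAM             # limit that adding copies cannot beat
        verdict = f"{n} channels suffice" if n else "no number of copies suffices"
        print(f"beta={beta:<7g} common-cause floor={floor:.1e}  ->  {verdict}")
```

With a generic-fault fraction of 1%, the common-cause term alone is 10^-8 per hour, so adding more identical copies never reaches 10^-9; only reducing `beta` (dissimilar hardware and software) does.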

galaxy flyer 25th Jun 2013 02:04

Once again, I'm amazed questions like this come from line pilots who clearly do NOT understand aviation. You do understand how important flight controls are, don't you?

I FLY INDIGO, why not give up your day job and replace the huge work force in Toulouse that do nothing but design systems for certified planes?

Fly3 25th Jun 2013 02:32

IIRC during my initial training on the A320 in Toulouse back in 1991 they told us that only two computers from the same manufacturer could be fitted in each aircraft and the others had to be from another source and that those two from the same company could not be loaded with software written by the same software provider. This would minimize the risk of a bug affecting more than one computer at a time.

IFLY_INDIGO 25th Jun 2013 05:43


> "Let's see the 7 computer FBW as a big single computer with 7 components inside it. If just a single component fails, why reject all other ones? Backing up individual components in different ratios is much more economical (cost, space, weight-wise) than backing up the entire big single computer."

I was taking the present arrangement of 7 computers as the most ideal case and was trying to find out the hidden logic in this unique selection. What I meant was to look at the 7 computers as 7 components of a big notional single computer.

On the redundancy, elevator has 3 back ups, stabilizer has 3 back ups, aileron has a single back up, spoilers have no back up. If a SEC fails its spoilers are gone. Rudder is mechanical with no back up.

IFLY_INDIGO 25th Jun 2013 06:33

From Popsiclestix:

> The largest cost to manufacture these computers is actually the cost of programming them. If you integrate multiple functions into a single chip you suddenly have very weird ways the functions may interact.
>
> In order to have a high confidence they don't interact, you now have to write tests that exercise the multiple functions in different ways.
>
> Separate chips don't have this limitation, they cannot possibly interact with each other (outside of their control signals).

I guess programming and hardware constraints of the past (1980s) are being carried forward.

I know for sure that both ELACs have to be from the same vendor - Thales, Honeywell etc. Same with SECs. (Out of discussion with our chief aircraft engineer.)

IFLY_INDIGO 25th Jun 2013 23:29

In an absolutely normal situation, ELAC 1 and 2 do all the signal processing. After processing, ELAC 1 provides roll orders to ailerons directly and to the spoilers via SECs. ELAC 1 also provides yaw order to the FAC1 for coordination. ELAC2 provides pitch order to the elevators and THS.

In case of the failure of one of the ELACs, the remaining ELAC will carry out all the signal processing and give all the orders. Only LAF would not be available.

The point is 'there is not so much spreading of processing as it seems'. In normal situations, only two computers do the processing and pass the orders to the other computers.

Swedish Steve 26th Jun 2013 06:29


> Once again, I'm amazed questions like this come from line pilots who clearly do NOT understand aviation. You do understand how important flight controls are, don't you?

Well if separate computers are so important, why does the B777 only have ONE ADIRU?
Admitted there are many sensors and channels inside it, but when it fails there is only one box to change.
I know the SAARU is more complicated than the average standby gyro, but there is still only one ADIRU.

EEngr 26th Jun 2013 18:50


> why does the B777 only have ONE ADIRU.

That is a bunch of computers in one box. Aside from multiple redundant channels, each channel is comprised of several CPUs, each processing its inputs and providing outputs on busses within the box.

This architecture achieves a few things: It is fault tolerant in that the loss of one CPU (or other function) does not disable the entire LRU. Ship's wiring being more prone to faults, it is more reliable to keep all these busses within one housing. The other thing this design does is to simplify maintenance. Only one box to diagnose/replace in the field. The internal modules are better repaired in an electronics workshop.

NSEU 26th Jun 2013 22:57

Real scenario: Water drips from overflowing galley plumbing through improperly sealed floorboards onto a cracked Main Equipment Centre drip shield and onto multiple rows of computers. Instead of complete systems failing, parts of systems survive.

Real scenario: A pax oxygen bottle blows up in flight and damages flight control cables on the right hand side of the fuselage. The left hand flight control cables are ok.

Real scenario: Someone accidentally stands on an antenna cable in the Forward Cargo Area and damages it. Two antenna cables remain serviceable.

Don't put all your eggs in one giant basket. For starters, one person may not be able to lift it. Also, you won't be able to fit the basket through the (Equipment Centre) door.
Also, don't stack smaller egg baskets on top of each other. Spread them out so one doesn't affect the other.

And always apply Murphy's Law.

