Design Considerations in Boeing 777 Fly-By-Wire Computers

Y. C. (Bob) YehBoeing Commercial Airplane GroupFlight SystemsP. O. Box 3707, M/S 02-KASeattle, WA 98124-2207ying.c.yeh@boeing.com

AbstractThe new technologies in flight control avionics

systems selected for the Boeing 777 airplane programconsist of the following: Fly-By-Wire (FBW), ARINC 629Data Bus, and Deferred Maintenance.

The FBW must meet extremely high levels offunctional integrity and availability. The heart of theFBW concept is the use of triple redundancy for allhardware resources: computing system, airplaneelectrical power, hydraulic power and communicationpaths.

The multiple redundant hardware are required tomeet the numerical safety requirements. Hardwareredundancy can be relied upon only if hardware faultscan be contained; fail-passive electronics are necessarybuilding blocks for the FBW systems. In addition, FBWcomputer architecture must consider other faulttolerance issues: generic errors, common mode faults,near-coincidence faults and dissimilarity.

1.0 Introduction

The NASA FBW projects [1],[2] provide thenumerical integrity and functional availabilityrequirements for FBW computers. A finding from theresearch, Byzantine General problem [3], also serves as adesign consideration to assess robustness of FBWcomputer architectures. Past Boeing and other industryexperiences in dealing with generic faults [4], near-coincidence faults [5] provide ground rules for theBoeing 7J7 FBW program. The experiences on the 7J7program [6],[7],[8],[9] and the academic research ondesign diversity [10],[11], design paradigm [12] arecarried over to the 777 FBW program [13],[14],[15].

Furthermore, to certify the 777 FBW program, theflight controls design and development process considersall requirements from: airplane functional groups,certification agencies, customers, in-service experiences,technology trends and design paradigm. The Boeing 777FBW requirements were then derived and developed.

The purpose of this article is to describe the newtechnologies employed directly and indirectly for the 777primary flight control system, with an emphasis on thedesign considerations for the FBW computerarchitecture. The fail-passive electronics for flight

critical avionics systems are defined to illustrate thenecessary building blocks for the forward path, frompilot inputs to control surface, flight controls electronics.

2.0 Outline of New Technologies for 777 FlightControls

Traditionally, new technologies are introduced for anew airplane program, and the 777 is no exception. Thechallenge is the selection of the new technologies whichcan best meet the desire for more functionality withhigher reliability and easier maintainability. That is tosay, the incorporation of new technologies is to add valuefor our customers. The new technologies selecteddirectly or indirectly for the flight controls were:1) FBW, 2) ARINC 629, and 3) deferred maintenance.

2.1 Outline of the Primary Flight Control Function

The outline of the 777 FBW system has beendescribed [6],[13],[14],[15]. The primary flight controlsurfaces are illustrated in Figure 1, and an overview ofthe FBW system is shown in Figure 2. Figure 3 showsthe hydraulic power distribution for the Power ControlUnits (PCUs) to which Actuation Control Electronics(ACEs) provide electrical control.

2.2 ARINC 629 Digital Data Bus

The ARINC 629 data bus [16] is a time divisionmultiplex system. It includes multiple transmitters withbroadcast-type, autonomous terminal access. Up to 120users may be connected together. The userscommunicate to the bus using a coupler and terminal asshown in Figure 3. Terminal access is autonomous.Terminals listen to the bus and wait for a quiet periodbefore transmitting. Only one terminal is allowed totransmit at a time. After a terminal has transmitted, threedifferent protocol timers are used to ensure that it doesnot transmit again until all of the other terminals havehad a chance to transmit.

AIM S

FLIGH TC O NT R OLDAT A B U S E S(3 )

SAARUADIRU PSAS

AFD CS

PFCS

EIC AS& M FD

SPEED B R A KELEVER

TRA NSD U CER S6 C O L U M N P O S I T I O N2 C O L U M N F O R C E ( E A C HW I T H 2 O U T P U T S I G N A L S )6 W H E E L P O S I T I O N2 W H E E L F O R C E4 R U D D E R P E D A L P O S I T I O N4 S P E E D B R A K E P O S I T I O N2 R U D D E R T R I M P O S I T I O N

ACES PCUS(31)

TRIM A CT UA TOR S1-AIL E R ON1-R U D D E R

FEEL UN ITS2-E LE V AT OR ,V AR IAB LE1-AILE R O N , FIX E D1-RU D D E R , FIX E D

ELEVA T O R FEELAC TU A TOR S

A /P B AC KD R IVEA C TUA TOR S

2 - C O L U M N2 - W H E E L2 - R U D D E R P E D A L

DYNAMIC LOADDAMPER

SPR IN G

A F D C A UT O P I L O T F L I G H T D I R E C T O R C O M P UT E RA D M A I R D A T A M O D UL E ( S T A T I C A N D T O T A L P R E S S U R E S )E I C A S E NG I NE I ND I C A T I O N A ND C R E W A L E R T I N G S Y S T E ME L M S E L E C T R I C A L L O A D M A N A G E M E N T S Y S T E MM F D M UL T IP L E F U N C T IO N D I S P L A YP S A P O W E R S U P P L Y A S S E M B L YF S E U F L A P S L A T E L E C T R O N I C S U N I TA I M S A I R P L A NE I NF O R M A T I O N M A NA G E M E N T S Y S T E MP F C P R I M A R Y F L IG H T C O M P U T E RP S E U P R O X I M I T Y S W I T C H E L E C T R O N I C S U N I TR /A R A D I O A L T I M E T E RA D I R U A I R D A T A I NE R T I A L R E F E R E NC E U N I TS A A R U S E C O N D A R Y A T T I T U D E A N D A I R D A T A R E F E R E N C E U N ITA C E A C T UA T O R C O NT R O L E L E C T R O N I C SP C U P O W E R C O N T R O L U N I T S , A C T UA T O R SH Y D I M HY D R A UL I C I NT E R F A C E M O D U L EW O W W E I G H T O N W H E E L SW E S W A R N I N G E L E C T R O N IC S S Y S T E M

PIT CH & R U DD E R T R IM C MD STR IM SW IT C H ES

SUPPORTING SYSTEM S

CO LU M NBR EAK O UT

ADM S ADM S

FSEU

W ES

ELM S

CA RD FIL ESH Y DIM , W OW

EDIU

PSEU

SY ST EMAR INC629 (4)

R/A

GU ST S U P PR E SSIO N XD U CR S

AUTO

OFF

S PE E D B R AK EAC T U AT O R

AILER O NTR IM

CMD S

TA CSWIT C H

PFCDISC ON N EC T

SW IT C H

FIGURE 2 777 PRIMARY FLIGHT CONTROL SYSTEM OVERVIEW

S poilers(7 Per S ide)

Slats

D ou ble Slotted F lap

F laperon

F lap

A ileron

S ingle Ru dder

E levator(Single Span )

S tabilizer

P artia l S panTab

FIGURE 1 777 FLIGHT CONTROL SURFACES

CL1

RL2

L2C B L

O B A IL

FL A P E R O N

O B S P O IL E R S

O B A IL

IB S P O IL E R S

CL2

LC

CL

RL

C

54

32

1 O B S P O IL E R S

L1 R

R C

CR

RL 6 7

C R

L2 C

CR

RC

8 9

C B LL2

L2R

L1C

CL

RL

C

1011

1213

14L1

R

CL

LE F T E LE VA T O R R IG H T E L E VA T O R

C B L

C R

R , L 2L 1 ,C

C B L

L 1

C R

L 2

L

C R

L

R U D D E R

CC

LL 1

RR

L1, L2 , C , R D E N O T E S A C E S 0U R C E

A C E S O U R C E

H Y D R A U L ICS O U R C E

C A B L E

NOTE: S P O IL E R S 4 AN D 1 1 AR E C O M M AN D E D V IAC AB L E S F R O M T H E C O N T R O L W H E E L AN DV IA T H E AC E S F R O M T H E S P E E D B R AK ELE V E R . T H E S T AB IL IZ E R IS C O M M AN D E D V IAT H E C AB L E S T H R O U G H T H E A IS L E S T AN DL E V E R S O N L Y AN D O T H E R W IS E ISC O M M AN D E D T H R O U G H T H E AC E S .

C B L

L

L 2

Fig ure 3 Prim ar y Fli g ht Controls H y draul ic / ACE Distribu tion

FL A P E R O N

IB S P O IL E R S

Figure 4 shows the interconnection of two systemsusing an ARINC 629 terminal controller and SerialInterface Module (SIM) which are installed on a circuitboard within each Line Replaceable Unit (LRU). TheSIM interfaces with the stub cable via a connector onthe LRU. The stub cable is then connected to the globaldata bus via a current mode coupler.

A representation of the main internal logic and dataflows within an ARINC 629 terminal controller isshown in Figure 5. Data enters through the demodulatorand is checked for faults. The receiver circuitrymonitors all incoming labels and determines whichwordstrings are needed. The data needed by theattached users is sent to the subsystem interface and tothe users.

2.3 Deferred Maintenance

The deferred maintenance has been a desirableattribute for customer airlines to enhance airplanedispatch reliability. The deferred maintenance conceptmandates the need for the fault tolerant design for themajor digital avionics systems such as PFC, ADIRS (AirData Inertial Reference System) and AIMS (AirplaneInformation Management System.) Based on Life CycleCost study for an optimum redundancy level for airlines,these computer architectures contain one level of

redundancy beyond that required to achieve thefunctional integrity for airplane dispatch. Consequently,repair of random hardware failures can be deferred to aconvenient time and place, resulting in reduction ofdispatch delays or cancellations.

The triple-triple redundant PFC architecture, triplechannels with triple dissimilar lanes in each channel,has been described [14]. The PFC can be dispatchedwith one failed lane: maintenance alert is generated formaintenance attention. The PFC can also be dispatchedwith one failed channel: flight deck status message isgenerated requiring replacement of a PFC channelwithin three flights.

The ADIRS and AIMS architectures can besummarized as follows.

2.3.1 Air Data Inertial Reference System

This system evolved from the Air Data Computersand Inertial Reference Systems on previous airplanes.The system consists of traditional triple-redundant pitotand static ports, whose signals are converted toelectrical signals by Air Data Modules mounted near theprobes. Digital signals are sent via Flight ControlARINC 629 buses to the ADIRU and SAARU forprocessing, as shown in Figure 6. The ADIRU andSAARU are fault tolerant computers with angular ratesensors and accelerometers mounted in a skewed-axisarrangement [17]. The ADIRU can be dispatched withone failure of each of the following assemblies: angularrate sensor, accelerometer, processor, and I/O module.

2.3.2 Airplane Information Management System

The AIMS is the data cruncher for the followingfunctions: 1) flight management, 2) thrust management,3) display, 4) data communication, 5) centralmaintenance, 6) airplane condition monitoring, 7) flightdata recording, and 8) digital data gateway.

The AIMS communicates with the majority ofavionics systems on the airplane. These interfaces areimplemented through several different media, includingARINC 629 data buses and ARINC 429 data buses.The AIMS [18]consists of two separate and independentcabinets, each with four core processors and fourinput/output modules. The AIMS can be dispatchedwith one failed processor module and one failed I/Omodule.

3.0 Design Considerations for Primary FlightComputers

Earlier on the research program for the Boeing 7J7airplane, we were to define a methodology fordetermining need and means of protection againstgeneric errors [4] and common mode faults. Theapproach taken evolved to the 777 program.

3.1 Common Mode Fault

Common mode or near-coincidence faults[4],[5]need to be considered for multiple redundant systemssuch as the FBW. Airplane susceptibility to commonmode and common area damage is addressed bydesigning the systems to both component and functionalseparation. This includes criteria for providinginstallations resistant to maintenance crew error ormishandling.

The FBW design and installation has beendeveloped with the following fault or eventconsiderations (to name a few):

- impact of objects- electrical faults- electrical power failure- electromagnetic environment- lightning strike- hydraulic failure- structural damage- radiation environment in the atmosphere- ash cloud environment in the atmosphere- fire- rough or unsafe installation and maintenance

These common mode concerns led to the FBWrequirements for separation of FBW components andFBW functional separation.

3.1.1 Separation of FBW Components

The separation is required for redundant flightcontrol elements including LRUs, associated wiring andhydraulic lines to the greatest extent possible.

General system/airplane design decisions forseparation include the following:

- multiple equipment bays for redundant LRUs,- physical separation of redundant LRUs,- flight deck equipment and wiring separation and

protection from foreign object collision, and- separation of electrical and hydraulic line routing

through airplane structure.

Thus triple PFC channels are separated physically,and tight synchronization among PFC channels isdeemed undesirable. To maintain source congruencyand system states convergence, PFCs are required toconsolidate their system states, and to equalize criticalvariables. The assumption of near-coincidence [5] PFCshutdown is considered in the redundancy managementdesign for the PFC restart and for determining PFCsystem state convergence rates.

3.1.2 Functional Separation

All triple redundant hardware resources are alignedto the Left (L), Center(C) and Right (R) positions.These hardware resources are electrical power, flightcontrol ARINC 629 buses, PFCs, ACEs, Hydraulicsystems.

ACE functional actuator control is distributed tomaximize controllability in all axes after loss of functionof any ACE or supporting subsystem. In general, theelectronics components powered by the L/C/R flightcontrol electrical bus controls the actuation componentspowered by the L/C/R hydraulic system, respectively.

F igu re 4 In te rcon nec t o f System s u s in g AR INC 629

L R U n

C o up le r n (12 0 m a x)

D a ta b us c ab leasse m b ly

D a ta b uste rm ina to r

S tub c ab le

L ine rep lac ea b leun it (L R U ) no . 1

A R IN C 6 2 9T e rm ina l

C o nt ro l le r

S e r ia l In te r fac em o d u le

C u rren t m od ecoup le r N o . 1

AR INC 629Data Bus

C urrent M ode C oup ler

S tub C ab le

D em odu lator

M odu lator

ST RA PS IM

R EC EIV EP ER SO NA LITY

PR OM

TR ANS MITP ER SO NA LITY

PR OM

Terminal Con tro l le r

Transm itte r

P rotocol P ro toco l

Rece iv er

Subsys temInterface

A dd res s

A dd res s/Data

F igu re 5 A R INC 629 Fu nction a l B lock D iagram

3.2 Design Diversity

Based on the Boeing experience, the most likelydesign errors are, in order of likelihood:

a) i) Requirement errorsb) ii) Implementation

misunderstandingc) Software design or coding errord) Future process errors in previously qualifiede) Semiconductor parts.f) Relatively new, programmable VLSI circuits

whose number of states approach infinity andtherefore are non-deterministic.

The 7J7 FBW program goal regarding dissimilarityis developed as follows.

1. Dissimilar software/hardware architectureshould be used.

2. Ada should remain the accepted standard forembedded software.

3. When dissimilar hardware and software isused to reduce error in FBW computers, stepsshould be taken to ensure the designs are alsodissimilar.

In the design diversity experiment at UCLA [10],the isolation rules were employed in whichprogramming teams were assigned physically separateoffices for their work and that inter-teamcommunications were not allowed. The research atacademe [10],[11] indicate that multiple versions ofprograms developed independently can contain similarerrors.

Boeing experience is that among sources of errorsit is most often the basic requirements which areerroneous or misinterpreted. The key to a successfulsoftware implementation is the elimination of errors.The errors due to misinterpretation can be reduced byvery close communication between the systemrequirements engineers and the software designers. Infact, the software designers can help the engineersrecognize limitations in the software design when therequirements are being written. There is much benefitfrom this interactive relationship, which is precluded bythe dissimilar software design approach, where systemsand software teams much be kept segregated.

The development of the PFC software during the7J7 program confirmed that the three separate teams, inorder to code their logic from the requirements, werehaving to ask Boeing so many questions for clarificationof the requirements that the independence of the threeteams was irreparable compromised. This is the reasonwhy Boeing elected to revert to the usual and customarymethod of creating and certifying flight critical sourcecode. It was determined that there is a net gain in totalsystem integrity with the single software designapproach. The overall 777 FBW program decision on

dissimilarity is described in [15], and is summarized asfollows.

3.3 Safety Analysis

The safety analysis is performed which assesses allsignificant failures of the FBW system including singlefailures, latent failures, and failure combinations at theLRU level. Allowable level of dispatch with knownfaults is determined. Also considered is the scheduledmaintenance necessary to limit exposure to latent faults.The analysis shows that the probability of a given failurecondition is consistent with its severity, and that allfailure combinations producing a catastrophe areextremely improbable. This analysis contains aproposed list of worst case failure conditions to be flightdemonstrated based upon simulator evaluation, anddocuments confirming lab and flight test results.

Hardware component failure modes and potentialLRU malfunctions are assumed. The assumptions,combined with the system architecture and faultdetection/isolation algorithms, are used to eliminate theinfinite possibilities of hardware gate level failuremodes. Interfacing systems such as electrical andhydraulic power, ARINC 629 buses, and primarysensors are included. System separation, partitioning,and redundancy are addressed. Where possible in-service data are used to generate probability of faults.

3.4 Fail-Passive and Fail-Operational Electronics

An electronics function is fail-passive if, in theevent of a failure, the continued safe flight and landingof an airplane can be maintained by the pilot. Firstly theFBW architecture study considering use of ARINC 629data busses concluded that common interfacerequirements [15] should be developed including acommon CRC (Cyclic Redundancy Check) algorithm.

The ACE functional overview diagram is shown inFigure 7, and the FBW forward path (ACE to/from PFC)signal monitoring concept is shown in Figure 8 toillustrate the application of fail-passive electronics.

The transducers used to sense the pilot controlcommands are monitored with in-line monitors ofcommon mode monitor (CMMs) and demodulatormonitor (DMMs). This includes the position and forcetransducers. The CMMs detect short circuits and opencircuits in the pilot control transducers, while theDMMs are used to monitor demodulation of each ACtransducer signal. If either monitor indicates failure,this signal will not be used by PFCs for FBW controllaw function.

The servo command wraparound monitors verifythe proper operation of ACE digital-analog and analog-digital conversion hardware and verify properdistribution of each PCU/Actuator command to theappropriate servo loop function.

Figure 7 T yp ica l A C E A rch itec tu re

A D IR U

6 2 9

6 2 9

6 2 9

R A T E

A C C E L

IN E R T IA LS E N S O R S

S E L E C TA N D

M O N IT O R

R A T E SA C C E L S

62 9M O N IT O R

IN E R T IA LS O LU T IO N

V O T E

V O T E

62 9

62 9

62 9

62 9

S E L E C TA N D

M O N IT O R

P S

P T

A IR D A T AS O LU T IO N

PFC LC O M M A N D L A N E

B U SS E L E C T

V A L ID IT YM O N IT O R

SSFD

S E L E C T E DD A T A

V A L IDF L A G

V A L ID IT YM O N IT O R

M O N IT O R L A N E

S T A N D B Y M O N IT O R LA N E

ID E N T IC A L

ID E N T IC A L

S igna ls B od y R ates Bo dy A c ce lera tion s P itch and R o ll A ttitu de G round sp ee d A irs peed (VC , V T )

Baro A ltitu de F ilte red M ac h Im pac t P res su re PS = Sta tic P res s ure

P T = T o ta l P ress ure

S A A R U

6 2 9

6 2 9

6 2 9

R A T E

A C C E L

IN E R T IA LS E N S O R S

S E L E C TA N D

M O N IT O R

R A T E SA C C E L S

62 9M O N IT O R

IN E R T IA LS O LU T IO N

S E L E C TA N D

M O N IT O R

P S

P T

A IR D A T AS O LU T IO N

(6) (4)

(4 )

(4 )

(2 )

C O M P A R A T O R

P S 1

P T 1

P S 2

P T 2

P S 3

P T 3

Fig ure 6 A D IRU /S A A R U R ed un dancy M an agem ent

GUST SUPPRESSIONXDUCER INTERFACE

SPO ILE R SER V OL O OP S &MO N IT O R S

*M UX*D E M U X

AR IN C 6 2 9IN T E R F AC EL E F T BU S

AR IN C 6 2 9IN T E R F AC E

C E N T E R BU S

CRC

AC EPO W E RS U P PL Y

AN DPC U S O V s

R V D T 's & L V D T 'sE X C IT AT ION

BU F F E R 'sD E M O D 's

D M M ' & C M M 's

D IR E C T M O D ES C H E D U LE S

D/AIN PU TS IG N AL

M ANAG E M E NT(IS M )

S IG N ALC O M M AN D

D E C O D EC O N T R O L

(S C D C )

T H R E E MO D EPC U

SER VO LO O P S &MO N IT O R SEL EVAT O R

AIL ER O NF LAPER O N

R U D D ER

RUDDER TRIM /ELEVATOR FEELACTUATOR SERVOLOOP & MONITOR

ST AB T R IMC O N T R O L

AU T O SPE ED B R AK E AR M

R ACE

A

PIT C H R AT ES E N S O R

A/D

F LA PPO S IT IO N

PILO T S 'C M D S

D IR E C TM O D E

S W ITC H

PINPR O -

G R AM M IN G

LCR

Fli g h t C ontro l D i g ita l D a ta Buse s

F LIG H TC O N T R O L SD C PO W E R

A A A

A

A

MODAL SU PPRESSION FUNC TIONACCEL EROMETER S

AR IN C 6 2 9IN T E R F AC ER IG H T BU S

777-300: AC E EXT ER N AL P IT C HR AT E SEN SO R IN T ER FAC E

(6 )

MID

-VA

LUE

SE

LEC

T

Cro

ss c

hann

el m

oni

tori

ng

CH

AN

NE

LIN

HIB

IT

CR

OS

SC

HA

NN

EL

MO

N

629

629

CR

CC

RC

629

MO

N

SC

DC

ISM

AD

C

DA

C

1

Wra

p A

roun

d M

oni

tor

AC

EP

FC

3SX

-LA

NE

MO

N

X-L

AN

EM

ON

3MO

UT

PU

TE

NA

BLE

2S 2M

PF

C V

alid

i ty

Po

wer

Su

pp

l y M

on

i to

r62

9 M

on

i to

r

SE

RV

OE

LE

CP

CU

AC

EP

CU

629

629

1

3CP

ILO

TLV

DT

DE

MO

DA

DC

SC

DC

CR

C

AD

IRU

SA

AR

U

629

MO

NC

RC

BU

FFE

R

UP

DA

TE

MO

N

SS

FD

CO

NT

RO

LLA

W

CR

C

AC

EP

FC

No

data

mon

itor

ing.

Dat

a p

ath

mon

ito

red

by

WA

MC

omm

on m

ode

mon

itor

Dem

od m

oni

tor

AC

EF

LT D

EC

K

Cro

ss

lane

mo

nito

rin

g o

f 3

dis

sim

ilar

lane

inp

ut

2S 2M

SV

MC

MM

DM

MS

OV

CM

D R

ES

P.

3S 3M

Po

we

r S

upp

ly M

onit

ors

3C

CM

D ST

BY

MO

N

CR

C

Fig

ure

8

PF

CS

Sig

na

l P

ath

Mo

nit

ori

ng

Digital commands received from the PFCs are convertedto analog commands for use by the actuator servo loops.The analog servo loop commands are also converted("wrapped") back to digital form for use by theWraparound Monitor. The monitor then compares theoriginal digital commands with the wraparoundcommands to verify operation of digital to analog andanalog to digital conversion.

All LRUs transmitting critical data on ARINC 629bus are required to comply with the Flight Controls BusRequirements [15] inclusive of providing CRCcheckwords. All flight critical LRUs (eg, PFC & ACE)perform CRC monitoring of each received wordstring.

Input Signal Management (ISM) processing isperformed by each PFC on ARINC 629 input signalsreceived by the PFCs including those originating fromthe ACEs, ADIRU, SAARU, ADMs, AFDCs, andAIMS. ISM includes Signal Selection and FaultDetection (SSFD) algorithms which perform signalselection and static and dynamic fault monitoring. Thisalgorithm must be designed to adequately isolate failedcomponents for an extended period of time wheredelayed maintenance is desired.

4.0 Summary

The successful certification of the first BoeingFBW airplane, airplane in general and FBW in specific,in four and half years depends to a large extent on thefollowing: 1) a new facility to accommodate a largenumber of test labs, the Integrated Aircraft Systems Lab(IASL), 2) a viable FBW architecture, 3) workingtogether with customer airlines for their help indesigning the airplane, 4) certification planning,5) research work from the fault tolerant computingcommunity.

References:

1. J.H. Wenseley et al "SIFT: Design and Analysis ofa Fault-Tolerant Computer for Aircraft Control",Proceeding of the IEEE, Vol. 66, No. 10, October1978.

2. A.L. Hopkins Jr., T.B. Smith,III, J.H. Lala, "FTMP-A Highly Reliable Fault-Tolerant Multiprocessorfor Aircraft", Proceeding of the IEEE, Vol. 66,No. 10, October 1978.

3. L. Lamport, R. Shostak, M. Pease, "The ByzantineGenerals Problem", ACM Trans. on ProgrammingLanguages and Systems, Vol. 4, No. 3, July 1982.

4. S.S. Osder, "Generic Faults and ArchitectureDesign Considerations in Flight-Critical Systems",

AIAAJournal of Guidance, Vol.6,No.2, March-April 1983.

5. J. McGough, "Effects of Near-Coincident Faults InMultiprocessor Systems", Fifth AIAA/IEEE DigitalAvionics Conference, October 1983.

6. R.J. Bleeg, "Commercial Jet Transport Fly-By-WireArchitecture Consideration", Ninth AIAA/IEEEDigital Avionics System Conference, October1988.

7. C.J. Walter, "MAFT: An Architecture for ReliableFly-By-Wire Flight Control", Ninth AIAA/IEEEDigital Avionics Conference, October 1988.

8. A.D. Hill, N.A. Mirza, "Fault Tolerant Avionics",Ninth AIAA/IEEE Digital Avionics Conference,October 1988.

9. R.A. Hammond, D.S. Newman, Y.C. Yeh, "On Fly-By-Wire Control System and Statistical Analysis ofSystem Performance", Simulation, October 1989.

10. A. Avizienis, M.R. Lyu, W. Schutz, "In Search ofEffective Diversity: A Six-Language Study ofFault-Tolerant Flight Control Software", FTCS-18,1988.

11. J.C. Knight, N.G. Leveson, "An ExperimentalEvaluation of the Assumption of Independence inMultversion Programming", IEEE Trans. OnSoftware Engineering, January, 1986.

12. A. Avizienis, "A Design Paradigm for Fault-Tolerant Systems", AIAA Computers in AerospaceConference, October 1987, Paper 87-2764.

13. J. McWha, "777 Systems Overview", RAeSPresentation, November 1993.

14. Y.C. Yeh, "Triple-Triple Redundant 777 PrimaryFlight Computer", 1996 IEEE AerospaceApplications Conference, February 1996.

15. Y.C. Yeh, "Dependability of the 777 Primary FlightControl System", DCCA-5, September 1995.

16. J.L. Shaw, H.K. Herzog, K. Okubo, "DigitalAutonomous Terminal AccessCommunication(DATAC)", Seventh AIAA/IEEEDigital Avionics System Conference, November1986.

17. D.L. Sebring, M.D. McIntyre, "An Air Data InertialReference System for Future CommercialAirplane", Ninth AIAA/IEEE Digital AvionicsConference, October 1988.

18. K. Hoyme, K. Driscoll, "SAFEbus", EleventhAIAA/IEEE Digiatl Avionics Conference, October1992.