Lecture 8 - Architecture Essentials
Uploaded by pifpaf

Lecture 8 – Architecture Elements

Architecture Basics - System Topologies

Topology   Description                                                        Typical flows carried
Mesh       Devices are connected with many redundant interconnections          Data
           between network nodes. In a true mesh topology every node has
           a connection to every other node in the network.
Ring       All devices are connected to one another in the shape of a           Data, electrical power, hydraulic
           closed loop, so that each device is connected directly to two
           other devices, one on either side of it.
Star       All devices are connected to a central hub. Nodes communicate        Data, electrical power, pneumatic
           across the network by passing data through the hub.
Bus        All devices are connected to a central cable, called the bus         Data, electrical power, thermal
           or backbone.
Tree       A hybrid topology. Groups of star-configured networks are            Data, electrical power, hydraulic, pneumatic
           connected to a linear bus backbone.

Topology definitions from www.webopedia.com
Bus
• Bus – a structure that connects multiple elements simultaneously. A key
  feature of the bus is that it has the same value at every location on the
  bus: every element attached to it sees the same signal, potential or pressure
• Typical buses carry
  – Data signals – electrically or optically communicated
  – Electrical power
  – Thermal control (coolant)
Spoke Hub vs Point To Point Architecture
• Spoke hub: every node has one connection to the hub, so N nodes need N
  connections. The hub is the one element whose loss disconnects everything
• Point to point: every node connects directly to every other node, so n nodes
  need n*(n-1) connections counting each direction separately (n*(n-1)/2
  bidirectional links). No single node loss partitions the rest
• In this example: N connections (spoke hub) versus n*(n-1) connections
  (point to point)
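As an added example (not from the lecture), here is a small Python model that counts the links each arrangement needs and checks which single node loss partitions the network. Nodes are numbered 0..n-1 and, in the hub-and-spoke model, node 0 being the hub is an assumption of this model; links are undirected, so the mesh count is n*(n-1)/2 where the slide's n*(n-1) counts each direction separately.

```python
"""Hub-and-spoke (star) versus point-to-point (full mesh) topologies.

Added example, not from the lecture. Nodes are numbered 0..n-1; in the
hub-and-spoke model node 0 is the hub (an assumption of this model).
Links are undirected, so a full mesh of n nodes has n*(n-1)/2 links;
the slide's n*(n-1) counts each direction separately.
"""
from itertools import combinations


def hub_and_spoke(n):
    """Each spoke node links only to the hub (node 0): n-1 links."""
    return {frozenset((0, i)) for i in range(1, n)}


def full_mesh(n):
    """Every node links to every other node: n*(n-1)/2 links."""
    return {frozenset(pair) for pair in combinations(range(n), 2)}


def link_count(links):
    return len(links)


def still_connected(links, n, removed):
    """True if the nodes other than `removed` can still all reach each other."""
    survivors = set(range(n)) - {removed}
    if not survivors:
        return True
    adjacency = {v: set() for v in survivors}
    for link in links:
        a, b = tuple(link)
        if a in survivors and b in survivors:
            adjacency[a].add(b)
            adjacency[b].add(a)
    # depth-first search from any survivor; everything reachable must be everything left
    start = next(iter(survivors))
    seen, stack = {start}, [start]
    while stack:
        for neighbour in adjacency[stack.pop()]:
            if neighbour not in seen:
                seen.add(neighbour)
                stack.append(neighbour)
    return seen == survivors


def single_points_of_failure(links, n):
    """Nodes whose loss partitions the rest of the network."""
    return [v for v in range(n) if not still_connected(links, n, v)]


if __name__ == "__main__":
    n = 6  # assumed: one hub plus five spokes, or six fully meshed nodes
    for name, links in (("hub-and-spoke", hub_and_spoke(n)), ("full mesh", full_mesh(n))):
        print(name, link_count(links), "links; single points of failure:",
              single_points_of_failure(links, n))
```

The trade is the usual one: the star is cheap in links but the hub is a single point of failure, while the mesh buys tolerance to any single node loss with quadratic link count.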
System Architectures – Control Hierarchy

[Figure: Flight Control and Navigation computers fed by INS, Air Data and GPS]

• Centralized – one master control
• Distributed – multiple controllers can interact with multiple subsystems,
  either for different purposes or as redundancy
• Federated – subcontrollers control local domains

From Spitzer, Digital Avionics 2nd ed


Architectural Essentials - Concepts

• Layering
• Partitioning and firewalls
• Graceful degradation – fail op and fail safe
• Must function versus must not function
• Parallel versus series
• Similar versus dissimilar redundancy
• Electrical – Fluid Systems Similarity
Layering as a technique to deal with complexity
• Complexity is one of the biggest challenges in system architecture
• Layering is a well demonstrated technique for dealing with complexity in
  system architectures
• One layer of the system isolates the layers above it from the complexity of
  the layers below it
• Each layer presents a user model to the layer above it, providing services
• Each layer is designed to provide the services required by the upper layer by
  using the services of the lower layer
• Most distribution systems are layered – for example power systems: the 120
  volt AC power that comes out of the wall is the result of layers of
  transformers and distribution systems that link it to high voltage generation
  at the power plant

[Figure: International Organization for Standardization (ISO) 7 layer Model for
Open Systems Interconnection (OSI)]
Partitioning and firewalls
• Partitions and firewalls isolate one part of the system from another
• Their purpose is to prevent bad situations from propagating from one part of
  the architecture to another
• Firewalls – a term borrowed from building construction
  – In building architecture, firewalls are walls made from materials (such as
    brick) that won't burn, so that a fire can't propagate across them
• Other types of firewalls
  – Computer systems – only allow certain types of transactions across them
  – Electrical circuits –
    • Circuit breakers (CB's) and fuses
    • In AC power systems, control relays (CR's) isolate system components
      when interface voltages or currents exceed programmed levels
  – Fluid systems – relief valves
  – Mechanical systems
    • Weak links – parts of the structure intended to break when the load gets
      too high, to prevent overloads in more critical parts of the structure
    • Torque limiters
    • Slip clutches
Emergent System Behaviors - Graceful degradation
• Graceful degradation is a characteristic of a system such that it does not
  lose total functionality as failures occur
• For example a battery system with three batteries of 10 amp-hour capacity in
  parallel would have the following characteristics:

    Nominal                 30 amp-hours
    After first failure     20 amp-hours
    After second failure    10 amp-hours
    After third failure      0 amp-hours

• To perform this way, the system must be diode tied so that a failed (shorted)
  battery does not drain the others
• A parallel tank configuration with check valves works the same way to provide
  graceful degradation in the event of a tank leak

Diode Tied Batteries Establish a Redundant Configuration That Degrades Gracefully
[Figure: three batteries in parallel, each through a diode oriented in the
allowed flow direction. Diodes prevent a shorted battery from draining the
other two. Without diodes, parallel batteries will feed an internal battery
short, draining the other batteries; with diodes, the diode stops the other
batteries from feeding the short.]
Equivalent Architecture In Fluid System

[Figure: parallel tanks, each through a check valve (check valve symbol and
allowed flow direction shown), establishing a gracefully degrading
configuration of fluid or gas tanks. Check valves prevent tanks from feeding a
leak.]
Fail Op - Fail Safe
• When a system can tolerate a failure and continue operating it is said to be
  able to Fail Operational, or FAIL OP
  – Example – if a car battery fails while the car is running, the car is FAIL
    OP because it will keep running on the alternator
    • Can't start it without the battery though…
• When a system can tolerate a failure and go to a safe state it is said to
  FAIL SAFE
• The Space Shuttle avionics (electronics and computers) were designed to be
  Fail Op, Fail Op, Fail Safe as a top level system requirement
  • This was called the FO-FO-FS requirement, which said that the shuttle
    avionics would be operational after two failures and still be able to
    return the crew after 3 failures
  – Resulted in allocated requirements for 4 flight computers, 4 sets of
    controls of flight surfaces, 4 sets of flight control sensors
  – Actuators normally get 4 different commands and vote between the commands
  – Flight control software gets 4 sets of every measurement
    • With 4 working sensors, the system computes a mean, discards the reading
      farthest from the mean and then selects the middle value of the
      remaining three
    • With 3 working sensors, the middle valued sensor is selected
    • With 2 working sensors, the 2 sensors are averaged
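The selection rule above, as an added Python example that is not part of the lecture or of the Shuttle flight software. The miscompare tolerance, the three-cycle persistence counter and the rule that failures are only declared while three or more sensors remain are assumptions of this example (with two sensors left a disagreement cannot be attributed to either one, so a separate self-test would be needed to go further).

```python
"""Mid-value selection and failure management for redundant sensors.

Added example; not from the lecture or the Shuttle flight software.
The tolerance, persistence count and 'declare failures only while three or
more sensors remain' rule are assumptions of this example.
"""


def select_value(readings):
    """Select one value from the readings of the sensors still considered good.

    4 sensors: compute the mean, discard the reading farthest from it, then
               take the middle of the remaining three.
    3 sensors: middle value.
    2 sensors: average of the two.
    1 sensor:  that reading.
    """
    vals = sorted(readings)
    if len(vals) == 4:
        mean = sum(vals) / 4
        vals.remove(max(vals, key=lambda v: abs(v - mean)))
    if len(vals) == 3:
        return vals[1]
    if len(vals) == 2:
        return (vals[0] + vals[1]) / 2
    if len(vals) == 1:
        return vals[0]
    raise ValueError("no working sensors")


class RedundancyManager:
    """Tracks which sensors are still trusted and drops persistent miscomparers."""

    def __init__(self, n_sensors=4, tolerance=0.5, persistence=3):
        self.working = list(range(n_sensors))
        self.tolerance = tolerance        # assumed miscompare threshold
        self.persistence = persistence    # assumed consecutive-cycle count
        self.miscompares = {i: 0 for i in range(n_sensors)}

    def step(self, frame):
        """frame[i] is sensor i's reading this cycle; returns the selected value."""
        selected = select_value([frame[i] for i in self.working])
        for i in self.working:
            if abs(frame[i] - selected) > self.tolerance:
                self.miscompares[i] += 1
            else:
                self.miscompares[i] = 0
        # With two sensors left a disagreement cannot be blamed on either one,
        # so failures are declared only while three or more remain.
        if len(self.working) >= 3:
            self.working = [i for i in self.working
                            if self.miscompares[i] < self.persistence]
        return selected


if __name__ == "__main__":
    rm = RedundancyManager()
    # Constructed frames: sensor 3 jumps to a bad value and stays there.
    for frame in ([10.0, 10.1, 9.9, 10.0], [10.0, 10.1, 9.9, 15.0],
                  [10.0, 10.1, 9.9, 15.0], [10.0, 10.1, 9.9, 15.0]):
        print(rm.step(frame), rm.working)
```

Note that the selected value stays at 10.0 throughout: the bad sensor is masked by selection from the first bad cycle, and is removed from the set only after it has miscompared for the assumed persistence count, which is what keeps a single noisy sample from costing a channel.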
Elevators – Fail Safe Design
• Elevators are designed to fail safe, in the event of power loss or in
the event the cable is cut, brakes are automatically applied
– Elisha Otis was born in Halifax, Vermont. As an adult, he was
inspired to design what was then called the "safety elevator"
when he was asked to move equipment into the warehouse of
his employer, a New York bed factory. Most elevators of the time
were extremely dangerous. Otis' employer needed an elevator
that could carry people and equipment safely to the upper floors
of its new building.
– At the Crystal Palace Exposition in New York in 1853, Otis
demonstrated his solution. A large crowd watched breathlessly
from the floor far below as Otis ascended in his new elevator.
Stopping at a dizzying height, Otis told his assistant to cut the
elevator's cord!
– The crowd let out a gasp of relief when the elevator platform did
not come crashing to the floor. The key to Otis' invention was a
toothed guiderail located on each side of the elevator shaft that
caught the elevator car. If the cable failed, the teeth would
engage, locking the car in place. (www.about.com)
Over 2.2 million Otis Company elevators and escalators are in operation in the
world today. It is estimated that they move the equivalent of the entire
earth's population every nine days. (http://www.otisworldwide.com/)
Must function versus
Must Not function
• Must Function – are those systems which
employ design features such as redundancy or
factor of safety to ensure that they will function
• Must Not Function – are those systems which
employ design features such as redundancy to
ensure that hazardous functions are not
engaged before it is safe to do so
Parallel versus Series
• Parallel Options
  – Both active
  – Active standby
  – Share load versus load shifts to one or the other
Similar versus dissimilar redundancy
• Similar redundancy – multiple copies of the same item performing the same
  function
• Dissimilar redundancy – different design components performing the same
  function (potentially with significantly different principles of operation)
• Similar redundancy is vulnerable to generic failures, i.e. a failure common
  to all parts of the same design
Similarity – electrical and fluid systems

Function                 Electrical                                   Fluid
Flow                     Current                                      Mass flow
Potential                Voltage                                      Pressure
Flow control – on/off    Switch, relay                                Valve
Flow direction           Diode                                        Check valve
Flow regulation          Transistor                                   Regulator
Potential regulation     Amplifier                                    Fixed orifice
Isolation                Fuse or circuit breaker, or opto-isolator    Relief valve
Architectural Essentials - Components
• Switch, relay / valve
• Diode / check valve
• Transistor / regulator
• Amplifier / fixed orifice
• Fuse or circuit breaker / relief valve
Flow Control – On/Off – Switch, Relay and Valve
• Whether flow is materials or electrons in a system, we need an architectural
  element to turn it on and off
• In electrical systems this is accomplished with switches (manual) or, if
  electrically controlled, with a relay
• In fluid systems this function is accomplished by a valve, either manual or
  remotely controlled
  • Remote control may be electrical (solenoid), pneumatic (gas) or hydraulic
    (fluid)
• Switch elements in parallel are redundant for MUST FUNCTION applications:
  if A fails to close and B closes, the function still occurs
• Switch elements in series are redundant for MUST NOT FUNCTION applications:
  if A fails closed, then B prevents the function

[Figure: switches A and B side by side (parallel) and A and B in line (series)]
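Added example, not from the lecture: a Python model of two switch elements with the failure modes "fails open" (never conducts) and "fails closed" (always conducts). It enumerates every single-element failure to show that the parallel arrangement preserves MUST FUNCTION and the series arrangement preserves MUST NOT FUNCTION, and it also shows the price each pays on the other property, which the slide does not spell out: parallel doubles the exposure to a spurious function, series doubles the exposure to a loss of function. The per-element failure probabilities used at the bottom are assumed values.

```python
"""Parallel versus series switch elements under single failures.

Added example, not from the lecture. Each element is commanded open or closed
and can be healthy, failed open (never conducts) or failed closed (always
conducts). The probabilities in the demonstration are assumed values.
"""
from itertools import product

OK, FAIL_OPEN, FAIL_CLOSED = "ok", "fail_open", "fail_closed"
STATES = (OK, FAIL_OPEN, FAIL_CLOSED)


def element_conducts(commanded_closed, state):
    """Does one switch element pass flow given its command and health?"""
    if state == FAIL_OPEN:
        return False
    if state == FAIL_CLOSED:
        return True
    return commanded_closed


def parallel_conducts(commanded_closed, states):
    """Parallel elements: flow passes if any one element conducts."""
    return any(element_conducts(commanded_closed, s) for s in states)


def series_conducts(commanded_closed, states):
    """Series elements: flow passes only if every element conducts."""
    return all(element_conducts(commanded_closed, s) for s in states)


def single_failure_tolerance(config, n=2):
    """Which property survives every single-element failure?

    must_function:     commanded closed -> flow must occur
    must_not_function: commanded open   -> flow must not occur
    """
    must_function = must_not_function = True
    for i in range(n):
        for fault in (FAIL_OPEN, FAIL_CLOSED):
            states = [OK] * n
            states[i] = fault
            if not config(True, states):
                must_function = False
            if config(False, states):
                must_not_function = False
    return {"must_function": must_function, "must_not_function": must_not_function}


def failure_probabilities(config, p_fail_open, p_fail_closed, n=2):
    """(P[loss of function], P[spurious function]) summed over all element
    states, assuming independent elements with the given probabilities."""
    p_state = {OK: 1 - p_fail_open - p_fail_closed,
               FAIL_OPEN: p_fail_open, FAIL_CLOSED: p_fail_closed}
    loss = spurious = 0.0
    for states in product(STATES, repeat=n):
        p = 1.0
        for s in states:
            p *= p_state[s]
        if not config(True, states):
            loss += p
        if config(False, states):
            spurious += p
    return loss, spurious


if __name__ == "__main__":
    for name, config in (("parallel", parallel_conducts), ("series", series_conducts)):
        print(name, single_failure_tolerance(config),
              failure_probabilities(config, p_fail_open=0.01, p_fail_closed=0.001))
```

Choosing parallel or series therefore starts from which hazard matters more for the function: loss (engine ignition must happen) or spurious operation (a pyrotechnic must not fire), and the element failure-mode split decides how much the other property is worsened.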
Switches are not just
manual devices
• Switches may be manually closed or
opened OR
– They may be activated by a mechanism
forcing the switch contacts closed (or open)
– They may be pressure activated (pressure
switch)
– They may be activated by temperature
(thermostat)
Normally open, normally closed
valves and relays versus bistable
devices
• Valves and relays may be spring loaded to go to
a default position when they are de-energized
– These are called normally open or normally closed
– These are very useful in establishing a fail safe
system in the event of power loss
• Valves and relays may also be stable in either
position when power is removed
– These are called bistable – they are stable in either
state
– They are good for holding position when power is lost
Flow direction - One way flow –
diodes and check valves
• In systems it is necessary to establish an
architecture that guarantees one way flow
• This is necessary to avoid SNEAK FLOWS
– SNEAK FLOWS are unintended flow paths
through the system
• Diodes perform this task for us in electrical
and electronic systems
• Check valves perform this function in fluid
and gas systems
Isolation - Fuses, circuit breakers, relief valves
• In systems it is often necessary to isolate flow in a system when certain
  conditions are exceeded
  – Fuses "blow" when their rated current is exceeded
  – Circuit breakers "pop" when their rated current is exceeded
  – Relief valves "pop" when their set pressure is exceeded
• Fuses and circuit breakers interrupt the flow. Relief valves do not interrupt
  it; they vent just enough to bring the potential (pressure) back down
  – Zener diodes in electrical systems can also be used to limit voltages to a
    certain value
  – Pressure regulators can also be used in fluid mechanical systems
• Opto-isolators consist of a light emitting diode coupled to a photosensor
  – There is no electrical connection between input and output
  – This isolates the downstream electronics from any transients that occur on
    the upstream side
  • In the worst case the LED burns out, but high voltage transients are not
    passed through the isolator
[Figure: Zener diode with the voltage regulated across it; transformer with
primary coil (input) and secondary coil (output) – AC only, two way;
opto-isolator]
Flow Regulation – regulators and transistors
• In systems it is sometimes necessary to limit the amount of flow
  – In electrical systems this can be done with current limiting resistors,
    but a better technique is transistor based control
  – In fluid mechanical systems this is performed by flow regulators
Potential Regulation – Amplifiers and Orifices
• In order to regulate the amount of potential energy in an architecture, we
  use devices such as
  – Electrical systems – all of these devices change voltage, which is
    potential energy
    • amplifiers
    • DC-DC converters
    • transformers (AC systems only)
  – Fluid mechanical systems
    • Over their effective range, orifices take a wide range of input pressure
      and provide output at the same pressure by varying the output flow rate,
      so that the mass flow rate into and out of the orifice is the same
Any Questions ?