
PLAN FOR HARDWARE ASPECTS OF CERTIFICATION

FOR THE
COMAC C919 FLIGHT CONTROL SYSTEM

HONEYWELL – CONFIDENTIAL:

THIS COPYRIGHTED WORK AND ALL INFORMATION ARE THE PROPERTY OF HONEYWELL INTERNATIONAL INC., CONTAIN TRADE SECRETS AND MAY NOT, IN WHOLE OR IN PART, BE USED, DUPLICATED, OR DISCLOSED FOR ANY PURPOSE WITHOUT PRIOR WRITTEN PERMISSION OF HONEYWELL INTERNATIONAL INC. ALL RIGHTS RESERVED.

PRODUCTION - Released - 20 Apr 2020 04:47:53 UTC

Copyright 2014, 2020 HONEYWELL INTERNATIONAL INC.
All Rights Reserved

CAGE CODE 58960

PRINTED IN U.S.A.    INITIAL RELEASE DATE: MAY 2014    PUB. NO. EB62000855-001
REVISION DATE: APRIL 2020    REV C
Honeywell International Inc., Phoenix, Arizona

Source_EB62000855-001_C = 0FD28599
REF: ECN-6078167
TECHNICAL ENGINEERING REPORT
APPROVAL AND DISTRIBUTION CONTROL
Refer to INS-4237 for Approval Authority.

BUSINESS UNIT: ATS    CAGE CODE 58960

GENERAL INFORMATION    ECN-6078167
REPORT TITLE: PLAN FOR HARDWARE ASPECTS OF CERTIFICATION FOR THE COMAC C919 FLIGHT CONTROL SYSTEM
COORDINATOR: T. LAM
PUB. NO.: EB62000855-001 Rev C    PROPRIETARY NOTICE PER 63-0230-14: PROP S    PAGE LEGEND: PL-E

FINAL REQUIRED APPROVAL

PROCESS APPROVAL (TITLE / NAME)
PUBLICATIONS REPRESENTATIVE: T. SHETTY
The above indicates that this document complies with control requirements listed in the Product Development Processes manual.

RESPONSIBLE ENGINEER: T. LAM
The above indicates approval of the content and distribution of this report.

QUALITY ASSURANCE: FL. MILLER

MANAGEMENT APPROVAL
TECHNICAL MANAGER: H. FAIR

DOCUMENT APPROVERS, DATE OF APPROVAL AND RELEASE DATE ARE CAPTURED ELECTRONICALLY AND STORED IN PDM.
APPROVAL DATA ALSO REFERENCED ON AUTHORIZING ECO.
The typed names above indicate approval, on behalf of Honeywell, of the technical content and distribution of this document.

APPROVAL FOR OVERSEAS DISTRIBUTION
EXPORT TECHNOLOGY CONTROL (as required): 7E994
CUSTOMER APPROVAL (as required):

THE ORIGINAL OF THIS FORM MUST BE RETAINED IN PERMANENT FILES.

INF-5511 Rev 0, Release: 3/10/09    RR-1    Page 1 of 1

REF: ECN-6078167
PHAC for the COMAC C919 Flight Control System - EB62000855-001 REV C

Record of Revisions

Revision Level and Issue Date    Description

–  (May 2014)    Initial creation.

A  (February 2016)    Updates from COMAC PPR.
RR-2
Use or disclosure of information on this page is subject to the restrictions on the title page of this document.


B  (November 2019)
SCR 919HW 00001250:
• Added ACM/CM21 as CM tools
SCR 919HW 00001294:
• Removed MES Macro Assembler from Tool Assessment Table
SCR 919HW 00001281:
• Added additional critical power targets in section 3.1
SCR 919HW 00001363:
• Updated Table 5-2 (Functional Hazard Assessment Summary) to match latest PSSA
• Added version to CCAR25 in section 1.2.3
SCR 919HW 00001713:
• Updated Table 5-4 (AEH Device DAL and Classification) to remove High Lift Alternate mode control laws from the Math Engine Sequence functional description
• Updated Table 7-1 (AEH Life Cycle Data – ACE) row for Hardware Archive Standards to call out both the FCS HDVP and MES HDVP
• Updated Table 7-1 (AEH Life Cycle Data – ACE) to add MES HRD as Conceptual Design Data
• Updated Figure 4-4 (ACE High Level Block Diagram) to provide more detail
• Removed GAS information
• Updated Table 5-5 (Compliance to Issue Paper SW-03) to better cover MES for hardware design standards
• Updated Table 8-5 (Tool Assessment Summary) to be clear that ACTIVE PERL is the PERL script interpreter tool
• Removed references to ASIC development and development of DAL C devices which do not apply to C919
• Added information to Table 8-5 (Tool Assessment Summary) to indicate what activities and hardware life cycle data contain independent assessment information
• Updated Section 6 (Hardware Design Life Cycle Description) to better cover MES
• Updated Table 10-1 (DO-254 Compliance Matrix) to better cover DO-254 sections 4.1.4 and 7.1.3
SCR 919HW 00001714:
• Updated section 4.3 (Direct Mode Rate Sensor) to call out the HPGD2C_M2 ASIC and new Interface FPGA
• Updated Table 8-1 (Previously Developed CEH) to call out the HPGD2C_M2 ASIC and new Interface FPGA for the DMRS HG2291AC01R Mod 1 (P1C Gyro)
• Removed section 8.5.3 (DMRS Product Service Experience)


C  (April 2020)
SCR 919HW 00002018:
• Added AFCS and AHRU acronyms
• Updated Table 3-1 (C919 FCS Equipment Complement) to replace FMCP part number 62000946-901 with 62000946-902
• Updated Table 5-1 (Regulatory Requirements) to replace CFR/CCAR.25.1301(a),(b),(c),(d) with CFR/CCAR.25.1301 and replace CFR/CCAR.25.1309(d) with CFR/CCAR.25.1309
• Updated Table 5-1 (Regulatory Requirements) to replace all content in the Means of Compliance column with ‘AFCS and PFCS Certification Support Plans for COMAC C919 Flight Control System’
• Updated section 8.1 (Previously Developed Hardware) and section 8.1.3 (Change in Aircraft Installation) to indicate that DMRS CEH was certified as part of the Boeing 787 Flight Control Electronics and the Gulfstream G650 AH-1000 Attitude Heading Reference Unit (AHRU) provided by Honeywell
• Updated Table 8-1 (Previously Developed CEH) to correct Honeywell part numbers for DMRS HPGD2C_M2 ASIC and DMRS Interface FPGA to be 10165873-101 and 66021063-001 respectively
• Updated Table 8-1 Previously Certified column with specific previously certified programs
• Made minor formatting corrections throughout the document


List of Effective Pages

Section   Pages   Change Status   Revision
Title     1                       C
RR        4                       C
LEP       1                       C
TC        3                       C
LT        1                       C
LF        1                       C
1         17                      C
2         1                       C
3         9                       C
4         18                      C
5         20                      C
6         22                      C
7         14                      C
8         16                      C
9         1                       C
10        5                       C
11        1                       C
Total pages: 135


Table of Contents
SECTIONS

1 Introduction .......................................................................................... 1-1


1.1 Scope ................................................................................................................ 1-1
1.2 References ........................................................................................................ 1-1
1.2.1 Honeywell Documents .................................................................................. 1-1
1.2.2 COMAC Documents ...................................................................................... 1-3
1.2.3 Regulatory and Industry Documents .............................................................. 1-3
1.2.4 Other External Documents ............................................................................ 1-4
1.2.5 Acronyms and Abbreviations ......................................................................... 1-5
1.2.6 Definitions .................................................................................................. 1-10

2 Changes To Baseline ............................................................................ 2-1

3 System Overview .................................................................................. 3-1


3.1 System Functional Description ........................................................................... 3-1
3.1.1 Supporting Functions .................................................................................... 3-2
3.1.2 Primary Flight Control System Architectural Features .................................... 3-2
3.1.3 Primary Architectural Mitigation .................................................................... 3-3
3.2 Flight Control System Components ..................................................................... 3-4
3.2.1 Flight Control Module ................................................................................... 3-7
3.2.2 Actuator Control Electronics ......................................................................... 3-7
3.2.3 Direct Mode Rate Sensor .............................................................................. 3-7
3.2.4 Power Conditioning Module .......................................................................... 3-7
3.2.5 Flight Mode Control Panel............................................................................. 3-7
3.2.6 Cabinets ....................................................................................................... 3-8
3.3 Allocation of System Functions ........................................................................... 3-8
3.3.1 Functions Allocated To Hardware .................................................................. 3-8
3.3.2 Functions Allocated To Software ................................................................... 3-8
3.3.2.1 FCM Functional Allocation ............................................................................ 3-8
3.3.2.2 ACE Functional Allocation............................................................................. 3-9
3.3.2.3 DMRS Functional Allocation .......................................................................... 3-9
3.3.2.4 PCM Functional Allocation ............................................................................ 3-9
3.3.2.5 FMCP Functional Allocation .......................................................................... 3-9

4 Hardware Overview ............................................................................... 4-1


4.1 Flight Control Module (FCM)............................................................................... 4-1
4.1.1 COM Processor PBA .................................................................................... 4-1
4.1.2 MON Processor PBA .................................................................................... 4-3
4.1.3 Client I/O PBA .............................................................................................. 4-4
4.1.4 Specific Module Safety Considerations .......................................................... 4-5
4.1.4.1 COM/MON processor pair ............................................................................. 4-5
4.1.4.2 RAM EDC ..................................................................................................... 4-5
4.1.4.3 Dedicated ARINC 429 & Discrete I/O ............................................................ 4-5
4.1.4.4 Intermodule Databus Protection .................................................................... 4-5
4.1.4.5 Separation .................................................................................................... 4-5
4.1.5 Summary of FCM ASIC and PLD Usage ........................................................ 4-6
4.2 Actuator Control Electronics Module ................................................................... 4-7
4.2.1 COM Lane PBAs ........................................................................................... 4-9
4.2.2 MON Lane PBAs ......................................................................................... 4-10


4.2.3 Specific Module Safety Considerations ........................................................ 4-10


4.2.3.1 COM/MON Design ...................................................................................... 4-10
4.2.3.2 Fault Effects Partitioning ............................................................................. 4-10
4.2.3.3 Architectural Mitigation Techniques ............................................................. 4-11
4.2.4 Summary of ACE PLD and Math Engine Sequence Component Usage ......... 4-11
4.3 Direct Mode Rate Sensor ................................................................................. 4-13
4.3.1 Rate Sensor Assembly ................................................................................ 4-14
4.3.2 Gyro PBA ................................................................................................... 4-14
4.3.2.1 Sensor ....................................................................................................... 4-15
4.3.2.2 HPG2 ASIC ................................................................................................ 4-16
4.3.2.3 HPGD2C_M2 ASIC ..................................................................................... 4-16
4.3.3 Interface PBA ............................................................................................. 4-16
4.3.3.1 Interface FPGA ........................................................................................... 4-16
4.3.3.2 Serial Data Bus Output ............................................................................... 4-16
4.3.3.3 Power Supply ............................................................................................. 4-17
4.3.4 Summary of DMRS ASIC and PLD Usage .................................................... 4-17
4.4 FCE Cabinets ................................................................................................... 4-18

5 Certification Considerations ................................................................. 5-1


5.1 Certification Basis .............................................................................................. 5-1
5.1.1 Applicable Regulations ................................................................................. 5-1
5.1.2 Technical Standard Orders ........................................................................... 5-1
5.1.3 Other Certification Considerations................................................................. 5-1
5.1.4 Functional Hazard Summary ......................................................................... 5-2
5.2 Hardware Design Assurance Levels .................................................................... 5-7
5.3 AEH Devices ...................................................................................................... 5-8
5.4 Compliance to CAAC Issue Paper SW-03 .......................................................... 5-10

6 Hardware Design Life Cycle Description .............................................. 6-1


6.1 Hardware Design Life Cycle ............................................................................... 6-1
6.1.1 Planning Process .......................................................................................... 6-7
6.1.2 Hardware Design Processes ......................................................................... 6-8
6.1.2.1 Hardware Requirements Capture Stage ........................................................ 6-8
6.1.2.2 Preliminary (Conceptual) Design Stage ......................................................... 6-9
6.1.2.3 Detailed Design Stage .................................................................................. 6-9
6.1.2.4 Hardware Design Environment ...................................................................... 6-9
6.1.2.5 Implementation Stage ................................................................................. 6-10
6.1.2.6 Production Transition Stage ........................................................................ 6-10
6.1.2.6.1 Production Transition – Product ......................................................... 6-10
6.1.2.6.2 Production Transition – AEH .............................................................. 6-10
6.2 Supporting Processes ...................................................................................... 6-11
6.2.1 Hardware Validation ................................................................................... 6-11
6.2.2 Hardware Verification ................................................................................. 6-11
6.2.2.1 Verification Methods ................................................................................... 6-12
6.2.2.2 Design Assurance Strategies for Level A and B Hardware ........................... 6-12
6.2.2.2.1 System Functional Hazard Assessment .............................................. 6-13
6.2.2.2.2 Functional Failure Path Analysis ........................................................ 6-13
6.2.2.2.3 Architectural Mitigation ...................................................................... 6-13
6.2.2.2.4 Elemental Analysis for PLDs .............................................................. 6-14
6.2.2.2.5 Elemental Analysis for the Math Engine Sequence Component ............ 6-15
6.2.2.3 Hardware Verification Environment ............................................................. 6-16
6.2.2.3.1 Hardware Verification Methods .......................................................... 6-16
6.2.2.3.2 Hardware Verification Standards ........................................................ 6-17
6.2.2.3.3 Robustness Testing ........................................................................... 6-17
6.2.2.4 Traceability Data ........................................................................................ 6-17
6.2.3 Hardware Configuration Management .......................................................... 6-18

6.2.3.1 PLD and Math Engine Sequence archives ................................................... 6-19


6.2.3.2 Problem Reporting ...................................................................................... 6-20
6.2.3.3 Hardware Changes During Development ..................................................... 6-20
6.2.3.4 Post-Certification ASIC/PLD/MES Change Management .............................. 6-20
6.2.3.5 Post-Certification Change Management for non-ASIC/PLD Hardware ........... 6-21
6.3 Process Assurance .......................................................................................... 6-21
6.4 Certification Liaison ......................................................................................... 6-21

7 Hardware Design Life Cycle Data ......................................................... 7-1


7.1 Actuator Control Electronics Life Cycle Data ....................................................... 7-1

8 Additional Considerations .................................................................... 8-1


8.1 Previously Developed Hardware (PDH) ............................................................... 8-1
8.1.1 Unchanged Previously Developed CEH ......................................................... 8-1
8.1.2 Changes/Modification to Previously Developed Hardware .............................. 8-1
8.1.3 Change in Aircraft Installation ....................................................................... 8-2
8.1.4 Change of Application or Design Environment ............................................... 8-2
8.1.5 Upgrading a Design Baseline ........................................................................ 8-2
8.1.6 Additional Configuration Management Considerations ................................... 8-2
8.2 Commercial-Off the Shelf (COTS) Components Usage ........................................ 8-2
8.2.1 COTS Microprocessors ................................................................................. 8-3
8.2.2 COTS Microprocessors Errata ....................................................................... 8-4
8.2.3 COTS Microprocessors Verification ............................................................... 8-4
8.2.4 Lattice Configurable Devices ........................................................................ 8-4
8.3 COTS Intellectual Property (IP) .......................................................................... 8-5
8.4 Single Event Upset in Programmed Electronic Hardware ..................................... 8-5
8.5 Product Service Experience................................................................................ 8-6
8.5.1 FCM Product Service Experience .................................................................. 8-6
8.6 Tool Assessment and Qualification ..................................................................... 8-6
8.7 Intermixability (Optional) .................................................................................. 8-11
8.8 Use of Offsite Suppliers and Supplier Oversight ................................................ 8-11

9 Alternative Methods .............................................................................. 9-1

10 RTCA/DO-254 COMPLIANCE ............................................................... 10-1

11 Certification Schedule ........................................................................ 11-1


List of Tables

Table 3-1 – C919 FCS Equipment Complement ............................................................... 3-5


Table 4-1 – C919 FCM Summary of ASIC/PLD Usage ...................................................... 4-6
Table 4-2 - C919 ACE Summary of PLD/MES Usage ....................................................... 4-11
Table 4-3 - C919 DMRS Summary of ASIC/PLD Usage ................................................... 4-17
Table 5-1 - Regulatory Requirements .............................................................................. 5-1
Table 5-2 - Functional Hazard Assessment Summary ....................................................... 5-2
Table 5-3 - Hardware Design Assurance Levels ............................................................... 5-8
Table 5-4 - AEH Device DAL and Classification ............................................................... 5-8
Table 5-5 – Compliance to Issue Paper SW-03 ................................................................ 5-10
Table 6-1 – ACE AEH Design Life Cycle .......................................................................... 6-3
Table 7-1 - AEH Life Cycle Data – ACE ........................................................................... 7-1
Table 8-1 - Previously Developed CEH ............................................................................ 8-1
Table 8-2 – COTS Components Usage ............................................................................ 8-3
Table 8-3 – FCM Service History .................................................................................... 8-6
Table 8-4 - Tool Assessment Summary ........................................................................... 8-7
Table 8-5 - Activities for Satisfaction of DO-254 Objectives for Various Suppliers ............. 8-11
Table 10-1 - DO-254 Compliance Matrix ......................................................................... 10-1
Table 11-1 - Project Milestones ..................................................................................... 11-1


List of Figures

Figure 3-1 – Flight Control System Components .............................................................. 3-1


Figure 3-2 – FCE Cabinet Interfaces ............................................................................... 3-4
Figure 4-1 – FCM Command Processor PBA High Level Block Diagram ............................ 4-2
Figure 4-2 - FCM Monitor Processor PBA High Level Block Diagram ................................ 4-3
Figure 4-3 – FCM I/O PBA High Level Block Diagram ...................................................... 4-4
Figure 4-4 – ACE High Level Block Diagram .................................................................... 4-8
Figure 4-5 – DMRS Hardware High Level Block Diagram ................................................. 4-14
Figure 4-6 – DMRS ASIC/FPGA High Level Block Diagram ............................................. 4-15
Figure 6-1 - Life Cycle Flow Chart................................................................................... 6-2


1 Introduction
This Plan for Hardware Aspects of Certification (PHAC) document provides a system
description for the C919 Flight Control System (FCS) and identifies additional PHACs being
developed for various parts of the system. This document fulfills the intent of the Plan for
Hardware Aspects of Certification, as outlined in DO-254 Section 10.1.1, with regard to the
Honeywell Flight Control Electronics (FCE) Cabinets, Flight Control Module (FCM), Actuator
Control Electronics Module (ACE), Direct Mode Math Engine Sequence (MES) component,
and Direct Mode Rate Sensor (DMRS). In this PHAC, the term “Flight Control
System” is synonymous with “Flight Control Electronics” and is intended to encompass only
those components of the overall system that are provided by Honeywell, Inc., or its sub-tier
suppliers.
Although the entire C919 FCS is described in this document, separate PHACs will address
the hardware certification plans for the PCM [301] and the FMCP [303].

1.1 Scope
Table 3-1 – C919 FCS Equipment Complement provides a list of the equipment in the C919
FCS. Although this document provides the system description for the entire C919 FCS
(through Section 3), the rest of this document is only applicable to the ACE, Direct Mode
MES component, FCM, DMRS, and FCE Cabinet.
This PHAC provides a summary of the planned activities for the design assurance process
that will be used by Honeywell in developing the Airborne Electronic Hardware (AEH) for the
C919 FCE ACE and the Direct Mode MES. This document provides a concise description of
the planned FCS hardware functions and of the life cycle data to be created during the design
and verification activity. The design life cycle data to be produced for the ACE and Direct
Mode MES is listed in Section 7. Section 8.1 addresses re-use of FCM and DMRS
previously developed hardware.
The final development activities and any differences from this plan will be documented
in the Hardware Accomplishment Summary (HAS) documents. There will be three separate
HAS documents: one for the ACE, Direct Mode MES component, FCM, DMRS, and FCE
Cabinets; one for the PCM; and one for the FMCP.

1.2 References
Data items included in Table 7-1 are not repeated in this reference section. The following
data items are applicable to the extent specified in this document.
1.2.1 Honeywell Documents
This section contains a list of Honeywell documents referenced herein to support this
document.


Ref No.   Data Identifier   Document Title

[1]    EB62000856-001   Hardware Development and Verification Plan for the COMAC C919 Flight Control System
[2]    EB62001711-001   Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence
[3]    EB62000944       Hardware Configuration Management Plan for the COMAC C919 Flight Control System Complex Electronic Hardware (CEH)
[4]    EB62000979-001   Hardware Configuration Management Plan for Aerospace North Phoenix Product Hardware
[5]    EB62000771-001   Hardware and Software Configuration Management Plan for COMAC C919 Flight Controls
[6]    C67-0210-005     Aerospace Product Development Quality Assurance Plan
[7]    94222-29         Qualification Test Plan for the COMAC C919 Flight Control Electronics
[8]    PS62000875-001   PFCS Certification Support Plan for COMAC C919 Flight Control System
[9]    PS62000876-001   AFCS Certification Support Plan for the COMAC C919 Flight Control
[10]   PS62000870-001   Preliminary System Safety Assessment (PSSA) for the C919 Flight Control System
[11]   PS62002540-001   C919 Flight Control System Safety Assessment
[12]   PS62002553-001   System Requirements Specification for the COMAC C919 Flight Control Electronics
[13]   EB62000867-001   Intermodule Data Bus Protocol (IMB) Specification for the Honeywell Flight Control System
[14]   EB62000866-001   Actuation Data Bus Protocol (ADB) Specification for Honeywell Flight Control System
[15]   EB62002551-001   Direct Mode Rate Sensor Data Bus Protocol Specification for the Honeywell Flight Control System

[16]   EB62002552-001   ACE-PCM Serial Protocol Interface (SPI) Specification for the Honeywell Flight Control System
[17]   PRO-2006         Supply – Supplier Control Program
[18]   EB53000249-102   Honeywell Aerospace Electronic Components Management Plan (ECMP)
[19]   APOL-50-3        Supplier Assessment and Oversight Process for Software and CEH
[20]   INS-1305         Change Notification
1.2.2 COMAC Documents

Ref No.   Data Identifier   Document Title

[101]   C227JY062   C919 Flight Control Electronics System Technical Specification (STS)
[102]   C952JY006   C919 Aircraft Airborne Software and Airborne Electronic Hardware Management Requirements
[103]   C952JY004   C919 Program Airborne Electronic Hardware Supplier Management Requirements
1.2.3 Regulatory and Industry Documents

Ref No.  Data Identifier  Document Title

[201] ARP-4754A Certification Considerations for Highly-Integrated or Complex Aircraft Systems

[202] ARP-4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

[203] DO-254/ED-80 Design Assurance Guidance for Airborne Electronic Hardware



[204] DO-160G Environmental Conditions and Test Procedures for Airborne Equipment

[205] CCAR25/R4 FAR25/CS-25 Airworthiness Standards, Transport Category Airplanes

[206] AC21-16G Environmental Conditions and Test Procedures for Airborne Equipment

[207] AC20-152 RTCA Inc., Document RTCA/DO-254, Design Assurance Guidance for Airborne Electronic Hardware

[208] CAAC Issue Paper SW-03 Programmed Electronic Hardware Devices in Model C919 Airborne Systems and Equipment

[209] FAA Order 8110.105 CHG 1 Simple and Complex Electronic Hardware Approval Guidance

[210] CAAC Issue Paper M-6 Equivalent Level of Safety Finding for Equipment, System and Installation Requirements

1.2.4 Other External Documents

Ref No.  Data Identifier  Document Title

[301] PHAC4-980 Plan for Hardware Aspects of Certification for the 4-980 Power Conditioning Module (PHAC to be provided by Eldec Corporation, via Honeywell)

[302] PHAC4-980042 Plan for Hardware Aspects of Certification for the 4-980042 Programmable Logic Device on the Power Conditioning Module (PHAC to be provided by Eldec Corporation, via Honeywell)

[303] C2659/PHAC Flight Mode Control Panel (FMCP) Plan for Hardware Aspects of Certification (PHAC to be provided by FACRI, via Honeywell)


1.2.5 Acronyms and Abbreviations

A429 Aeronautical Radio, Incorporated (ARINC) 429

A615A Aeronautical Radio, Incorporated (ARINC) 615A

ARINC 664 Aeronautical Radio, Incorporated (ARINC) 664

AC Alternating Current

ACE Actuator Control Electronics

ACM Automatic Configuration Management (see Definitions also)

ADB Actuation Data Bus

ADC ASIC/FPGA Design Container

ADD ASIC/FPGA Design Document

ADM Air Data Module

AEH Airborne Electronic Hardware

Aero PDM Aerospace Product Data Management

AFCS Automatic Flight Control System

AFDX Avionics Full-Duplex switch Ethernet

AHRU Attitude Heading Reference Unit

ALU Arithmetic Logic Unit

AOA Angle of Attack

AP Autopilot or Aerospace Procedure

APOL Aerospace Policy

ARD ASIC/FPGA Requirements Document

ARINC Aeronautical Radio Incorporated

ASIC Application Specific Integrated Circuit

ATD ASIC/FPGA Testbench Document

ATP Acceptance Test Procedure

ATPD ASIC/FPGA Test Procedure Document


Aux Auxiliary

AVC ASIC/FPGA Verification Container

AVR ASIC/FPGA Verification Results

BIT Built In Test

C919 COMAC 919 family of aircraft

CAAC Civil Aviation Authority of China

CAR Corrective Action Requests

CCAR China Civil Aviation Regulations

CCB Change Control Board

CEH Complex Electronic Hardware

CFR Code of Federal Regulation

CM Configuration Management

CM21 Configuration Management for the 21st century

CMADS Configuration Management And Data Services

CMOS Complementary Metal-Oxide-Semiconductor

COM Command Lane

COMAC Commercial Aircraft Corporation of China

COTS Commercial Off the Shelf

CP Core Processor

CPbus Core Processor bus

CR Change Request

CRC Cyclic Redundancy Check

CS Certification Specification

DAL Design Assurance Level

DC Direct Current

DDR Double Data Rate


DMRS Direct Mode Rate Sensor

DPRAM Dual-Ported Random Access Memory

DSES Honeywell’s Defense and Space Electronic Systems Organization

DVP Development and Verification Plan

EASA European Aviation Safety Agency

EDC Error Detection and Correction

EEPROM Electrically Erasable Programmable Read Only Memory

EHB Encoded Heartbeat

EIT End Item Test

FAA Federal Aviation Administration

FACRI Flight Automatic Control Research Institute

FC Flight Control

FCE Flight Control Electronics

FCS Flight Control System

FCM Flight Control Module

FFP Functional Failure Path

FHA Fault Hazard Analysis

FMCP Flight Mode Control Panel

FMEA Failure Modes and Effects Analysis

FPGA Field Programmable Gate Array (used interchangeably with PLD)

FTA Fault Tree Analysis

GLD Ground Lift Dump

GPC General Purpose Counters

GSCM Ground Spoiler Control Module

HALT Highly Accelerated Life Test


HAS Hardware Accomplishment Summary

HCI Hardware Configuration Index

HCMP Hardware Configuration Management Plan

HDL Hardware Description Language

HDVP Hardware Development & Verification Plan

HECI Hardware Environment Configuration Index

HI Honeywell, Incorporated

HIRF High Intensity Radiated Fields

HRB Hardware Review Board

HRD Hardware Requirements Document

HVR Hardware Verification Report

HW Hardware

I/O Input/Output

IMB Intermodule Databus

IOC Input/Output Controller

IP Intellectual Property

ISI Integrated Standby Instrument

IV&V Independent Validation and Verification

JTAG Joint Test Action Group

LRM Line Replaceable Module

LRU Line Replaceable Unit

LVCMOS Low Voltage Complementary Metal-Oxide-Semiconductor

LVTTL Low Voltage Transistor-Transistor Logic

MAC Media Access Control or Minimum Acceptable Control

MEMS Micro Electro Mechanical System

MES Math Engine Sequence


MHz Megahertz

MIB Management Information Base

MIPS Microprocessor without Interlocked Pipeline Stages

MON Monitor Lane

N/A Not Applicable

PBA Printed Board Assembly

PCI Peripheral Component Interconnect

PCM Power Conditioning Module

PDH Previously Developed Hardware

PDQA Product Development Quality Assurance

PFC Primary Flight Control

PFCS Primary Flight Control System

PFTU Pedal Feel Trim Unit

PHAC Plan for Hardware Aspects of Certification

PLD Programmable Logic Device (used interchangeably with FPGA)

PN Part Number

PSSA Preliminary System Safety Assessment

QAP Quality Assurance Plan

RAM Random Access Memory

REU Remote Electronics Unit

RMON Remote Monitoring

RTC Real Time Clock

RTCA RTCA, Inc., formerly Radio Technical Commission for Aeronautics

Rx Receiver

SAE Society of Automotive Engineers


SCD Source Control Drawing

SDRAM Synchronous Dynamic Random Access Memory

SEU Single Event Upset

SOV Solenoid Operated Valve

SRS System Requirements Specification

SSA System Safety Assessment

SSU Side Stick Unit

STS Systems Technical Specification

TAT Total Air Temperature

TCB Thermal Circuit Breaker

TMR Triple-Mode Redundancy

Tx Transmitter

UDP User Datagram Protocol

USA United States of America

VDC Volts direct current

VDD Version Description Document

1.2.6 Definitions
The following definitions are used to supplement the definitions in the reference documents
where this document uses new terminology or unique Honeywell terminology requiring
definition for clarity.

ACM ACM is a configuration management and change management system.

Activity Any step taken or function performed, both mental and physical, toward achieving some objective. Activities include all the work the managers and technical staff do to perform the tasks of the project and organization.

AEH Airborne Electronic Hardware – Covers both complex and simple electronic hardware as they are defined in DO-254. AC20-152 limits the scope to programmable devices and ASICs.


Analysis A process of mathematical or other logical reasoning that leads from stated premises to the conclusion concerning specific capabilities of equipment and its adequacy for a particular application (IEEE-STD-100).

Baseline The approved, recorded configuration of one or more configuration items, that thereafter serves as the basis for further development, and that is changed only through change control procedures.

CEH Complex Electronic Hardware - Custom micro-coded components including application specific integrated circuits (ASIC), programmable logic devices (PLD), field programmable gate arrays (FPGA), and other similar electronic components that cannot be classified as simple.

Certification The process of acquiring regulatory agency approval for a function, equipment, system, or airplane, by establishing compliance with all applicable governing regulations. For hardware, the criteria are established and agreed upon in the project PHAC.

Certification credit Any task performed by Honeywell, a partner, a supplier, or the customer to show compliance with Certification Requirements (e.g. Code of Federal Regulations (CFRs), Certification Specifications (CSs), Federal Aviation Administration (FAA) approved guidelines (Radio Technical Commission for Aeronautics (RTCA) DO-254), or other approved methods).

CM21 CM21 is the Windows client for ACM.

CMP Configuration Management Plan - Describes the details of the hardware configuration management integral process.

Complex All items that are not simple are considered to be ‘complex’. See definition of Simple.

Configuration A list of Configuration Items that completely define an implementation of a function.

Configuration Management (1) The process of Configuration Identification, and the control of issues and changes of Configuration Identities. (2) A discipline applying technical and administrative direction and surveillance to (a) identify and record the functional and physical characteristics of a configuration item, (b) control changes to those characteristics, and (c) record and report change control processing and implementation status (RTCA/DO-254).


Configured Electronic file exists in the configuration management tool.

COTS IP Commercial Off-The-Shelf Intellectual Property - Commercially available functional logic blocks (including libraries) used to design and implement part or complete custom micro-coded components such as PLDs, FPGAs, or similar programmable components.

Data item RTCA/DO-254 term for particular types of work products.

Deliverable Release of a system or component to its customer or intended user. Deliverables are identified in the project data management plan.

Derived requirement Additional requirements resulting from design or implementation decisions during the hardware development process which may not be directly traceable to higher levels.

Discrete I/O Input or output signals that are defined to have two states, e.g., ON or OFF. Typical discrete input and discrete output signals are either Open/Ground or 28V/Open. Discrete I/O may refer to input/output signals between aircraft equipment and an LRU’s interface connector, or may refer to discrete signals within an LRU’s internal electronics.

Electronics Components, printed boards, and printed board assemblies which define the electrical design of the product.

Entry criteria Term used to describe the criteria or conditions that allow the activity to begin. The criteria usually pertain to a limited scope, usually elements that support a piece of functionality (system requirements, Hardware Requirements Document (HRD), or code elements).

Fault Tree Analysis A top down systematic analysis in which an undesired state of a system is analyzed using a deductive process to identify a series of lower-level immediate and basic causes.

Failure Modes and Effects Analysis A qualitative analysis that identifies and applies a severity to various failure modes of a system.

Findings As used in this document, defined as issues related to DO-254 compliance.


Formal hardware verification Verification activities performed after the following criteria are met:
Requirements complete and reviewed
Hardware is configured
Verification procedures complete and reviewed

Formal verification Verification accomplished for certification credit to demonstrate the implementation complies with the hardware requirements. This can be accomplished through a combination of methods, such as reviews, analyses, and tests. Verification failures and their impact on safety are documented. Once formal verification has been successfully completed, it will not be repeated unless regression analysis indicates the need for verification procedure modification and/or re-execution.

Full configuration control The work products that are part of a formal baseline and are therefore placed under the full discipline of Configuration Management as defined in the Configuration Management procedures. This includes all work products that will be released as Production hardware and formal documents.

Functional Hazard Assessment (FHA) This is a type of assessment, which considers significant functional failures of the system. This is done by knowing only the general architecture and the boundaries of authority of the system. For this assessment, it is not necessary to know the details of the system design.

Guideline Suggested practice, method, or procedure.

Hardware In this document, hardware is used to define the unit-level or assembly level equipment that contains the programmable components.

Hardware Accomplishment Summary The Hardware Accomplishment Summary fulfills the requirements specified in Section 10.9 Hardware Accomplishment Summary, of the Design Assurance Guidance for Airborne Electronic Hardware, RTCA/DO-254.

HDVP Hardware Development and Verification Plan - Describes the details of the hardware development processes and how each step is implemented and how the hardware verification of the hardware requirements will be met through analysis, inspection, and/or test.


Independence “Separation of responsibilities which ensures the accomplishment of objective evaluation. (1) For hardware verification process activities, independence is achieved when the verification activity is performed by a person(s) other than the developer of the item being verified, and a tool(s) may be used to achieve equivalence to the human verification activity. (2) For the hardware quality assurance process, independence also includes the authority to ensure corrective action.” (RTCA/DO-254, page 82)

Integral process Processes designated as “integral” are those that occur concurrently with Development Processes. This includes activities that support project management as well as those that ensure the correctness, control, and confidence of the hardware life cycle processes. These activities are not necessarily the responsibility of the FCS organization.

Intermixability The ability of a system to continue meeting all functional, safety, certification, and operational requirements, when the system consists of different software and hardware versions (new, existing, old and/or any combination of those); this applies for any and all system components, integrated or federated.

Legacy system A legacy system is one that has been certified and has a service record. Any part of the legacy system life cycle data is also considered part of the legacy system (e.g., System Requirements Specification (SRS), HRD, Drawing, Test, tracing data).

Life-cycle A well-defined progression through a series of distinct phases which will ensure consistent development of quality hardware. The hardware engineering life cycle consists of four phases: Planning, Development, Verification, and Maintenance.

Life-cycle phase Any period of time during the hardware development or operation that may be characterized by a primary type of activity being conducted. These phases may overlap one another; for Verification purposes, no phase is concluded until its development products are fully verified.

Low level requirements Low level requirements are any requirement that is designed or architecturally based that is an expansion or restriction of a hardware requirement and is traceable to that requirement.


PDH Previously Developed Hardware - Defined as AEH previously approved and/or certified as part of an aircraft certification. Includes hardware developed and approved which may or may not have used DO-254 as the means of compliance.

Product Development Quality Assurance (PDQA) Plan Defines the details of the process assurance integral process. This plan is also called the Quality Assurance Plan (QAP).

Platform A set of Hardware, Core Hardware functions, Basic Tools, and Services that support an Avionics application’s ability to perform a defined function.

PLD Programmable Logic Device – Early programmable logic devices such as Programmable Array Logic and Generic Array Logic devices developed in the 1970s. Commonly used today to describe programmable devices in a generic sense. Within this document, ASIC is not included as part of the definition.

Process Assurance Process assurance is to ensure that plans are followed, life cycle process objectives are met and activities have been completed.

Process owner A process owner is responsible for the activity. Does not indicate who actually does the work, although it could be the same.

Product Engineer Person assigned by Hardware Management to be responsible for all activities associated with a project or sub-section of a project. Each product in active production must have an assigned Product Engineer.

Production Release Configuration management system used for production documentation and publications. This CM system meets criteria of DO-254 HC1.

Project A particular development effort for a product developed for an airplane type.

Project archive (PA) The work products that are not placed under configuration management, but rather are stored in a project maintained archive. Such work products should be retrievable, but do not require any version control or change control.

Regression analysis A regression analysis identifies life cycle data (e.g., HRD, TEST, tracing) impacted by the changes analyzed.


Regression testing A group of selected tests to be used to assure that changed functionality performs as intended, no unintended behavior is introduced, and the change does not adversely affect existing functionality.

Release The act of formally making available and authorizing the use of a retrievable configuration item. Hardware releases are baselined and reproducible.

Requirement An identifiable element of a specification that is verifiable.

Reuse Reuse of previously developed elements, with or without planned modifications, in a new system.

Review This is a verification mechanism that involves an examination of part or all of data (documentation, hardware design, requirements, test cases, etc.) with the aim of finding ‘defects’ in that data. Also, a qualitative evaluation to assess the plans, requirements, design data, design concept, or design implementation to demonstrate to a high degree of confidence that the requirements have been or will be met.

Safety The state in which risk is lower than the boundary risk. The boundary risk is the upper limit of the acceptable risk. It is specific for a technical process or state. The risk is defined by the frequency (probability) of occurrence and the expected damage or injury (consequences). (Society of Automotive Engineers (SAE) ARP4754/EUROCAE ED-79).

Safety Analysis A general analysis, which considers the details of the system design and shows the system meets the required level of safety. A safety analysis may include a descriptive, argumentative review of the design; or more rigorous methods such as a Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA), or Functional Hazard Assessment (FHA).

Simple A hardware item is considered simple if a comprehensive combination of deterministic tests and analyses can ensure correct functional performance under all foreseeable operating conditions with no anomalous behavior.


Subcontractor An individual or organization external to Honeywell, Inc. that contracts with Honeywell, Inc. to design, develop, maintain, and/or manufacture one or more work products (elements) or to provide services, such as testing or independent validation and verification (IV&V). Subcontractors follow their own processes, procedures, or standards.

Test case A list of inputs and the outputs expected to be generated by the processing implied by the requirement as determined by analysis of the requirement for consistency, completeness, clarity, and testability.

Test procedure The step-by-step procedure needed to initialize test equipment, generate the inputs called for by a test case, the recording of the actual result, and comparison of the actual result to the predetermined expected result. The test case defines what needs to be tested; the test procedure defines how to run the test.

Traceability The ability to identify the association between hardware items or processes, such as a requirement and the source of the requirement or between a verification method and its base requirement.

Validation Validation is the process that provides assurance that the hardware derived requirements are complete and correct with respect to the system requirements allocated to hardware.

Verification Verification is the process that provides assurance, through inspection, test, or analysis that the hardware implementation meets all requirements (allocated from the system requirements and derived during development).

Verification credit Evidence in the form of inspection records, documented analyses and test results for certification. For re-used components that are not changed, verification credit is taken from a previous certification for the re-used components.

Work product In general, the data, files, documents, assemblies, components, etc., generated in the course of performing any process.


2 Changes To Baseline
This section is not applicable to C919 Flight Control System hardware.


3 System Overview
The C919 Flight Control System integrates fly-by-wire primary flight control, autoflight, and processing of inertial data and air data for use by other airplane systems. These functions are integrated into a set of airplane modules providing both high level computational based functionality and autonomous backup control. Additional system components provide sensors dedicated to FCS operation. The components that comprise the Flight Control System for the C919 aircraft are illustrated in Figure 3-1 – Flight Control System Components.

Element                    Qty/SS
Cabinet                    4
FCM                        3
ACE                        4
PCM                        4
Direct Mode Rate Sensor    4
Flight Mode Control Panel  1

[Figure 3-1 diagram: the FMCP and four FCE Cabinets (Cabinet 1 to Cabinet 4); each cabinet holds an ACE and a PCM, three of the cabinets also hold an FCM, and one Direct Mode Rate Sensor is shown per cabinet.]

Figure 3-1 – Flight Control System Components

3.1 System Functional Description


The following functions are provided by the Honeywell FCS.
• Primary Surface Control
o Provides primary control of the airplane either directly by the crew or by autoflight.
o Provides actuation commands for elevator, ailerons, rudder, multi-function spoilers, stabilizer trim, and ground spoilers in response to pilot control inputs (pitch and roll sticks, pedals and speed brake lever) and airplane sensors.


• Autoflight
o Provides automatic airplane control in response to pilot mode and target selection
o Airplane control is effected via the primary surface control function
• Stabilizer Control
o Stabilizer control offloads, and extends control range of, elevator by movement of horizontal
stabilizer surface
o Provides actuation commands to stabilizer actuation to effect up or down motion
• Input Processing
o Centralized Input/Output (I/O) Processing
o Provides Angle of Attack (AOA) analog processing
• Flight Deck Actuation Control
o Rudder Trim
• Critical Power for
o DMRS
o Remote Electronics Unit (REU) for Aileron, Elevator, Rudder, Spoilers
o Actuators: Rudder Trim
o Sensors (Air Data Module(ADM))
o ACE
o FCM
o GSCM SOV
o SSU Tact Indicator
o SSU AP Detent Solenoid
o PFTU AP Detent Solenoid
o ISI

3.1.1 Supporting Functions


ARINC 615A data loading of operational software for the FCM is available. No other programming of FCS elements, including PLDs and ASICs, occurs on the airplane.
Note: The FCM and ACE are programmed with rigging data for the airplane. The FCM coordinates the airplane identification and programming of the data into the ACE. The FCM also verifies that the rigging data loaded in the ACE is correct and matches the data in the FCM. The rigging data is stored in non-volatile memory and is added as an offset to the calculations performed for controlling the surface and has a very limited range of adjustment.
3.1.2 Primary Flight Control System Architectural Features
The Flight Control System incorporates a number of redundancy management features, primarily focused on integrity, which are deployed across multiple system elements. The principal features are:
• Standard interface between computing (FCM) and actuator interface (ACE) elements
• Command/Monitor (COM/MON) architecture for both FCM and ACE
• Architectural mitigation to limit failure effects of Complex Level A devices in the Normal Mode command path


These features provide a high measure of protection against the generation of erroneous outputs. Availability is achieved primarily by means of replication of components and provision of sufficient alternate data paths to maintain the required functionality in the presence of failures.
3.1.3 Primary Architectural Mitigation
The FCS comprises high integrity computing platforms, FCMs, and actuator interfacing elements, referred to as ACEs. FCMs communicate with the ACEs and among themselves via the Intermodule Data Bus (IMB).
The system configuration comprises 3 FCMs and a total of 4 ACEs housed in 4 separate independent FCE Cabinets. The high level architecture of the Flight Control System, including the interfaces to the FCE Cabinets, is illustrated in Figure 3-2 – FCE Cabinet Interfaces.
The ACE is separated into three partitions called Normal Mode Partition, Common Partition, and Direct Mode Partition. The partitioning is done to minimize the amount of logic supporting the reversionary mode and to provide a design boundary that isolates faults in the Normal Mode Partition from causing loss of Direct Mode and vice versa. The Common Partition hosts functions necessary to support both ACE modes.
FCMs generate commands for all surfaces. The FCMs operate in an Active-Standby-Standby manner where the FCMs decide which one is Active. The ACEs select the actuator commands from the Active FCM (either Normal Mode or Secondary Mode), the MES (Direct Mode), or default values if no valid mode exists. Each FCM processes all inputs with operation independent of installed position.
The FCM command interface and redundancy management at the ACE level is highly similar regardless of the particular surface being driven. FCE architectural features include the following:
• For higher level modes utilizing FCM generated commands, all FCMs provide data redundancy management
• COM/MON structure
• Fault effects partitioning between the FCM generated command processing path (e.g. primary Normal Mode) and the backup command path autonomous to the ACE (e.g. Direct Mode)
• Architectural mitigation applied to complex devices supporting critical functions, along with the ACE being fully testable and analyzable, provides protection against common mode failures
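The ACE command-source selection described in 3.1.3, as an added illustrative model written for this edit (not Honeywell code and not taken from this PHAC): the class and function names, the COM/MON agreement tolerance and the sample frames are assumptions, and the FCM Active election is reduced to an `active` flag carried in each FCM's frame.

```python
"""Hypothetical model of ACE actuator-command source selection (added example).

It captures three rules from the PHAC text: FCMs run Active-Standby-Standby and
only the Active FCM's commands are used; each command is produced by a COM/MON
lane pair and is trusted only when the lanes agree; the ACE falls back from the
FCM command to the MES Direct Mode command, and finally to a default value when
no valid mode exists. Tolerance, names and sample values are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Source(Enum):
    """Which command path the ACE is currently driving the actuator from."""
    NORMAL = "Normal/Secondary Mode command from the Active FCM"
    DIRECT = "Direct Mode command from the MES"
    DEFAULT = "Default value (no valid mode)"


@dataclass(frozen=True)
class LaneCommand:
    """One surface command as seen by the COM and MON lanes of a source."""
    com: float   # command lane value
    mon: float   # monitor lane value
    valid: bool  # source-level validity (e.g. data freshness / integrity check)


@dataclass(frozen=True)
class FcmFrame:
    """Command frame received over the IMB from one FCM (assumed layout)."""
    fcm_id: int
    active: bool         # this FCM currently claims the Active role
    command: LaneCommand


# Assumed COM/MON agreement threshold, in surface-command units.
COM_MON_TOLERANCE = 0.5


def lanes_agree(cmd: LaneCommand) -> bool:
    """COM/MON cross-check: usable only if the source marks the command valid
    and the two lanes agree within tolerance."""
    return cmd.valid and abs(cmd.com - cmd.mon) <= COM_MON_TOLERANCE


def select_command(fcm_frames: List[FcmFrame], mes_command: LaneCommand,
                   default: float = 0.0) -> Tuple[Source, float]:
    """Pick the actuator command source in priority order:
    Active FCM -> MES Direct Mode -> default value.

    The MES path is evaluated without reference to FCM health, which is the
    point of the fault-effects partitioning: a Normal Mode failure degrades to
    Direct Mode instead of propagating into the reversionary path.
    """
    # Active-Standby-Standby: exactly one FCM may be Active. Zero or more
    # than one claimant means the Normal Mode path has no trustworthy source.
    claimants = [f for f in fcm_frames if f.active]
    if len(claimants) == 1 and lanes_agree(claimants[0].command):
        return Source.NORMAL, claimants[0].command.com

    if lanes_agree(mes_command):
        return Source.DIRECT, mes_command.com

    return Source.DEFAULT, default


if __name__ == "__main__":
    # Constructed sample frames; values are illustrative only.
    healthy = [
        FcmFrame(1, True, LaneCommand(2.0, 2.1, True)),
        FcmFrame(2, False, LaneCommand(2.0, 2.0, True)),
        FcmFrame(3, False, LaneCommand(2.0, 2.0, True)),
    ]
    mes = LaneCommand(1.0, 1.0, True)
    print(select_command(healthy, mes))   # Normal Mode path, value 2.0

    # COM/MON disagreement in the Active FCM: the ACE reverts to Direct Mode.
    faulted = [FcmFrame(1, True, LaneCommand(2.0, 5.0, True))] + healthy[1:]
    print(select_command(faulted, mes))   # Direct Mode path, value 1.0

    # No FCM frames at all and an invalid MES command: default value.
    print(select_command([], LaneCommand(1.0, 1.0, False)))  # Default, 0.0
```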


[Figure 3-2 diagram: External Systems on the left (Pilot Controls: Side Stick Units, Rudder Brake Pedal System, Speed Brake Control Lever Unit, Trim Control Panel, Cockpit Switches; sensors and systems: ADS, ADM, IRS, RA, GLU, AOA, DMRS, HLS, EPS, LGS, FMCP; Other Systems: FADEC, FMS, OMS, BCS, IDS, HCS, LCS, MCE, ...) interfacing to the Flight Control Electronics (FCE Cabinet) in the center, which in turn drives the Actuation elements on the right (REU/PCU for Aileron, Elevator, Rudder and MFS, GSCM, HSTA).]

Legend: ADB; A664; A429; analog / discrete; DMRS Data Bus; FCE elec. power; aircraft elec. power; aircraft hyd. power

Rudder Brake Pedal System - Rudder Brake Pedal Units and Pedal Feel Trim Unit
Cockpit Switches - PFC Mode Sw., FCS Maintenance Sw.
Trim Control Panel - Stab Trim and Cutout Sw., Rudder Trim and Reset Sw.

Figure 3-2 – FCE Cabinet Interfaces

3.2 Flight Control System Components


The C919 FCS comprises a set of modular components with the control functionality being
centered around Flight Control Modules (FCMs) and Actuator Control Electronics (ACEs).
The FCS IMB network provides a straightforward high speed interface between the FCMs
and the ACEs, and between the FCMs.
Table 3-1 – C919 FCS Equipment Complement provides a list of all the components in the
C919 and indicates their pre-assigned part numbers, Design Assurance Level (DAL), whether
they contain PLDs or ASICs, and Means of Compliance.


Table 3-1 – C919 FCS Equipment Complement

Hardware Item | Part No. | Maximum HW Design Assurance Level (Note 1) | Contains PLDs/ASICs | Development Effort | Means of Compliance (PHAC) | Place of Design and Manufacture
FCM | 4091610-950 | A | Yes | Reuse Existing Product | EB62000855-001 | Designed and manufactured by Honeywell, Inc., Phoenix, AZ
ACE | 62000930-901 | A | Yes | New | EB62000855-001 | Designed and manufactured by Honeywell, Inc., Phoenix, AZ
PCM | 62000948-901 | A | Yes | New | PHAC4-980 PHAC4-980042 | Designed and manufactured by Crane Aerospace & Electronics, ELDEC Corporation, Lynnwood, Washington
FCE Cabinet | 62000945-901, 62000945-902 | A | No | New | EB62000855-001 | Interface Printed Board Assembly (PBA) designed by Honeywell, Inc., Phoenix, AZ, and manufactured by Abelconn, LLC, New Hope, MN; Mechanical Chassis Assembly designed and manufactured by FACRI, Xian, China; FCE Cabinet (Mechanical Chassis Assembly with Interface PBA) assembled and tested by FACRI, Xian, China
FMCP | 62000946-902 | C | Yes | New | C2659/PHAC | Designed and manufactured by FACRI, Xian, China
DMRS | HG2291AC01 | A | Yes | Reuse Existing Product | EB62000855-001 | Designed and manufactured by Honeywell, Inc., Coon Rapids, MN


Note 1: Typically, each hardware item performs multiple functions that may have different hardware design assurance levels.
This column notes the highest design assurance level for the hardware item as determined by the C919 Flight Control System
Preliminary System Safety Assessment [10].


3.2.1 Flight Control Module


The three FCMs are the processing platform for the FCS, hosting high level computational
functionality. Each of the three FCMs incorporates dual dissimilar processing. COM lane
processing is performed by a PowerPC self checking pair (lockstep). MON lane processing is
performed by a single thread Microprocessor without Interlocked Pipeline Stages (MIPS)
processor. Interfaces to ACEs and other FCMs are provided via the IMB.
3.2.2 Actuator Control Electronics
The four ACEs provide the interface to Primary Flight Control (PFC) surfaces (ailerons,
elevators, rudders, spoilers) and associated sensors. ACEs provide control in both
Normal/Secondary mode and provide autonomous backup control (Direct Mode) independent
of the FCMs. ACEs incorporate a COM/MON dual lane structure with each lane on a separate
circuit card powered by dedicated power conversion circuitry. In addition to interfaces with
primary FC surfaces, ACEs provide the interface to secondary FC surface actuation (for
stabilizer and ground spoilers) and flight deck actuation, and associated sensors. REU power
switching for the REUs associated with the local ACE is controlled by ACE generated
discrete signals to the PCM. The ACEs communicate with the REUs via the Actuation Data
Bus (ADB).
3.2.3 Direct Mode Rate Sensor
The four Direct Mode Rate Sensors (DMRS) are three-axis rate sensors based on
Honeywell’s highly reliable solid-state sensor technology. For Direct Mode operation, these
dedicated sensors provide pitch, roll and yaw rate measurements. The DMRSs broadcast
data over the ADB directly to the ACEs. There is a dedicated DMRS for each of the four FCE
Cabinets on the aircraft.
3.2.4 Power Conditioning Module
The four Power Conditioning Modules (PCM) receive aircraft supplied AC and DC electrical
power. The PCMs convert and filter the aircraft power to provide conditioned 28 and ±13.5
volt DC power for use by various FCE and FCS Line Replaceable Units (LRUs). Each PCM
provides power to the ACE and the FCM in the same FCE cabinet in which it resides. The PCM also
provides power to external equipment (REU/FCS Sensor/Actuator) controlled by the ACE in
the same cabinet. Each PCM contains a thermal circuit breaker (TCB) for the cabinet’s ACE
and FCM and fifteen electronically commanded solid state relays/electronic circuit breakers.
One manual switch and two TCBs are physically located on the PCM front panel. The fifteen
solid state relays/electronic circuit breakers are located internally in each PCM module.
3.2.5 Flight Mode Control Panel
The single Flight Mode Control Panel consists of two lanes with independent power supplies.
The FMCP provides the means to engage the autopilot and the flight director modes.
Additionally, the FMCP provides the means for manual speed selection, manual
heading/track selection, manual altitude selection, and vertical speed/Flight Path Angle
selection. The FMCP will accept pilot input via pushbuttons and thumbwheels. Under
nominal conditions each FMCP lane will receive the input commands and output this data to the
ACEs, which make the data available to each FCM. The FCMs transmit information to the
FMCP via A429. Each lane in the FMCP can receive A429 data independent of the other
lane’s status.


3.2.6 Cabinets
FCMs, ACEs, and PCMs are installed in four cabinets which provide mounting and backplane
interconnect. Each cabinet has one ACE and one PCM. There are three FCMs distributed
amongst the four cabinets. Two cabinets will be located in the C919 Forward Electronic and
Equipment Bay and the other two will be located in the Central Electronic and Equipment
Bay.

3.3 Allocation of System Functions


The information contained in this section is based upon a high -level system design and is
supported by the system requirements.
3.3.1 Functions Allocated To Hardware
Table 3-1 – C919 FCS Equipment Complement summarizes the current list of planned
hardware line replaceable modules (LRM) or units (LRU) comprising the C919 Flight Control
System. Details for system allocations to hardware are contained in section 4.
3.3.2 Functions Allocated To Software
In this section, a summary of the functions allocated to software for the FCM, ACE, and DMRS
is provided as an overview. Safety considerations of these functions are discussed in the
software plans.
3.3.2.1 FCM Functional Allocation
The FCM is the primary software computing platform in the FCS and provides the high-level
computational functions for operational modes and surface commands in the airplane.
Functions allocated to the FCM software include:
• Primary Flight Controls Functions
o Primary Control of Elevator, Aileron, Spoiler, and Rudder
o Rudder Trim
o Stabilizer Trim
o Handling Enhancements
o Actuator Monitoring
o Oscillatory Fault Monitoring
o Envelope Protection
o Ride Quality
o Ground Lift Dump (GLD)
• Autoflight
o Cruise Mode Logic
o Autoland
o Take Off/Go Around
o Windshear Guidance
o Autothrottle
o Flight Director commands
• Air Data Reference Functions
o Computation of Air Data Parameters


o Redundancy Management of Air Data Input Parameters
o Control Anti-Ice Heat to Pitot Probes, AOA Sensors, and Total Air Temperature
(TAT) Probe
• Maintenance
o Fault detection, isolation and system status reporting maintenance functions
• Field-Loadable Software
o Supports loading software only, no hardware PLDs or ASICs are programmed via
this function
o Onboard loading method is ARINC 615A
3.3.2.2 ACE Functional Allocation
There is no software in the ACE.

3.3.2.3 DMRS Functional Allocation


There is no software in the DMRS.

3.3.2.4 PCM Functional Allocation


There is no software in the PCM.

3.3.2.5 FMCP Functional Allocation


There is no software in the FMCP.


4 Hardware Overview
The following sections provide additional description for each of the major assemblies. The
items described below do not use any new technology.

4.1 Flight Control Module (FCM)


The FCM consists of three cards: one PBA for the COM Processor, one PBA for the MON Processor
and one PBA for a client card where the I/O is located. The COM lane contains a pair of IBM
750GL PowerPC® processors and the MON lane contains a MIPS RM7965A processor.
4.1.1 COM Processor PBA
The COM Processor PBA is a self-checking pair processor design based on the IBM 750GL
PowerPC® processors. A pair of identical custom bridge support ASICs provides the self-
checking coverage on all I/O transactions, enhanced Error Detection-Correction (EDC)
memory support using triple modular redundancy (reference Section 4.1.4.2), and general
processor interface logic. The PowerPC® design utilizes a derated clock frequency of 667
MHz internally to manage thermal characteristics and reliability while providing the required
throughput margin.
Figure 4-1 – FCM Command Processor PBA High Level Block Diagram is a block diagram of
the COM Processor PBA.


[Figure 4-1 diagram: FCM Command Processor PBA with an X-lane and a Y-lane, each containing a PowerPC 750GL, a POLARIS Support ASIC (bus compare, SuperTrace, COP, CRC generation, GPC, DDR SDRAM controller, TMR logic, 10BaseT MAC, reset control, heartbeat monitor, clock monitor, RTC, sync generator), a 266 MHz DDR SDRAM array (TMR, 128 MBytes), BOOT/PGM Flash (64 MBytes), BITE Flash (32 MBytes), IPF generation and point-of-load power supplies fed from conditioned +28 VDC; 66 MHz, 32 bit data CPBus X-lane and Y-lane to the Client Card PBA stack connector; 1149.1 (JTAG) and COP interfaces, LOCKSTEP_X/LOCKSTEP_Y, SYNCs and two 10BaseT Ethernets. Revision Date: 08/20/2005]

Figure 4-1 – FCM Command Processor PBA High Level Block Diagram


4.1.2 MON Processor PBA


The MON Processor PBA is a single thread processor design based on the PMC-Sierra MIPS
RM7965A processor. A custom bridge support ASIC (POLARIS ASIC) provides the enhanced
Error Detection-Correction (EDC) memory support using triple modular redundancy
(reference Section 4.1.4.2) and general processor interface logic. The MIPS design utilizes a
derated clock frequency of 733 MHz internally to manage thermal characteristics and
reliability. Power monitoring is provided with an indication of Impending Power Failure to
software to complete writing data to Non Volatile Memory. Reset logic provides a coordinated
initialization of hardware resources at power up and a software controlled reset. A high level
block diagram for the FCM Monitor Processor PBA is provided in Figure 4-2 - FCM Monitor
Processor PBA High Level Block Diagram.

[Figure 4-2 diagram: FCM Monitor Processor PBA with a PMC Sierra RM7965A processor, a POLARIS Support ASIC (SuperTrace, GPC, RTC, 10BaseT MAC, reset control, clock oscillator, heartbeat monitor, distribution), a 266 MHz DDR SDRAM array (TMR, 128 MBytes), a BOOT/PGM Flash array (64 MBytes), an NVM Flash array (32 MBytes), +3.3 VDC and +5/±15 VDC power supplies with IPF monitoring and point-of-load power supplies fed from conditioned +28 VDC (PWR_FAULT), a 32 bit data CPBus to the I/O Card PBA stack connector, 10BaseT Ethernet, a 1149.1 (JTAG and COP) interface, and Test_Env and Ext_Rst signals.]
Figure 4-2 - FCM Monitor Processor PBA High Level Block Diagram


4.1.3 Client I/O PBA


All FCMs perform the complete suite of FCM functionality, including computation of
commands for all actuators. A common Client Card contains the necessary I/O to
accommodate this requirement.
The Client Card contains the FCM I/O interfaces, which include the FCS Intermodule Databus
Transmitter/Receiver (Tx/Rx), the ARINC 664 End System, the ARINC 429 Tx, and Discrete
I/O interfaces. In addition, the Client Card routes the FCM power inputs from the ARINC 600
style connector to the processor PBAs.
A high level block diagram for the FCM I/O PBA is provided in Figure 4-3 – FCM I/O PBA
High Level Block Diagram.
[Figure 4-3 diagram: FCM I/O PBA (IO Client) with Command and Monitor IO hardware halves, each containing an IOC ASIC (CPbus control, PCI-Host bridge, A429 control, DPRAMs, SRAM/registers), GTLP transceivers on the X and Y CPBus to the Command and Monitor processor hardware (with Sync), an A429 MAC/Disc interface, IMB control with Tx (x1) and Rx (x4) plus Rx disable and Tx disable, IMB interface circuits, buffers and look-up Flash, a PCI interface to the ARINC 664 Tx & Rx interface, and a local power supply interface fed from COM power and MON power; external connections are cabinet ethernet, ARINC 664 ports A and B, IMB Tx and Rx ports, discrete ins and outs, and A429 out.]
Figure 4-3 – FCM I/O PBA High Level Block Diagram


4.1.4 Specific Module Safety Considerations


The C919 FCM employs a self-checking processor pair design for the COM lane and a
dissimilar processor for the MON lane. The self-checking processor pair design for the COM
lane provides quick detection and containment for a variety of faults in the COM lane.
The COM and MON lanes perform the same critical functions, and the resulting command data is
cross-compared between processor types (COM and MON). FCS Intermodule Databus
commands generated by the COM lane must be authenticated by the MON lane. Encrypted
wrap back of commands to the ACEs is verified by the FCMs.
4.1.4.1 COM/MON processor pair
The FCM utilizes a COM/MON processor pair with the COM processor providing very high
integrity command generation and the MON processor providing a secondary dissimilar
monitor. Satisfaction of the cross processor comparison monitors is a necessary condition for
generation of a valid encoded heartbeat (EHB) and Cyclic Redundancy Check (CRC)
(including the EHB in its coverage) which is appended to the output data packet. Both
processors also monitor the encrypted command wrapback from the ACEs; failure of this
monitor results in an invalid CRC and/or EHB. A second EHB (EHB B) is generated by the COM
processor to leverage the high integrity capability of the self-checking pair for monitoring of
elements external to the COM processor itself, e.g., the communication path.
The COM processor generates the frame synchronization that is used as the basis of timeline
generation for the MON processor. This timeline is generated through the ASIC and is
monitored by software in each processor.
4.1.4.2 RAM EDC
Multiple copies of each data bit are employed to ensure data integrity. Additionally, both
COM and MON lanes employ background scrubs to prevent propagation of single-bit errors.
This provides a transparent fault correction and recovery mechanism at the processor level
for the vast majority of Single Event Upset (SEU) faults, and superior performance and
protection against single and multiple-bit upsets.
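The triple modular redundancy and background scrub described in Section 4.1.4.2, as an added toy model in C that is not the POLARIS ASIC's implementation: three copies of each word, a bit-wise majority vote on read, and a scrub pass that rewrites any copy that disagrees with the vote. The closing scenario shows why the scrub matters once a second upset lands on the same bit of another copy; the array size and the stored values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TMR_WORDS 8   /* constructed size; a real array is far larger */

/* Three copies of every word plus a scrub statistic. */
typedef struct {
    uint32_t copy[3][TMR_WORDS];
    unsigned words_repaired;   /* words where a scrub rewrote at least one copy */
} TmrArray;

void tmr_init(TmrArray *m) { memset(m, 0, sizeof *m); }

void tmr_write(TmrArray *m, size_t addr, uint32_t v) {
    for (int k = 0; k < 3; k++) m->copy[k][addr] = v;
}

/* Bit-wise majority vote: each bit is taken from the two copies that agree,
   so one upset per bit position is masked on read. */
static uint32_t vote3(uint32_t a, uint32_t b, uint32_t c) {
    return (a & b) | (a & c) | (b & c);
}

uint32_t tmr_read(const TmrArray *m, size_t addr) {
    return vote3(m->copy[0][addr], m->copy[1][addr], m->copy[2][addr]);
}

/* Test hook modelling an SEU: flip the bits in mask in one copy only. */
void tmr_inject_upset(TmrArray *m, int copy, size_t addr, uint32_t mask) {
    m->copy[copy][addr] ^= mask;
}

/* Background scrub: rewrite every copy that disagrees with the voted value.
   Without it a latent error sits in one copy until a second upset hits the
   same bit of another copy, at which point the majority itself is wrong.
   Returns the number of words repaired in this pass. */
unsigned tmr_scrub(TmrArray *m) {
    unsigned repaired = 0;
    for (size_t a = 0; a < TMR_WORDS; a++) {
        uint32_t v = tmr_read(m, a);
        int dirty = 0;
        for (int k = 0; k < 3; k++) {
            if (m->copy[k][a] != v) { m->copy[k][a] = v; dirty = 1; }
        }
        repaired += (unsigned)dirty;
    }
    m->words_repaired += repaired;
    return repaired;
}

/* Scenario: the same bit is hit in two different copies. With a scrub between
   the hits the read stays correct; without it the vote is outvoted.
   Returns 1 if the final read was still correct, 0 otherwise. */
int tmr_demo(int scrub_between_hits) {
    TmrArray m;
    tmr_init(&m);
    tmr_write(&m, 3, 0xDEADBEEFu);          /* constructed value */
    tmr_inject_upset(&m, 1, 3, 1u << 5);    /* first SEU, copy 1 */
    if (scrub_between_hits) tmr_scrub(&m);  /* clears the latent error */
    tmr_inject_upset(&m, 2, 3, 1u << 5);    /* second SEU, same bit, copy 2 */
    return tmr_read(&m, 3) == 0xDEADBEEFu;
}

int main(void) {
    printf("with scrub between hits:    read %s\n", tmr_demo(1) ? "correct" : "corrupted");
    printf("without scrub between hits: read %s\n", tmr_demo(0) ? "correct" : "corrupted");
    return 0;
}
```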
4.1.4.3 Dedicated ARINC 429 & Discrete I/O
Each COM and MON lane has its own dedicated ARINC 429 and Discrete I/O and is powered
by that lane’s power supply. Control logic in the I/O Controller ASIC is used to interface the
ARINC 429 transmitters/receivers and the Discrete I/O to the dedicated DPRAMs for the
COM and MON lanes.
4.1.4.4 Intermodule Databus Protection
The C919 FCM provides the capability to disable its Intermodule Databus transmitters via an
independent disable. The output is monitored and can be disabled if the outputs are
incorrect. This protects the rest of the system from any potential effects due to bad data or a
babbling bus. The FCM also provides the ability to disable each of its receivers individually.
This allows the FCM to disable a receiver if errors on this interface are detected. This
provides protection for the FCM from any potential effects due to a babbling bus.

4.1.4.5 Separation
COM and MON processors are constructed on separate PBAs. The entire I/O interface is
located on a single client card interfacing to the MON and COM processor CPBus interfaces.
Separate power is generated for the COM and MON circuitry on the processor and the I/O
cards.


Interfaces between the COM and MON circuitry include power boundary isolation (resistive,
open collector, etc.) between the lanes.
4.1.5 Summary of FCM ASIC and PLD Usage
Table 4-1 – C919 FCM Summary of ASIC/PLD Usage lists the summary of the various ASICs
and PLDs that are planned for the C919 FCM.
Table 4-1 – C919 FCM Summary of ASIC/PLD Usage

PBA | COM & MON Processor (4091614-1050 and 4091615-1050) | I/O (4091617-1051) | I/O (4091617-1051)
Partition/Function | POLARIS/Processor Control Logic PN 4093471-400 | I/O Controller PN 4093490-400 | AFDX Interface PN 4093436-400
Type | ASIC | ASIC | ASIC
Device Supplier | Altera Corp. | Altera Corp. | Rockwell Collins, Inc.
Supplier PN | HC1S60F1020CB | HC1S60F1020CA | 351-6382-020
ASIC Technology | 0.13 µm all-layer-copper metal | 0.13 µm all-layer-copper metal | 0.18 µm CMOS, standard cell
ASIC Pkg | 1020 pin ball grid array | 1020 pin ball grid array | 560 pin ball grid array
Status | Reuse | Reuse | Reuse
Previously Certified | Yes | Yes | Yes
Qty/LRM | 3 | 2 | 1

In the COM and MON processor PBAs, the POLARIS ASIC provides:
• Robust, high performance SDRAM memory interface including management of
single and multi-bit SEU errors.
• Processor interface to all memory and I/O.
• Dual bit for bit compared interfaces to the simple memory mapped Client bus
(CPbus). CPbus is denoted as X lane and Y lane.
• Hardware Fly By CRC generation with eventual signatures bit for bit compared.
• General Purpose Counters.
• Real Time Clock.
• Heartbeat Monitor.
• Power Status and Monitor Scrub control.
• COM and MON synchronization logic.
• Software Development Interface for enhanced processor trace.
• 10BaseT Ethernet Interface for test equipment and software development support.
The Input/Output Controller (IOC) ASIC provides:
• CP Bus interface that manages processor access to DPRAMs and register data.
• Intermodule Databus interface containing 4 receivers and 1 transmitter


• ARINC 664 control, a bridge from the Peripheral Component Interconnect (PCI)
bus interface to the ARINC 664 chipset.
• ARINC 429 receivers for FCM wrap back testing only and ARINC 429 transmitters
The AFDX ASIC provides an ARINC 664 End System Node, which provides:
• User Datagram Protocol (UDP) processing
• Management Information Base (MIB) and Remote Monitoring (RMON) data
collection
• Redundancy Management
• Integrity Checking
• Source/Destination Verification
• Transmit Scheduling
• Error Detection and Correction (EDC)
• Virtual link partitioning
• Media Access Control (MAC) CRC Check On Incoming Packets.

4.2 Actuator Control Electronics Module


The ACE module physically consists of four cards, two PBAs for COM Lane circuitry and two
PBAs for MON Lane circuitry.
A high level block diagram of the ACE module is shown in Figure 4-4 – ACE High Level Block
Diagram, and consists of core and application specific interface sections. The ACE is divided
into Command (COM) and Monitor (MON) Lanes. The COM and MON Lanes in the core
section are further divided into Normal Mode, Direct Mode and Common Partitions. For
simplicity, the COM Lane of the Normal Mode Partition will be referred to as COM Normal.
Similar terminology will be applied to the other lanes/partitions. The ACE communicates with
the FCMs through unidirectional 5 Megabits Per Second Manchester II encoded Intermodule
Databus (IMB) interfaces to the ACE Input/Output Controller in the Normal Mode Partition.
Actuator commands are sent to the actuator’s REUs via the bi-directional 400 Kilobits Per
Second Manchester II encoded Actuation Databus (ADB). Response data from the actuators
is received by the ACE via the ADB. Application specific I/O circuitry interfaces the Common
Partition circuitry with the ACE external interface signals. Secondary power is separately
generated and supplied to the COM and MON Lanes.


[Figure 4-4 diagram (C919 ACE PLD Data Flow): COM and MON lanes, each with a Normal Mode PLD, a Direct Mode PLD with EEPROM and Flash, a Common Partition PLD and a Common Partition I/O PLD, linked through DPRAMs; the ACE I/O Controller PLD with Intermodule Bus Interface TX (x5) and RX (x4) isolation on the COM side and a MON Normal Mode Receiver PLD and MON Common Partition Receiver PLD on the MON side; RS-485 TX/RX for the Actuation Data Buses (ADB) to/from REUs/MCEs (x8), RS-485 RX for the DMRS input, ARINC-429 RX, serial I/O to the PCM (maintenance/configuration), discrete I/O, COM I/O (VDT/Resolver inputs, discrete outputs, TAT inputs, excitation wrap input), MON I/O (VDT inputs, discrete outputs), sensor excitation and excitation conditioning.]

Figure 4-4 – ACE High Level Block Diagram


The ACE receives command packets from each of the three FCMs for Normal Mode and BIT
functions. The ACE selects a Normal Mode command from the active FCM. The ACE also
generates a Direct Mode Command autonomously in the Direct Mode Partition. The selection
of whether the Normal Mode command or the Direct Mode command will be transmitted to the
actuator is done in the Common Partition. This selection depends on mode logic and
validation signals generated in the Normal Mode Partition for the Normal Mode command,
on the direct mode validity based on the COM/MON comparison generated in the Direct Mode
Partition, and on the Primary Flight Control (PFC) Mode switch.
The ACE samples analog and discrete data from pilot controls and other sensors independently in
both the COM and MON lanes. It sends this input data to the FCMs via the Intermodule
Databus and to the Direct Mode Partition. The ACE monitors the status of the PCM and
reports it to the FCM when requested.
A summary of other key ACE functions is as follows:
• Return of encrypted wrap packets to FCMs
• Control of REU power based on engage logic
• CRC generation on packets returned to FCMs
• Mitigation of failures between FCM and ACE
o Command packet CRC monitoring
o Encoded Heartbeat validation
o Frame Count Monitoring
o Source/Destination Identification validation
o Encrypted Wrap
o REU Monitoring
• Direct mode validity based on COM/MON comparison
o Used in command selection
o Returned to FCM in Normal Mode
4.2.1 COM Lane PBAs
The COM Lane circuitry is located on two PBAs, Command Core (COM Core) PBA and
Command Auxiliary (COM Aux) PBA. The circuitry for the three partitions is distributed
amongst the COM lane PBAs. The interface between the COM and MON lanes is
implemented through dual-port RAMs with additional electrical isolation.
The major blocks of the COM Normal Mode Partition consist of the ACE I/O Controller PLD
and interface circuitry, the COM Normal PLD and associated dual-port RAMs.
The major blocks of the COM Direct Mode Partition consist of the COM Direct Mode PLD and
associated EEPROM, Flash memory and dual-port RAMs. The Math Engine Sequence (MES)
component is physically stored in the Flash.
The major blocks of the COM Common Partition consist of the COM Common Partition PLD,
COM Common Partition I/O PLD, I/O circuitry (FCS Actuation Databus, ARINC 429, Analog
Inputs and discretes) and associated dual-port RAMs.


4.2.2 MON Lane PBAs


The MON Lane circuitry is located on two PBAs, the Monitor Core (MON Core) PBA and the Monitor
Auxiliary (MON Aux) PBA. The circuitry for the three partitions is distributed amongst the
MON lane PBAs.
The major blocks of the MON Normal Mode Partition consist of the MON Normal PLD and
associated dual-port RAMs.
The major blocks of the MON Direct Mode Partition consist of the MON Direct Mode PLD and
associated EEPROM, Flash memory and dual-port RAM. The Math Engine Sequence (MES)
component is physically stored in the Flash.
The major blocks of the MON Common Partition consist of the MON Common Partition PLD,
MON Common Partition Receiver PLD, MON Common Partition I/O PLD, and I/O circuitry (FCS
Actuation Databus, Analog Inputs and discretes).
4.2.3 Specific Module Safety Considerations
4.2.3.1 COM/MON Design
The ACE utilizes a dual-lane COM/MON design with the COM lane generating the command
and the MON lane, having independent shutdown capability, performing monitoring functions.
In order to preclude common mode failure due to coupling between the two lanes, the COM
and MON lanes are separated and electrically isolated, with each lane powered via
independent power conversion circuitry.
4.2.3.2 Fault Effects Partitioning
The ACE hardware design is partitioned into three separate partitions defined as fault
containment zones. Data is passed between partitions using Dual Port RAMs. These
DPRAMs isolate the data paths between partitions.
The Normal Mode Partition is restricted to containing only normal mode command processing
functions that are architecturally mitigated. The Normal Mode Partition has no direct signal
interface with the Direct Mode Partition. Faults in the command path specific to Normal Mode
must not propagate to the Direct Mode path.
The Direct Mode Partition is restricted to containing only primary flight Direct Mode functions. The
Direct Mode Partition has no direct signal interface with the Normal Mode Partition. Faults in
the path specific to Direct Mode also must not propagate to the Normal Mode path. This
precludes the possibility of a single Direct Mode fault both corrupting Direct Mode and
causing loss of Normal Mode. Otherwise, although the Direct Mode fault would be detectable
through COM/MON comparison, the end result would be a transition from valid Normal Mode
operation to actuator disengagement.
The Common Partition contains functions that are shared between Normal Mode and Direct
Mode. Circuitry common to both paths performs such functions as command switching,
actuator interface, pilot control interface, and wrap monitoring logic. The Common Partition
also contains Normal Mode functions that are not architecturally mitigated, such as FCM
Command Selection. Fault effects must not propagate from the Normal Mode path through
the common path, or from the Direct Mode path through the common path.


4.2.3.3 Architectural Mitigation Techniques


Several architectural mitigation measures are applied to handle failures between the FCM
and ACE: CRC protected command packets, Encoded Heartbeat, Frame Count Monitoring,
Source/Destination Identification, Encrypted Wrap, and actuator Monitoring. These measures
also provide coverage for random failures of elements common to the COM and MON lanes in
the data communications path.
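The FCM-to-ACE mitigation measures named here and in Section 4.1.4.1 (CRC protected packets, encoded heartbeat tied to the COM/MON comparison, frame count monitoring and source/destination identification) can be modelled as a receive-side check. The C program below is an added illustration and not Honeywell's design or code: the packet layout, the CRC-16/CCITT polynomial, the heartbeat encoding and the order of the checks are assumptions, and Encrypted Wrap and REU monitoring are not modelled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CMD_WORDS 4

/* Assumed packet layout for illustration (the PHAC gives none). */
typedef struct {
    uint8_t  src_id;          /* sending FCM, 1..3 */
    uint8_t  dst_id;          /* receiving ACE, 1..4 */
    uint16_t frame_count;     /* advances by one every frame */
    uint16_t ehb;             /* encoded heartbeat */
    int16_t  cmd[CMD_WORDS];  /* surface commands (constructed values) */
    uint16_t crc;             /* CRC over all preceding fields, EHB included */
} CmdPacket;

typedef enum { PKT_OK, PKT_BAD_CRC, PKT_BAD_ID, PKT_BAD_FRAME, PKT_BAD_EHB } PktStatus;

/* Receiver state for one FCM-to-ACE link. */
typedef struct {
    uint8_t  my_id;         /* this ACE's identifier */
    uint8_t  expected_src;  /* the FCM this link is wired from */
    bool     have_last;
    uint16_t last_frame;
} LinkMonitor;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); an assumed choice. */
uint16_t crc16_ccitt(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(d[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Assumed heartbeat encoding: a frame-dependent pattern, so a sender whose
   timeline has stalled cannot keep emitting a heartbeat that still validates. */
uint16_t encode_heartbeat(uint16_t frame_count) {
    return (uint16_t)(~(frame_count * 0x9E37u) ^ 0x5A5Au);
}

/* Sender side: the EHB is generated only when the COM/MON cross-comparison
   passed; otherwise the field stays zero and the packet will be rejected. */
CmdPacket build_packet(uint8_t src, uint8_t dst, uint16_t frame,
                       const int16_t cmd[CMD_WORDS], bool com_mon_agree) {
    CmdPacket p;
    memset(&p, 0, sizeof p);
    p.src_id = src;
    p.dst_id = dst;
    p.frame_count = frame;
    p.ehb = com_mon_agree ? encode_heartbeat(frame) : 0;
    memcpy(p.cmd, cmd, sizeof p.cmd);
    p.crc = crc16_ccitt((const uint8_t *)&p, offsetof(CmdPacket, crc));
    return p;
}

/* Receiver side: a packet failing any check is discarded and does not
   advance the frame counter, so a later valid packet is still accepted. */
PktStatus check_packet(LinkMonitor *lm, const CmdPacket *p) {
    if (crc16_ccitt((const uint8_t *)p, offsetof(CmdPacket, crc)) != p->crc)
        return PKT_BAD_CRC;
    if (p->src_id != lm->expected_src || p->dst_id != lm->my_id)
        return PKT_BAD_ID;
    if (lm->have_last && p->frame_count != (uint16_t)(lm->last_frame + 1))
        return PKT_BAD_FRAME;   /* stale, repeated or skipped frame */
    if (p->ehb != encode_heartbeat(p->frame_count))
        return PKT_BAD_EHB;     /* COM/MON disagreement at the sender */
    lm->last_frame = p->frame_count;
    lm->have_last = true;
    return PKT_OK;
}

int main(void) {
    const int16_t cmd[CMD_WORDS] = { 120, -45, 0, 310 };   /* constructed */
    LinkMonitor lm = { 2, 1, false, 0 };                   /* ACE 2 fed by FCM 1 */
    CmdPacket p = build_packet(1, 2, 10, cmd, true);
    printf("frame 10:           status %d\n", check_packet(&lm, &p));
    p = build_packet(1, 2, 11, cmd, true);
    printf("frame 11:           status %d\n", check_packet(&lm, &p));
    printf("frame 11 replayed:  status %d\n", check_packet(&lm, &p));
    p = build_packet(1, 2, 12, cmd, false);
    printf("frame 12, no agree: status %d\n", check_packet(&lm, &p));
    return 0;
}
```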
4.2.4 Summary of ACE PLD and Math Engine Sequence Component Usage
Table 4-2 - C919 ACE Summary of PLD/MES Usage lists the summary of the PLDs and the
Math Engine Sequence component that are planned for the C919 ACE. See Section 7
Hardware Design Life Cycle Data for a list of life cycle data associated with each device.
Table 4-2 - C919 ACE Summary of PLD/MES Usage

PBA | Partition/Function | Device Type | Supplier | Supplier PN | PLD Type | PLD Pkg | Status | Previously Certified | Qty/LRU
COM Core (Note 1) | Normal Mode / ACE I/O Controller PLD, HCI PN 62000935-101 | PLD | Microsemi SOC Products Group | APA300-PQ208I | ProASICPlus, 300K Gates | PQFP50P-208 | New (blank device) | No | 1
COM Core (Note 1) | Normal Mode / COM Normal PLD, HCI PN 62000936-101 | PLD | Microsemi SOC Products Group | APA150-PQ208I | ProASICPlus, 150K Gates | PQFP50P-208 | New (blank device) | No | 1
MON Core (Note 2) | Normal Mode / MON Normal PLD, HCI PN 62000937-101 | PLD | Microsemi SOC Products Group | APA150-PQ208I | ProASICPlus, 150K Gates | PQFP50P-208 | New (blank device) | No | 1
COM Core (Note 1) | Direct Mode / COM Direct PLD, HCI PN 62000938-101 | PLD | Microsemi SOC Products Group | APA450-PQ208I | ProASICPlus, 450K Gates | PQFP50P-208 | New (blank device) | No | 1
MON Core (Note 2) | Direct Mode / MON Direct PLD, HCI PN 62000939-101 | PLD | Microsemi SOC Products Group | APA450-PQ208I | ProASICPlus, 450K Gates | PQFP50P-208 | New (blank device) | No | 1
COM Core (Note 1) | Common / COM Common Partition PLD, HCI PN 62000941-101 | PLD | Microsemi SOC Products Group | APA600-BG456I | ProASICPlus, 600K Gates | BGA127P-456 | New (blank device) | No | 1
COM Aux (Note 3), MON Aux (Note 4) | Common / Common Partition I/O PLD, HCI PN 62000940-101 | PLD | Microsemi SOC Products Group | APA150-PQ208I | ProASICPlus, 150K Gates | PQFP50P-208 | New (blank device) | No | 2
MON Core (Note 2) | Common / MON Common Partition PLD, HCI PN 62000942-101 | PLD | Microsemi SOC Products Group | APA450-PQ208I | ProASICPlus, 450K Gates | PQFP50P-208 | New (blank device) | No | 1
MON Core (Note 2) | Common / MON Common Partition Receiver PLD, HCI PN 62000943-101 | PLD | Microsemi SOC Products Group | APA600-PQ208I | ProASICPlus, 600K Gates | PQFP50P-208 | New (blank device) | No | 1
COM Core (Note 1) | Direct Mode / Math Engine Sequence, PN PS62001458-101 | MES loaded into Flash | N/A | N/A | N/A | N/A | New | No | 1
MON Core (Note 2) | Direct Mode / Math Engine Sequence, PN PS62001458-101 | MES loaded into Flash | N/A | N/A | N/A | N/A | New | No | 1

Note 1: COM Core PBA PN: 62000931-1xxx, where xxx indicates all variations of the base
assembly.
Note 2: MON Core PBA PN: 62000933-1xxx, where xxx indicates all variations of the base
assembly.
Note 3: COM Aux PBA PN: 62000932-1xxx, where xxx indicates all variations of the base
assembly.
Note 4: MON Aux PBA PN: 62000934-1xxx, where xxx indicates all variations of the base
assembly.
The ACE Input/Output Controller (IOC) PLD provides the Intermodule Databus interfaces for
the ACE. It provides 3 receivers and 1 transmitter. Messages are received from the FCM for
Normal and Secondary mode command processing, Direct mode control and BIT functions.
Messages are sent to the FCM containing analog and digital inputs, command monitoring and
power monitoring functions.
The COM Normal PLD and MON Normal PLD provide data packet validation for Normal and
Secondary mode command packets. The data packet is checked for freshness, identity,
correct CRC, and valid encoded heartbeat. The MON Normal PLD generates the encrypted
wrap packet that is returned to the FCM to provide additional integrity assurance.
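The packet checks named above for the Normal PLDs (CRC, source/destination identity, frame-count freshness, encoded heartbeat) together with the wrap packet returned to the FCM, as an added Python illustration. It is not Honeywell's design and not the C919 IMB packet format: the field layout, the CRC polynomial, the heartbeat code table, the allowed frame-skip window and the keyed wrap tag are all assumptions constructed for the example, and the sample packets are built inline.

```python
"""Normal Mode command-packet validation on the ACE side: CRC, source/
destination identity, frame-count freshness, encoded heartbeat, plus the
wrap packet returned to the commanding FCM. Added illustration; the packet
layout, CRC polynomial, heartbeat encoding, skip window and the keyed wrap
are constructed assumptions, not the C919 IMB format."""
import hashlib
import hmac
import struct

# Assumed packet layout (big-endian):
#   src_id u8 | dst_id u8 | frame u16 | heartbeat u8 | 4 x i16 payload | crc16
HEADER_FMT = ">BBHB"
PAYLOAD_FMT = ">4h"
CRC_FMT = ">H"
HEADER_LEN = struct.calcsize(HEADER_FMT)
PACKET_LEN = HEADER_LEN + struct.calcsize(PAYLOAD_FMT) + struct.calcsize(CRC_FMT)

FCM_ID = 0x11          # assumed identifier of the commanding FCM
ACE_ID = 0x21          # assumed identifier of this ACE lane
MAX_FRAME_SKIP = 4     # assumed: more than 4 missed frames counts as stale
# Assumed heartbeat encoding: the code is a function of the frame count, so a
# frozen heartbeat generator is detectable even when the frame count advances.
HEARTBEAT_CODES = (0xA5, 0x5A, 0xC3, 0x3C)
WRAP_KEY = b"constructed-lane-wrap-key"   # stand-in for the lane's wrap secret


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE; check value for b"123456789" is 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def heartbeat_for(frame: int) -> int:
    return HEARTBEAT_CODES[frame % len(HEARTBEAT_CODES)]


def build_packet(src: int, dst: int, frame: int, payload, heartbeat=None) -> bytes:
    """FCM side: assemble a command packet (heartbeat override is for tests)."""
    hb = heartbeat_for(frame) if heartbeat is None else heartbeat
    body = struct.pack(HEADER_FMT, src, dst, frame & 0xFFFF, hb) + struct.pack(PAYLOAD_FMT, *payload)
    return body + struct.pack(CRC_FMT, crc16_ccitt(body))


class NormalPacketValidator:
    """Per-lane validator; state advances only when every check passes."""

    def __init__(self, expected_src: int = FCM_ID, my_id: int = ACE_ID):
        self.expected_src = expected_src
        self.my_id = my_id
        self.last_frame = None   # frame count of the last accepted packet

    def validate(self, pkt: bytes):
        """Return (accepted, reason, payload). Checks run in the order
        length, CRC, identity, freshness, heartbeat; the first failure wins."""
        if len(pkt) != PACKET_LEN:
            return False, "length", None
        body, (crc,) = pkt[:-2], struct.unpack(CRC_FMT, pkt[-2:])
        if crc16_ccitt(body) != crc:
            return False, "crc", None
        src, dst, frame, hb = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        if src != self.expected_src or dst != self.my_id:
            return False, "identity", None
        if self.last_frame is not None:
            delta = (frame - self.last_frame) & 0xFFFF   # wraps at 16 bits
            if delta == 0 or delta > MAX_FRAME_SKIP:     # replay, stuck or stale
                return False, "freshness", None
        if hb != heartbeat_for(frame):
            return False, "heartbeat", None
        self.last_frame = frame
        return True, "ok", struct.unpack(PAYLOAD_FMT, body[HEADER_LEN:])

    @staticmethod
    def make_wrap(pkt: bytes) -> bytes:
        """MON side: wrap packet echoing the accepted body under a keyed tag
        (assumed construction standing in for the document's encrypted wrap)."""
        body = pkt[:-2]
        return body + hmac.new(WRAP_KEY, body, hashlib.sha256).digest()[:8]


def fcm_check_wrap(sent_pkt: bytes, wrap: bytes) -> bool:
    """FCM side: confirm the wrap reflects exactly the command that was sent."""
    expected = NormalPacketValidator.make_wrap(sent_pkt)
    return hmac.compare_digest(wrap, expected)
```

The validator only updates its frame-count state after all checks pass, so a packet that fails identity or heartbeat cannot move the freshness window; the frame delta is computed modulo 2^16 so the count can roll over without a false "stale" rejection.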
The COM Direct PLD and MON Direct PLD provide an Arithmetic Logic Unit (ALU) for PFC
Direct Mode command generation using pilot control inputs, sensor inputs and discrete
inputs. The ALU supports a limited instruction set of 13 operations. Because there are no
branching or looping instructions, run time is always deterministic both logically and in time.
Algorithms for Direct Mode command generation are accomplished using no more than this
basic set of operations.
The Direct Mode PLD design will be fully verifiable through test and analysis. The limited
number of simple ALU operations and test support features included in the DM PLD design
support achieving complete verification coverage of its operation.


The COM Direct Mode Math Engine Sequence (MES) and MON Direct Mode Math Engine
Sequence (MES) provide the operations and operands to be executed on the ALU for PFC
Direct Mode command generation using pilot control inputs, sensor inputs and discrete
inputs. They also provide alternate Horizontal Stabilizer control and Rudder Trim functions.
The Math Engine Sequence component in each lane is identical. The sequence is contained
in the Flash component.
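A straight-line interpreter illustrating the property described for the Direct Mode ALU and its Math Engine Sequence above: a fixed sequence of register operations with no branch or loop instructions, so every run executes the same number of steps whatever the operand values, and a load-time check can confirm that every instruction in the sequence is reachable and supported. This is an added example, not the ACE design: the eight-operation set, the saturating 16-bit arithmetic, the register file size and the sample command sequence are constructed assumptions and do not represent the C919 ALU's 13 operations or the actual MES.

```python
"""Straight-line 'math engine': a fixed register-operation sequence with no
branch or loop instructions, so the step count, and therefore the run time,
is the same for every input. Added illustration; the eight-operation set,
saturating 16-bit arithmetic, register file size and the sample sequence are
constructed assumptions, not the C919 ALU's 13 operations or its MES."""
from typing import Callable, Dict, List, Sequence, Tuple

REG_COUNT = 16
INT16_MIN, INT16_MAX = -32768, 32767


def sat16(x: int) -> int:
    """Saturate to signed 16 bits (no wrap-around on overflow)."""
    return max(INT16_MIN, min(INT16_MAX, x))


# Assumed operation set: every op is a pure function of two register values.
OPS: Dict[str, Callable[[int, int], int]] = {
    "MOV": lambda a, b: a,
    "ADD": lambda a, b: sat16(a + b),
    "SUB": lambda a, b: sat16(a - b),
    "MUL": lambda a, b: sat16(a * b),
    "NEG": lambda a, b: sat16(-a),
    "MIN": lambda a, b: min(a, b),
    "MAX": lambda a, b: max(a, b),
    "ABS": lambda a, b: sat16(abs(a)),
}

# Instruction = (opcode, dst, src_a, src_b)
Instr = Tuple[str, int, int, int]


def check_sequence(seq: Sequence[Instr]) -> None:
    """Static (load-time) validation: reject unknown opcodes and out-of-range
    registers before anything runs. Because there is no control flow, a
    sequence that passes here executes every instruction exactly once."""
    for n, (op, dst, a, b) in enumerate(seq):
        if op not in OPS:
            raise ValueError(f"instruction {n}: unsupported opcode {op!r}")
        for r in (dst, a, b):
            if not 0 <= r < REG_COUNT:
                raise ValueError(f"instruction {n}: register {r} out of range")


def run(seq: Sequence[Instr], inputs: Dict[int, int]) -> Tuple[List[int], int]:
    """Execute the sequence once. Returns (register file, steps executed)."""
    check_sequence(seq)
    regs = [0] * REG_COUNT
    for r, v in inputs.items():
        regs[r] = sat16(v)
    steps = 0
    for op, dst, a, b in seq:         # one pass: no back-edges, no skips
        regs[dst] = OPS[op](regs[a], regs[b])
        steps += 1
    return regs, steps


# Constructed sample: command = clamp(stick * gain - body_rate, -limit, +limit)
# Register convention (assumed): r0 stick, r1 body rate, r2 gain, r3 limit,
# r8 command output.
DIRECT_CMD_SEQ: List[Instr] = [
    ("MUL", 4, 0, 2),   # r4 = stick * gain
    ("SUB", 5, 4, 1),   # r5 = r4 - body_rate   (rate damping)
    ("NEG", 6, 3, 3),   # r6 = -limit
    ("MAX", 7, 5, 6),   # r7 = max(r5, -limit)
    ("MIN", 8, 7, 3),   # r8 = min(r7, +limit)
]


def direct_mode_command(stick: int, body_rate: int, gain: int = 3,
                        limit: int = 250) -> Tuple[int, int]:
    """Returns (command, steps). The step count never depends on the values."""
    regs, steps = run(DIRECT_CMD_SEQ, {0: stick, 1: body_rate, 2: gain, 3: limit})
    return regs[8], steps
```

Because the only loop is the single pass over the sequence, worst-case execution time is simply the sequence length times the per-operation cost, and the same sequence loaded into two lanes yields bit-identical results for identical inputs, which is what a COM/MON comparison relies on.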
The COM Common Partition PLD, MON Common Partition PLD and MON Common Partition
Receiver PLD provide Actuation Databus receivers and transmitters, actuator command
selection and wrap monitoring, plus packet creation and CRC generation for data packets.
Several ARINC 429 receivers are also provided.
The COM Common Partition I/O PLD and MON Common Partition I/O PLDs provide pilot
control data collection and sensor data collection. The Common Partition I/O PLD in each
lane is identical.

4.3 Direct Mode Rate Sensor

Each Direct Mode Rate Sensor (DMRS) contains these sub-assemblies:

• Rate Sensor Assembly
• Gyro Printed Board Assembly (PBA)
• Interface PBA

The following sections provide descriptions for each of the sub-assemblies.

A hardware block diagram of the DMRS is shown in Figure 4-5 – DMRS Hardware High Level
Block Diagram.


Figure 4-5 – DMRS Hardware High Level Block Diagram

4.3.1 Rate Sensor Assembly

The Rate Sensor Assembly consists of the following major components:

• Gyro Printed Board Assembly (PBA)
• Suspension System – shock absorbing isolators which attach the Gyro PBA to the
chassis, protecting the Sensors from disturbances due to temperature, vibration, and
shock.

4.3.2 Gyro PBA
The Gyro PBA contains the three MEMS Sensors, each of which connects to an HPG2 analog
ASIC; these in turn connect to the HPGD2C_M2 ASIC (reference Figure 4-6 – DMRS
ASIC/FPGA High Level Block Diagram). The HPGD2C_M2 ASIC transmits the rate data to the
Interface FPGA. The following sections provide additional descriptions for each of these
components.


Figure 4-6 – DMRS ASIC/FPGA High Level Block Diagram

4.3.2.1 Sensor
This is a silicon MEMS (Micro-Electro-Mechanical System) angular motion rate sensor. Three
sensors are used to achieve sensing in three orthogonal axes. No electronics are packaged
within the sensor.


4.3.2.2 HPG2 ASIC

The analog HPG2 ASIC was designed to interface with several different Honeywell Gyro
sensors. The HPG2 ASIC performs three major functions in the Gyro Sensor system. The
first function is the motor control function. The HPG2 motor control function excites the
sensor at its primary resonance mode (motor) and continuously controls the amplitude of the
motor to a predetermined nominal value. The second function of the HPG2 ASIC is to provide
quadrature nulling. The quadrature nulling function of the HPG2 ASIC, along with the
HPGD2C ASIC, continuously nulls the quadrature charge of the sensor. The third function is
the rate signal processing function. The rate signal processing function of the HPG2 ASIC
converts the differential charge caused by Coriolis force in the sensor to a proportional rate
voltage. The analog HPG2 ASIC interfaces with only one sensor; therefore, a total of three
HPG2 ASICs are used in the DMRS system. The HPG2 ASIC was developed at Draper
Laboratory using a structured development process for a non-commercial aviation
application; its part number is 10161604-101.
4.3.2.3 HPGD2C_M2 ASIC
The HPGD2C_M2 ASIC receives rate and compensation variable data from each of the 3
gyro / HPG2 ASIC combinations. After demodulation and filtering, this data is formatted into
packets and stored in a buffer until requested by the Interface PBA. In addition, the
HPGD2C_M2 closes the quadrature nulling loop by separating the quadrature error
component from the rate channel data and feeding back the error signal to the gyro analog
electronics. Finally, the HPGD2C_M2 ASIC provides the configuration interface necessary to
allow the Interface PBA to download HPG2 analog electronics with operating parameters
optimized for each of the gyro types supported.
The HPGD2C_M2 ASIC was developed at Honeywell’s Defense and Space Electronic
Systems Organization (DSES) in Minneapolis using a structured development process for a
non-commercial aviation application; its part number is 10165873-101.
4.3.3 Interface PBA
This PBA provides Transient Suppression. The Transient Suppression function provides
sufficient insertion loss to allow the DMRS to function in the electromagnetic environments
defined in the customer’s specification. The types of circuits used are transorbs for lightning
protection and low pass filters.
4.3.3.1 Interface FPGA
The Interface FPGA receives the rate and compensation data for the three axes from the
Gyro PBA. The FPGA applies scale factor, bias and temperature compensation to the gyro
data. The FPGA formats the compensated data into a data packet as defined by the C919
Flight Control Intermodule Data Bus (IMB) Protocol Specification [13]. The packet is
broadcast to the physical layer of the Actuation Data Bus at a fixed rate defined by the Direct
Mode Rate Sensor Data Bus Protocol Specification for the Honeywell Flight Control System
[15]. The Interface FPGA was developed by Honeywell Aerospace – Coon Rapids; its part
number is 66021063-001.
4.3.3.2 Serial Data Bus Output
The DMRS physical layer provides the interface to transmit the ADB data packet to the FCS
cabinet, and consists of an RS-485/422 transceiver followed by a transformer and passive
components. The DMRS interface uses a simpler variation of the master-slave ADB protocol,
similar to an ARINC 429 protocol. Basic message structure is the same.


The DMRS autonomously broadcasts messages at a fixed rate and the ACE recovers the
asynchronous messages. The logical bit rates and physical layers are the same as those for
the ADB.
4.3.3.3 Power Supply
The Power Supply converts the +28VDC from the FCS PCM to the voltages required by the
Gyro and Interface PBA.
4.3.4 Summary of DMRS ASIC and PLD Usage
Table 4-3 - C919 DMRS Summary of ASIC/PLD Usage lists the summary of the ASICs and
FPGAs that are planned for the C919 DMRS.
Table 4-3 - C919 DMRS Summary of ASIC/PLD Usage

Partition/PBA | Function | Device Type | Supplier | Supplier PN | PLD/ASIC Technology | PLD/ASIC Pkg | Status | Previously Certified | Qty/LRU
Gyro | HPG2 ASIC: Motor control function, provides quadrature nulling, rate signal processing function; PN 10161604-101 | ASIC | ON Semiconductor, Inc. | 19490-001 | 0.5 µm CMOS mixed signal | LFBGA128 | Reuse | Yes | 3
Gyro | HPGD2C_M2 ASIC: Receives rate and compensation variable data, formats and stores received data, provides PBA configuration interface; PN 10165873-101 | ASIC | ON Semiconductor, Inc. | 19714-003 | 0.35 µm CMOS standard cell | LFBGA81 | Reuse | Yes | 1
Interface | Interface FPGA: Receives rate and compensation data, applies scale factor, bias and temperature compensation to data, formats the compensated data; PN 66021063-001 (programmed), PN 53000345-25 (blank) | PLD | Microsemi SOC Products Group | APA450-FG144I (blank device) | ProASICPlus, 450K Gates | BGA100P-144 | Reuse | Yes | 1


4.4 FCE Cabinets

The FCE Cabinets provide for mounting of the ACEs, FCMs, and PCMs into the airplane, and
interfacing power and I/O signals between those modules and aircraft wiring, as well as
installation on aircraft cooling air plenums. The Cabinets consist of the following two major
subassemblies:
• Mechanical Chassis Assembly
• Interface PBA
The Mechanical Chassis Assembly will mount to the C919 aircraft’s cooling air plenum and
will provide for cooling air flow to the installed ACE, FCM, and PCM. It includes provisions
for mounting the Interface PBA, as well as provides a means for mounting and securing the
ACE, FCM, and PCM to the FCE Cabinet.
The Interface PBA is comprised of a Printed Board, mating connectors for the ACE, FCM,
and PCM, and connectors to interface to aircraft wiring harnesses. The Printed Board
provides interconnects between installed modules and from installed modules to aircraft
connectors.
There will be two FCE Cabinet part numbers – one part number that accommodates
installation of an ACE, an FCM, and a PCM; another part number that accommodates
installation of an ACE and a PCM.
The FCE Cabinets do not contain any software, PLDs, or ASICs.


5 Certification Considerations
The planned certification basis, safety considerations, design assurance levels (DALs), and
means of compliance for the C919 FCS hardware are detailed below and consist of regulatory
requirements, a summary of the preliminary System Safety Analysis conclusions, and
guidance documentation.

5.1 Certification Basis


The following sections form the certification basis.
5.1.1 Applicable Regulations
The C919 FCS will be designed to be in compliance with the regulations listed in Table 5-1 -
Regulatory Requirements.
Table 5-1 - Regulatory Requirements

Regulation | Subject | Explanation | Means of Compliance
CFR/CCAR.25.1301 | Function and Installation | Functional Verification and Validation | AFCS and PFCS Certification Support Plans for COMAC C919 Flight Control System.
CFR/CCAR.25.1309 | Equipment, Systems and Installations | Design for Safety and Reliability | AFCS and PFCS Certification Support Plans for COMAC C919 Flight Control System.
CAAC Issue Paper SW-03 | Programmed Electronic Hardware Devices in Model C919 Airborne Systems and Equipment | Programmed Electronic Hardware Device development guidance | AFCS and PFCS Certification Support Plans for COMAC C919 Flight Control System.
CAAC Issue Paper M-06 | Equivalent Level of Safety Finding for Equipment, System and Installation Requirements | System Safety Requirements | AFCS and PFCS Certification Support Plans for COMAC C919 Flight Control System.

5.1.2 Technical Standard Orders


There are no TSOs applicable to the C919 Flight Control System hardware elements.
5.1.3 Other Certification Considerations
There are no additional certification considerations.


5.1.4 Functional Hazard Summary

The C919 FCS commands the various airplane surfaces for basic aircraft manual control.
The functional hazard conditions to which the FCS contributes are summarized in Table 5-2 -
Functional Hazard Assessment Summary, which was extracted from the C919 Flight Control
Electronics System Technical Specification (STS) [101] and was evaluated in the context of
the preliminary FCS system design. The results are documented in the C919 Flight Control
System Preliminary System Safety Assessment [10], with the FCS Design Assurance Level
results identified in Table 5-3 - Hardware Design Assurance Levels. These Design Assurance
Levels are then assigned to the ASICs, PLDs and Math Engine Sequence component in each
item of equipment.
A combination of architectural approaches and application of DO-254 is employed in the
C919 FCS to mitigate these hazards.
Table 5-2 - Functional Hazard Assessment Summary

Related Functions | FHA ID | Min FDAL (Avail.) | Min FDAL (Integ.) | Functional Hazard Description | Hazard Class.
Mode Logic | 27-F07-01 | A | - | Total loss of roll control (Be less than the MAC of roll) | CAT
Mode Logic | 27-F02-04 | - | A | One elevator hardover or oscillation beyond acceptable limit | CAT
Side Stick Unit Priority | 27-F02-01 | A | - | Total loss of pitch control (Be less than MAC of pitch) | CAT
Side Stick Unit Priority | 27-F07-04 | - | A | One aileron hardover or oscillation beyond acceptable limit | CAT
Side Stick Dual Input Indication (Note 2) | - | - | - | N/A | N/A
Side Stick Dual Input Indication (Note 2) | 27-F18-01 | - | B | Erroneous sidestick priority or indication | HAZ
Aileron Control Function | 27-F07-01 | A | - | Total loss of roll control (Be less than the MAC of roll) | CAT
Aileron Control Function | 27-F07-04 | - | A | One aileron hardover or oscillation beyond acceptable limit | CAT
Elevator Control Function | 27-F02-01 | A | - | Total loss of pitch control (Be less than MAC of pitch) | CAT
Elevator Control Function | 27-F02-04 | - | A | One elevator hardover or oscillation beyond acceptable limit | CAT
Rudder Control Function | 27-F11-04 | A | - | Loss of flutter suppression of rudder | CAT
Rudder Control Function | 27-F11-03 | - | A | Rudder hardover or oscillation beyond acceptable limit | CAT
- | 27-F21-02 | B | - | Unannunciated loss of stall protection | HAZ
Spoiler Control Function | 27-F17-06 | - | A | Uncommanded GLD (four pairs or more of MFS or GS) | CAT
Horizontal Stabilizer Control Function | 27-F02-01 | C | - | Total loss of pitch control (Be less than MAC of pitch) | CAT
Horizontal Stabilizer Control Function | 27-F03-02 | - | A | Runaway of horizontal stabilizer | CAT
Crew Alerting / Synoptic / PFD | 22-F03-02 | A | - | Unannunciated loss of autoland. | CAT
Crew Alerting / Synoptic / PFD | 27-F18-03 | - | A | Unannunciated erroneous position indication of horizontal stabilizer | CAT
Displays | 22-F03-02 | A | - | Unannunciated loss of autoland. | CAT
Displays | 22-F01-04 | - | A | Erroneous flight director command (misleading) during approach with DH below 200ft. | CAT
Takeoff Warning (Note 2) | - | - | - | N/A | N/A
Takeoff Warning (Note 2) | 27-F18-03 | C | | Unannunciated erroneous position indication of horizontal stabilizer | CAT
Pilot Control | 27-F19-05 | A | - | Loss of damping and centering of both sidesticks | CAT
Pilot Control | 27-F07-04 | - | A | One aileron hardover or oscillation beyond acceptable limit | CAT
Actuation | 27-F07-01 | A | - | Total loss of roll control (Be less than the MAC of roll) | CAT
Actuation | 27-F07-04 | - | A | One aileron hardover or oscillation beyond acceptable limit | CAT
Maintenance Critical | Any hazard | A | A | N/A | CAT
Maintenance Non-Critical (Note 2) | 27-F29-01 | E | E | Loss of maintenance function | No safety effect
OMS (Note 2) | 27-F29-01 | E | E | Loss of maintenance function | No safety effect
Common Functions | 27-F31-02 | A | - | Loss of body rate damping in non Normal Mode | CAT
Common Functions | 27-F02-04 | - | A | One elevator hardover or oscillation beyond acceptable limit | CAT
Flight Director | 22-F03-02 | A | - | Unannunciated loss of autoland | CAT
Flight Director | 22-F01-04 | - | A | Erroneous flight director command (misleading) during approach with DH below 200ft | CAT
Autopilot | 22-F03-02 | A | - | Unannunciated loss of autoland | CAT
Autopilot | 22-F02-08 | - | A | Unannunciated excessive autopilot deviation from the prescribed path (approach with DH below 200ft) | CAT
Autothrottle / Thrust Director | 22-F05-04 | C | - | Inability to disengage of autothrottle by all means | MAJ
Autothrottle / Thrust Director | 22-F05-03 | - | C | Autothrottle uncommanded thrust reduction with single engine failure | CAT
Electronic Thrust Trim (Note 2) | 22-F07-01 | D | - | Loss of ETTS | MIN
Electronic Thrust Trim (Note 2) | 22-F05-03 | - | C | Autothrottle uncommanded thrust reduction with single engine failure | CAT
Thrust Rating (Note 2) | 22-F04-01 | D | - | Loss of thrust rating | MIN
Thrust Rating (Note 2) | 22-F05-03 | - | C | Autothrottle uncommanded thrust reduction with single engine failure | CAT
AFCS Common Functions | 22-F03-01 | C | - | Annunciated loss of fail-passive autoland below 100 feet. | MAJ
AFCS Common Functions | - | - | - | N/A | N/A
AOA | 34-12-F5-01 | B | - | Loss of ability to provide AOA data | HAZ
AOA | 34-12-F5-02 | - | A | Erroneous provision of AOA data | CAT
ADS | 27-F31-02 | C | - | Loss of body rate damping in non Normal Mode | CAT
ADS | 27-F02-04 | - | A | One elevator hardover or oscillation beyond acceptable limit | CAT
BCS | 27-F17-02 | D | - | Annunciated loss of GLD (3 or more pairs of spoilers, MFS or GS) | MAJ
BCS | 27-F17-04 | - | C | Uncommanded motion of both GS | CAT
DMRS | 27-F31-02 | A | - | Loss of body rate damping in non Normal Mode | CAT
DMRS | 27-F02-04 | - | C | One elevator hardover or oscillation beyond acceptable limit | CAT
EAFR (Note 2) | 22-F20-01 | E | - | Loss of providing AFCS data to FDR | No safety effect
EAFR (Note 2) | 22-F20-02 | - | D | Erroneously providing AFCS data to FDR | MIN
EPS (data only) | 27-F02-01 | C | - | Total loss of pitch control (Be less than MAC of pitch) | CAT
EPS (data only) | 22-F05-03 | - | C | Auto throttle uncommanded thrust reduction with single engine failure | CAT
FADEC | 27-F21-02 | B | - | Unannunciated loss of stall protection | HAZ
FADEC | 27-F17-06 | - | A | Uncommanded GLD (four pairs or more of MFS or GS) | CAT
FMCP (Note 2) | 22-F01-01 | D | - | Loss of flight director | MIN
FMCP (Note 2) | 22-F01-02 | - | C | Erroneous flight director mode or command (Approach except for DH below 200ft) | MAJ
FMS (Note 2) | 22-F01-01 | D | - | Loss of flight director | MIN
FMS (Note 2) | 22-F02-06 | - | B | Excessive autopilot deviation from the prescribed path below 400FT | HAZ
GLU | 22-F03-02 | A | - | Unannunciated loss of autoland | CAT
GLU | 22-F01-04 | - | A | Erroneous flight director command (misleading) during approach with DH below 200 FT | CAT
HCS | 34-12-F5-01 | B | - | Loss of ability to provide AOA data | HAZ
HCS | 34-12-F5-02 | - | A | Erroneous provision of AOA data | CAT
HLS | 27-F31-02 | C | - | Loss of body rate damping in non Normal Mode | CAT
HLS | 27-F02-04 | - | A | One elevator hardover or oscillation beyond acceptable limit | CAT
- | - | - | - | N/A | N/A
Hydraulic System (data only) (Note 2) | 27-F09-03 | - | C | One multi-function spoiler oscillation beyond acceptable limit | CAT
IAMS | 27-F20-01 | C | - | Loss of stall warning | MAJ
IAMS | 27-F20-02 | - | C | Erroneous stall warning | MAJ
IDS | 27-F20-01 | C | - | Loss of stall warning | MAJ
IDS | 27-F20-02 | - | C | Erroneous stall warning | MAJ
IRS | 27-F31-02 | C | - | Loss of body rate damping in non Normal Mode | CAT
IRS | 27-F11-03 | - | A | Rudder hardover or oscillation beyond acceptable limit | CAT
ISS (Note 2) | 22-F01-01 | D | - | Loss of flight director | MIN
ISS (Note 2) | 22-F01-02 | - | C | Erroneous flight director mode or command (approach except for DH below 200 FT) | MAJ
LCS (Note 2) | - | E | - | N/A | N/A
LCS (Note 2) | 27-F18-01 | - | B | Erroneous sidestick priority or indication | HAZ
Priority Indicator (Note 2) | - | - | - | N/A | N/A
Priority Indicator (Note 2) | - | - | - | N/A | N/A
Autoland Fail Light (Note 2) | - | - | - | N/A | N/A
Autoland Fail Light (Note 2) | - | - | - | N/A | N/A
LGS | 27-F17-02 | C | - | Annunciated loss of GLD (3 or more pairs of spoilers, MFS or GS) | MAJ
LGS | 22-F01-04 | - | A | Erroneous flight director command (misleading) during approach with DH below 200 FT | CAT
Radio Altimeter | 27-F17-02 | C | - | Annunciated loss of GLD (3 or more pairs of spoilers, MFS or GS) | MAJ
Radio Altimeter | 22-F01-04 | - | A | Erroneous flight director command (misleading) during approach with DH below 200 FT | CAT
TCQ | 22-F05-04 | C | - | Inability to disengage auto throttle by all means | MAJ
TCQ | 22-F05-02 | - | C | Erroneous auto throttle command | MAJ
Hydraulic System (power) (Note 3) | Multiple hazards (complete loss of actuation power) | A | - | N/A | CAT
EPS, including PMG (power) (Note 3) | Multiple hazards (complete loss of power to control electronics) | A | - | N/A | CAT
ADN (Note 4) | 27-F21-02 | B | - | Unannunciated loss of stall protection | HAZ
ADN (Note 4) | 27-F18-03 | - | A | Unannunciated erroneous position indication of horizontal stabilizer | CAT
ISI (Note 2) | - | - | - | N/A | N/A
ISI (Note 2) | - | - | - | N/A | N/A

Note 1: N/A (note deleted)

Note 2: Since the hazard sections presented in this PSSA contain only failure conditions
classified as catastrophic, hazardous and major, it was necessary to perform an additional
check on the functions that were assigned FDAL D, FDAL E or no FDAL, as follows: functions
that were assigned FDAL D should not directly impact any Major failure condition, and
functions that were assigned FDAL E should not impact any Major or Minor failure
condition. If the check failed, the respective FDAL was raised appropriately.
Note 3: These functions providing electrical and hydraulic power to the FCS were omitted from
the hazard sections of the PSSA since their criticality is apparent. This was done to maintain
clarity of the analysis.
Note 4: The ADN is a common resource used by multiple external systems which
provides/receives critical data through the ARINC 664 network; therefore the ADN is omitted
from the hazard sections of the PSSA. The FDAL of the ADN was assigned based on the
highest FDAL of any associated external system. This was done to maintain clarity
of the analysis.

5.2 Hardware Design Assurance Levels

This section provides the hardware planned design assurance levels and their justification.
The C919 Flight Control System Preliminary System Safety Assessment [10] will include
identification of functional failure paths (FFPs) in the hardware that support justification of
the DAL.
Table 5-3 - Hardware Design Assurance Levels provides a summary of the planned design
assurance levels of the hardware detailed in Section 4 and the justification for the levels.
Note that the FCE Cabinet is not listed in Table 5-3 because it contains no Complex
Electronic Hardware.


Table 5-3 - Hardware Design Assurance Levels

FUNCTION | FCM A | FCM I | ACE A | ACE I | PCM A | PCM I | DMRS A | DMRS I
Mode Logic | A | - | A | - | A | - | NA | NA
Side Stick Unit Priority | A | B | A | B | A | B | NA | NA
Side Stick Tactile/Dual Input Indication | - | B | - | B | - | B | NA | NA
Aileron Control | A | A | A | A | A | A | A | A
Elevator Control | A | A | A | A | A | A | A | A
Rudder Control | A | A | A | A | A | A | A | A
Spoiler Control | C | A | C | A | C | A | NA | NA
Stabilizer Control | C | A | C | A | C | A | NA | NA
Crew Alerting / Synoptic | B | A | NA | NA | B | A | NA | NA
Pilot Control | NA | NA | A | A | A | A | NA | NA
Actuation | NA | NA | NA | NA | A | A | NA | NA
Maintenance Critical | A | A | A | A | A | A | A | A
OMS Data Loader | A | A | NA | NA | A | A | NA | NA
Maintenance Communication | E | E | NA | NA | E | E | NA | NA
Common Functions | - | C | - | C | - | C | NA | NA
AOA | B | A | NA | NA | B | A | NA | NA
Flight Test Interface / Lab Support | E | E | NA | NA | E | E | NA | NA
LRU COMPOSITE | A | A | A | A | A | A | A | A
Assigned DAL | A (FCM) | | A (ACE) | | A (PCM) | | A (DMRS) |


5.3 AEH Devices


Table 5-4 - AEH Device DAL and Classification below provides a summary of the planned
design assurance levels assigned to each AEH device contained in the C919 FCS. Simple or
Complex classification was determined by a review of the component and its functions.
Table 5-4 - AEH Device DAL and Classification

System Component | Part Descriptor | Functional Description | DAL | AEH Classification | Type of Development | Part Number
FCM | POLARIS ASIC | Processor control logic, Triple-Mode Redundancy (TMR), Double Data Rate (DDR) control Processor, memory control, CP bus interface, Lockstep logic | A | Complex | Reused | 4093490-400
FCM | I/O Controller ASIC | FCS Intermodule Databus interface, CP bus interface, ARINC 429 interface, ARINC 664 control | A | Complex | Reused | 4093471-400
FCM | AFDX ASIC | ARINC 664 interface | A | Complex | Reused | 4093436-400
ACE | ACE Input/Output Controller PLD | FCS intermodule Databus interface | A | Complex | New | 62000935-101
ACE | COM Normal PLD | PFC Normal mode, packet validation, Mode logic | A | Complex | New | 62000936-101
ACE | MON Normal PLD | PFC Normal mode, packet validation, Heartbeat monitor, Frame count monitor | A | Complex | New | 62000937-101
ACE | COM Direct PLD | Direct mode math engine, Direct mode sync generation | A | Complex | New | 62000938-101
ACE | MON Direct PLD | Direct mode math engine, Direct mode command monitor, Direct mode sync monitor | A | Complex | New | 62000939-101
ACE | COM Common Partition PLD | FCS Actuation Databus transmitters, FCM Command Selection logic, mode selection, ACE sync generation, ARINC 429 interfaces, Discrete I/O interfaces | A | Complex | New | 62000941-101
ACE | COM Common Partition I/O PLD | Analog and Discrete I/O interfaces | A | Complex | New | 62000940-101
ACE | MON Common Partition PLD | FCM Command Selection, mode selection, ACE sync monitor, Discrete I/O interfaces | A | Complex | New | 62000942-101
ACE | MON Common Partition Receiver PLD | FCS Actuation Databus receivers, Command wrap monitors, engage logic | A | Complex | New | 62000943-101
ACE | Math Engine Sequence | Direct Mode control laws, monitors | A | Complex | New | PS62001458-101
DMRS | HPG2 ASIC | Motor control function, quadrature nulling, rate signal processing function | A | Complex | Reused | 10161604-101
DMRS | HPGD2C ASIC | Receives rate and compensation variable data, Formats and stores received data, provides PBA configuration interface | A | Complex | Reused | 10162582-101
DMRS | Interface FPGA | Receives rate and compensation data, Applies scale factor, bias and temperature compensation to data, Formats the compensated data | A | Complex | Reused | 26022223-101


5.4 Compliance to CAAC Issue Paper SW-03

The ACE and Math Engine Sequence component will comply with CAAC Issue Paper SW-03,
Programmed Electronic Hardware Devices in Model C919 Airborne Systems and Equipment.
Clarifications are included in Table 5-5 – Compliance to Issue Paper SW-03. The FCM and
DMRS are re-used products, so devices used in those products may not comply with Issue
Paper SW-03.

Table 5-5 – Compliance to Issue Paper SW-03

Compliance Compliance
Issue Additional Information
Planning Evidence
Team Position
Applicant identifies each Not applicable Responsibility of COMAC.
programmed electronic hardware
device to be used, and specifies
any architectural and/or
mitigation techniques to be used,
hardware design assurance
levels, rationale for each device’s
level assignment, and proposal
for the design assurance strategy
for each device in their
certification plans, and gets
approval from the Type
Certification Team.

5-10
Use or disclosure of information on this page is subject to the restrictions on the title page of this document.

REF: ECN-6078167
PHAC for the COMAC C919 Flight Control System - EB62000855-001 REV C

Team Position: Where alternative methods to those described in RTCA/DO-254 are proposed, the applicant should explain their interpretation of the basic objectives, describe the alternative methods, and present to the Type Certification Team early in the program, their justification of compliance to the applicable regulations.
  Compliance Planning: Not applicable
  Additional Information: No alternative methods used.

1. Modifiable Devices
  Not applicable - there are no modifiable devices used in the ACE, FCM, or DMRS.

2. Device Level Assurance

Team Position: Objectives of DO-254 processes satisfied at the device level per Table 2-1 of DO-254.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 10
  Compliance Evidence: Table of compliance to DO-254 objectives.

3. Certification Plan

Team Position: System Certification plan should be developed and approved.
  Compliance Planning: Not applicable
  Additional Information: Responsibility of COMAC.

Team Position: PHAC should identify each programmed electronic hardware device, along with its failure condition classification and description of its function.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 5.3
  Compliance Evidence: PHAC for the COMAC C919 Flight Control System, Section 5.3

Team Position: PHAC should identify planned means of compliance for each device.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 5.1.1
  Compliance Evidence: PHAC for the COMAC C919 Flight Control System, Section 5.1.1

Team Position: PHAC should identify assigned design assurance levels and rationale/justification of the assigned level for each device.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 5.2
  Compliance Evidence: PHAC for the COMAC C919 Flight Control System, Section 5.2

Team Position: PHAC should reference hardware design standards appropriate to each device.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Table 7-1
  Compliance Evidence: HDVP for the COMAC C919 Flight Control System, Section 4.3.4; HDVP for the COMAC C919 FCE MES, Section 4.4.2.1

Team Position: PHAC should identify certification data to be delivered and/or made available to the certification authority.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Table 7-1
  Compliance Evidence: PHAC for the COMAC C919 Flight Control System, Table 7-1

4. Validation Processes


Team Position (a): The specification, safety-related requirements and derived requirements should be identified and validated. Completion of validation processes should be based on defined criteria.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 5; HDVP for the COMAC C919 FCE MES [2], Section 5
  Compliance Evidence: Requirements Review Records, C919 FCS HAS

Team Position (b): Validation processes should be documented as specified by the hardware control category as defined in RTCA/DO-254.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 5; HDVP for the COMAC C919 FCE MES [2], Section 5
  Compliance Evidence: Requirements Review Records, C919 FCS HAS
  Additional Information: Requirements review records controlled per HDVPs.

Team Position (c): Validation processes for DAL A and B should be satisfied with independence per DO-254 Appendix C, Appendix A, and Table A-1.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 5.6; HDVP for the COMAC C919 FCE MES [2], Section 5
  Compliance Evidence: Requirements Review Records
  Additional Information: Results include completed checklist and participation.

5. Verification Processes

Team Position (a.1): HDL coding standards consistent with the system safety objectives should be defined.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 4.3.4; HDVP for the COMAC C919 FCE MES [2], Section 4.4.2.1
  Compliance Evidence: VHDL Coding and Design Standards, Math Engine Sequence Coding Standards

Team Position (a.2): Conformance to HDL coding standards should be verified.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Sections 4.3.4 - 4.3.5; HDVP for the COMAC C919 FCE MES [2], Section 4.4.2.1
  Compliance Evidence: Code Review Records
  Additional Information: Results include conformance to checklist.


Team Position (b): Requirements based robustness tests should be defined and executed (to cover normal and non-normal operating conditions), per DO-254 6.2.2(4) and 5.1.2(4).
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 6.13; HDVP for the COMAC C919 FCE MES [2], Section 6.2
  Compliance Evidence: Verification test cases

Team Position (c): Test procedures and cases should be reviewed to confirm appropriate test case selection, per DO-254 6.2.2(4b).
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 6.6; HDVP for the COMAC C919 FCE MES [2], Section 6.3
  Compliance Evidence: Verification Procedure Review Records
  Additional Information: Results include conformance to checklist.

Team Position (d.1): A target level of verification coverage of design requirements appropriate to DAL A/B should be defined and justified.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 6.6; HDVP for the COMAC C919 FCE MES [2], Section 6.3
  Compliance Evidence: C919 FCE HAS

Team Position (d.2): The level of verification coverage of the design requirements achieved by test on the device itself should be measured and recorded.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 6.6; HDVP for the COMAC C919 FCE MES [2], Section 6.3
  Compliance Evidence: C919 FCE HAS

Team Position (d.3): Alternative means of design assurance for specific unverifiable detailed design requirements should be justified, and provided.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 5.2
  Compliance Evidence: N/A
  Additional Information: An unverifiable requirement needs to be fixed so that it is verifiable or a deviation needs to be obtained.

Team Position (d.4): Verification processes should be satisfied with independence per DO-254, Appendix A and Table A-1.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 6.12; HDVP for the COMAC C919 FCE MES [2], Section 6.7
  Compliance Evidence: Verification Procedure Review Records
  Additional Information: Results include completed checklist and participation.


6. Traceability

Team Position (a): Traceability between system requirements and higher level requirements of programmed electronic hardware devices should be established and documented.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 4.1.5; HDVP for the COMAC C919 FCE MES [2], Section 4.3.4
  Compliance Evidence: Hardware requirements trace data & review

Team Position (b): Traceability between device specification requirements, the conceptual design, the detailed design, and the implementation should be established and documented.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 4.3; HDVP for the COMAC C919 FCE MES [2], Section 4.4
  Compliance Evidence: PLD detailed design and VHDL code trace data & review

Team Position (c): Traceability between the requirements and design items of 6.a above, and the corresponding verification and validation procedures and results, should be established and documented.
  Compliance Planning: HDVP for the COMAC C919 Flight Control System [1], Section 6; HDVP for the COMAC C919 FCE MES [2], Section 4.4
  Compliance Evidence: Verification trace data

7. Configuration Management

Team Position: For programmed electronic hardware devices, defined change control and problem reporting should be implemented early in the project when the process of configuration identification as defined in RTCA/DO-254 commences. Implementation of change control and problem reporting should precede the baseline from which certification credit is claimed.
  Compliance Planning: HW Configuration Management Plan for the C919 Flight Control System CEH [3]
  Compliance Evidence: Configuration management records


Team Position: The appropriate configuration management documents (such as Hardware Environmental Configuration Index and Hardware Configuration Index), according to the hardware life cycle data requirements in Order 8110.105 Section 4.5, should be available for review by TCT.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Table 7-1; HW Configuration Management Plan for the C919 Flight Control System CEH [3]
  Compliance Evidence: C919 FCE HAS, C919 HCI
  Additional Information: HECI = Hardware Environment Configuration Index; HCI = Hardware Configuration Index

8. Tool Assessment and Qualification

Team Position: Claim for credit of relevant tool history for tools not qualified should be made per DO-254, Section 11.4.1(5).
  Compliance Planning: Not applicable
  Additional Information: No claim in tool assessment for relevant tool history.

9. Simple Electronic Hardware
  Not applicable – there are no simple devices used in the ACE, FCM, or DMRS.

10. Previously Developed Airborne Systems and Equipment Programmed Electronic Hardware Devices

Team Position (a): Programmed electronic hardware devices that are unchanged, and used in exactly the same way, and at the same or equivalent DAL as in the previously approved system require no additional design assurance.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.1

Team Position (b): Programmed electronic hardware devices, where the change is minor, should only need minimal additional assurance to verify that the device is indeed "form, fit and functionally interchangeable" with the previous device and that the changed device will meet the environmental qualification test (EQT) criteria appropriate to its operating environment.
  Compliance Planning: Not applicable
  Compliance Evidence: Not applicable
  Additional Information: No changes to previously developed electronic devices.


Team Position (c): Device with additional functional behavior (still "form, fit and functionally interchangeable") treated as minor change. Change impact analysis of the device and its potential effects on the airborne system should be conducted, and appropriate re-verification (regression testing) achieved to ensure the device satisfies its previous intended function with no anomalous behavior, and that any added functions, modes, states, capabilities and/or operational or performance characteristics perform correctly.
  Compliance Planning: Not applicable
  Compliance Evidence: Not applicable
  Additional Information: No changes to previously developed electronic devices.

Team Position (d.1): When a change other than "minor" ("major" at the device level) is proposed, the guidance of RTCA/DO-254 should be followed. A change impact analysis should be conducted to assess the significance of the device change on the airborne system and its other components.
  Compliance Planning: Not applicable
  Compliance Evidence: Not applicable
  Additional Information: No changes to previously developed electronic devices.

Team Position (d.2): If a hardware change results in a significant impact at the system level, then device level verification combined with system level verification should be conducted to ensure correct intended function with no anomalous behavior to the appropriate system development assurance level and hardware DAL.
  Compliance Planning: Not applicable
  Compliance Evidence: Not applicable
  Additional Information: No changes to previously developed electronic devices.

Team Position (e): When major changes are implemented in the hardware devices, the hardware is used in the same way, and the hardware is at the same DAL, the changes should be made using RTCA/DO-254 and appropriate device and system level verification conducted to ensure all impacted areas and aspects have been reverified.
  Compliance Planning: Not applicable
  Compliance Evidence: Not applicable
  Additional Information: No changes to previously developed electronic devices.

Team Position (f): If the legacy airborne system hardware is used in a different environment or in a system with a higher DAL, RTCA/DO-254 should be applied, and the system demonstrated to comply with all other applicable regulations, policy and guidance.
  Compliance Planning: N/A
  Compliance Evidence: N/A
  Additional Information: The environment seen by the CEH is the same as for the legacy system.


11.1 Commercial Off-The-Shelf Microprocessors

Team Position (a): All of the software testing of the operating system and the microprocessor-hosted applications conducted to meet the objectives of RTCA/DO-178B should be executed or repeated using the actual microprocessor and actual airborne hardware to be approved.
  Compliance Planning: C919 FCE PSAC, Software Verification Plans section: Software testing is performed on a combination of on-target and off-target test resources. The selection of the appropriate test resource is covered by the verification plans but is based on the capabilities of the test resource and the needs of the software under test.
  Compliance Evidence: A summary of the on-target testing coverage of the software testing items will be in the C919 FCE SAS and will cover each microprocessor in the FCM.
  Additional Information: Between the on-target platform and the single board computer (off-target) platform, nearly all requirements based testing of software is covered. Note that testing is done with simulated inputs. The amount of software not tested on the target processor will be predicted in the C919 FCE PSAC and the actual amount documented in the Software Accomplishment Summary. Justification of the validity of non-target processor testing will also be documented. The software accomplishment summary will document the coverage achieved, scope and amount of software tested on the target hardware, scope and amount tested on a host processor, and rationale for why the host is relevant and valid for assurance of the target microprocessor.

Team Position (b.1): All technical notes that describe known problems, undocumented features or limitations of the microprocessor should be reviewed.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.2
  Compliance Evidence: Summary in C919 FCE HAS and details in Microprocessor mitigation matrix
  Additional Information: Joint participation by hardware and software engineers.

Team Position (b.2): Any features of the microprocessor that do not function properly should not be invoked by the software. Instructions should be included in the programmer's guide to prohibit the use of these features.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.2
  Compliance Evidence: Microprocessor mitigation matrix; Software coding standards; PA records show compliance to standards
  Additional Information: SCRs are written by the hardware engineers or the software engineers to put these restrictions in the programmer's guide.

Team Position (c.1): A configuration control plan for the microprocessor should be established and followed throughout the life cycle of the system.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.1
  Compliance Evidence: Honeywell Aerospace Electronic Components Management Plan [18]


Team Position (c.2): There should be an agreement that the manufacturer of the microprocessor will provide notification of any changes to the microprocessor or its packaging, even if there is no change to the part number.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.1
  Compliance Evidence: Honeywell Aerospace Electronic Components Management Plan [18]

Team Position (c.3): There should be a process established to review these changes and determine their effect on the operation of the system, before the revised microprocessor is used for production or repair of the system.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.1
  Compliance Evidence: Honeywell Aerospace Electronic Components Management Plan [18]

Team Position (c.4): If the microprocessor or its packaging can be revised without changing the part number, the system manufacturer should establish a unique part numbering scheme for the microprocessors to be used in the airborne system.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.1
  Compliance Evidence: Honeywell Aerospace Electronic Components Management Plan [18]

Team Position (d.1): Microprocessors used for functions the failure of which could result in catastrophic or hazardous failure conditions should have a reasonable service history with a number of different applications. Reasonable service experience would consist of at least two years of widespread use of the microprocessor with several million hours of estimated operation.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.2
  Compliance Evidence: C919 FCE HAS and Microprocessor Mitigation Matrix


Team Position (d.2): The system manufacturer and the applicant should have a process in place to accept and analyze problem reports from its customers, and other suppliers, including a process to routinely analyze the microprocessor manufacturer's web site for listings of device problems/changes. The service problems should be reviewed by the applicant to determine if the failure rate of the microprocessor is higher than predicted or if there is evidence of failures that result from design deficiencies. Any design deficiencies identified from the review of the service history of the microprocessor(s) should be considered in the development and verification of the airborne system.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.2.2
  Compliance Evidence: Honeywell Aerospace Electronic Components Management Plan [18]

Team Position (e): The microprocessor should be operated within the environmental limits established by the microprocessor manufacturer, particularly with respect to temperature, operating voltages, clock speed and vibration. If these limits will be exceeded when the microprocessor is installed in the airplane, the applicant should verify by testing that the reliability of the microprocessor will meet the system requirements.
  Compliance Planning: Qualification Test Plan for the COMAC C919 Flight Control Electronics [7]
  Compliance Evidence: Verification reports

11.2 COTS IP

Team Position: Depending on the complexity of the COTS IP and the availability of IP documentation, the applicants should have significant work to show compliance for the system or equipment.
  Compliance Planning: Not applicable
  Additional Information: No COTS IP usage

12. Single Event Upset

Team Position: The use of RAM based devices and memory storage elements internal to programmed electronic hardware devices should require additional checks and/or design features to ensure the integrity of the functions they implement (either fully or partially). This should include both integrity checks at power-up as well as continuous run-time checks.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.4
  Compliance Evidence: SSA


Team Position: The applicant should show how the impact of SEU on programmed electronic hardware devices is contained and/or mitigated.
  Compliance Planning: PHAC for the COMAC C919 Flight Control System, Section 8.4
  Compliance Evidence: SSA
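The power-up and continuous run-time integrity checks that the SEU position calls for are illustrated by the following example. It is added here for illustration only; it is not Honeywell code and does not describe the C919 design in PHAC Section 8.4 or the SSA. It assumes a 64-word RAM-resident data block protected by a CRC-32, a golden copy held in non-volatile memory (stood in for by a generator function), and a scrubber that folds a fixed number of words into the running CRC on each scheduler tick so that the per-tick cost is bounded and a full pass completes every CFG_WORDS / SCRUB_STEP ticks. All names, sizes and the bit-flip test hook are this example's own assumptions.

```c
/*
 * Added example, not part of the Honeywell PHAC or the C919 design: one
 * way to implement the SEU "integrity checks at power-up as well as
 * continuous run-time checks" position for a RAM-resident data block.
 * Block size, scrub budget, the golden-copy source and all names below
 * are this example's own assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CFG_WORDS  64u  /* words in the protected RAM block (assumed) */
#define SCRUB_STEP 8u   /* words folded into the CRC per run-time tick (assumed budget) */

typedef struct {
    uint32_t data[CFG_WORDS];
    uint32_t crc;              /* CRC-32 (IEEE, reflected) over data[] */
} cfg_block_t;

typedef struct {
    uint32_t pos;      /* next word to fold into the running CRC */
    uint32_t state;    /* running CRC state, before the final inversion */
    uint32_t passes;   /* completed passes over the whole block */
    uint32_t faults;   /* mismatches detected (and repaired) */
} scrub_t;

/* Stand-in for the golden copy held in non-volatile memory (constructed data). */
static uint32_t golden_word(uint32_t i) { return 0x1000u + 17u * i; }

/* Reflected CRC-32: fold n bytes into a running state. Start from 0xFFFFFFFF
 * and invert at the end; folding bytewise keeps slicing across ticks exact. */
static uint32_t crc32_fold(uint32_t state, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        state ^= p[i];
        for (int b = 0; b < 8; b++)
            state = (state >> 1) ^ (0xEDB88320u & (0u - (state & 1u)));
    }
    return state;
}

uint32_t cfg_crc(const cfg_block_t *blk) {
    return ~crc32_fold(0xFFFFFFFFu, (const uint8_t *)blk->data, sizeof blk->data);
}

/* Reload the block from the golden copy and recompute its stored CRC. */
void cfg_restore(cfg_block_t *blk) {
    for (uint32_t i = 0; i < CFG_WORDS; i++) blk->data[i] = golden_word(i);
    blk->crc = cfg_crc(blk);
}

/* Power-up RAM test: every cell must hold and return each pattern. This finds
 * stuck or shorted bits; transient upsets are the run-time check's job. */
bool powerup_ram_test(uint32_t *ram, size_t words) {
    static const uint32_t pat[] = { 0x00000000u, 0xFFFFFFFFu, 0xAAAAAAAAu, 0x55555555u };
    for (size_t p = 0; p < sizeof pat / sizeof pat[0]; p++) {
        for (size_t i = 0; i < words; i++) ram[i] = pat[p];
        for (size_t i = 0; i < words; i++) if (ram[i] != pat[p]) return false;
    }
    return true;
}

/* Power-up integrity check: test the RAM, load the golden copy, and confirm
 * the stored CRC against an independent recomputation before use. */
bool powerup_check(cfg_block_t *blk) {
    if (!powerup_ram_test(blk->data, CFG_WORDS)) return false;
    cfg_restore(blk);
    return cfg_crc(blk) == blk->crc;
}

void scrub_init(scrub_t *s) { memset(s, 0, sizeof *s); s->state = 0xFFFFFFFFu; }

/* Continuous run-time check, called once per scheduler tick. Folds SCRUB_STEP
 * words into the running CRC; at the end of a pass the result is compared
 * with the stored CRC and a mismatch triggers a restore from the golden copy.
 * Returns true on the tick that detects a mismatch. */
bool scrub_tick(cfg_block_t *blk, scrub_t *s) {
    s->state = crc32_fold(s->state, (const uint8_t *)&blk->data[s->pos],
                          SCRUB_STEP * sizeof(uint32_t));
    s->pos += SCRUB_STEP;
    if (s->pos < CFG_WORDS) return false;
    bool mismatch = (~s->state) != blk->crc;
    s->pos = 0;
    s->state = 0xFFFFFFFFu;
    s->passes++;
    if (mismatch) { s->faults++; cfg_restore(blk); }
    return mismatch;
}

/* Test hook standing in for a single-event upset: flip one bit in RAM. */
void inject_bit_flip(cfg_block_t *blk, uint32_t word, unsigned bit) {
    blk->data[word] ^= (1u << bit);
}

/* Run one complete scrub pass; returns true if it detected (and repaired) an upset. */
bool scrub_pass(cfg_block_t *blk, scrub_t *s) {
    bool hit = false;
    for (uint32_t t = 0; t < CFG_WORDS / SCRUB_STEP; t++) hit |= scrub_tick(blk, s);
    return hit;
}

int main(void) {
    cfg_block_t blk;
    scrub_t s;
    if (!powerup_check(&blk)) return 1;
    scrub_init(&s);
    scrub_pass(&blk, &s);                   /* clean pass: nothing reported */
    inject_bit_flip(&blk, 42, 7);           /* simulated SEU */
    bool caught = scrub_pass(&blk, &s);     /* detected at end of next pass, then restored */
    return (caught && blk.data[42] == golden_word(42)) ? 0 : 1;
}
```

On a real unit the march test would run before the block is first loaded, the restore would copy from flash, and a detection would also be reported to the health monitor rather than silently repaired. The point of slicing the CRC across ticks is that the run-time check has a fixed cost per tick and a known worst-case detection latency (CFG_WORDS / SCRUB_STEP ticks), which is the kind of containment argument the SEU position asks the applicant to show.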


6 Hardware Design Life Cycle Description


This section provides a description of the hardware design life cycle process that will be
used for this project. Specific activities for the design and verification of the AEH are
included in the description. The sub-sections explain how the objectives of each life cycle
process will be satisfied and define the key data items produced in each life cycle process.
The Hardware Development and Verification Plan for the COMAC C919 Flight Control System
[1], and the Hardware Development and Verification Plan for the COMAC C919 Flight Control
Electronics Math Engine Sequence [2] are the primary documents containing the details of
the hardware design life cycle process and the AEH life cycle process that is applicable to
new development for the ACE and the FCE Cabinet's Interface PBA; separate Hardware
Development and Verification Plans will be produced for the PCM and FMCP, and will be
addressed in the PHACs for those products. A brief overview of these processes is
described herein to aid in the understanding of the overall process. This PHAC will augment
the HDVP in order to describe compliance with DO-254 for the AEH.
The Hardware Design Life Cycle will be composed of the following stages:
1) Planning
2) Hardware Design Processes
a) Requirements Capture
b) Preliminary (Conceptual) Design
c) Detailed Design
d) Implementation
e) Production Transition
3) Supporting Processes
a) Validation and Verification Processes
b) Configuration Management
c) Process Assurance
d) Certification Liaison

6.1 Hardware Design Life Cycle


The hardware design life cycle is documented in the Hardware Development and Verification
Plan for the COMAC C919 Flight Control System [1], and the Hardware Development and
Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence [2].
The Life Cycle in these Development and Verification Plans is based upon the guidance of
RTCA/DO-254.
Figure 6-1 - Life Cycle Flow Chart provides a simplified view of the hardware life cycle that is
representative of the HDVPs. For simplicity of illustration, this diagram shows the life cycle
as a strict classical waterfall process. The classic waterfall process assumes that steps from
the previous process are completed before entering the next process. However, to reduce
development time without sacrificing quality, overlap between steps often occurs. In addition,
the diagram shows a straight down flow from one process to the next. However, in reality,
iteration occurs between process steps.


As problems are identified, a previous process step must be re -entered in order to update the
results of that process before continuing to the next step.

[Figure 6-1 is a flow chart; the diagram is not reproduced here. Its boxes, as drawn, are:]

Main flow: Planning; Develop Hardware Requirements; Develop Hardware Architecture/Concepts; Design Hardware (with parallel activities Perform Design Entry (PBA), PBA Layout; Perform ASIC/PLD Design & Analysis; Create Mechanical Models & Doc.; Perform Software Integration); Build Hardware; Perform Hardware Integration; Perform HW/SW Integration; Test & Evaluate HW (incl. HALT1); Production Transition.

Supporting processes spanning the whole flow: Process Assurance; Certification Liaison; Configuration/Change Management; Formal Verification and Validation Process/Traceability.

Figure 6-1 - Life Cycle Flow Chart

Note 1: Highly Accelerated Life Testing


Table 6-1 – ACE AEH Design Life Cycle shows a brief overview of the hardware design life
cycle activities at the ACE AEH level and at the product level that are required for DO-254
compliance of the ACE AEH. Product level activities such as hardware testing that produce
data for DO-254 compliance of the ACE AEH are included.


Table 6-1 – ACE AEH Design Life Cycle

Each entry below gives the stage, its activities, the items to be produced (Activity -> Items), and whether each item is New, Changed, Reused, or NA.

PLANNING PROCESS

Stage: Planning
  Determine Standards -> Standards [ACE – New]
  Development Planning -> Plan for Hardware Aspects of Certification [New]
  Development Planning -> Design and Verification Plans, including associated checklist(s) [New]
  Development Planning -> Quality Assurance Plan [Reused]
  Development Planning -> Configuration Management Plan [New]
  Development Planning -> Change Impact Analysis [NA]
  Review of the Standards and Development Plans -> Updated Standards and Plans [New]
  Planning Transition Criteria: Review of PHAC and HDVP, Configuration Management Plan and Quality Assurance Plan

HARDWARE DESIGN PROCESSES

Stage: Requirements Capture
  Allocate requirements from system requirements -> Requirements Baseline (prelim) [New]
  Review updated requirements -> Requirements Baseline (updated) [New]
  Trace CEH to HW and system requirements -> Traceability data [New]
  Requirements Capture Transition Criteria: Review of HW Requirements and AEH Requirements baselines, Baseline requirements traceability data


Stage: (Preliminary) Conceptual Design (including behavioral design)
  Develop concept design, constraints -> Block diagrams, Functional description [New]

Stage: Detailed Design
  Derive design details -> Design description, Schematics, Hardware Description Language (HDL) code, MES code [New]
  Design reviews [New]
  Trace CEH to detailed design -> Traceability data [New]
  Update HDL, MES code -> HDL code, MES code [New]
  Inspect HDL, inspect MES code, inspect schematics, informal testing -> Initiate/revise source code [New]
  Synthesis -> AEH netlist (N/A for MES) [New]
  AEH layout & route, PLD programming file generation, build MES load -> PLD programming file, MES Intel HEX file [New]
  Detailed Design Transition Criteria: Baseline design description, HDL, and PLD programming file

Stage: Implementation (AEH Fabrication)
  Program PLDs, FLASH -> Programmed AEH Devices, MES loaded into FLASH [New]
  Review supplier artifacts -> Supplier Review Artifacts [N/A]
  Implementation Transition Criteria: Fabrication of devices


Stage: Production Transition
  Develop Manufacturing Data -> Manufacturing Data (e.g. HCI, SCD), Review Records [New]; Top Level Drawing [New]
  Develop Acceptance Criteria Specification -> Acceptance Criteria Specification [New]
  Production Transition Criteria: Baseline Manufacturing Data, acceptance criteria

SUPPORTING PROCESSES

Stage: Validation
  Architectural Decisions -> Safety Assessment [New]
  Validation of requirements -> Requirements trace and requirements review record, regression analysis [New]
  Validation Transition Criteria: Validated requirements

Verification Entry Transition Criteria (Note 1): Requirements baseline reviewed, Implementation baseline reviewed, Baseline verification traceability data


Stage: Verification
  Trace AEH requirements to verification -> Traceability data [New]
  Analyze AEH timing -> Timing Analysis [New]
  Perform AEH behavioral simulation -> Behavioral Simulation (NA for MES) [New]
  Perform AEH gate level simulation -> Gate Level Simulation (NA for MES) [New]
  Test AEH -> AEH Verification Results [New]
  Analyze verification coverage, Level A/B tests -> Hardware Verification Coverage Analysis [New]; Hardware Verification Regression Analysis [New]; Hardware Verification Procedures [New]

Stage: AEH Configuration Management
  Identify, document and control configuration items -> CM Records [New]
  Establish baselines -> Review Records [New]
  Identify, track and report problems -> Problem Reports [New]
  Maintain change control and traceability of changes -> Change Notices, CCB records [New]
  Archive, retrieve and release configuration items -> Released data items, CM Records [New]


Stage: Process Assurance
  Perform audits for hardware plans; reviews; detecting, recording, evaluating, approving, tracking and resolving of deviations from plans and standards; conformity review; satisfaction of transition criteria of hardware life cycle processes -> Product Development Quality Assurance (PDQA) Activities & Audit Records/Reports (per Aerospace PDQA Plan) [New]
  Perform inspection to verify item is built in compliance with design data -> AEH media validation records [New]
  Maintain and produce, when required, records of process assurance activities -> PDQA files, Corrective Action Requests (CARs) [New]

Stage: Certification Liaison
  Resolve issues raised by the certification/customer authority -> Liaison Meeting action items [New]
  Submit or make available data or evidence of compliance requested by the customer -> Requested Items [New]

Note 1: Verification entry transition criteria are for entry into formal requirements based
verification activity for credit. Additional activities such as procedures reviews may precede
the entry criteria in the overall verification activities.
6.1.1 Planning Process
The planning process will begin with a review of the Statement of Work and other available
project documents to establish the baseline for the project objectives.


During the planning process, development plans and standards will be established, as
needed, to support meeting the objectives of DO-254. A combination of new documents and
existing documents will be utilized. Schedules, staffing plans, Hardware Development and
Verification Plans (HDVPs), and the PHAC will be generated and/or referenced.
The HDVPs provide the basic life cycle roadmap and description of general program
activities, including the development of program plans. Hardware plans will be written and
reviewed to standards defined in the HDVP.
Standard Configuration Management Plans and Practices will be followed, while local Work
Instructions will be updated, as needed, to incorporate program specifics. The
standard Product Development Quality Assurance Plan will be followed and Quality
Assurance Engineers will perform the activities required to support the program.
The C919 FCS will be developed to the hardware life cycle depicted in the Hardware
Development and Verification Plan for the COMAC C919 Flight Control System [1], the
Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics
Math Engine Sequence [2], and Table 6-1 – ACE AEH Design Life Cycle. Refer to Table 7-1 -
AEH Life Cycle Data – ACE for a listing of the Life Cycle Data that will be produced to
support this development.

6.1.2 Hardware Design Processes


In accordance with Section 5 of RTCA/DO-254 and in addition to the planning process (see
Section 6.1.1), the C919 FCS hardware design process will encompass a requirements
capture phase, a conceptual design phase, a detailed design phase, an implementation
phase, and a production transition phase. Together, these activities are described by the
HDVPs to reduce the probability of design and implementation errors that affect the safety
analysis.
As described in the HDVPs, these processes are iterative and controlled. Each process has
inputs and outputs and provides methods for addressing defects and/or problems that may
be identified during the development process. The overall hardware development process will
provide for the management of hardware development changes and will ensure any impact(s)
due to a design change do not adversely affect the safety analysis.
6.1.2.1 Hardware Requirements Capture Stage
By following the Requirements Standards defined in the HDVPs, requirements will be
formally captured into requirement documents and reviewed for both the Hardware end items
and the AEH as described in the hardware plans, identified in Section 7 Hardware Design
Life Cycle Data. Specific safety related hardware design requirements will be included in the
C919 Flight Controls System Requirements Specification [12]. Requirements documents are
identified in Table 7-1 - AEH Life Cycle Data – ACE.
The hardware requirements will be defined from the C919 Flight Control Electronics System
Technical Specification [101] and the C919 Flight Controls System Requirements
Specification [12]. The allocated and derived hardware requirements will be contained in the
requirements documents defined in Table 7-1 - AEH Life Cycle Data – ACE. The
requirements process will include reviews and address any issues, including safety issues.
The derived hardware requirements will be validated against system and safety requirements
using validation processes defined in the HDVPs. Requirements trace data will be
established and reviewed for all levels of requirements per the HDVPs.

6-8
Use or disclosure of information on this page is subject to the restrictions on the title page of this document.

REF: ECN-6078167
PHAC for the COMAC C919 Flight Control System - EB62000855-001 REV C

During this stage any errors or omissions, including any new derived requirements, found in
the higher level requirements will be fed back to the appropriate process by means of
Change Requests (CR) as defined in the Hardware Configuration Management Plan (HCMP)
for the COMAC C919 Flight Control System Complex Electronic Hardware (CEH) [3].
6.1.2.2 Preliminary (Conceptual) Design Stage
The conceptual design evolves as the systems requirements and hardware requirements are
captured and allocated. The processes for conceptual design are defined in the HDVPs. High
level logic partitioning, block diagrams, and the top level mechanical packaging approach are
used to capture the conceptual design. The conceptual design is documented within
ASIC/FPGA Design Documents (ADD) for the ACE PLDs and in the MES HRD for the MES.
The conceptual design is reviewed with the customer to ensure the design is valid and meets
established requirements.
As the requirements capture step completes, the conceptual design becomes firm. Derived
requirements are defined to reflect the constraints on the design of the hardware items
including AEH devices and on the interfaces to meet the systems, safety and software
requirements. These derived requirements are reviewed as a part of the requirements
capture process. The conceptual design information is updated to reflect the partitioning and
feedback from customer reviews. The conceptual design data are identified in Table 7-1 -
AEH Life Cycle Data – ACE.
During this stage any errors or omissions, including any new derived requirements, found in
the higher level requirements will be fed back to the appropriate process by means of
Change Requests (CR) as defined in the Hardware Configuration Management Plan (HCMP)
for the COMAC C919 Flight Control System Complex Electronic Hardware (CEH) [3].
6.1.2.3 Detailed Design Stage
The hardware design process will produce hardware design representation data that will be
based on the hardware requirements contained in the System Requirements Specification for
the COMAC C919 Flight Control Electronics [12] and the C919 Actuator Control Electronics
Hardware Requirements Documents. The methods and procedures which will be used to
create the design data are defined in the HDVPs.
Derived requirements may be defined to reflect design features to meet feasible hardware
implementation and safety requirements. New derived hardware requirements will be fed
back to the safety assessment process to ensure the system safety requirements are not
compromised.
The AEH hardware design process will include HDL code reviews, MES code reviews and
AEH design reviews.
During this stage any errors or omissions, including any new derived requirements, found in
earlier stages will be fed back to the appropriate process by means of Change Requests
(CR) as defined in the Hardware Configuration Management Plan (HCMP) for the COMAC
C919 Flight Control System Complex Electronic Hardware (CEH) [3].
6.1.2.4 Hardware Design Environment
Tools will be used for the hardware development when applicable. Table 8-4 - Tool
Assessment Summary shows the design tools planned to be used in the C919 Actuator
Control Electronics AEH design environment. Hardware design tools are defined as tools
whose outputs are part of hardware design and therefore can introduce errors. For the
assessment of the design tools, reference Section 8.6, Tool Assessment and Qualification.


6.1.2.5 Implementation Stage


Hardware and AEH will be implemented based on the detailed design data using methods
and procedures that are defined in the HDVPs.
The drawings produced during implementation are identified in Table 7-1 - AEH Life Cycle
Data – ACE. The implementation stage culminates with AEH production readiness reviews
and hardware readiness reviews.
During this stage any errors or omissions, including any new derived requirements, found in
earlier stages will be fed back to the appropriate process by means of Change Requests
(CR) as defined in the Hardware Configuration Management Plan (HCMP) for the COMAC
C919 Flight Control System Complex Electronic Hardware (CEH) [3].
6.1.2.6 Production Transition Stage
6.1.2.6.1 Production Transition – Product
The Production Transition Phase will use outputs from the Product Implementation and
Verification Stages to transfer the product to production. Manufacturing data will be prepared
from HC1 configuration controlled design data and will be checked for completeness and
consistency with this data. Acceptance test criteria necessary to ensure correct product
manufacturing and assembly, and to test key product features to meet functional and safety
requirements are documented in the Test Requirements Document and implemented in the
Acceptance Test Procedure which will be released by this stage.
The following documents will be generated for this phase:
• Configuration of PLDs and MES identified in drawings per Table 7-1 - AEH Life Cycle
Data – ACE, Top-level Drawings (LRU) [DO-254 Section 10.3.2.2.1].
• Safety related Production Critical issues per Table 7-1 - AEH Life Cycle Data – ACE,
Assembly Drawings [DO-254 Section 10.3.2.2.2].
• CRs per Table 7-1 - AEH Life Cycle Data – ACE, Problem Reports [DO-254 Section
10.6].
• CRs per Table 7-1 - AEH Life Cycle Data – ACE, Hardware Configuration
Management Records [DO-254 Section 10.7].
During this stage any errors or omissions, including any new derived re quirements, found in
earlier stages will be fed back to the appropriate process by means of Change Requests
(CR) as defined in the Hardware Configuration Management Plan (HCMP) for the COMAC
C919 Flight Control System Complex Electronic Hardware (CEH) [3].
6.1.2.6.2 Production Transition – AEH
The Production Transition Phase for devices identified per Table 5-4 - AEH Device DAL and
Classification will use outputs from the Product Implementation and Verification phases such
as media release and Hardware Configuration Index (HCI) to transfer the device to
production. Manufacturing data will be prepared from HC1 configuration controlled design
data and will be checked for completeness and consistency with this data.
Derived requirements may be defined to reflect manufacturing requirements to meet feasible
AEH implementation and safety requirements. The control drawings for purchasing parts will
be released by this stage.


During this stage any errors or omissions, including any new derived requirements, found in
earlier stages will be fed back to the appropriate process by means of Change Requests
(CR) as defined in the Hardware Configuration Management Plan (HCMP) for the COMAC
C919 Flight Control System Complex Electronic Hardware (CEH) [3].

6.2 Supporting Processes


6.2.1 Hardware Validation
Validation of derived hardware requirements will consist of the process of derived
requirements identification, and determining that the derived requirements are correct and
complete with respect to the intent of system requirements allocated to the hardware item.
Hardware derived requirements will be validated through a review and performed by the
Hardware Engineer, Systems Engineer, and Safety Engineer as described in the HDVPs.
Validation of derived hardware requirements is also achieved through integration-level
testing. For products with design assurance level A, B or C, review of the requirements
traceability data will be used to identify the derived requirements. Omissions and errors will
be dispositioned or resolved using the process defined in the HCMP.
AEH derived requirements will be validated to meet the hardware requirements by review of
these AEH derived requirements performed by the product Hardware Engineer, System
Engineer, and Safety Engineer as specified in the HDVPs. For CEH, the review of derived
requirements to hardware requirements and to implementation traceability data will be used
to validate the derived requirements. Derived requirements will be evaluated with respect to
system requirements allocated to hardware per DO-254 guidance. The reviews will be
archived in ClearCase. Validation of derived AEH requirements is also achieved through
hardware integration testing. Omissions and errors will be dispositioned or resolved using the
process defined in the HCMP.
6.2.2 Hardware Verification
As a part of the verification process, the AEH, circuit card assemblies and packaging are
subjected to various analyses, design verification testing and check-out activities.
The ACE CEH will be verified using a combination of architectural mitigation, bounded
complexity, requirements based testing and design assurance to prevent common mode
failures.
• The ACE hardware architecture will be defined by the FCS system-level requirements
that are allocated to the ACE. The ACE hardware architecture will be designed to
facilitate detection, reporting and mitigation of design errors.
• The ACE hardware complexity is bounded by the design and implementation. The
ACE hardware will be limited to the functionality and feature set needed to perform
the intended operation.
• The ACE hardware will follow a requirements based verification process as described
in the HDVPs. The process consists of defining a method and procedure to verify
each hardware requirement, establishing traceability data, performing the verification
and completing a verification coverage analysis. Testability features will be included
in the ACE hardware to facilitate control and observation points within the design.
Detailed verification activities are defined in the HDVPs.


• The ACE hardware design assurance approach will be based on DO-254 DAL A and
enhanced for Flight Controls. Rigor will be applied to the assessment of the ACE
hardware for potential errors that could affect flight control integrity, function, and
availability. Derived requirements and rationale will be defined for mitigation of
potential design errors and to support verification activities. The designs will be kept
simple (i.e. simple architecture, simple bus protocols and limited feature set). All
aspects of the design implementation will be testable during design verification, at
production or during service events.
The ACE verification will be performed on a representative hardware configuration that will
be equivalent to the configuration being submitted for certification. The planned verification
life cycle data is listed in Table 7-1 - AEH Life Cycle Data – ACE.
The FCM and DMRS CEH verification will be based on re-use.
Hardware environmental qualification testing will, at some point in the final design cycle,
commence using hardware built from released drawings that represent the final hardware
and packaging design. A formal assessment is conducted to ensure conformance to
configuration controlled drawings.
During this hardware verification any errors or omissions, including any new derived
requirements, found in the hardware design documents will be fed back to the appropriate
process by means of Change Requests (CR) as defined in the Hardware Configuration
Management Plan (HCMP) for the COMAC C919 Flight Control System Complex Electronic
Hardware (CEH) [3].
6.2.2.1 Verification Methods
Verification methods will consist of the following:
• Review / Inspection
• Analysis / Simulation
• Laboratory Test
• Environmental Qualification Test
• End Item Test

6.2.2.2 Design Assurance Strategies for Level A and B Hardware


The design assurance strategy for Level A and B PLDs and the Math Engine Sequence
component will be defined per DO-254 Section 2.3.4 and Appendix B. This strategy includes
addressing potential anomalous behavior and potential design errors of the hardware,
defining architectural requirements of each hardware item to support system-level
architectural mitigation, and defining an advanced design assurance strategy for the Design
Assurance Level A/B complex devices. The process descriptions below will be focused on
the activities covering the PLDs and the Math Engine Sequence (MES) component.


6.2.2.2.1 System Functional Hazard Assessment


The C919 Flight Control Electronics System Technical Specification [101] defines the
functional hazards associated with the C919 FCS system functions and identifies the
anomalous behavior and functional failures at a system level. Using these top level safety
allocations, operational, architectural, and functional failure probability requirements will be
derived and captured for the hardware in the C919 Flight Controls System Requirements
Specification [12]. The SRS requirements will be further allocated to the Flight Controls
products' subassemblies, circuits, and CEH within lower level hardware requirements
documents. A System Safety Assessment (SSA) will be used to show that the design defined
by the System Requirements Specification for the COMAC C919 Flight Control Electronics
[12] requirements is capable of meeting the safety objectives identified by the STS
allocations.
Analysis of the functional hazards and system architectural mitigation features of the
hardware will be documented in the C919 Flight Control System Preliminary System Safety
Assessment [10]. This assessment will identify design assurance levels for each LRU/LRM.
The AEH will be assigned the same design assurance level as the LRU/LRM.
6.2.2.2.2 Functional Failure Path Analysis
Functional Failure Path Analyses are not required on the hardware covered by this PHAC
because each product has a single design assurance level applied to the entire product
(reference RTCA/DO-254, section 2.3.1).
6.2.2.2.3 Architectural Mitigation
Architectural Mitigation will not be used as a strategy to achieve Level A/B design assurance
of the PLDs or Math Engine Sequence component; however device level requirements
required to support system level architectural mitigation are documented and verified.
Mitigation requirements will be captured in the SRS and hardware requirements documents
and validated by the SSA.
Specifically, these architectural requirements will define the architectural features needed to
support system-level safety requirements. These architectural requirements will include
fail-safe design features, fault tolerant design features, redundant features, dissimilar functions
and partitioning requirements.
The safety analysis will establish the effectiveness of the architectural mitigation defined in
the system requirements and implemented in hardware. The safety analysis will include a
common mode analysis that addresses the potential for common mode errors in
requirements, implementation, manufacturing and maintenance that could defeat the
mitigation. The safety analysis data will include:
• Description of the architectural approach and coverage provided.
• Common mode failure analysis specifically addressing the architectural
mitigation aspects of the hardware design.
• Conventional failure rate data and latent fault exposure assessment data for
architecturally mitigated hardware.


The safety-related architectural requirements allocated to the hardware design will be
identified in the hardware requirements documents (HRD and ASIC/FPGA Requirements
Documents (ARDs)) and will be verified by the hardware verification procedures. Each
complex PLD and Math Engine Sequence component will have an ARD or HRD containing
functional requirements including safety-related requirements for the device. These
requirements will be verified by hardware verification procedures traced to the requirements.
The Hardware Verification Reports will summarize the verification results.
6.2.2.2.4 Elemental Analysis for PLDs
For Design Assurance Level A and B PLDs, elemental analysis will be applied to define
verification completion criteria for the requirements based verification. The ASIC/FPGA Test
Procedures Document (ATPD) will define verification test cases for the requirements based
verification of the PLD.
During the detailed design phase, the requirements for a PLD will be partitioned by function
into smaller pieces called modules. A top-level block diagram and secondary-level block
diagrams, for complex modules, are captured in the ARD to illustrate the modules and to
define the signal interfaces between them. A detailed implementation for each module is
written in HDL.
For PLDs, an element is defined as a registered logic expression or combinational logic
expression that is captured in HDL. The elements are not defined at a level below that
specified by the design. The elemental analysis will show that all elements of each HDL
module of the design are verified using requirements based simulation procedures.
Simulation-based code coverage will measure the completeness of the simulation procedures
in covering the elements.
Code coverage is performed using statement, branch, decision, and expression coverage.
Obtaining completeness of these coverage metrics will meet the criteria of fully covering the
elements.
The set of verification test cases defined in the ATPD are the basis for writing the simulation
procedures. These same test cases are also the basis for hardware tests and other design
verification procedures.
The simulation code coverage will report the elements within the design that have been
exercised by simulation procedures and the elements that are uncovered. During the
elemental analysis, uncovered elements will be addressed by:
• Adding or modifying test cases and corresponding simulation procedures (that can be
traced to existing requirements)
• Modifying or adding derived requirements, then supplementing the test cases and
corresponding simulation procedures relative to the requirement(s)
• Ensuring that any unused functions are positively isolated or deactivated
• Providing rationale to justify uncovered functionality, and showing that any anomalous
behavior of the uncovered element can be bound by analysis to not cause a safety
effect
An Elemental analysis artifact will include:
• Final code coverage reports that show coverage on all elements of the design
• Unused function analysis


• Justification for remaining uncovered elements

Note that the simulation test cases and simulation procedures are reviewed as a part of the
Test Case review, and Verification Procedures review, respectively.
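The elemental analysis bookkeeping described above, as an added worked example that is not part of the PHAC and not Honeywell's tooling: it reads a constructed, assumed coverage export (one row per HDL element with its module, element id, coverage metric and hit count), reports completeness per metric, lists the uncovered elements, and checks that every uncovered element carries one of the four dispositions the section allows. The export layout, module names and disposition keys are assumptions for illustration.

```python
"""Elemental analysis bookkeeping for PLD requirements-based simulation.

Added example, not the PHAC's or Honeywell's tooling. The coverage export
format (module, element, metric, hits) and the module/element names are
assumptions; the four coverage metrics and the four dispositions for
uncovered elements follow Section 6.2.2.2.4.
"""
from collections import defaultdict
from dataclasses import dataclass

METRICS = ("statement", "branch", "decision", "expression")

# Allowed dispositions for an uncovered element (Section 6.2.2.2.4).
DISPOSITIONS = {
    "new_test_case",        # test case added, traced to an existing requirement
    "derived_requirement",  # derived requirement added, then test cases added
    "deactivated",          # unused function positively isolated or deactivated
    "justified",            # rationale bounds anomalous behaviour to no safety effect
}


@dataclass(frozen=True)
class Element:
    module: str
    element_id: str
    metric: str
    hits: int


def parse_coverage(text):
    """Parse 'module,element,metric,hits' lines (assumed export layout)."""
    elems = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        module, eid, metric, hits = (f.strip() for f in line.split(","))
        if metric not in METRICS:
            raise ValueError(f"unknown coverage metric {metric!r} for {module}.{eid}")
        elems.append(Element(module, eid, metric, int(hits)))
    return elems


def coverage_by_metric(elems):
    """Fraction of elements covered for each metric, e.g. {'branch': 0.5, ...}."""
    total = defaultdict(int)
    covered = defaultdict(int)
    for e in elems:
        total[e.metric] += 1
        if e.hits > 0:
            covered[e.metric] += 1
    return {m: (covered[m] / total[m] if total[m] else 1.0) for m in METRICS}


def elemental_analysis(elems, dispositions):
    """Return (uncovered, undispositioned, complete).

    uncovered: 'module.element' keys with zero hits.
    undispositioned: uncovered keys lacking a valid disposition.
    complete: True only when every uncovered element has a valid disposition.
    """
    uncovered = [f"{e.module}.{e.element_id}" for e in elems if e.hits == 0]
    undispositioned = [k for k in uncovered
                       if dispositions.get(k) not in DISPOSITIONS]
    return uncovered, undispositioned, not undispositioned


# Constructed sample coverage export for two hypothetical HDL modules.
SAMPLE_COVERAGE = """
# module, element, metric, hits
cmd_decoder, st_12, statement, 41
cmd_decoder, br_3_true, branch, 7
cmd_decoder, br_3_false, branch, 0
cmd_decoder, dc_5, decision, 3
vote_logic, ex_2, expression, 12
vote_logic, st_8, statement, 0
vote_logic, st_9, statement, 0
"""

# Constructed disposition log keyed by 'module.element'.
SAMPLE_DISPOSITIONS = {
    "cmd_decoder.br_3_false": "new_test_case",
    "vote_logic.st_8": "deactivated",
    # vote_logic.st_9 deliberately has no disposition yet
}

if __name__ == "__main__":
    elems = parse_coverage(SAMPLE_COVERAGE)
    for metric, frac in coverage_by_metric(elems).items():
        print(f"{metric:<10} {frac:6.1%}")
    uncovered, open_items, done = elemental_analysis(elems, SAMPLE_DISPOSITIONS)
    print("uncovered:", uncovered)
    print("open:", open_items, "complete:", done)
```

With the constructed data the analysis is not complete: `vote_logic.st_9` is uncovered and has no disposition, so the verification completion criterion of the section is not yet met; adding any of the four allowed dispositions for it makes the check pass.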

6.2.2.2.5 Elemental Analysis for the Math Engine Sequence Component


Elemental analysis will be applied to the Math Engine Sequence component to define the
verification completion criteria for the requirements based verification.
During the detailed design phase, the requirements for each function in the Math Engine
Sequence are decomposed from the systems requirements and captured in the Math Engine
Sequence Requirements Document. The requirements for each function are defined as a
sequence of mathematical and/or logical operations and parameters over which the
sequence will operate. The implementation of the function, i.e. the Perl code, directly
implements the sequence of operations defined for the function in the Math Engine Sequence
Requirements Document. Hence, the mapping of the requirements to the implementation is
explicitly defined by the requirements.
For the Math Engine Sequence, an element can be defined as one mathematical or logical
operation and its operands, in other words, one line of Perl code. The same sequence of
operations is performed every Direct Mode frame without variation and fully implements the
functionality allocated to the Math Engine Sequence. During requirements based testing,
each function must be shown to operate over the required range of the parameters for the
function. It will take multiple passes through the Math Engine Sequence to cover each
function over its range of parameters.
The Verification Report for the Math Engine Sequence will define verification test cases for
the requirements based verification. Elemental analysis will be performed by reviewing the
verification test cases for each function of the Math Engine Sequence against the required
sequence of operations and the range of parameters for it. The analysis will show that the
set of verification test cases traced to the function completely covers it.
During the elemental analysis, incomplete verification will be addressed by:
• Adding or modifying test cases and corresponding test procedures to cover the hole
• Modifying or clarifying the Math Engine Sequence requirements, then supplementing
the test cases and corresponding test procedures relative to the updated requirement
An Elemental analysis artifact will include:
• Final test case review report that shows coverage of each function of the Math Engine
Sequence over the specified range of parameters
• Actions taken from analysis of the initial reports including added test cases or
requirements
• Justification for remaining uncovered conditions, such as a parameter limit or value
that cannot be reached under normal operation due to system or higher level
hardware constraints on the stimuli at the Math Engine Sequence inputs


6.2.2.3 Hardware Verification Environment


In accordance with Section 6.2 of RTCA/DO-254, verification of requirements is the process
that provides assurance that the implemented design satisfies all requirements. Since the
design concept of C919 hardware involves circuit card assemblies, PLDs, electrical
components, and packaging, the exact verification strategy and methodology will be different
depending on the requirements and hardware entity being verified. Verification of
requirements is conducted on hardware that is equivalent to the configuration intended for
certification. Verification is performed using reviewed and baselined verification procedures.
Verification coverage analysis and the methods for establishing requirements verification for
each envisioned type of hardware entity are described by processes contained in the HDVP.
Verification coverage is analyzed during a verification results review to ensure that each
requirement has been verified with an appropriate procedure, each verification procedure has
been executed and the results reviewed, discrepancies between actual and expected results
are explained or corrected, and verification completion criteria have been met.
In accordance with the HDVP, the final safety assessment process also verifies the
implemented design meets all safety-related requirements.
Design or verification data changes or omissions identified during the verification phase are
controlled using established change management and configuration management methods as
described in the HDVPs and their supplemental processes.
The results of all verification activities will be summarized in the Hardware Accomplishment
Summary (HAS). In accordance with the HDVP and in conjunction with Section 6.2.2 of
RTCA/DO-254 any discrepancies between actual verification results versus expected results
will be explained in the HAS.
Hardware verification is complete when all requirements have been verified and verification
coverage criteria have been met.
6.2.2.3.1 Hardware Verification Methods
Verification methods include End Item Test (EIT), system test, manual lab test, analysis
(including simulation) and review (including inspection).
Verification of the End Item, PBA or PLD level requirements by hardware test methods is
performed on the completed assembly that includes any PLDs.
End Item Test (EIT) is an automated, closed-box test that is used as an acceptance test
procedure (ATP) during production. The EIT fixtures provide stimuli and collect outputs at the
primary LRM interfaces, emulating the system interfaces to the LRM. Test cases are
provided via test software and may be supported by embedded software. End Item Test logs
report actual observed values in most cases. During hardware development, Built In Test
(BIT) features, test inputs and observability points are considered to facilitate requirements
based testing in a closed box test environment.
System test is a closed box test and is considered hardware/software integration testing.
System test may consist of both automated and directed tests in a test fixture designed to
contain or emulate system interfaces to the LRM. Test cases are provided either by
application software hosted on the FCM or external test software. Testing may be supported
by embedded test software on the FCM such as Power Up BITE.


Manual lab tests are open-box tests conducted in the development lab. Custom fixtures may
be created to facilitate accessibility and control at a PBA level. External power supplies,
external I/O generators, run-time monitors, or embedded software may be used to provide
test stimulus. Appropriate responses are checked by capturing the response through the use
of traditional or customized test equipment.
Analyses such as Power Dissipation/Consumption Analysis, PLD Timing Analysis, Signal
Integrity Analysis, and Thermal Analysis will be performed during the design phase.
Hardware requirements coverage, including coverage of PLDs will be claimed for as many
test cases as possible with EIT, system test and manual lab tests on the target hardware.
Other methods such as analysis, simulation and review will be used to cover the test cases
that could not be covered with tests on the target hardware.
The percentage of requirements for each PLD/Math Engine Sequence component that are
verified by hardware test will be recorded in the Hardware Accomplishment Summary.
6.2.2.3.2 Hardware Verification Standards
Hardware verification is complete when all requirements have been verified and verification
coverage criteria have been met.
Hardware verification is performed to standards defined in Table 7-1 - AEH Life Cycle Data –
ACE item 10.2.3. The verification activities will be performed with independence as defined
in the HDVPs.
6.2.2.3.3 Robustness Testing
To demonstrate robustness, requirements-based tests will be defined and executed to cover
normal and non-normal operating conditions. The derived hardware requirements will
include: expected behavior under fault and exception conditions; necessary test points to
support requirements verification; failure and error detection methods; and specific
constraints used to control unused functions. Each requirement will be traced to one or more
test cases that will be run to demonstrate correct behavior of the hardware against these
requirements.
For the PLDs and the Math Engine Sequence, requirements will cover the specification of
design behavior under abnormal input conditions, fault and exception conditions, out of range
or invalid inputs and improper interface protocols. These requirements will be verified in
requirements-based simulation and testing.
For the PLDs, qualification testing will verify the PLD performance over robust environmental
operation conditions. Static timing analysis will be performed to ensure proper operation over
process, voltage and temperature conditions.
6.2.2.4 Traceability Data
Traceability data will be generated to show a complete trail of system level requirements
through hardware requirements and design, to verification activity, as described in the HDVP.
Each hardware requirement is traced to test cases, verification methods, procedures and
results. The PLD trace information is documented in an ASIC/FPGA Verification Report
(AVR), and the MES trace information is documented in an MES Trace Report.
A trace report will be generated from the trace data and checked for accuracy and
completeness during verification reviews. Requirements verification traceability is applicable
for all PLD and MES requirements.


During the verification reviews, the verification trace report will be assessed to check the
completeness of the procedures in covering the requirements linked to it. During the final
verification review the verification trace report will be reviewed to assess the verification
coverage of the requirements in terms of the execution of the procedures and their pass/fail
status.
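The trace report assessment described in this section and the "percentage of requirements verified by hardware test" figure from Section 6.2.2.3.1, as an added worked example that is not part of the PHAC and not Honeywell's tooling. It models the trail system requirement, hardware requirement, test case, procedure, result over constructed records and reports the gaps a verification review would flag (requirements without test cases, references to missing test cases, test cases without procedures, procedures not run, procedures that failed). The record layout, identifiers and the set of hardware-test method names are assumptions; a real AVR or MES Trace Report would be exported from the requirements tool rather than typed in as dataclasses.

```python
"""Trace report completeness check (added example, not the PHAC's tooling).

Models the trail of Section 6.2.2.4: system requirement -> hardware (PLD or
MES) requirement -> test case -> procedure -> result. Record layout and all
identifiers are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Methods that count as tests on the target hardware (Section 6.2.2.3.1 names
# EIT, system test and manual lab test; the key spellings are assumptions).
HARDWARE_TEST_METHODS = {"EIT", "system_test", "lab_test"}


@dataclass
class HwRequirement:
    req_id: str
    parent_sys_req: str                 # system requirement it traces up to
    test_cases: List[str] = field(default_factory=list)


@dataclass
class TestCase:
    tc_id: str
    method: str                         # simulation, EIT, analysis, review, ...
    procedure: Optional[str] = None     # procedure id, None if not yet written


@dataclass
class ProcedureResult:
    proc_id: str
    executed: bool
    passed: Optional[bool]              # None when not executed


def trace_review(hw_reqs, test_cases, results):
    """Assess verification coverage from the trace data.

    Returns a dict of finding lists plus 'complete', which is True only when
    every requirement traces to at least one existing test case, every such
    test case has a procedure, and every procedure was executed and passed.
    """
    tcs = {t.tc_id: t for t in test_cases}
    res = {r.proc_id: r for r in results}
    findings = {
        "req_without_test": [],
        "dangling_test_ref": [],
        "test_without_procedure": [],
        "procedure_not_run": [],
        "procedure_failed": [],
    }
    for req in hw_reqs:
        if not req.test_cases:
            findings["req_without_test"].append(req.req_id)
        for tc_id in req.test_cases:
            tc = tcs.get(tc_id)
            if tc is None:
                findings["dangling_test_ref"].append(f"{req.req_id}->{tc_id}")
                continue
            if tc.procedure is None:
                findings["test_without_procedure"].append(tc.tc_id)
                continue
            r = res.get(tc.procedure)
            if r is None or not r.executed:
                findings["procedure_not_run"].append(tc.procedure)
            elif not r.passed:
                findings["procedure_failed"].append(tc.procedure)
    # De-duplicate each list while keeping first-seen order.
    for key in findings:
        findings[key] = list(dict.fromkeys(findings[key]))
    findings["complete"] = not any(findings.values())
    return findings


def hardware_test_share(hw_reqs, test_cases):
    """Fraction of requirements with at least one test case run on target hardware."""
    tcs = {t.tc_id: t for t in test_cases}
    if not hw_reqs:
        return 0.0
    on_target = sum(
        1 for r in hw_reqs
        if any(t in tcs and tcs[t].method in HARDWARE_TEST_METHODS for t in r.test_cases)
    )
    return on_target / len(hw_reqs)


# Constructed sample trace data (all identifiers are invented).
SAMPLE_REQS = [
    HwRequirement("PLD-001", "SYS-10", ["TC-1", "TC-2"]),
    HwRequirement("PLD-002", "SYS-10", ["TC-3"]),
    HwRequirement("PLD-003", "SYS-11", []),          # no test case yet
    HwRequirement("PLD-004", "SYS-11", ["TC-9"]),    # refers to a missing test case
]
SAMPLE_TCS = [
    TestCase("TC-1", "simulation", "SIM-PROC-01"),
    TestCase("TC-2", "EIT", "EIT-PROC-07"),
    TestCase("TC-3", "simulation", None),            # procedure not written
]
SAMPLE_RESULTS = [
    ProcedureResult("SIM-PROC-01", True, True),
    ProcedureResult("EIT-PROC-07", True, False),     # executed, failed
]

if __name__ == "__main__":
    for key, value in trace_review(SAMPLE_REQS, SAMPLE_TCS, SAMPLE_RESULTS).items():
        print(f"{key:<24} {value}")
    print(f"hardware test share: {hardware_test_share(SAMPLE_REQS, SAMPLE_TCS):.0%}")
```

Each finding list maps to a review action from the text: a requirement without a test case or a test case without a procedure is a coverage gap, a procedure that was not run or failed is an execution or pass/fail status issue, and only an empty set of findings lets the final verification review claim completion.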
6.2.3 Hardware Configuration Management
Hardware Configuration management encompasses these specific activities:
• Identification of design items requiring configuration to support design replication;
• Identification of the design baseline, or baselines;
• Problem reporting and tracking (change management); and
• Management of configured data items, including archiving and retrieval.
Together, these individual strategies, processes, and methods will ensure design data will be
captured, configured, and protected once the baseline is established. This provides the
mechanisms for feedback to the System Safety Analysis, System Requirements, or software
development processes.
Three configuration management plans are used to describe the configuration management
processes and tools used for C919 Flight Controls Electronics.
• Hardware and Software Configuration Management Plan for COMAC C919 Flight
Controls [5]
• Hardware Configuration Management Plan for COMAC C919 Flight Control System
Complex Electronic Hardware (CEH) [3]
• Hardware Configuration Management Plan for Aerospace North Phoenix Product
Hardware [4]

The Hardware and Software Configuration Management Plan for COMAC C919 Flight
Controls [5] is applicable to hardware HC1 life cycle data items and software CC1 life cycle
data that are released and controlled in Aerospace Product Data Management (AeroPDM).
The plan covers the activities of configuration identification, baseline establishment, change
control, and release, archival and retrieval for that data.
The Hardware Configuration Management Plan for C919 CEH [3] covers the CM activities of
configuration identification, baseline establishment, change control, and use of CM tools for
HC1 life cycle data items in development up to the point of being released into AeroPDM.
The Hardware Configuration Management Plan for the COMAC C919 Flight Control System
Complex Electronic Hardware (CEH) [3] also covers the CM aspects for HC2 life cycle data
and problem reporting during hardware development for both HC1 and HC2 life cycle data
items.
The Hardware Configuration Management Plan for Aerospace North Phoenix Product
Hardware [4] outlines the Honeywell Aerospace CM policy, organization and procedures for
identifying and documenting the functional and physical characteristics of hardware
configuration items, controlling changes to those items and recording and reporting change
implementation status.
The CM tools used for configuration management of life cycle data items are described in the
Hardware Configuration Management Plan for C919 CEH [3] and are summarized herein:

6-18
Use or disclosure of information on this page is subject to the restrictions on the title page of this document.

REF: ECN-6078167
PHAC for the COMAC C919 Flight Control System - EB62000855-001 REV C

• Aerospace Product Data Management (AeroPDM) is used to implement formal control
of HC1 and optionally HC2 life cycle data. This tool is managed by the Configuration
Management and Data Services (CMADS) organization.
• IBM Rational ClearCase or ACM/CM21 are used to manage HC1 life cycle data
during development up to the point of being released into AeroPDM and HC2 life
cycle data.
• IBM Rational ClearQuest or ACM/CM21 are a change management system used to
manage HC1 life cycle data during development up to the point of b eing released into
AeroPDM, and HC2 life cycle data items. ClearQuest™ is the tool used as the CEH
problem reporting system.
Problem reporting and change control will be established at the beginning of the
development phase, prior to putting the hardware design data under configuration control.
ClearQuest™ or ACM/CM21 are used for problem reporting, configuration of design data,
and change control during development. Design data that are production-related drawings,
such as schematics, are under configuration control in the Production Release system. As a
general rule, once reviewed, the work product will go under engineering configuration
management and change control in the configuration management tool, or be submitted to the
Production Release system, which provides these same controls. Review packages will be
archived in the configuration management tool. Drawings needed for Production to build the
hardware will be released in the Production Release system before units are built by Production.
Key work products required by the regulatory agencies or customer and the PLD and Math
Engine Sequence designs are normally controlled with engineering processes until the
design is mature and subsequently released in the Production Release system. Prior to
certification, additional local work instructions will be used to document configuration
management and change control processes of the physical hardware.
When the reviews for design data such as ARDs, HDL, MES code and ATPDs are completed,
they will be baselined and under configuration and change control. From that point on,
changes to them will be controlled through Change Requests (CRs) and the Hardware
Review Board (HRB) process.
6.2.3.1 PLD and Math Engine Sequence archives
The PLD and Math Engine Sequence designs will be configuration and change controlled
following their reviews. When the PLD or Math Engine Sequence development is complete
and released into production, all source data, control files and tool information used to create
the PLD programming file or truth table, or Math Engine Sequence will be archived using the
configuration management (CM) procedures defined in the HCMP. For each PLD and Math
Engine Sequence archive, the hardware life cycle data will be defined in a Hardware
Configuration Index or equivalent. The hardware life cycle data is one part of the required
Hardware Configuration Index (HCI) content. It also contains the following HCI content:
• Equipment level part number
• ASIC/PLD product - part number
• PLD programming file or Math Engine Sequence memory image
• Each source code component, including constraints, scripts
• Source media (design archive) and release media (media for PLD programming file or
ASIC netlist)


• Instructions for building PLD programming file or ASIC netlist


• Data integrity checks for PLD programming file (N/A for ASICs)
Hardware Environment Configuration Index (HECI) content will be documented in this HAS.
Electronic Design Automation tools are identified by a unique Honeywell part number and
archived.
Additional data, equivalent to contents of a component data sheet, such as functional
description, pinout and timing information is referenced or included in an ASIC/PLD/Math
Engine Sequence archive. Design process outputs that are not formal documents are also
included. A descriptive file or index is included in the archive that defines the contents of the
archive and explains the steps followed to create the ASIC/PLD/Math Engine Sequence
device.
The data is organized in an electronic database. If a change is made to a released
ASIC/PLD/Math Engine Sequence and a new configuration is released to production, a new
baseline of these source files and data is archived.
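As an added example (not the PHAC's own procedure and not Honeywell's tooling), the following Python models the HCI content items listed above as a manifest for one PLD archive and verifies a release archive against that baseline, reporting a modified programming file, a missing source component, and a file that is not part of the configured baseline. The manifest layout, SHA-256 as the data integrity check, and every part number and file name are assumptions constructed for the example.

```python
import hashlib
import json

# Constructed sample release archive (file name -> contents). These stand in for
# the files of a PLD design archive; the names and contents are hypothetical.
SAMPLE_ARCHIVE = {
    "EXAMPLE-PLD-101.bit": bytes(range(256)) * 4,  # hypothetical programming file
    "src/top.vhd": b"entity top is end top;\n",
    "src/constraints.xdc": b"set_property PACKAGE_PIN A1 [get_ports clk]\n",
    "scripts/build.tcl": b"synth_design -top top\n",
    "BUILD_INSTRUCTIONS.txt": b"Run scripts/build.tcl with the tool version listed in the HECI.\n",
}


def sha256_hex(data: bytes) -> str:
    """Integrity check assumed for this example: SHA-256 of the file contents."""
    return hashlib.sha256(data).hexdigest()


def build_hci(equipment_pn: str, pld_pn: str, programming_file: str,
              source_components: list[str], build_instructions: str,
              archive: dict[str, bytes]) -> dict:
    """Record the HCI content items for one PLD archive: equipment-level part
    number, PLD part number, programming file, source components (including
    constraints and scripts), build instructions, and an integrity check for
    each file so a later release can be compared with this baseline."""
    listed = [programming_file, *source_components, build_instructions]
    missing = [name for name in listed if name not in archive]
    if missing:
        raise ValueError(f"HCI references files not in the archive: {missing}")
    return {
        "equipment_part_number": equipment_pn,
        "pld_part_number": pld_pn,
        "programming_file": programming_file,
        "source_components": sorted(source_components),
        "build_instructions": build_instructions,
        "integrity": {name: sha256_hex(archive[name]) for name in listed},
    }


def verify_archive(hci: dict, archive: dict[str, bytes]) -> list[str]:
    """Compare a release archive with its HCI baseline. Returns a list of
    findings; an empty list means every listed item is present with the
    recorded digest and the archive carries nothing the HCI does not list."""
    findings = []
    for name, expected in hci["integrity"].items():
        if name not in archive:
            findings.append(f"missing: {name}")
        elif sha256_hex(archive[name]) != expected:
            findings.append(f"digest mismatch: {name}")
    # Unlisted files mean the archive is not the configured baseline.
    for name in sorted(set(archive) - set(hci["integrity"])):
        findings.append(f"not in HCI: {name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build the HCI from the clean archive, then check a tampered copy."""
    hci = build_hci(
        equipment_pn="EXAMPLE-EQUIP-901",  # hypothetical part numbers
        pld_pn="EXAMPLE-PLD-101",
        programming_file="EXAMPLE-PLD-101.bit",
        source_components=["src/top.vhd", "src/constraints.xdc", "scripts/build.tcl"],
        build_instructions="BUILD_INSTRUCTIONS.txt",
        archive=SAMPLE_ARCHIVE,
    )
    clean = verify_archive(hci, SAMPLE_ARCHIVE)
    # Tampered copy: last byte of the bitstream changed, one constraint file
    # dropped, and a file added that the HCI never listed.
    tampered = dict(SAMPLE_ARCHIVE)
    tampered["EXAMPLE-PLD-101.bit"] = tampered["EXAMPLE-PLD-101.bit"][:-1] + b"\x00"
    del tampered["src/constraints.xdc"]
    tampered["src/debug_patch.vhd"] = b"-- not part of the baseline\n"
    return clean, verify_archive(hci, tampered)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```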
6.2.3.2 Problem Reporting
A problem reporting system will be set up using ClearQuest. Problem reports will be entered
into the system as Change Requests (CR) and will then be evaluated and dispositioned by
the appropriate CCB for each specific artifact.
6.2.3.3 Hardware Changes During Development
Changes to hardware drawings will be executed per the processes defined in the Hardware
Configuration Management Plan for Aerospace North Phoenix Product Hardware [4] .
Change management will be conducted by the CCB to ensure that the problem reports are
correctly applied to configuration items and baselines under configuration control. The CCB
will evaluate the impact of the change and determine the appropriate life cycle activities to
be repeated, including re-verification if necessary.
6.2.3.4 Post-Certification ASIC/PLD/MES Change Management
Changes to ASICs/PLDs/Math Engine Sequence in certified systems or equipment developed
under this PHAC will be controlled by the change management process defined in the
applicable Hardware Development and Verification Plan [1, 2] and consistent with DO-254
Chapter 11.1.1, Modifications to Previously Developed Hardware. This process covers
changes to the ASIC/PLDs/Math Engine Sequence with no change to the hardware design
assurance level and with no change to the specific certification basis. The ASIC/PLD/Math
Engine Sequence changes cover modifications due to requirement changes, detection of
errors, hardware or ASIC/PLD/Math Engine Sequence technology enhancements and parts
obsolescence. These changes cause a new configuration to be released to production. The
changed ASIC/PLD/Math Engine Sequence must maintain the same functional scope or
nearly the same functional scope as defined in this PHAC and will be considered minor
changes at the ASIC/PLD/Math Engine Sequence level. All other changes will be considered
major changes at the ASIC/PLD/Math Engine Sequence level and will be considered to be a
new design. New ASIC/PLD/Math Engine Sequence designs are to be developed to a new
PHAC.
Changes to the ASIC/PLD/Math Engine Sequence will be made only as a result of approved
change requests under the program change control practices.


A hardware change impact analysis will document the change request and the regression
activities consistent with the applicable HDVP. The safety engineer is responsible for
identifying impacts to safety requirements prior to the approval of the change request to the
ASIC/PLD/Math Engine Sequence. The HDVP defines the process for completing the change
and regression verification and qualification activities.

6.2.3.5 Post-Certification Change Management for non-ASIC/PLD Hardware


Changes to the hardware design, excluding ASICs/PLDs/Math Engine Sequence, developed
under this PHAC will be controlled by the change management process defined in the work
instruction Change Notification [20].

6.3 Process Assurance


The Aerospace Product Development Quality Assurance Plan (PDQA plan) [6] defines the
process assurance activities and procedures that will be performed.
The process activities will include:
• Develop a process assurance schedule containing the quality activities to be
performed throughout the project life cycle
• Assure that the hardware development and integral processes comply with approved
plans and standards
• Assure that the processes are being followed by doing audits/reviews
• Participate in project reviews
• Conduct test set-up witnessing/reviews
• Assure that problem reports are reported, tracked, and resolved
• Assure that defined transition criteria are met
• Assure that deviations from hardware plans and standards are tracked and resolved
• Generate and maintain quality records
• Assure that subcontractor processes are consistent with hardware plans
All quality records will be archived as defined in the Aerospace Product Development Quality
Assurance Plan.
The quality group is an independent group and does not report through the project
management reporting structure.

6.4 Certification Liaison


The Certification Liaison group will handle communications between the project and the
certification authorities. The Certification Liaison is responsible for the following items:
• Resolving certification related issues raised by the certification authority or customer
• Submitting data or evidence of compliance requested by the customer or certification
authority
• Performing internal SOI audits to assess readiness


The following individuals will provide review and approval during the development of this
project as delegated.
• Doug Pope, Honeywell, Inc., Supplier Airworthiness Liaison (candidate)
• Bill Nolte, Honeywell, Inc.


7 Hardware Design Life Cycle Data


This section of the PHAC identifies the hardware life cycle data that will be produced. This
section includes the data (by document number and title) that will be used, generated, or
updated during the hardware development process supporting compliance to DO-254.

7.1 Actuator Control Electronics Life Cycle Data


AEH life cycle data for the ACE is shown per Table 7-1 - AEH Life Cycle Data – ACE. Entries
in the “Submit” column of Table 7-1 correlate to DO-254 Appendix A life cycle data submittal
requirements for each DO-254 section number. Note that some Honeywell documents
address multiple DO-254 life cycle data items.
Table 7-1 - AEH Life Cycle Data – ACE

DO-254 Section # | DO-254 Hardware Life Cycle Data | Honeywell Document Identifier | Honeywell Data Item | Config Cat. | New/Changed/Reused | Submit
10.1 | Hardware Plans | | | | |
10.1.1 | Plan for Hardware Aspects of Certification (PHAC) | EB62000855-001 | Plan for Hardware Aspects of Certification for the COMAC C919 Flight Control System | HC1 | New | S
10.1.2 | Hardware Design Plan | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC2 | New |
10.1.2 | Hardware Design Plan | EB62001711-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence | HC2 | New |
10.1.3 | Hardware Validation Plan | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC2 | New |
10.1.3 | Hardware Validation Plan | EB62001711-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence | HC2 | New |
10.1.4 | Hardware Verification Plan | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC2 | New | S
10.1.4 | Hardware Verification Plan | EB62001711-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence | HC2 | New | S
10.1.5 | Hardware Configuration Management Plan | EB62000771-001 | Hardware and Software Configuration Management Plan for COMAC C919 Flight Controls | HC1 | New |
10.1.5 | Hardware Configuration Management Plan | EB62000944 | Hardware Configuration Management Plan for the COMAC C919 Flight Control System Complex Electronic Hardware (CEH) | HC1 | New |
10.1.5 | Hardware Configuration Management Plan | EB62000979-001 | Hardware Configuration Management Plan for Aerospace North Phoenix Product Hardware | HC1 | New |
10.1.6 | Hardware Process Assurance Plan | C67-0210-005 | Aerospace Product Development Quality Assurance Plan | HC2 | Reused |
10.2 | Hardware Standards | | | | |
10.2.1 | Requirement Standards | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC2 | New |
10.2.1 | Requirement Standards | EB62001711-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence | HC2 | New |
10.2.2 | Hardware Design Standards | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC2 | New |
10.2.2 | Hardware Design Standards | EB62001711-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence | HC2 | New |
10.2.3 | Verification and Validation Standards | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC2 | New |
10.2.3 | Verification and Validation Standards | EB62001711-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence | HC2 | New |
10.2.4 | Hardware Archive Standards | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC2 | New |
10.2.4 | Hardware Archive Standards | EB62001711-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control Electronics Math Engine Sequence | HC2 | New |
10.3 | Hardware Design Data | | | | |
10.3.1 | Hardware Requirements | PS62002553-001 | System Requirements Specification for the COMAC C919 Flight Control Electronics | HC1 | New |
10.3.1 | Hardware Requirements | EB62001454-001 | Hardware Requirements Document for the C919 Actuator Control Electronics | HC1 | New |
10.3.1 | Hardware Requirements | EB62000954 | COMAC C919 FCS ACE I/O Controller (IOC) PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000955 | COMAC C919 FCS ACE Command Lane Normal Mode PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000956 | COMAC C919 FCS ACE Monitor Lane Normal Mode PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000957 | COMAC C919 FCS ACE Command Lane Direct Mode PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000958 | COMAC C919 FCS ACE Monitor Lane Direct Mode PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000959 | COMAC C919 FCS Command Lane Common Partition PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000960 | COMAC C919 FCS Monitor Lane Common Partition PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000961 | COMAC C919 FCS ACE Monitor Lane Common Partition Receiver PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62000962 | COMAC C919 FCS ACE Common Partition I/O PLD ARD | HC1 | New |
10.3.1 | Hardware Requirements | EB62001712-001 | COMAC C919 FCE Math Engine Sequence HRD | HC1 | New |
10.3.2 | Hardware Design Representation Data | | | | |
10.3.2.1 | Conceptual Design Data | EB62000963 | COMAC C919 FCS ACE I/O Controller (IOC) PLD ADD | HC1 | New |
10.3.2.1 | Conceptual Design Data | EB62000964 | COMAC C919 FCS ACE Command Lane Normal Mode PLD ADD | HC1 | New |
10.3.2.1 | Conceptual Design Data | EB62000965 | COMAC C919 FCS ACE Monitor Lane Normal Mode PLD ADD | HC1 | New |
10.3.2.1 | Conceptual Design Data | EB62000966 | COMAC C919 FCS ACE Direct Mode PLD ADD | HC1 | New |
10.3.2.1 | Conceptual Design Data | EB62000968 | COMAC C919 FCS Command and Monitor Lane Common Partition PLD ADD | HC1 | New |
10.3.2.1 | Conceptual Design Data | EB62000970 | COMAC C919 FCS ACE Monitor Lane Common Partition Receiver PLD ADD | HC1 | New |
10.3.2.1 | Conceptual Design Data | EB62000971 | COMAC C919 FCS ACE Common Partition I/O PLD ADD | HC1 | New |
10.3.2.1 | Conceptual Design Data | EB62001712-001 | COMAC C919 FCE Math Engine Sequence HRD | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000935-101 | ACE IO Controller PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000936-101 | ACE COM Normal Mode PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000937-101 | ACE MON Normal Mode PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000938-101 | ACE COM Direct Mode PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000939-101 | ACE MON Direct Mode PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000940-101 | ACE CP IO PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000941-101 | ACE COM Common Partition PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000942-101 | ACE MON Common Partition PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | DC62000943-101 | ACE MON Common Partition Receiver PLD ADC | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000935-101 | ACE IO Controller PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000936-101 | ACE COM Normal Mode PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000937-101 | ACE MON Normal Mode PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000938-101 | ACE COM Direct Mode PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000939-101 | ACE MON Direct Mode PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000940-101 | ACE CP IO PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000941-101 | ACE COM Common Partition PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000942-101 | ACE MON Common Partition PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | TT62000943-101 | ACE MON Common Partition Receiver PLD Bitstream | HC1 | New |
10.3.2.2 | Detailed Design Data | 62001512-101 | Math Engine Operation Sequence for the COMAC C919 FCE ACE DM FLASH | HC1 | New |
10.3.2.2.1 | Top-level Drawing (LRU) | 62000930-901 | Module Assembly - Actuator Control Electronics (ACE) | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (PBA) | 62000932-1001 | Printed Board Assembly – Command Auxiliary | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (PBA) | 62000931-1001 | Printed Board Assembly – Command Core | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (PBA) | 62000934-1001 | Printed Board Assembly – Monitor Auxiliary | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (PBA) | 62000933-1001 | Printed Board Assembly – Monitor Core | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000935-101 | ACE I/O Controller (IOC) PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000936-101 | ACE COM Normal Mode PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000937-101 | ACE MON Normal Mode PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000938-101 | ACE COM Direct Mode PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000939-101 | ACE MON Direct Mode PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000941-101 | ACE COM Common Partition PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000942-101 | ACE MON Common Partition PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000943-101 | ACE MON Common Partition Receiver PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62000940-101 | ACE CP IO PLD HCI | HC1 | New | S
10.3.2.2.1 | Top-level Drawing (AEH) | 62001512-101 | Math Engine Operation Sequence for the COMAC C919 FCE ACE DM FLASH | HC1 | New |
10.3.2.2.2 | Assembly Drawings | 62000930-901 | Module Assembly - Actuator Control Electronics (ACE) | HC1 | New |
10.3.2.2.3 | Installation Control Drawings | 62000929 | Outline and Installation of Actuator Control Electronics Module | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62001454-101 | Hardware Requirements Document for the C919 Actuator Control Electronics | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000954 | COMAC C919 FCS ACE I/O Controller (IOC) PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000955 | COMAC C919 FCS ACE Command Lane Normal Mode PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000956 | COMAC C919 FCS ACE Monitor Lane Normal Mode PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000957 | COMAC C919 FCS ACE Command Lane Direct Mode PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000958 | COMAC C919 FCS ACE Monitor Lane Direct Mode PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000959 | COMAC C919 FCS Command Lane Common Partition PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000960 | COMAC C919 FCS Monitor Lane Common Partition PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000961 | COMAC C919 FCS ACE Monitor Lane Common Partition Receiver PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62000962 | COMAC C919 FCS ACE Common Partition I/O PLD ARD | HC1 | New |
10.3.2.2.4 | Hardware / Software Interface Data | EB62001712-001 | COMAC C919 FCE Math Engine Sequence HRD | HC1 | New |
10.4 | Validation and Verification Data | | | | |
10.4.1 | Hardware Traceability Data | EB62001467 | C919 ACE I/O Controller (IOC) PLD AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | EB62001469 | C919 ACE Command Lane Normal Mode PLD AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | EB62001468 | C919 ACE Monitor Lane Normal Mode PLD AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | EB62001470 | C919 ACE Command and Monitor Lane Direct Mode PLDs AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | EB62001471 | C919 ACE Command Lane Common Partition PLD AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | EB62001472 | C919 ACE Monitor Lane Common Partition PLD AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | EB62001474 | C919 ACE Monitor Lane Common Partition Receiver PLD AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | EB62001473 | C919 ACE Common Partition I/O PLD AVR | HC2 | New |
10.4.1 | Hardware Traceability Data | NA (Note 1) | C919 FCE Math Engine Sequence trace data | HC2 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62000856-001 | Hardware Development and Verification Plan for the COMAC C919 Flight Control System | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001455 | Hardware Verification Report for the C919 ACE | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001460 | COMAC C919 FCS ACE I/O Controller (IOC) PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001461 | COMAC C919 FCS ACE Command Lane Normal Mode PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001476 | COMAC C919 ACE FCS Monitor Lane Normal Mode PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001462 | COMAC C919 FCS ACE COM/MON Lane Direct Mode PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001463 | COMAC C919 FCS ACE Command Lane Common Partition PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001464 | COMAC C919 FCS ACE Monitor Lane Common Partition PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001465 | COMAC C919 ACE FCS Monitor Lane Common Partition Receiver PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001466 | COMAC C919 FCS ACE Common Partition I/O PLD ATPD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62000972 | COMAC C919 FCS ACE Normal Mode Partition PLD ATD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62000973 | COMAC C919 FCS ACE Direct Mode Partition PLD ATD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62000974 | COMAC C919 FCS ACE Common Partition PLD ATD | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | EB62001502 | C919 FCE MES HW Verification and Test Procedures | HC1 | New |
10.4.2 | Hardware Review and Analysis Procedures | NA (Note 1) | Review artifacts | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS ACE I/O Controller (IOC) PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Command Lane Normal Mode PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Monitor Lane Normal Mode PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Command Lane Direct Mode PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Monitor Lane Direct Mode PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Command Lane Common Partition PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Monitor Lane Common Partition PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Monitor Lane Common Partition Receiver PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCS Common Partition I/O PLD Review Artifacts (/C919_FC_Hardware_RC/Hardware/ACE/PLD/Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Review Records | C919 FCE Math Engine Sequence Review Artifacts (C919_FC_Hardware_RC\Hardware\MES\Review Packets) | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001467 | C919 ACE I/O Controller (IOC) PLD AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001469 | C919 ACE Command Lane Normal Mode PLD AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001468 | C919 ACE Monitor Lane Normal Mode PLD AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001470 | C919 ACE Command and Monitor Lane Direct Mode PLDs AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001471 | C919 ACE Command Lane Common Partition PLD AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001472 | C919 ACE Monitor Lane Common Partition PLD AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001474 | C919 ACE Monitor Lane Common Partition Receiver PLD AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | EB62001473 | C919 ACE Common Partition I/O PLD AVR | HC2 | New |
10.4.3 | Hardware Review and Analysis Results | ClearCase Results Data | C919 FCE Math Engine Sequence Test Results (C919_FC_Hardware_RC\Hardware\MES\Verification\Results) | HC2 | New |
10.4.4 | Hardware Test Procedures | EB62001455 | C919 ACE HVR | HC1 | New |
10.4.4 | Hardware Test Procedures | 94222-38 | FCE Equipment Electromagnetic and Power Input Qualification Test Procedure | HC1 | New |
10.4.4 | Hardware Test Procedures | IT62000930-901 | Integrated Test Specification for the C919 Actuator Control Electronics LRM | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001460 | COMAC C919 FCS ACE I/O Controller (IOC) PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001461 | COMAC C919 FCS ACE Command Lane Normal Mode PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001476 | COMAC C919 ACE FCS Monitor Lane Normal Mode PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001462 | COMAC C919 FCS ACE COM/MON Lane Direct Mode PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001463 | COMAC C919 FCS ACE Command Lane Common Partition PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001464 | COMAC C919 FCS ACE Monitor Lane Common Partition PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001465 | COMAC C919 ACE FCS Monitor Lane Common Partition Receiver PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001466 | COMAC C919 FCS ACE Common Partition I/O PLD ATPD | HC1 | New |
10.4.4 | Hardware Test Procedures | VC62001477 | ACE Normal Mode Partition PLD AVC | HC1 | New |
10.4.4 | Hardware Test Procedures | VC62001478 | ACE Direct Mode Partition PLD AVC | HC1 | New |
10.4.4 | Hardware Test Procedures | VC62001479 | ACE Common Partition PLD AVC | HC1 | New |
10.4.4 | Hardware Test Procedures | EB62001502 | C919 FCE MES HW Verification and Test Procedures | HC1 | New |
10.4.5 | Hardware Test Results | EB62001455 | C919 ACE HVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001467 | C919 ACE I/O Controller (IOC) PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001469 | C919 ACE Command Lane Normal Mode PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001468 | C919 ACE Monitor Lane Normal Mode PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001470 | C919 ACE Command and Monitor Lane Direct Mode PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001471 | C919 ACE Command Lane Common Partition PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001472 | C919 ACE Monitor Lane Common Partition PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001474 | C919 ACE Monitor Lane Common Partition Receiver PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | EB62001473 | C919 ACE Common Partition I/O PLD AVR | HC2 | New |
10.4.5 | Hardware Test Results | ClearCase Results Data | C919 FCE Math Engine Sequence Test Results (C919_FC_Hardware_RC\Hardware\MES\Verification\Results) | HC2 | New |
10.4.5 | Hardware Test Results | 94222-48 | FCE Equipment Electromagnetic and Power Input Qualification Test Report | HC2 | New |
10.5 | Hardware Acceptance Test Criteria | IT62000930-901 | Integrated Test Specification for the C919 Actuator Control Electronics LRM | HC2 | New |
10.6 | Problem Reports | ClearQuest Records | CRs per the Hardware Configuration Management Plan for the C919 CEH | HC2 | New |
10.7 | Hardware Configuration Management Records | NA | CM records per the Hardware Configuration Management Plan for the C919 CEH | HC2 | New |
10.7 | Hardware Configuration Management Records | NA | ECOs per Hardware and Software Configuration Management Plan for COMAC C919 Flight Controls | HC2 | New |
10.8 | Hardware Process Assurance Records | NA | Records in PDQA database for C919 FCS | HC2 | New |
10.9 | Hardware Accomplishment Summary | EB62001500 | C919 FCS Hardware Accomplishment Summary | HC1 | New | S


Note 1: These items are archived within ClearCase with no unique part number or identifier,
or with identifiers that are not pre-assigned.


8 Additional Considerations
8.1 Previously Developed Hardware (PDH)
The Flight Control Module (FCM) and Direct Mode Rate Sensor (DMRS) designs are
unchanged (except as noted in Section 8.1.2) from previously certified, DO-254-compliant
designs. All CEH in the FCM and DMRS is re-used and unchanged from the previously
certified designs. FCM CEH was certified as part of the Boeing 787 Flight Control
Electronics provided by Honeywell. DMRS CEH was certified as part of the Boeing 787 Flight
Control Electronics and the Gulfstream G650 AH-1000 Attitude Heading Reference Unit
(AHRU) provided by Honeywell.
8.1.1 Unchanged Previously Developed CEH
The CEH for the Flight Control Module (FCM) and Direct Mode Rate Sensor (DMRS) designs
are unchanged from previously certified designs. Refer to Table 8-1 - Previously Developed
CEH for a listing of the previously developed CEH for each LRM. FCM and DMRS CEH life
cycle data will be made available for review as part of the Stage of Involvement audits
conducted on hardware covered by this PHAC.
Table 8-1 - Previously Developed CEH

LRM | Name | Honeywell Part Number | Type | Previously Certified | Previous DAL | C919 DAL
FCM | POLARIS ASIC | 4093490-400 | ASIC | Yes, 787 | A | A
FCM | I/O Controller ASIC | 4093471-400 | ASIC | Yes, 787 | A | A
FCM | AFDX Interface ASIC | 4093436-400 | ASIC | Yes, 787 | A | A
DMRS | HPG2 ASIC | 10161604-101 | ASIC | Yes, 787 and G650 | A | A
DMRS | HPGD2C_M2 ASIC | 10165873-101 | ASIC | Yes, G650 | A | A
DMRS | Interface FPGA | 66021063-001 | FPGA | Yes, 787 | A | A

8.1.2 Changes/Modification to Previously Developed Hardware


There are no planned changes or modifications to the Flight Control Module (FCM) or Direct
Mode Rate Sensor (DMRS) CEH designs. These products will undergo qualification testing
per the C919 environmental requirements.
Non-CEH changes for each product are summarized as follows:
• Flight Control Module
  • New end-item part number for C919 usage (change to I/O connector keying)
  • New Mechanical Chassis and Side Cover part numbers (no design changes)
  • New Printed Board Assembly and Printed Board part numbers (no design changes, no
    bill of material changes)
• Direct Mode Rate Sensor
  • New end-item part number for C919 usage
  • New Chassis Assembly part number (changes to chassis finish and connector keying)
  • New Printed Board Assembly and Printed Board part numbers (no design changes, no
    bill of material changes)
The changes described above have no impact on system safety, and changes to design
features such as chassis finish will be verified as a part of environmental qualification
testing.
8.1.3 Change in Aircraft Installation
The Flight Control Module (FCM) CEH was certified as part of the Boeing 787 Flight Control
Electronics provided by Honeywell. The Direct Mode Rate Sensor (DMRS) CEH was certified
as part of the Boeing 787 Flight Control Electronics and the Gulfstream G650 AH-1000
Attitude Heading Reference Unit (AHRU) provided by Honeywell. The C919 Flight Control
System Preliminary Safety Assessment (PSSA) [10] has assigned the same DAL to the CEH
for the FCM and DMRS. The certification basis for the C919 is as defined in Section 5.1.
8.1.4 Change of Application or Design Environment
Verification testing will be repeated for hardware/software interfaces which are different from
the previous application as a result of new or changed software for C919. FCM and DMRS
CEH and hardware requirements and verification will be regressed to address traceability to
the new application. The traceability data from system requirements down to hardware and
CEH requirements will be added for the reused CEH.
Qualification testing for the C919 will ensure correct functional performance over
environmental operating conditions for the reused CEH.
8.1.5 Upgrading a Design Baseline
The DAL on the previously developed hardware is A. The DAL will not change for C919.
8.1.6 Additional Configuration Management Considerations
Development activities and documentation for the previously developed FCM and DMRS
hardware and CEH will be documented in the C919 Flight Control System Hardware
Accomplishment Summary, and Hardware Configuration Index.
In support of regression activity, problem report and change control procedures for the C919
will be followed, as described in section 6.2.3 of this PHAC.

8.2 Commercial-Off the Shelf (COTS) Components Usage


COTS components are used in the design of the FCS system. The process by which
components are selected and managed is described in the Honeywell Aerospace Electronic
Components Management Plan (ECMP) [18]. Activities detailed in this plan include but are
not limited to the component supplier assessment, quality considerations, and component
obsolescence assessments. The component engineering group, as indicated in the HDVP [2],
will perform a bill of materials analysis that is described in the Honeywell Aerospace
Electronic Components Management Plan (ECMP) [18].
The ACE and DMRS designs utilize COTS unprogrammed (blank) PLDs. Because those
PLDs are custom microcoded devices their design assurance is achieved by applying the
guidance of RTCA/DO-254, and by following development processes as described in this
PHAC; therefore, those parts are not discussed under the COTS components usage topic.
COTS microprocessors and other COTS parts that are used in the Flight Control Module are
shown in Table 8-2 – COTS Components Usage. There are no COTS microprocessors used
in the DMRS.

Table 8-2 – COTS Components Usage

LRM | COTS Component Function | COTS Component Manufacturer | COTS Component Manufacturer Part Number | COTS Component Honeywell Part Number | Previously Used On | Qty Used
FCM | Command Lane Processor | IBM | IBM25PPC750GLECB2H33T | 53001024-3 | 787 | 2
FCM | Monitor Lane Processor | PMC-Sierra | RM7965A-900UI | 62000580-977 | 787 | 1
FCM | In system configurable Clock Generator | Lattice Semiconductor Corp | ispPAC-CLK5510V-01T48I | 53000874-2 | 787 | 3
FCM | Power monitor and sequencer | Lattice Semiconductor Corp | ispPAC-POWR1208-01T44I | 53000972-1 | 787 | 3

8.2.1 COTS Microprocessors


COTS microprocessor selection, qualification, application, build and usage in the FCM
application was made in accordance with the Honeywell Aerospace Electronic Components
Management Plan (ECMP) [18], consistent with the guidance for all COTS devices.
Configuration control of the selected part is in accordance with the microprocessors’
Specification Control Drawings. Additional design assurance considerations, such as problem
reporting and tracking, were used as defined in the previous program’s Hardware
Development and Verification Plans.
The COTS microprocessors are operated within the environmental limits established by the
microprocessor manufacturer. Analysis or testing will be performed to show that the limits of
temperature, voltage, clock frequency and vibration are met for the C919 aircraft
environment.
• Temperature - An FCM thermal analysis will be performed to determine component
  operating temperatures relative to the manufacturers’ stated limits over the
  operational environment of the equipment.
• Voltage - An analysis of the voltage monitors will be performed to validate that the
  voltage monitors trip before the voltages at the components exceed the
  manufacturers’ stated limits.
• Clock frequency - An analysis of the clock oscillator will be performed to validate that
  for the life of the equipment, the tolerance on the clock inputs to the microprocessors
  stay within the manufacturers’ stated limits. Signal integrity testing will be performed
  to show that the clock inputs to the microprocessor are clean, meaning jitter, skew
  and noise will not affect the edges enough to put the clock frequency out of tolerance.
• Vibration - The microprocessor data sheets do not specify vibration limits.
  Environmental qualification testing will be performed to validate that the vibration
  requirements for the system will be met, and microprocessor activity will be monitored
  during the test.
8.2.2 COTS Microprocessors Errata
It is known that microprocessors are complex logic devices, and as such can contain design
errors that can lead to software and/or hardware failures when these errors are encountered.
The manufacturers of these microprocessors maintain lists of known problems and document
them as errata. Since these errata are generic in nature, i.e., processors of a given type
contain the same design error, the impact to system safety must be understood and
mitigation strategies must be deployed. The design history of different versions of the
microprocessors will be reviewed for possible design errors that would affect the operating
system or hosted application(s) for the C919 Flight Control System.
In addition, the microprocessors used in the FCM have a reasonable service history with a
number of different applications.
A processor errata mitigation matrix will be utilized jointly by the hardware engineers and
software engineers to document the processor errata, identify the affected areas (i.e., the
hardware and/or the various software components that comprise the hardware element), and
document the hardware and/or software means of mitigation that were designed into the
product to rectify the errata impact. Examples of means of mitigation include software coding
standards, hardware or software design review checklist items, and software compiler
restrictions.
Communication of errata from the hardware group to the software process will be via CR.
Analyses will be completed during the detailed design phase of the C919 Flight Control
System, and will be documented in Processor Errata Mitigation Matrices, one for each
microprocessor. The matrices will be stored in the C919 program’s development data
archives.
8.2.3 COTS Microprocessors Verification
Verification of the hardware aspects of the COTS microprocessors will be achieved with a
combination of software verification testing and hardware analysis. Software testing will be
performed on a combination of on-target and off-target test resources. The selection of the
appropriate test resource will be covered by the software verification plans and will be based
on the capabilities of the test resource and the needs of the software under test. Between
software verification testing on the target platform and the off-target single board computer
platform, nearly all requirements based testing of software will be achieved using test
resources. The remaining requirements will be covered by other verification methods.
8.2.4 Lattice Configurable Devices
These devices differ from typical PLDs in that they are very limited in the extent of their
programmability and the functions they can perform. They are more similar in nature to
configurable devices than to true programmable PLD devices. The characteristics of the
configuration are captured as hardware requirements and verified at the PBA level.
Neither of these devices is configurable in the field. The programming can only be
performed during initial production or at a service center, and not when the FCM is installed
in the airplane. The devices are programmed in circuit using an IEEE JTAG interface. The
JTAG interface is not accessible while the FCM is installed in the FCE Cabinet on the
airplane.
The Lattice ispClock 5510 family are configurable clock generators. They provide up to 10
clock outputs. The device can be configured relative to frequency (dividers on the input,
outputs, and phase lock loop feedback), output drive characteristics (e.g. Low Voltage
Transistor-Transistor Logic (LVTTL), Low Voltage Complementary Metal-Oxide-
Semiconductor (LVCMOS), etc.), output slew rate, and output to output skew. Each of these
selections is limited to specific points in the device and has a limited selection of values. The
configuration is programmed into internal Complementary Metal-Oxide Semiconductor
(CMOS) EEPROM. This device is very similar to configurable clock generators that
previously used program pins to configure these characteristics.
The ispPAC 1208 is a configurable power supply sequencing controller and monitor device.
The device supports up to 8 outputs, 12 analog inputs, and 4 digital inputs. This part is
normally used for power supply sequencing and monitoring. In the FCM design, this part is
used only to control power sequencing for the processor cards and is not used for power
validity monitoring. The design utilizes the reset input, 4 digital inputs, and 7 outputs.
Although the device utilizes an AND/OR/Flip-Flop macrocell design approach, the usage of
these arrays is very basic. The FCM design uses this device to provide a small delay
between the enabling of the various power supplies. This sequencing reduces the stresses
on the interfaces between circuitry powered by different power supply outputs. The
configuration is programmed into internal CMOS EEPROM.
The FCM designers use the Lattice-provided tool for developing the program to be loaded in
the device. This tool, PAC-Designer, provides a simple programming interface to select the
configurable items for the device from a fixed set of choices. The user interface for the clock
generator indicates the various configurable items and allows the user to select the
appropriate drive characteristics or divider ratio. The programmer interface for the ispPAC
1208 allows the user to create basic algorithms, such as delay X amount from input Y, then
drive output Z, and to select output drive characteristics.

8.3 COTS Intellectual Property (IP)


There is no new development for the C919 program using COTS IP.

8.4 Single Event Upset in Programmed Electronic Hardware


Electronic components such as microprocessors, memories, and FPGAs are known to have
susceptibilities to atmospheric radiation. No RAM-based FPGAs are used in the C919
hardware.
System design features to further mitigate the possibility of SEU effects include the following:
• Flight Control Software implements a tri-modular redundant (TMR) solution that
  covers FCM instruction FLASH memory, such that any corruption is detected and
  corrected.
• Faults that may occur in internal PLD memories are covered by higher level system
  checks (COM/MON comparison monitors or checks done by the FCMs between
  ACEs).
• Only data that is periodically refreshed is stored in ACE PLD internal RAM, limiting
  the duration of potential SEU effects.
• For critical ACE data, capability exists to cover the PLD internal RAM with the ACE's
  RAM test scheme, i.e., invert the data into and out of the memory to expose stuck-at
  faults in states that are not normally achieved in standard operation.
• Critical status data are forced to a known state either periodically or upon detection of
  inactivity in a given time-out.
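The two mechanisms above, triple-modular-redundant voting over a stored image and the inverted-data RAM test for stuck-at bits, are illustrated by the following added example. It is editor-supplied C written for this page, not code from Honeywell, the FCM or the ACE design; the function names (tmr_vote_repair, ram_test_inverted, model_ram_t), the image bytes and the fault locations are constructed for the illustration, and the RAM is a software model rather than a real device.

```c
/* Added example (not from the PHAC): bit-level triple modular redundancy (TMR)
 * voting over three copies of a memory image, and an inverted-data RAM test
 * that exposes stuck-at bits. All data and fault locations are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_LEN 8

/* Bitwise majority of three bytes: a bit is 1 when at least two copies say 1. */
static uint8_t majority3(uint8_t a, uint8_t b, uint8_t c)
{
    return (a & b) | (a & c) | (b & c);
}

/* Vote across three copies of an image, rewriting any copy that disagrees with
 * the majority. Returns the number of copy bytes corrected. A single-copy upset
 * is always detected and corrected; if two copies flip the same bit the vote
 * follows them, which is why TMR is backed by higher-level COM/MON checks. */
int tmr_vote_repair(uint8_t *c0, uint8_t *c1, uint8_t *c2, size_t len)
{
    int corrected = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t v = majority3(c0[i], c1[i], c2[i]);
        if (c0[i] != v) { c0[i] = v; corrected++; }
        if (c1[i] != v) { c1[i] = v; corrected++; }
        if (c2[i] != v) { c2[i] = v; corrected++; }
    }
    return corrected;
}

/* Constructed fault model of a small RAM: bits set in stuck0 always read 0,
 * bits set in stuck1 always read 1 (hypothetical model, not real hardware). */
typedef struct {
    uint8_t cell[IMAGE_LEN];
    uint8_t stuck0[IMAGE_LEN];
    uint8_t stuck1[IMAGE_LEN];
} model_ram_t;

static void ram_write(model_ram_t *r, size_t i, uint8_t v)
{
    r->cell[i] = (uint8_t)((v & (uint8_t)~r->stuck0[i]) | r->stuck1[i]);
}

static uint8_t ram_read(const model_ram_t *r, size_t i) { return r->cell[i]; }

/* Inverted-data test: write each byte and read it back, then write and read
 * back its complement, so every bit is driven to both 0 and 1. A stuck-at bit
 * fails one of the two reads even when normal operation never toggles it.
 * Returns the number of bytes with a detected fault. */
int ram_test_inverted(model_ram_t *r, const uint8_t *data, size_t len)
{
    int faults = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t inv = (uint8_t)~data[i];
        ram_write(r, i, data[i]);
        int ok = (ram_read(r, i) == data[i]);
        ram_write(r, i, inv);
        ok = ok && (ram_read(r, i) == inv);
        if (!ok) faults++;
    }
    return faults;
}

/* Constructed demonstration: one upset in copy 1 of the image, and one
 * stuck-at-0 bit in the RAM model that the functional data never drives to 1. */
int demo(void)
{
    const uint8_t golden[IMAGE_LEN] = {0x48, 0x00, 0x00, 0x01, 0x3C, 0x60, 0x12, 0x34};
    uint8_t c0[IMAGE_LEN], c1[IMAGE_LEN], c2[IMAGE_LEN];
    memcpy(c0, golden, IMAGE_LEN);
    memcpy(c1, golden, IMAGE_LEN);
    memcpy(c2, golden, IMAGE_LEN);
    c1[3] ^= 0x10;                      /* single-event upset in one copy */
    int corrected = tmr_vote_repair(c0, c1, c2, IMAGE_LEN);
    int restored = (memcmp(c1, golden, IMAGE_LEN) == 0);

    model_ram_t ram;
    memset(&ram, 0, sizeof ram);
    ram.stuck0[5] = 0x01;               /* bit 0 of byte 5 stuck at 0 */
    int faults = ram_test_inverted(&ram, golden, IMAGE_LEN);
    printf("corrected=%d restored=%d stuck-at faults=%d\n", corrected, restored, faults);
    return corrected == 1 && restored && faults == 1;
}

int main(void) { return demo() ? 0 : 1; }
```

The stuck-at bit is in a position where the golden byte already holds a 0, so a plain write-and-read-back of the functional data would pass; only the complemented pass exposes it, which is the point the plan makes about states not normally achieved in standard operation.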

8.5 Product Service Experience


8.5.1 FCM Product Service Experience
The FCM has previously been used in a configuration identical to C919 as shown in Table 8-3
– FCM Service History.
Table 8-3 – FCM Service History

Aircraft | Service Hours
Boeing 787-8 | Greater than 3,710,028 hours
Boeing 787-9 | Greater than 117,669 hours

8.6 Tool Assessment and Qualification


Tools that will be used during the hardware design or verification life cycle processes for
complex devices are listed in Table 8-4 - Tool Assessment Summary. The information
provided includes the tool name, tool source or vendor, tool version, host environment, life
cycle processes supported, complex devices to which the tool applies, the output produced
by the tool, and whether the tool output is independently assessed.
Qualification of a hardware design or verification tool is required when the outputs of the tool
are not independently verified and the tool eliminates, reduces, or automates required life
cycle processes. The qualification status of each tool is assessed and indicated in the final
column of the table. Tool assessment is ongoing with process development and
improvement. If a process is updated to use new tools, or a new tool-based process is
proposed for complex device design or verification, additional tool assessment will be
performed and documented in the Hardware Accomplishment Summary (HAS).
If a tool has a direct bearing on the design or verification of a complex device, the current
version is listed. If the tool is updated, the potential impacts will be assessed. Updates, if
any, will be included in the HAS.
Table 8-4 - Tool Assessment Summary

Tool Name | Tool Source | Tool Ver. | Host | Maturity | Processes Supported | Output Produced | Output Independently Assessed By | Applicable Hardware | Qual Req’d
Synplify | Synopsys | 2012.03 SP2 | UNIX / LINUX | Widely used on several projects within Honeywell. Large installed base in Honeywell and in industry. | Design Tool: Detailed Design PLD Implementation | PLD Synthesis Netlist | PLD and HW Verification activities: Hardware Test procedures and results that cover PLDs are in the HVR | PLD | N
Libero (Designer) | Microsemi (formerly Actel) | 9.1 SP5 | UNIX / LINUX | Relatively new tool – based on existing tools widely used on several projects within Honeywell. Replaces existing tool suite. | Design Tool: PLD Implementation | PLD Place and Routed Netlist, PLD programming file | PLD and HW Verification activities: Hardware Test procedures and results that cover PLDs are in the HVR | PLD | N
Questa AFV | Mentor Graphics | 10.1d | UNIX / LINUX | Widely used on several projects within Honeywell. Large installed base in Honeywell and in industry. | Verification and Coverage tool: Functional Verification, Coverage Assessment, Coverage tool | PLD Simulation, Coverage Results | PLD Verification activities: ASIC/FPGA Verification Results Review (review of transcript), Hardware Test procedures and results that cover PLDs are in the HVR | PLD/ASIC | N
PrimeTime | Synopsys | 2010.12 SP3 | UNIX / LINUX | Widely used on all ASIC project in Honeywell. Large installed base in industry. | Verification tool: Timing Verification | PLD Timing Reports | PLD Verification activities: ASIC/FPGA Verification Results Review (includes results of gate level simulations), HW Qualification Test | PLD/ASIC | N
Formality | Synopsys | 2013.12 SP2 | UNIX / LINUX | Widely used on several projects within Honeywell. Large installed base in Honeywell and in industry. | Verification tool: Formal Verification | Formal Verification Report | PLD and HW Verification activities: Hardware Test procedures and results that cover PLDs are in the HVR | PLD/ASIC | N
ClearQuest / ClearCase | IBM | 7.1.2.04 | Win 7 or later | Used on several projects within Honeywell. Based on system used for > 10 years. | Configuration Management, Problem Reporting | Configuration Management Records, Problem Report Records | N/A | All Hardware Levels | N
ACM | Honeywell | 5.13 | VAX | Widely used on many projects in Honeywell | Configuration Management, Problem Reporting | Configuration Management Records, Problem Report Records | N/A | All Hardware Levels | N
CM21 | Honeywell | 2.9 | Win 7 or later | Widely used on many projects in Honeywell | Configuration Management, Problem Reporting | Configuration Management Records, Problem Report Records | N/A | All Hardware Levels | N
Trace Reports | Internally developed using Visual Studio.Net | 3.3.3 | Win 7 or later | Tool has been in use on multiple Honeywell Air Transport programs for more than 5 years | Requirement, Code, Verification Trace Reporting | Trace Data Trace Report | All MES activities: all MES review records | All Hardware Levels | N
Matlab / Simulink | Matlab | Version 7.9 or later | Win 7 or later | Matlab/Simulink tool has been in use on multiple Honeywell Air Transport programs for more than 5 years | MES Requirements Capture: Fixed Point modeling and scaling analysis supporting HW requirements definition, and Verification | Fixed point scaling analysis, and functional models | MES Requirements activities: MES requirement review, MES Verification activities: Verification Results review | MES Math Engine Sequence | N
Host-based Simulation System | Internally developed | HSS Version 8.7 | Win 7 or later | Math Engine Support used for more than 6 years | Verification tool: Functional Verification | Math Engine Verification data | MES and HW Verification activities: on-target test procedures and results, C919 FCE MES HW Verification and Test Procedures, C919 FCE Math Engine Sequence Test Results | Math Engine Sequence | N
ACTIVEPERL | ACTIVESTATE SOFTWARE INC | PERL script interpreter (ACTIVE Version 5.8.7 Build 815 for Windows) | Win 7 or later | Supporting Math Engine Sequence development for over 7 years | Support Math Engine Sequence Macro Assembler Operation | Intel HEX format Flash Load | MES and HW Verification activities: on-target test procedures and results, C919 FCE MES HW Verification and Test Procedures, C919 FCE Math Engine Sequence Test Results | Math Engine Sequence | N

8.7 Intermixability (Optional)


There are no planned intermixability options associated with this development.

8.8 Use of Offsite Suppliers and Supplier Oversight

Honeywell will provide supplier oversight for the following companies that will be performing
work on the C919 Flight Controls hardware designs.
• Honeywell International, S.R.O (HISRO) in Prague, Czech Republic, for development
  of the ACE PLD components. The PLDs for the ACE are DAL A.
• Crane Aerospace & Electronics (Eldec Corporation) in Lynnwood, WA will develop the
  Power Conditioning Module PLD. The PLD for the PCM is DAL A.
• Flight Automatic Control Research Institute (FACRI) in Xi’an, China, will develop the
  Flight Mode Control Panel PLD. The PLD for the FMCP is DAL C.
• HonFei Flight Controls Technology Co., LTD, (HonFei) in Xi’an, China, will perform
  requirements based verification testing of the ACE Printed Board Assemblies.
Table 8-5 - Activities for Satisfaction of DO-254 Objectives for Various Suppliers shows the
planned outsourced activities to meet the DO-254 objectives. It defines the percentage of
planned and required oversight for each supplier, per the Supplier Assessment and Oversight
Process for Software and CEH [19].
Table 8-5 - Activities for Satisfaction of DO-254 Objectives for Various Suppliers

Each objective is listed as "DO-254 Objective Section  Objective", followed by one line per
supplier ([Insert FPGA(s) nomenclature and level]) giving:
Supplier | Planned HI USA Supplier Oversight (%) | HI USA Technical Oversight Required (%) | Supplier Technical Oversight Activity (%)

4.1 Planning Process Objectives

4.1.1 Hardware design life cycle processes are defined.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

4.1.2 Standards are selected and defined.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

4.1.3 Hardware development and verification environments are selected or defined.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

4.1.4 The means of compliance of the hardware design assurance objectives, including
strategies identified using guidance in DO-254 section 2.3.4, are proposed to the
certification authority.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

5.1.1 Requirements Capture Objectives

5.1.1.1 Requirements are identified, defined and documented.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.1.1.2 Derived requirements produced are fed back to the appropriate process.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.1.1.3 Requirement omissions and errors are provided to the appropriate process for
resolution.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.2.1 Conceptual Design Objectives

5.2.1.1 The hardware item conceptual design is developed consistent with its requirements.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.2.1.2 (Conceptual) Derived requirements produced are fed back to the requirements
capture or other appropriate process.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.2.1.3 (Conceptual Design) Requirement omission and errors are provided to the
appropriate process for resolution.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.3.1 Detailed Design Objectives

5.3.1.1 Detailed design is developed from the hardware item requirements.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.3.1.2 (Detailed Design) Derived requirements produced are fed back to the requirements
capture or other appropriate process.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.3.1.3 Requirement omissions or errors are provided to the appropriate processes for
resolution.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.4.1 Implementation Objectives

5.4.1.1 Hardware is produced which implements the hardware detailed design using
representative manufacturing processes.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.4.1.2 Hardware item implementation, assembly and installation data is complete.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.4.1.3 (Implementation) Derived requirements produced are fed back to the requirements
capture or other appropriate process.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.4.1.4 (Implementation) Requirement omission and errors are provided to the appropriate
process for resolution.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.5.1 Production Transition Objectives

5.5.1.1 Baseline is established that includes all design and manufacturing data needed to
support the consistent replication of the hardware item.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.5.1.2 Manufacturing requirements related to safety are identified and documented and
manufacturing controls are established.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.5.1.3 Derived requirements are fed back to the implementation process or other
appropriate processes.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

5.5.1.4 Errors and omissions are provided to the appropriate processes for resolution.
  HISRO | 60 | 60 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

6.1.1 Validation Process Objectives

6.1.1.1 Derived hardware requirements against which the hardware item is to be verified are
correct and complete.
  HISRO | 80 | 80 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

6.1.1.2 Derived requirements are evaluated for impact on safety.
  HISRO | 80 | 80 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

6.1.1.3 Omissions and errors are fed back to the appropriate process for resolution.
  HISRO | 80 | 80 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

6.2.1 Verification Process Objectives

6.2.1.1 Evidence is provided that the hardware implementation meets the requirements.
  HISRO | 80 | 80 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

6.2.1.2 Traceability is established between hardware requirements, etc.
  HISRO | 80 | 80 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

6.2.1.3 Acceptance test criteria are identified, can be implemented and are consistent with
the hardware design assurance levels of the hardware functions.
  HISRO | 80 | 80 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

6.2.1.4 Omissions and errors are fed back to the appropriate processes for resolution.
  HISRO | 80 | 80 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

7.1 Configuration Management Objectives

7.1.1 Configuration items are uniquely identified and documented.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

7.1.2 Consistent and accurate replication of configuration items is ensured.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

7.1.3 A controlled method of identifying and tracking modification to configuration items is
provided.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A

8.1 Process Assurance Objectives

8.1.1 Life cycle processes comply with the approved plans.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

8.1.2 Hardware design life cycle data produced complies with the approved plans.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | 100 | 100 | 100

8.1.3 The hardware item used for conformance assessment is built to comply with the
associated life cycle data.
  HISRO | 100 | 100 | 100
  Eldec | 100 | 100 | 100
  FACRI | 100 | 100 | 100
  HonFei | N/A | N/A | N/A
9 Alternative Methods
This project will not use Alternative Methods.
10 RTCA/DO-254 COMPLIANCE
This section describes how this PHAC complies with the objectives of DO-254.
Table 10-1 - DO-254 Compliance Matrix

DO-254 Objective Section | Objective | Compliance Planning | PHAC Reference

4.1 Planning Process Objectives
4.1.1 | Hardware design life cycle processes are defined. | Life cycle processes, standards and life cycle data are defined in PHAC, Hardware Development and Verification Plan, CM Plan and Process Assurance Plan | Section 6.1
4.1.2 | Standards are selected and defined. | Requirements, HDL Coding, Hardware Design, Validation, Verification and Archive standards | Section 6.1.1
4.1.3 | Hardware development and verification environments are selected or defined. | Environments including design tools and verification tools defined in PHAC [and HDVP] | Sections 6.1.2.4 and 6.2.2.3
4.1.4 | The means of compliance of the hardware design assurance objectives, including strategies identified using guidance in Section 2.3.4, are proposed to the certification authorities. | Means of compliance defined in PHAC and summarized in this table | Section 6.2.2.2, Section 9.0, Section 10.0

5.1.1 Requirements Capture Objectives
5.1.1.1 | Requirements are identified, defined and documented. | Device-level requirements documents; identification of safety related requirements | Section 6.1.2.1
5.1.1.2 | Derived requirements produced are fed back to the appropriate process. | Identification and review of derived requirements against safety assessment and system requirements | Section 6.1.2.1
5.1.1.3 | Requirement omissions and errors are provided to the appropriate process for resolution. | Feedback to system development process from device-level requirements review | Section 6.1.2.1

5.2.1 Conceptual Design Objectives
5.2.1.1 | The hardware item conceptual design is developed consistent with its requirements. | Hardware-level design documents and presentation material | Section 6.1.2.2
5.2.1.2 | Derived requirements produced are fed back to the requirements capture or other appropriate processes. | Identification of device-level derived requirements | Section 6.1.2.2
5.2.1.3 | Requirement omissions and errors are provided to the appropriate processes for resolution. | Feedback to device-level requirements capture | Section 6.1.2.2

5.3.1 Detailed Design Objectives
5.3.1.1 | Detailed design is developed from the hardware item requirements. | CEH detailed design, HDL code, synthesis, layout and route | Section 6.1.2.3
5.3.1.2 | Derived requirements are fed back to the conceptual design process or other appropriate processes. | Identification of derived requirements during CEH design reviews and HDL code reviews | Section 6.1.2.3
5.3.1.3 | Requirement omissions or errors are provided to the appropriate processes for resolution. | Feedback to device-level requirements from CEH design and HDL code reviews | Section 6.1.2.3

5.4.1 Implementation Objectives
5.4.1.1 | Hardware is produced which implements the hardware detailed design using representative manufacturing processes. | PLD programming and ASIC foundry production | Section 6.1.2.5
5.4.1.2 | Hardware item implementation, assembly and installation data is complete. | PLD HCI media validation, HW production readiness review, ASIC foundry reviews | Section 6.1.2.5
5.4.1.3 | Derived requirements are fed back to the detailed design process or other appropriate processes. | Identification of derived requirements to support implementation process | Section 6.1.2.5
5.4.1.4 | Requirement omissions and errors are provided to the appropriate processes for resolution. | Feedback to detailed design process from ASIC/PLD readiness review | Section 6.1.2.5

5.5.1 Production Transition Objectives
5.5.1.1 | Baseline is established that includes all design and manufacturing data needed to support the consistent replication of the hardware item. | PLD version description document; ASIC source control drawing; ASIC/PLD data release | Sections 6.1.2.6.1 and 6.1.2.6.2
5.5.1.2 | Manufacturing requirements related to safety are identified and documented and manufacturing controls are established. | Safety-related production critical issues; acceptance test criteria to meet safety requirements | Section 6.1.2.6.1
5.5.1.3 | Derived requirements are fed back to the implementation process or other appropriate processes. | Identification of derived requirements during production readiness review | Sections 6.1.2.6.1 and 6.1.2.6.2
5.5.1.4 | Errors and omissions are provided to the appropriate processes for resolution. | Feedback from production readiness review | Sections 6.1.2.6.1 and 6.1.2.6.2

6.1.1 Validation Process Objectives
6.1.1.1 | Derived hardware requirements against which the hardware item is to be verified are correct and complete. | Validation of derived requirements during device-level requirements review, requirements trace review or integration-level testing | Sections 6.1.2.1 and 6.2.1
6.1.1.2 | Derived requirements are evaluated for impact on safety. | Derived requirements reviewed for impact on safety during device-level requirements review | Section 6.2.1
6.1.1.3 | Omissions and errors are fed back to the appropriate process for resolution. | Feedback to system development process from device-level requirements review or integration-level testing | Section 6.2.1

6.2.1 Verification Process Objectives
6.2.1.1 | Evidence is provided that the hardware implementation meets the requirements. | Verification methods, procedures and results; verification coverage analysis including DO-254 Appendix B method and results | Sections 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.2.4, 6.2.2.3.1, 6.2.2.3.2
6.2.1.2 | Traceability is established between hardware requirements, the implementation, and the verification procedures and results. | Requirements-based verification traceability data and trace reports | Section 6.2.2.4
6.2.1.3 | Acceptance test criteria are identified, can be implemented and are consistent with the hardware design assurance levels of the hardware functions. | Acceptance Test Specification and Minimum Performance Specification | Section 6.1.2.6.1
6.2.1.4 | Omissions and errors are fed back to the appropriate processes for resolution. | Feedback from verification reviews | Section 6.2.2

7.1 Configuration Management Objectives
7.1.1 | Configuration items are uniquely identified and documented. | Configuration Management identification for hardware, documents and data items | Section 6.2.3
7.1.2 | Consistent and accurate replication of configuration items is ensured. | Configuration Management procedures for documents, ASIC/PLD life cycle data, tools and archival procedures | Section 6.2.3
7.1.3 | A controlled method of identifying and tracking modification to configuration items is provided. | Problem reports, change orders, and change management procedures | Sections 6.2.3.1, 6.2.3.2, 6.2.3.3

8.1 Process Assurance Objectives
8.1.1 | Life cycle processes comply with the approved plans. | PDQA Plan and data; supplier and subcontractor assessments | Section 6.3
8.1.2 | Hardware design life cycle data produced complies with the approved plans. | PDQA inspections, audit data, life cycle data review, deviation approvals | Section 6.3
8.1.3 | The hardware item used for conformance assessment is built to comply with the associated life cycle data. | Hardware conformance assessment for qualification testing; PLD conformance assessment to HCI, ASIC foundry inspection, ASIC receiving inspection | Sections 6.1.2.5, 6.1.2.6.1, 6.1.2.6.2, 6.2.2
11 Certification Schedule
This section identifies the major program milestones and the dates when hardware design
life cycle data will be submitted to the certification authority.
Table 11-1 - Project Milestones

Event | Date
Program Kickoff | Q3 2010
Submission of PHAC to Civil Aviation Authority of China (CAAC) | Q1 2016
SOI-1 Planning Review | Q1 2016
SOI-2 Design Review | Q2 2016
SOI-3 Validation and Verification Review | Q4 2016
SOI-4 Final Review | Q4 2017
Submission of HAS, HCI to CAAC | Q4 2017

END OF DOCUMENT