Pegasus Personal Air Vehicle: The Future in Personal Travel
The Pegasus Personal Air Vehicle – Safety by Design
AE6362, Summer 2002

Introduction: Pegasus PAV Safety-by-Design Team
• Mike Olmstead, Evan Brown, Blake Stringer, Yongchang Li, James Masters, Jeff Johnson
• Roles: Team Leader, Hardware FTA, Software PRISM, Hardware Markov Analysis, Software Markov Analysis, Dependence Diagrams, Human Reliability

Agenda
• Process Overview
• System Description
• New Technologies
• Functional Hazard Assessment
• Preliminary System Safety Assessment
• Dependence Diagrams
• Fault Tree Analysis
• Markov Analysis
• PRISM Model / Monte Carlo Simulation
• Certification Process
• Conclusion

System Safety Process: ARP 4761
[Figure: ARP 4761 process flow across Concept Development, Preliminary Design, Detailed Design and Design Validation & Verification]
• Aircraft FHA and System FHA: functions, hazards, effects, classifications
• PSSA: Aircraft FTA (qualitative; system budgets; intersystem dependencies) and System FTA (qualitative; subsystem budgets)
• SSA: System FTAs, System FMEAs, FMES (qualitative; failure rates)
• Quantitative methods feeding the PSSA and SSA: FTA, Dependence Diagrams (DD), Markov Analysis (MA)
• CCA (Common Cause Analysis): Particular Risk Analysis, Common Mode Analysis, Zonal Safety Analysis

System Description
• 4-bladed, single main rotor, NOTAR equipped
• Light helicopter / personal air vehicle use
• Upgrade of the MD500E with new rotor, engine, transmission, avionics and anti-torque system
• Cruise speed: 141 knots at 80% MCP
• Max range: 438 nm at 113 knots
• Payload: 1156 lb
• Improved safety and reliability at low cost (< $500K)
• Pegasus-2 follow-on: dual-mode (roadable)

System Description: Possible Pegasus Missions
• Personal travel: urban mobility, business travel, long-distance commuting, recreation, sports and leisure
• Government: emergency medical services, law enforcement, fire/rescue, military light utility/reconnaissance
• Commercial: media/traffic, air taxi, agricultural/farming/ranching, aerial tours, express package delivery, offshore oil rig transport
• Corporate: corporate transport, employee commuting, ferry service

System Description: Figure 1. PAV Mission Scenario
[Figure: function tree. Top-level functions: Preflight PAV, Operate PAV, Postflight PAV, Perform Mission, Maintain PAV.]
Lower-level functions shown in the figure: Perform Flight Planning; Perform Visual Inspections (Inspect Fuselage, Inspect Main Rotor, Inspect Engine, Inspect NOTAR, Inspect Avionics, Inspect Landing Gear, Inspect Cabin Area); Brief Safety Procedures; Load Passengers and Cargo; Refuel PAV; Start PAV; Unfold Blades; Start Engine; Perform BIT Checks; Increase throttle to 100%; Perform before-takeoff checks; Drive PAV on Ground (Accelerate PAV, Steer PAV, Stop PAV); Air/Ground Transition; Fold Blades; Activate ground controls; Start ground engine; Fly PAV; Hover/Taxi; Perform Takeoff; Climb; Cruise; Descend; Maintain Situational Awareness (Monitor Instruments, Navigate, Communicate, Maintain Traffic Avoidance); Manage System Failures (ID Failure, Perform Emergency Procedures, Recover Aircraft); Land PAV; Land Aircraft; Shutdown PAV; Perform shutdown; Stop Rotor; Unload Passengers/Cargo; Perform PAV Mission; Perform other Missions as needed; Perform Scheduled Maintenance (Exchange life-limited parts, Perform Inspections/Services, Perform Powerplant overhaul); Perform Unscheduled Maintenance (ID Fault, Perform Diagnostics, Replace failed component).

New Technologies
• Full Authority Digital Engine Control (FADEC)
• General Aviation Propulsion (GAP) engine
• Garmin GNS 530 avionics package
• Hanson Elastic Articulated Rotor Hub
• Aerofilter engine inlet barrier filter
• No-Tail-Rotor (NOTAR) anti-torque system

New Technologies: Full Authority Digital Engine Control
• Automatically controls fuel flow to the engine, reducing pilot workload
• Senses NG, NP, TGT, etc., to control fuel flow
• Easier starting, fault monitoring, eliminates hot starts and rotor RPM droop, and has auto-relight capability
• Dual redundant ECUs, so that a single ECU failure does not cause loss of automatic mode

New Technologies: General Aviation Propulsion (GAP) engine
• Developed by Williams and NASA Glenn
• 500 shp, 125 lb, 0.5068 SFC
• Allows room for growth
• Compatible with the current off-the-shelf transmission used on the MD520N

New Technologies: Garmin GNS 530 Avionics Package
• Integrated WAAS-upgradeable color moving-map GPS
• Integrated VHF-COM, VOR, localizer and glideslope
• Combines all essential navigation and communication functions
• With the GDL-49 datalink, displays NEXRAD weather radar information
• Integrates with the GTX-330 Mode S transponder to provide traffic avoidance information

New Technologies: Hanson Elastic Articulated Rotor Hub
• Bearingless, stiff-flexure design with an effective hinge offset of 10 degrees
• Slight forward sweep and matched lead-lag/flapping stiffness of the flexure eliminate the need for dampers
• Low control forces eliminate the need for hydraulics
• Auto-trim feature eases pilot workload and improves safety

New Technologies: Aerofilter Engine Inlet Barrier Filter
• Improved air induction system compared with the old swirl-tube technology
• Increases engine efficiency and power output, lowers turbine gas temperature (TGT) and fuel consumption (gph)
• Reduces engine wear and substantially increases engine life

New Technologies: No-Tail-Rotor (NOTAR) anti-torque system
• Safer, quieter and less fragile than a traditional tail-rotor anti-torque system
• Uses a tailboom slot, vertical fins and a direct thruster to control the aircraft
• Drawbacks: reduced efficiency and the additional horsepower needed to drive the NOTAR fan

Functional Hazard Assessment (FHA)
• Considers both loss of function and malfunction
• Identifies the failure condition for each phase of flight
• Establishes the derived safety requirements needed to limit the functional failure effects that drive the failure-condition classification

Functional Hazard Assessment (FHA): Levels
The FHA considered functions at two levels:
• Vehicle level: the overall aircraft was examined and top-level functions were considered
• System level: the system investigated further was the power plant (engine). For the system FHA, failure conditions were examined from the perspective of human failures, hardware failures, software failures and interaction with other systems

Functional Hazard Assessment (FHA): Functional Failure Conditions for the Function "Control Power"
• Loss of fuel flow control
• Inability to govern rotor speed
• Inability to limit engine torque
• Inability to limit engine temperature
• Inability to govern engine NP and NG speed
• Inability to monitor faults

Functional Hazard Assessment (FHA): Environmental
and Emergency Configurations and Conditions
• Engine inlet icing
• Snow/water ingestion
• Dust/sand/volcanic ash ingestion
• Salt water ingestion
• High density altitude / hot ambient temperature
• Electrical failure
• Fuel line failure

Functional Hazard Assessment (FHA): Aircraft Functions and Pegasus (Engine) Functions
Aircraft functions: Control Flight Path; Control Power; Control Vehicle on Ground; Provide Collision Avoidance; Provide Communication; Control Cabin Environment; Provide Spatial Orientation; Provide Crew/Passenger/Equipment Safety; Provide Navigation; Handle Cargo
Pegasus engine functions under Control Power: Control Fuel Flow; Govern Rotor Speed; Limit Engine Torque; Limit Engine Temperature; Govern NG and NP Speed; Monitor Faults

Functional Hazard Assessment (FHA): Aircraft FHA
Columns: (1) Function, (2) Failure Condition, (3) Phase, (4) Effect of Failure Condition on Aircraft/Crew, (5) Classification, (6) Reference to Supporting Material, (7) Verification. Verification for every row is the Aircraft FTA; the classification is given in parentheses after the phase.

Control Flight Path – Loss of Collective Control (including binding, feedback and sloppiness) [ref: Operator's Manual EPs]
• Hover/Taxi (Major): Throttle off, autorotate
• Take-off (Catastrophic): Manual throttle, reduce throttle to minimum rotor RPM, conduct running landing
• Cruise (Catastrophic): Manual throttle, reduce throttle to minimum rotor RPM, conduct running landing
• Landing (Catastrophic): Conduct running landing

Control Power – Engine Fail, a. Engine Out [ref: Emergency Procedures IAW Operator's Manual]
• Hover/Taxi (Major): Autorotate
• Take-off (Catastrophic): Autorotate
• Cruise (Hazardous): Autorotate, attempt restart
• Landing (Catastrophic): Autorotate

Control Vehicle on the Ground – Loss of Steering [ref: Operator's Manual]
• Ground mode (Minor): Stop vehicle, transition to air mode and fly to the nearest maintenance facility

Control Cabin Environment – Loss of heat/air conditioning [ref: Operator's Manual]
• All phases (No safety effect): Attempt to fix the system, adjust mission as necessary

Provide Spatial Orientation – Loss of aircraft gyros [ref: FAR/ATM]
• Hover/Taxi (No safety effect): Land, fix gyros
• Take-off (Minor): Return to airfield, fix gyros
• Cruise (Major): Continue to destination VFR, fix gyros; if IFR, inform ATC "no gyro" and request a ground-controlled approach
• Landing (Minor): Land, fix gyros

Provide Collision Avoidance – Pilot task overload [ref: FAR/ATM]
• Hover/Taxi (Minor): Land, revise mission
• Take-off (Minor): Abort takeoff, revise mission
• Cruise (Major): Land as soon as practicable
• Landing (Minor): Land

Provide Collision Avoidance – Reduced visibility [ref: ATM]
• Hover/Taxi (Minor): Land, refile for IFR
• Take-off (Minor): Prepare to switch to instruments
• Cruise (Minor): Prepare to switch to instruments
• Landing (Minor): Land

Provide Communication – Loss of radios [ref: FAR/ATM]
• Hover/Taxi (Minor): Land, fix radios
• Take-off (Minor): Go around, flash lights at the tower, follow light-gun instructions, land
• Cruise (VFR: Minor; IFR: Major): Attempt to fix radios, squawk 7600 on the transponder
• Landing (Minor): Follow light-gun instructions, land

Provide Navigation – GPS failure [ref: FAR/ATM]
• Hover/Taxi (No safety effect): Land, fix GPS
• Take-off (Minor): If mission critical, abort; otherwise transition to map
• Cruise (Minor): Troubleshoot GPS, transition to map
• Landing (No safety effect): Land, fix GPS

Provide Crew/Passenger/Equipment Safety – Cabin fire [ref: Operator's Manual EPs]
• Hover/Taxi (Hazardous): Land, egress cabin
• Take-off (Hazardous): Land, egress cabin
• Cruise (Catastrophic): Land as soon as possible, egress
• Landing (Hazardous): Land, egress cabin

Handle Cargo – Structural failure [ref: Operator's Manual EPs]
• Hover/Taxi (Major): Land, shut down aircraft
• Take-off (Major): Land, shut down aircraft
• Cruise (Major): Land as soon as possible
• Landing (Major): Land, shut down aircraft

Functional Hazard Assessment (FHA): System (Engine) FHA – Hardware
Function: Control Power. Failure condition: Engine Fail. Reference: Emergency Procedures IAW Operator's Manual (Operator's Manual EPs); verification: Aircraft FTA.

a. Engine Out (failure of combustion chamber to burn fuel)
• Hover/Taxi (Major): Autorotate
• Take-off (Catastrophic): Autorotate
• Cruise (Hazardous): Autorotate, attempt restart
• Landing (Catastrophic): Autorotate

b. Engine Chips (engine material failure)
• Hover/Taxi, Take-off, Cruise, Landing (Minor in each phase): Land as soon as possible

c. Compressor Stall (failure to compress air)
• Hover/Taxi (Minor): Reduce collective and land as soon as possible
• Take-off (Hazardous): Reduce collective and land as soon as possible
• Cruise (Hazardous): Reduce collective and land as soon as possible
• Landing (Minor): Reduce collective and land as soon as possible

d. Partial Failure
• Hover/Taxi (Minor): Land as soon as possible
• Take-off (Catastrophic): Land as soon as possible or autorotate
• Cruise (Major): Land as soon as possible or autorotate
• Landing (Catastrophic): Land as soon as possible or autorotate

e. Engine Deflagration
• While running (Catastrophic): High-speed objects inside/outside the vehicle impact crew/passengers

Engine Overspeed
• Hover/Taxi (Major): Autorotate
• Take-off (Major): Abort takeoff, perform manual throttle operations and land as soon as possible
• Cruise (Major): Perform manual throttle operations and land as soon as possible
• Landing (Major): Perform manual throttle operations and land as soon as possible

Functional Hazard Assessment (FHA): System (Engine) FHA – Software
Function: Engine Parameters Control. Failure condition: Mode Failure. Reference: Operator's Manual EPs; verification: Aircraft FTA.

a. Automatic Mode Failure
• Hover/Taxi (Major): Results in fixed fuel flow. Pilot should switch to manual mode and conduct a landing if necessary
• Take-off (Catastrophic): Results in fixed fuel flow. Pilot should switch to manual mode and conduct a landing if necessary
• Cruise (Hazardous): Results in fixed fuel flow. Pilot should switch to manual mode
• Landing (Catastrophic): Results in fixed fuel flow. Pilot should switch to manual mode and land the aircraft as soon as possible

b. Failure to Switch to Manual Mode
• Hover/Taxi (Major): Causes main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep automatic mode and land the aircraft if necessary
• Take-off (Catastrophic): Causes main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep automatic mode and land the aircraft if necessary
• Cruise (Hazardous): Causes main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep automatic mode
• Landing (Catastrophic): Causes main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep automatic mode to land the aircraft

Functional Hazard Assessment (FHA): System (Engine) FHA – Human Interaction
Function: Human interacts with powerplant. Reference: Operator's Manual / EPs; verification: FTA.

Failure to properly pre-flight or run-up aircraft (phase: Pre-flight; each item classified Hazardous)
• a. Failure to notice FOD: Partial or complete engine failure; pilot must enter an autorotative descent
• b. Failure to notice low fluid levels: Potential engine damage resulting from low fluid levels
• c. Failure to notice structural damage to engine: Partial or complete engine failure; pilot must enter an autorotative descent
• d. Failure to inspect electrical system: Partial or complete engine failure; pilot must enter an autorotative descent
• e. Failure to properly inspect HMU: Damaged HMU could affect fuel flow and lead to engine flame-out
• f. Failure to properly inspect fuel filter button: Clogged fuel filter could lead to engine flame-out
• g. Failure to properly monitor FADEC BITs: Unaware of FADEC malfunctions
• h. Failure to properly monitor start: Potential engine overtemperature

Failure to react to emergencies (all phases), a. Failure to react to loss of engine power
• Taxi (Major): Damage to engine and aircraft, and potential injury/fatality to crew; slow reaction in reducing collective results in rapid decay of rotor RPM
• Takeoff (Catastrophic): Damage to engine and aircraft, and potential injury/fatality to crew; slow reaction in reducing collective results in rapid decay of rotor RPM
• Cruise (Hazardous): Damage to engine and aircraft, and potential injury/fatality to crew; slow reaction in reducing collective results in rapid decay of rotor RPM
• Landing (Catastrophic): Damage to engine and aircraft, and potential injury/fatality to crew

PSSA Inputs
The following set of safety (availability, integrity, installation) requirements was derived from the aircraft and system FHAs and the Common Cause Analysis, based on an average flight duration of 3.5 hours (so a target of 1E-9 per flight hour becomes 3.5E-9 per flight, and 1E-7 per flight hour becomes 3.5E-7 per flight).

PSSA Inputs: Hardware-Based Safety Requirements
1. Loss of all engine power (engine out) during takeoff or landing shall be less than 3.5E-9 per flight.
2. Occurrence of engine compressor stall during takeoff or cruise shall be less than 3.5E-7 per flight.
3. Occurrence of engine deflagration shall be less than 3.5E-9 per flight.
4. Engine under-speed during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
5. Engine fire during all phases of flight shall be less than 3.5E-7 per flight, and during takeoff and landing less than 3.5E-9 per flight.
6. FADEC failure during cruise shall be less than 3.5E-7 per flight; during takeoff and landing FADEC failure shall be less than 3.5E-9 per flight.
7. FADEC fixed (fixed fuel flow) during cruise shall be less than 3.5E-7 per flight.
During takeoff and landing FADEC fixed shall be less than 3.5E-9 per flight.
8. Fuel filter clogged/bypass during flight shall be less than 3.5E-7 per flight.
9. Loss of fuel flow to the engine during flight shall be less than 3.5E-9 per flight.

PSSA Inputs: Software-Based Safety Requirements
1. FADEC AUTO mode failure during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
2. Failure to switch to manual mode during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
3. FADEC false engine-out indication during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
4. FADEC loss of automatic flameout detection and relight capability during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
5. Loss of fault monitoring during flight shall be less than 3.5E-7 per flight.

PSSA Inputs: Human-Based Safety Requirements
1. Failure to pre-flight shall be less than 3.5E-7 per flight.
2. Failure to properly react to loss of engine power during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
3. Failure to properly react to engine under-speed during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
4. Failure to properly react to engine fire during taxi and cruise shall be less than 3.5E-7 per flight, and during takeoff and landing less than 3.5E-9 per flight.
5. Failure to properly react to FADEC failure during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight.
6. Failure to properly react to a false engine-out warning during takeoff, cruise and landing shall be less than 3.5E-7 per flight.
7. Failure to observe engine instruments during landing shall be less than 3.5E-7 per flight.
8. Failure to notice sensory indications during takeoff shall be less than 3.5E-7 per flight.
9. Failure to properly manage fuel during takeoff and landing shall be less than 3.5E-9 per flight.
10. Failure of maintenance personnel to reconnect fittings shall be less than 3.5E-9 per flight.
11. Failure to properly perform maintenance inspections or services shall be less than 3.5E-9 per flight.
12. Failure to properly latch cowlings shall be less than 3.5E-9 per flight.

Safety Requirements / Design Decisions
Columns: Safety Requirement | Design Decisions | Remarks

1. Failure to properly react to FADEC failure during takeoff and landing shall be less than 3.5E-9 per flight (liveware based).
   Design decisions: The FADEC system shall be redundant, and no single event shall bypass the system's redundancy or independence. The FADEC shall be designed and installed in such a way that FADEC failure is extremely unlikely.
   Remarks: Takeoff and landing are where a FADEC failure is most critical, so failure to react properly during these phases must be minimized. Extra pilot training and awareness during these phases will be extremely important.

2. Maintenance personnel leaving tools in the engine compartment shall be less than 3.5E-9 per flight (liveware based).
   Design decisions: Maintenance equipment and storage shall be considered an integral part of the overall system; safety and best-practice techniques shall be used to the maximum extent possible.
   Remarks: This failure must be completely eliminated. Extra training and safety programs should be implemented, and the system will have safety features built in, such as colors that contrast with tools.

3. FADEC failure during takeoff and landing shall be less than 3.5E-9 per flight (hardware based).
   Design decisions: The FADEC ECU shall be dual redundant. All FADEC hardware will be of fail-safe design; the HMU fails safe open to give the pilot a manual-control option.
   Remarks: Again, takeoff and landing are where total FADEC failure leaves the least reaction time. Systems in parallel are key to ensuring safety.

4. Loss of fuel flow to the engine during flight shall be less than 3.5E-9 per flight (hardware based).
   Design decisions: The main considerations are fuel pump failure and a clogged fuel filter. Design redundancy into both to preclude failure: use two fuel pumps, one engine-driven and one fuel boost pump, so that failure of either does not fail the system; if the fuel filter becomes clogged, provide a fail-safe bypass valve with an indication to the pilot.

5. Failure to switch to manual mode during takeoff and landing shall be less than 3.5E-9 per flight, and during cruise less than 3.5E-7 per flight (software based).
   Design decisions: Failure of the FADEC software to switch automatically to manual mode when automatic mode fails would require extremely quick pilot reaction, especially during takeoff and landing. Use dual redundant ECUs and a fail-safe backup through the HMU.
   Remarks: Two ECUs backing each other up provide even greater reliability (parallel systems), and the HMU going full open (dependent on throttle position) on automatic-mode failure provides triple redundancy.

6. FADEC gives a false engine-out indication: shall be less than 3.5E-9 per flight during takeoff and landing, and less than 3.5E-7 per flight during cruise (software based).
   Design decisions: A false engine-out indication could cause the pilot to take inappropriate action, possibly leading to engine/transmission damage or a crash sequence. Dual redundancy of the ECUs reduces this probability to within an acceptable range.
   Remarks: Dual ECUs provide greater reliability. Human interaction was considered: pilot training in analyzing failure conditions and responding appropriately greatly reduces the severity of this failure condition.

Dependence Diagrams: Fuel System
[Figure: dependence diagram. Blocks: Fuel Tank; Fuel Line; Engine Driven Fuel Pump in parallel with Fuel Boost Pump; Fuel Filter in parallel with Fuel Filter Bypass; Fuel Governor; Air Inlet; Compressor; and the mitigating paths Pilot Controls Fuel Flow, FADEC Alleviates Stall Condition and Pilot Performs Autorotation.]

Dependence Diagrams: FADEC System
[Figure: dependence diagram. Blocks: FADEC sensor inputs (NP, NG, rotor RPM, collective position, CIT, engine torque, ambient conditions); Aircraft Electrical Power; Permanent Magnet Alternator; FADEC Switch; FADEC Solenoid; ARINC Interface; FADEC Controls Fuel Flow; FADEC Gives Proper Indication to Pilot; Manual Mode (Pilot Controls); Pilot Gives Proper Response to Indication.]

Dependence Diagrams: Human Interaction
[Figure: dependence diagram. Blocks: Maintenance personnel perform inspections, reconnect fittings, clean up tools, latch cowlings, take oil samples, flush engine and calibrate tools; Pilot Conducts Pre-flight Inspections; Pilot Conducts Post-flight Inspections.]

Fault Tree Analysis: Aircraft Level
• FTA developed for the catastrophic failures identified in the FHA
• Engine Failure selected for system-level analysis

Fault Tree Analysis: System Level – Engine Out
Probabilities are per flight. Gate types are inferred from the printed values: sums at OR gates, products at AND gates.

1 Engine Out – combustion chamber does not burn fuel: 5.9E-10 (OR)
  1.1 Structural failure: 1.3E-10 (OR)
    1.1.1 Loss of components: 6.7E-11
    1.1.2 Cracks/defects in chamber housing: 6.7E-11
  1.2 Human failure – pilot cuts engine: 1.3E-10 (OR)
    1.2.1 Pilot inadvertently rolls throttle off: 6.7E-11
    1.2.2 Pilot reacts incorrectly to emergency: 6.7E-11
  1.3 Physical failure: 3.3E-10 (OR)
    1.3.1 Loss of fuel flow: 2E-10 (OR)
      1.3.1.1 Filter failure: 4.5E-17 (AND)
        1.3.1.1.1 Clogged fuel filter: 6.7E-9
        1.3.1.1.2 Clogged filter bypass: 6.7E-9
      1.3.1.2 Empty fuel tank: 6.7E-11
      1.3.1.3 FADEC cuts fuel flow: 6.7E-11
      1.3.1.4 Fuel line failure: 6.7E-11
      1.3.1.5 Pump failure: 4.5E-17 (AND)
        1.3.1.5.1 Boost pump failure: 6.7E-9
        1.3.1.5.2 Engine driven pump failure: 6.7E-9
    1.3.2 Loss of air flow: 1.3E-10 (OR)
      1.3.2.1 Compressor stall: 6.7E-11
      1.3.2.2 Clogged air inlet: 6.7E-11

Markov Analysis: Introduction
• Markov analysis looks at a sequence of events and analyzes the tendency of one event to be followed by another
• Markov analysis provides a means of analyzing the reliability and availability of systems whose components exhibit strong dependencies
• Typical dependencies that Markov models can handle: components in cold or warm standby; common maintenance personnel; common spares with a limited on-site stock

Markov Analysis: Parallel Repairable System
[Figure: state diagram for two parallel components A and B. States: (1,1) both operating, (1,0) B failed, (0,1) A failed, (0,0) both failed. Transition rates: $\lambda_1$, $\lambda_2$ (failure of A, B), $\mu_1$, $\mu_2$ (repair of A, B), $\lambda_c$ (common-cause failure of both), $\mu_c$ (common recovery).]

With $P_4$, $P_3$, $P_2$, $P_1$ the probabilities of states (1,1), (1,0), (0,1), (0,0), the state equations are

$$\frac{dP_4(t)}{dt} = -(\lambda_1+\lambda_2+\lambda_c)\,P_4(t) + \mu_1 P_2(t) + \mu_2 P_3(t) + \mu_c P_1(t)$$

$$\frac{dP_3(t)}{dt} = \lambda_2 P_4(t) + \mu_1 P_1(t) - (\lambda_1+\mu_2)\,P_3(t)$$

$$\frac{dP_2(t)}{dt} = \lambda_1 P_4(t) + \mu_2 P_1(t) - (\lambda_2+\mu_1)\,P_2(t)$$

$$\frac{dP_1(t)}{dt} = -(\mu_1+\mu_2+\mu_c)\,P_1(t) + \lambda_1 P_3(t) + \lambda_2 P_2(t) + \lambda_c P_4(t)$$

The four right-hand sides sum to zero, so $P_1+P_2+P_3+P_4 = 1$ is preserved.
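The system-level Engine Out fault tree above can be evaluated mechanically. The Python below is an example added to this page, not the team's FTA tool: it encodes the tree with the per-flight leaf probabilities printed on it, treats each gate as OR (at least one independent input occurs) or AND (all inputs occur) as inferred from the printed values, computes the top-event probability, compares it with hardware requirement 1 (engine out < 3.5E-9 per flight), and enumerates the minimal cut sets. The gate kinds and the 3.5E-9 budget are the only inputs not printed on the tree itself.

```python
"""Evaluate the system-level Engine Out fault tree from the slides.

Example code added to this page; it is not the team's FTA tool.  Gate types
are inferred from the probabilities printed on the tree (OR gates sum their
inputs, AND gates multiply them); leaf values are the per-flight
probabilities printed there.
"""
from itertools import product


class Event:
    """Basic event with a per-flight probability."""

    def __init__(self, eid, name, p):
        self.id, self.name, self.p = eid, name, p

    def prob(self):
        return self.p

    def cut_sets(self):
        return {frozenset([self.id])}


class Gate:
    """OR/AND gate over independent inputs (events or other gates)."""

    def __init__(self, gid, name, kind, inputs):
        assert kind in ("OR", "AND")
        self.id, self.name, self.kind, self.inputs = gid, name, kind, inputs

    def prob(self):
        ps = [x.prob() for x in self.inputs]
        if self.kind == "AND":
            r = 1.0
            for p in ps:
                r *= p
            return r
        q = 1.0                       # P(no input occurs), inputs independent
        for p in ps:
            q *= 1.0 - p
        return 1.0 - q

    def cut_sets(self):
        child = [x.cut_sets() for x in self.inputs]
        if self.kind == "OR":
            sets = set().union(*child)
        else:                         # AND: one cut set from each input, merged
            sets = {frozenset().union(*combo) for combo in product(*child)}
        return minimal(sets)


def minimal(sets):
    """Drop any cut set that strictly contains another one."""
    return {s for s in sets if not any(o < s for o in sets)}


def engine_out_tree():
    """The Engine Out tree as labelled on the slide (ids and per-flight values)."""
    E = Event
    filter_fail = Gate("1.3.1.1", "Filter failure", "AND", [
        E("1.3.1.1.1", "Clogged fuel filter", 6.7e-9),
        E("1.3.1.1.2", "Clogged filter bypass", 6.7e-9)])
    pump_fail = Gate("1.3.1.5", "Pump failure", "AND", [
        E("1.3.1.5.1", "Boost pump failure", 6.7e-9),
        E("1.3.1.5.2", "Engine driven pump failure", 6.7e-9)])
    fuel = Gate("1.3.1", "Loss of fuel flow", "OR", [
        filter_fail,
        E("1.3.1.2", "Empty fuel tank", 6.7e-11),
        E("1.3.1.3", "FADEC cuts fuel flow", 6.7e-11),
        E("1.3.1.4", "Fuel line failure", 6.7e-11),
        pump_fail])
    air = Gate("1.3.2", "Loss of air flow", "OR", [
        E("1.3.2.1", "Compressor stall", 6.7e-11),
        E("1.3.2.2", "Clogged air inlet", 6.7e-11)])
    structural = Gate("1.1", "Structural failure", "OR", [
        E("1.1.1", "Loss of components", 6.7e-11),
        E("1.1.2", "Cracks/defects in chamber housing", 6.7e-11)])
    human = Gate("1.2", "Human failure - pilot cuts engine", "OR", [
        E("1.2.1", "Pilot inadvertently rolls throttle off", 6.7e-11),
        E("1.2.2", "Pilot reacts incorrectly to emergency", 6.7e-11)])
    physical = Gate("1.3", "Physical failure", "OR", [fuel, air])
    return Gate("1", "Engine out: combustion chamber does not burn fuel",
                "OR", [structural, human, physical])


def single_point_failures(tree):
    """Identifiers of basic events that alone cause the top event."""
    return sorted(next(iter(s)) for s in tree.cut_sets() if len(s) == 1)


def budget_check(tree, budget=3.5e-9):
    """Top-event probability and whether it meets the per-flight budget
    (hardware requirement 1: engine out < 3.5E-9 per flight)."""
    p = tree.prob()
    return p, p < budget


if __name__ == "__main__":
    tree = engine_out_tree()
    p, ok = budget_check(tree)
    print(f"P(engine out) = {p:.2e} per flight, within 3.5E-9 budget: {ok}")
    print("single-point failures:", single_point_failures(tree))
    print("two-event cut sets:", [sorted(s) for s in tree.cut_sets() if len(s) == 2])
```

With the rounded leaf values printed on the tree the top event comes out at about 6.0E-10 per flight, against the 5.9E-10 shown on the slide; the gap is within the rounding of the printed values, and both are well inside the 3.5E-9 budget. The cut-set listing makes the redundancy argument of the design decisions concrete: only the pump pair and the filter/bypass pair need two events, and every other leaf is a single-point failure.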
Markov state equation (the rate symbols and their state subscripts, 2 1 1 2 4 2 1 1 1 1 2 c 1 1 2 2 3 c, did not survive extraction): dP(t)/dt = ( ) P(t) P(t) P(t) P(t)

Markov Analysis: MA vs. FTA

| | Markov Analysis (MA) | Fault Tree Analysis (FTA) |
|---|---|---|
| System size | Small system | Large system |
| Events | Dependent events | Independent events |
| Failure rate | Inconstant failure rate (λ depends on time) | Constant failure rate (λ = 10^-6) |
| Repairable systems | Yes | No |
| Non-repairable systems | Yes | Yes |

[Diagram: two-state Markov chain example for dependent events (Head/Tail; today/tomorrow, this time/next time) with transition probabilities 20%, 40%, 5% and 35%]

Markov Analysis: FADEC Fail (System FHA extract)

Function: Engine parameters control

| Failure condition | Phase | Effect of failure condition on aircraft/crew | Classification | Reference to supporting material | Verification |
|---|---|---|---|---|---|
| c. Manual mode failure | Hover/Taxi | HMU will default to the maximum fuel flow attainable. Pilot must coordinate throttle and collective inputs, and land the aircraft if it is necessary | Hazardous (p < 10^-7 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |
| c. Manual mode failure | Take-off | HMU will default to the maximum fuel flow attainable. Pilot must coordinate throttle and collective inputs, and land the aircraft if it is necessary | Hazardous (p < 10^-7 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |
| c. Manual mode failure | Cruise | HMU will default to the maximum fuel flow attainable. Pilot must coordinate throttle and collective inputs | Major (p < 10^-5 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |
| c. Manual mode failure | Landing | HMU will default to the maximum fuel flow attainable. Pilot must coordinate throttle and collective inputs | Major (p < 10^-5 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |
| d. Total loss of FADEC (both automatic and manual mode failure: ECU, PMA, HMU, other components) | Hover/Taxi | Crew is unable to control the engine. Land the aircraft as soon as possible | Catastrophic (p < 10^-9 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |
| d. Total loss of FADEC (both automatic and manual mode failure: ECU, PMA, HMU, other components) | Take-off | Crew is unable to control the engine. Land the aircraft as soon as possible | Catastrophic (p < 10^-9 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |
| d. Total loss of FADEC (both automatic and manual mode failure: ECU, PMA, HMU, other components) | Cruise | Crew is unable to control the engine. Land the aircraft as soon as possible | Catastrophic (p < 10^-9 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |
| d. Total loss of FADEC (both automatic and manual mode failure: ECU, PMA, HMU, other components) | Landing | Crew is unable to control the engine. Land the aircraft as soon as possible | Catastrophic (p < 10^-9 per flight hour) | Operator's Manual EPs; Aircraft FTA | System FHA |

Human Reliability: Personnel Leave Tools in Engine Compartment (System FHA extract)

Function: Failure to perform proper maintenance procedures

| Failure condition | Phase | Effect of failure condition on aircraft/crew | Classification | Reference to supporting material | Verification |
|---|---|---|---|---|---|
| a. Failure to reconnect fittings | Maintenance | Damaged lines or significant fluid leakages may occur | Catastrophic | | System FHA |
| b. Maintenance personnel leave tools in engine compartment | Maintenance | FOD ingestion or significant structural damage | Catastrophic | Recovery: maintenance personnel realize the tool; pilot realizes the tool | System FHA |
| c. Failure to properly perform maintenance inspections or services | Maintenance | Oil samples not taken or observed could lead to poor engine performance or failure. Misdiagnosis or failure to locate potential problems could result in engine failure | Catastrophic | | System FHA |
| d. Cowlings not latched properly | Maintenance | Structural damage to aircraft; potential of cowling breaking off in flight | Catastrophic | | System FHA |

Markov Analysis: FADEC Fail

• FADEC system: ECU (automatic mode, manual mode), HMU, PMA, other components
• Level 1: Total FADEC fail
  – λf: FADEC failure rate
  – μf: FADEC repair rate
  – State 1: operational; state 0: failed
  – FADEC failure due to ECU
• Level 2: FADEC automatic mode fail
  – Loss of ECU, loss of HMU, loss of PMA, loss of other components
  – FADEC automatic mode failure rate: λE + λH + λP + λO
• Level 3: Loss of ECU ability to command FADEC
  – λ: loss of one ECU
  – μ: ECU repair rate
  – λc: loss of aircraft electrical to both ECUs
  – μc: electrical recovery rate
  – State 1: operational; state 0: failed

Markov Analysis: Human Reliability

• Personnel leave tools in engine compartment
  – λ1: maintenance personnel does not recover the tools
  – λ2: pilot does not recover the tools
  – μc: recovery rate (0)
  – State 1: operational; state 0: failed

Markov Analysis Results

• FADEC Fail, non-repairable condition

| Model name | Failure rate (per hour) | MTTF (hours) | Reliability (100 hours) |
|---|---|---|---|
| Main | 0.000002686789 | 372191.4895 | 0.9999620796 |
| ECU | 0.000003779965 | 264552.7141 | 0.999983482 |
| Channel | 0.0000073 | 136986.3014 | 0.9992702664 |

• FADEC Fail, repairable condition

| Model name | Failure rate (per hour) | Recovery rate (per hour) | Availability | Unavailability | MTTR (hours) | MTTF (hours) | Annual downtime (hours) |
|---|---|---|---|---|---|---|---|
| Main | 0.000000746052 | 1.0000292 | 0.999999254 | 0.00000074603 | 0.9999708 | 1340389.1417756 | 0.0065352 |
| ECU | 0.000003730037 | 0.5000146 | 0.9999925402 | 0.0000074598 | 1.99994160171 | 268093.85536926300 | 0.06534784800 |
| Channel | 0.00000730002 | 0.6239316239 | 0.9999883001 | 0.000011699895 | 1.6027397261 | 136985.9260659560 | 0.1024910802 |

• Human Reliability

| Model name | Failure rate (per hour) | MTTF (hours) | Reliability (100 hours) |
|---|---|---|---|
| Human_Interaction | 0.000001000099 | 999901.0098 | 0.999999982 |
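The steady-state figures in the repairable-condition table above follow directly from the two-state Markov model (operational and failed states, constant failure rate λ and recovery rate μ). The following is an added example, not code from the Pegasus team: it recomputes availability, unavailability, MTTR, MTTF and annual downtime from each row's rates, gives the transient availability A(t), and checks the non-repairable MTTF and R(100 h) for the Channel row; it assumes 8760 hours per year, which is what the page's downtime column implies.

```python
"""Two-state repairable Markov model (operational <-> failed)."""
from math import exp

HOURS_PER_YEAR = 8760.0  # assumption: 365 days x 24 h (what the page's downtime column implies)


def repairable_steady_state(lam: float, mu: float) -> dict:
    """Steady state of the chain operational --lam--> failed --mu--> operational.

    Balance equation pi_up * lam = pi_down * mu with pi_up + pi_down = 1 gives
    availability = mu / (lam + mu) and unavailability = lam / (lam + mu).
    """
    s = lam + mu
    unavailability = lam / s
    return {
        "availability": mu / s,
        "unavailability": unavailability,
        "mttr_hours": 1.0 / mu,    # mean time to repair
        "mttf_hours": 1.0 / lam,   # mean time to failure
        "annual_downtime_hours": unavailability * HOURS_PER_YEAR,
    }


def transient_availability(lam: float, mu: float, t: float) -> float:
    """A(t) for the same chain when the system starts operational at t = 0:
    A(t) = mu/(lam+mu) + lam/(lam+mu) * exp(-(lam+mu) t), decaying to the
    steady-state availability."""
    s = lam + mu
    return mu / s + (lam / s) * exp(-s * t)


def non_repairable(lam: float, t: float) -> dict:
    """Constant failure rate, no repair: R(t) = exp(-lam t) and MTTF = 1/lam."""
    return {"mttf_hours": 1.0 / lam, "reliability": exp(-lam * t)}


if __name__ == "__main__":
    # Rates copied from the page's 'FADEC Fail, repairable condition' table.
    rows = [("Main", 7.46052e-7, 1.0000292),
            ("ECU", 3.730037e-6, 0.5000146),
            ("Channel", 7.30002e-6, 0.6239316239)]
    for name, lam, mu in rows:
        print(name, repairable_steady_state(lam, mu))
        print(name, "A(t = 1 h) =", transient_availability(lam, mu, 1.0))
    # Non-repairable Channel row: 0.0000073 per hour, evaluated at 100 h.
    print("Channel (no repair):", non_repairable(7.3e-6, 100.0))
```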
PRISM Reliability

Reliability goal: MTBF = 80 hrs
– Allows some comparison between PAV and automobiles
– Feasible given the new technologies and the "conservative" PGE estimate
– Best available: MTBF = 103 hrs
– The only way to test the goal is to run a Monte Carlo simulation
– PRISM Pareto charts indicate all sub-systems are significant.

PRISM Reliability: sub-system failure-rate budgets (F/MCH)

| Sub-system | Minimum | Target | Max |
|---|---|---|---|
| Airframe | 69.01 | 89.52 | 138.02 |
| Avionics | 17.75 | 23.03 | 35.50 |
| Drive | 60.31 | 78.24 | 120.62 |
| Electrical | 44.48 | 57.70 | 88.96 |
| Engine Installation | 7.55 | 9.79 | 15.10 |
| Flight Controls | 44.95 | 58.31 | 89.90 |
| Fuel | 26.09 | 33.85 | 52.18 |
| Instruments | 65.82 | 85.39 | 131.64 |
| Landing Gear | 41.81 | 54.24 | 83.62 |
| Rotor | 39.09 | 50.71 | 78.18 |
| NOTAR | 25.24 | 32.74 | 50.48 |
| Propulsion | 67.89 | 88.07 | 135.78 |
| Utility/ECS | 39.99 | 51.88 | 79.98 |
| Total | 549.98 | 713.47 | 1099.96 |
| Sub-system MTBF (hours) | 103.78 | 80.00 | 51.89 |

[Pareto chart of sub-system failure rate with cumulative percent, in descending order: Airframe, Propulsion, Instruments, Drive, Flight Control, Electrical, Landing Gear, Utility/ECS, Rotor, Fuel, NOTAR, Avionics, Engine Installation]

Monte Carlo Simulation

• Assume all input variables (sub-systems) have a Weibull distribution, based upon a minimum failure rate, "most likely," and a maximum failure rate.
• Run a simulation of 5,000 iterations to generate a frequency and probability distribution.
• Repeat the simulation 200 times and record the variability.

Monte Carlo Results

[Overlay chart, frequency comparison: sampled failure-rate distributions for Airframe, Engine Installation, Utility/ECS, Drive and Landing Gear, and the resulting MTBF, with a fitted normal distribution of mean = 76.65 and std dev = 3.25]
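The simulation procedure above (sample each sub-system's failure rate, sum, convert to MTBF, repeat the run to measure variability) as an added example; it is not the slides' model. It assumes a triangular distribution on (minimum, maximum) with mode at the target in place of the page's fitted Weibull, that sub-system rates add (series system), and that MTBF = K / total rate with K = 80 × 713.47, the constant implied by the page's target row.

```python
"""Monte Carlo estimate of system MTBF from sub-system failure-rate budgets."""
import random
import statistics

# (minimum, target, maximum) failure rate in F/MCH, copied from the PRISM table.
BUDGETS = {
    "Airframe": (69.01, 89.52, 138.02), "Avionics": (17.75, 23.03, 35.50),
    "Drive": (60.31, 78.24, 120.62), "Electrical": (44.48, 57.70, 88.96),
    "Engine Installation": (7.55, 9.79, 15.10), "Flight Controls": (44.95, 58.31, 89.90),
    "Fuel": (26.09, 33.85, 52.18), "Instruments": (65.82, 85.39, 131.64),
    "Landing Gear": (41.81, 54.24, 83.62), "Rotor": (39.09, 50.71, 78.18),
    "NOTAR": (25.24, 32.74, 50.48), "Propulsion": (67.89, 88.07, 135.78),
    "Utility/ECS": (39.99, 51.88, 79.98),
}
# Assumption: MTBF [h] x total failure rate, inferred from the target row (80 h at 713.47).
K = 80.0 * 713.47


def mtbf_from_rates(rates):
    """Series system: sub-system failure rates add, MTBF is inversely proportional."""
    return K / sum(rates)


def simulate(iterations, rng=None):
    """One Monte Carlo run. Assumption: each sub-system rate is triangular on
    (min, max) with mode at the target, standing in for the page's fitted Weibull."""
    rng = rng if rng is not None else random.Random(0)  # fixed seed for repeatability
    samples = []
    for _ in range(iterations):
        rates = [rng.triangular(lo, hi, mode) for lo, mode, hi in BUDGETS.values()]
        samples.append(mtbf_from_rates(rates))
    return samples


def summarize(samples, goal=80.0):
    """Mean, standard deviation and P(MTBF <= goal) of one run."""
    return {"mean": statistics.fmean(samples),
            "std_dev": statistics.stdev(samples),
            "p_at_most_goal": sum(s <= goal for s in samples) / len(samples)}


def bootstrap(runs, iterations, seed=0):
    """Repeat the whole simulation `runs` times to see how stable the statistics are."""
    rng = random.Random(seed)
    stats = [summarize(simulate(iterations, rng)) for _ in range(runs)]
    means = [s["mean"] for s in stats]
    sds = [s["std_dev"] for s in stats]
    return {"mean_of_means": statistics.fmean(means), "sd_of_means": statistics.stdev(means),
            "mean_of_sds": statistics.fmean(sds), "sd_of_sds": statistics.stdev(sds)}


if __name__ == "__main__":
    print(summarize(simulate(5000, random.Random(1))))  # the page's 5,000-iteration run
    print(bootstrap(200, 5000))                          # the page's 200 repetitions
```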
[Overlay chart panels, continued: Electrical, Rotor, Engine Installation, NOTAR, Propulsion, Fuel, Instruments, Flight Controls]

MTBF normally distributed: mean 76.65, std dev 3.25
95% CI: (70.28, 83.01)
P(MTBF <= 80): 0.8487
P(MTBF = 80): 0.0722

Bootstrap Results

• Repeated simulation 200 times
• Summary statistics for MTBF

| Statistic | Mean | Std Dev |
|---|---|---|
| MTBF mean | 76.67 | 0.04 |
| MTBF std dev | 3.24 | 0.03 |

Monte Carlo Conclusions

May not be able to achieve an MTBF of 80, but can achieve one above 70, which is a vast improvement over current rotary wing platforms.

Certification Process

– Supplemental Type Certificate (STC) application
– Systems requiring certification:
  • Rotor
    – Hub assembly
    – Blade and flexure assembly
  • Engine
– Applicable FAR Parts:
  • 27: Normal Category Rotorcraft
  • 21: Products and Parts
  • 33: Aircraft Engines
  • 36: Aircraft Noise
– DERs (FAA Order 8110.37A): Structural Engineering DER, Powerplant/Engine DER, Systems and Equipment DER, Rotor DER, Flight Analyst DER, Flight Test Pilot DER, Acoustical DER

Certification Process

• Design
• Analysis
• Testing
• Other
– Time and cost saved in upgrade
– DER checklists
– Requirements by phase

Flight Test Pilot DER Checklist

| Test # | FAR Sect. | Subpart / Discipline | Requirement |
|---|---|---|---|
| 1 | 21.35 | Flight / General | Flight tests |
| 2 | 21.39 | Flight / General | Flight test instrument calibration |
| 3 | 27.45 | Performance | General |
| 4 | 27.51 | Performance | Takeoff |
| 5 | 27.65 | Performance | Climb: all engines operating |
| 6 | 27.67 | Performance | Climb: one engine inoperative |
| 7 | 27.71 | Performance | Autorotation performance |
| 8 | 27.75 | Performance | Landing |
| 9 | 27.79 | Performance | Limit height-speed envelope |
| 10 | 27.143 | Flight Characteristics | Controllability and maneuverability |
| 11 | 27.151 | Flight Characteristics | Flight controls |
| 12 | 27.161 | Flight Characteristics | Trim control |
| 13 | 27.171 | Flight Characteristics | General stability |
| 14 | 27.173 | Flight Characteristics | Static longitudinal stability |
| 15 | B27.6 | Flight Characteristics | Dynamic stability |
| 16 | 27.251 | Flight Characteristics | Vibration |
| 17 | 27.177 | Flight Characteristics | Static directional stability |
| 18 | 27.235 | Ground Handling Characteristics | Taxiing condition |
| 19 | 27.241 | Ground Handling Characteristics | Ground resonance |
| 20 | 27.672 | Control Systems | Stability augmentation system, boost |
| 21 | 27.673 | Control Systems | Primary flight controls |
| 22 | 27.674 | Control Systems | Interconnected controls |
| 23 | 27.675 | Control Systems | Control stops and limits |
| 24 | 27.683 | Control Systems | Control operational tests |
| 25 | 27.771 | Personnel and Cargo | Pilot compartment |
| 26 | 27.773 | Personnel and Cargo | Pilot compartment view |
| 27 | 27.777 | Personnel and Cargo | Cockpit controls |
| 28 | 27.779 | Personnel and Cargo | Motion effect of cockpit controls |
| 29 | 27.1303 | Equipment / General | Flight navigation equipment |
| 30 | 27.1321 | Equipment / General | Instrument installation, cockpit arrangement visibility |
| 31 | 27.1322 | Equipment / General | Warning caution panel |
| 32 | 27.1329 | Equipment / General | Autopilot |
| 33 | 27.1335 | Equipment / General | Flight director system |
| 34 | 27.1435 | Equipment / General | Hydraulic system |
| 35 | 27.1459 | Equipment / General | Flight recorder |
| 36 | 27.1501 | Operational Limits | General |
| 37 | 27.1503 | Operational Limits | Airspeed limits |
| 38 | 27.1505 | Operational Limits | Velocity never exceed (VNE) |
| 39 | 27.1525 | Operational Limits | OPN types VFR/IFR/Day/Night |
| 40 | 27.1527 | Operational Limits | Maximum operational altitude |
| 41 | 27.1543 | Operational Limits | Instrument markings |

Conclusion

Pegasus = Disruptive Technology