Certification and Avionics MIT ICAT Prof. R. John Hansman
advertisement
MIT ICAT Certification and Avionics Prof. R. John Hansman MIT International Center for Air Transportation MIT ICAT y Safety Targets/Standards Civil Air Carrier Civil General Aviation Military y Safety FAR Part 25 FAR Part 23 Mil Spec Safety Components Vehicle Airworthiness Training and Operating Procedures Maintenance Culture Quality Management Processes Incident Reporting Accident Investigation Liability y Design Philosophy Fail Safe Fail Operational FAR Part 121 (JAR) FAR Part 91 MIT ICAT (Courtesy of Boeing Corporation. Used with permission.) MIT ICAT (Courtesy of Boeing Corporation. Used with permission.) MIT ICAT (Courtesy of Boeing Corporation. Used with permission.) MIT ICAT (Courtesy of Boeing Corporation. Used with permission.) MIT ICAT (Courtesy of Boeing Corporation. Used with permission.) MIT ICAT (Courtesy of Boeing Corporation. Used with permission.) MIT ICAT (Courtesy of Boeing Corporation. Used with permission.) MIT ICAT Certification y Civil Certificate of Airworthiness (i.e. Certification) Guarantee to the public that the aircraft is airworthy to some standard Operational Approval Operating Certificate Ð Equipment Ð Procedures Ð Training y Military Procurement y Space Man Rated MIT ICAT Certification y Aircraft Certificate of Airworthiness Standard Type Certificate (STC) Categories Air Carrier Normal Utility Experimental Rotorcraft LTA Others MIT ICAT Certification y Component Certificate of Airworthiness Engines Propellers Parts Instruments y Component (Parts & Instruments) Standards Technical Service Order (TSO) Minimum Operational Performance Specification (MOPS) y Software Standards RTCA DO-178B y Continued Airworthiness Inspections Maintenance MIT ICAT Certification y Airline Operating Certificate - Part 121 Procedures Training Airports Aircraft Management MIT ICAT Federal Aviation Regulations y Part 1 - DEFINITIONS AND ABBREVIATIONS y Part 11 - GENERAL RULEMAKING PROCEDURES y Part 21 - CERTIFICATION PROCEDURES FOR PRODUCTS AND PARTS y Part 23 - AIRWORTHINESS STANDARDS: NORMAL, UTILITY, ACROBATIC, AND COMMUTER CATEGORY AIRPLANES y Part 25 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES y Part 27 - AIRWORTHINESS STANDARDS: NORMAL CATEGORY ROTORCRAFT y Part 29 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY ROTORCRAFT y Part 31 - AIRWORTHINESS STANDARDS: MANNED FREE BALLOONS y Part 33 - AIRWORTHINESS STANDARDS: AIRCRAFT ENGINES y Part 34 - FUEL VENTING AND EXHAUST EMISSION REQUIREMENTS FOR TURBINE ENGINE POWERED AIRPLANES y Part 35 - AIRWORTHINESS STANDARDS: PROPELLERS y Part 36 - NOISE STANDARDS: AIRCRAFT TYPE AND AIRWORTHINESS CERTIFICATION y http://www.airweb.faa.gov/Regulatory_and_Guidance_Library/rgWebco mponents.nsf/HomeFrame?OpenFrameSet MIT ICAT Description of the FAA Avionics Certification Process This Diagram illustrates the TC or STC approval process. Idea for New Avionics Product is Born Product is Evaluated for Marketability and Certifiability Company Makes Decision to Proceed with Development This is the appropriate time to initiate certification project Close consultation with FAA engineering personnel is essential throughout design process to avoid new requirements late in process FAA witnesses many of the systems tests for certification FAA witnesses all of the flight and ground tests conducted on aircraft for certification FAA engineering personnel are sometimes consulted at this step Preliminary Design Completed Detailed Design Completed System Testing Completed Installation in Aircraft and Certification Testing Completed FAA ACO Issues Certificate and System is Ready for Operational Approval Certification Plan is Prepared and Submitted to the ACO for Review and Approval. Plan will Address the System Safety Assessment and the Software Aspects of Certification Testing Plans and System Safety Assessment Prepared and Submitted to the ACO for Review and Approval Flight Test Plan and Balance of Design approval Documents Submitted to ACO for Review and Approval MIT ICAT y Advisory Circular AC 25.1309-1A System Design and Analysis y Fail Safe y Fail Operational y Preliminary Hazard Analysis y Functional Hazard Assessment y Depth of Analysis Flowchart Complex System MIT ICAT Probability vs. Consequences Catastrophic Accident Adverse Effect On Occupants Airplane Damage Emergency Procedures Abnormal Procedures Nuisance Normal Probable Improbable Extremely Improbable MIT ICAT Probability (per unit of exposure) Descriptive Probabilities FAR 1 JAR Frequent 10E-3 Probable Reasonably Probable 10E-5 10E-7 Improbable Remote Extremely Remote 10E-9 Extremely Improbable Extremely Improbable What is the correct unit of exposure : Flight hour, Departure, Failure MIT ICAT y Preliminary Hazard Analysis y Fault Tree Analysis y Safety Analysis Top Down Search - Presumes Hazards Known System Definition Fault Tree Construction Qualitative Analysis Quantitative Analysis Event Tree Analysis Bottom Up “Forward” Search - Identifies possible outcomes y Failure Modes and Effects Analysis Probabilistic “Forward” Search Requires Failure Probability Estimates Requires Assumed Failures from PHA or Historical Data “Target Level of Safety” MIT ICAT A reduced event tree for a loss of coolant accident. 1 Pipe Break Event Tree Example From : Leveson 2 Electric Power 3 ECCS 4 Fission Product Removal 5 Containment Integrity Succeeds Succeeds 1-P4 Succeeds 1-P3 Fails P4 Available 1-P2 Initiating Event Fails P3 P1 Fails P2 Succeeds 1-P4 Fails P4 P1 Fails P5 P1 x P5 Succeeds 1-P5 P1 x P4 Fails P5 P1 x P4 x P5 P1 x P3 P1 x P3 x P4 P1 x P2 Adapted from: Leveson, Nancy. Safeware: System Safety and Computers. Addison-Wesley, 1995. MIT ICAT A fault tree and event tree comparison. Explosion Relief valve 1 Fault Tree and Event Tree Examples From : Leveson Relief valve 2 Opens Pressure too high Pressure decreases Opens Fails Fails Pressure decreases Pressure too high Relief valve 1 does not open Explosion Valve failure Pressure monitor failure Computer output too late Relief valve 2 does not open Valve failure Computer does not open valve 1 Computer does not issue command to open valve 1 Operator inattentive Operator does not know to open value 2 Value 1 position indicator falls on Open indicator light falls on Adapted from: Leveson, Nancy. Safeware: System Safety and Computers. Addison-Wesley, 1995. MIT Failure Modes and Effects Analysis ICAT FMEA for a system of two amplifiers in parallel. A Failure probability Critical Failure mode % Failure by mode A 1 x 10-3 Open Short Other 90 5 5 B 1 x 10-3 Open Short Other 90 5 5 B Effects Critical Noncritical 5 x 10-5 5 x 10-5 5 x 10-5 x x 5 x 10-5 Adapted from: Leveson, Nancy. Safeware: System Safety and Computers. Addison-Wesley, 1995. MIT ICAT Reliability Architectures y Analysis Values often of Questionable Integrity y Drives Failure Mitigation Approaches y Avoid Single String Failure Cannot guarantee 10E-9 y Redundancy Dual Redundant for Passive Failures e.g. Wing Spar Triple Redundancy for Active Systems 777 Fly By Wire Ð Sensors Ð Processors Ð Actuators Ð Data Bus A320 Reliability Architecture by Comparison MIT ICAT Fly-by-wire -- A330/A340 PRIM SEC PRIM SEC PRIM • Flight Control computers are dual channel – one for control and one for monitoring • Each processor has a different vendor for hardware & software – software for each processor coded in a different language MIT FBW - A330/A340 flight control architecture ICAT Computer / hydraulic actuator arrangement Grnd spoilers, speedbrake Roll control surfaces Grnd spoilers, speedbrake Roll control surfaces Spoilers Ailerons S1 P1 P2 S2 P3 P3 P3 S1 P1 P2 S1 S2 Spoilers P3 P3 S2 P2 P1 S1 P1 P2 S2 P3 S1 S2 P1 P2 P3 1 2 3 Slats S1 S2 Rudder TLU Ailerons Flaps * Trim Wheels Yaw damper P1 S1 P3 S2 * Rudder pedals THS Elevator Trim S1 S2 P2 P1 S2 S1 Elevator P1 P2 S1 S2 MIT ICAT Additional Issues y Conventional vs. New Technologies/Configurations y Problem with Software and Complex Systems y Emergent Behavior y Air-Ground Coupling Issues MIT ICAT FAA 8040.4 Safety Analysis Process Plan ID Hazards Analysis Risk Assessment Decision MIT ICAT Operational Reliability y MTBF Mean Time Between Failure y MTBUR Mean Time Between Unscheduled Replacement y Dispatch Reliability Conditional Airworthiness Minimum Equipment List y Relates to Life Cycle Costs MIT ICAT Maintenance y Scheduled Maintenance Periodic (e.g. Annual) On Time (Time Between Overhaul) (TBO) Progressive (Inspection Based e.g. Cracks) Conditional (Monitoring Based e.g. Engines - ACARS) Heavy Maintenance Checks y Unscheduled “Squawks” = Reported Anomalies Logbook Entries (ACARS) Line Replacement Units (LRU) Airworthiness Directives, Service Difficulty Reports y Parts Inventory Parts Tracking Commonality Glass Cockpits F16 Tail MIT ICAT What are the Key Technologies for Formation Flight y Communications y Navigation y Surveillance y Control (Station Keeping) Intent States String Stability y Vehicle Configuration Aero/Performance Control y Propulsion y Degree of Autonomy y Flight Criticality Hardware Software y Low Observability y Others? MIT ICAT Generic Avionic System Antenna Sensor Interface Unit Black Box Power Display MFD Hardware Software Input Device Databus Antenna Datalink Flight Data Recorder Cooling MIT ICAT Avionics Components y Black Box (LRU) y Power (440 AC or 28V DC) y Cooling y Databus (AIRINC 429, 629, IEEE486,…) Databus Interface y Antenna and or Sensors y Display Head MFD Dedicated Display MIT ICAT y Barometric Altitude y Airspeed y Mach Number y Vertical Speed y Total Air Temperature (TAT) y Static Air Temperature (SAT) y Angle of Attack (α) y Angle of Sideslip (β) Air Data MIT ICAT 10 Roll Scale 10 0.6 Wind Vector 12 AI Reference Symbol 35 01 00 Airspeed Ground Speed Pitch Scale -220 218 GS -10 Flight Path Acceleration 1450 B -700 VS -10 Flight Path Vector Speed Error Tape HEAD-UP DISPLAY Horizon and Heading Scale Barometric Altitude Vertical Speed
