Safety, Reliability, Certification, Maintenance

MITICATSafety, Reliability, Certification,MaintenanceProf. R. John HansmanMIT International Center for Air Transportation

MITICAT

MITICATU.S. Military Accident Rates#4.0Accident Rate3.0MarineCorps2.0NavyAir Force1.001992Army1994199619982000#Class A accidents per 100,000 flight hours.Figure by MIT OCW. Adapted from: AviationWeek 10/02.2002

MITICAT

MITICAT

MITICAT

MITICAT

MITICAT

MITICAT

MITICATSafetyy Safety Targets/Standards Civil Air Carrier Civil General Aviation MilitaryFAR Part 25FAR Part 23Mil Specy Safety ComponentsVehicle AirworthinessTraining and Operating ProceduresMaintenanceCulture Quality Management Processes Incident Reporting Accident Investigation Liability y Design Philosophy Fail Safe Fail OperationalFAR Part 121FAR Part 91

MITICATCertificationy Civil Certificate of Airworthiness (i.e. Certification) Guarantee to the public that the aircraft is airworthy to somestandard Operational Approval Operating CertificateÐEquipmentÐProceduresÐTrainingy Military Procurementy Space Man Rated

MITICATCertificationy Aircraft Certificate of Airworthiness Standard Type Certificate (STC) Categories Air Carrier Normal Utility Experimental Rotorcraft LTA Others

MITICATCertificationy Component Certificate of Airworthiness Engines Propellers Parts Instrumentsy Component (Parts & Instruments) Standards Technical Service Order (TSO) Minimum Operational Performance Specification (MOPS)y Software Standards RTCA DO-178By Continued Airworthiness Inspections Maintenance

MITICATFederal Aviation RegulationsyPart 1 - DEFINITIONS AND ABBREVIATIONSyPart 11 - GENERAL RULEMAKING PROCEDURESyPart 21 - CERTIFICATION PROCEDURES FOR PRODUCTS AND PARTSyPart 23 - AIRWORTHINESS STANDARDS: NORMAL, UTILITY, ACROBATIC, ANDCOMMUTER CATEGORY AIRPLANESyPart 25 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANESyPart 27 - AIRWORTHINESS STANDARDS: NORMAL CATEGORY ROTORCRAFTyPart 29 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY ROTORCRAFTyPart 31 - AIRWORTHINESS STANDARDS: MANNED FREE BALLOONSyPart 33 - AIRWORTHINESS STANDARDS: AIRCRAFT ENGINESyPart 34 - FUEL VENTING AND EXHAUST EMISSION REQUIREMENTS FOR TURBINE ENGINEPOWERED AIRPLANESyPart 35 - AIRWORTHINESS STANDARDS: PROPELLERSyPart 36 - NOISE STANDARDS: AIRCRAFT TYPE AND AIRWORTHINESS CERTIFICATIONy http://www.faa.gov/regulations policies/

MITICATIdea for new avionics product is bornProduct is evaluated for marketability& certifiabilityCompany makes decision to proceedwith developmentThis is the appropriate time to initiatecertification projectClose consultation with FAAengineering personnel is essentialthroughout design process to avoidnew requirements late in processFAA witnesses many of the systemstests for certificationFAA witnesses all of the flight andground tests conducted on an aircraftfor certificationFAA engineering personnelare sometimes consulted at this stepPreliminary design completedCertification plan is prepared & submittedto the ACO for review & approval. Planwill address the system safety assessment& the software aspects of certificationDetailed design completedTesting plans & system safety assessmentprepared & submitted to the ACO forreview & approvalSystem testing completedFlight test plan & balance of designapproval documents submitted to ACO forreview & approvalInstallation in aircraft & certificationtesting completedFAA ACO issues certificate & systemis ready for operational approvalFigure by MIT OCW.TC or STCApproval Process

MITICATSafety Analysisy Advisory Circular AC 25.1309-1A System Design and Analysisy Fail Safey Fail Operationaly Preliminary Hazard Analysisy Functional Hazard Assessmenty Depth of Analysis Flowchart Complex System

MITICATProbability vs. ConsequencesGraphCatastrophicAccidentAdverse ExtremelyImprobable

MITICATProbability(per unit of exposure)Descriptive yProbable10E-510E-7ImprobableRemoteExtremely hat is the correct unit of exposure : Flight hour, Departure, Failure

MITICATSafety Analysisy Preliminary Hazard Analysisy Fault Tree Analysis Top Down Search - Presumes Hazards KnownSystem DefinitionFault Tree ConstructionQualitative AnalysisQuantitative Analysisy Event Tree Analysis Bottom Up “Forward” Search - Identifies possible outcomesy Failure Modes and Effects Analysis Probabilistic “Forward” SearchRequires Failure Probability EstimatesRequires Assumed Failures from PHA or Historical Data“Target Level of Safety”

MITICATA Reduced Event Tree for A Loss of Coolant Accident123Pipe BreakElectric PowerECCS4FissionProduct RemovalEvent Tree ExampleFrom : atingEventSucceedsFailsP3P1FailsP2Figure by MIT OCW.1-P4FailsP41-P5FailsP5P1P1 x P5P1 x P4P1 x P4 x P5P1 x P3P1 x P3 x P4P1 x P2

MITICATFault Tree and Event Tree ExamplesFrom : LevesonRelief Valve 1OpensPressuretoo highExplosionRelief Valve 2Pressure decreasesOpensFailsFailsPressure decreasesPressuretoo highRelief valve 1does not openRelief valve 2does not orfailureComputeroutputtoo lateComputer does notopen valve 1Operator does not knowto open value 2Computerdoes notissue commandto openvalve 1Value 1 positionindicator fallsonA Fault Tree and EventTree ComparisonFigure by MIT OCW.OperatorinattentiveOpen indicatorlight falls on

MITFailure Modes and Effects AnalysisICATF M E A F O R A S Y S T E M O F T W O A M P L I F I E R S I N PA R A L L E LCriticalABABFailure probability Failure mode1 x 10-31 x 10-3Failures bymode (%)Open90Short5Other5Open90Short5Other5Figure by MIT OCW. Adapted from: Leveson.EffectsCritical5 x 10-5Noncriticalx5 x 10-55 x 10-55 x 10-5x

MITICATReliability Architecturesy Analysis Values often of Questionable IntegrityyDrives Failure Mitigation Approachesy Avoid Single String Failure Cannot guarantee 10E-9y Redundancy Dual Redundant for Passive Failures e.g. Wing Spar Triple Redundancy for Active Systems 777 Fly By WireÐ SensorsÐ ProcessorsÐ ActuatorsÐ Data Bus A320 Reliability Architecture by Comparison

MITICATB777 Avionics Architecture

MITICATFly-by-wire -- A330/A340PRIMSECPRIMSECPRIM Flight Control computers are dual channel– one for control and one for monitoring Each processor has a different vendor for hardware & software– software for each processor coded in a different language

MITFBW- A330/A340 flight control architectureICAT Computer / hydraulic actuator arrangementGrnd spoilers, speedbrakeRoll control surfacesGrnd spoilers, speedbrakeRoll control surfacesSpoilersAileronsS1 P1 P2 S2 P3 P3P3 S1 P1 P2S1 S2SpoilersP3 P3 S2 P2 P1 S1P1 P2 S2 P3S1 S2P1 P2 P31 2 3SlatsS1 S2 RudderTLUFlaps* Trim WheelsYaw damperP1 S1P3 S2* RudderpedalsAileronsTHSElevatorTrimS1S2P2 P1S2 S1ElevatorP1 P2S1 S2

MITICATAdditional Issuesy Conventional vs. New Technologies/Configurationsy Problem with Software and Complex Systemsy Emergent Behaviory Air-Ground Coupling Issues

MITICATFAA 8040.4 Safety AnalysisProcessPlanID HazardsAnalysisRiskAssessmentDecision

MITICATOperational Reliabilityy MTBF Mean Time Between Failurey MTBUR Mean Time Between Unscheduled Replacementy Dispatch Reliability Conditional Airworthiness Minimum Equipment Listy Relates to Life Cycle Costs

MITICATMaintenancey Scheduled Maintenance Periodic (e.g. Annual) On Time (Time Between Overhaul) (TBO) Progressive (Inspection Based e.g. Cracks) Conditional (Monitoring Based e.g. Engines - ACARS) Heavy Maintenance Checksy Unscheduled “Squawks” Reported Anomalies Logbook Entries (ACARS) Line Replacement Units (LRU) Parts Inventory F16 Tail Glass Cockpits

MITICATLogbook EntriesyPilot: Test flight OK, except autoland very rough.yMechanic: Autoland not installed on this aircraft.yPilot: No. 2 propeller seeping prop fluid.yMechanic: No. 2 propeller seepage normal. Nos. 1, 3 and 4 propellers lack normal seepage.yPilot: Something loose in cockpit.yMechanic: Something tightened in cockpit.yPilot: Autopilot in altitude-hold mode produces a 200-fpm descent.yMechanic: Cannot reproduce problem on ground.yPilot: DME volume unbelievably loud.yMechanic: DME volume set to more believable level.yPilot: Friction locks cause throttle levers to stick.yMechanic: That's what they're there for!yPilot: IFF inoperative.yMechanic: IFF always inoperative in OFF mode.yPilot: Suspected crack in windscreen.yMechanic: Suspect you're right.yPilot: Number 3 engine missing.yMechanic: Engine found on right wing after brief search.yPilot: Aircraft handles funny.yMechanic: Aircraft warned to straighten up, fly right, and be serious.

MITICATTypical Check CyclesyRamp-check before every flightyA-check is done every 350-650 hours and includes more detailed checkof electronics and systems as well as a cabin/haul checkyB-check is done every 5 month (1000 hours) and is basically anextended A-check.yC-check is a detailed inspection of the aircraft’s structure as well assystems carried out every 8-18 month according to cycles/flying timeetc.yIL-check is made every 48 month and include detailed inspection andservice of structure, wings etc. as well as very extensive tests andservice carried out on electronics, hydraulics etc. Recommendedimprovements are also done.yD-check is almost a total dismantle and rebuilding of the aircraft.Almost every part is checked. D-check is made every 72 month.

MITICATAirworthiness Directivesy Airworthiness Directives Based on identified hazards Time to compliancey Service Bulletins

MITICATy Fuelingy Loading Payload Storesy Servicing Food Water Oxygen Oil Hydraulics Airy Cleaningy ArmingServicing

MITICATTransition training / CCQ100%25 days9 days8 days8 days3 daysFull 320A330toA3401 dayA340toA330

mit icaticat federal aviation regulations y part 1 - definitions and abbreviations y part 11 - general rulemaking procedures y part 21 - certification procedures for products and parts y part 23 - airworthiness standards: normal, utility, acrobatic, and commuter category airplanes y part 25 - airworthiness standards: transport category airplanes y part 27 - airworthiness standards: normal .