Managing Complex Airplane System Failures Through A Structured .


NASA/TM—2018–219774

Managing Complex Airplane System Failures through a Structured Assessment of Airplane Capabilities

Randall J. Mumaw, San Jose State University Foundation
Michael Feary, NASA Ames Research Center
Lars Fucke, Diehl Aerospace
Michael Stewart, San Jose State University Foundation
Randy Ritprasert, San Jose State University Foundation
Alex Popovici, San Jose State University Foundation
Rohit Deshmukh, San Jose State University Foundation

March 2018


National Aeronautics and Space Administration
Ames Research Center
Moffett Field, California

Acknowledgments

This work has benefitted significantly from discussions with Jelmer Reitsma of Boeing, who was pursuing similar interests. We also want to thank a group of U.S. airline pilots who provided some early inputs on airplane capabilities. In addition, Captain Rob Koteskey of United Airlines provided valuable early reviews and advice on the prototype displays. Finally, we’d like to acknowledge valuable reviewer inputs from Loukia Loukopoulou and Mary Connors.

Trade name and trademarks are used in this report for identification only. Their usage does not constitute an official endorsement, either expressed or implied, by the National Aeronautics and Space Administration.

Available from:
NASA STI Program
STI Support Services
Mail Stop 148
NASA Langley Research Center
Hampton, VA 23681-2199

This report is also available in electronic form at http://www.sti.nasa.gov or http://ntrs.nasa.gov/

Table of Contents

List of Figures
Acronyms and Definitions
Executive Summary
1. Introduction
2. Managing System Failures: From Failures to Operational Decisions
3. Current Schemes for Managing Non-Normals
3.1 Boeing 787
3.2 Airbus A380
3.3 Embraer ERJ 170/190 (First Generation Primus Epic)
3.4 Bombardier C-series
3.5 Gulfstream G500
3.6 General Characteristics of the Current Systems
4. Technology Changes and New Challenges
5. Derivation of Airplane Capabilities
5.1 Airplane System Functions
5.2 Abstraction Hierarchy
5.3 Function Framework
6. Example Display Concepts for Supporting Assessment and Decision Making
6.1 Mission Compatibility
6.2 Airplane Capabilities
6.3 Maneuver Envelope
6.4 Operational Limitations by Phase of Flight
6.5 Mission Risks
6.6 Support for Diversion Decisions
6.7 Display Integration
6.8 Remaining Design Decisions
7. Case Studies and Initial Prototype Interface
7.1 Case 1: A Single, Simple Failure that has Implications for Approach and Landing
7.2 Case 2: An AC Bus Failure that Affects a Number of Airplane Systems
7.3 Case 3: The Qantas 32 (A380) Uncontained Engine Failure
7.4 Case 4: The American Airlines Standby Bus Failure and Delayed Consequences
8. Next Steps
9. Summary and Conclusions
References

List of Figures

Figure 1. Managing airplane system failures
Figure 2. Managing airplane system failures (detail 1)
Figure 3. Managing airplane system failures (detail 2)
Figure 4. Boeing 787 displays
Figure 5. Airbus ECAM displays
Figure 6. Airbus STATUS displays
Figure 7. Gulfstream displays (from a G500)
Figure 8. Compatible with; not compatible with arrival; loss of options
Figure 9. Maneuver envelope changes
Figure 10. Operational limitations by phase of flight (example 1)
Figure 11. Operational limitations by phase of flight (example 2)

Acronyms and Definitions

AAL: American Airlines
AC bus: alternating current bus
AFM: Airplane Flight Manual
AH: abstraction hierarchy
APU: auxiliary power unit
ATC: air traffic control
CAS: crew alerting system or central alerting system
CPCS: cabin pressurization system
DSP: Display Select Panel
DST: decision support tool
ECAM: electronic centralized aircraft monitor
ECL: electronic checklist
ECS: environmental control system
EICAS: engine-indications and crew-alerting system
ETOPS: extended-range twin-engine operation performance standards
EWD: ECAM warning display
FMC: flight management computer
ft: feet
GPS: global positioning system
IFR: instrument flight rules
ILS: instrument landing system
inop: inoperable
KBFI: Boeing Field (Seattle)
KOKC: Oklahoma City airport
kts: knots
LDG PERF: landing performance
LNAV: lateral navigation
LOC: localizer
LRC: long-range cruise
MALSR: medium intensity approach lighting system plus runway alignment indicator lights
MEL: minimum equipment list
MFD: multi-function display
NASA: National Aeronautics and Space Administration
NNC: non-normal checklist
NOTAM: notice to airmen
OEB: Operations Engineering Bulletin
OEM: original equipment manufacturer
OIS: Onboard Information System
ORD: Chicago O’Hare Airport
QRH: quick reference handbook
RAT: ram air turbine
RNAV: area navigation
RVR: runway visual range
RVSM: reduced vertical separation minima
SD: Systems Display
TCAS: traffic collision avoidance system
VNAV: vertical navigation
Vref: reference touchdown speed

Randall J. Mumaw [1], Michael Feary [2], Lars Fucke [3], Michael Stewart, Randy Ritprasert, Alex Popovici, Rohit Deshmukh

[1] San Jose State University Foundation; NASA Ames Research Center, Moffett Field, California.
[2] NASA Ames Research Center, Moffett Field, California.
[3] Diehl Aerospace; Hamburg, Germany.

Executive Summary

This report describes an analysis of current transport aircraft system-management displays and the initial development of a set of display concepts for providing information about aircraft system status. The new display concepts are motivated by a shift away from the current approach to aircraft system alerting that reports the status of physical components, and towards displaying the implications for mission capability. Specifically, the proposed display concepts describe transport airplane component failures in terms of operational consequences of aircraft system degradations. The research activity described in this report is an effort to examine the utility of different representations of complex systems and operating environments to support real-time decision making during off-nominal situations. A specific focus is to develop display concepts that provide more highly integrated information to allow pilots to more easily reason about the operational consequences of the off-nominal situations. The work can also serve as a foundational element to autonomy-supported decision making since we are developing ideas for integrating information from the airplane and the operational environment to support decision making.

1. Introduction

Throughout the history of aviation, the approach to managing airplane system failures has been tied to sensing and reporting on failures of physical airplane components (e.g., an electrical bus). This approach requires the flight crew, with the aid of procedures, to sort out how the airplane is affected in terms of continued safe flight and landing. This can be a complex task for flight crews in modern jet transports and, in a number of cases, flight crews have managed it poorly (e.g., AAL 268, September 2008; https://www.ntsb.gov/_layouts/ntsb.aviation/brief2.aspx?ev_id=20081007X03940&ntsbno=CHI08IA292&akey=1). This issue is taking on increasing importance because recently developed transport airplanes have more complex and interconnected systems that significantly increase the difficulty of anticipating how component failures will affect system operations. While more intensive pilot training could reduce the impact of the increasing complexity of systems, it is highly unlikely that airplane systems training will be increased sufficiently to support pilots in reasoning through airplane system failures.

We describe a new approach that attempts to translate physical system components directly into airplane “capabilities,” which is the set of airplane functions required for operations. Ideally, these capabilities—when combined with other information that can be taken from the operational environment (e.g., current weather)—can present information to the flight crew that is closely aligned with the necessary operational decisions.

This report documents the work we have done to date on identifying airplane capabilities and designing display concepts that present these capabilities to the flight crew in a way that conveys airplane state and helps them make operational decisions. The report begins with a description of flight crew activities and decisions that are part of managing a non-normal event tied to airplane system failures. Section 3 describes the flight deck displays in the most-advanced commercial jet transport airplanes to show how airplane system failures are being addressed now. Section 4 describes how changes in airplane system architectures have made managing airplane system non-normals more difficult and that the existing solutions may have limitations. Section 5 describes the process we used for defining airplane capabilities, which moves away from traditional descriptions of physical airplane component states and toward functional descriptions. In Section 6, we describe the results of our work on defining new display concepts and their contents. A number of display concepts are presented with a description of how they could be coordinated for managing non-normal events. Section 7 presents a set of prototype displays that are linked to two fictional cases and two actual cases (the Qantas 32 accident and an American Airlines incident). In the last sections we identify potential next steps to further this work and present a summary of our conclusions.

2. Managing System Failures: From Failures to Operational Decisions

Airplane systems are responsible for supporting the full range of functions in a jet transport aircraft; examples are navigation, communication, pressurization, moving flight control surfaces, and stopping after landing. While airplane systems are generally highly reliable, they can fail or be damaged during a flight, and when this occurs, the flight crew needs to manage those failures for continued safe flight and landing. The flight crew activities tied to managing these failures are generally the following three steps:

Step 1: Manage the immediate threats to the flight. The sub-goals are to identify the immediate threats, take action to remove them or manage them, and achieve a safe, stable, and flyable airplane. The following immediate threats, at minimum, should be considered:
– fire
– airplane depressurization
– engine failure
– damaged or non-functioning flight control surfaces
– ground proximity
– potential for traffic or obstacle collision
– windshear conditions
– take-off configuration
– stall (or approaching a stall)
– overspeed
– unusual attitude
– autopilot disconnect

These immediate threats are typically alerted at the Time-Critical Warning level to indicate the highest level of urgency. It is critical to have a safe, stable, and flyable airplane, under control, before any further activities should be pursued.

Step 2: Contain system failures and restore system functions. Airplane system failures are annunciated through an alerting system, typically through a set of short alerting system messages. Examples of these messages are PACK L, HYD PRESS C, or ELEC AC BUS. These messages typically indicate a failure or non-normal state has been sensed in some airplane system component. Many, but not all, messages are also a link to a non-normal checklist (NNC) that contains actions for the flight crew to take in response to the failure. These actions are designed to do some or all of the following:
– Contain the system failure. For example, to close fuel system valves when there is a known leak from a fuel tank. By reconfiguring the fuel system, a pilot may be able to prevent further fuel loss.
– Restore system functions. For example, to engage a new source of power when one source of power was lost, such as starting the auxiliary power unit (APU) or ram air turbine (RAT) when electrical power was lost from another source. Ideally, by reconfiguring airplane systems, it becomes possible to restore lost or degraded functions. However, it may not be possible to restore everything.
– Mitigate system failures. For example, to change airplane or airplane systems operation to accommodate a failure, such as descending to a lower altitude when it is no longer possible to pressurize the airplane adequately to support operations at a high altitude.

The NNCs are designed to try to achieve these three objectives. However, these actions are “packaged” in NNCs that are tied to each failure, and when there are multiple airplane system component failures (and multiple messages), the flight crew must determine which NNC to apply, and in what order NNCs will be performed. In some cases, the flight crew will understand the nature of the failure and that will aid them in setting priorities for performing NNCs.

Note that in the more-detailed view of this task (Figure 2), there is also a need to determine very early—prior to systems management—whether an emergency landing is needed.

Step 3: Revise mission as needed. Another consideration in responding to airplane system failures is changes to the operational limitations of the airplane. The airplane system failures may lead to, for example, limitations in airspeed, flap settings, or the need to manually deploy the landing gear.

When failures are more significant, there may be a need to revise the mission; that is, it may not be possible to safely fly to the planned destination. The flight crew needs to determine if there is a need to revise the mission, and if so, in what way. Further, this assessment can be on-going as there may be changes to weather or, perhaps, continued degradation of airplane systems, such as a fuel leak.

These three types of activities are captured in Figure 1 at a high level. On the left are the three steps for managing immediate threats. When that objective has been met, it is possible to move to the two performance cycles, one for each of the other two activities.

Figure 1. Managing airplane system failures.

For the middle performance cycle, the flight crew can, ideally, assess the situation to determine if it makes sense to continue on with the mission, if the airplane systems would benefit from further actions, and what limitations there are for continued flight. (Note that the items with the colored “splat” under them [e.g., “for mission”] are items that are addressed by the work described here.) Figure 2 provides a more detailed view of these.

Figure 2. Managing airplane system failures (detail 1).

For the right-hand cycle, the flight crew has done all they can with actions on airplane systems, and they are now more focused on the mission. Assessment continues for determining if the mission can still be supported and additional limitations for continued flight. This assessment serves to revise the mission, if needed. These revisions can be minor (a change to the approach) or major (a diversion to a different airport). Figure 3 provides a more detailed description of this activity.

Figure 3. Managing airplane system failures (detail 2).

In the next section, we look at existing jet transport airplanes to see how well they support these activities.

3. Current Schemes for Managing Non-Normals

We looked at recently-produced flight decks from each of the major airplane manufacturers (OEMs) to identify the following in terms of how the interface supports managing non-normals:
– What interface displays are used?
– Are non-normal (alert) messages reduced or consolidated in an attempt to identify issues more central to the failure?
– How are messages prioritized?
– Can the flight crew easily see the full set of alert messages?
– Can the flight crew select any NNC they think is most important?
– Does the system generate any information about operational consequences?
– How are changes to operational limitations or consequences presented to the flight crew?

3.1 Boeing 787

What interface displays are used?
– The EICAS (engine indications and crew alerting system) is used to display non-normal (alert) messages (see Figure 4; specifically, the display just to the right of the narrow NAV display).
– The ECL (electronic checklist) display. This is where the non-normal checklists are displayed and executed. When there is a non-normal message that has an associated checklist, and the pilot presses the CHKL button on the Display Select Panel, the checklist is automatically presented on a multi-function display (MFD). If multiple EICAS alerts are displayed with associated checklists, when the CHKL button is pressed, a queue of checklists is presented for the pilot to choose among.
– Synoptic displays. These displays, which provide a schematic of the airplane system, can be selected onto one of the MFDs. There is no requirement to use a synoptic when performing a non-normal checklist.

Figure 4. Boeing 787 displays.

Are non-normal (alert) messages reduced or consolidated in an attempt to identify issues more central to the failure?
EICAS messages are not eliminated or reduced, but there can be reductions in the messages that have an NNC associated with them. For example, the NNC called ELEC GEN DRIVE L1 contains the command, “Do not perform ELEC GEN OFF checklist.” Thus, the ELEC GEN OFF NNC is removed from the ECL queue when ELEC GEN DRIVE L1 message is active. The ELEC GEN OFF message will remain in the EICAS queue but the square icon, which indicates an NNC exists, will be removed.

How are messages prioritized?
Alert messages are assigned one of the following levels:
– Warning: The highest level of failure indicating a condition that requires immediate flight crew awareness and action. This failure indication is color-coded red and has an associated continuous aural warning (Master Warning) that can be cancelled manually.
– Caution: This failure indication defines a condition that requires immediate flight crew awareness, but may not require immediate action. It is color-coded amber with a single occurrence aural warning (Master Caution).
– Advisory: This failure indication is also color-coded amber but is indented to the right from the Caution-level messages; there is no associated aural alert. An advisory-level message requires awareness and may require flight crew action.

These levels drive prioritization such that, in the EICAS queue, all warnings are presented above cautions, and cautions are presented above advisory messages. As EICAS messages occur (i.e., are added to the queue), they are presented with the most recent at the top of the queue but only within each alerting category.

Can the flight crew easily see the full set of alert messages?
Yes, all messages can be viewed. If there are more than 12 EICAS messages, they are put on a second page and it requires paging down to see them.

Can the flight crew select any message (NNC) they think is most important?
Yes, the flight crew can select any NNC from the ECL queue (or select an ECL not in the queue). When an EICAS message is displayed, a white square (a checklist icon) appears next to it if there is an associated checklist to be accomplished. When the pilot presses the CHKL button on the Display Select Panel (DSP), the checklist is automatically presented on an MFD. If multiple EICAS alerts are displayed with checklists for accomplishment, when the CHKL button is pressed, a list of checklists (the NNC queue) is presented for the pilot to choose among. These are presented in the order of the EICAS messages.

Does the system generate any information about operational consequences?
Yes. Within each NNC there are “operational notes” which (generally) identify on-going consequences of the failure or changes to the operational limitations for the airplane.

How are changes to operational limitations or consequences presented to the flight crew?
There is a section called NOTES and all operational notes from each active NNC are collected and can be displayed at any time. There is a NOTES softkey on the ECL display.

3.2 Airbus A380

What interface displays are used?
There is a central display called the ECAM Warning Display (EWD) (top display in Figure 5), which is the lower half of the engine indications display. The EWD provides an area for showing ECAM (electronic centralized aircraft monitoring) messages and the associated NNC steps. On the EWD, 18 lines are available for the display of ECAM messages (or steps of the associated checklist).

A downward green arrow appears at the bottom of the EWD display to indicate the presence of ECAM messages of a lower priority when more alerts and checklist items exist than can be displayed (i.e., more than 18 lines worth of information). As displayed items are accomplished and their associated alerts cleared, the lines below scroll up on the display.

Below the EWD is a Systems Display (SD) (lower display in Figure 5). System synoptics are automatically displayed in the SD, which show the status of the malfunctioning system and the effect the crew actions are having on it as checklist steps are accomplished. Although a system synoptic is displayed automatically when an alert for a specific system is displayed, the pilots can also manually select a synoptic to be displayed.
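The Boeing 787 EICAS ordering, paging and checklist-suppression rules from Section 3.1, modelled in Python as an added example (not code from the report or from any avionics system). The alert levels given to the sample messages, the `seq` arrival counter, the "SAMPLE WARNING" message and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Display order of the three alert levels named in Section 3.1 (highest first).
LEVEL_RANK = {"warning": 0, "caution": 1, "advisory": 2}
PAGE_SIZE = 12  # more than 12 EICAS messages spill onto a second page

# Suppression stated in the text: the ELEC GEN DRIVE L1 checklist says
# "Do not perform ELEC GEN OFF checklist."
SUPPRESSED_BY = {"ELEC GEN DRIVE L1": {"ELEC GEN OFF"}}


@dataclass(frozen=True)
class Alert:
    name: str
    level: str            # "warning", "caution" or "advisory"
    seq: int              # arrival counter, larger = more recent (assumption)
    has_nnc: bool = True  # whether a non-normal checklist is linked


def eicas_queue(alerts):
    """Warnings above cautions above advisories; newest first within a level."""
    return sorted(alerts, key=lambda a: (LEVEL_RANK[a.level], -a.seq))


def eicas_pages(alerts, size=PAGE_SIZE):
    """Split the ordered queue into display pages of at most `size` messages."""
    queue = eicas_queue(alerts)
    return [queue[i:i + size] for i in range(0, len(queue), size)]


def checklist_icons(alerts):
    """Message name -> True if the checklist icon is shown next to it."""
    active = {a.name for a in alerts}
    hidden = set()
    for name in active:
        hidden |= SUPPRESSED_BY.get(name, set())
    return {a.name: a.has_nnc and a.name not in hidden for a in alerts}


def ecl_queue(alerts):
    """Checklists offered on CHKL press, in the order of the EICAS messages."""
    icons = checklist_icons(alerts)
    return [a.name for a in eicas_queue(alerts) if icons[a.name]]


# Constructed sample: message names come from the report, but the levels and
# arrival order are invented here and are not actual 787 assignments.
SAMPLE_ALERTS = [
    Alert("PACK L", "advisory", 1),
    Alert("ELEC GEN OFF", "caution", 2),
    Alert("SAMPLE WARNING", "warning", 3),
    Alert("ELEC GEN DRIVE L1", "caution", 4),
    Alert("HYD PRESS C", "caution", 5),
]

if __name__ == "__main__":
    icons = checklist_icons(SAMPLE_ALERTS)
    for alert in eicas_queue(SAMPLE_ALERTS):
        marker = "[]" if icons[alert.name] else "  "
        print(f"{marker} {alert.level:<8} {alert.name}")
    print("ECL queue:", ecl_queue(SAMPLE_ALERTS))
```

The suppressed message stays visible in the EICAS queue and only loses its checklist icon, which is why the model keeps the message list and the checklist queue as separate views of the same alerts.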

Figure 5. Airbus ECAM displays.

Are non-normal (alert) messages reduced or consolidated in an attempt to identify issues more central to the failure?
Yes, alert messages that would be generated from actions in another NNC will be inhibited. For example, when an ELEC GEN failure occurs, the ELEC GEN FAULT alert message will be displayed on the EWD. And, the associated ELEC GEN FAULT NNC will be displayed just below the alert message. That particular NNC requests that the Generator be turned to OFF. In this case, because that was an action from the NNC, the EWD will inhibit the ELEC GEN OFF message from the EWD. Normally, if the Generator were OFF, there would be an alert message on the EWD.

How are messages prioritized?
When airplane system failures occur, they generate a message at one of the following levels:
Level 3: The highest level of
