Certification and Avionics
Prof. R. John Hansman
MIT International Center for Air Transportation (MIT ICAT)

Safety
- Safety Targets/Standards
  - Civil Air Carrier: FAR Part 25, FAR Part 121 (JAR)
  - Civil General Aviation: FAR Part 23, FAR Part 91
  - Military: Mil Spec
- Safety Components
  - Vehicle Airworthiness
  - Training and Operating Procedures
  - Maintenance
  - Culture
  - Quality Management Processes
  - Incident Reporting
  - Accident Investigation
  - Liability
- Design Philosophy
  - Fail Safe
  - Fail Operational

[Seven image slides follow; images not reproduced. Courtesy of Boeing Corporation. Used with permission.]

Certification
- Civil
  - Certificate of Airworthiness (i.e. Certification)
    - Guarantee to the public that the aircraft is airworthy to some standard
  - Operational Approval
    - Operating Certificate: Equipment, Procedures, Training
- Military
  - Procurement
- Space
  - Man Rated

Certification
- Aircraft Certificate of Airworthiness
  - Standard Type Certificate (STC)
  - Categories: Air Carrier, Normal, Utility, Experimental, Rotorcraft, LTA, Others

Certification
- Component Certificate of Airworthiness
  - Engines
  - Propellers
  - Parts
  - Instruments
- Component (Parts & Instruments) Standards
  - Technical Service Order (TSO)
  - Minimum Operational Performance Specification (MOPS)
- Software Standards
  - RTCA DO-178B
- Continued Airworthiness
  - Inspections
  - Maintenance

Certification
- Airline Operating Certificate - Part 121
  - Procedures
  - Training
  - Airports
  - Aircraft
  - Management

Federal Aviation Regulations
- Part 1 - DEFINITIONS AND ABBREVIATIONS
- Part 11 - GENERAL RULEMAKING PROCEDURES
- Part 21 - CERTIFICATION PROCEDURES FOR PRODUCTS AND PARTS
- Part 23 - AIRWORTHINESS STANDARDS: NORMAL, UTILITY, ACROBATIC, AND COMMUTER CATEGORY AIRPLANES
- Part 25 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES
- Part 27 - AIRWORTHINESS STANDARDS: NORMAL CATEGORY ROTORCRAFT
- Part 29 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY ROTORCRAFT
- Part 31 - AIRWORTHINESS STANDARDS: MANNED FREE BALLOONS
- Part 33 - AIRWORTHINESS STANDARDS: AIRCRAFT ENGINES
- Part 34 - FUEL VENTING AND EXHAUST EMISSION REQUIREMENTS FOR TURBINE ENGINE POWERED AIRPLANES
- Part 35 - AIRWORTHINESS STANDARDS: PROPELLERS
- Part 36 - NOISE STANDARDS: AIRCRAFT TYPE AND AIRWORTHINESS CERTIFICATION
- http://www.airweb.faa.gov/Regulatory_and_Guidance_Library/rgWebcomponents.nsf/HomeFrame?OpenFrameSet

Description of the FAA Avionics Certification Process
This diagram illustrates the TC or STC approval process. The flowchart steps, in order:
1. Idea for New Avionics Product is Born
2. Product is Evaluated for Marketability and Certifiability (FAA engineering personnel are sometimes consulted at this step)
3. Company Makes Decision to Proceed with Development
4. Preliminary Design Completed (this is the appropriate time to initiate the certification project)
5. Certification Plan is Prepared and Submitted to the ACO for Review and Approval
6. Detailed Design Completed
7. System Testing Completed (FAA witnesses many of the systems tests for certification)
8. Installation in Aircraft and Certification Testing Completed (FAA witnesses all of the flight and ground tests conducted on aircraft for certification)
9. FAA ACO Issues Certificate and System is Ready for Operational Approval
Close consultation with FAA engineering personnel is essential throughout the design process to avoid new requirements late in the process.
Documents submitted to the ACO during the process (continued from the diagram):
- The Certification Plan will address the System Safety Assessment and the Software Aspects of Certification
- Testing Plans and System Safety Assessment prepared and submitted to the ACO for review and approval
- Flight Test Plan and balance of design approval documents submitted to the ACO for review and approval

Advisory Circular AC 25.1309-1A
- System Design and Analysis
  - Fail Safe
  - Fail Operational
  - Preliminary Hazard Analysis
  - Functional Hazard Assessment
  - Depth of Analysis Flowchart: Complex System

Probability vs. Consequences
[Matrix slide. Probability axis: Probable, Improbable, Extremely Improbable. Consequence axis: Normal, Nuisance, Abnormal Procedures, Emergency Procedures, Airplane Damage, Adverse Effect on Occupants, Catastrophic Accident.]

Descriptive Probabilities

Probability (per unit of exposure)   FAR                    JAR
1 to 10E-3                           Probable               Frequent
10E-3 to 10E-5                       Probable               Reasonably Probable
10E-5 to 10E-7                       Improbable             Remote
10E-7 to 10E-9                       Improbable             Extremely Remote
below 10E-9                          Extremely Improbable   Extremely Improbable

What is the correct unit of exposure: flight hour, departure, failure?

Safety Analysis
- Preliminary Hazard Analysis
- Fault Tree Analysis
  - Top Down Search - presumes hazards known
  - System Definition
  - Fault Tree Construction
  - Qualitative Analysis
  - Quantitative Analysis
- Event Tree Analysis
  - Bottom Up "Forward" Search - identifies possible outcomes
- Failure Modes and Effects Analysis
  - Probabilistic "Forward" Search
  - Requires Failure Probability Estimates
  - Requires Assumed Failures from PHA or Historical Data
  - "Target Level of Safety"

Event Tree Example (from Leveson)
A reduced event tree for a loss of coolant accident. Adapted from: Leveson, Nancy. Safeware: System Safety and Computers. Addison-Wesley, 1995.
[Figure: reduced event tree. Initiating event: 1 Pipe Break (P1). Systems queried in order, each succeeding or failing: 2 Electric Power (P2), 3 ECCS (P3), 4 Fission Product Removal (P4), 5 Containment Integrity (P5). Success branches are labelled 1-P2, 1-P3, 1-P4, 1-P5; the end-state probabilities shown keep only the failure terms: P1, P1 x P5, P1 x P4, P1 x P4 x P5, P1 x P3, P1 x P3 x P4, P1 x P2.]

Fault Tree and Event Tree Examples (from Leveson)
[Figure: a fault tree and event tree comparison for a pressure relief system with two relief valves. Labels, grouped by branch:]
Fault tree, top event "Explosion":
- Pressure too high
- Relief valve 1 does not open
  - Valve failure
  - Pressure monitor failure
  - Computer does not open valve 1
    - Computer output too late
    - Computer does not issue command to open valve 1
- Relief valve 2 does not open
  - Valve failure
  - Operator does not know to open valve 2
    - Operator inattentive
    - Valve 1 position indicator fails on
    - Open indicator light fails on
Event tree, initiating event "Pressure too high":
- Relief valve 1 opens: pressure decreases
- Relief valve 1 fails, relief valve 2 opens: pressure decreases
- Relief valve 1 fails, relief valve 2 fails: explosion
Adapted from: Leveson, Nancy. Safeware: System Safety and Computers. Addison-Wesley, 1995.

Failure Modes and Effects Analysis
FMEA for a system of two amplifiers in parallel (an open circuit in one amplifier is masked by the other path, so only the short and other modes are critical):

Component   Failure probability   Failure mode   % failures by mode   Effect: critical   Effect: noncritical
A           1 x 10^-3             Open           90                   -                  x
                                  Short          5                    5 x 10^-5          -
                                  Other          5                    5 x 10^-5          -
B           1 x 10^-3             Open           90                   -                  x
                                  Short          5                    5 x 10^-5          -
                                  Other          5                    5 x 10^-5          -

Adapted from: Leveson, Nancy. Safeware: System Safety and Computers. Addison-Wesley, 1995.

Reliability Architectures
- Analysis values are often of questionable integrity
- Drives failure mitigation approaches
- Avoid single-string failure
  - Cannot guarantee 10E-9 with a single string
- Redundancy
  - Dual redundant for passive failures (e.g. wing spar)
  - Triple redundancy for active systems
    - 777 Fly By Wire: sensors, processors, actuators, data bus
  - A320 reliability architecture by comparison

Fly-by-wire -- A330/A340
- Three PRIM (primary) and two SEC (secondary) flight control computers
- Flight control computers are dual channel: one channel for control and one for monitoring
- Each processor has a different vendor for hardware and software; the software for each processor is coded in a different language

[Figure: FBW A330/A340 flight control architecture, computer/hydraulic actuator arrangement. Shows the assignment of the three PRIM computers (P1, P2, P3) and two SEC computers (S1, S2) to the control surfaces and systems: ailerons, spoilers and roll control surfaces, ground spoilers/speedbrake, elevators, THS (trimmable horizontal stabilizer), rudder (with TLU), yaw damper, trim, trim wheels, pedals, slats, flaps. * marks the rudder/trim-wheel mechanical paths.]

Additional Issues
- Conventional vs. new technologies/configurations
- Problem with software and complex systems
- Emergent behavior
- Air-ground coupling issues

FAA 8040.4 Safety Analysis Process
Plan -> Identify Hazards -> Analysis -> Risk Assessment -> Decision

Operational Reliability
- MTBF: Mean Time Between Failure
- MTBUR: Mean Time Between Unscheduled Replacement
- Dispatch Reliability
  - Conditional Airworthiness
  - Minimum Equipment List
- Relates to life cycle costs

Maintenance
- Scheduled Maintenance
  - Periodic (e.g. annual)
  - On Time: Time Between Overhaul (TBO)
  - Progressive (inspection based, e.g. cracks)
  - Conditional (monitoring based, e.g. engines via ACARS)
  - Heavy Maintenance Checks
- Unscheduled
  - "Squawks" = reported anomalies
  - Logbook entries (ACARS)
  - Line Replaceable Units (LRU)
  - Airworthiness Directives, Service Difficulty Reports
- Parts Inventory
  - Parts tracking
  - Commonality (e.g. glass cockpits, F16 tail)

What are the Key Technologies for Formation Flight?
- Communications
- Navigation
- Surveillance
- Control (station keeping)
  - Intent states
  - String stability
- Vehicle Configuration
  - Aero/performance
  - Control
- Propulsion
- Degree of Autonomy
- Flight Criticality
  - Hardware
  - Software
- Low Observability
- Others?
Generic Avionic System
[Block diagram. Elements: Black Box (containing Software and Hardware), Antenna, Sensor, Databus, Flight Data Recorder, Input Device, Display (MFD), Interface Unit, Datalink Antenna, Power, Cooling.]

Avionics Components
- Black Box (LRU)
- Power (440 AC or 28V DC)
- Cooling
- Databus (ARINC 429, 629, IEEE486, ...)
  - Databus interface
- Antenna and/or sensors
- Display Head
  - MFD
  - Dedicated display

Air Data
- Barometric Altitude
- Airspeed
- Mach Number
- Vertical Speed
- Total Air Temperature (TAT)
- Static Air Temperature (SAT)
- Angle of Attack (α)
- Angle of Sideslip (β)

Head-Up Display
[Figure: HUD symbology with labelled elements: Roll Scale, Pitch Scale, Horizon and Heading Scale, Flight Path Vector, Flight Path Acceleration, Speed Error Tape, Wind Vector, Reference Symbol, Airspeed, Ground Speed, Barometric Altitude, Vertical Speed. Example readouts shown: Mach 0.6, VS -700, GS 218, altitude 1450.]