Appendix C. Safety Analysis Electrical System. C.1 Electrical System Architecture. C.2 Fault Tree Analysis


Appendix C Safety Analysis Electrical System

Civil Avionics Systems, Second Edition. Ian Moir, Allan Seabridge and Malcolm Jukes. 2013 John Wiley & Sons, Ltd. Published 2013 by John Wiley & Sons, Ltd.

This example analyses the total loss of aircraft electrical AC power on board an aircraft. The quantitative safety objective established by FAR/JAR 25.1309, and as amplified in ARP 4754, is that this event could be catastrophic and that its probability of occurrence shall be less than $1 \times 10^{-9}$ per flight hour (that is, it shall not occur more frequently than once per 1000 million flight hours). The ability of a system design to meet this requirement is established by a fault tree analysis (FTA) that uses the following probability techniques.

C.1 Electrical System Architecture

In this example it is assumed:
- that the aircraft has two independent but identical electrical power generation channels, the main components of which are the generator and the Generator Control Unit (GCU), which governs voltage regulation and system protection;
- that the aircraft has an independent emergency system such as a ram air turbine (RAT);
- that the failure rates of these components can be established and agreed, either from in-service component reliability data or from a sound engineering rationale, giving figures acceptable to the certification authorities.

The concept of this three-lane architecture is portrayed in simplified form in Figure C.1.

Figure C.1 Simplified electrical power system (figure not reproduced): Channel 1 comprises Generator 1, Generator Control Unit 1 and Main Bus 1; the Emergency channel comprises the ram air turbine and the Emergency Bus; Channel 2 comprises Generator 2, Generator Control Unit 2 and Main Bus 2.

C.2 Fault Tree Analysis

The fault tree analysis, very much simplified for this example, is shown in Figure C.2. The mean time between failures (MTBF) of a generator is 2000 hours; this means that the failure rate of Generator 1 is 1/2000, or $5.0 \times 10^{-4}$ per flight hour. Similarly, if the MTBF of the generator controller GCU 1 is 5000 hours, then the failure rate of GCU 1 is 1/5000, or $2.0 \times 10^{-4}$ per flight hour.

Figure C.2 Simplified FTA, AC power loss (figure not reproduced; all failure rate probabilities are per flight hour):
Total Loss of AC Power ($4.9 \times 10^{-10}$) = AND of:
    Loss of Primary AC Power ($4.9 \times 10^{-7}$) = AND of:
        Loss of Channel 1 AC ($7.0 \times 10^{-4}$) = OR of Loss of Gen 1 ($5.0 \times 10^{-4}$), Loss of GCU 1 ($2.0 \times 10^{-4}$)
        Loss of Channel 2 AC ($7.0 \times 10^{-4}$) = OR of Loss of Gen 2 ($5.0 \times 10^{-4}$), Loss of GCU 2 ($2.0 \times 10^{-4}$)
    Failure of Emergency AC ($1.0 \times 10^{-3}$)

The combined failure rate gives the probability of loss of electrical power to Main Bus 1. This is calculated by summing the failure rates of generator and controller, as either failing will cause the loss of Main Bus 1:

$$5.0 \times 10^{-4} \ \text{(Generator 1)} + 2.0 \times 10^{-4} \ \text{(GCU 1)} = 7 \times 10^{-4} \ \text{per flight hour (Main Bus 1)}$$

Similarly, assuming generator channels 1 and 2 are identical, the failure rate of Main Bus 2 is given by:

$$5.0 \times 10^{-4} \ \text{(Generator 2)} + 2.0 \times 10^{-4} \ \text{(GCU 2)} = 7 \times 10^{-4} \ \text{per flight hour (Main Bus 2)}$$

(Note that at this stage the experienced aircraft systems designer would be considering the effect of a common cause or common mode failure.)

The probability of two independent channels failing (assuming no common cause failure) is derived by multiplying the respective failure rates. Therefore the probability of both Main Buses failing is:

$$7 \times 10^{-4} \ \text{(Main Bus 1)} \times 7 \times 10^{-4} \ \text{(Main Bus 2)} = 49 \times 10^{-8} = 4.9 \times 10^{-7} \ \text{per flight hour}$$

Therefore the two independent electrical power channels alone will not meet the requirement of better than $1 \times 10^{-9}$ per flight hour. Assuming the addition of the ram air turbine (RAT) emergency channel shown in the figure, with an MTBF of 1000 hours, or a failure rate of $1 \times 10^{-3}$ per flight hour, the probability of total loss of electrical power becomes:

$$4.9 \times 10^{-7} \ \text{(Main Buses)} \times 1 \times 10^{-3} \ \text{(RAT failure)} = 4.9 \times 10^{-10} \ \text{per flight hour}$$

which meets the requirement.

This very simple example is illustrative of fault tree analysis, which is one of the techniques used during the PSSA and SSA processes. However, even this simple example outlines some of the issues and interactions that need to be considered. Real systems are very much more complex, with many more system variables and interlinks between a number of aircraft systems.
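The calculation above, carried through in code as an added example (this is not code from the book): it evaluates the OR and AND gates of Figure C.2 from the MTBFs given, checks the result against the $1 \times 10^{-9}$ objective, and adds a beta-factor common-cause term to show numerically what the parenthetical note about common cause means. The beta value is an assumption for illustration; the text gives none.

```python
"""Numerical evaluation of the Figure C.2 fault tree (added worked example)."""

# Component MTBFs from the text, in flight hours.
GENERATOR_MTBF = 2000.0
GCU_MTBF = 5000.0
RAT_MTBF = 1000.0

# FAR/JAR 25.1309 objective for a catastrophic event, per flight hour.
CATASTROPHIC_TARGET = 1e-9


def failure_rate(mtbf_hours: float) -> float:
    """Constant failure rate per flight hour from an MTBF (exponential model)."""
    return 1.0 / mtbf_hours


def or_gate(*rates: float) -> float:
    """OR gate: any input failing fails the output, so the rates add.
    This is the rare-event approximation the text uses; it is accurate
    while every input rate is much smaller than one per hour."""
    return sum(rates)


def and_gate(*rates: float) -> float:
    """AND gate: all inputs must fail. For independent inputs the rates
    multiply. As in the text, per-flight-hour rates are multiplied
    directly, which implicitly takes a one-hour exposure for each input."""
    result = 1.0
    for rate in rates:
        result *= rate
    return result


def electrical_fault_tree(beta: float = 0.0) -> dict:
    """Evaluate Figure C.2 bottom-up and return every intermediate event.

    beta is an ASSUMED beta-factor: the fraction of the single-channel
    failure rate that takes both main buses down through one common cause.
    beta = 0.0 reproduces the text's independent-channel calculation.
    """
    gen = failure_rate(GENERATOR_MTBF)
    gcu = failure_rate(GCU_MTBF)
    channel = or_gate(gen, gcu)                        # Loss of Channel 1 (or 2) AC
    independent = and_gate(channel, channel)           # both channels, independently
    common_cause = beta * channel                      # both channels, one cause
    primary = or_gate(independent, common_cause)       # Loss of Primary AC Power
    total = and_gate(primary, failure_rate(RAT_MTBF))  # Total Loss of AC Power
    return {
        "generator": gen,
        "gcu": gcu,
        "channel": channel,
        "primary_ac": primary,
        "total_ac": total,
        "meets_target": total < CATASTROPHIC_TARGET,
    }


if __name__ == "__main__":
    for beta in (0.0, 0.01):
        r = electrical_fault_tree(beta)
        print(f"beta={beta}: channel={r['channel']:.1e}, primary={r['primary_ac']:.1e}, "
              f"total={r['total_ac']:.1e}, meets 1e-9 target: {r['meets_target']}")
```

With beta = 0 the function returns the text's figures. With an assumed beta of 1%, the common-cause term ($7 \times 10^{-6}$) swamps the independent product ($4.9 \times 10^{-7}$) and the total loss rate rises to about $7.5 \times 10^{-9}$, missing the objective even with the RAT; that is why the note about common cause has to be settled at the channel level, before the AND gate is credited. Multiplying per-hour rates at an AND gate is itself a one-hour-exposure approximation: a failure that can remain latent between checks must be weighted by its exposure time, which only makes the independent product larger.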

Appendix D Safety Analysis Engine Control System

The example chosen uses a Markov analysis to evaluate the likelihood of an engine in-flight shut down (IFSD), which would be a typical analysis necessary to determine the reliability of an engine prior to seeking Extended Twin Operations (ETOPS) clearance for a twin-engine aircraft.

D.1 Factors Resulting in an In-Flight Shut Down

Figure D.1 illustrates three main failure types, any of which could contribute to IFSD:
- a mechanical failure;
- an instrumentation failure that causes the crew to shut an engine down as a precautionary measure because they are unsure about engine health;
- a failure within the control portion of the engine that resides in the full authority digital engine control (FADEC) unit.

The first two items may be readily calculated using historical data gained from the experience of operating similar engine types. The FADEC is more difficult to assess, as multiple failure states are possible and a detailed state analysis is required.

Figure D.1 Factors resulting in IFSD (figure not reproduced): Engine Mechanical Failure OR Engine Instrumentation Failure OR FADEC Failure leads to In-Flight Engine Shutdown.

D.2 Engine Control System Architecture

A simple example will be used to illustrate the Markov analysis technique. In this case the dual-channel FADEC example outlined in Figure D.2 is used. This simplified architecture is typical of many dual-channel FADECs using a command:monitor (COM:MON) implementation. There are two independent lanes: Lane A and Lane B. The FADEC undertakes the task of metering the flow of fuel to the engine, thereby controlling engine thrust. It also controls other valves on the engine related to bleed air and cooling, and monitors key engine variables such as shaft speed, pressure ratio and engine temperatures. Each lane comprises Command and Monitor elements that are interconnected for cross-monitoring purposes and which undertake the control and monitoring functions outlined above. The analysis required to decide upon the impact of certain failures in conjunction with others utilises a Markov model in order to understand the dependencies.

Figure D.2 Simplified FADEC architecture (figure not reproduced): the inputs (throttle, engine speed, temperatures, fuel flow) feed Lane A (Command Channel Ca and Monitor Channel Ma, linked by a cross-channel monitor) and Lane B (Command Channel Cb and Monitor Channel Mb, likewise linked); the outputs are fuel metering, bleed valves, cooling valves and indications.

Figure D.3 Simple FADEC Markov model (figure not reproduced): 16 states arranged in columns Fully Serviceable (state 1), First Failure (states 2 to 5), Second Failure (states 6 to 11), Third Failure (states 12 to 15) and Fourth Failure (state 16); a dashed box labelled Engine Uncontrollable encloses states 7 to 10, 12 to 15 and 16. Legend: Ca represents a serviceable command channel, $\overline{\mathrm{Ca}}$ represents a failed command channel, etc.

D.3 Markov Analysis

Figure D.3 depicts a simple Markov model of this architecture. By using this model, the effects of interrelated failures can be examined. The model has a total of 16 states, as shown by the number in the bottom right-hand corner of the appropriate box. Each box relates to the serviceability state of the Lane A Command (Ca) and Monitor (Ma) channels and the Lane B Command (Cb) and Monitor (Mb) channels. These range from the fully serviceable state in box 1 through a series of failure conditions to the totally failed state in box 16. Clearly most normal operating conditions are going to be in the left-hand region of the model. Also represented on the diagram are the first, second, third and fourth failure areas.

Concentrating on the left-hand side of the model, it can be seen that the fully serviceable state in box 1 can migrate to any one of six states:
- Failure of Command channel A (Ca) results in state 2 being reached.
- Failure of Monitor channel A (Ma) results in state 3 being reached.
- Failure of Command channel B (Cb) results in state 4 being reached.
- Failure of Monitor channel B (Mb) results in state 5 being reached.
These failures are represented by solid arrows, and each represents a single failure transition.
- Failure of the cross-monitor between Command A and Monitor A results in both functions being lost simultaneously and state 6 being reached.
- Failure of the cross-monitor between Command B and Monitor B results in both functions being lost simultaneously and state 11 being reached.
These failures are represented by dashed arrows. The failure of a cross-monitor represents a skip of two failures across the diagram and therefore has more effect than a direct single command or monitor channel failure.

All of the failure states described above result in an engine that may still be controlled by the FADEC. However, further failures beyond this point may result in an engine that is not controllable, either because both command channels are inoperative or because the remaining good command and monitor elements are in opposite lanes.

The model shown above is constructed according to the following rule: an engine may be dispatched as a get-you-home measure provided that only one monitor channel has failed. This means that states 3 and 5 are dispatchable, but not states 2, 4, 6 or 11, since subsequent failures could result in engine shut-down.

By knowing the failure rates of the command channels, monitor channels and cross-monitors, quantitative values may be inserted into the model and probabilities assigned to the various states. By summing the probabilities so calculated, numerical values may be derived.

Simplified Example (all failure rates per flight hour)
- Probability of engine mechanical failure = $1 \times 10^{-6}$ per flight hour.
- Probability of instrumentation failure leading to engine shut-down = $2 \times 10^{-6}$ per flight hour.
- The probability of shut-down due to failures within the FADEC is more complex and needs a Markov analysis.

If it is assumed that the failure rate of a command channel (Ca or Cb) is $8.3 \times 10^{-5}$ per flight hour (MTBF of 12,000 hours), that the failure rate of a monitor channel (Ma or Mb) is $5.6 \times 10^{-5}$ per flight hour (MTBF of 18,000 hours), and that the failure rate of a cross-monitor (Ca.Ma or Cb.Mb) is $1.4 \times 10^{-5}$ per flight hour, then the probability of each of the 16 logic states shown in the diagram may be calculated. If it is further assumed that for the engine to remain controllable a functional command:monitor pair must be available, then the probability of the engine having to be shut down due to FADEC failures may be calculated by summing all of the relevant logic states shown in the dashed box on the diagram: states 7 to 10, states 12 to 15 and state 16. For the figures given above this probability is $4.7 \times 10^{-8}$ per flight hour.

The summation of these three factors yields a total probability of engine shut-down of approximately $3.05 \times 10^{-6}$ per flight hour ($1 \times 10^{-6} + 2 \times 10^{-6} + 4.7 \times 10^{-8}$), and the contribution of FADEC failures to engine shut-down is in fact very small (about 1.5%). This is despite the fact that the FADEC is not hugely reliable: the channel failure rates assumed above equate to an overall FADEC MTBF of about 3600 hours (the four command and monitor channels taken in series, before the cross-monitors are counted); it is the redundancy inherent in the architecture that leads to its availability. The fact that the second and subsequent failures that cause shut-down are relatively unlikely events is also important to consider.
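The model of Figure D.3 with the figures of the simplified example, implemented as an added example (this is not code from the book). It enumerates the 16 states, builds the transition-rate matrix from the three failure rates, integrates the state probabilities over one flight hour and evaluates the rate of entering the dashed-box states; with the rates given this comes to $4.7 \times 10^{-8}$ per flight hour, the value in the text, and the summation with the mechanical and instrumentation contributions follows. Two modelling choices the text does not state are assumptions, marked in the code: there is no in-flight repair, and a cross-monitor failure is allowed from a lane that already has one channel failed (the figure only draws those dashed arrows from the fully serviceable state).

```python
"""Markov model of the dual-lane COM:MON FADEC of Figures D.2 and D.3 (added example).

A state is a 4-tuple (Ca, Ma, Cb, Mb) of booleans, True = serviceable;
(True, True, True, True) is state 1 of Figure D.3.
ASSUMPTIONS not in the text: no in-flight repair, and a cross-monitor failure
takes both channels of its lane down from any state where one is still up.
"""
import math
from itertools import product

LAMBDA_C = 8.3e-5   # command channel, per flight hour (MTBF 12,000 h)
LAMBDA_M = 5.6e-5   # monitor channel, per flight hour (MTBF 18,000 h)
LAMBDA_X = 1.4e-5   # cross-monitor, per flight hour

STATES = list(product([True, False], repeat=4))   # 16 states
INDEX = {s: i for i, s in enumerate(STATES)}
LANES = {"A": (0, 1), "B": (2, 3)}                # (command, monitor) positions


def lane_ok(state, lane):
    """A lane is usable only while it has a functional command:monitor pair."""
    c, m = LANES[lane]
    return state[c] and state[m]


def controllable(state):
    return lane_ok(state, "A") or lane_ok(state, "B")


def dispatchable_degraded(state):
    """Get-you-home rule from the text: exactly one failure, and it is a
    monitor channel (states 3 and 5 of Figure D.3)."""
    failed = [i for i, ok in enumerate(state) if not ok]
    return len(failed) == 1 and failed[0] in (1, 3)


def _with_failed(state, *positions):
    s = list(state)
    for p in positions:
        s[p] = False
    return tuple(s)


def build_generator():
    """Rate matrix Q: Q[i][j] is the rate from state i to state j; the diagonal
    holds minus the total outgoing rate so every row sums to zero."""
    n = len(STATES)
    q = [[0.0] * n for _ in range(n)]
    for s in STATES:
        i = INDEX[s]
        moves = []
        for c, m in LANES.values():
            if s[c]:
                moves.append((_with_failed(s, c), LAMBDA_C))
            if s[m]:
                moves.append((_with_failed(s, m), LAMBDA_M))
            if s[c] or s[m]:   # assumed: cross-monitor may fail from a half-failed lane
                moves.append((_with_failed(s, c, m), LAMBDA_X))
        for target, rate in moves:
            q[i][INDEX[target]] += rate
            q[i][i] -= rate
    return q


def state_probabilities(t_hours, steps=200):
    """Integrate dP/dt = P Q from the fully serviceable state with RK4."""
    q, n = build_generator(), len(STATES)
    p = [0.0] * n
    p[INDEX[(True, True, True, True)]] = 1.0
    h = t_hours / steps

    def deriv(v):
        return [sum(v[i] * q[i][j] for i in range(n)) for j in range(n)]

    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv([p[i] + 0.5 * h * k1[i] for i in range(n)])
        k3 = deriv([p[i] + 0.5 * h * k2[i] for i in range(n)])
        k4 = deriv([p[i] + h * k3[i] for i in range(n)])
        p = [p[i] + h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(n)]
    return p


def fadec_shutdown_rate(t_hours=1.0):
    """Rate (per flight hour) of entering the dashed-box (uncontrollable) set at
    time t: each controllable state's probability times its total rate into
    uncontrollable states. At t = 1 h this gives about 4.7e-8, as in the text."""
    q, p = build_generator(), state_probabilities(t_hours)
    rate = 0.0
    for s in STATES:
        if controllable(s):
            i = INDEX[s]
            rate += p[i] * sum(q[i][j] for j, tgt in enumerate(STATES)
                               if j != i and not controllable(tgt))
    return rate


def closed_form_shutdown_rate(t_hours=1.0):
    """Cross-check: the lanes fail independently, each at lam = C + M + X, so
    P(both down) = (1 - exp(-lam t))^2 and its time derivative is the entry rate."""
    lam = LAMBDA_C + LAMBDA_M + LAMBDA_X
    return 2.0 * lam * (1.0 - math.exp(-lam * t_hours)) * math.exp(-lam * t_hours)


def ifsd_rate(mechanical=1e-6, instrumentation=2e-6):
    """Figure D.1 OR gate: total IFSD rate and the FADEC share of it."""
    fadec = fadec_shutdown_rate()
    total = mechanical + instrumentation + fadec
    return total, fadec / total


def fadec_channel_mtbf():
    """The four command and monitor channels in series: about 3600 h, the figure
    quoted in the text (adding the two cross-monitors gives about 3270 h)."""
    return 1.0 / (2 * LAMBDA_C + 2 * LAMBDA_M)


if __name__ == "__main__":
    total, share = ifsd_rate()
    print(f"FADEC shutdown rate at 1 h: {fadec_shutdown_rate():.2e} per flight hour")
    print(f"total IFSD rate: {total:.2e} per flight hour, FADEC share {share:.1%}")
    print("uncontrollable states:", sum(not controllable(s) for s in STATES))
```

The figure the text quotes is best read as a rate: the chance, per flight hour, of the engine becoming uncontrollable having survived to that point. The cumulative probability of sitting in the dashed box after one hour, $(1 - e^{-\lambda})^2$ with $\lambda$ the per-lane rate, is about half of it ($2.3 \times 10^{-8}$), so it matters which of the two a certification argument actually quotes; the closed-form function makes the distinction explicit and also serves as a check that the matrix was built correctly.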