Functional safety consideration on LAMPS, an EU funded low cost inverter project
January 2016
This presentation does not contain any export controlled technical data

Electronics motor control center (EMCC) PRODUCTS
• A380 Electric Flight Controls
• A350 Thrust Reverser (TRAS)
• Electric Landing Gear
• A350 Flying Test Bed
UTC Aerospace Systems Proprietary – This presentation does not contain any export controlled technical data

Aircraft application determines mitigation strategies for functional safety
(Image sources: sinodefenceforum.com, www.globalpilotlife.com)
• A10: basic stick and rudder aircraft, some damage. Operation: hostile environment, requires triple redundancy
• A350: highly computerized aircraft, no damage. Operation: many flight hours in friendly skies, requires multi stream redundancy

LAMPS, AN AIRCRAFT COMPONENT: LIGHTWEIGHT AFFORDABLE MOTOR & POWER SYSTEM
• Justification: more electric aircraft, cost / weight reduction
• Output: about 5 kW, 15000 rpm
• Applications: primary and secondary control surfaces. Needs to be able to hold torque at 0 motor speed unless aerodynamically trimmed or the actuator mechanism takes over
• Reliability goals: MTBF 60 E+3 h, 135000 flight hours, 21500 flights, 25 years service
• Weight: approx 15 kg

UTAS FUNCTIONAL SAFETY IMPLEMENTATION
Safety is driven by requirements, as performance is, e.g. failure rates, failure modes, failure states
Government agencies FAA and JAA give direction through FAR, JAR and advisory materials
Reliability and safety are related but independent areas of concern
Safety requirements exist on aircraft systems and equipment, down to component level
The equipment in itself might be considered a hazard depending on its implementation and will be reviewed
Functional requirements can be negotiated; safety can't
GOVERNING STANDARDS
• ARP 4754 Guidelines for Development of Civil Aircraft and Systems, written by the SAE
• ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
• DO178 software considerations
• DO254 Design Guidance for Electronic Hardware
• DO297 Integrated Modular Avionics
• UTAS-PRO-1510 is standard work created from the work above. It is centrally held but can be tailored to business unit demands
• MDS-04-03: documents required to substantiate adherence to standards, and Functional Safety Impact Analysis

FUNCTIONAL SAFETY, AN INTEGRATED PROCESS
The safety process described by ARP 4754 is implemented through the following means
• Integrated Product Development (IPD) team for design AND manufacturing
• Adherence to procedure, enforced by the program manager
• Verified requirements
  - Meeting contractual requirements: performance, cost, schedule
  - Safety goals: component safety level
• Creation of a Safety & Reliability Program Plan (SRPP) by the Project Safety Reliability Engineer (PSE)
• Prevention of requirements creep: changes in performance can influence safety and need to be assessed
• Control of the hardware life cycle and version control

UTAS IMPLEMENTATION
Development process according to UTAS-PRO-1510
Functional Safety requirements are entered as part of the requirements gathering process

FUNCTIONAL SAFETY INTEGRATED PROCESS: PRODUCT CREATION
Development Assurance Level according to DO254A
• Five Development Assurance Levels exist, DAL-A to DAL-E
• The level determines the likely impact on the outcome of a flight: A: Catastrophic, B: Hazardous / Severe, C: Major, D: Minor, E: No effect
• The assigned level for a component determines the allowable failure rate
• Special analysis considerations are applied, in particular for DAL-A and B systems
  - Safety Specific Analysis
  - Functional Failure Path Analysis (FFP)
  - Mathematical formal methods
• Mitigation strategy, e.g.
  - Flight control system DAL-A: 1.0 E-9 /hour
  - Entertainment system DAL-E: n/a, still the hazard of that system is evaluated

FUNCTIONAL SAFETY IMPACT ANALYSIS: PRODUCT CREATION
Once system level safety is analysed, a required DAL level is assigned to a component
• System safety plan defines the roles, requirements and actions
• Functional Hazard Assessment (FHA) records the effects on safety by loss or degradation of a function or equipment
• System Safety Assessment (SSA) summarises the safety activities to meet safety requirements or failure conditions from the FHA. Different mathematical tools exist to depict and assess failures
• Functional Failure Path Analysis (FFPA) determines the design assurance strategy
These feed into the functional hazard assessment and the safety verification plan

SAFETY VERIFICATION PLAN AND EXECUTION
Different recommended efforts for DAL levels

Development assurance level                A&B               C    D    E
Verification Matrix                        R                 R    A    N
Verification Plan                          R                 R    A    N
Verification Procedures                    R                 R    A    N
Verification Summary                       R                 R    A    N
ASA / SSA                                  R                 R    A    N
Inspection, Review, Analysis or testing    R (at least one)  R    A    N
Test unintended function                   R                 A    A    N
Service Experience                         A                 A    A    A

Note: R - Recommended for certification, A - As negotiated, N - Not required
Aircraft Safety Assessment (ASA), System Safety Assessment (SSA)
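The slides state that the assigned DAL fixes the allowable failure rate (DAL-A: 1.0 E-9 /hour), give LAMPS an MTBF goal of 60 E+3 h, and name triple or multi-stream redundancy as the mitigation. The following Python is an added worked example, not part of the presentation, that puts those figures together: it assumes an exponential failure model, independent channel failures (no common cause) and a chosen exposure interval between the checks that would reveal a latent channel failure.

```python
import math

# Figures quoted on the slides: LAMPS reliability goal MTBF 60 E+3 h and the
# DAL-A mitigation example of 1.0E-9 failures per flight hour.
LAMPS_MTBF_HOURS = 60e3
DAL_A_TARGET_PER_HOUR = 1.0e-9


def failure_rate(mtbf_hours):
    """Constant failure rate (per hour) implied by an MTBF (exponential model, assumed)."""
    return 1.0 / mtbf_hours


def channel_failure_prob(rate, exposure_hours):
    """Probability that one channel fails within the exposure interval, i.e. the
    time between checks that would reveal a latent failure (assumption)."""
    return 1.0 - math.exp(-rate * exposure_hours)


def k_of_n_loss_prob(p, n, k):
    """Probability that at least k of n independent channels fail, which is loss
    of function for an architecture that tolerates only k-1 failures.
    Binomial tail; independence (no common-cause failure) is an assumption."""
    return sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def assess(n_channels, failures_to_lose_function, exposure_hours, mtbf_hours=LAMPS_MTBF_HOURS):
    """Return (average loss-of-function probability per flight hour, meets DAL-A target)."""
    p = channel_failure_prob(failure_rate(mtbf_hours), exposure_hours)
    p_loss = k_of_n_loss_prob(p, n_channels, failures_to_lose_function)
    rate = p_loss / exposure_hours
    return rate, rate <= DAL_A_TARGET_PER_HOUR


if __name__ == "__main__":
    # (n, k): single channel, dual (both must fail), triple redundancy with 2oo3 voting
    layouts = {"single channel": (1, 1), "dual": (2, 2), "triple 2oo3": (3, 2)}
    for label, (n, k) in layouts.items():
        for exposure in (1.0, 10.0):
            rate, ok = assess(n, k, exposure)
            print(f"{label:15s} exposure {exposure:4.0f} h: {rate:.2e}/h  DAL-A {'met' if ok else 'NOT met'}")
```

A single LAMPS channel at the stated MTBF sits about four orders of magnitude above the DAL-A figure, and the redundant layouts only reach it when the exposure interval is short; stretching it to a 10 h flight with no intermediate check puts them back above the target, which is why latent-failure detection intervals belong in the safety case alongside the channel count.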
SAFETY OF FLIGHT ANALYSIS
(Image sources: Gietzold, www.globalpilotlife.com)
Once verification of the component has proven that it meets the safety requirements, the equipment will be put into service on a test platform to perform a first flight
Requirements for safety and redundancy on that platform will be met
Bespoke hardware will go on designated aircraft of future service
In an ideal world all contractual performance requirements will be met as well; however, a larger freedom exists on performance, and a second spin on hardware or software might be required
Upon successful completion, about 2 years of customer testing will pass with closed loop in the Failure Reporting And Corrective Action System

FUNCTIONAL SAFETY IMPACT ON MEA
Description
• System principles have not changed
• Assumption: same maturity as mechanical systems
• Little experience in primary electrical systems, more in backup systems
• Large propulsion systems still in the beginning, e.g. Solar Eclipse 2

CONCLUSION
The goal for electrical systems is to reach and exceed the same high level of reliability and safety as mechanical systems
No call backs
24/7 aircraft availability
Thank You