Pegasus The Future in Personal Travel – Safety by Design


Pegasus Personal Air Vehicle
The Future in Personal Travel
The Pegasus Personal Air Vehicle – Safety by Design
AE6362
Summer 2002
Introduction
Pegasus PAV Safety By Design Team
– Mike Olmstead: Team Leader, Hardware
– Evan Brown: FTA, Software
– Blake Stringer: PRISM, Hardware
– Yongchang Li: Markov Analysis, Software
– James Masters: Markov Analysis, Human Reliability
– Jeff Johnson: Dependence Diagrams, Human Reliability

Agenda
• Process Overview
• System Description
• New Technologies
• Functional Hazard Assessment
• Preliminary System Safety Assessment
• Dependence Diagrams
• Fault Tree Analysis
• Markov Analysis
• PRISM Model/Monte Carlo Simulation
• Certification Process
• Conclusion

System Safety Process: ARP 4761
(Process-flow diagram, flattened to an outline. The design phases run from Concept Development through Preliminary Design and Detailed Design to Design Validation & Verification; each analysis sits in the phase that produces it.)
• Concept Development – Aircraft FHA
  – Functions, Hazards, Effects, Classifications
• Preliminary Design – System FHA
  – Functions, Hazards, Effects, Classifications
• Preliminary Design – PSSA
  – Aircraft FTA: Qualitative, System Budgets, Intersystem Dependencies
  – System FTA: Qualitative, Subsystem Budgets
• Detailed Design / Design Validation & Verification – SSA
  – System FTAs
  – System FMEAs, FMES: Qualitative, Failure Rates
  – Analysis methods shown alongside the FTAs: DD (Dependence Diagrams), MA (Markov Analysis)
• CCA (Common Cause Analysis), carried alongside the phases above
  – Particular Risk Analysis
  – Common Mode Analysis
  – Zonal Safety Analysis

System Description
• 4-bladed, single main rotor, NOTAR-equipped
• Light Helicopter/Personal Air Vehicle use
• Upgrade of MD500E, with new rotor, engine, transmission, avionics and anti-torque system
• Cruise speed: 141 knots at 80% MCP
• Max range: 438 nm at 113 knots
• Payload: 1156 lbs
• Improved safety & reliability at low cost (<$500K)
• Pegasus-2 follow-on dual mode (roadable)

System Description
Possible Pegasus Missions
• Personal Travel Applications
  – Urban mobility
  – Business travel
  – Long distance commuting
  – Recreation, Sports and Leisure
• Government Applications
  – Emergency medical services
  – Law enforcement
  – Fire/Rescue
  – Military light utility/reconnaissance
• Commercial Applications
  – Media/Traffic
  – Air taxi
  – Agricultural/Farming/Ranching
  – Aerial tours
  – Express package delivery
  – Offshore oil rig transport
• Corporate Applications
  – Corporate transport
  – Employee commuting
  – Ferry service

System Description
Figure 1. PAV Mission Scenario
(Functional decomposition diagram, flattened. The activity labels below are those recovered from the figure; the grouping follows the diagram's top-level functions and is approximate where the extraction interleaved branches.)
• Perform PAV Mission
  – Perform Flight Planning; Brief Safety Procedures; Load Passengers and Cargo
  – Preflight PAV: Perform Visual Inspections (Inspect Fuselage, Main Rotor, Engine, NOTAR, Avionics, Landing Gear, Cabin Area); Refuel PAV
  – Start PAV: Start Engine; Perform BIT Checks; Increase throttle to 100%; Perform before takeoff checks; Start ground engine; Activate ground controls
  – Operate PAV
    • Drive PAV on Ground: Accelerate PAV; Steer PAV; Stop PAV
    • Air/Ground Transition: Unfold Blades; Fold Blades; Stop Rotor
    • Fly PAV: Hover/Taxi; Perform Takeoff; Climb; Cruise; Descend; Land Aircraft; Navigate; Communicate; Maintain Traffic Avoidance; Maintain Situational Awareness (Monitor Instruments)
    • Manage System Failures: ID Failure; Perform Emergency Procedures; Recover Aircraft
  – Perform Mission: Perform other Missions as needed
  – Land PAV; Postflight PAV: Hover/Taxi; Unload Pass./Cargo
  – Shutdown PAV: Perform shutdown
  – Maintain PAV
    • Perform Scheduled Maintenance: Perform Inspections/Services; Exchange life-limited parts; Perform Powerplant overhaul
    • Perform Unscheduled Maintenance: ID Fault; Perform Diagnostics; Replace failed component

New Technologies
• Full Authority Digital Engine Control
• General Aviation Propulsion (GAP) engine
• Garmin GNS 530 Avionics Package
• Hanson Elastic Articulated Rotor Hub
• Aerofilter Engine Inlet Barrier Filter
• No-Tail Rotor (NOTAR) anti-torque system

New Technologies
Full Authority Digital Engine Control
• Automatically controls fuel flow to the engine, reducing pilot workload
• Senses NG, NP, TGT, etc. to control fuel flow
• Easier starting and fault monitoring; eliminates hot starts and rotor RPM droop; has auto relight capabilities
• Dual redundant ECUs to ensure no failure of auto mode

New Technologies
General Aviation Propulsion (GAP) engine
• Development by Williams and NASA Glenn
• 500 shp, 125 lbs, 0.5068 SFC
• Allows room for growth
• Compatible with current “off the shelf” transmission used on MD520N

New Technologies
Garmin GNS 530 Avionics Package
• Integrated WAAS-upgradeable color moving map GPS
• Integrated VHF-COM, VOR, Localizer, and glideslope
• Combines all essential navigation and communication functions
• Integrated with GDL-49, displays NEXRAD weather radar information
• Also integrates with GTX-330 Mode S transponder to provide traffic avoidance information

New Technologies
Hanson Elastic Articulated Rotor Hub
• Bearingless, stiff flexure design with effective hinge offset of 10 degrees
• Slight forward sweep and matched lead-lag/flapping stiffness of the flexure eliminate the need for dampers
• Low control forces eliminate the need for hydraulics
• Auto trim feature eases pilot workload and improves safety

New Technologies
Aerofilter Engine Inlet Barrier Filter
• Improved air induction system compared with the old swirl tube technology
• Increases efficiency of engine, increases power output and lowers TGT temps and gph
• Reduces engine wear and increases engine life substantially

New Technologies
No-Tail Rotor (NOTAR) anti-torque system
• Safer, quieter, less fragile system than the traditional tail rotor anti-torque system
• Uses tailboom slot, vertical fins and direct thruster to control aircraft
• Only drawbacks are reduced efficiency and the need for more horsepower to power the NOTAR fan

Functional Hazard Assessment (FHA)
• Considers both loss of functions and malfunctions
• Identifies the failure condition for each phase of flight
• Establishes derived safety requirements needed to limit the function failure effects that affect the failure condition classification

Functional Hazard Assessment (FHA)
The FHA considered functions at two levels
• The Vehicle level
  – The overall aircraft was examined and top level functions were considered
• The System level
  – The system that was investigated further was the power plant (engine)
  – For the system FHA, failure conditions were looked at from the perspective of:
    • Human Failures
    • Hardware Failures
    • Software Failures
    • Interaction with other systems

Functional Hazard Assessment (FHA)
Functional Failure Conditions for the function “Control Power”
• Loss of fuel flow control
• Inability to govern rotor speed
• Inability to limit engine torque
• Inability to limit engine temperature
• Inability to govern engine NP & NG speed
• Inability to monitor faults

Functional Hazard Assessment (FHA)
Environmental and Emergency Configurations and Conditions
• Engine Inlet Icing
• Snow/Water Ingestion
• Dust/Sand/Volcanic Ash Ingestion
• Salt Water Ingestion
• High Density Altitude/Hot Ambient Temp.
• Electrical Failure
• Fuel Line Failure

Functional Hazard Assessment (FHA)
Aircraft Functions
(Function tree, flattened; Control Power is the function decomposed further, and its sub-functions are the ones whose failure conditions are listed above.)
• Pegasus Functions
  – Control Flight Path
  – Control Power
    • Control Fuel Flow
    • Govern Rotor Speed
    • Limit Engine Torque
    • Limit Engine Temperature
    • Govern NG & NP Speed
    • Monitor Faults
  – Control Vehicle on Ground
  – Provide Collision Avoidance
  – Provide Commo
  – Control Cabin Environment
  – Provide Spatial Orientation
  – Provide Crew/Pass. Equipment Safety
  – Provide Navigation
  – Handle Cargo

Functional Hazard Assessment (FHA)
Aircraft FHA
(Seven-column worksheet: 1 Function; 2 Failure Condition; 3 Phase; 4 Effect of Failure Condition on Aircraft/crew; 5 Classification; 6 Reference to Supporting Material; 7 Verification. Columns 1–4 are rebuilt row by row below. Columns 5–7 did not survive extraction in row order, so their entries are listed afterwards as recorded rather than attributed to individual rows.)

Control Flight Path – Loss of Collective Control (including binding, feedback, & sloppiness)
  Hover/Taxi: Throttle off – Autorotate
  Take-off: Manual throttle, reduce throttle to min rotor RPM, conduct running landing
  Cruise: Manual throttle, reduce throttle to min rotor RPM, conduct running landing
  Landing: Conduct running landing
Control Power – Engine Fail
  Hover/Taxi/TO, Cruise/landing: See Below
  a. Engine Out
    Hover/Taxi: Autorotate
    Take-off: Autorotate
    Cruise: Autorotate, attempt restart
    Landing: Autorotate
Control Vehicle on the ground – Loss of Steering
  Ground mode: Stop vehicle, transition to air mode and fly to nearest maintenance facility
Control Cabin Environment – Loss of heat/air conditioning
  All phases: Attempt to fix system, adjust mission as necessary
Provide Spatial Orientation – Loss of aircraft gyros
  Hover/Taxi: Land, fix gyros
  Take-off: Return to airfield, fix gyros
  Cruise: Continue to destination VFR, fix gyros; if IFR, inform ATC "no gyro" and request ground controlled approach
  Landing: Land, fix gyros
Provide Collision Avoidance – Pilot task overload
  Hover/Taxi: Land, revise mission
  Take-off: Abort takeoff, revise mission
  Cruise: Land as soon as practicable
  Landing: Land
Provide Collision Avoidance – Reduced Visibility
  Hover/Taxi: Land, refile for IFR
  Take-off: Prepare to switch to instruments
  Cruise: Prepare to switch to instruments
  Landing: Land
Provide Communication – Loss of Radios
  Hover/Taxi: Land, fix radios
  Take-off: Go around, flash lights at tower, follow light gun instructions, land
  Cruise: Attempt to fix radios, squawk 7600 on transponder
  Landing: Follow light gun instructions, land
Provide Navigation – GPS Failure
  Hover/Taxi: Land, fix GPS
  Take-off: If mission critical, abort; otherwise transition to map
  Cruise: Troubleshoot GPS, transition to map
  Landing: Land, fix GPS
Provide crew/passengers/equipment Safety – Cabin Fire
  Hover/Taxi: Land, egress cabin
  Take-off: Land, egress cabin
  Cruise: Land as soon as possible, egress
  Landing: Land, egress cabin
Handle Cargo – Structural Failure
  Hover/Taxi: Land, shut down aircraft
  Take-off: Land, shut down aircraft
  Cruise: Land as soon as possible
  Landing: Land, shut down aircraft

Classification entries as recorded: Major; Catastrophic; Catastrophic; Catastrophic; See Below; Major; Catastrophic; Hazardous; Catastrophic; Minor; No safety effect; No safety effect; Minor; Major; Minor; Minor; Minor; Major; Minor (×7); VFR-Minor / IFR-Major; Minor; No safety effect; Minor; Minor; No safety effect; Hazardous; Hazardous; Catastrophic; Hazardous; Major (×4).
Reference to Supporting Material entries: Operator's Manual EPs; Emergency Procedures IAW Operators Manual; Operator's Manual; FAR/ATM; ATM.
Verification: Aircraft FTA for every row.

Functional Hazard Assessment (FHA)
System (Engine) FHA - Hardware
(Same seven-column worksheet as the aircraft FHA; columns 1–4 are rebuilt below, columns 5–7 are listed afterwards as recorded.)

Control Power – Engine Fail
  Hover/Taxi/TO, Cruise/landing: See Below (Classification: See Below; Reference: Emergency Procedures IAW Operators Manual; Verification: Aircraft FTA)
  a. Engine Out (failure of combustion chamber to burn fuel)
    Hover/Taxi: Autorotate
    Take-off: Autorotate
    Cruise: Autorotate, attempt restart
    Landing: Autorotate
  b. Engine Chips (engine material failure)
    Hover/Taxi, Take-off, Cruise, Landing: Land as soon as possible
  c. Compressor Stall (failure to compress air)
    Hover/Taxi, Take-off, Cruise, Landing: Reduce collective and land as soon as possible
  d. Partial Failure
    Hover/Taxi: Land as soon as possible
    Take-off, Cruise, Landing: Land as soon as possible or Autorotate
  e. Engine deflagration
    While running: High speed objects inside/outside vehicle impact crew/passengers
Control Power – Engine Overspeed
  Hover/Taxi: Autorotate
  Take-off: Abort takeoff; perform manual throttle operations and land as soon as possible
  Cruise: Perform manual throttle operations and land as soon as possible
  Landing: Perform manual throttle operations and land as soon as possible

Classification entries as recorded: Major; Catastrophic; Hazardous; Catastrophic; Minor (×5); Hazardous; Hazardous; Minor; Minor; Catastrophic; Major; Catastrophic; Catastrophic; Major; Major; Major; Major.
Reference to Supporting Material entries: Emergency Procedures IAW Operators Manual; Operator's Manual EPs.
Verification: Aircraft FTA for every row.

Functional Hazard Assessment (FHA)
System (Engine) FHA - Software
(Columns 1–5 rebuilt below; the classification is given on the row where the extraction kept it beside its effect text, and listed in extraction order otherwise.)

Engine Parameters Control – Mode Failure
  a. Automatic Mode Failure
    Hover/Taxi: Results in fixed fuel flow. Pilot should make the switch to manual mode, and conduct landing if it is necessary
    Take-off: Results in fixed fuel flow. Pilot should make the switch to manual mode, and conduct landing if it is necessary
    Cruise: Results in fixed fuel flow. Pilot should make the switch to manual mode
    Landing: Results in fixed fuel flow. Pilot should make the switch to manual mode, and land the aircraft as soon as possible
    Classification entries recorded for these four rows, in extraction order: Major; Catastrophic; Hazardous; Catastrophic
  b. Failure to switch to manual mode
    Hover/Taxi: Cause main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep the automatic mode, and land the aircraft if it is necessary – Major
    Take-off: Cause main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep the automatic mode, and land the aircraft if it is necessary – Catastrophic
    Cruise: Cause main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep the automatic mode – Hazardous
    Landing: Cause main rotor RPM to droop/overspeed as collective is increased/decreased. Pilot should keep the automatic mode to land the aircraft – Catastrophic
Reference to Supporting Material: Operator's Manual EPs for every row.
Verification: Aircraft FTA for every row (header row: See below).

Functional Hazard Assessment (FHA)
System (Engine) FHA – Human Interaction
(Columns 1–4 rebuilt below; classification entries that the extraction separated from their rows are listed afterwards in extraction order.)

Human Interacts with Powerplant – Failure to properly pre-flight or run-up aircraft (Pre-flight: See Below)
  a. Failure to notice FOD – Pre-flight: Partial or complete engine failure. Pilot must enter autorotative descent – Hazardous
  b. Failure to notice low fluid levels – Pre-flight: Potential engine damage resulting from low fluid levels
  c. Failure to notice structural damage to engine – Pre-flight: Partial or complete engine failure. Pilot must enter autorotative descent
  d. Failure to inspect electrical system – Pre-flight: Partial or complete engine failure. Pilot must enter autorotative descent
  e. Failure to properly inspect HMU – Pre-flight: Damaged HMU could affect fuel flow and lead to engine flame out
  f. Failure to properly inspect fuel filter button – Pre-flight: Clogged fuel filter could lead to engine flame out
  g. Failure to properly monitor FADEC BITs – Pre-flight: Unaware of FADEC malfunctions
  h. Failure to properly monitor start – Pre-flight: Potential engine overtemperature
Human Interacts with Powerplant – Failure to react to emergencies (All Phases: See Below)
  a. Failure to react to loss of engine power
    Taxi: Damage to engine, aircraft, and potential injury/fatality to crew. Slow reaction time in collective reduction will result in rapid decay of rotor rpm
    Takeoff: Damage to engine, aircraft, and potential injury/fatality to crew. Slow reaction time in collective reduction will result in rapid decay of rotor rpm
    Cruise: Damage to engine, aircraft, and potential injury/fatality to crew. Slow reaction time in collective reduction will result in rapid decay of rotor rpm
    Landing: Damage to engine, aircraft, and potential injury/fatality to crew

Classification entries recorded apart from the inline Hazardous on item a, in extraction order: Hazardous (×7); Major; Catastrophic; Hazardous; Catastrophic.
Reference to Supporting Material: Operator's Manual / EPs for every row.
Verification: FTA for every row.

PSSA Inputs
The following set of safety (availability, integrity, installation) requirements was derived from the aircraft and system FHAs and the Common Cause Analysis, based on an average flight duration of 3.5 hours: the per-flight-hour objectives used in the FHA (10^-9 for Catastrophic, 10^-7 for Hazardous) are multiplied by 3.5 to give the per-flight budgets of 3.5E-9 and 3.5E-7 that appear below.

PSSA Inputs
HARDWARE BASED SAFETY REQUIREMENTS
1. Loss of all engine power (engine out) during takeoff or landing shall be less than 3.5E-9 per flight.
2. Occurrence of engine compressor stall during takeoff or cruise shall be less than 3.5E-7 per flight.
3. Occurrence of engine deflagration shall be less than 3.5E-9 per flight.
4. Engine under-speed during takeoff and landing shall be less than 3.5E-9 per flight and during cruise shall be less than 3.5E-7 per flight.
5. Engine fire during all phases of flight shall be less than 3.5E-7 per flight and during cruise shall be less than 3.5E-9 per flight.
6. FADEC failure during cruise shall be less than 3.5E-7 per flight. During takeoff and landing FADEC failure shall be less than 3.5E-9 per flight.
7. FADEC fixed during cruise shall be less than 3.5E-7 per flight. During takeoff and landing FADEC fixed shall be less than 3.5E-9 per flight.
8. Fuel filter clogged/bypass during flight shall be less than 3.5E-7 per flight.
9. Loss of fuel flow to the engine during flight shall be less than 3.5E-9 per flight.

PSSA Inputs
SOFTWARE BASED SAFETY REQUIREMENTS
1. FADEC AUTO mode failure during takeoff and landing shall be less than 3.5E-9 and during cruise shall be 3.5E-7.
2. Failure to switch to manual mode during takeoff and landing shall be less than 3.5E-9 and during cruise shall be 3.5E-7.
3. FADEC gives false engine out indication shall be less than 3.5E-9 and during cruise shall be 3.5E-7.
4. FADEC loss of automatic flameout detection and relight capabilities during takeoff and landing shall be less than 3.5E-9 and during cruise shall be 3.5E-7.
5. Loss of fault monitoring during flight shall be less than 3.5E-7.

PSSA Inputs
HUMAN BASED SAFETY REQUIREMENTS:
1. Failure to pre-flight shall be less than 3.5E-7 per flight.
2. Failure to properly react to loss of engine power during takeoff and landing shall be less than 3.5E-9 per flight and during cruise shall be less than 3.5E-7 per flight.
3. Failure to properly react to engine under-speed during takeoff and landing shall be less than 3.5E-9 per flight and during cruise shall be less than 3.5E-7 per flight.
4. Failure to properly react to engine fire during taxi and cruise shall be less than 3.5E-7 per flight and during takeoff and landing shall be less than 3.5E-9 per flight.
5. Failure to properly react to FADEC failure during takeoff and landing shall be less than 3.5E-9 per flight and during cruise shall be less than 3.5E-7 per flight.

PSSA Inputs
HUMAN BASED SAFETY REQUIREMENTS (CONT’D):
6. Failure to properly react to false engine out warning during takeoff, cruise, and landing shall be less than 3.5E-7 per flight.
7. Failure to properly react to engine fire during taxi and cruise shall be less than 3.5E-7 per flight and during takeoff and landing shall be less than 3.5E-9 per flight.
8. Failure to properly react to FADEC failure during takeoff and landing shall be less than 3.5E-9 per flight and during cruise shall be less than 3.5E-7 per flight.
9. Failure to properly react to false engine out warning during takeoff, cruise, and landing shall be less than 3.5E-7 per flight.
10. Failure to observe engine instruments during landing shall be less than 3.5E-7 per flight.

PSSA Inputs
HUMAN BASED SAFETY REQUIREMENTS (CONT’D):
11. Failure to notice sensory indications during takeoff shall be less than 3.5E-7 per flight.
12. Failure to properly manage fuel during takeoff and landing shall be less than 3.5E-9.
13. Failure of maintenance personnel to reconnect fittings shall be less than 3.5E-9.
14. Failure to properly perform maintenance inspections or services shall be less than 3.5E-9.
15. Failure to properly latch cowlings shall be less than 3.5E-9 per flight.

Safety Req’ts / Design Decisions
(Three-column table: Safety Requirement | Design Decisions | Remarks; the requirement numbering is the slide's own.)

11. Failure to properly react to FADEC failure during takeoff and landing shall be less than 3.5E-9 per flight. (Liveware based)
  Design Decisions: The FADEC system shall be redundant and no single event shall bypass the system’s redundancy or independence. The FADEC shall be designed and installed in such a way that FADEC failure is extremely unlikely.
  Remarks: Takeoff and landing are where a FADEC failure is most critical. Failure to properly react during these times must be minimized. Extra pilot training and awareness during these times will be extremely important.
2. Maintenance personnel leaving tools in the engine compartment shall be less than 3.5E-9 per flight. (Liveware based)
  Design Decisions: The maintenance equipment and storage shall be considered an integral part of the overall system. As such, safety and best-practice techniques shall be utilized to the maximum extent possible.
  Remarks: This failure must be completely eliminated. Extra training and safety programs should be implemented. Also, the system will have safety features, such as colors that contrast with tools, built into it.
3. FADEC failure during take off and landing shall be less than 3.5E-9 per flight. (Hardware based)
  Design Decisions: FADEC ECU shall be dual redundant. All FADEC hardware will be of a fail safe design. HMU fail safe open for pilot manual control option.
  Remarks: Again, takeoff and landing are where total FADEC failure leaves the least amount of reaction time. Systems in parallel are a key to ensuring safety.
4. Loss of fuel flow to the engine during flight shall be less than 3.5E-9 per flight. (Hardware based)
  Design Decisions: Main considerations here are fuel pump failure and fuel filter clogged. Design redundancy in both of these systems to preclude failure.
  Remarks: Use two fuel pumps, one engine driven, the other a fuel boost pump. Failure of either of these would not result in failure of the system. If the fuel filter becomes clogged, provide a fail safe bypass valve and indication to the pilot.

Safety Req’ts / Design Decisions
(Three-column table, continued: Safety Requirement | Design Decisions | Remarks)

5. Failure to switch to manual mode during takeoff and landing shall be less than 3.5E-9 and during cruise shall be 3.5E-7. (Software based)
  Design Decisions: FADEC software failure to automatically switch to manual mode if automatic mode fails would require extremely quick pilot reaction, especially during takeoff and landing. Use dual redundant ECUs and fail safe back up through HMU.
  Remarks: Two ECUs backing each other up provides even greater reliability (parallel systems) and the HMU full open (dependent on throttle position) upon automatic mode failure provides a triple redundancy.
6. FADEC gives false engine out indication shall be less than 3.5E-9 and during cruise shall be 3.5E-7. (Software based)
  Design Decisions: A false engine out indication could cause the pilot to take inappropriate action, possibly leading to engine/transmission damage or a crash sequence. Dual redundancy of ECUs reduces this probability to within an acceptable range.
  Remarks: Dual ECUs provide greater reliability. Human interaction was considered. Pilot training in analyzing failure conditions and responding appropriately greatly reduces the severity of this failure condition.

Dependence Diagrams
FUEL SYSTEM
(Dependence diagram, flattened to its blocks as laid out on the slide. The lower-row blocks sit beneath the upper-row blocks they back up; the boost pump paired with the engine-driven pump and the bypass paired with the filter are the same redundant pairs that appear as AND gates 1.3.1.5 and 1.3.1.1 in the engine-out fault tree.)
Upper row:
• ENGINE DRIVEN FUEL PUMP
• FUEL FILTER
• FUEL GOVERNOR
• COMPRESSOR AIR INLET
Lower row:
• FUEL TANK
• FUEL LINE
• FUEL BOOST PUMP
• FUEL FILTER BYPASS
• PILOT CONTROLS FUEL FLOW
• FADEC ALLEVIATES STALL CONDITION
• PILOT PERFORMS AUTOROTATION

Dependence Diagrams
FADEC SYSTEM
(Dependence diagram, flattened to its blocks.)
• FADEC SENSOR INPUTS: NP; NG; ROTOR RPM; COLLECT POS; CIT; ENGINE TORQUE; AMBIENT CONDITIONS
• AIRCRAFT ELECTRICAL POWER
• PERMANENT MAGNETIC ALTERNATOR
• FADEC SWITCH
• FADEC SOLENOID
• ARINC INTERFACE
• FADEC CONTROLS FUEL FLOW
• MANUAL MODE (PILOT CONTROLS)
• FADEC GIVES PROPER INDICATION TO PILOT
• PILOT GIVES PROPER RESPONSE TO INDICATION

Dependence Diagrams
HUMAN INTERACTION
(Dependence diagram, flattened to its blocks.)
• PILOT CONDUCTS PRE-FLIGHT INSPECTIONS
• MAINT PERSONNEL: Performs Inspections; Reconnect Fittings; Clean Up Tools; Latch Cowlings
• MAINT PERSONNEL TAKE OIL SAMPLES
• MAINT PERSONNEL FLUSH ENGINE
• MAINT PERSONNEL CALIBRATE TOOLS
• PILOT CONDUCTS POST-FLIGHT INSPECTIONS

Fault Tree Analysis
Aircraft Level
• FTA developed for catastrophic failures identified in FHA
• Engine Failure selected for system level analysis

Fault Tree Analysis
System Level – Engine Out
(Fault tree, flattened to an indented outline: gate/event number, event description, and the probability printed on the slide. The probabilities identify 1.3.1.1 and 1.3.1.5 as AND gates over redundant pairs, since 6.7E-9 × 6.7E-9 ≈ 4.5E-17; the remaining gates are OR gates.)
1 (Engine Out) Combustion Chamber Does Not Burn Fuel – 5.9E-10
  1.1 Structural Failure – 1.3E-10
    1.1.1 Loss of Components – 6.7E-11
    1.1.2 Cracks/Defects in Chamber Housing – 6.7E-11
  1.2 Human Failure – Pilot Cuts Engine – 1.3E-10
    1.2.1 Pilot Inadvertently Rolls Throttle Off – 6.7E-11
    1.2.2 Pilot Reacts Incorrectly to Emergency – 6.7E-11
  1.3 Physical Failure – 3.3E-10
    1.3.1 Loss of Fuel Flow – 2E-10
      1.3.1.1 Filter Failure – 4.5E-17
        1.3.1.1.1 Clogged Fuel Filter – 6.7E-9
        1.3.1.1.2 Clogged Filter Bypass – 6.7E-9
      1.3.1.2 Empty Fuel Tank – 6.7E-11
      1.3.1.3 FADEC Cuts Fuel Flow – 6.7E-11
      1.3.1.4 Fuel Line Failure – 6.7E-11
      1.3.1.5 Pump Failure – 4.5E-17
        1.3.1.5.1 Boost Pump Failure – 6.7E-9
        1.3.1.5.2 Engine Driven Pump Failure – 6.7E-9
    1.3.2 Loss of Air Flow – 1.3E-10
      1.3.2.1 Compressor Stall – 6.7E-11
      1.3.2.2 Clogged Air Inlet – 6.7E-11

Markov Analysis
Introduction
– Markov analysis looks at a sequence of events, and analyzes the tendency of one event to be followed by another
– Markov analysis provides a means of analyzing the re- liability and availability of systems whose components exhibit strong dependencies
Typical dependencies that Markov models can handle
– Components in cold or warm standby
– Common maintenance personnel
– Common spares with a limited on-site stock

Markov Analysis
Parallel Repairable System
(State diagram and state equations for two components A and B in parallel. The diagram has four states labelled (1,1), (1,0), (0,1) and (0,0), giving the status of A and B, with independent failure and repair transitions for each component plus a common-cause transition, subscripted c, from (1,1) straight to (0,0). The slide gives the four state equations dP1(t)/dt through dP4(t)/dt, one per state, each with a bracketed outflow term and inflow terms from the neighbouring states; the failure, repair and common-cause rate symbols did not survive extraction.)

Markov Analysis
MA Vs. FTA
(Comparison slide; the accompanying coin-toss state diagram, with Head/Tail transitions of 20%, 40%, 5% and 35% between "this time"/"today" and "next time"/"tomorrow", survives only as fragments.)
Markov Analysis
• Small System
• Dependent Events
• Inconstant Failure Rate
• Repairable Sys. √, Non-repairable Sys. √
Fault Tree Analysis
• Large System
• Independent Events
• Constant Failure Rate (10^-6 in the example)
• Repairable Sys. χ, Non-repairable Sys. √

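A numerical version of the parallel repairable system and of the MA-versus-FTA comparison above, as an added example (not code from the Pegasus study; the failure rates, repair rates and common-cause rate below are constructed values, not Pegasus figures). It builds the generator matrix for the four states (1,1), (1,0), (0,1), (0,0), integrates the state equations dP/dt = P·Q with RK4, and computes the mean time to first failure by solving the linear system over the transient states. Three runs show the comparison in the slide: with no repair and no common cause the Markov result for P(0,0) equals the FTA AND-gate product (1 − e^(−λa·t))(1 − e^(−λb·t)), which is why the two methods agree for independent, non-repairable events; adding repair raises the MTTF by two orders of magnitude, which a static fault tree cannot express; and a common-cause rate pulls it back down.

```python
# State order used throughout: 0=(1,1) both up, 1=(1,0) B failed,
# 2=(0,1) A failed, 3=(0,0) both failed. Rates are per hour and are
# constructed for this example, not values from the Pegasus study.
STATES = ["(1,1)", "(1,0)", "(0,1)", "(0,0)"]


def build_generator(lam_a, lam_b, lam_c, mu_a, mu_b):
    """Generator matrix Q (rows = from-state, columns = to-state) for two
    repairable components in parallel with common-cause failure rate lam_c.
    Row sums are zero; dP/dt = P Q are the state equations on the slide."""
    Q = [[0.0] * 4 for _ in range(4)]
    Q[0][1] = lam_b            # (1,1) -> (1,0): B fails
    Q[0][2] = lam_a            # (1,1) -> (0,1): A fails
    Q[0][3] = lam_c            # (1,1) -> (0,0): common cause takes both
    Q[1][0] = mu_b             # (1,0) -> (1,1): B repaired
    Q[1][3] = lam_a + lam_c    # (1,0) -> (0,0): A fails, or common cause
    Q[2][0] = mu_a             # (0,1) -> (1,1): A repaired
    Q[2][3] = lam_b + lam_c    # (0,1) -> (0,0): B fails, or common cause
    Q[3][1] = mu_a             # (0,0) -> (1,0): A repaired
    Q[3][2] = mu_b             # (0,0) -> (0,1): B repaired
    for i in range(4):
        Q[i][i] = -sum(Q[i])   # diagonal = minus the total outflow rate
    return Q


def solve_transient(Q, t_end, steps, p0=None):
    """Integrate dP/dt = P Q with classical RK4 from P(0) = p0 (default: all
    probability in state (1,1)). Returns the state probabilities at t_end."""
    n = len(Q)
    P = list(p0) if p0 else [1.0] + [0.0] * (n - 1)
    h = t_end / steps

    def deriv(v):
        return [sum(v[i] * Q[i][j] for i in range(n)) for j in range(n)]

    for _ in range(steps):
        k1 = deriv(P)
        k2 = deriv([P[i] + 0.5 * h * k1[i] for i in range(n)])
        k3 = deriv([P[i] + 0.5 * h * k2[i] for i in range(n)])
        k4 = deriv([P[i] + h * k3[i] for i in range(n)])
        P = [P[i] + h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i])
             for i in range(n)]
    return P


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting (small dense systems)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]


def mean_time_to_failure(Q, failed_state=3):
    """MTTF = expected time to first entry into the failed (absorbing) state
    from (1,1): solve (-Q_TT) m = 1 over the transient states T."""
    trans = [i for i in range(len(Q)) if i != failed_state]
    A = [[-Q[i][j] for j in trans] for i in trans]
    m = solve_linear(A, [1.0] * len(trans))
    return m[0]


if __name__ == "__main__":
    lam_a, lam_b, mu = 2e-4, 3e-4, 0.1      # constructed example rates, per hour
    runs = [
        ("non-repairable", build_generator(lam_a, lam_b, 0.0, 0.0, 0.0)),
        ("repairable", build_generator(lam_a, lam_b, 0.0, mu, mu)),
        ("repairable + CCF", build_generator(lam_a, lam_b, 1e-5, mu, mu)),
    ]
    for name, Q in runs:
        P = solve_transient(Q, 1000.0, 1000)
        print(f"{name:18s} P(0,0) at 1000 h = {P[3]:.3e}   "
              f"MTTF = {mean_time_to_failure(Q):.0f} h")
```

The generator-matrix form is the compact way to write the four state equations on the slide: each row's off-diagonal entries are that state's outgoing rates and the diagonal is their negated sum, so P·Q expands to exactly "minus outflow plus inflow" for every state. The same `mean_time_to_failure` routine applies to the FADEC and tool-recovery models later in the deck once their generator matrices are written out.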
Markov Analysis
• FADEC Fail
Function
Engine
Parameters
Control
Failure Condition
c. Manual Mode Failure
Phase
Hover/Taxi
Take-off
Cruise
Landing




d. Total loss of FADEC (both
automatic and manual mode
failure)
ECU
PMA
HMU
Other Components
Hover/Taxi
Take-off
Cruise
Landing
Effect of Failure Condition
on Aircraft/crew
HMU will default to the maximum
fuel flow attainable. Pilot must
coordinate throttle and collective
inputs, and land the aircraft if it is
necessary
HMU will default to the maximum
fuel flow attainable. Pilot must
coordinate throttle and collective
inputs, and land the aircraft if it is
necessary
HMU will default to the maximum
fuel flow attainable. Pilot must
coordinate throttle and collective
inputs
HMU will default to the maximum
fuel flow attainable. Pilot must
coordinate throttle and collective
inputs
Crew is unable to control the
engine. Land the aircraft as soon
as possible
Crew is unable to control the
engine. Land the aircraft as soon
as possible
Crew is unable to control the
engine. Land the aircraft as soon
as possible
Crew is unable to control the
engine. Land the aircraft as soon
as possible
Classification
Reference to
Supporting Material
Operator's Manual EPs
Aircraft FTA
Hazardous
p<10-7 per flight
hour
Operator's Manual EPs
Aircraft FTA
Hazardous
p<10-7 per flight
hour
Operator's Manual EPs
Aircraft FTA
Major
p<10-5 per flight
hour
Operator's Manual EPs
Aircraft FTA
Catastrophic
p<10-9 per flight
hour
Catastrophic
p<10-9 per flight
hour
Catastrophic
p<10-9 per flight
hour
Catastrophic
p<10-9 per flight
hour
Operator's Manual EPs
Aircraft FTA
Operator's Manual EPs
Aircraft FTA
Operator's Manual EPs
Aircraft FTA
Operator's Manual EPs
Aircraft FTA
Major
p<10-5 per flight
hour
Verification
System FHA
• Personnel Leave Tools In Engine Compartment
1 Function | 2 Failure Condition | 3 Phase | 4 Effect of Failure Condition on Aircraft/crew | 5 Classification | 6 Reference to Supporting Material | 7 Verification
Failure to perform proper maintenance procedures | a. Failure to reconnect fittings | Maintenance | Damaged lines or significant fluid leakages may occur | Catastrophic | | System FHA
Failure to perform proper maintenance procedures | b. Maintenance personnel leave tools in engine compartment | Maintenance | FOD ingestion or significant structural damage | Catastrophic | | System FHA
– Maintenance personnel realize the tool
– Pilot realizes the tool
Failure to perform proper maintenance procedures | c. Failure to properly perform maintenance inspections or services | Maintenance | Oil samples not taken or observed could lead to poor engine performance or failure. Misdiagnosis or failure to locate potential problems could result in engine failure | Catastrophic | | System FHA
Failure to perform proper maintenance procedures | d. Cowlings not latched properly | Maintenance | Structural damage to aircraft; potential of cowling breaking off in flight | Catastrophic | | System FHA
Markov Analysis
FADEC Fail
• FADEC System
– ECU (Auto. Mode, Man. Mode)
– HMU
– PMA
– Other
• Level 1 - Total FADEC Fail
λf — FADEC Failure Rate
μf — FADEC Repair Rate
1 — Operational
0 — Failed
FADEC Failure due to ECU
Markov Analysis
FADEC Fail
Level 2 - FADEC Automatic Mode Fail
- Loss of ECU
- Loss of HMU
- Loss of PMA
- Loss of Other components
Transition rate to the failed state: λE + λH + λP + λO
FADEC Automatic Mode Failure
Markov Analysis
FADEC Fail
Level 3 - Loss of ECU ability to command FADEC
λ — Loss of one ECU
μ — ECU Repair Rate
λc — Loss of aircraft electrical to both ECUs
μc — Electrical Recovery Rate
1 — Operational
0 — Failed
Markov Analysis
Human Reliability
• Personnel Leave Tools In Engine Compartment
λ1 — Maintenance personnel do not recover the tools
λ2 — Pilot does not recover the tools
μc — Recovery Rate (0)
1 — Operational
0 — Failed
Markov Analysis
Results
• FADEC Fail
– Non-repairable Condition
Model-Name | Failure-Rate (per hour) | MTTF (hours) | Reliability (100 hours)
Main | 0.000002686789 | 372191.4895 | 0.9999620796
ECU | 0.000003779965 | 264552.7141 | 0.999983482
Channel | 0.0000073 | 136986.3014 | 0.9992702664
– Repairable Condition
Model-Name | Failure-Rate (per hour) | Recovery Rate (per hour) | Availability | Unavailability | MTTR (hours) | MTTF (hours) | Annual Downtime (hours)
Main | 0.000000746052 | 1.0000292 | 0.999999254 | 0.00000074603 | 0.9999708 | 1340389.1417756 | 0.0065352
ECU | 0.000003730037 | 0.5000146 | 0.9999925402 | 0.0000074598 | 1.99994160171 | 268093.85536926300 | 0.06534784800
Channel | 0.00000730002 | 0.6239316239 | 0.9999883001 | 0.000011699895 | 1.6027397261 | 136985.9260659560 | 0.1024910802
• Human Reliability
Model-Name | Failure-Rate (per hour) | MTTF (hours) | Reliability (100 hours)
Human_Interaction | 0.000001000099 | 999901.0098 | 0.999999982
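As an added example (not the team's model or code), the two-state Markov chains behind the Results tables solved with a small generator-matrix solver; the page's "Main" and "Channel" rates are the inputs, while dual_ecu is an assumed three-state structure for the Level 3 model that the slides do not spell out.

```python
import math
HOURS_PER_YEAR = 8760.0  # the Annual Downtime column of the Results table uses this

def steady_state(Q):
    """Stationary distribution of a continuous-time Markov chain with generator Q
    (rows sum to zero): solve pi*Q = 0 with sum(pi) = 1 by Gaussian elimination,
    replacing the redundant last balance equation with the normalisation."""
    n = len(Q)
    A = [[Q[i][j] for i in range(n)] for j in range(n)]  # column j of Q -> equation j
    b = [0.0] * n
    A[-1], b[-1] = [1.0] * n, 1.0
    for col in range(n):  # forward elimination with partial pivoting
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv], b[col], b[piv] = A[piv], A[col], b[piv], b[col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            A[r] = [a - f * p for a, p in zip(A[r], A[col])]
            b[r] -= f * b[col]
    pi = [0.0] * n
    for r in range(n - 1, -1, -1):  # back substitution
        pi[r] = (b[r] - sum(A[r][c] * pi[c] for c in range(r + 1, n))) / A[r][r]
    return pi

def repairable_two_state(failure_rate, repair_rate):
    """'Repairable Condition' row: state 1 = Operational, state 0 = Failed,
    failure transition at lambda, repair transition at mu."""
    p_up, p_down = steady_state([[-failure_rate, failure_rate],
                                 [repair_rate, -repair_rate]])
    return {"availability": p_up, "unavailability": p_down,
            "mttf_h": 1.0 / failure_rate, "mttr_h": 1.0 / repair_rate,
            "annual_downtime_h": p_down * HOURS_PER_YEAR}

def non_repairable_two_state(failure_rate, mission_hours=100.0):
    """'Non-repairable Condition' row: the Failed state is absorbing, so
    R(t) = exp(-lambda*t) and MTTF = 1/lambda."""
    return {"mttf_h": 1.0 / failure_rate,
            "reliability": math.exp(-failure_rate * mission_hours)}

def dual_ecu(lam, mu, lam_c, mu_c):
    """Assumed structure (not from the slides) for the Level 3 model: states
    (2 ECUs up, 1 up, 0 up); one ECU fails at lam and is repaired at mu, loss
    of aircraft electrical removes both at lam_c and is recovered at mu_c."""
    Q = [[-(2 * lam + lam_c), 2 * lam, lam_c],
         [mu, -(mu + lam), lam],
         [mu_c, 0.0, -mu_c]]
    return steady_state(Q)  # pi[2] = probability the ECUs cannot command the FADEC

if __name__ == "__main__":
    print(repairable_two_state(0.000000746052, 1.0000292))  # 'Main' row of the table
```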
PRISM Reliability
Reliability Goal: MTBF = 80 hrs
– Allows some comparison between PAV and automobiles
– Feasible given the new technologies and the “conservative”
PGE estimate
– Best available: MTBF = 103 hrs
– The only way to test the goal is to run a Monte Carlo
simulation
– PRISM Pareto Charts indicate all sub-systems are
significant.
PRISM Reliability
Sub-system Failure Rate (F/MCH)
Sub-system | Minimum | Target | Max
Airframe | 69.01 | 89.52 | 138.02
Avionics | 17.75 | 23.03 | 35.50
Drive | 60.31 | 78.24 | 120.62
Electrical | 44.48 | 57.70 | 88.96
Eng Inst | 7.55 | 9.79 | 15.10
Flt Cont | 44.95 | 58.31 | 89.90
Fuel | 26.09 | 33.85 | 52.18
Instr | 65.82 | 85.39 | 131.64
Ldg Gear | 41.81 | 54.24 | 83.62
Rotor | 39.09 | 50.71 | 78.18
NOTAR | 25.24 | 32.74 | 50.48
Propulsion | 67.89 | 88.07 | 135.78
Utility/ECS | 39.99 | 51.88 | 79.98
Total F/MCH | 549.98 | 713.47 | 1099.96
Sub-System MTBF (hours) | 103.78 | 80.00 | 51.89
[Pareto chart: Failure Rate by Sub-system with Cum Percent, bars in descending order: Airframe, Propulsion, Instrument, Drive, Flight Control, Electrical, Landing Gear, Utility/ECS, Rotor, Fuel, NOTAR, Avionics, Engine Installation]
Monte Carlo Simulation
• Assume all input variables (sub-systems) have a
Weibull distribution, based upon a minimum failure
rate, “most likely,” and a maximum failure rate.
• Run a simulation of 5,000 iterations to generate a
frequency and probability distribution.
• Repeat the simulation 200 times and record the
variability.
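Added example (not the team's PRISM or Monte Carlo model) that runs the simulation and the 200-repeat bootstrap described above on the PRISM sub-system table; it assumes a triangular distribution in place of the slides' Weibull fit and calibrates the F/MCH-to-MTBF scale from the Target row, since the slides do not state that conversion.

```python
import random
import statistics

# Sub-system failure rates (F/MCH) copied from the PRISM table: (minimum, target, max)
SUBSYSTEMS = {
    "Airframe": (69.01, 89.52, 138.02), "Avionics": (17.75, 23.03, 35.50),
    "Drive": (60.31, 78.24, 120.62), "Electrical": (44.48, 57.70, 88.96),
    "Eng Inst": (7.55, 9.79, 15.10), "Flt Cont": (44.95, 58.31, 89.90),
    "Fuel": (26.09, 33.85, 52.18), "Instr": (65.82, 85.39, 131.64),
    "Ldg Gear": (41.81, 54.24, 83.62), "Rotor": (39.09, 50.71, 78.18),
    "NOTAR": (25.24, 32.74, 50.48), "Propulsion": (67.89, 88.07, 135.78),
    "Utility/ECS": (39.99, 51.88, 79.98),
}
# The table does not state how Total F/MCH becomes MTBF; its three columns show
# MTBF is proportional to 1/Total, so calibrate on the Target row (713.47 -> 80.00 h).
MTBF_SCALE = 80.00 * 713.47

def mtbf_hours(total_failure_rate):
    """Series system: sub-system failure rates add, MTBF is their reciprocal (scaled)."""
    return MTBF_SCALE / total_failure_rate

def simulate(n_iter=5000, rng=None):
    """One Monte Carlo run.  Each sub-system rate is drawn between its minimum and
    maximum with the target as mode; a triangular distribution is used here as a
    stand-in for the Weibull fit the slides describe (assumption)."""
    rng = rng or random.Random()
    mtbfs = []
    for _ in range(n_iter):
        total = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in SUBSYSTEMS.values())
        mtbfs.append(mtbf_hours(total))
    mean = statistics.fmean(mtbfs)
    return {"mean": mean, "std": statistics.stdev(mtbfs, mean),
            "p_le_80": sum(m <= 80.0 for m in mtbfs) / n_iter}

def bootstrap(n_repeat=200, n_iter=5000, seed=2002):
    """Repeat the whole simulation and report the variability of its summary
    statistics, as the Bootstrap Results slide does."""
    rng = random.Random(seed)
    runs = [simulate(n_iter, rng) for _ in range(n_repeat)]
    means, stds = [r["mean"] for r in runs], [r["std"] for r in runs]
    return {"mtbf_mean": statistics.fmean(means), "mtbf_mean_sd": statistics.stdev(means),
            "mtbf_sd": statistics.fmean(stds), "mtbf_sd_sd": statistics.stdev(stds)}

if __name__ == "__main__":
    print(simulate(rng=random.Random(2002)))   # mean, std, P(MTBF <= 80) for one run
    print(bootstrap())                         # spread of those statistics over 200 runs
```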
Monte Carlo Results
[Overlay chart, "Frequency Comparison": simulated failure-rate distributions for each sub-system (Airframe, Avionics, Drive, Electrical, Engine Installation, Flight Controls, Fuel, Instruments, Landing Gear, Rotor, NOTAR, Propulsion, Utility/ECS), each spanning its minimum-to-maximum range, and the resulting MTBF histogram with a fitted Normal Distribution, Mean = 76.65, Std Dev = 3.25]
MTBF Normally Distributed
Mean 76.65
Std Dev 3.25
95% CI: (70.28, 83.01)
P(MTBF <= 80): 0.8487
P(MTBF = 80): 0.0722
Bootstrap Results
• Repeated simulation 200 times
• Summary Statistics for MTBF
Statistic | Mean | Std Dev
MTBF Mean | 76.67 | 0.04
MTBF Std Dev | 3.24 | 0.03
Monte Carlo Conclusions
May not be able to achieve a MTBF of 80, but can
achieve one above 70, which is a vast improvement
over current rotary wing platforms.
Certification Process
– Supplemental Type Certificate (STC) Application
– Systems requiring certification:
• Rotor
– Hub assembly
– Blade and flexure assembly
• Engine
– Applicable FAR Parts:
• 27 – Normal Category Rotorcraft
• 21 – Products and Parts
• 33 – Aircraft Engines
• 36 – Aircraft Noise
– DERs (FAA Order 8110.37A):
• Structural Engineering DER
• Powerplant / Engine DER
• Systems and Equipment DER
• Rotor DER
• Flight Analyst DER
• Flight Test Pilot DER
• Acoustical DER
Certification Process
• Design
• Analysis
• Testing
• Other
– DER Checklists
– Requirements by phase
– Time and cost saved in upgrade
Flight Test Pilot DER Checklist
# | FAR Sect. | Subpart/Discipline | Requirement
1 | 21.35 | Flight / General | Flight Tests
2 | 21.39 | Flight / General | FLT Test Instrument Calibration
3 | 27.45 | Performance | General
4 | 27.51 | Performance | Takeoff
5 | 27.65 | Performance | Climb: All Engines Operating
6 | 27.67 | Performance | Climb: One Engine Inoperative
7 | 27.71 | Performance | Autorotation Performance
8 | 27.75 | Performance | Landing
9 | 27.79 | Performance | Limit Height-Speed Envelope
10 | 27.143 | Flight Characteristics | Controllability and Maneuverability
11 | 27.151 | Flight Characteristics | Flight Controls
12 | 27.161 | Flight Characteristics | Trim Control
13 | 27.171 | Flight Characteristics | General Stability
14 | 27.173 | Flight Characteristics | Static Longitudinal Stability
15 | 27 B27.6 | Flight Characteristics | Dynamic Stability
16 | 27.251 | Flight Characteristics | Vibration
17 | 27.177 | Flight Characteristics | Static Directional Stability
18 | 27.235 | Gnd Handling Characteristics | Taxiing Condition
19 | 27.241 | Gnd Handling Characteristics | Ground Resonance
20 | 27.672 | Control Systems | Stability Augmentation System - Boost
21 | 27.673 | Control Systems | Primary Flight Controls
22 | 27.674 | Control Systems | Interconnected Controls
23 | 27.675 | Control Systems | Control Stops and Limits
24 | 27.683 | Control Systems | Control Operational Tests
25 | 27.771 | Personnel and Cargo | Pilot Compartment
26 | 27.773 | Personnel and Cargo | Pilot Compartment View
27 | 27.777 | Personnel and Cargo | Cockpit Controls
28 | 27.779 | Personnel and Cargo | Motion Effect of Cockpit Controls
29 | 27.1303 | Equipment / General | Flight Navigation Equipment
30 | 27.1321 | Equipment / General | Instrument Installation: Cockpit Arrangement Visibility
31 | 27.1322 | Equipment / General | Warning Caution Panel
32 | 27.1329 | Equipment / General | Autopilot
33 | 27.1335 | Equipment / General | Flight Director System
34 | 27.1435 | Equipment / General | Hydraulic System
35 | 27.1459 | Equipment / General | Flight Recorder
36 | 27.1501 | Operational Limits |
37 | 27.1503 | Operational Limits | Airspeed Limits
38 | 27.1505 | Operational Limits | Velocity Never Exceed (VNE)
39 | 27.1525 | Operational Limits | OPN Types VFR/IFR/Day/Night
40 | 27.1527 | Operational Limits | Maximum Operational Altitude
41 | 27.1543 | Operational Limits | Instrument Markings
(The Design / Analysis / Test / Other check-mark columns of the checklist are not preserved in the transcript.)
Conclusion
Pegasus = Disruptive Technology