Document 7342609


Supersonic Business Jet
Safety by Design
Final Presentation
July 29th, 2002
Mark Birney
Kit Borden
Adam Krause
Jieun Ku
Samson Lim
Shawn Mahan
Overview
• System Introduction
• Certification Process
• Certification Compliance
• Functional Hazard Assessment
• Prism System Analysis
• Human Error Assessment
• Preliminary System Safety Assessment
• Uncertainty Analysis and Technology Assessment
AE 6362: Safety by Design
Market Outlook for SBJs
• A demand for more than 10,000 business jets
expected between 2001 and 2011 (Source:
Gulfstream)
• Gulfstream estimates the market for environmentally friendly SBJs to be 10% of the annual subsonic market
• DARPA has heavily prioritized projects aiming at
solving technology challenges of supersonic flight,
notably the Quiet Supersonic Platform (QSP)
“Voice of the Customer”
• Reduce Travel Time (more than 50%)
– By Increasing Cruise Speed (100%)
– By Reducing Airport Ground Time (70%)
• Increase Versatility & Efficiency
– By Using General Aviation & Other Smaller Airports
– By Reducing Ground Transportation Time
• Improve Productivity & Business Opportunities
– By Providing Doorstep-to-Destination Travel
In order to satisfy customer requirements, a long
range supersonic business jet is required.
Limitations & Requirements
Gulfstream market research has indicated significant
design barriers to overcome
• Sonic Boom Issues
– “BANG” & Nose Shock Overpressure (< 0.5 psf)
• Environmental (Non Sonic Boom Related) Issues
– Takeoff/Landing Noise
– NOX & CO2 Emissions
– Ozone Depletion
• Operational Issues
– Supersonic Flight Over Land
– Operable from Regional Airports
– Efficient Operations at Both Subsonic & Supersonic
Speeds
– High Availability Required
QFD Results
By using the QFD as an initial screening test it was determined that:
• Mission profile would be very important (Cruise Mach number weighting)
• The choice of propulsion system would have a large impact on the system
• Aircraft geometry (Planform shape, fuselage area ruling) was also significant
Emissions
• Current regulations govern LTO NOx emissions based on the standard take-off and approach cycle
• Allowable emissions are based on the design thrust and OPR of the engine
• No current regulations cover CO2 or cruise NOx emissions, but ICAO is developing guidelines governing these parameters
• The future regulations may prove very important because of the relatively high NOx emission rates at high Mach numbers
(Figures courtesy NASA Glenn)
Sideline and Fly-over Noise
• Stage IV noise regulations require a 10 dB cumulative reduction over Stage III
• Applies to aircraft certified after 2006
(Figures courtesy NASA Glenn)
Mission Profile
(Mission profile figure: Takeoff, Climb I, Climb II, Cruise Climb at Mach 1.8 over ~3,800 nm, Descent, Approach, Land; altitude marks ~32,000 ft, ~56,700 ft and ~66,500 ft; Sonic Boom marked on the profile)
• Mission profile based on customer's desire for direct flights
• 4000 nautical mile design range
Geometry
Dimension              Value
Wing Span              68 ft
Wing Area              2077 sq ft
Sweep                  67 deg
Aspect Ratio           1.7
Taper Ratio            0.326
Fuselage Length        140 ft
Vertical Tail Span     15.8 ft
Horizontal Tail Span   26 ft
Performance and Economic Metrics
Metric                 Optimum Design   Target
TOGW (lbs)             108,392          125,000
TOFL (ft)              5,632            6,500
Vapp (knots)           127              130
FONOISE (dB)           78.058           88.000
SLNOISE (dB)           88.664           92.000
NOx Red %              -48%             0%
CO2 (lb/nm)            36.63            50.00
Impulse (lb*s/ft^2)    0.014            0.020
SBPRISE (psf)          0.678            0.500
Acq ($M)               129              100
DOC ($/NM)             8.30             6.00
• Constraint values based on government regulations as well as customer requirements
• All targets are met except for the sonic boom and economic targets.
System Breakdown
Air-Vehicle
• Based on B-777
1. Structures
2. Equipment Centers
3. Flight Deck
4. Information Management System
5. Communications
6. Navigation
7. Auto-pilot System
8. Electrical Power System
9. Fuel System
10. Power Plant
11. Auxiliary Power Unit
12. Hydraulic System
13. Landing Gear
14. Flight Controls
15. Environmental Systems
16. Ice and Rain Protection
17. Fire Protection
18. Cabin Systems
19. Light System
20. Cargo Systems
Propulsion System Breakdown
Power Plant
• Engine Cowlings
• Engine Core
• Engine Oil System
• Engine Control
• Engine Air System
• Inlet
• Hinged Cowlings
• Indication System
• Engine Fuel System
• Engine Start and Ignition System
• Thrust Reverser
• Exhaust Nozzle
• Exhaust Plug
Engine Configuration
Low Bypass Ratio Mixed-Flow Turbofan
Certification Process
Shawn Mahan
Safety and Certification Overview
(Overview diagram: Product Development phases Conceptual Design, Preliminary Design and Detailed Design, alongside the safety assessment activities Aircraft FHA, Aircraft FTA, System FHA, PSSA, FMEAs, System FTAs and SSA, all under Certification Planning and Safety Assurance)
Certification - Introduction
• The SSBJ and the SSBJ engine will need to be certified by the FAA before they can enter revenue and passenger service
• The FAA has outlined the method to obtain an Original Design Approval on its website.
• The following slides will provide an overview of the Certification Program for the SSBJ Engine
The FAA Website
Original Design Approval Process
• As outlined on the FAA Certification Website, an original FAA design approval is a six phase process in which an applicant applies for, and the FAA may issue, a type certificate or design approval of a product or a major design change to a product.
• Phase I: Partnership for Safety Plan
• Phase II: Conceptual Design and Standards
• Phase III: Refined Product Definition and Risk Management
• Phase IV: Certification Project Planning
• Phase V: Certification Project Management
• Phase VI: Post Certification
• Detailed information can be found in The FAA and Industry Guide to Product Certification, available on the FAA Website.
Program Schedule
Key Players and Roles
• Communication and cooperation are the keys to a successful program.
• Key Players and Roles are defined and summarized in The FAA and Industry Guide to Product Certification
Certification Example
• It took DAL 3 years to complete a small structural modification to the B757 pylon.
• There were several factors that led to delays:
– Large companies tend to divide functions across several groups
• Engineering
• AD Compliance
• NTSB / FAA Liaison
• Internal DERs
– The FAA organization is large and decentralized
• Which ACO will you need to coordinate through? ATL ACO, LA ACO, SEA ACO
• Politics
• Coordinating project status meetings and conformity inspections is difficult.
Avoid the Pitfalls
• Plan well and early; get training from the FAA if you need it.
• Always pad your schedule and plan for contingencies.
• Defeat organizational barriers
– Develop a good rapport with the FAA.
– Assign one person as a dedicated project manager.
– Get written commitments!
– Organize and document your progress and problems.
Deliverables
• The Certification process will generate several types of data.
• Data requirements are set by the applicable sections of the FAR and by the FAA.
• The following list is taken from The FAA and Industry Guide to Product Certification
Data Types
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Familiarization and Board meeting minutes
Program Specific Certification Plan
Product Certification Team and Management
status reviews
Application for Type/Production Certification
Letter of Application Acknowledgment
Certification Project Notification
Type Certification Basis
Issue Papers, Special Conditions,
Exemptions, Equivalent Level of Safety
Findings
Burden Assessments
Issues Tracking List
Compliance Check List
Conformity Procedures
Type Inspection Authorizations and
Conformity Requests
Delegation plan
AE 6362: Safety by Design
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Compliance Data (e.g.,test plans, reports,
analyses.)
Type Inspection Report
Installation and Operating instructions
Flight Manual
Structural Repair Manual
Instructions for Continued Airworthiness
Continued Airworthiness management plan
Type Design Approvals
Type Certificate Data Sheet
Production Approvals
Production Limitation Record
Airworthiness Certifications
Compliance Summary Document
Project Evaluation Forms
28
Sample Data
Data Retention
• Both the FAA and the Applicant are responsible for maintaining and storing data.
• FAA Order 8110.4B provides information about data retention.
Certification Basis
• The Certification Basis identifies the applicable standards to which the Applicant must show compliance.
• It also includes the need for special conditions, exemptions, and equivalent safety findings, if any.
• The proposed certification basis is established by the FAA at the beginning of a TC program.
Certification Basis
SSBJ Certification Basis (X marks the product the 14 CFR section applies to)
14 CFR                                           Aircraft   Engine
Sec 21.17, Designation of Regulations              X          X
Sec 21.29, Issue of Type Certificate               X          X
Part 25, Transport Category Aircraft               X
Part 33, Engine                                               X
Part 34, Fuel Venting and Emissions                X          X
Part 36, Noise Requirements                        X          X
Part 43, Maintenance Requirements                  X (single mark; column not recoverable from the source)
Sec 21.16, Special Conditions                      X          X
Sec 21.21(b)(1), Equivalent Level of Safety        X          X
Part 11, Exemptions                                X          X
Certification Compliance and
Functional Hazard
Assessment
Kit Borden
Certification and Testing
• FAR Part 33 covers Engines
– Includes supersonic engine regulations
• FAR Part 36 covers Noise
– Includes supersonic noise regulations for Concorde only
• These two parts were chosen for study in further detail because of the system chosen for study (propulsion) and because noise is important for any commercial aircraft, and especially for the supersonic aspect of this design.
Noise Requirements
• Lack of generic supersonic requirements leaves two main options
– Seek an exception to the existing regulations
– Seek new rule making activity for appropriate regulations
Exception to existing rules
• There could be a time savings because rule making is a long process.
• Obtaining an exception involves fewer people than new rule making.
• An exception would not be as flexible should new regulations come into being during the life of the aircraft.
New Rules
• Regulations for non-Concorde supersonic commercial aircraft will come eventually
• Asking for those rules now has two advantages
– Allows for greater shaping of the regulations as they are created
– Ensures continuing compliance
• Both rule making and the design will be long processes, so the time penalty should be minimal
Part 36
Subpart A - General (compliance table with the columns Applicable / Output / Test specified; the Y/N flags could not be matched to their rows in the source and are omitted)
36.1 Applicability & Definitions, paragraphs (a) to (h)
36.2 Special retroactive requirements, paragraphs (a) and (b)
36.3 Compatibility with airworthiness requirements
36.5 Limitation of part
36.6 Incorporation by reference, paragraphs (a) to (e)
36.7 Acoustical change: Transport category large airplanes and turbojet powered airplanes.
Appendix A - Aircraft Noise Levels Under 36.101 (every section listed is marked Applicable: Y; the Output / Test specified flags could not be matched to their rows in the source)
A36.1 Noise certification test and measurement conditions: (a) General; (b) Test site requirements; (c) Weather restrictions; (d) Aircraft testing procedures
A36.3 Measurement of aircraft noise received on the ground: (a) General; (b) Measurement system; (c) Sensing, recording, and reproducing equipment; (d) Analysis equipment; (e) Calibrations; (f) Noise measurement procedures
A36.5 Reporting and correcting measured data: (a) General; (b) Data reporting; (c) Noise certification reference conditions; (d) Data corrections; (e) Validity of results
A36.7 Symbols and units.
A36.9 Atmospheric attenuation of sound: (a) General; (b) Meteorological measurements; (c) Attenuation rates; (d) Correction for atmospheric attenuation
A36.11 Detailed correction procedures: (a) General; (b) Takeoff profiles; (c) Approach profiles; (d) PNLT corrections; (e) Duration corrections; (f) Nonstandard location correction
Test types recorded in the table: Physical/Electronic, Electronic/Physical, Mathematical Correction, Physical, Physical (specified in another document), Mathematical Corrections
(Note: this section defines how corrections are made so the tests are not actually made under this section)
Example of Noise Testing
• Basic testing techniques remain the same regardless of the noise levels allowed.
• New rules would merely give the allowable levels.
• New techniques may be required for supersonic noise evaluation.
(Figures courtesy NASA Glenn)
Part 33
Subpart E - Design and Construction; Turbine Aircraft Engines (columns: Applicable / Output; the Test specified column, whose values are Analysis and Physical, could not be matched to its rows in the source)
33.61 Applicability: Y / N
33.62 Stress analysis: Y / Y
33.63 Vibration: Y / Y
33.65 Surge and stall characteristics: Y / Y
33.66 Bleed air system: Y / Y
33.67 Fuel system: (a) Y / Y; (b) Y / Y; (c) Y / Y; (d) N
33.68 Induction system icing: Y / N; (a) Y / Y; (b) Y / Y
33.69 Ignition system: Y / Y
33.71 Lubrication system: (a) Y / Y; (b) Y / Y; (c) Y / Y; (d) Y / Y; (e) Y / Y
33.72 Hydraulic actuating systems: Y / Y
33.73 Power or thrust response: Y / N; (a) Y / Y; (b) Y / Y
33.74 Continued rotation: Y / Y
33.75 Safety analysis: Y / Y
33.76 Bird ingestion: (a) Y / Y; (b) Y / Y; (c) Y / Y
33.77 Foreign object ingestion -- ice: (a)-(b) Reserved, N; (c) Y / Y; (d) ? / Y; (e) Y / Y
33.78 Rain and hail ingestion: (a) Y / Y; (b) N; (c) Y / Y; (d) ? / Y
33.79 Fuel burning thrust augmentor: ? / Y
Functional Hazard Assessment and
Certification
• The FHA is part of the processes described in SAE 4761.
• Certification is driven by the FARs.
• Meeting the standards derived from SAE 4761 improves performance for the FAR requirements.
Appendix A: Functional Hazard Assessment of SBJ Propulsion System
Function: Provide Aircraft Propulsion
Columns: Failure Condition; Phase; Effect of Failure Condition on A/C; Crew; Classification & Quantitative Requirement; Supporting Verification Material (left blank on the slide)
A. One Engine Out (Annunciated)
Taxi: Return aircraft to terminal. | Minor. No quantitative requirement.
Takeoff: Abort takeoff before decision speed or make emergency landing if past decision speed. | Major. P<10^-5 per flight hour
Climb: Locate nearest field for emergency landing. Correct flight path when | Major. P<10^-5 per flight hour
Cruise: Locate nearest field for emergency landing. Correct flight path when | Major. P<10^-5 per flight hour
Descent: Locate nearest field for emergency landing. Correct flight path when | Major. P<10^-5 per flight hour
Landing: Correct approach configuration and complete landing. | Minor. No quantitative requirement.
B. One Engine Out (Unannunciated)
Taxi: Throttle for that engine has no effect. | Minor. No quantitative requirement.
Takeoff: Reduced thrust for takeoff. Possibly not enough thrust to takeoff. | Major. P<10^-5 per flight hour
Climb: Reduced thrust for climb. Possibly not enough thrust to climb. | Major. P<10^-5 per flight hour
Cruise: Sudden decrease in airspeed | Major. P<10^-5 per flight hour
Descent: Sudden decrease in airspeed | Major. P<10^-5 per flight hour
Landing: Sudden decrease in airspeed | Minor. No quantitative requirement.
C. One Engine Partially Out (Annunciated)
Taxi: Return aircraft to terminal. | Minor. No quantitative requirement.
Takeoff: Abort takeoff before decision speed or takeoff and land if after decision | Major. P<10^-5 per flight hour
Climb: Crew can shut down engine and return to the airport for repair. | Major. P<10^-5 per flight hour
Cruise: Crew can shut down engine and land at the nearest airfield or determine if there is enough thrust to continue. | Major. P<10^-5 per flight hour
Descent: Crew can shut down engine and land at the nearest airfield or determine if there is enough thrust to continue. | Major. P<10^-5 per flight hour
Landing: Crew can determine whether the reduced thrust of the engine is needed to correct flight path during landing. If not it can be shut down. | Minor. No quantitative requirement.
D. One Engine Partially Out (Unannunciated)
Taxi: Throttle is sluggish during taxi | Minor. No quantitative requirement.
Takeoff: Reduced thrust for takeoff. Possibly not enough thrust to takeoff. | Major. P<10^-5 per flight hour
Climb: Reduced thrust for climb. Possibly not enough thrust to climb. | Major. P<10^-5 per flight hour
Cruise: Sudden decrease in airspeed | Major. P<10^-5 per flight hour
Descent: Sudden decrease in airspeed | Major. P<10^-5 per flight hour
Landing: Sudden decrease in airspeed | Minor. No quantitative requirement.
E. Both Engines Out (Annunciated)
Taxi: Wait for towing | Minor. No quantitative requirement.
Takeoff: Emergency Procedures | Catastrophic. P<10^-9 per flight hour
Climb: Emergency landing / ditch | Catastrophic. P<10^-9 per flight hour
Cruise: Emergency landing / ditch | Catastrophic. P<10^-9 per flight hour
Descent: Emergency landing / ditch | Catastrophic. P<10^-9 per flight hour
Landing: Correct approach configuration and complete landing. | Major. P<10^-5 per flight hour
Note: A partial loss of an engine would most likely result in the discontinued use of that engine resulting in an Engine Out condition.
Prism System Analysis and
Human Error Assessment
Jieun Ku
PRISM
• Developed By Reliability Analysis Center (RAC)
• Performs system-level failure rate assessments
• Disadvantages
– No redundancy function
• No OR gate function
– Human factors are not properly considered
PRISM Flow Chart
1. Grade process factors
2. Construct system tree
3. Input failure rates for each component
4. Summarize component failure rates at assembly level
5. Summarize assembly failure rates at system level
6. Get report from PRISM
SBJ Total Failure Rate (11.504/M Calendar Hours)
Share of total failure rate by system:
Cargo System 0%; Cabin System 1%; Fire Protection 3%; Light System 1%; Ice and Rain Protection 3%; Environmental System 4%; Flight Controls 15%; Flight Deck 13%; Information Management System 13%; Landing Gear 1%; Hydraulic System 0%; Auxiliary Power Unit 2%; Power Plant 1%; Fuel System 1%; Auto-Pilot System 13%; Electrical Power System 2%; Structure 0%; Equipment Center 3%; Communications 10%; Navigation 14%
Failure Rate Distribution - 1
Power Plant System Failure Rate Distribution: Indication System 70%; Engine Cowlings 6%; Engine Core 6%; Engine Control 6%; Engine Oil System 3%; Engine Start and Ignition System 3%; Engine Air System 3%; Engine Fuel System 3%
Auxiliary Power Unit System Failure Rate Distribution: Controls/Indication System 20%; Maintenance Panel 16%; APU Core 16%; APU Oil System 16%; APU Start and Ignition System 16%; APU Fuel System 16%
Failure Rate Distribution - 2
Fuel System Failure Rate Distribution: Controls/Indication System 60%; Maintenance Panel 7%; Storage 6%; Refuel System 6%; Fuel Jettison/Defuel System 7%; Fuel Feed System 7%; Fuel Quantity Indication System 7%
Total System Failure Rate Distribution: Hardware 24%; Software 76%
Human Factors
• Human Information Processing System
– Ergonomics aspect
– Different failure rates under each condition
• Human error causes 20 to 50 % of equipment failures
• Human reliability elements have to be included in reliability analysis
Ways That Humans Cause Errors
• Taking an incorrect decision in response to a difficulty
• Failure to carry out a necessary function
• Carrying out a task that should not have been accomplished
• Poor timing and poor response to a contingency
• Failure to realize a hazardous situation
Types of Human Errors
• Operating Errors
• Maintenance Errors
• Assembly Errors
• Design Errors
• Inspection Errors
• Installation Errors
Operating Errors
• Function-associated errors
– Decision making
– Sequencing
– Problem solving
– Estimating
– Tracking
– Detecting
– Identifying
– Sensing
– Classifying / Coding
• Operating equipment-associated errors
– Errors of omission: situations requiring operator attention
– Error of identification: misidentification of an object and its treatment as the correct object
– Error of interpretation: misunderstanding of information, resulting in performing incorrect tasks
Human Reliability Analysis (HRA)
Methodologies
• Technique For Human Error Rate Prediction (THERP)
• Probability Tree Method
• Pontecorvo's Method
• The Throughput Ratio Method
• Personnel Reliability Index
• Block Diagram Method
Technique For Human Error Rate
Prediction (THERP)
• Predicts human error rates.
• Evaluates the system probability that
– errors will cause system failure
– operations will lead to an error.
• Methods used are
– the system and task analysis method
– the probability tree method
Probability Tree Method
• Concerned with representing critical human actions
• The advantages
– Useful in applying prediction of individual error rates
– Useful in predicting the quantitative effects of errors
– Serves as a visibility tool
– Incorporates physical and emotional stress
– Helps to decrease the probability of errors
Environmental Factors on Human Reliability
• Humans are easily distracted by environmental circumstances
• Environmental factors can be detected and changed in a direction that helps human reliability.
– Discussed and applied with the HRA software REHMS-D
– The sensitivity analysis is carried out with the human factor
Human Reliability Analysis
• Fault Tree Analysis
• HRA Event Tree
• REHMS-D (**Advised By Ho-Seoung Lee)
Fault Tree Analysis
Failure to detect: P(f) = 0.00045
AND gate of: Pilot fails to detect, P(f) = 0.003; Co-pilot fails to detect, P(f) = 0.15
* Ref. Human Reliability and Safety Analysis Data Handbook
HRA Event Tree
Pilot detects changes / Pilot fails to detect change, P(f) = 0.003
Co-pilot detects changes / Co-pilot fails to detect change, P(f) = 0.15
REHMS-D - 1
• Evaluates human reliability in relation to the machine
• Shows the effects of environmental and personnel factors
• Does not analyze cases with unacceptable environmental factors
REHMS-D - 2
Parameter                     Hydraulic System   Fuel System   Engine
Phase                         Operating          Operating     Operating
Quantity (Minimum)            1                  1             1
Time (Minutes)                275                275           275
Weight (lb)                   1408               1235          10691
Tolerance                     70.4               61.75         534.55
Mission Reliability           0.9                0.9           0.9
Availability                  0.95               0.95          0.95
MTBF (Hours)                  50000              25000         15000
MTTR (Hours)                  60                 30            60
Max. MTTR (Hours)             72                 90            72
Mission Duration (Minutes)    275                275           275
(Column groupings on the slide: Subsystem, Tech. Pref., Parameters, Objective)
Sensitivity of Decision Making (REHMS-D chart: human reliability against number of decisions to be made)
Number of decisions: 1, 2, 3, 4, 5, 6, 7
Human reliability: 1, 0.999, 0.995, 0.985, 0.968, 0.94, 0.899
Sensitivity of Duration (REHMS-D chart: duration reliability against working period without rest)
Working period without rest (minutes): 15, 30, 45, 60, 90, 120, 150
Duration reliability: 0.95, 0.94, 0.91, 0.88, 0.82, 0.76, 0.7
Sensitivity of Response (REHMS-D charts: motor/control reliability and speech reliability by response type; labelled values 0.78 for the Motor/Control response type and 0.983 for the Vocal response type)
Sensitivity Analysis Using REHMS-D
• The environmental factors affect human sensory reliability the most
• The working period has to be considered to maintain a certain reliability level
• The number of decisions needs to be limited
• Response types must be selected based on the tasks
Further Study
• Disadvantages of REHMS-D
– Not suitable for the aircraft maintenance environment
– Not suitable for pilot error assessment
– Inconvenient to use
– Lacks phase level analysis
• Alternative software is needed for human reliability assessment at the system design level
New Methodology Proposal
Man-Machine Failure Rate combines the Human Failure Rate (from alternative software) and the Machine Failure Rate (from PRISM)
Alternative software should provide:
• Phase level analysis
• Interface with Excel
• Subsystem level analysis
• Detailed human characteristics
• Support for graphical diagrams
Preliminary System Safety
Assessment
Mark Birney
Preliminary System Safety Assessment
• PSSA begins when FHA is completed
• Iterative with the rest of the safety and design process
• Objective: Determine what failure conditions can result in the hazards described by the FHA
(PSSA process diagram with the elements System Definition, Safety Requirements, PSSA, Preliminary Design, FHA, FTA, Markov Analysis and Safety Performance)
Preliminary System Safety Assessment
• Detailed safety assessment performed on propulsion systems
• Function of the engine and the function of the engine monitoring systems analyzed
• Failure sources considered for hardware, software and liveware
Engine Failure Conditions
• Failure of Fuel System
• Blade Failure
• Cooling Failure
• Engine Oil Failure
• Engine Ignition System
• Engine Control Failure
• Engine Control Software Failure
• Manual Control-Based Failure
• Structural Failure
Annunciation Capability Failure
• Failure in Monitoring System
• Failure in Warning System
• Failure in Annunciating Software
• Failure to Observe Annunciation
Fault Tree Analysis
• Fault Tree Analysis used to assess failure modes for the propulsion system
• Probabilities of failure set for source failures and calculated for the propulsion system
FTA for annunciated single engine full or partial failure:
Annunciated Single Engine Failure, caused by Single Engine Failure, caused by any of: Fuel System, Cooling System, Blade, Structural System, Oil System, Ignition System, Control Software, Engine Control, Manual Control
Fault Tree Analysis
• Fault tree for unannunciated single engine full or partial failure
• Both subsystems must fail for this situation to occur
• Humans and software counted as part of two subsystems
Unannunciated Single Engine Failure, requiring both of:
Annunciation Capability Failure, caused by any of: Monitoring System, Warning System, Annunciation Software, Observation
Single Engine Failure, caused by any of: Fuel System, Cooling System, Blade, Structural System, Oil System, Ignition System, Control Software, Engine Control, Manual Control
FTA in Relex
Top Event: Unannunciated Single Engine Failure, Q: 2.02003e-011
Annunciation Capability Failure (Annun. Fail), Q: 5.00999e-006
Event 1: Monitoring System Failure, Q: 2e-006
Event 2: Warning System Failure, Q: 2e-006
Event 3: Annunciation Software Failure, Q: 1e-006
Event 4: Observation Failure, Q: 1e-008
Single Engine Failure (Prop Fail (1)), Q: 4.03199e-006
Event 5: Fuel System Failure, Q: 1e-006
Event 6: Blade Failure, Q: 1e-006
Event 7: Cooling System Failure, Q: 1e-006
Event 8: Oil System Failure, Q: 1e-006
Event 9: Structural System Failure, Q: 1e-009
Event 10: Ignition System Failure, Q: 1e-008
Event 11: Engine Control Failure, Q: 1e-008
Event 12: Engine Control Software Failure, Q: 1e-008
Event 13: Failure via Manual Control, Q: 1e-009
FTA Results
• Results indicate that the safety requirements set can be met for unannunciated full and partial engine failures and both engines out
• Single engine full or partial failure probability cannot be met
Probability of Failure
Failure condition                              Per Flight Hour   Per Flight   Requirement per Flight
Annunciated Single Engine Failure              4.03E-06          2.02E-05     5.00E-06
Unannunciated Single Engine Failure            2.02E-11          1.01E-10     5.00E-06
Annunciated Partial Single Engine Failure      1.40E-05          7.01E-05     5.00E-06
Unannunciated Partial Single Engine Failure    7.02E-11          3.51E-10     5.00E-06
Both Engines Out (Annunciated)                 1.6257E-11        8.13E-11     5.00E-09
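The gate arithmetic behind the Relex figures and the FTA Results table, as an added example that is not part of the presentation or of Relex: the basic-event probabilities are the ones printed on the "FTA in Relex" slide, OR gates are evaluated as one minus the product of the complements, the AND gate as the product of its inputs, and the per-flight figures use 5 flight hours per flight, which is an assumption read off the ratio of the two columns on the FTA Results slide (the slide does not state the flight duration). The `importance` helper and the 5.00E-06 per-flight check are additions for illustration.

```python
# Fault tree arithmetic for the "FTA in Relex" and "FTA Results" slides.
# Added example; the event probabilities are the ones printed on the slide and
# the gate formulas are the standard ones for independent basic events.

# Basic-event probabilities per flight hour (from the Relex slide).
ANNUNCIATION_EVENTS = {
    "Monitoring System Failure": 2e-6,
    "Warning System Failure": 2e-6,
    "Annunciation Software Failure": 1e-6,
    "Observation Failure": 1e-8,
}
SINGLE_ENGINE_EVENTS = {
    "Fuel System Failure": 1e-6,
    "Blade Failure": 1e-6,
    "Cooling System Failure": 1e-6,
    "Oil System Failure": 1e-6,
    "Structural System Failure": 1e-9,
    "Ignition System Failure": 1e-8,
    "Engine Control Failure": 1e-8,
    "Engine Control Software Failure": 1e-8,
    "Failure via Manual Control": 1e-9,
}

# Assumption: the FTA Results slide's per-flight column is about 5x its
# per-flight-hour column, so a 5-hour flight is used; the slide does not give it.
FLIGHT_HOURS = 5.0


def or_gate(probs):
    """OR gate over independent events: 1 - prod(1 - q_i).

    This is what Relex reports (5.00999e-006 rather than the plain sum
    5.01e-006): the second-order terms are subtracted, not double counted.
    """
    p_none = 1.0
    for q in probs:
        p_none *= 1.0 - q
    return 1.0 - p_none


def and_gate(probs):
    """AND gate over independent events: prod(q_i)."""
    p_all = 1.0
    for q in probs:
        p_all *= q
    return p_all


def evaluate_tree(annunciation=ANNUNCIATION_EVENTS, engine=SINGLE_ENGINE_EVENTS):
    """Return the two intermediate gates and the top event, per flight hour."""
    annun_fail = or_gate(annunciation.values())
    engine_fail = or_gate(engine.values())
    return {
        "annunciation_capability_failure": annun_fail,
        "single_engine_failure": engine_fail,
        "unannunciated_single_engine_failure": and_gate([annun_fail, engine_fail]),
    }


def per_flight(p_per_hour, hours=FLIGHT_HOURS):
    """Probability of at least one occurrence during a flight of `hours` hours."""
    return 1.0 - (1.0 - p_per_hour) ** hours


def meets_requirement(p_per_hour, requirement_per_flight, hours=FLIGHT_HOURS):
    """True when the per-flight probability is below the FHA-derived requirement."""
    return per_flight(p_per_hour, hours) < requirement_per_flight


def importance(events, gate=or_gate):
    """Fraction of a gate's output removed when one basic event is set to zero.

    Ranks which basic events dominate the gate; for the single engine OR gate
    the four 1e-6 events each carry about a quarter of the result.
    """
    base = gate(events.values())
    result = {}
    for name in events:
        without = [0.0 if k == name else v for k, v in events.items()]
        result[name] = (base - gate(without)) / base
    return dict(sorted(result.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    tree = evaluate_tree()
    for name, q in tree.items():
        print(f"{name:40s} {q:.5e} per flight hour, {per_flight(q):.2e} per flight")
    print("single engine failure meets 5.00E-06 per flight:",
          meets_requirement(tree["single_engine_failure"], 5.0e-6))
    for name, share in importance(SINGLE_ENGINE_EVENTS).items():
        print(f"  {name:32s} {share:.3f}")
```

Run as a script it reproduces the three Q values on the Relex slide to the printed precision and shows, as the FTA Results slide states, that single engine failure (about 2.02E-05 per flight) misses the 5.00E-06 requirement while the unannunciated case meets it by a wide margin.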
Criticality Matrix
Numbering (#) of failure condition and phase:
A. One Engine Out (Annunciated): Taxi 1, Takeoff 2, Climb 3, Cruise 4, Descent 5, Landing 6
B. One Engine Out (Unannunciated): Taxi 7, Takeoff 8, Climb 9, Cruise 10, Descent 11, Landing 12
C. One Engine Partially Out (Annunciated): Taxi 13, Takeoff 14, Climb 15, Cruise 16, Descent 17, Landing 18
D. One Engine Partially Out (Unannunciated): Taxi 19, Takeoff 20, Climb 21, Cruise 22, Descent 23, Landing 24
E. Both Engines Out (Annunciated): Taxi 25, Takeoff 26, Climb 27, Cruise 28, Descent 29, Landing 30
Matrix cells (Severity against Probability; probability levels Very High, High, Moderate, Low, Very Low):
Minor, Moderate: 13, 18
Minor, Low: 1, 6, 7, 12, 19, 24
Major: 14, 15, 16, 17 / 2, 3, 4, 5, 8, 9, 10, 11, 20, 21, 22, 23 / 30 (three separate probability cells, in the order placed on the slide)
Catastrophic: 26, 27, 28, 29
• Matrix shows phases of the mission and their criticality to mission safety
• One engine partially out during takeoff, climb, cruise or descent is the most critical failure condition
PSSA Results
• Safety requirements not met for single engine out or single engine partially out
• Criticality matrix indicates that single engine partially out situations will be the most critical in improving system safety
• There are several options for improving safety performance
– Markov Analysis to determine required repair rates
– Add technologies to improve sub-system reliability
– Continue to redefine the system and continue to reevaluate
Sensitivity Analysis
Sensitivity Chart, Target Forecast: Annunciated Single Engine Failure Per Flight Hour (bar chart on a -1 to 1 scale; factors in the order charted: Cooling System Failure, Fuel System Failure, Oil System Failure, Blade Failure, Structural System Partial Failure, Ignition System Partial Failure, Structural System Failure, Manual Control Partial Failure, Ignition System Failure, Observation Failure)
• Bar chart created by running a simulation on a spreadsheet FTA
• Performed to show which engine sub-systems have the greatest impact on failure probabilities
• Information may be used to investigate technologies for improving safety
• Cooling, oil and fuel systems are most critical, along with blade failure effects, for this case
Sensitivity Analysis
Sensitivity Chart, Target Forecast: Unannunciated Single Engine Failure Per Flight Hour (bar chart on a -1 to 1 scale; factors in the order charted: Warning System Failure, Monitoring System Failure, Cooling System Failure, Oil System Failure, Fuel System Failure, Blade Failure, Annunciation Software Failure, Structural System Partial Failure, Ignition System Failure, Blade Partial Failure)
• For unannunciated failure cases, the warning and monitoring systems have the greatest impact
• Cooling, oil and fuel systems along with blade failure have the greatest impact among the engine hardware
• Software failure is also important for the loss of annunciation
Uncertainty Analysis and
Technology Assessment
Adam Krause
Monte Carlo Simulation
• Probability distributions around individual propulsion subsystems
• Probabilities combined using the Fault Tree Analysis models to determine probability of failure modes
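An added example of the simulation this slide describes, not the presentation's own spreadsheet or Crystal Ball model: each basic-event probability of the single engine failure gate is sampled from a distribution, the gate is evaluated per sample, and the samples give both the empirical CDF of the kind plotted on the following slides and the rank-correlation ordering of the kind shown on the Sensitivity Analysis slides. The event names and nominal values are the ones on the Relex slide; the uniform +/-50 % spread is an assumption (the presentation does not give its input distributions), as are the 5-hour flight and the 5.00E-06 per-flight target, both read off the FTA Results slide.

```python
import random

# Nominal basic-event probabilities per flight hour for the single engine
# failure OR gate (the values printed on the Relex FTA slide).
SINGLE_ENGINE_EVENTS = {
    "Fuel System Failure": 1e-6,
    "Blade Failure": 1e-6,
    "Cooling System Failure": 1e-6,
    "Oil System Failure": 1e-6,
    "Structural System Failure": 1e-9,
    "Ignition System Failure": 1e-8,
    "Engine Control Failure": 1e-8,
    "Engine Control Software Failure": 1e-8,
    "Failure via Manual Control": 1e-9,
}
SPREAD = 0.5                # assumption: uniform +/-50 % around each nominal value
FLIGHT_HOURS = 5.0          # assumption: per flight ~= 5 x per flight hour (FTA Results slide)
TARGET_PER_FLIGHT = 5.0e-6  # requirement per flight for this condition (FTA Results slide)


def or_gate(probs):
    """OR gate over independent events: 1 - prod(1 - q_i)."""
    p_none = 1.0
    for q in probs:
        p_none *= 1.0 - q
    return 1.0 - p_none


def sample_inputs(rng, nominal, spread=SPREAD):
    """Draw one set of basic-event probabilities from the assumed distributions."""
    return {k: v * rng.uniform(1.0 - spread, 1.0 + spread) for k, v in nominal.items()}


def monte_carlo(n=2000, seed=1, nominal=SINGLE_ENGINE_EVENTS):
    """Propagate the input uncertainty through the gate; returns (inputs, outputs)."""
    rng = random.Random(seed)
    inputs, outputs = [], []
    for _ in range(n):
        x = sample_inputs(rng, nominal)
        inputs.append(x)
        outputs.append(or_gate(x.values()))
    return inputs, outputs


def empirical_cdf(values):
    """Sorted (value, cumulative fraction) pairs: the curve drawn on the CDF slides."""
    ordered = sorted(values)
    n = len(ordered)
    return [(v, (i + 1) / n) for i, v in enumerate(ordered)]


def fraction_meeting_target(outputs, target=TARGET_PER_FLIGHT, hours=FLIGHT_HOURS):
    """Share of simulated cases whose per-flight probability is below the target."""
    return sum(1 for p in outputs if 1.0 - (1.0 - p) ** hours < target) / len(outputs)


def _ranks(values):
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    for rank, i in enumerate(order, start=1):
        ranks[i] = float(rank)
    return ranks


def spearman(xs, ys):
    """Rank correlation between one input and the output (continuous samples,
    so ties are not expected and plain ordinal ranks are used)."""
    rx, ry = _ranks(xs), _ranks(ys)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / (vx * vy) ** 0.5


def sensitivity_chart(inputs, outputs):
    """Rank correlation of every basic event with the gate output, largest
    magnitude first: the ordering of the bars on the Sensitivity Analysis slides."""
    names = list(inputs[0])
    corr = {name: spearman([x[name] for x in inputs], outputs) for name in names}
    return dict(sorted(corr.items(), key=lambda kv: -abs(kv[1])))


if __name__ == "__main__":
    inputs, outputs = monte_carlo()
    cdf = empirical_cdf(outputs)
    print(f"median single engine failure: {cdf[len(cdf) // 2][0]:.3e} per flight hour")
    print(f"fraction of cases meeting {TARGET_PER_FLIGHT:.2e} per flight: "
          f"{fraction_meeting_target(outputs):.3f}")
    for name, r in sensitivity_chart(inputs, outputs).items():
        print(f"  {name:32s} {r:+.3f}")
```

With these assumptions no sampled case meets the per-flight target, which is the situation the later "Must Infuse Technologies" slide responds to, and the four 1e-6 events (fuel, blade, cooling, oil) come out on top of the sensitivity ordering, matching the first Sensitivity Analysis slide.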
Sample FTA Model Used
Annunciated Single Engine Failure
(Cumulative distribution charts from the Monte Carlo simulation, 0% to 100%: per flight hour on a 0 to 5E-06 axis; per flight on a 0 to 3E-05 axis)
Unannunciated Single Engine Failure
(Cumulative distribution charts, 0% to 100%: per flight hour on a 0 to 1E-06 axis; per flight on a 0 to 6E-06 axis)
Annunciated Partial Single Eng. Failure
(Cumulative distribution charts, 0% to 100%: per flight hour on a 0 to 2E-05 axis; per flight on a 0 to 9E-05 axis)
Unannunc. Partial Single Eng. Failure
(Cumulative distribution charts, 0% to 100%: per flight hour on a 0 to 1E-06 axis; per flight on a 0 to 6E-06 axis)
Both Engines Out (Annunciated)
(Cumulative distribution charts, 0% to 100%: per flight hour on a 0 to 1E-09 axis; per flight on a 0 to 6E-09 axis)
Must Infuse Technologies to Meet Targets for:
• Annunciated Single Engine Failure
• Annunciated Partial Single Engine Failure
Technologies Used:
• Active Combustion Control
• Ceramic Matrix Composites
• Environmental Engine Technology
Active Combustion Control – T1
Description: Improves the effectiveness of RQL and LPP. Controls the efficiency and the emissions of the combustor based on information fed back from sensors placed in the turbine stages.
Benefits:
• NOx Reduction
• Facilitates Certification
Costs:
• Difficult task
• Combustion instability
• High RDT&E
Impact on Safety:
Ceramic Matrix Composites – T2
Description: CMCs used for turbine components will increase the maximum allowable material temperature. This allows for higher turbine inlet temperatures or reduced cooling. This system also eliminates the need for an afterburner and reduces engine weight significantly.
Benefits:
• High T4
• Engine weight reduction
• Cooling reduction
Costs:
• Engine Cost
• Stress constraint
Impact on Safety:
Environmental Engine – T3
Description: Modifications required to the engine parameters to comply with the requirements and predicted outcomes of programs like IHPTET or QSP
Benefits:
• NOx Reduction
• Noise Reduction
Costs:
• Multi-million dollar investment
• High RDT&E
Impact on Safety:
Annunciated Single Engine Failure
(Cumulative distribution charts, 0% to 100%, showing OldCDF, NewCDF withTechs and the Target: per flight hour on a 0 to 5E-06 axis; per flight on a 0 to 3E-05 axis)
Annunciated Partial Single Eng. Failure
(Cumulative distribution charts, 0% to 100%, showing OldCDF, NewCDF withTechs and the Target: per flight hour on a 0 to 2E-05 axis; per flight on a 0 to 9E-05 axis)
Conclusions
• SBJ has good potential to serve the needs of many businesses, but faces many certification and safety challenges
• Certification challenges
– Meeting noise requirements
– Working with the FAA to develop exceptions or new rules for supersonic flight
Conclusions
• Safety
– Initial study shows that the entire system has good safety parameters
– Detailed study of the engine reveals potential issues with the one engine-out situation
– Further refinement and definition of the engine system will be needed as the SBJ design moves forward
– Human and software reliability pose special issues in the safety process