Rotorcraft Design I Day Five: Process and Tools Considerations

1
Rotorcraft Design IDay Five Process and Tools
Considerations

• Dr. Daniel P. Schrage
• Professor and Director, CERT CASA
• Georgia Tech
• Atlanta, GA 30332-0150

2
Presentation Outline

• Safety By Design and Certification
• Overview of Georgia Tech Preliminary Design
  Program(GTPDP)
• Description of a VTOL PAV Demonstrator Program
• Course Wrapup

3
Pegasus Personal Air Vehicle The Future in
Personal Travel
4
Introduction

• Pegasus PAV Safety By Design Team
• Mike Olmstead Team Leader, Hardware
• Evan Brown FTA, Software
• Blake Stringer PRISM, Hardware
• Yongchang Li Markov Analysis, Software
• James Masters Markov Analysis, Human Reliability
• Jeff Johnson Dependence Diagrams, Human
  Reliability

5
Agenda

• Process Overview
• System Description
• New Technologies
• Functional Hazard Assessment
• Preliminary System Safety Assessment
• Dependence Diagrams
• Fault Tree Analysis
• Markov Analysis
• PRISM Model/Monte Carlo Simulation
• Certification Process
• Conclusion

6
Process Overview
Detailed Design
Design Validation Verification
Concept Development
Preliminary Design

• Aircraft FHA
• Functions
• Hazards
• Effects
• Classifications

• System FHA
• Functions
• Hazards
• Effects
• Classifications

PSSA
SSA

• System FTAs
• Qualitative
• Failure Rates

System FMEAs FMES

• System FTA
• Qualitative
• Subsystem Budgets
• DD
• MA

• Aircraft FTA
• Qualitative
• System Budgets
• Intersystem Dependencies

CCA
Particular Risk Analysis
Common Mode Analysis
Zonal Safety Analysis
7
System Description

• 4 Bladed, single main rotor, NOTAR equipped
• Light Helicopter/Personal Air Vehicle use
• Upgrade of MD500E, with new rotor, engine,
  transmission, avionics and anti-torque system
• Cruise speed 141 knots at 80 MCP
• Max range 438 nm at 113 knots
• Payload 1156 lbs
• Improved safety reliability at low cost
  (lt500K)
• Pegasus-2 follow-on dual mode (roadable)

8
System Description
Possible Pegasus Missions
Personal Travel Applications Government Applications Urban mobility Emergency medical services Business travel Law enforcement Long distance commuting Fire/Rescue Recreation, Sports and Leisure Military light utility/reconnaissance Commercial Applications Corporate Applications Media/Traffic Corporate transport Air taxi Employee commuting Agricultural/Farming/Ranching Ferry service Aerial tours Express package delivery Offshore oil rig transport
9
System Description
10
New Technologies

• Full Authority Digital Engine Control
• General Aviation Propulsion (GAP) engine
• Garmin GNS 530 Avionics Package
• Hanson Elastic Articulated Rotor Hub
• Aerofilter Engine Inlet Barrier Filter
• No-Tail Rotor (NOTAR) anti-torque system

11
New Technologies

• Full Authority Digital Engine Control
• Automatically controls fuel flow to engine
  reducing pilot workload
• Senses NG, NP, TGT, etc to control fuel flow
• Easier starting, fault monitoring, eliminates hot
  starts, rotor RPM droop and has auto relight
  capabilities
• Dual redundant ECUs to ensure no failure of auto
  mode

12
New Technologies

• General Aviation Propulsion (GAP) engine
• Development by Williams and NASA Glenn
• 500 shp
• 125 lbs
• .5068 SFC
• Allows room for growth
• Compatible with current off the shelf
  transmission used on MD520N

13
New Technologies

• Garmin GNS 530 Avionics Package
• Integrated WAAS-upgradeable color moving map GPS
• Integrated VHF-COM, VOR, Localizer, and
  glide-slope
• Combines all essential navigation and
  communication functions
• Integrated with GDL-49 displays NEXRAD weather
  radar information
• Also integrates with GTX-330 S mode transponder
  to provide traffic avoidance information

14
New Technologies

• Hanson Elastic Articulated Rotor Hub
• Bearingless, stiff flexure design with effective
  hinge offset of 10 degrees
• Slight forward sweep and matched
  lead-lag/flapping stiffness of flexure eliminates
  the need for dampers
• Low control forces eliminate the need for
  hydraulics
• Auto trim feature eases pilot workload and
  improves safety

15
New Technologies

• Aerofilter Engine Inlet Barrier Filter
• Improved air induction system from old swirl tube
  technology
• Increases efficiency of engine, increases power
  output and lowers TGT temps and gph
• Reduces engine wear and increases engine life
  substantially

16
New Technologies

• No-Tail Rotor (NOTAR) anti-torque system
• Safer, quieter, less fragile system than
  traditional tail rotor anti-torque system
• Uses tailboom slot, vertical fins and direct
  thruster to control aircraft
• Only drawbacks are reduced efficiency and need
  for more horsepower to power the NOTAR fan

17
Functional Hazard Assessment (FHA)

• Considers both loss of functions and malfunctions
• Identifies the failure condition for each phase
  of flight
• Establishes derived safety requirements needed to
  limit the function failure effects that affect
  the failure condition classification

18
Functional Hazard Assessment (FHA)

• The FHA considered functions at two levels
• The Vehicle level
• Overall Aircraft was examined and top level
  functions were considered
• The System level
• The system that was investigated further was the
  power plant (engine)
• For the system FHA, failure conditions were
  looked at from the perspective of
• Human Failures
• Hardware Failures
• Software Failures
• Interaction with other systems

19
Functional Hazard Assessment (FHA)

• Functional Failure Conditions for the function
  Control Power
• Loss of fuel flow control
• Inability to govern rotor speed
• Inability to limit engine torque
• Inability to limit engine temperature
• Inability to govern engine NP NG speed
• Inability to monitor faults

20
Functional Hazard Assessment (FHA)

• Environmental and Emergency Configurations and
  Conditions
• Engine Inlet Icing
• Snow/Water Ingestion
• Dust/Sand/Volcanic Ash Ingestion
• Salt Water Ingestion
• High Density Altitude/Hot Ambient Temp.
• Electrical Failure
• Fuel Line Failure

21
Functional Hazard Assessment (FHA)
Aircraft Functions
22
Functional Hazard Assessment (FHA)
Aircraft FHA
23
Functional Hazard Assessment (FHA)
System (Engine) FHA - Hardware
24
Functional Hazard Assessment (FHA)
System (Engine) FHA - Software
25
Functional Hazard Assessment (FHA)
System (Engine) FHA Human Interaction
26
PSSA Inputs
The following set of safety (availability,
integrity, installation) requirements were
derived from the aircraft and system FHAs and
Common Cause Analysis based on an average flight
duration of 3.5 hours.  
27
PSSA Inputs
HARDWARE BASED
SAFETY REQUIREMENTS   L 1. Loss of all
engine power (engine out) during takeoff or
landing shall be less than 3.5E-9 per flight
   2. Occurrence of engine compressor stall
during takeoff or cruise shall be less than
3.5E-7 per flight 3. Occurrence of
engine deflagration shall be less than 3.5E-9 per
flight. 4. Engine under-speed during
takeoff and landing shall be less than 3.5E-9 per
flight and during cruise shall be less than
3.5E-7 per flight.     5. Engine fire
during all phases of flight shall be less than
3.5E-7 per flight and during cruise shall be
less than 3.5E-9 per flight.     6. FADEC
Failure during cruise shall be less than 3.5E-7
per flight. During takeoff and landing FADEC
failure shall be less than 3.5E-9 per
flight.      7. FADEC fixed during cruise
shall be less than 3.5E-7 per flight. During
takeoff and landing FADEC fixed shall be less
than 3.5E-9 per flight.      8. Fuel filter
clogged/bypass during flight shall be less than
3.5E-7 per flight.     9. Loss of fuel flow
to the engine during flight shall be less than
3.5E-9 per flight.
28
PSSA Inputs
SOFTWARE BASED SAFETY REQUIREMENTS

• 1. FADEC AUTO mode failure during takeoff and
  landing shall be less
• than 3.5 E-9 and during cruise shall be 3.5
  E-7.
• 2. Failure to switch to manual mode during
  takeoff and landing shall be
• less than 3.5E-9 and during cruise shall be 3.5
  E-7.
• 3. FADEC gives false engine out indication
  shall be less than 3.5E-9 and
• during cruise shall be 3.5E-7.
• 4. FADEC loss of automatic flameout detection
  and relight capabilities
• during takeoff and landing shall be less than
  3.5E-9 and during cruise
• shall be 3.5E-7.
• 5. Loss of fault monitoring during flight shall
  be less than 3.5E-7.

29
PSSA Inputs

• HUMAN BASED SAFETY REQUIREMENTS
•  
• 1. Failure to pre-flight shall be less than
  3.5E-7 per flight.
• Failure to properly react to loss of engine power
  during takeoff and landing shall be less than
  3.5E-9 per flight and during cruise shall be less
  than 3.5E-7 per flight.
• Failure to properly react to engine under-speed
  during takeoff and landing shall be less than
  3.5E-9 per flight and during cruise shall be less
  than 3.5E-7 per flight.
• Failure to properly react to engine fire during
  taxi and cruise shall be less than 3.5E-7 per
  flight and during takeoff and landing shall be
  less than 3.5E-9 per flight.
• Failure to properly react to FADEC failure during
  takeoff and landing shall be less than 3.5E-9 per
  flight and during cruise shall be less than
  3.5E-7 per flight.

30
PSSA Inputs

• HUMAN BASED SAFETY REQUIREMENTS (CONTD)
• 6. Failure to properly react to false engine
  out warning during takeoff, cruise, and landing
  shall be less than 3.5E-7 per flight.
• 7. Failure to properly react to engine fire
  during taxi and cruise shall be less than 3.5E-7
  per flight and during takeoff and landing shall
  be less than 3.5E-9 per flight.
• 8. Failure to properly react to FADEC
  failure during takeoff and landing shall be less
  than 3.5E-9 per flight and during cruise shall be
  less than 3.5E-7 per flight.
• 9. Failure to properly react to false engine
  out warning during takeoff, cruise, and landing
  shall be less than 3.5E-7 per flight.
• 10. Failure to observe engine instruments
  during landing shall be less than 3.5E-7 per
  flight.
•  

31
PSSA Inputs
HUMAN BASED SAFETY REQUIREMENTS (CONTD)

•  
• Failure to notice sensory indications during
  takeoff shall be less than 3.5E-7 per flight.
• 12.  Failure to properly manage fuel during
  takeoff and landing shall be less than 3.5E-9.
• 13. Failure of maintenance personnel to
  reconnect fittings shall be less than 3.5E-9.
•  14. Failure to properly perform maintenance
  inspections or services shall be less than
  3.5E-9.
•  15. Failure to properly latch cowlings shall be
  less than 3.5E-9 per flight.

32
Safety Reqts / Design Decisions
   
33
Safety Reqts / Design Decisions
34
Dependence Diagrams
FUEL SYSTEM
FUEL FILTER
FUEL GOVERNOR
COMPRESSOR
ENGINE DRIVEN FUEL PUMP
AIR INLET
FUEL TANK
FUEL LINE
FUEL BOOST PUMP
PILOT CONTROLS FUEL FLOW
FUEL FILTER BYPASS
FADEC ALLEVIATES STALL CONDITION
PILOT PERFOMS AUTO- ROTATION
35
Dependence Diagrams
FADEC SYSTEM
FADEC SENSOR INPUTS
NP
NG
FADEC CONTROLS FUEL FLOW
FADEC GIVES PROPER INDICATION TO PILOT
AIRCRAFT ELECTRICAL POWER
ROTOR RPM
COLLECT POS
FADEC SOLENOID
FADEC SWITCH
AMBIENT CONDITIONS
PILOTGIVES PROPER RESPONSE TO INDICATION
MANUAL MODE (PILOT CONTROLS)
PERMANENT MAGNETIC ALTERNATOR
CIT
ENGINE TORQUE
ARINC INTERFACE
36
Dependence Diagrams
HUMAN INTERACTION
Reconnect Fittings
Performs Inspections
Latch Cowlings
Clean Up Tools
PILOT CONDUCTS PRE-FLIGHT INSPECTIONS
MAINT PERSONNEL TAKE OIL SAMPLES
MAINT PERSONNEL FLUSH ENGINE
MAINT PERSONNEL CALIBRATE TOOLS
PILOT CONDUCTS POST-FLIGHT INSPECTIONS
37
Fault Tree AnalysisAircraft Level

• FTA developed for catastrophic failures
  identified in FHA

Engine Failure selected for system level analysis
38
Fault Tree Analysis System Level Engine Out
39
Markov Analysis

• Introduction
• Markov analysis looks at a sequence of events,
  and analyzes the tendency of one event to be
  followed by another
• Markov analysis provides a means of analyzing the
  reliability and availability of systems whose
  components exhibit strong dependencies
• Typical dependencies that Markov models can
  handle
• Components in cold or warm standby
• Common maintenance personnel
• Common spares with a limited on-site stock

40
Markov Analysis

• Parallel Repairable System

41
MA Vs. FTA
Markov Analysis

• Large System
• Independent Events
• Constant Failure Rate
• l10-6
• Repairable Sys. ?
• Non-repairable Sys. v

• Small System
• Dependent Events
• Inconstant Failure Rate
• l(1-C)m
• Repairable Sys. v
• Non-repairable Sys. v

42
Markov Analysis

• FADEC Fail
• ECU
• PMA
• HMU
• Other Components
  System FHA
• Personnel Leave Tools In Engine Compartment
• Maintenance personnel
• realize the tool
• Pilot realize the tool

System FHA
43
Markov Analysis
FADEC Fail

• FADEC System
• Level 1- Total FADEC Fail

?f FADEC Failure Rate ?f FADEC Repair Rate 1
Optional 0 Failed
FADEC Failure due to ECU
44
Markov Analysis
FADEC Fail

• Level 2- FADEC Automatic Mode Fail

• - Loss of ECU
• - Loss of HMU
• - Loss of PMA
• ? - Loss of Other components

????
E,H,P,O
FADEC Automatic Mode Failure
45
Markov Analysis
FADEC Fail

• Level 3- Loss of ECU ability to command FADEC

? Loss of one ECU ? ECU Repair Rate ?c
Loss of aircraft electrical to both ECUs ?c
Electrical Recovery Rate 1 Optional 0 Failed
46
Markov Analysis
Human Reliability

• Personnel Leave Tools In Engine Compartment

?1 Maintenance personnel does not recover the
tools ?2 Pilot does not recover the tools ?c
Recovery Rate (0) 1 Optional 0 Failed
47
Markov Analysis
Results

• FADEC Fail
• Non-repairable Condition
• Repairable Condition
• Human Reliability

48
PRISM Reliability

• Reliability Goal MTBF 80 hrs
• Allows some comparison between PAV and
  automobiles
• Feasible given the new technologies and the
  conservative PGE estimate
• Best available MTBF 103 hrs
• The only way to test the goal is to run a Monte
  Carlo simulation
• PRISM Pareto Charts indicate all sub-systems are
  significant.

49
PRISM Reliability
50
Monte Carlo Simulation

• Assume all input variables (sub-systems) have a
  Weibull distribution, based upon a minimum
  failure rate, most likely, and a maximum
  failure rate.
• Run a simulation of 5,000 iterations to generate
  a frequency and probability distribution.
• Repeat the simulation 200 times and record the
  variability

51
Monte Carlo Results
MTBF Normally Distributed Mean 76.65 Std Dev
3.25 95 CI (70.28, 83.01) P(MTBF lt 80)
0.8487 P(MTBF 80) 0.0722
52
Bootstrap Results

• Repeated simulation 200 times
• Summary Statistics for MTBF

53
Monte Carlo Conclusions

• May not be able to achieve a MTBF of 80, but
  can achieve one above 70, which is a vast
  improvement over current rotary wing platforms.

54
Certification Process

• Supplemental Type Certificate (STC) Application
• Systems requiring certification
• Rotor
• Hub assembly
• Blade and flexure assembly
• Engine
• Applicable FAR Parts
• 27 Normal Category Rotorcraft
• 21 Products and Parts
• 33 Aircraft Engines
• 36 Aircraft Noise

DERs (FAA Order 8110.37A)
Structural Engineering DER
Powerplant / Engine DER
Systems and Equipment DER
Rotor DER
Flight Analyst DER
Flight Test Pilot DER
Acoustical DER
55
Certification Process

• DER Checklists
• Requirements by phase
• Design
• Analysis
• Testing
• Other
• Time and cost saved in upgrade

56
Conclusion

• Pegasus Disruptive Technology