TREINAMENTO COMPLEMENTAR DE RCE

1
TREINAMENTO COMPLEMENTAR DE RCE
PROCESSO DE SYSTEM SAFETY ASSESSMENT
26 DE OUTUBRO DE 2004
2
OBJETIVO
Tecer comentários sobre o Processo de Avaliação
de Segurança de Sistemas na Certificação de
Aeronaves de Transporte. (Enfoque da Autoridade
Certificadora).
3
OBJETIVO
DEIXAR A SEGUINTE MENSAGEM
A AUTORIDADE CERTIFICADORA DEVE ENTENDER
SEGURANÇA DE SISTEMA COMO UM ASSUNTO MUITO MAIS
VASTO DO QUE O CUMPRIMENTO DE REQUISITOS.
O APOIO CADA VEZ MAIOR DO RCE É FUNDAMENTAL
4
COMO GARANTIR A SEGURANÇA?
1. COMPROMETIMENTO GERENCIAL ?
2. AUMENTO DA CONFIABILIDADE?
3. REQUISITOS DE CERTIFICAÇÃO MAIS SEVEROS?
4. MELHOR CONTROLE DA QUALIDADE?
5. IDENTIFICAÇÃO DOS RISCOS?
5
NÃO SE TRATA DE UMA AULA, MAS DE UMA TROCA DE
IDÉIAS. COMENTÁRIOS SÃO MUITO BEM VINDOS.
6
COMO GARANTIR A SEGURANÇA?
AVALIAÇÃO DE SEGURANÇA DE SISTEMAS
GERENCIAMENTO DE SEGURANÇA DE SISTEMAS
PROGRAMA DE SEGURANÇA DE SISTEMAS
DEVELOPMENT ASSURANCE
7
OVERVIEW
1 CONSIDERAÇÕES GERAIS
2 SYSTEM SAFETY ASSESSEMENT
3 ONGOING SAFETY ASSESSMENT
4 OBJETIVOS DE SEGURANÇA
5 ENGENHARIA DE CONFIABILIDADE
6 SSA UMA NOVA ABORDAGEM
7 ARP 4754
8 RISCO ESPECÍFICO
8
REFERÊNCIAS
1 ARP 4761 Guidelines and Methods for Conducting
the Safety Assessment Process on Civil Airborne
Systems and Equipment
2 ARP 4754 Certification Considerations for
Highly-Integrated or Complex Aircraft Systems
3 ARP 5150 Safety Assessment of Transport in
Commercial Service
4 RTCA/DO-178 Software Considerations in Airborne
Systems and Equipment Certification,
5 RTCA/DO-254 Design Assurance Guidance for
Airborne Electronic Hardware
6 BASE DE CERTIFICAÇÃO ERJ 170/190
9
Considerações Gerais
10
COMO GARANTIR A SEGURANÇA?
SISTEMA
É um agregado de organizações, pessoas,
infraestrutura, equipamentos, procedimentos,
regras e informações usadas para garantir o
produto ou serviço cumpram a função esperada
11
COMO GARANTIR A SEGURANÇA?
SEGURANÇA
12
COMO GARANTIR A SEGURANÇA?
SEGURANÇA DE SISTEMAS
The application of engineering and management
principles, criteria, and techniques to optimize
all aspects of safety within the constraints of
operational effectiveness, time, and cost
throughout all phases of the system life cycle.
(MIL-STD-882C STANDARD PRACTICE FOR SYSTEM SAFETY
3.2.18).
13
COMO GARANTIR A SEGURANÇA?
ENGENHARIA DE SEGURANÇA DE SISTEMAS
An engineering discipline requiring specialized
professional knowledge and skills applying
scientific and engineering principles, criteria,
and techniques to identify and eliminate hazards,
in order to reduced the associated risk.
(MIL-STD-882C, 3.2.20).
14
COMO GARANTIR A SEGURANÇA?
GERENCIAMENTO DE SEGURANÇA DE SISTEMAS
An management discipline that defines the system
safety program requirements and ensures the
planning, implementation, and accomplishment of
system safety tasks and activities consistent
with the overall program requirements.
(MIL-STD-882C, 3.2.22).
15
COMO GARANTIR A SEGURANÇA?
PROGRAMA DE SEGURANÇA DE SISTEMAS
The combined tasks and activities of system
safety management and system safety engineering
implemented by acquisition project managers.
(MIL-STD-882C, 3.2.24).
16
COMO GARANTIR A SEGURANÇA?
SYSTEM SAFETY MANAGEMENT
DECISION MAKING PROCESS
How much does it cost ?
Is it safe ?
17
COMO GARANTIR A SEGURANÇA?
SEGURANÇA DE SISTEMAS
PRODUTO e seu CICLO DE VIDA
A ORGANIZAÇÃO
18
GERENCIAMENTO DA SEGURANÇA (Safety Management)
The goals of system safety can be achieved only
with the support of management A sincere
commitment to safety by management is perhaps the
most important factor in achieving it.
An Air Force study of system safety concluded
Air Force top management support of system
safety has not gone unnoticed by contractors (...)
IMPORTÂNCIA DA SEGURANÇA DE SISTEMAS
An example of how this results was accomplished
was the B-1B program, in which the Program
Manager or Deputy Manager chaired the meetings of
the group where safety decisions were made.
19
GERENCIAMENTO DA SEGURANÇA (Safety Management)
SEGURANÇA DE SISTEMAS E SEU POSICIONAMENTO NA
ESTRUTURA ORGANIZACIONAL
Link direto com os tomadores de decisão
Independência de outras disciplinas suportes como
Reliability e Quality Assurance
Canais de Comunicação Direta com a maioria das
partes da organização.
Deve ter Influência na tomada de decisões
Deve ter foco e coordenação
20
GERENCIAMENTO DA SEGURANÇA (Safety Management)
System safety needs direct communication paths to
most parts of the organization
21
MISSION
22
SYSTEM SAFETY ASSESSMENT
23
SYSTEM SAFETY ASSESSMENT PROCESS
The complete process applied during the design of
the system to establish safety objectives and to
demonstrate compliance with RBHA/FAR/JAA 25.1309
and other safety related requirement. (ARP 4761)
1. SAFETY OBJECTIVES
2. SHOW COMPLIANCE WITH
3. SAFETY RELATED REQUIREMENTS
24
THE SSA PROCESS IN A NUTSHELL
CRITICALITY VALIDATION
FFS, A/C, SITS, FTs Performance Flight
Dynamics Analysis
Cert. Plan and CCD (requirements)
FHA
Aircraft Systems Software and Complex
hardware Hirf/Lightning
CASCADE FAILURE PROPAGATION (CMA)
HIRF/Lightning Certif. Process
Analysis and Testing (actual A/C, Iron
Bird, SITS, Electric Rig)
SA
Aircraft Systems (including Flight Controls and
propulsion Dormant faults (1309 9.c.(6), Plt10E-3
for flight controls)
SW/ Complex HW Certif. Process
25
SYSTEM SAFETY ASSESSMENT
A saída do FHA é usado como ponto de partida para
conduzir a PSSA
26
SYSTEM SAFETY ASSESSMENT
27
FHA
28
SYSTEM SAFETY ASSESSMENT
Aircraft FHA
Loss of deceleration capability
Top-down
CONCEPT AND ARCHITECTURE
Aircraft FTA
Loss of deceleration capability
Loss of thrust reverser
Loss of effective wheel braking
Loss of speed brakes in wet runway
Loss of wheel braking
Relationship between FHA, FTA and FMEA
29
SYSTEM SAFETY ASSESSMENT
30
SYSTEM SAFETY ASSESSMENT
System FHAs
Ldg gear
Hydraulic
Electric
Braking
PRELIMINARY DESIGN
Top-down
LOSS OF WHEEL BRAKING
System PFTAs
Electric
Hydraulic
Braking system
Loss of wheel braking
Loss of normal braking
Loss of normal braking
Loss of alternate braking
31
SYSTEM SAFETY ASSESSMENT
DETAILED DESIGN
CONCEPT AND ARCHITECTURE
PRELIMINARY DESIGN
quantitative
quantitative
System FHAs
Component FMEAs
Aircraft FHA
Accumulator
Ldg gear
Brake metering valve
Loss of deceleration capability
Pneumatic
Anti-skid computer
Bottom-up
Top-down
Brake control valve
Electric
Top-down
Hydraulic
Braking
LOSS OF WHEEL BRAKING
Aircraft FTA
System PFTAs
Loss of deceleration capability
Systems FMEAs
Electric
Pneumatic
Hydraulic
Electric
Braking system
Hydraulic
Loss of wheel braking
Loss of thrust reverser
Loss of effective wheel braking
Braking
Loss of normal braking
Loss of alternate braking
Loss of normal braking
Loss of wheel braking
Loss of speed brakes in wet runway
Final SSA FTAs
Closes the loop
Loss of wheel braking
Relationship between FHA, FTA and FMEA
Loss of normal braking
Loss of alternate braking
Loss of normal braking
32
SYSTEM SAFETY ASSESSMENT
Design process
System concept
33
SYSTEM SAFETY ASSESSMENT
34
FAULT TREE ANALYSIS

• Método amplamente usado na indústria
  aeroespacial, eletrônica e nuclear.

• Originalmente desenvolvido em 1961 para
  avaliar o Minuteman Launch Control System.

• Os top event considerados eram três
• Ignição acidental do motor e
• Falha no lançamento.
• Lançamento inadvertido (inesperado),

35
ARP 4761 GUIDANCE AND METHODS FOR CONDUCTING THE
SAFETY ASSESSMENT PROCESS ON CIVIL, AIRBORNE
SYSTEMS AND EQUIPMENT SYSTEMS
Métodos de Análise usados em SSA

• Fault Tree Analysis/Dependence Diagrams/Markov
  Analysis (FT/DD/MA)

• Failure Mode and Effect Analysis (FMEA)

• Failure Mode and Effect Sudmmary (FMES)

• Common Cause Analysis (CCA)

Zonal Safety Analysis (ZSA) Particular Risk
Analysis (PRA) Common Mode Analysis (CMA)
36
FAULT TREE ANALYSIS
TOP EVENT (T) no flow of water to reactor
37
FAULT TREE ANALYSIS
TOP EVENT (T) no flow of water to reactor
C valve V fails closed A pump 1 fails to
run B pump 2 fails to run
38
FAULT TREE ANALYSIS
TOP EVENT (T) no flow of water to reactor
C valve V fails closed A pump 1 fails to
run B pump 2 fails to run
A menor combinação de falhas que, se ocorrerem,
farão o evento topo ocorrer.
39
ONGOING SAFETY ASSESSMENT
40
COMO GARANTIR A SEGURANÇA ?
PROJETO ?FABRICAÇÃO ? OPERAÇÃO

• MÉTODOS QUANTITATIVOS (necessários para Condições
  de Falha Hazardous e Catastróficas).

ARP 4761
Análise de Árvores de Falha (FTA) Diagramas de
Dependência (DD) Análise de Markov (MA) (Não
estudada neste curso) Análise de Modos de Falha
e Efeitos (FMEA)
Esta publicação não cobre aspectos importantes da
Engenharia de Confiabilidade, como, por exemplo,
Modelamento e Previsão de Confiabilidade
(Reliability Prediction).
41
COMO GARANTIR A SEGURANÇA ?
PROJETO ?FABRICAÇÃO ? OPERAÇÃO
Controle da Qualidade
Teoria da Amostragem, Estatística
42
COMO GARANTIR A SEGURANÇA ?
PROJETO ?FABRICAÇÃO ? OPERAÇÃO
Teoria de Man(u)tenabilidade e Disponibilidade In
corporação de Requisitos de Manutenção no Projeto
ARP 5150 Safety Assessment of Transport
Airplanes in Commercial Service
43
COMO GARANTIR A SEGURANÇA ?
PROJETO ?FABRICAÇÃO ? OPERAÇÃO
ARP 5150 Safety Assessment of Transport
Airplanes in Commercial Service
Guidelines, methods and tools used to perform the
ongoing safety assessment process, intended to
support an overall safety management program.
Addresses the Is it safe part of a safety
management
Provides a systematic process to measure and
monitor safety to help determine safety
priorities and focus available resources in areas
tha offer the greatest potential to improve
avaition safety.
Compendium of best safety practices gathered
togheter as reference
44
COMO GARANTIR A SEGURANÇA ?
PROJETO ?FABRICAÇÃO ? OPERAÇÃO
ONGOING SAFETY ASSESSMENT PROCESS
Safety Assessment is the monitoring,
identification, assessment and prioritization
according to hazard level and probability of
occurrence of risks associated with operations in
a company. A process dedicated to assuring that
risk is identified and managed properly within
established limits a process of identifying, and
estimating, and prioritizing each risk
assessment of accident and injury, and
determining if action should be considered.
45
ONGOING SAFETY ASSESSMENT PROCESS
46
ONGOING SAFETY ASSESSMENT PROCESS
Appendix A Safety Significant Event Reference
Lists Appendix C Qualitative Risk
Assessment Appendix D Quantitative Risk
Assessment Appendix E Root Cause (Event Tree)
Analysis Appendix F Weibull Analysis Appendix G
Monte Carlo Analysis Appendix H Relaibility
Growth Modeling Appendix N Hazard Tracking
Appendix O Lessons Learned
Appendix K Operator Service Bulletin
Process Appendix L Manufacturer Service Bulletin
Process Appendix M Airworthiness Directive
Development Process
Appendix B Data Sources and Programs Appendix
I Flight Perational Quality Assurance
(FOQA) Appendix J Maintenance Error Decision Aid
(MEDA)
47
MÉTODOS QUANTITATIVOS
When conducting quantitative FT/DD/MA, the
probabilities are estimated from the failure
rates, and exposure times of the events.
Probability calculations for civil aircraft
certifications are based on the probabilities
calculated for all the aircraft of the same type.
For the purpose of these analysis, the failure
rates are usually assumed to be constant over
time and are estimates of mature failure rats
after infant mortality and prior to wear-out. If
wear-out or infant mortality is to a
consideration then other methods would need to be
employed, for example life limitations or
enhanced burn-in. Failing that, other
distributions (e.g. Weibull) have to be applied
or Monte Carlo simulation could be used. But this
is beyond the scope of this document. The
analysis should calculate average probability of
occurrence per flight hour for the failure
condition assuming a typical flight of average
duration and considering the appropriate exposure
and at risk times (ARP 4761).
48
Distribuição Weibull
49
Linkage BETWEEN SYSTEM SAFETY ASSESSMENT AND ICA
During the safety assessment process associated
with  25.1309 compliance, useful information or
instructions associated with the continued
airworthiness of the airplane might be
identified. This information should be made
available to those compiling the Instructions for
Continued Airworthiness covered by  25.1529
VAI 11.1 EMB-190 SSA-ICA Process
50
Objetivos de Segurança
51
COMO GARANTIR A SEGURANÇA ?
HOW SAFE IS SAFE ENOUGH?
Após o acidente em Three Mile Island o NRC
(Nuclear Regulatory Comission), estabeleceu metas
qualitativas e quantitativas de segurança.
Por exemplo
The likelihood of a nuclear reactor accident
that results in a large-scale core melt should
normally be less than one in 10,000 per year of
reactor operation.
The risk to the population near a nuclear power
plant of cancer fatalities that might result from
nuclear power plant operation should not exceed
one tenth of one percent (0.1 ) of the sum of
cancer fatality risks resulting from all other
causes.
52
COMO AUMENTAR A SEGURANÇA ?
HOW SAFE IS SAFE ENOUGH?
On 17 July 1996 a Trans World Airlines Boeing
747, registered N93119 departed New York-JFK for
a flight (TWA 800) to Paris. About 12 minutes
after takeoff, while climbing through 13700ft, an
explosion occurred and the aircraft broke up.
Flaming debris fell into the sea. All 229
occupants were killed.
Em decorrência

• Estabelecida a White House Commission on Aviation
  Safety and Security (Gore Commission).
  Juntamente com a National Civil Aviation Review
  Comission (1997) pediram
• Uma redução dos acidentes fatais em aeronaves
  comercias em 80 em 10 anos (até 2007).
• Uma redução de 10 vezes a taxa de acidentes, em
  20 anos.

O FAA e os fabricantes formaram o Commercial
Aviation Safety Team (CAST).
53
COMO GARANTIR A SEGURANÇA?
AVALIAÇÃO DE RISCOS
MATRIZ DE RISCO ? ÍNDICES DE RISCO
P probabilidade D dano
54
HAZARD SEVERITY CATEGORIES
DESCRIPTION
CATEGORY
DEFINITION
55
HAZARD PROBABILITY LEVELS
DESCRIPTION
LEVEL
SPECIFIC INDIVIDUAL ITEM
FLEET OR INVENTORY
56
1A
2A
3A
4A
1A
2A
3A
4A
1B
2B
3B
4B
1C
2C
3C
2D
1D
3D
3E
2E
1E
57
1
3
7
13
13
7
3
1
16
5
2
9
4
6
11
10
8
14
17
15
12
58
ARP 5151 SAFETY ASSESSMENT OF GENERAL AVIATION
AIRPLANES ROTORCRAFT IN COMMERCIAL SERVICE
The Ongoing Safety Assessment Process.
SAE S-18 GAR Subcommittee
General Aviation airplanes and Rotorcraft (GAR)
59
COMO GARANTIR A SEGURANÇA?
GERENCIAMENTO DE RISCOS

• Programa ? Fases
• Etapas do Processo de Gestão
• 1. Primeira Fase
• ETAPA 1 Define os requisitos para a
  implementação do gerenciamento.

• 2. Todas as Fases (seqüencialmente)
• ETAPA 2 Identificação e Avaliação dos Riscos
• ETAPA 3 Decisão e Ação (Analisar a
  aceitabilidade dos riscos e as opções de redução)
• ETAPA 4 Controle, comunicação e aceitação de
  riscos.

60
HAZARD SEVERITY
DESCRIPTION
CATEGORY
DEFINITION
61
HAZARD PROBABILITY LEVELS
DESCRIPTION
LEVEL
FLEET OR INVENTORY
FREQUENT
A
Continuously experienced
PROBABLE
B
Will occur frequently
OCCASIONAL
C
Will occur several times
REMOTE
D
Unlikely but can reasonably be expected to occur
IMPROBABLE
E
Unlikely to occur, but possible
62
Extremaly High
Extremaly High
High
Medium
Extremaly High
High
Medium
High
High
Medium
Medium
Medium
Medium
Low
Low
Low
63

• 25.1309   Equipment, systems, and installations.
• The equipment, systems, and installations whose
  functioning is required by this subchapter, must
  be designed to ensure that they perform their
  intended functions under any foreseeable
  operating condition.
• The airplane systems and associated components,
  considered separately and in relation to other
  systems, must be designed so that
• (1) The occurrence of any failure condition which
  would prevent the continued safe flight and
  landing of the airplane is extremely improbable,
  and
• (2) The occurrence of any other failure
  conditions which would reduce the capability of
  the airplane or the ability of the crew to cope
  with adverse operating conditions is improbable.

64
FAILURE CONDITION (SEVERITY) CLASSIFICATIONS
(1) No Safety Effect Failure Conditions that
would have no effect on safety for example,
Failure Conditions that would not affect the
operational capability of the airplane or
increase crew workload life of each airplane.
(2) Minor Failure Conditions which would not
significantly reduce airplane safety, and which
involve crew actions that are well within their
capabilities. Minor Failure Conditions may
include, for example, a slight reduction in
safety margins or functional capabilities, a
slight increase in work load, such as routine
flight plan changes, or some physical discomfort
to passengers or cabin crew.
(3) Major Failure Conditions which would reduce
airplane the capability of the airplane or the
ability of the crew to cope with adverse
operating conditions to the extent that there
would be, for a significant reduction in safety
margins or functional capabilities, a significant
increase in work load or in conditions impairing
crew efficiency, or discomfort to the flight
crew, or physical distress to passengers or cabin
crew, possibly including injuries.
65

• 25.1309   Equipment, systems, and installations
  (HARMONIZED)
• (b) The airplane systems and associated
  components, considered separately and in relation
  to other systems, must be designed and installed
  so that
• (1) Each catastrophic failure condition
• (i) is extremely improbable and
• (ii) does not result from a single failure
  and
• (2) Each hazardous failure condition is
  extremely remote and
• (3) Each major failure condition is remote.

66
FAILURE CONDITION (SEVERITY) CLASSIFICATIONS

• HAZARDOUS Failure Conditions which would reduce
  airplane the capability of the airplane or the
  ability of the crew to cope with adverse
  operating conditions to the extent that there
  would be
• A large reduction in safety margins or functional
  capabilities
• Physical distress or excessive workload such that
  the flight crew cannot be relied upon to perform
  their tasks accurately or completely or
• Serious or fatal injury to a relatively small
  number of the occupants other than the flight
  crew.

• CATASTROPHIC Failure Conditions which would
  result in multiple fatalities, usually with the
  loss of airplane cabin crew.
• (would prevent continued safe flight and
  landing).

67
SAFETY OBJECTIVES
(1) Probable Failure Conditions are those
anticipated to occur one or more times during the
entire operational life of each airplane.
(2) Remote Failure Conditions are those unlikely
to occur to each airplane during its total life,
but which may occur several times when
considering the total operational life of a
number of airplanes of the type.
(3) Extremely Remote Failure Conditions are
those not anticipated to occur to each airplane
during its total life but which may occur a few
times when considering the total operational life
of all airplanes of the type.
(4) Extremely Improbable Failure Conditions are
those so unlikely that they are not anticipated
to occur during the entire operational life of
all airplanes of one type.
68
HAZARD SEVERITY CATEGORIES
CATASTROPHIC
HAZARDOUS
MAJOR
MINOR
NO SAFETY EFFECT
1A
2A
3A
4A
1A
2A
3A
4A
4A
NO PROBAILITY REQUIREMENT
1B
2B
3B
4B
1B
2B
3B
4B
PROBABLE
1C
2C
3C
4C
1C
2C
4C
REMOTE
1D
2D
3D
4D
1D
4D
EXTREMELY REMOTE
FREQUENCY OF OCCURANCE
1E
2E
3E
4E
4E
EXTREMELY IMPROBABLE
69
Causas primárias de acidentes
Frota de jatos comerciais 1994-2004
Fonte Boeing
70
SAFETY OBJECTIVES
1/106 horas de vôo
ACIDENTES SÉRIOS
10 CAUSADOS POR SISTEMAS
1/107 horas de vôo
100 Condições de falha potencialmente
CATASTRÓFICAS
1/109 horas de vôo
AVERAGE Probability per Flight Hour for
Catastrophic Conditions would be 1?10-9
lt10-9
71
SAFETY OBJECTIVES
(1) Probable Failure Conditions are those
anticipated to occur one or more times during the
entire operational life of each airplane.
lt10-3
(2) Remote Failure Conditions are those unlikely
to occur to each airplane during its total life,
but which may occur several times when
considering the total operational life of a
number of airplanes of the type.
lt10-5
(3) Extremely Remote Failure Conditions are
those not anticipated to occur to each airplane
during its total life but which may occur a few
times when considering the total operational life
of all airplanes of the type.
lt10-7
(4) Extremely Improbable Failure Conditions are
those so unlikely that they are not anticipated
to occur during the entire operational life of
all airplanes of one type.
lt10-9
72
lt10-3
lt10-5
lt10-7
lt10-9
73
ENGENHARIA DE CONFIABILIDADE
74
DEFINIÇÃO DE CONFIABILIDADE
É a probabilidade de que um produto ou serviço
opere como esperado por um período de tempo
especificado (design life) nas condições de
operação previstas em projeto.
Portanto confiabilidade é a operação sem falhas
em condições de operação especificadas, por um
período especificado.
75
APROXIMAÇÃO p/ EVENTO RARO
76
MODELAMENTO DA CONFIABILIDADE 1
Components and Failure Rates of the Tape
Component Function Failure Rate
1 Feed-spool, advances the tape 0.0003
2 Take-up spool, guides the tape 0.0002
3 Erase head, erases the contents of the tape 0.0005
4 Record/Replay head, transforms magnetized 0.0008
5 Pressure pad, supports tape 0.0001
6 Pinch wheel, provides tension in tape 0.00025
7 Capstan, ensures flatness of tape 0.0002
Components of a Tape Cassette
77
SISTEMA EM SÉRIE
Exemplo de um Diagrama de Blocos de
Confiabilidade (RELIABILITY BLOCK DIAGRAMS)
78
Modelamento de Telecomunicação para ATCS
Automatic Dependence Surveillance
AES Aeronautical earth station
GES Ground earth station
ARTCC Air Route traffic control center
Proposed Oceanic Operating Environment (ADS)
79
Modelamento de Telecomunicação para ATCS
CMU Control Module Unit
SDU Satellite Data Unit
RFU Radio Frequency Unit
Figura 5 Possible AES Avionics Configuration
80
Modelamento de Telecomunicação para ATCS
Figura 6 Reliability Block Diagram for the AES
Avionics
81
Modelamento de Telecomunicação para ATCS
Table Failure Data of the Systems Components
Component/Subsystem Failure Rate (Failures/Hr)
Satellite data units (SDU) 2.5 X 10 6
Communication management unit (CMU) 1.42 X 10 6
Radio frequency unit (RFU) 0.8 X 10 6
Aeronautical telecomunications network (ATN) 1.75 X 10 4
Air router traffic services (ATS) 2.85 X 10 4
Automatic dependent surveillance unit (ADSU) 5 X 10 4
Splitter 3 X 10 6
Combiner 5 X 10 6
High-power antenna (HPA) 6 X 10 5
High-power relay (HPR) 4 X 10 6
High-gain antenna (HGA) 4 X 10 5
Low-gain antenna (LGA) 3.5 X 10 5
Low-noise antenna (LNA) 2 X 10 5
Beam steering unit (BSU) 8.7 X 10 6
82
Automatic Dependence Surveillance
CONCLUSÕES

1. Necessidade de reprojetar a maioria dos
   componentes da aeronautical earth station para
   reduzir sua taxa de falhas.

2) Os componentes da air route traffic control
center pedem mudanças de projeto ou redundância
para alguns componentes ou links.
3) A confiabilidade da ground earth station
excede os requisitos mínimos do sistema.
4) As técnicas de modelamento e estimativa de
confiabilidade podem ser ferramentas de projeto
efetivas para configurações complexas.
83
MODELAMENTO DE SISTEMAS
84
DETERMINAÇÃO DAS TAXAS DE FALHA
Previsões de Confiabilidade (Reliability
Predictions)

• Comumente usadas no desenvolvimento de produtos
  e sistemas.

• Comparação de abordagens de projeto alternativos

• Avaliação do progresso em direção as
  especificações de confiabilidade.

• Fornecem insight em custos de segurança,
  manutenção e garantia.

Criticadas por não serem estimativas precisas da
taxa de falha real (aproximações sem base
científica).
85
DETERMINAÇÃO DAS TAXAS DE FALHA
ERROS SÃO CONSERVATIVOS
Jensen "Electronic Component Reliability,
Fundamental, Modeling, Evaluation, and
Assurance", 2nd Edition John Wiley Sons 1985.
86
DETERMINAÇÃO DAS TAXAS DE FALHA

• Exemplo de discrepâncias nas estimativas de taxas
  de falhas

Table 1 Predicted values of 64K DRAM hazard rate
in FITs (1994)
The British Telecom Handbook of Reliability Data
HDR 4
87
DETERMINAÇÃO DAS TAXAS DE FALHA
MIL-HDBK-217 "Reliability Prediction of
Electronic Equipment" Apesar de não ser mantido
atualizado pelos US military, ainda é a
abordagem mais usada pelos projetistas militares
e comerciais.
Bellcore (agora Telcordia) TR-332 A abordagem
Bellcore é amplamente usada na indústria de
telecomunicações e foi recentemente atualizada
para SR-332 em maio de 2001. Muito parecida com a
MIL-HDBK-217.
RDF 2000 A mais recente e completa metodologia
européia desenvolvida pela CNET. Ainda não
recebeu muita atenção dos US mas pode evoluir
para um novo padrão mundial se a MIL-HDBK-217
continuar desatualizada. Assim como a abordagem
PRISM ela também usa modelamentp de thermal
cycling e dormant system.
88
DETERMINAÇÃO DAS TAXAS DE FALHA
PRISM - PRISM é uma nova tecnologia desenvolvida
pelo Reliability Analysis Center que tem a
capacidade de modelar os efeitos de thermal
cycling e dormancy.
Physics-of-Failure Esta família de abordagens
difere significantemente das outras metodologias
empíricas listadas acima, por buscar o mecanismo
detalhado da falha.Usado principalmente no nível
de sub-dispositivos na fase de projeto.
The IEEE Gold Book - IEEE STD 493-1997, IEEE
Recommended Practice for the Design of Reliable
Industrial and Commercial Power Systems, fornece
dados em sistemas de distribuição de potencia
comerciais.
89
DETERMINAÇÃO DAS TAXAS DE FALHA
Equipamentos mecânicos Representa um desafio em
termos de previsão de confiabilidade devido a
especificidade e variedade dos componentes e
montagens. Estes sistemas são freqüentemente
suscetíveis a desgastes, o que normalmente não é
um problema em eletrônica.
NPRD-95 - The Nonelectronic Parts Reliability
Data (NPRD-95) databook é amplamente utilizado. È
publicado pelo Reliability Analysis Center e
fornece um compêndio de histórico de taxas de
falha em serviço para uma vasta gama de montagens
mecânicas.
NSWC-94/L07 - Handbook of Reliability Prediction
Procedures for Mechanical Equipment.  Este
handbook apresenta uma abordagem única para a
predição de confiabilidade de componentes
mecânicos, apresentando modelos de taxas de falha
para classes fundamentais de componentes
eletrônicos.
90
DETERMINAÇÃO DAS TAXAS DE FALHA
1) Cálculo a partir de Reliability Handbooks
FMD-97, Failure Mode/Mechanism Distributions,
1997, Reliability Analysis Center, Rome, N.Y.
OREDA Offshore Reliability Data database
2) Estimativa por meio de experiência de campo

• EXPERIÊNCIA ANTERIOR EM SITUAÇÕES SIMILARES

• Estatísticas de Itens Removidos (Fabricante,
  Operador)

3) Ensaios ad hoc em laboratório

• PLANEJAMENTO DE EXPERIMENTOS

• USO DE TÉCNICAS ESTATÍSTICAS
• Testes de aderência, testes paramétricos e
  não-paramétricos.

91
DETERMINAÇÃO DAS TAXAS DE FALHA
MIL-HDK-217
Temperature factor

• Modelos de taxas de falha para dezenove
  categorias principais de componentes eletrônicos
  usados em sistemas modernos, desde microcircuitos
  e semicondutiors discretos a componentes passivos
  (resistores e capacitores) .

Contact Construction Factor
Exemplo Diodos de Baixa Freqüência (MIL-S-19500)
Environmental Factor

• Modelos desenvolvidos pelo ajuste de curvas a
  dados de falha históricos, coletados da operação
  em campo e testes em laboratório.

Electrical Stress Factor
Quality Factor
Base Failure Rate
92
DETERMINAÇÃO DAS TAXAS DE FALHA
FALHA STRESS superior a STRENGHT
Figura Distribuição de falha de transistores
submetidos a temperaturas crescentes
93
DETERMINAÇÃO DAS TAXAS DE FALHA
Característica da população de componentes
Decorrência de projeto pobre, problemas com
fabricação e workmanship
Figura Função de Densidade de Probabilidade de
Componentes na Visão do Fabricante ou do
Usuário-Final, quando não se realizou nenhum tipo
de burn-in
94
Early failures
Main population failures
95
Burn-in Experiments
200 componentes eletrônicos
População anômala representa cerca de 10
Tempo de depuração 10 a 20 horas
Figura Weilbull plot early failures in printed
circuit boards tested at 70º C ambient
96
ENSAIOS EM LABORATÓRIO
Morte prematura representa cerca de 15
Weilbull plot early failures in printed circuit
boards under conditions of use at 25º C
97
TAXAS DE FALHA CONSTANTES
A maioria dos modelos utilizados em aviação
baseiam-se em taxa de falha constante. Isto
implica que a função de confiabilidade do sistema
não depende de sua idade.
98
CURVA DA BANHEIRA
STRESS FAILURE
QUALITY FAILURE
WEAROUT FAILURE
99
SSA UMA NOVA ABORDAGEM
100
AC/AMJ 25.1309 ARSENAL
Advisory
AdvisoryCircular

Material
Joint
101
AC/AMJ 25.1309 ARSENAL

• RELATED DOCUMENTS.
• a. Advisory Circulars, Advisory Material Joint.
• AMJ 25.1322 Alerting Systems.
• AC 25.19/AMJ 25.19 Certification Maintenance
  Requirements.
• AC 20-115B RTCA, Inc, Document DO 178B/ AMJ
  20-115B EUROCAE ED-12B.
• AC/AMJ 25-901 Safety Assessment of Powerplant
  Installations.

 
102
AC/AMJ 25.1309 ARSENAL
b. Industry documents.   (1) RTCA, Inc.,
Document No. DO-160D/EUROCAE ED14D, Environmental
Conditions and Test Procedures for Airborne
Equipment.   (2) RTCA, Inc., Document No.
RTCA/DO-178B/EUROCAE ED12B, Software
Considerations in Airborne Systems and Equipment
Certification.   (3) Society of Automotive
Engineers (SAE) Aerospace Recommended Practice
(ARP) 4754/EUROCAE ED-79, Certification
Considerations for Highly Integrated or Complex
Aircraft Systems.   (4) SAE ARP 4761, Guidelines
and Methods for Conducting the Safety Assessment
Process on Civil Airborne Systems and Equipment.
 
103
ERJ 170/190 CERTIFICATION BASIS
Embraer made an application for the ERJ-170/190
series aircraft on 20 May 1999 (Ref. Embraer
letter PCE-0809/99, dated 20 May 1999).
US FAR 25, including Amendments 25-1 through
25-98 effective on 10 March 1999, Amdt. 25-99,
25-100, 25-101, 25-102 (paragraphs 25.981(a) and
25.981(b) only, and Appendix H) 25-103, 25.104,
25-105, 25-107, except paragraph 25.735(h)
25-108, 25-109.
104
FCAR HSI-015 Equipment, Systems and Installations
EQUIVALENT LEVEL OF SAFETY (30/07/02)
STATEMENT OF ISSUE The current guidance material
for compliance with RBHA/FAR 25.1309 is not
considered to be sufficiently effective and
complete for assessing the safety aspects of
complex and highly integrated systems that
perform interrelated multi-functions
(particularly through the use of electronic
technology and software based techniques), such
as those installed in the ERJ-170 aircraft.
105
FCAR HSI-015 Equipment, Systems and Installations
DISCUSSION As a result of the FAA/JAA
Harmonization Working Groups activities, both
authorities have reached an agreement on a
revised text for the systems safety assessment
requirements, as well as, on the guidance
material related with the associated acceptable
means of compliance.
Such revisions have included new areas of concern
and related substantiation methodologies, which
were developed to cope with modern aircraft
complex systems, highly integrated, performing
multiple functions with extensive use of software
techniques. The proposed modifications of the
related requirements are presently at the final
stages of the rulemaking process by both
authorities.
106
FCAR HSI-015 Equipment, Systems and Installations
DISCUSSION (cont.) Embraer has indicated its
willingness to comply with the related parts of
those modifications, transcribed below from the
FAA draft NPRM for better understanding,
including the associated guidance material, as an
equivalent level of safety to the RBHA/FAR
25.1309 at Amendment 98 (ERJ-170 default
certification basis).
107
FCAR HSI-015 Equipment, Systems and Installations
CTA POSITION The regulatory changes foreseen by
the JAA NPA 25F-281 and FAA NPRM on sections
25.1301, 25.1309 and new 25.1310 bring a
considerable improvement for the systems,
equipment and installation requirements of the
Chapter 25, due to the clarification of already
existing provisions and identification of new
related concepts () Therefore, the application
of those impending new rules, as an equivalent
level of safety for the current requirements, and
the corresponding substantiation methodology
established in the revised AC/AMJ 25.1309 above
referred, is opportune for the ERJ-170
certification program and will surely provide an
adequate and satisfactory approach for compliance.
108
FCAR HSI-015 Equipment, Systems and Installations
CTA POSITION (cont.) A final noteworthy remark
regarding powerplant installations (last sentence
of the main paragraph of the proposed 25.1309) is
opportune. Since the proposed rule, albeit
resulting from a technical consensus is not in
effect, any last minute changes should not be
ruled out. This concern applies specifically to
powerplant installations therefore, considering
that current powerplant installations are not
explicitly covered by 25.1309, and the focus of
this FCAR is indeed on highly integrated aircraft
systems and equipment, the CTA will not require
compliance with 25.901(c) under the framework of
25.1309(b).
109
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION Embraer agrees with the
general intent of CTA position. Some background
discussion, however, is needed for a better
understanding of Embraer position, as explained
below. Embraer is aware that the ERJ-170 is an
aircraft with highly integrated systems
performing complex and interrelated functions and
agrees with CTA that the present guidance
material for compliance with RBHA/FAR 25.1309 is
not considered enough effective and complete for
assessing the safety aspects of highly integrated
and complex systems.
110
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.1) In order to address
the concerns related to systems integration
Embraer adopted the following 1. Process to
prevent errors on requirements, design and
implementation 2. Systems safety assessment
based on FAA/JAA harmonized material for systems
safety assessment requirements 3. Aircraft
safety assessment, covering failure conditions
that affect multiple aircraft level functions
and 4. Verification of aircraft level safety
assessment by means of actual tests using an
integrated iron bird rig.
111
FCAR HSI-015 Equipment, Systems and
Installations

• EMBRAER POSITION (cont.2)
• Below follows an explanation about each item
  above
• PROCESS
• Regarding the applicability of SAE ARP4754/ED79
  to the ERJ-170 program, Embraer performed a
  detailed analysis on that document and prepared
  an adequacy plan. Such plan was presented to
  CTA, JAA and FAA and it was considered acceptable
  for program ERJ-170 usage. In order to formalize
  the plan, Embraer issued the ENS-003188 titled
  ARP4754 - Adequacy for ERJ-170, attached to this
  letter.

112
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (Cont. 3) 2. SYSTEM SAFETY
ASSESSMENT The safety assessment for each
aircraft system verifies compliance with the
safety objectives related to RBHA/FAR/JAR 25.1309
requirements, defined in the corresponding system
functional hazard analysis. Each system safety
assessment is conducted in accordance with
Embraer standard ENS-002175 System Safety
Assessment Reports Guidelines. This standard is
based on -       NPA 25F-281 -       AC
25.1309, Arsenal revised and -       SAE ARP
4761. Systems safety assessment considers all
equipment/hardware that affect systems functions
and includes fault tree analysis for each
catastrophic and hazardous failure condition.
Independency claims at fault trees are supported
by common cause analysis.
113
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.4) 3. AIRCRAFT SAFETY
ASSESSMENT Systems integration introduces failure
conditions affecting simultaneously multiple
systems and aircraft top level functions. In
order to address the failure propagation
assessment at aircraft level, related to
potential sources of cascading/common cause
failures, fault propagation and final effect on
aircraft level functions, Embraer will develop an
aircraft safety assessment, in addition to the
traditional systems safety assessment.
114
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont. 5) 3. AIRCRAFT SAFETY
ASSESSMENT In this assessment, it will be
considered failures conditions of
equipment/systems with multiple functions
integrated controllers, multi-user control
signals and power sources predicting the
effects/criticalities on systems/functions and
determining the global effect on the aircraft top
level functions. The combination of those
failures will generate the matrix of potential
failure cases. These failure conditions will be
covered in the aircraft safety assessment (report
170MSS012). The following are the main
components for the matrix of potential failure
cases
115
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.6) 3. AIRCRAFT SAFETY
ASSESSMENT Integrated controllers - MAUs
(considering for each MAU the loss of electrical
power per channel at module level and loss of
communications) - SPDAs (considering for each
SPDA the loss of electrical power at model level
and loss of communications) -AMS controllers
(considering the loss of SPDA electrical power
and loss of communications) -MRCs (loss of
electrical power and loss of communications) -GCU
s (loss of communications) -FADECs (loss of
total electrical power and loss of
communications) -MCDUs (loss of electrical power
and loss of communications) and - CCDs (loss of
electrical power and loss of communications).
116
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.6) 3. AIRCRAFT SAFETY
ASSESSMENT The following are the main components
for the matrix of potential failure cases
(cont.) Control signals -       Air ground
signals -       Wheel speed signals -      
Engine signals -       Air data signals -      
IRS signals and -       Flap position signal.
117
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.7) 3. AIRCRAFT SAFETY
ASSESSMENT The following are the main components
for the matrix of potential failure cases
(cont.) Power sources -       Main
engines -       Electrical -       Hydraulics
and -       Pneumatics. Additional failure
cases -       Power sources and integrated
controllers -    Power sources and power sources
electrical, hydraulics, pneumatics and -      
Integrated controllers and integrated controllers.
118
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.8) 3. AIRCRAFT SAFETY
ASSESSMENT For each failure case, a propagation
analysis is conducted taking into account the
scenario configuration of the aircraft and
flight phase and predicting the
effect/criticality of that failure on
systems/functions that contribute to aircraft
top-level functions 1.       Provide
lateral/directional control 2.       Provide
pitch control 3.       Provide
thrust 4.       Provide lift and drag
control 5.       Provide primary flight
information 6.       Provide navigation 7.      
 Provide communication 8.       Provide auto
flight 9.       Provide habitable
environment 10.    Protect structural integrity
against system fail 11.    Provide unobstructed
cockpit vision 12.    Provide protection against
fire and 13.    Halt the airplane.
119
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.9) 4 VERIFICATION OF
AIRCRAFT SAFETY ASSESSMENT Once the
effects/criticalities were predicted by the
propagation analysis related to potential sources
of cascading/common cause failures, Embraer will
demonstrate those effects and verity
criticalities using a certification vehicle
entitled integrated iron bird rig which will
contain the following actual aircraft systems and
modeled systems Aircraft systems -      
Integrated digital platform (includes MAUs,
SPDAs, FADECs, AMS controllers, MCDUs, CCDs,
displays, MRC and digital data buses) -     Cockp
it overhead panel (with systems modules that
interface with the integrated digital
platform) -       Cockpit circuit breakers
panels -  Electrical power systems (with actual
electrical buses powering the corresponding
systems) -       Hydraulic system -      
Flight controls system -       Auto pilot
system -       Landing gear, brakes and
steering and -       Thrust reversers.
120
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.10) 4 VERIFICATION OF
AIRCRAFT SAFETY ASSESSMENT Aircraft
aerodynamic model -       Aerodynamic data bank
permitting the aerodynamic aircraft
simulation. Modeled aircraft systems -      
Main engines (controlled by actual
FADECs) -       Mechanical portion of fuel
system (controlled by actual SPDAs) -      
APU -   Mechanical portion of air management
systems (controlled by actual AMS
controllers) -      Air data system outputs and
sensors heating (controlled by actual MAUs and
SPDAs) and -       Flap/slat.
121
FCAR HSI-015 Equipment, Systems and
Installations
EMBRAER POSITION (cont.10) 4 VERIFICATION OF
AIRCRAFT SAFETY ASSESSMENT The integrated iron
bird will be described in the report 170MSD001.
The process for conducting the failure
propagation assessment at aircraft level will
be performed with the support of the human factor
group in the verification of criticality of each
failure case. All activities involving the
integrated systems safety assessment shall be
documented in the following reports -      
170MSS003 Aircraft Functional Hazard
Assessment -       170MSS012 Aircraft Safety
Assessment -       170MSD002 - Integrated
Systems Overview -       170MSC003 Safety
Assessment Methodology -       170MSD001
Failure Propagation Vehicle Description -      
170MSP001 Failure Propagation Vehicle Test
Proposal -       170MSR001 Failure
Propagation Vehicle Test Results -      
170ELS005 SPDA Secondary Power Distribution
Assembly FMEA -       170LGA058 WOW
Functional FMEA and 170AVA004
Functional FMEA MAU.
122
FCAR HSI-015 Equipment, Systems and
Installations
LIST OF REPORTS -       170ADO001 FUNCTIONAL
HAZARD ANALYSIS CRITERIA -   170ADY008 FHA
SUPPORTING CALCULATIONS GROUND ROLL DECELERATION
AND CLIMB CAPABILITY -       170AFS001 - AFCS
SYSTEM SAFETY ASSESSMENT -       170AFS004
AFCS FHA VERIFICATION TEST PLAN -       170AUS001
AUXILIARY POWER UNIT SYSTEM SAFETY
ASSESSMENT -       170AUS002 AUXILIARY POWER
UNIT SYSTEM FUNCTIONAL HAZARD ANALYSIS (....) -  
     170MSR001 Failure Propagation Vehicle
Test Results -       170ELS005 SPDA
Secondary Power Distribution Assembly
FMEA -       170LGA058 WOW Functional FMEA
and 170WWS002 VACUUM WASTE SYSTEM
SAFETY ASSESSMENT
94 reports directly related to Safety Assessment.
123
METHODOLOGY AND CERTIFICATION DOCUMENTATION

• AIRCRAFT FUNCTIONS TOP LEVEL FUNCTIONS

1. To provide aircraft lateral/directional control
2. To provide pitch control
3. To provide thrust
4. To provide lift and drag control
5. To provide Primary Flight Information
6. To provide navigation capability
7. To provide communication capability
8. To provide auto flight capability
9. To provide habitable environment
10. To protect structure integrity against
systems failures
11. To provide unobstructed cockpit vision
12. To provide protection against fire
13. To land and halt aircrat
124
ARP 4754
125
PROCESSO DE DESENVOLVIMENTO DE REQUISITOS Um
programa de desenvolvimento de aeronave genérico
126
COMO GARANTIR A SEGURANÇA ?
PROJETO ?FABRICAÇÃO ? OPERAÇÃO

• CERTIFICATION CONSIDERATIONS FOR HIGHLY
  INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS (nome
  atual)

ARP 4754

• GUIDANCE FOR VALIDATION AND VERIFICATION OF
  AIRCRAFT SYSTEMS (nome a ser adotado)

Abordagem Qualitativa. Reconhece que não existem
métodos numéricos para caracterizar os erros de
desenvolvimento (determinação de requisitos e
erros de projeto).
CAPTURA DE REQUISITOS E ATRIBUIÇÂO DOS DAL
Requisitos de Segurança
PROCESSO DE SSA
Requisitos Funcionais (combinação de desejos do
cliente, restrições regulatóriais e
implementation reality.
Requisitos do Cliente, Operacionais, de
Desempenho, de Instalação, etc.
127
COMO GARANTIR A SEGURANÇA ?
PROJETO ?FABRICAÇÂO ?OPERAÇÂO
ARP 4754 CERTIFICATION CONSIDERATIONS FOR HIGHLY
INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS
DEVELOPMENT ASSURANCE
Todas ações planejadas e sistemáticas usadas para
substanciar, a um nível adequado de confiança,
que erros de desenvolvimento foram identificados
corrigidos, de tal modo que o sistema satisfaça a
base de certificação aplicável.
ERRO DE DESENVOLVIMENTO
Um equívoco na determinação de requisitos, no
projeto ou na implementação.
128
Safety Assessment Process Guidelines Methods (
ARP 4761 )
Intended Aircraft Function
Function, Failure Safety Information
System Design
Functional System
System Development Processes ( ARP 4754 )
Aircraft System Development Process
Aircraft System Development
Implementation
Hardware Development Life-Cycle ( DO-254 )
Hardware Life-Cycle Process
Software Development Life-Cycle ( DO-178B )
Software Life-Cycle Process
129
SAE AEROSPACE RECOMMENDED PRACTICE 4754
CERTIFICATION CONSIDERATIONS FOR HIGHLY
INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS
The process includes the assignment of
development assurance levels, similar to FHA
hazard severity levels. The Development Assurance
Levels defined in 4754 determine the necessary
software and hardware design assurance levels of
DO-178B and DO-254.
Development assurance establishes confidence
that the system development has been accomplished
in a sufficiently disciplined manner to limit the
likelihood of development errors that could
impact aircraft safety
130
System Development Assurance Level Assignment
131
4.3 Software Summary Software control and
indication is accomplished via the SPDA, FADEC,
and EICAS systems. Table 2 summarizes the ERJ-170
Functional Hazard Analysis - Software (See Annex
C). The safety level required in the FHA is
accomplished or exceeded by thesoftware.
132
Aircraft Function 3
Aircraft Function 2
Aircraft Function 1
System 3
System 2
System 1
Item 3
Item 2
Item 1
Software Life-Cycle
Hardware Life-Cycle
ITEM DEVELOPMENT
SYSTEM DEVELOPMENT
AIRCRAFT FUNCTION
133
Aircraft Level Requirements
Aircraft Functions
Aircraft Level FHA
Failure Conditions, Effects, Classification,
Safety Requirements
Functional
Allocation of Aircraft Functions to systems
Systems Functions
System-level FHA sections
Failure Conditions Effects
Failure Conditions, Effects, Classification,
Safety Objectives
Development of System Architecture
Architectural Requirements
Separation Requirements
CCAs
System Architecture
Allocation of Item Requirements to Hardware
Software
SSAs
Item requirements
System Implementation
Separation Verification
Implementation
Results
Physical System
Certification
Safety Assessment Process
System Development Process
134
Requirements Baseline Overview
Functional requirements
Safety requirements
Requirements associated to Acft Level Functions
ACFT Level FHA
Certific. Requir.
Aircraft
System Level FHA Sections
System Requir.
Systems
DAL
Selected Functions
Equip./SW Requir. Integrated Digital Platform
Equipment / Sw
135
(No Transcript)
136
FUTURE WORK ERJ 190 SSA

• List of aircraft level functions reviewed and
  harmonized between all involved areas
• Requirements determination and traceability
• More extensive adoption of ARP 4754
• FHA, including assignment of DAL to systems and
  subsystems

137
FUTURE WORK ERJ 190 SSA
138
Risco Específico
139
Average Probability PFH Definition

• Average Probability Per Flight Hour
• is a representation of the number of times the
  subject Failure Condition is predicted to occur
  during the entire operating life of all airplanes
  of the type divided by the anticipated total
  operating hours of all airplanes of that type
• (Note The Average Probability Per Flight Hour is
  normally calculated as the probability of a
  failure condition occurring during a typical
  flight of mean duration divided by that mean
  duration). (AC/AMJ 25-1309 )

140
Calculation of Average Probability per Flight
Hour (Quantitative Analysis)

• (1) The Average Probability per Flight Hour is
  the probability of occurrence, normalized by the
  flight time, of a Failure Condition during a
  flight which can be seen as an average over all
  possible flights of the fleet of aircraft to be
  certified. The calculation of the Average
  Probability per Flight Hour for a Failure
  Condition should consider
• (I) the average flight duration and the average
  flight profile for the aircraft type to be
  certified,
• (ii) all combinations of failures and events
  that contribute to the Failure Condition,
• (iii) the conditional probability if a sequence
  of events is necessary to produce the Failure
  Condition,
• (iv) the relevant "at risk" time if an event is
  only relevant during certain flight phases,
• (v) the average exposure time if the failure can
  persist for multiple flights. (AC/AMJ 25-1309)

141
SAE S-18Specific Risk definition
Specific Risk the probability of failure for
an individual airplane or flight, where one or
more significant risk parameters differ from
airplane to airplane (or flight to flight) and
the values of those parameters are identifiable
for those individual airplanes or flights
142
Specific Risk definition

• For example, individual airplanes (or flights)
  may be at a higher risk than the fleet average
  if
• One or more components are failed or inoperative
  (degraded configuration but OK per MMEL).
• Components have more service time (wearout
  failure modes).
• Components have less service time (infant
  mortality failure modes).
• Flight length is shorter (cycle driven failure
  mode).
• Flight length is longer (more time between
  pre-flight checks)
• Longer time since last inspection (latent failure
  mode).
• Components are outside design specifications
  (e.g. quality issue).
• Operating environment or mission profile is more
  severe.
• Aircraft Configuration (Weight and Balance)

143
SAE S-18Specific Risk definition
While noting the controversy of specific risk
as an assessment metric, it is recognized that
there are at least two examples of regulatory and
industry guidance related to specific risk.
     Gunstone ACJ 39.3(b)(4) / CAAM
(Continued Airrworthiness Assessment Methodology)
AC 39-XX         Time Limited Dispatch (TLD)
144
FAA/EASA consensusSpecific Risk definition
The risk on an aircraft on a specific flight
due to a condition that deviates from the fleets
average risk.
Do we limit exposure / deviation / both?
Deviation 10-x
Deviation
Fleet average 10-9
Time
Exposure
Full-up 10-y
Example Illustration a Catastrophic Failure
Condition
145
Feedback from SDAHWG

• Authorities
• The risk on an aircraft on a specific flight due
  to a condition that deviates from the fleets
  average risk.

• SDAHWG
• The risk on an aircraft per flight hour due to a
  condition that results in a deviation from the
  fleet's average risk. Conditions specifically of
  concern are significant latent failures and MMEL
  items.

146
What is the RULE?

• FAA seeks a clearer and more integrated set of
  recommendations from ARAC, because
• SDA, Flight Controls, and Powerplant HWGs each
  independently provided to the FAA varying
  philosophies on how specific risks should be
  managed (e.g., recommendations range from
  prohibiting singlelatent, to allowing
  singlelatent and specifying a minimum level of
  integrity, to no specific risk evaluation at
  all.)
• Specific risk issues transcend any one system
  type, and need to be coordinated
  cross-functionally (e.g., latent and MMEL issues
  are common issues.)

147
CONCLUSIONS