S5 - Dayton OH, June 2010
ESCAPES FROM AIRWORTHINESS CERTIFICATION –
AND HOW TO PREVENT THEM
Herb Hecht, SoHaR Incorporated, Culver City, California
CERTIFICATION - FAR 25.1309
(a) The equipment, systems, and installations whose functioning is required by this subchapter, must be designed to ensure that they perform their intended functions under any foreseeable operating condition.
(b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that—
(1) The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and
(2) The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.
Also: Single Failure Avoidance, Analysis and Test Requirements
CERTIFICATION – AC 25.1309-1
Probable: > 10^-5
Improbable: < 10^-5 and > 10^-9
Extremely Improbable: < 10^-9
(all per flight-hour)
DETAILS OF ANALYSIS AND TEST
OTHER DOCUMENTS
ANALYSIS & TEST GUIDANCE: RTCA DO-178B, SAE ARP 4754, SAE ARP 4761
(Diagram; labels: SOFTWARE, SYSTEM, TEST)
EVOLUTION OF REQUIREMENTS
(Diagram comparing three views, WATERFALL, ARP 4754 and REALISTIC, each showing STATED vs. IMPLEMENTED requirements. Labels: SYSTEM REQ'MTS; PROPAGATED SYSTEM REQ'MTS; PROPAGATED AND DERIVED SYSTEM REQ'MTS; REQ'MTS FROM OTHER SYSTEMS.)
CRITICAL EVENTS

DATE/PLACE | AIRCRAFT | KILLED | INJURED | EVENT | FACTORS MARKED (of MODE, RED. MGMT, M'NTNCE, PILOT)
2/2009 AMSTERDAM | B737 | 9 | 87 | FAILED RADAR ALTIMETER RETARDS THROTTLE TOO EARLY | X X X X
10/2008 AUSTRALIA | A330 | 0 | 54 | FAILED AoA SIGNAL CORRUPTS MULTIPLE ADIRU OUTPUTS | X X X
8/2005 AUSTRALIA | B777 | 0 | 0 | UNABLE TO RECOVER FROM ACCELEROMETER FAILURE | X X
5/2001 BILBAO | A320 | 0 | ? | AoA PROTECTION PREVENTS NOSE UP FOR GO-AROUND | X
10/2000 ATLANTIC | A340 | 0 | 0 | NEAR COLLISION CAUSED BY UNEXPECTED AoA PROTECTION | X
9/1999 ROMANIA | FALCON 900 | 7 | 6 | FAILED PITCH FEEL UNIT CAUSES PITCH OSCILLATIONS | X X X

(Column assignment of the X marks was lost in extraction; only the count per row is preserved.)
TURKISH B737 AMSTERDAM
• LEFT RADAR ALTIMETER JUMPS TO -8 FT WHEN AIRCRAFT IS AT 770 FT, CAUSING THROTTLE RETARDATION, LOSS OF AIRSPEED
• RIGHT RADAR ALTIMETER IS OK BUT NOT UTILIZED
• MANUAL THROTTLE ADVANCE IS TOO LATE TO AVERT CRASH SHORT OF RUNWAY
• RIGHT RADAR ALTIMETER HAD MALFUNCTIONED ON AT LEAST THREE PREVIOUS FLIGHTS
QANTAS A330 AUSTRALIA
• IN TURBULENCE AoA SENSOR OUTPUTS SPIKES THAT ARE ONLY IMPERFECTLY FILTERED. ONE SPIKE CAUSES -4 DEG ELEVATOR AT THE SAME TIME AS A MACH COMPENSATION FEATURE COMMANDS -6 DEG. THE COMBINED COMMANDS GENERATE NEGATIVE G'S, ANY UNBELTED PASSENGER BEING THROWN AROUND.
• THE SPIKES HAD BEEN A PROBLEM BEFORE, BUT SEVERITY WAS NOT RECOGNIZED.
• COMPLEXITY OF ADIRU CONTROLS PREVENTED CREW FROM TAKING OPTIMUM RECOVERY ACTION.
MALAYSIAN AIRL. B777 AUSTRALIA
• 6 NON-ORTHOGONAL ACCELEROMETERS ARE USED TO GENERATE BODY CENTERED ACCELERATION DATA. THEORETICALLY CAPABLE OF CORRECT OUTPUT AS LONG AS 3 INSTRUMENTS ARE OK.
(Figure: accelerometer layout, conceptual arrangement only)
B777 - CONTINUED
• #5 ACCELEROMETER FAILS IN JUNE 2001
• #6 ACCELEROMETER FAILS ON EVENT FLIGHT IN AUGUST 2005. SOFTWARE SUBSTITUTES #5 FOR #6, RESULTING IN VIOLENT PITCH-UP MANEUVER.
• (UNOFFICIAL A) SOFTWARE WAS TESTED BUT RESULT WAS MISINTERPRETED
• (UNOFFICIAL B) SOFTWARE WAS MODIFIED AFTER TEST.
• CORE ISSUE: SHOULD FAILED #5 HAVE REMAINED ON AIRCRAFT FOR OVER 4 YEARS?
NON-ORTHOGONAL INSTR. TEST
• FROM D. E. ECKHARDT ET AL., "AN EXPERIMENTAL EVALUATION OF SOFTWARE REDUNDANCY AS A STRATEGY FOR IMPROVING RELIABILITY", IEEE TRANS. SOFTW. ENG., JULY 1991

NO. OF PRIOR ANOMALIES | OBSERVED FAILURES | TOTAL TESTS | FAILURE FRACTION
0 | 1,268 | 134,135 | 0.01
1 | 12,921 | 101,151 | 0.13
2 | 83,022 | 143,509 | 0.58

SOFTWARE RESPONSE TO AN INSTRUMENT FAILURE
PREVENTING ESCAPES
• REALISTIC REQUIREMENTS REVIEWS
• REVIEW GUIDES FOR REDUNDANCY MANAGEMENT
• INTERFACE WITH MAINTENANCE
• MODES – QUANTITY & SIDE EFFECTS
REALISTIC REQUIREMENTS REVIEWS
(Diagram: review matrix. Lifecycle stages CONCEPT, SYST. REQ'MTS, SOFTW. REQ'MTS, SOFTW. DESIGN, CODING, with OBJECTIVE / ALGORITHM / ASSIGNM'T at each stage; requirement partitions OPERATIONAL REQM'TS, IMPLEMENTATION, COMPUTING ENV., MONIT. & SELF-TEST, APPLICATION SOFTW.)
REQUIREMENTS PARTITIONS
• OPERATIONAL REQUIREMENTS: LOSS OF PROPULSION, ELECTRIC POWER, COMMUNICATION, THERMAL CONTROL
• IMPLEMENTATION DETAIL: CALIBRATION ANOMALIES, ACTUATOR STATES, SENSOR INPUT
• COMPUTING ENVIRONMENT: HARDWARE FAILURES, MEMORY ERRORS, EXECUTIVE, MIDDLEWARE
• MONITORING AND SELF-TEST: OVER-TEMPERATURE SENSORS, SYSTEM PERFORMANCE TEST
• APPLICATION SOFTWARE: ASSERTIONS, VIOLATION OF TIMING CONSTRAINTS, MODE CHANGES
REDUNDANCY MANAGEMENT
(Diagram of review topics. REDUNDANCY: DYNAMIC, FAULT-MASKING. LEVEL: PHYSICAL / ANALYTIC. ERROR DETECTION: COMPARISON, MAGNITUDE/DEVIATION, EXTERNAL. SWITCHING: HARDWARE, SOFTWARE, MEMORY. TIMING: OPERATION, RECOVERY. INDICATION: FAULT, RECOVERY.)
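As an added example (not from the presentation), the comparison, magnitude/deviation and switching elements of the redundancy management slide applied to a scalar model of the Amsterdam B737 radar altimeter case and the B777 accelerometer substitution case above; `Channel`, `select_reading`, the six-channel scalar model and all thresholds are hypothetical constructs, not the actual autothrottle or ADIRU logic.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Channel:
    """One redundant sensor channel with a latched failure flag (hypothetical model)."""
    name: str
    failed: bool = False          # latched: cleared by maintenance action, never by software
    last: Optional[float] = None  # previous accepted value, for the step monitor

def select_reading(channels, readings, lo, hi, max_step, max_dev):
    """Apply magnitude, step and comparison monitors to redundant channels; return (value, status).
    A channel failing the magnitude or step monitor is latched out and never re-admitted."""
    candidates = {}
    for ch in channels:
        if ch.failed:
            continue                                  # a previously failed channel is never substituted in
        v = readings[ch.name]
        if not (lo <= v <= hi) or (ch.last is not None and abs(v - ch.last) > max_step):
            ch.failed = True                          # implausible value or jump: latch the channel out
            continue
        ch.last = v
        candidates[ch.name] = v
    vals = list(candidates.values())
    if len(vals) >= 2:
        if max(vals) - min(vals) > max_dev:
            return None, "MISCOMPARE"                 # channels disagree: do not act on either
        return sum(vals) / len(vals), "VALID"
    if len(vals) == 1:
        return vals[0], "SINGLE"                      # degraded: the remaining good channel is used
    return None, "NO_VALID_SOURCE"

def amsterdam_scenario():
    """Constructed B737 case: left altimeter jumps from 770 ft to -8 ft, right stays near 770 ft."""
    left, right = Channel("LEFT_RA"), Channel("RIGHT_RA")
    limits = (-20.0, 2500.0, 100.0, 50.0)             # ft: range lo/hi, max step per frame, max deviation
    ok = select_reading([left, right], {"LEFT_RA": 770.0, "RIGHT_RA": 772.0}, *limits)
    bad = select_reading([left, right], {"LEFT_RA": -8.0, "RIGHT_RA": 770.0}, *limits)
    return ok, bad, left.failed                       # -> ((771.0, 'VALID'), (770.0, 'SINGLE'), True)

def b777_scenario():
    """Constructed B777 case: #5 latched failed on an earlier flight, #6 fails on the event flight."""
    chans = [Channel(f"ACC{i}") for i in range(1, 7)]
    chans[4].failed = True                            # #5 left on the aircraft unrepaired
    readings = {c.name: 1.0 for c in chans}
    readings["ACC6"] = 9999.0                         # hard-over failure of #6 (constructed)
    value, status = select_reading(chans, readings, -10.0, 10.0, 5.0, 0.5)
    return value, status, [c.name for c in chans if c.failed]   # -> (1.0, 'VALID', ['ACC5', 'ACC6'])
```

In the Amsterdam model the step monitor latches the left channel and the right channel is used in a flagged degraded state; in the B777 model the latched #5 is never selected when #6 fails.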
MAINTENANCE INTERFACE
• REVIEW OF ON-BOARD AND PILOT GENERATED EVENT LOGS BY SAFETY ENGINEER
• CLEAR IDENTIFICATION OF SAFETY CRITICAL ITEMS
• LIMITATION ON MAINTENANCE DEFERRALS
MODES
• ESSENTIAL VS. CONVENIENCE MODES
• LIMITATION ON CHANGE OF SIDE EFFECTS WHEN TRANSITIONING BETWEEN MODES
• IMPROVE MODE AWARENESS*
* Steven P. Miller et al., "A Methodology for Improving Mode Awareness in Flight Guidance Design". Proc. of the 21st Digital Avionics Systems Conference (DASC '02), Irvine, California, October 2002.
QUESTIONS/COMMENTS
310/338-0990 X110