MIT ICAT MIT ICATSafety, Reliability, Certification, Maintenance Prof. R. John Hansman MIT International Center for Air TransportationMIT ICATMIT ICATMIT ICAT MIT ICAT0 1994 #Class A accidents per 100,000 flight hours Accident Rate 1996 1998 2000 20021992 1.0 2.0 U.S. Military Accident Rates# 3.0 Air Force Army Navy Marine Corps 4.0 .Figure by MIT OCW. Adapted from: Aviation Week 10/02.MIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICATMIT ICAT MIT ICATSafety y Safety Targets/Standards  Civil Air Carrier FAR Part 25 FAR Part 121  Civil General Aviation FAR Part 23 FAR Part 91  Military Mil Spec y Safety Components  Vehicle Airworthiness  Training and Operating Procedures  Maintenance  Culture  Quality Management Processes  Incident Reporting  Accident Investigation  Liability y Design Philosophy  Fail Safe  Fail OperationalMIT ICAT MIT ICATCertification y Civil  Certificate of Airworthiness (i.e. Certification)  Guarantee to the public that the aircraft is airworthy to some standard  Operational Approval  Operating Certificate ÐEquipment ÐProcedures ÐTraining y Military  Procurement y Space  Man RatedMIT ICAT MIT ICATCertification y Aircraft Certificate of Airworthiness  Standard Type Certificate (STC)  Categories  Air Carrier  Normal  Utility  Experimental  Rotorcraft  LTA  OthersMIT ICAT MIT ICATCertification y Component Certificate of Airworthiness  Engines  Propellers  Parts  Instruments y Component (Parts & Instruments) Standards  Technical Service Order (TSO)  Minimum Operational Performance Specification (MOPS) y Software Standards  RTCA DO-178B y Continued Airworthiness  Inspections  MaintenanceMIT ICAT MIT ICATFederal Aviation Regulations y Part 1 - DEFINITIONS AND ABBREVIATIONS y Part 11 - GENERAL RULEMAKING PROCEDURES y Part 21 - CERTIFICATION PROCEDURES FOR PRODUCTS AND PARTS y Part 23 - AIRWORTHINESS STANDARDS: NORMAL, UTILITY, ACROBATIC, AND COMMUTER CATEGORY AIRPLANES y Part 25 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES y Part 27 - AIRWORTHINESS STANDARDS: NORMAL CATEGORY ROTORCRAFT y Part 29 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY ROTORCRAFT y Part 31 - AIRWORTHINESS STANDARDS: MANNED FREE BALLOONS y Part 33 - AIRWORTHINESS STANDARDS: AIRCRAFT ENGINES y Part 34 - FUEL VENTING AND EXHAUST EMISSION REQUIREMENTS FOR TURBINE ENGINE POWERED AIRPLANES y Part 35 - AIRWORTHINESS STANDARDS: PROPELLERS y Part 36 - NOISE STANDARDS: AIRCRAFT TYPE AND AIRWORTHINESS CERTIFICATION y http://www.faa.gov/regulations_policies/MIT ICAT MIT ICATFAA engineering personnel are sometimes consulted at this step TC or STC Approval Process Product is evaluated for marketability & certifiability Company makes decision to proceed with development Preliminary design completed Detailed design completed This is the appropriate time to initiate certification project FAA witnesses many of the systems tests for certification FAA witnesses all of the flight and ground tests conducted on an aircraft for certification Close consultation with FAA engineering personnel is essential throughout design process to avoid new requirements late in process System testing completed Installation in aircraft & certification testing completed Idea for new avionics product is born FAA ACO issues certificate & system is ready for operational approval Certification plan is prepared & submitted to the ACO for review & approval. Plan will address the system safety assessment & the software aspects of certification Testing plans & system safety assessment prepared & submitted to the ACO for review & approval Flight test plan & balance of design approval documents submitted to ACO for review & approval Figure by MIT OCW.MIT ICAT MIT ICATSafety Analysis y Advisory Circular AC 25.1309-1A  System Design and Analysis y Fail Safe y Fail Operational y Preliminary Hazard Analysis y Functional Hazard Assessment y Depth of Analysis Flowchart  Complex SystemMIT ICAT MIT ICATProbability vs. Consequences Graph Probable Improbable Extremely Improbable Catastrophic Accident Adverse Effect On Occupants Airplane Damage Emergency Procedures Abnormal Procedures Nuisance NormalMIT ICAT MIT ICATDescriptive Probabilities Probability (per unit of exposure) FAR JAR 1 Frequent 10E-3 Probable Reasonably Probable 10E-5 Remote 10E-7 Improbable Extremely Remote 10E-9 Extremely ExtremelyImprobable Improbable What is the correct unit of exposure : Flight hour, Departure, FailureMIT ICAT MIT ICATSafety Analysis y Preliminary Hazard Analysis y Fault Tree Analysis  Top Down Search - Presumes Hazards Known  System Definition  Fault Tree Construction  Qualitative Analysis  Quantitative Analysis y Event Tree Analysis  Bottom Up “Forward” Search - Identifies possible outcomes y Failure Modes and Effects Analysis  Probabilistic “Forward” Search  Requires Failure Probability Estimates  Requires Assumed Failures from PHA or Historical Data  “Target Level of Safety”MIT ICAT MIT ICATEvent Tree Example From : Leveson A Reduced Event Tree for A Loss of Coolant Accident Succeeds Succeeds Succeeds Succeeds Succeeds Fails Fails Fails Fails Fails Fails 1-P4 1-P4 1-P5 1-P3 1-P2 P4 P3 P2 P4 P5 P5 Available Initiating Event P1 P1 P1 x P5 P1 x P2 P1 x P4 P1 x P3 P1 x P4 x P5 P1 x P3 x P4 Pipe Break 1 Electric Power 2 ECCS 3 Fission Product Removal 4 Containment Integrity 5 Figure by MIT OCW.MIT ICAT MIT ICATFault Tree and Event Tree Examples From : Leveson Operator inattentive Relief Valve 1 Pressure too high Opens Opens Pressure decreases Pressure decreases Explosion Fails Fails Relief Valve 2 Explosion Valve failure A Fault Tree and Event Tree Comparison Valve failure Pressure monitor failure Computer output too late Computer does not issue command to open valve 1 Operator does not know to open value 2 Computer does not open valve 1 Value 1 position indicator falls on Open indicator light falls on Pressure too high Relief valve 1 does not open Relief valve 2 does not open Figure by MIT OCW.MIT ICAT MIT ICATFailure Modes and Effects Analysis Figure by MIT OCW. Adapted from: Leveson. ABCriticalABOpenShortOther90559055OpenShortOther1 x 10-3 x x 5 x 10-55 x 10-55 x 10-55 x 10-51 x 10-3Failure probability Failure modeFailures by mode (%)EffectsCritical