Background


Decelerate Aircraft on ground: Aircraft FHA Case Study:
60 mins
Introduction to Wheel Brake System Case Study
This session introduces a case study concerning the Wheel Brake System (WBS) of an aircraft
landing gear, based on an example in Aviation Recommended Practice (ARP) 4761 Appendix L.
The Product Context
The case study concerns the design of a new (fictitious) aircraft, called the S18 (Figure 1). The S18 is
a four-engine passenger aircraft, designed to carry 300 to 350 passengers up to 5,000 nautical miles at
Mach 0.86. (Engines are omitted from Figure 1 so that it is easier to see the landing gear, which is the
main focus of this study.) The average flight length required is 5 hours. Within the context of the S18
development project, the case study focuses on the design of the WBS, which provides the
(aircraft-level) function Decelerate Aircraft on the Ground. The WBS provides the braking of the wheels of
the Main Landing Gear during landing and rejected takeoff (RTO).
Figure 1 - S18 Aircraft Nose and Main Landing Gears
The Process Context
In order to eventually achieve air-worthiness certification, the S18 project has elected to comply with
applicable industry standards. These include ARP 4754, which describes certification activities in the
context of a model development process, and ARP 4761, which provides a model safety assessment
process and descriptions of safety assessment techniques. The applicable standard for the
development of software items is DO-178B. If properly enacted, these processes will generate the
information necessary to achieve air-worthiness certification. Figure 2 summarises the safety
assessment and design processes and their interaction.
[Figure 2: diagram with two parallel columns. Safety Assessment Process: Aircraft Level FHA, System Level FHA Sections, PSSAs, CCAs, SSAs, Certification. System Development Process: Aircraft Level Requirements, Allocation of Aircraft Functions to Systems, Development of System Architecture, Allocation of Item Requirements to Hardware & Software, System Implementation. The flows between the columns carry aircraft and system functions, failure conditions and effects, classifications, safety objectives, architectural and separation requirements, item requirements, and verification results.]
Figure 2 - Safety Assessment Process Model
Acronyms in the Figure refer to:
FHA Functional Hazard Assessment
PSSA Preliminary System Safety Assessment
SSA System Safety Assessment
CCA Common Cause Analysis
Functional Hazard Assessment (FHA) at Aircraft Level
During aircraft level FHA, the safety specialist seeks to identify all the malfunctions implied by the
nominal functions of the aircraft, as described in requirements documentation. The effects of
malfunctions are considered, and assigned severity classifications and upper limits on the allowable
probabilities of occurrence. Table 1 shows the definitions of these classifications and probabilities
contained in the Federal Aviation Regulations (FAR – American) and Joint Aviation Regulations
(JAR – European).
For those components which are not amenable to probabilistic reliability modelling (including
software components), the concept of Development Assurance Levels is adopted. However, at the
aircraft level, a probabilistic approach is usually used, as the acceptability of hazards is usually
assessed in quantitative terms.
Table 1 - Failure Condition Severity as Related to Probability and Assurance Level

| Probability (Quantitative), per flight or flight hour | | 1.0 to 1.0E-5 | 1.0E-5 to 1.0E-7 | 1.0E-7 to 1.0E-9 | below 1.0E-9 |
|---|---|---|---|---|---|
| Probability (Descriptive) | FAR | Probable | Improbable | Improbable | Extremely Improbable |
| | JAR | Frequent (1.0 to 1.0E-3), Reasonably Probable (1.0E-3 to 1.0E-5) | Remote | Extremely Remote | Extremely Improbable |
| Failure Condition Severity Classification | FAR | Minor | Major | Severe Major | Catastrophic |
| | JAR | Minor | Major | Hazardous | Catastrophic |
| Failure Condition Effect | FAR & JAR | slight reduction in safety margins; slight increase in crew workload; some inconvenience to occupants | significant reduction in safety margins or functional capabilities; significant increase in crew workload or in conditions impairing crew efficiency; some discomfort to occupants | large reduction in safety margins or functional capabilities; higher workload or physical distress such that the crew could not be relied upon to perform tasks accurately or completely; adverse effects upon occupants | all failure conditions which prevent continued safe flight and landing |
| Development Assurance Level | ARP 4754 | Level D | Level C | Level B | Level A |
Task 1
As part of the aircraft-level design process, various functions have been identified for the whole
aircraft. The function to be considered in the case study, namely Decelerate Aircraft on the Ground,
is evident in the functional decomposition of Figure 3.
Aircraft Functions
  1st level: Control Thrust; Control Flight Path; Determine Orientation; Determine Heading and Position; Control Aircraft on the Ground; Control Cabin Environment
  2nd level (under Control Aircraft on the Ground): Determine Air/Ground Transition; Decelerate Aircraft on the Ground; Control Aircraft Direction on the Ground
Figure 3 - Aircraft Function Tree
Systems to decelerate the aircraft on the ground usually include wheel brakes, spoilers and thrust
reversers. These systems can either be controlled manually or by an auto-stopping function, where
the braking systems are armed in advance by the pilot and then automatically activated.
For the function Decelerate Aircraft on the Ground, identify a set of possible failure conditions
which might be identified during the FHA process.
HINT: Focus on the requirement, rather than the functions or systems that implement the
requirement. Consider the ways in which this requirement could fail to be met.
Task 2
Identify environmental conditions that could influence how systems meet the Decelerate Aircraft on
the Ground requirement. Is this a purely functional consideration or do system design solutions have
to be considered?
HINT: Think of environmental factors which might be relevant in the braking of an aircraft on the
runway.
Task 3
Identify, in broad terms, emergency configurations of the aircraft that could influence how systems
meet the Decelerate Aircraft on the Ground requirement.
HINT: Consider failures (unavailability) of major support systems likely to be present on the aircraft.
Task 4
Identify flight phases of the aircraft operation where ground braking systems are required.
Task 5
Construct an FHA table for the function Decelerate Aircraft on the Ground of the form:
| Function | Failure Condition | Phase | Effect on Aircraft / Crew | Classification | Verification |
(Blank tables are provided at the end of this session.)
Decide on the likely effects of each failure condition occurring in each of the flight phases that you
have identified. Classify the effects using the ARP 4761 Severity Classification, as indicated in Table
1.
HINT: Consider the breakdown of each failure condition into unannunciated / annunciated failures,
where a failure is annunciated if its occurrence is signalled to the pilot.
For the FHA table you have constructed, identify which techniques might be used to demonstrate
compliance with safety objectives.
What are the main outputs of the FHA process?
Which processes make use of these outputs?
Might the FHA Table have to be revised at a later time in the system development process, or should
it be stable?
Wheel Braking System Case Study:
Model Answer
Task 1
For the function Decelerate Aircraft on the Ground, identify a set of possible failure
conditions which might be identified during the FHA process. HINT: Focus on the requirement,
rather than the functions or systems that implement the requirement. Consider the ways in
which this requirement could fail to be met.
Functional Failure Conditions include (from ARP 4761 Appendix L):
Loss of all deceleration capability;
Reduced deceleration capability;
Inadvertent deceleration;
Loss of all auto stopping features;
Asymmetric Deceleration.
Task 2
Identify environmental conditions that could influence how systems meet the Decelerate
Aircraft on the Ground requirement. Is this a purely functional consideration or do system
design solutions have to be considered?
Environmental and emergency configurations and conditions include (From ARP 4761):
Runway Conditions (wet, icy, etc.);
Runway Length;
Tail / Cross Wind.
Design solutions have to be considered so that we know how the environment interacts with the
aircraft.
Task 3
Identify, in broad terms, emergency configurations of the aircraft that could influence how
systems meet the Decelerate Aircraft on the Ground requirement.
Environmental and emergency configurations and conditions of the aircraft include (From ARP
4761):
Engine Out
Hydraulic System Loss
Electrical System Loss
Task 4
Identify flight phases of the aircraft operation where ground braking systems are required.
Applicable Phases include (From ARP 4761):
Taxi;
Takeoff to Rotation;
Landing Roll;
Rejected Takeoff (RTO).
Task 5
Construct an FHA table for the function Decelerate Aircraft on the Ground.
| Function | Failure Condition (Hazard Description) | Phase | Effect of Failure Condition on Aircraft / Crew | Classification | Verification |
|---|---|---|---|---|---|
| Decelerate Aircraft on the ground | Loss of Deceleration Capability | Landing / RTO / Taxi | See below | | |
| | a. Unannunciated loss of Deceleration Capability | Landing / RTO | Crew is unable to decelerate the aircraft, resulting in a high speed overrun | Catastrophic | S18 Aircraft Fault Tree |
| | b. Annunciated loss of Deceleration Capability | Landing | Crew selects a more suitable airport, notifies emergency ground support, and prepares occupants for landing overrun | Hazardous | S18 Aircraft Fault Tree |
| | c. Unannunciated loss of Deceleration Capability | Taxi | Crew is unable to stop the aircraft on the taxiway or gate, resulting in low speed contact with terminal, aircraft or vehicles | Major | |
| | d. Annunciated loss of Deceleration Capability | Taxi | Crew steers the aircraft clear of any obstacles and calls for a tug or portable stairs | No safety effect | |
| | Inadvertent deceleration after V1 | Takeoff | Crew is unable to take off due to application of brakes at the same time as high thrust settings, resulting in a high speed overrun | Catastrophic | S18 Aircraft Fault Tree |
| | Partial loss of deceleration capability | Landing / RTO | See below | | |
| | a. Unannunciated partial loss of Deceleration Capability | Landing / RTO | Crew is unable to completely decelerate the aircraft before the end of the runway, resulting in a potential overrun | Hazardous | S18 Aircraft Fault Tree |
| | b. Annunciated partial loss of Deceleration Capability | Landing | Crew selects a more suitable airport, notifies emergency ground support, and prepares occupants for landing overrun | Major | |
| | c. Unannunciated partial loss of Deceleration Capability | Taxi | Crew may not be able to adequately stop the aircraft before obstacle, resulting in low speed collision | Minor | |
| | d. Annunciated partial loss of Deceleration Capability | Taxi | Crew steers the aircraft clear of any obstacles and calls for a tug or portable stairs | No safety effect | |
| Function | Failure Condition (Hazard Description) | Phase | Effect of Failure Condition on Aircraft / Crew | Classification | Verification |
|---|---|---|---|---|---|
| Decelerate Aircraft on the ground (cont.) | Loss of automatic stopping capability | Landing / RTO | See below | | |
| | a. Unannunciated loss of automatic stopping capability | Landing / RTO | Crew arms automatic stopping features for Landing / RTO. Upon landing / RTO the automatic stopping features fail to operate. Crew recognises situation and manually activates stopping capability. Crew reaction time results in potential overrun. | Major | |
| | b. Annunciated loss of automatic stopping capability | Landing / RTO | Crew manually activates stopping capability upon landing or RTO | No safety effect | |
| | Asymmetric Deceleration | Landing / RTO | See below | | |
| | a. Unannunciated asymmetric deceleration | Landing / RTO | Crew is not prepared for asymmetric deceleration and reacts too late to maintain directional control, resulting in an offside excursion from the runway | Major | |
| | b. Annunciated asymmetric deceleration | Landing | Crew is prepared for asymmetric deceleration and counters with appropriate rudder and nose wheel steering inputs | Minor | |
| | c. Asymmetric deceleration | Taxi | Aircraft diverts slightly from intended course | No safety effect | |
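
The following is an added example, not part of the original handout or of ARP 4761: it holds the model-answer FHA rows as data and applies the Table 1 mapping to find the most demanding probability limit and assurance level for each failure condition. The two review checks (a verification method on every Hazardous or Catastrophic row, and annunciation never worsening a classification) are assumptions of this example, drawn from the pattern visible in the model answer.

```python
# Added example (not from the handout): model-answer FHA rows checked against Table 1.
SEVERITY = ["No safety effect", "Minor", "Major", "Hazardous", "Catastrophic"]
# Classification -> (probability limit per flight or flight hour, assurance level),
# taking the upper edge of each severity band in Table 1.
OBJECTIVES = {"Minor": (1.0, "D"), "Major": (1.0e-5, "C"),
              "Hazardous": (1.0e-7, "B"), "Catastrophic": (1.0e-9, "A")}
LOSS, PARTIAL = "Loss of deceleration capability", "Partial loss of deceleration capability"
AUTO, ASYM = "Loss of automatic stopping capability", "Asymmetric deceleration"
FTA = "S18 Aircraft Fault Tree"
# (failure condition, annunciated? (None = not split), phase, classification, verification)
FHA_ROWS = [
    (LOSS, False, "Landing/RTO", "Catastrophic", FTA),
    (LOSS, True, "Landing", "Hazardous", FTA),
    (LOSS, False, "Taxi", "Major", ""),
    (LOSS, True, "Taxi", "No safety effect", ""),
    ("Inadvertent deceleration after V1", None, "Takeoff", "Catastrophic", FTA),
    (PARTIAL, False, "Landing/RTO", "Hazardous", FTA),
    (PARTIAL, True, "Landing", "Major", ""),
    (PARTIAL, False, "Taxi", "Minor", ""),
    (PARTIAL, True, "Taxi", "No safety effect", ""),
    (AUTO, False, "Landing/RTO", "Major", ""),
    (AUTO, True, "Landing/RTO", "No safety effect", ""),
    (ASYM, False, "Landing/RTO", "Major", ""),
    (ASYM, True, "Landing", "Minor", ""),
    (ASYM, None, "Taxi", "No safety effect", ""),
]

def tightest(rows):
    """Most demanding (probability limit, assurance level) per failure condition."""
    out = {}
    for cond, _, _, cls, _ in rows:
        if cls in OBJECTIVES and (cond not in out or OBJECTIVES[cls][0] < out[cond][0]):
            out[cond] = OBJECTIVES[cls]
    return out

def review(rows):
    """Findings from two review heuristics that are assumptions of this example."""
    findings, base = [], {}
    for cond, ann, phase, cls, _ in rows:
        if ann is False:  # remember the unannunciated severity per leading phase
            base[(cond, phase.split("/")[0])] = SEVERITY.index(cls)
    for cond, ann, phase, cls, verif in rows:
        rank = SEVERITY.index(cls)
        if rank >= SEVERITY.index("Hazardous") and not verif:
            findings.append(f"{cond} ({phase}): {cls} without a verification method")
        if ann is True and rank > base.get((cond, phase.split("/")[0]), rank):
            findings.append(f"{cond} ({phase}): annunciated case is more severe")
    return findings
```

`tightest(FHA_ROWS)` gives the objective that the system-level FHA and PSSA would inherit for each failure condition; `review(FHA_ROWS)` returns an empty list for the model answer as written.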