RCE SUPPLEMENTARY TRAINING


1 RCE SUPPLEMENTARY TRAINING
THE "SYSTEM SAFETY ASSESSMENT" PROCESS, 26 OCTOBER 2004

2 OBJECTIVE: To comment on the
System Safety Assessment Process in the certification of transport aircraft (from the certifying authority's perspective).

3 OBJECTIVE: TO LEAVE THE FOLLOWING MESSAGE:
THE CERTIFYING AUTHORITY MUST UNDERSTAND SYSTEM SAFETY AS A SUBJECT FAR BROADER THAN COMPLIANCE WITH REQUIREMENTS. EVER-GREATER SUPPORT FROM THE RCE IS ESSENTIAL.

4 HOW DO WE ENSURE SAFETY?
1. MANAGEMENT COMMITMENT? 2. INCREASED RELIABILITY? 3. STRICTER CERTIFICATION REQUIREMENTS? 4. BETTER QUALITY CONTROL? 5. RISK IDENTIFICATION?
"How do we increase safety in aviation?" Compliance with the aeronautical regulations, for example the FAR (Federal Aviation Regulations), is the most obvious answer. These requirements cover many different aspects: design, maintenance, operation, training, etc. For example:
Part 23: Airworthiness Standards: Normal, Utility, Acrobatic, and Commuter Category Airplanes
Part 25: Airworthiness Standards: Transport Category Airplanes
Part 27: Airworthiness Standards: Normal Category Rotorcraft
Part 61: Certification: Pilots, Flight Instructors, and Ground Instructors
Part 91: General Operating and Flight Rules
Some requirements are quite specific, as in the case of the well-known 25.901(c). It is with a view to complying with these requirements that one speaks of the "System Safety Assessment", a process that, by analysing the functions of the aircraft and the systems that perform those functions, aims to identify the so-called "hazardous conditions" and reduce the risks associated with them to an acceptable level. But there is much more: military aircraft, defence systems, ships, submarines, rockets. In these cases the terminology may vary, and one speaks more of System Safety Programs, Safety Management and Risk Management. But the fundamental concepts, qualitative and quantitative, do not change.

5 THIS IS NOT A LECTURE BUT AN EXCHANGE OF IDEAS
THIS IS NOT A LECTURE BUT AN EXCHANGE OF IDEAS. COMMENTS ARE VERY WELCOME.

6 HOW DO WE ENSURE SAFETY?
SYSTEM SAFETY ASSESSMENT; SYSTEM SAFETY MANAGEMENT; SYSTEM SAFETY PROGRAM; DEVELOPMENT ASSURANCE

7 OVERVIEW:
1 GENERAL CONSIDERATIONS
2 SYSTEM SAFETY ASSESSMENT
3 ONGOING SAFETY ASSESSMENT
4 SAFETY OBJECTIVES
5 RELIABILITY ENGINEERING
6 SSA: A NEW APPROACH
7 ARP 4754
8 SPECIFIC RISK

8 REFERENCES:
1 ARP 4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
2 ARP 4754: Certification Considerations for Highly-Integrated or Complex Aircraft Systems
3 ARP 5150: Safety Assessment of Transport Airplanes in Commercial Service
4 RTCA/DO-178: Software Considerations in Airborne Systems and Equipment Certification
5 RTCA/DO-254: Design Assurance Guidance for Airborne Electronic Hardware
6 CERTIFICATION BASIS: ERJ 170/190

9 General Considerations

10 HOW DO WE ENSURE SAFETY?
SYSTEM: an aggregate of organizations, people, infrastructure, equipment, procedures, rules and information used to ensure that the product or service fulfils its expected function.

11 HOW DO WE ENSURE SAFETY?
Safety: Freedom from unacceptable risk.

12 HOW DO WE ENSURE SAFETY?
SYSTEM SAFETY: The application of engineering and management principles, criteria, and techniques to optimize all aspects of safety within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle. (MIL-STD-882C, Standard Practice for System Safety).

13 HOW DO WE ENSURE SAFETY?
SYSTEM SAFETY ENGINEERING: An engineering discipline requiring specialized professional knowledge and skills applying scientific and engineering principles, criteria, and techniques to identify and eliminate hazards, in order to reduce the associated risk. (MIL-STD-882C).

14 HOW DO WE ENSURE SAFETY?
SYSTEM SAFETY MANAGEMENT: A management discipline that defines the system safety program requirements and ensures the planning, implementation, and accomplishment of system safety tasks and activities consistent with the overall program requirements. (MIL-STD-882C).

15 HOW DO WE ENSURE SAFETY?
SYSTEM SAFETY PROGRAM: The combined tasks and activities of system safety management and system safety engineering implemented by acquisition project managers. (MIL-STD-882C).

16 HOW DO WE ENSURE SAFETY?
SYSTEM SAFETY MANAGEMENT DECISION-MAKING PROCESS: How much does it cost? Is it safe?

17 HOW DO WE ENSURE SAFETY?
SYSTEM SAFETY: THE PRODUCT and its LIFE CYCLE; THE ORGANIZATION

18 SAFETY MANAGEMENT
THE IMPORTANCE OF SYSTEM SAFETY. "The goals of system safety can be achieved only with the support of management: a sincere commitment to safety by management is perhaps the most important factor in achieving it." An Air Force study of system safety concluded: "Air Force top management support of system safety has not gone unnoticed by contractors (...)" An example of how this result was accomplished was the B-1B program, in which the Program Manager or Deputy Manager chaired the meetings of the group where safety decisions were made.

19 SAFETY MANAGEMENT
SYSTEM SAFETY AND ITS POSITION IN THE ORGANIZATIONAL STRUCTURE: a direct link to the decision makers; independence from other supporting disciplines such as Reliability and Quality Assurance; direct communication channels with most parts of the organization. It must have influence on decision making. It must have focus and coordination.

20 SAFETY MANAGEMENT (AN EXAMPLE)
System safety needs direct communication paths to most parts of the organization: system safety, industrial safety, reliability engineering, manufacturing, operations, contracting, project engineering, quality assurance.

21 (Diagram: the five M's, Money, Management, Man, Medium, Machine, around the MISSION.)

22 SYSTEM SAFETY ASSESSMENT

23 SYSTEM SAFETY ASSESSMENT PROCESS
The complete process applied during the design of the system to establish safety objectives and to demonstrate compliance with RBHA/FAR/JAA and other safety-related requirements. (ARP 4761) Key elements: 1. SAFETY OBJECTIVES; 2. SHOWING COMPLIANCE; 3. SAFETY-RELATED REQUIREMENTS.

24 THE SSA PROCESS IN A NUTSHELL
(Diagram; elements recovered from the slide:) criticality validation (FFS, A/C, SITS, FTs); performance and flight dynamics analysis; certification plan and CCD (requirements); FHA of aircraft systems, software and complex hardware, HIRF/lightning; cascade failure propagation (CMA); HIRF/lightning certification process; analysis and testing (actual A/C, Iron Bird, SITS, electric rig); SA of aircraft systems (including flight controls and propulsion); dormant faults (1309 §9.c.(6), P<10E-3 for flight controls); SW/complex HW certification process.

25 SYSTEM SAFETY ASSESSMENT
FHA: identification of all failure conditions, together with the rationale for their classification. The output of the FHA is used as the starting point for conducting the PSSA.

26 SYSTEM SAFETY ASSESSMENT
The PSSA is a systematic examination of the proposed system architectures to determine how they can cause the functional hazards identified in the FHA and fail to satisfy the Safety Objectives. Its objective is to establish safety requirements for systems, items and HW/SW (it is performed in multiple stages).

27 FHA

28 SYSTEM SAFETY ASSESSMENT
Relationship between FHA, FTA and FMEA (diagram, top-down, concept and architecture stage). Aircraft FHA: loss of deceleration capability. Aircraft FTA: loss of deceleration capability, developed into loss of thrust reverser, loss of effective wheel braking (loss of wheel braking) and loss of speed brakes on a wet runway.

29 SYSTEM SAFETY ASSESSMENT
The SSA is a systematic, comprehensive evaluation of the implemented systems to show that the Safety Objectives of the FHA and the Safety Requirements derived from the PSSA are met. The SSA is based on the FTAs of the PSSA and uses quantitative values obtained from the FMEAs. It also includes the results of the CCAs.

30 SYSTEM SAFETY ASSESSMENT
Preliminary design stage (diagram, top-down). System FHAs for the landing gear, hydraulic, electric and braking systems: LOSS OF WHEEL BRAKING. System PFTAs for the electric, hydraulic and braking systems: loss of wheel braking, developed into loss of normal braking and loss of alternate braking.

31 SYSTEM SAFETY ASSESSMENT
Relationship between FHA, FTA and FMEA across the design stages (diagram):
CONCEPT AND ARCHITECTURE (top-down, quantitative): Aircraft FHA and Aircraft FTA, loss of deceleration capability, developed into loss of thrust reverser, loss of effective wheel braking and loss of speed brakes on a wet runway.
PRELIMINARY DESIGN (top-down): System FHAs (landing gear, electric, hydraulic, pneumatic, braking): LOSS OF WHEEL BRAKING; System PFTAs: loss of wheel braking, developed into loss of normal braking and loss of alternate braking.
DETAILED DESIGN (bottom-up, quantitative): Component FMEAs (accumulator, brake metering valve, anti-skid computer, brake control valve); Systems FMEAs (electric, hydraulic, pneumatic, braking system); the final SSA FTAs for loss of wheel braking, loss of normal braking and loss of alternate braking close the loop.

32 SYSTEM SAFETY ASSESSMENT
(Diagram: design process and system concept.)

33 SYSTEM SAFETY ASSESSMENT

34 FAULT TREE ANALYSIS: A method widely used in the aerospace, electronics and nuclear industries. Originally developed in 1961 to evaluate the "Minuteman Launch Control System". Three "top events" were considered: accidental engine ignition, launch failure, and inadvertent (unexpected) launch.

35 ARP 4761: GUIDELINES AND METHODS FOR CONDUCTING THE SAFETY ASSESSMENT PROCESS ON CIVIL AIRBORNE SYSTEMS AND EQUIPMENT. Analysis methods used in SSA: Fault Tree Analysis / Dependence Diagrams / Markov Analysis (FT/DD/MA); Failure Mode and Effects Analysis (FMEA); Failure Modes and Effects Summary (FMES); Common Cause Analysis (CCA), comprising Zonal Safety Analysis (ZSA), Particular Risk Analysis (PRA) and Common Mode Analysis (CMA).

36 FAULT TREE ANALYSIS TOP EVENT (T): “no flow of water to reactor”

37 FAULT TREE ANALYSIS TOP EVENT (T): “no flow of water to reactor”
C = “valve V fails closed” A = “pump 1 fails to run” B = “pump 2 fails to run”

38 FAULT TREE ANALYSIS: MINIMAL CUT SETS
TOP EVENT (T): "no flow of water to reactor". C = "valve V fails closed", A = "pump 1 fails to run", B = "pump 2 fails to run". MINIMAL CUT SETS: the smallest combinations of failures which, if they occur, will cause the top event to occur. MINIMAL CUT SETS here: C (a single component) and A.B (two components).
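The cut set extraction described above, as an added example that is not part of the original presentation: the "no flow of water to reactor" tree is encoded as OR/AND gates and its minimal cut sets are found by expanding the gates and discarding supersets. The nested-tuple encoding and the second, deliberately non-minimal tree are constructed for this example.

```python
"""Minimal cut sets of the 'no flow of water to reactor' fault tree.

The tree of the slides is T = C OR (A AND B), with
  C = valve V fails closed, A = pump 1 fails to run, B = pump 2 fails to run.
Gate expansion and superset removal are the standard method; the nested-tuple
encoding of the tree is constructed for this example.
"""
from itertools import product

# A node is a basic-event name (str) or a tuple (gate, [child nodes]).
NO_FLOW_TREE = ("OR", ["C", ("AND", ["A", "B"])])

# Constructed variant with a redundant branch: A.B.C is a cut set but not a
# minimal one, because C alone already causes the top event.
NON_MINIMAL_TREE = ("OR", ["C", ("AND", ["A", "B"]), ("AND", ["A", "B", "C"])])


def cut_sets(node):
    """All cut sets of a node, as frozensets of basic events (not yet minimal)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any cut set of any input alone produces the gate output.
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        # One cut set of every input must occur together: take their union.
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(tree):
    """Keep only the cut sets that contain no other cut set as a proper subset."""
    sets = set(cut_sets(tree))
    return {cs for cs in sets if not any(other < cs for other in sets)}


def single_point_failures(tree):
    """Basic events forming an order-1 minimal cut set: one failure suffices
    for the top event (what 25.1309(b)(1)(ii) excludes for catastrophic conditions)."""
    return {event for cs in minimal_cut_sets(tree) if len(cs) == 1 for event in cs}


def describe(tree):
    """Human-readable minimal cut sets, lowest order first, e.g. ['C', 'A.B']."""
    ordered = sorted(minimal_cut_sets(tree), key=lambda cs: (len(cs), sorted(cs)))
    return [".".join(sorted(cs)) for cs in ordered]


if __name__ == "__main__":
    print("minimal cut sets:", describe(NO_FLOW_TREE))
    print("single-point failures:", sorted(single_point_failures(NO_FLOW_TREE)))
```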

39 ONGOING SAFETY ASSESSMENT

40 DESIGN, MANUFACTURING, OPERATION
HOW DO WE ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. QUANTITATIVE METHODS (required for Hazardous and Catastrophic Failure Conditions), per ARP 4761: Fault Tree Analysis (FTA); Dependence Diagrams (DD); Markov Analysis (MA) (not studied in this course); Failure Modes and Effects Analysis (FMEA). This publication does not cover important aspects of Reliability Engineering such as, for example, reliability modelling and prediction ("Reliability Prediction").

41 DESIGN, MANUFACTURING, OPERATION
HOW DO WE ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. Quality control: sampling theory, statistics.

42 DESIGN, MANUFACTURING, OPERATION
HOW DO WE ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. Maintainability and availability theory; incorporation of maintenance requirements into the design; ARP 5150: Safety Assessment of Transport Airplanes in Commercial Service.

43 DESIGN, MANUFACTURING, OPERATION
HOW DO WE ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. ARP 5150: Safety Assessment of Transport Airplanes in Commercial Service. Guidelines, methods and tools used to perform the ongoing safety assessment process, intended to support an overall safety management program. Addresses the "Is it safe?" part of safety management. Provides a systematic process to measure and monitor safety, to help determine safety priorities and focus available resources in the areas that offer the greatest potential to improve aviation safety. A compendium of best safety practices gathered together as a reference.

44 DESIGN, MANUFACTURING, OPERATION
HOW DO WE ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. ONGOING SAFETY ASSESSMENT PROCESS: Safety Assessment is the monitoring, identification, assessment and prioritization, according to hazard level and probability of occurrence, of the risks associated with operations in a company. A process dedicated to assuring that risk is identified and managed properly within established limits; a process of identifying, estimating and prioritizing each risk, assessing accident and injury, and determining whether action should be considered.

45 ONGOING SAFETY ASSESSMENT PROCESS
1 ESTABLISH MONITOR PARAMETERS; 2 MONITOR FOR EVENTS; 3 ASSESS EVENT & RISK; 4 DEVELOP ACTION PLAN; 5 DISPOSITION.

46 ONGOING SAFETY ASSESSMENT PROCESS
1 ESTABLISH MONITOR PARAMETERS; 2 MONITOR FOR EVENTS; 3 ASSESS EVENT & RISK; 4 DEVELOP ACTION PLAN; 5 DISPOSITION. Appendices listed on the slide:
Appendix A Safety Significant Event Reference Lists
Appendix B Data Sources and Programs
Appendix C Qualitative Risk Assessment
Appendix D Quantitative Risk Assessment
Appendix E Root Cause (Event Tree) Analysis
Appendix F Weibull Analysis
Appendix G Monte Carlo Analysis
Appendix H Reliability Growth Modeling
Appendix I Flight Operational Quality Assurance (FOQA)
Appendix J Maintenance Error Decision Aid (MEDA)
Appendix K Operator Service Bulletin Process
Appendix L Manufacturer Service
Appendix M Airworthiness Directive Development Process
Appendix N Hazard Tracking
Appendix O Lessons Learned

47 QUANTITATIVE METHODS
When conducting quantitative FT/DD/MA, the probabilities are estimated from the failure rates and exposure times of the events. Probability calculations for civil aircraft certification are based on the probabilities calculated for all the aircraft of the same type. For the purpose of these analyses, the failure rates are usually assumed to be constant over time and are estimates of mature failure rates after infant mortality and prior to wear-out. If wear-out or infant mortality is a consideration, then other methods would need to be employed, for example life limitations or enhanced burn-in. Failing that, other distributions (e.g. Weibull) have to be applied or Monte Carlo simulation could be used. But this is beyond the scope of this document. The analysis should calculate the average probability of occurrence per flight hour for the failure condition, assuming a typical flight of average duration and considering the appropriate exposure and at-risk times (ARP 4761).
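A worked quantitative evaluation in the style of the ARP 4761 passage above, added here and not taken from the presentation or from the ARP: the cut sets {C} and {A, B} of the earlier fault tree are combined with constant failure rates and exposure times (one flight for events monitored every flight, the check interval for a latent one) to obtain the average probability per flight hour, both exactly and with the rare-event approximation. Rates, flight duration and check interval are constructed sample values.

```python
"""Quantitative fault tree evaluation from constant failure rates and exposure
times, in the spirit of the ARP 4761 passage above. Example code written for
this page, not taken from ARP 4761; all numbers below are constructed.

Basic event over its exposure time t at constant rate lambda:
    P = 1 - exp(-lambda * t)  ~=  lambda * t   (rare-event approximation)
An event monitored every flight is exposed for one flight; a latent (dormant)
event is exposed for the interval between the checks that would reveal it,
taken here conservatively as the whole interval.
"""
from itertools import combinations
from math import exp, prod

FLIGHT_HOURS = 3.0  # constructed average flight duration

# Minimal cut sets of the fault tree of the earlier slides: T = C OR (A AND B).
MINIMAL_CUT_SETS = [frozenset({"C"}), frozenset({"A", "B"})]

# event -> (failure rate per hour, exposure time in hours); constructed values.
# A (pump 1) and C (valve V) are assumed monitored every flight; B (pump 2) is
# assumed to be a standby unit whose failure is only revealed by a 500 h check.
EVENTS = {
    "A": (1.0e-5, FLIGHT_HOURS),
    "B": (1.0e-5, 500.0),
    "C": (2.0e-8, FLIGHT_HOURS),
}


def event_probability(rate, exposure, rare_event=False):
    """Probability that a constant-rate event occurs within its exposure time."""
    return rate * exposure if rare_event else 1.0 - exp(-rate * exposure)


def cut_set_probability(cut_set, events, rare_event=False):
    """Independent basic events: the probability of a cut set is the product."""
    return prod(event_probability(*events[e], rare_event) for e in cut_set)


def top_event_probability(cut_sets, events, rare_event=False):
    """Exact probability that at least one cut set occurs (inclusion-exclusion
    over the cut sets), valid for independent events even when cut sets overlap."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for group in combinations(cut_sets, k):
            merged = frozenset().union(*group)  # all cut sets in the group occur
            total += (-1) ** (k + 1) * cut_set_probability(merged, events, rare_event)
    return total


def rare_event_sum(cut_sets, events):
    """Rare-event approximation of the top event: sum of the cut set probabilities."""
    return sum(cut_set_probability(cs, events, rare_event=True) for cs in cut_sets)


def average_probability_per_flight_hour(cut_sets, events, flight_hours=FLIGHT_HOURS):
    """The figure compared with the safety objectives: probability of the failure
    condition on an average flight, divided by the average flight duration."""
    return top_event_probability(cut_sets, events) / flight_hours


if __name__ == "__main__":
    print(f"exact per flight:        {top_event_probability(MINIMAL_CUT_SETS, EVENTS):.3e}")
    print(f"rare-event per flight:   {rare_event_sum(MINIMAL_CUT_SETS, EVENTS):.3e}")
    print(f"average per flight hour: {average_probability_per_flight_hour(MINIMAL_CUT_SETS, EVENTS):.3e}")
```

With these constructed values the latent pump failure dominates: a latent event contributes its whole check interval to the exposure, which is why dormant faults get the separate treatment the slides mention.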

48 Weibull Distribution

49 VAI 11.1 EMB-190 SSA-ICA Process
Linkage BETWEEN SYSTEM SAFETY ASSESSMENT AND ICA: During the safety assessment process associated with § compliance, useful information or instructions associated with the continued airworthiness of the airplane might be identified. This information should be made available to those compiling the Instructions for Continued Airworthiness covered by §

50 Safety Objectives

51 HOW DO WE ENSURE SAFETY?
HOW SAFE IS SAFE ENOUGH? After the Three Mile Island accident, the NRC (Nuclear Regulatory Commission) established qualitative and quantitative safety goals. For example: "The likelihood of a nuclear reactor accident that results in a large-scale core melt should normally be less than one in 10,000 per year of reactor operation." "The risk to the population near a nuclear power plant of cancer fatalities that might result from nuclear power plant operation should not exceed one tenth of one percent (0.1 %) of the sum of cancer fatality risks resulting from all other causes."

52 HOW DO WE INCREASE SAFETY?
HOW SAFE IS SAFE ENOUGH? On 17 July 1996 a Trans World Airlines Boeing 747, registered N93119, departed New York-JFK for a flight (TWA 800) to Paris. About 12 minutes after takeoff, while climbing through 13,700 ft, an explosion occurred and the aircraft broke up. Flaming debris fell into the sea. All 229 occupants were killed. As a consequence, the White House Commission on Aviation Safety and Security (Gore Commission) was established. Together with the National Civil Aviation Review Commission (1997), it called for: a reduction of fatal accidents in commercial aircraft by 80% in 10 years (by 2007); a tenfold reduction in the accident rate in 20 years. SAFETY OBJECTIVES MUST BE DEFINED. The FAA and the manufacturers formed the Commercial Aviation Safety Team (CAST).

53 HOW DO WE ENSURE SAFETY?
RISK ASSESSMENT: R = P × D, where P = probability and D = damage. RISK MATRIX and RISK INDICES.

54 HAZARD SEVERITY CATEGORIES
DESCRIPTION / CATEGORY / DEFINITION
CATASTROPHIC / I / Death, system loss, or severe environmental damage
CRITICAL / II / Severe injury, severe occupational illness, major system or environmental damage
MARGINAL / III / Minor injury, minor occupational illness, major system or environmental damage
NEGLIGIBLE / IV / Less than minor injury, occupational illness, or less than minor system or environmental damage

55 HAZARD PROBABILITY LEVELS
DESCRIPTION / LEVEL / SPECIFIC INDIVIDUAL ITEM / FLEET OR INVENTORY
FREQUENT / A / Likely to occur frequently / Continuously experienced
PROBABLE / B / Will occur several times in the life of the item / Will occur frequently
OCCASIONAL / C / Likely to occur some time in the life of an item / Will occur several times
REMOTE / D / Unlikely but possible to occur in the life of an item / Unlikely but can reasonably be expected to occur
IMPROBABLE / E / So unlikely, it can be assumed occurrence may not be experienced / Unlikely to occur, but possible

56 HAZARD SEVERITY CATEGORIES
Risk matrix: frequency of occurrence (rows) by hazard severity category (columns I CATASTROPHIC, II CRITICAL, III MARGINAL, IV NEGLIGIBLE):
FREQUENT (A): 1A, 2A, 3A, 4A
PROBABLE (B): 1B, 2B, 3B, 4B
OCCASIONAL (C): 1C, 2C, 3C, 4C
REMOTE (D): 1D, 2D, 3D, 4D
IMPROBABLE (E): 1E, 2E, 3E, 4E

57 HAZARD SEVERITY CATEGORIES
Hazard risk index: frequency of occurrence (rows) by hazard severity category (columns I CATASTROPHIC, II CRITICAL, III MARGINAL, IV NEGLIGIBLE):
FREQUENT: 1, 3, 7, 13
PROBABLE: 2, 5, 9, 16
OCCASIONAL: 4, 6, 11, 18
REMOTE: 8, 10, 14, 19
IMPROBABLE: 12, 15, 17, 20

58 Risk Reduction / Mitigation
ARP 5151: SAFETY ASSESSMENT OF GENERAL AVIATION AIRPLANES & ROTORCRAFT IN COMMERCIAL SERVICE, the "Ongoing Safety Assessment Process", SAE S-18 GAR Subcommittee, General Aviation airplanes and Rotorcraft (GAR). Process steps (diagram): Hazard Identification; Risk Assessment; Risk Reduction / Mitigation; Risk Control Implementation; Hazard Tracking.

59 HOW DO WE ENSURE SAFETY?
RISK MANAGEMENT: Program, Phases, Steps of the Management Process. 1. First Phase: STEP 1: Define the requirements for implementing the management. 2. All Phases (sequentially): STEP 2: Risk identification and assessment. STEP 3: Decision and action (analyse the acceptability of the risks and the options for reducing them). STEP 4: Risk control, communication and acceptance.

60 HAZARD SEVERITY
DESCRIPTION / CATEGORY / DEFINITION
CATASTROPHIC / 1 / Fatal injury or aircraft severe damage or loss
CRITICAL / 2 / Severe injury or substantial aircraft damage
MARGINAL / 3 / Minor injury or minor damage
NEGLIGIBLE / 4 / No significant effects

61 HAZARD PROBABILITY LEVELS
DESCRIPTION / LEVEL / FLEET OR INVENTORY
FREQUENT / A / Continuously experienced
PROBABLE / B / Will occur frequently
OCCASIONAL / C / Will occur several times
REMOTE / D / Unlikely but can reasonably be expected to occur
IMPROBABLE / E / Unlikely to occur, but possible

62 HAZARD SEVERITY CATEGORIES
Qualitative risk level: frequency of occurrence (rows) by hazard severity category (columns I CATASTROPHIC, II CRITICAL, III MARGINAL, IV NEGLIGIBLE):
FREQUENT: Extremely High, Extremely High, High, Medium
PROBABLE: Extremely High, High, Medium, Low
OCCASIONAL, REMOTE, IMPROBABLE (remaining cells in the order extracted; some cells were lost): High, High, Medium, Medium, Medium, Medium, Low, Low, Low

63 25.1309 Equipment, systems, and installations.
(a) The equipment, systems, and installations whose functioning is required by this subchapter must be designed to ensure that they perform their intended functions under any foreseeable operating condition. (b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that: (1) The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and (2) The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable. Example of risk assessment ( ).

64 FAILURE CONDITION (SEVERITY) CLASSIFICATIONS
(1) No Safety Effect: Failure Conditions that would have no effect on safety; for example, Failure Conditions that would not affect the operational capability of the airplane or increase crew workload. (2) Minor: Failure Conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities. Minor Failure Conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in workload, such as routine flight plan changes, or some physical discomfort to passengers or cabin crew. (3) Major: Failure Conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in workload or in conditions impairing crew efficiency, or discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries. Example of risk assessment. Harmonized material AC/AMJ (Arsenal Version), System Design and Analysis.

65 25.1309 Equipment, systems, and installations (HARMONIZED)
(b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed and installed so that: (1) Each catastrophic failure condition (i) is extremely improbable; and (ii) does not result from a single failure; and (2) Each hazardous failure condition is extremely remote; and (3) Each major failure condition is remote. Example of risk assessment ( ).

66 FAILURE CONDITION (SEVERITY) CLASSIFICATIONS
HAZARDOUS: Failure Conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be: a large reduction in safety margins or functional capabilities; physical distress or excessive workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; or serious or fatal injury to a relatively small number of the occupants other than the flight crew. CATASTROPHIC: Failure Conditions which would result in multiple fatalities, usually with the loss of the airplane (would prevent continued safe flight and landing). AC/AMJ (Arsenal Version), System Design and Analysis.

67 SAFETY OBJECTIVES
(1) Probable Failure Conditions are those anticipated to occur one or more times during the entire operational life of each airplane.
(2) Remote Failure Conditions are those unlikely to occur to each airplane during its total life, but which may occur several times when considering the total operational life of a number of airplanes of the type.
(3) Extremely Remote Failure Conditions are those not anticipated to occur to each airplane during its total life but which may occur a few times when considering the total operational life of all airplanes of the type.
(4) Extremely Improbable Failure Conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type.

68 HAZARD SEVERITY CATEGORIES
Example of a risk tolerability matrix, following a suggested change to the FAR (adopted in the 170 Program through FCAR HSI-15). Columns: CATASTROPHIC (1), HAZARDOUS (2), MAJOR (3), MINOR (4), NO SAFETY EFFECT (4). Rows, by frequency of occurrence:
A (NO PROBABILITY REQUIREMENT): 1A, 2A, 3A, 4A, 4A
B (PROBABLE): 1B, 2B, 3B, 4B, 4B
C (REMOTE): 1C, 2C, 3C, 4C, 4C
D (EXTREMELY REMOTE): 1D, 2D, 3D, 4D, 4D
E (EXTREMELY IMPROBABLE): 1E, 2E, 3E, 4E, 4E

69 Primary causes of accidents:
Commercial jet fleet (figure). Source: Boeing

70 SAFETY OBJECTIVES
SERIOUS ACCIDENTS: 1 per 10^6 flight hours. 10% CAUSED BY SYSTEMS: 1 per 10^7 flight hours. 100 potentially CATASTROPHIC failure conditions: 1 per 10^9 flight hours each. Hence <10^-9: the AVERAGE probability per flight hour for Catastrophic conditions would be 1×10^-9.

71 SAFETY OBJECTIVES: <10^-3, <10^-5, <10^-7, <10^-9
Quantitative safety requirements ("Safety Objectives"):
(1) Probable Failure Conditions are those anticipated to occur one or more times during the entire operational life of each airplane. <10^-3
(2) Remote Failure Conditions are those unlikely to occur to each airplane during its total life, but which may occur several times when considering the total operational life of a number of airplanes of the type. <10^-5
(3) Extremely Remote Failure Conditions are those not anticipated to occur to each airplane during its total life but which may occur a few times when considering the total operational life of all airplanes of the type. <10^-7
(4) Extremely Improbable Failure Conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type. <10^-9
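A compliance check that combines the quantitative objectives above with the harmonized 25.1309(b) wording, added here as an example and not taken from the presentation: each failure condition is tested against the probability limit of its class and, for catastrophic conditions, against the no-single-failure rule using the order of its minimal cut sets. The sample failure conditions and their numbers are constructed.

```python
"""Checking failure conditions against the quantitative safety objectives of
the slides and the harmonized 25.1309(b) rule. Example code written for this
page; the class limits are the slides' values, the sample conditions are
constructed.
"""

# Upper limit on the average probability per flight hour for each class.
OBJECTIVES = {
    "CATASTROPHIC": 1e-9,      # extremely improbable
    "HAZARDOUS": 1e-7,         # extremely remote
    "MAJOR": 1e-5,             # remote
    "MINOR": 1e-3,             # probable
    "NO SAFETY EFFECT": None,  # no probability requirement
}
SEVERITY_ORDER = ["CATASTROPHIC", "HAZARDOUS", "MAJOR", "MINOR", "NO SAFETY EFFECT"]


def meets_objective(classification, probability_per_fh):
    """True when the probability is below the class limit (or no limit applies)."""
    limit = OBJECTIVES[classification]
    return limit is None or probability_per_fh < limit


def single_failures(minimal_cut_sets):
    """Basic events that alone produce the failure condition (order-1 cut sets)."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets if len(cs) == 1)


def assess(name, classification, probability_per_fh, minimal_cut_sets):
    """Return (compliant, findings): the probability objective for every class,
    plus the no-single-failure rule of 25.1309(b)(1)(ii) for catastrophic ones."""
    findings = []
    if not meets_objective(classification, probability_per_fh):
        findings.append(f"{name}: {probability_per_fh:.1e}/FH does not meet the "
                        f"{classification} objective (< {OBJECTIVES[classification]:.0e}/FH)")
    if classification == "CATASTROPHIC":
        singles = single_failures(minimal_cut_sets)
        if singles:
            findings.append(f"{name}: results from a single failure: {singles}")
    return (not findings, findings)


def most_severe_class_supported(probability_per_fh, minimal_cut_sets):
    """Most severe classification this architecture could satisfy, given its
    probability and (for catastrophic) the absence of single-failure cut sets."""
    for classification in SEVERITY_ORDER:
        if not meets_objective(classification, probability_per_fh):
            continue
        if classification == "CATASTROPHIC" and single_failures(minimal_cut_sets):
            continue
        return classification
    return SEVERITY_ORDER[-1]


# Constructed sample conditions: class, average probability/FH, minimal cut sets.
SAMPLE_CONDITIONS = {
    "Loss of deceleration capability": (
        "CATASTROPHIC", 7.0e-8, [frozenset({"C"}), frozenset({"A", "B"})]),
    "Loss of normal braking": (
        "MAJOR", 2.0e-6, [frozenset({"H1", "H2"})]),
}


def assess_all(conditions=SAMPLE_CONDITIONS):
    """Map each condition name to its (compliant, findings) result."""
    return {name: assess(name, *spec) for name, spec in conditions.items()}


if __name__ == "__main__":
    for name, (ok, findings) in assess_all().items():
        print(f"{name}: {'compliant' if ok else 'NOT compliant'}")
        for finding in findings:
            print("  -", finding)
```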

72 <10^-3, <10^-5, <10^-7, <10^-9

73 RELIABILITY ENGINEERING

74 DEFINITION OF RELIABILITY
The probability that a product or service operates as expected for a specified period of time ("design life") under the operating conditions envisaged in the design. Reliability is therefore failure-free operation under specified operating conditions, for a specified period.

75 RARE-EVENT APPROXIMATION

76 RELIABILITY MODELLING 1
Components of a Tape Cassette. Components and failure rates of the tape (component, function, failure rate):
1 Feed spool, advances the tape, 0.0003
2 Take-up spool, guides the tape, 0.0002
3 Erase head, erases the contents of the tape, 0.0005
4 Record/replay head, transforms magnetized, 0.0008
5 Pressure pad, supports tape, 0.0001
6 Pinch wheel, provides tension in tape, (rate not given)
7 Capstan, ensures flatness of tape, (rate not given)

77 SERIES SYSTEM: Example of a Reliability Block Diagram (RELIABILITY BLOCK DIAGRAMS)
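A reliability block diagram evaluation for the series cassette of the preceding slides, added here as an example and not taken from the presentation: constant-rate blocks are combined in series and, as a constructed what-if, in parallel, and the age-independence of the constant-rate model (slide 97) is checked. The slide's rates are taken as failures per hour (an assumption; the slide gives no unit), and the two components without a rate are omitted.

```python
"""Reliability block diagram (RBD) evaluation under constant failure rates.
Example code written for this page, not from the slides. The component rates
are those listed on the preceding slide and are assumed to be failures per
hour (the slide gives no unit); the pinch wheel and capstan, whose rates are
not given, are left out.
"""
from math import exp

# Component -> failure rate lambda (assumed per hour), from the slide.
TAPE_COMPONENTS = {
    "feed spool": 0.0003,
    "take-up spool": 0.0002,
    "erase head": 0.0005,
    "record/replay head": 0.0008,
    "pressure pad": 0.0001,
}


def reliability(rate, t):
    """R(t) = exp(-lambda t): probability a constant-rate block survives to t."""
    return exp(-rate * t)


def series(rates, t):
    """Every block must survive: R = prod R_i = exp(-(sum lambda_i) t)."""
    return exp(-sum(rates) * t)


def parallel(rates, t):
    """Redundant blocks, any one suffices: R = 1 - prod (1 - R_i)."""
    unreliability = 1.0
    for rate in rates:
        unreliability *= 1.0 - reliability(rate, t)
    return 1.0 - unreliability


def series_mtbf(rates):
    """Constant-rate blocks in series form a constant-rate system of rate
    sum(lambda_i); its mean time between failures is the reciprocal."""
    return 1.0 / sum(rates)


def tape_reliability(t, redundant_head=False):
    """Cassette reliability at t hours. With redundant_head=True a second
    record/replay head is placed in parallel (a constructed what-if)."""
    rates = dict(TAPE_COMPONENTS)
    head = rates.pop("record/replay head")
    head_block = parallel([head, head], t) if redundant_head else reliability(head, t)
    return series(rates.values(), t) * head_block


def age_independent(rates, age, mission):
    """Constant rates: the probability of surviving a mission given survival to
    'age' equals the unconditioned R(mission), i.e. reliability does not
    depend on age (the consequence of the constant-rate model stated on slide 97)."""
    rates = list(rates)
    conditional = series(rates, age + mission) / series(rates, age)
    return abs(conditional - series(rates, mission)) < 1e-12


if __name__ == "__main__":
    print(f"R(100 h) = {tape_reliability(100):.4f}")
    print(f"R(100 h) with redundant head = {tape_reliability(100, True):.4f}")
    print(f"MTBF = {series_mtbf(TAPE_COMPONENTS.values()):.1f} h")
```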

78 Automatic Dependent Surveillance
Telecommunication modelling for ATCS: Automatic Dependent Surveillance. AES = Aeronautical earth station; GES = Ground earth station; ARTCC = Air Route Traffic Control Center. Proposed Oceanic Operating Environment (ADS).

79 Telecommunication modelling for ATCS
CMU = Control Module Unit; SDU = Satellite Data Unit; RFU = Radio Frequency Unit. Figure 5: Possible AES Avionics Configuration.

80 Telecommunication modelling for ATCS
Figure 6: Reliability Block Diagram for the AES Avionics.

81 Telecommunication modelling for ATCS
Table: Failure Data of the System's Components (component/subsystem, failure rate in failures/hr):
Satellite data unit (SDU): 2.5 × 10^-6
Communication management unit (CMU): 1.42 × 10^-6
Radio frequency unit (RFU): 0.8 × 10^-6
Aeronautical telecommunications network (ATN): 1.75 × 10^-4
Air route traffic services (ATS): 2.85 × 10^-4
Automatic dependent surveillance unit (ADSU): 5 × 10^-4
Splitter: 3 × 10^-6
Combiner: 5 × 10^-6
High-power antenna (HPA): 6 × 10^-5
High-power relay (HPR): 4 × 10^-6
High-gain antenna (HGA): 4 × 10^-5
Low-gain antenna (LGA): 3.5 × 10^-5
Low-noise antenna (LNA): 2 × 10^-5
Beam steering unit (BSU): 8.7 × 10^-6

82 Automatic Dependent Surveillance
CONCLUSIONS: 1) Most components of the "aeronautical earth station" need to be redesigned to reduce their failure rates. 2) The components of the "air route traffic control center" call for design changes or redundancy for some components or links. 3) The reliability of the "ground earth station" exceeds the minimum requirements of the system. 4) Reliability modelling and estimation techniques can be effective design tools for complex configurations.

83 SYSTEMS MODELLING

84 DETERMINING FAILURE RATES
Reliability Predictions: commonly used in the development of products and systems. Comparison of alternative design approaches. Assessment of progress toward the reliability specifications. They provide insight into safety, maintenance and warranty costs. They are criticized for not being accurate estimates of the real failure rate (approximations without a scientific basis).

85 DETERMINING FAILURE RATES
According to Jensen, "Achieving high reliability is a process of sound design and manufacturing practices. Using handbook predictions for design comparisons is rarely a good idea". It can mislead the designer into selecting a less reliable component over a more reliable one due to the lack of coherence between predicted values. ERRORS ARE CONSERVATIVE. EXAMPLE: the failure rates of the components of the B-757 and B-767 electronic display systems were 20 percent of the MIL-HDBK-217 predictions. Jensen, "Electronic Component Reliability, Fundamental, Modeling, Evaluation, and Assurance", 2nd Edition, John Wiley & Sons, 1985.

86 DETERMINING FAILURE RATES
Example of discrepancies in failure rate estimates.* Table 1: Predicted values of 64K DRAM hazard rate in FITs (1994). *The British Telecom Handbook of Reliability Data HDR 4

87 DETERMINING FAILURE RATES
MIL-HDBK-217, "Reliability Prediction of Electronic Equipment": although it is no longer kept up to date by the US military, it is still the approach most used by military and commercial designers. Bellcore (now Telcordia) TR-332: the Bellcore approach is widely used in the telecommunications industry and was recently updated to SR-332 in May. Very similar to MIL-HDBK-217. RDF 2000: the most recent and complete European methodology, developed by CNET. It has not yet received much attention in the US, but it may evolve into a new worldwide standard if MIL-HDBK-217 remains out of date. Like the PRISM approach, it also models "thermal cycling" and "dormant systems".

88 DETERMINING FAILURE RATES
PRISM: PRISM is a new technology developed by the Reliability Analysis Center that is able to model the effects of "thermal cycling" and "dormancy". Physics-of-Failure: this family of approaches differs significantly from the other, empirical methodologies listed above, in that it seeks the detailed mechanism of the failure. It is used mainly at the sub-device level in the design phase. The IEEE Gold Book, IEEE STD, IEEE Recommended Practice for the Design of Reliable Industrial and Commercial Power Systems, provides data on commercial power distribution systems.

89 DETERMINING FAILURE RATES
Mechanical equipment: a challenge in terms of reliability prediction, because of the specificity and variety of the components and assemblies. These systems are frequently subject to wear, which is normally not a problem in electronics. NPRD-95: the Nonelectronic Parts Reliability Data (NPRD-95) databook is widely used. It is published by the Reliability Analysis Center and provides a compendium of historical in-service failure rates for a wide range of mechanical assemblies. NSWC-94/L07, Handbook of Reliability Prediction Procedures for Mechanical Equipment: this handbook presents a unique approach to the reliability prediction of mechanical components, presenting failure rate models for fundamental classes of electronic components.

90 DETERMINING FAILURE RATES
1) Calculation from "Reliability Handbooks": FMD-97, Failure Mode/Mechanism Distributions, 1997, Reliability Analysis Center, Rome, N.Y.; OREDA, Offshore Reliability Data database.
2) Estimation from field experience: PREVIOUS EXPERIENCE IN SIMILAR SITUATIONS; statistics of removed items (manufacturer, operator).
3) "Ad hoc" laboratory tests: DESIGN OF EXPERIMENTS; USE OF STATISTICAL TECHNIQUES: goodness-of-fit tests, parametric and non-parametric tests.

91 DETERMINATION OF FAILURE RATES
MIL-HDBK-217: failure-rate models for nineteen major categories of electronic components used in modern systems, from microcircuits and discrete semiconductors to passive components (resistors and capacitors). The models were developed by fitting curves to historical failure data collected from field operation and laboratory tests.
Example: low-frequency diodes (MIL-S-19500). Figure: part failure rate built from the Base Failure Rate and the Temperature Factor, Quality Factor, Environmental Factor, Electrical Stress Factor and Contact Construction Factor.

92 DETERMINATION OF FAILURE RATES
FAILURE: "STRESS" exceeds "STRENGTH". Figure: failure distribution of transistors subjected to increasing temperatures.

93 DETERMINATION OF FAILURE RATES
A characteristic of the component population; a consequence of poor design, manufacturing problems and "workmanship". Figure: probability density function of components as seen by the manufacturer or by the end user, when no "burn-in" was performed.

94 Figure: early failures vs. main population failures.

95 Burn-in Experiments: 200 electronic components
The anomalous population represents about 10%. Debugging (burn-in) time: 10 to 20 hours. Figure: Weibull plot of early failures in printed circuit boards tested at 70 °C ambient.

96 LABORATORY TESTS
Premature ("infant mortality") failures represent about 15%. Figure: Weibull plot of early failures in printed circuit boards under conditions of use at 25 °C.

97 CONSTANT FAILURE RATES
Most of the models used in aviation are based on a constant failure rate. This implies that the reliability function of the system does not depend on its age. Underlying assumptions: 1) Equipment enters service after early failures have been eliminated. 2) Equipment completes the mission before the "wear-out" phase sets in (as described by the bathtub curve). 3) The system, from the user's point of view, must be debugged. 4) The failure rate is not susceptible to "overloads", severe "duty cycles" and other factors encountered in service.
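As an added worked example (not part of the original slides), the following Python models the burn-in experiment of slides 95 and 96 and the constant-failure-rate assumption of slide 97: a constructed population in which about 10% of parts are anomalous, a 10 to 20 hour burn-in, and a check that only a shape parameter of 1 (constant rate) makes the mission failure probability independent of age. All population parameters are assumed values.

```python
import math

# Constructed population, loosely following the slide's burn-in experiment:
# about 10% of parts belong to an anomalous ("freak") subpopulation that
# fails early; the remaining 90% follow a constant failure rate (beta = 1).
# Each entry is (fraction, Weibull scale eta in hours, Weibull shape beta).
POPULATION = [
    (0.10, 5.0, 0.5),     # anomalous parts: decreasing hazard, very short life
    (0.90, 1.0e6, 1.0),   # main population: exponential, 1e-6 failures/hour
]

# Reference population with a single constant failure rate (assumed value).
CONSTANT_RATE_ONLY = [(1.0, 1.0e6, 1.0)]


def weibull_survival(t, eta, beta):
    """Weibull reliability R(t) = exp(-(t/eta)^beta)."""
    return math.exp(-((t / eta) ** beta))


def mixture_survival(t, population):
    """Reliability of a mixed population: weighted sum of the subpopulation reliabilities."""
    return sum(f * weibull_survival(t, eta, beta) for f, eta, beta in population)


def anomalous_share_of_survivors(t_burn_in, population):
    """Fraction of the parts still alive after burn-in that belong to the
    anomalous subpopulation (the first entry of `population`)."""
    f, eta, beta = population[0]
    return f * weibull_survival(t_burn_in, eta, beta) / mixture_survival(t_burn_in, population)


def conditional_mission_failure_prob(t_start, mission_hours, population):
    """P(failure during the mission | survived to t_start) = 1 - R(t_start + T) / R(t_start)."""
    r_start = mixture_survival(t_start, population)
    r_end = mixture_survival(t_start + mission_hours, population)
    return 1.0 - r_end / r_start


def is_age_independent(population, mission_hours=2.0,
                       ages=(0.0, 1000.0, 50000.0), tol=1e-9):
    """True when the conditional mission failure probability does not depend on
    the age of the part, which holds only for a pure constant-failure-rate
    (beta = 1) population; the slide's constant-rate models rely on this."""
    probs = [conditional_mission_failure_prob(a, mission_hours, population) for a in ages]
    return max(probs) - min(probs) < tol


if __name__ == "__main__":
    for burn_in in (0.0, 10.0, 20.0):
        share = anomalous_share_of_survivors(burn_in, POPULATION)
        p_mission = conditional_mission_failure_prob(burn_in, 2.0, POPULATION)
        print(f"burn-in {burn_in:5.1f} h: anomalous share {share:.3%}, "
              f"P(fail in next 2 h mission) {p_mission:.2e}")
    print("constant-rate population age independent:", is_age_independent(CONSTANT_RATE_ONLY))
    print("mixed population age independent:", is_age_independent(POPULATION))
```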

98 BATHTUB CURVE. Figure: stress failures, quality failures, wear-out failures.

99 SSA: A NEW APPROACH

100 AC/AMJ ARSENAL (Advisory Circular / Advisory Material Joint)

101 AC/AMJ 25.1309 ARSENAL – a. Advisory Circulars, Advisory Material Joint.
RELATED DOCUMENTS. a. Advisory Circulars, Advisory Material Joint:
- AMJ, Alerting Systems.
- AC 25.19/AMJ, Certification Maintenance Requirements.
- AC B, RTCA, Inc. Document DO-178B / AMJ B, EUROCAE ED-12B.
- AC/AMJ, Safety Assessment of Powerplant Installations.

102 AC/AMJ 25.1309 ARSENAL b. Industry documents.
(1) RTCA, Inc., Document No. DO-160D/EUROCAE ED-14D, Environmental Conditions and Test Procedures for Airborne Equipment.
(2) RTCA, Inc., Document No. RTCA/DO-178B/EUROCAE ED-12B, Software Considerations in Airborne Systems and Equipment Certification.
(3) Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4754/EUROCAE ED-79, Certification Considerations for Highly Integrated or Complex Aircraft Systems.
(4) SAE ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment.

103 ERJ 170/190 CERTIFICATION BASIS
Embraer made an application for the ERJ-170/190 series aircraft on 20 May 1999 (Ref. Embraer letter PCE-0809/99, dated 20 May 1999). US FAR 25, including: Amendments 25-1 through effective on 10 March 1999, Amdt , , , (paragraphs (a) and (b) only, and Appendix H); , , , , except paragraph (h); ,

104 FCAR HSI-015: Equipment, Systems and Installations
EQUIVALENT LEVEL OF SAFETY (30/07/02) STATEMENT OF ISSUE: The current guidance material for compliance with RBHA/FAR is not considered to be sufficiently effective and complete for assessing the safety aspects of complex and highly integrated systems that perform interrelated multi-functions (particularly through the use of electronic technology and software based techniques), such as those installed in the ERJ-170 aircraft.

105 FCAR HSI-015: Equipment, Systems and Installations
DISCUSSION: As a result of the FAA/JAA Harmonization Working Groups' activities, both authorities have reached an agreement on a revised text for the systems safety assessment requirements, as well as on the guidance material related to the associated acceptable means of compliance. Such revisions have included new areas of concern and related substantiation methodologies, which were developed to cope with modern aircraft complex systems, highly integrated, performing multiple functions with extensive use of software techniques. The proposed modifications of the related requirements are presently at the final stages of the rulemaking process by both authorities.

106 FCAR HSI-015: Equipment, Systems and Installations
DISCUSSION (cont.): Embraer has indicated its willingness to comply with the related parts of those modifications, transcribed below from the FAA draft NPRM for better understanding, including the associated guidance material, as an equivalent level of safety to the RBHA/FAR at Amendment 98 (ERJ-170 default certification basis).

107 FCAR HSI-015: Equipment, Systems and Installations
CTA POSITION: The regulatory changes foreseen by the JAA NPA 25F-281 and FAA NPRM on sections , and new bring a considerable improvement for the systems, equipment and installation requirements of the Chapter 25, due to the clarification of already existing provisions and identification of new related concepts (…) Therefore, the application of those impending new rules, as an equivalent level of safety for the current requirements, and the corresponding substantiation methodology established in the revised AC/AMJ above referred, is opportune for the ERJ-170 certification program and will surely provide an adequate and satisfactory approach for compliance.

108 FCAR HSI-015: Equipment, Systems and Installations
CTA POSITION (cont.): A final noteworthy remark regarding powerplant installations (last sentence of the main paragraph of the proposed ) is opportune. Since the proposed rule, albeit resulting from a technical consensus is not in effect, any last minute changes should not be ruled out. This concern applies specifically to powerplant installations; therefore, considering that current powerplant installations are not explicitly covered by , and the focus of this FCAR is indeed on highly integrated aircraft systems and equipment, the CTA will not require compliance with (c) under the framework of (b).

109 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION: Embraer agrees with the general intent of the CTA position. Some background discussion, however, is needed for a better understanding of Embraer's position, as explained below. Embraer is aware that the ERJ-170 is an aircraft with highly integrated systems performing complex and interrelated functions and agrees with CTA that the present guidance material for compliance with RBHA/FAR is not considered sufficiently effective and complete for assessing the safety aspects of highly integrated and complex systems.

110 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.1): In order to address the concerns related to systems integration, Embraer adopted the following:
1. Process to prevent errors in requirements, design and implementation;
2. Systems safety assessment based on FAA/JAA harmonized material for systems safety assessment requirements;
3. Aircraft safety assessment, covering failure conditions that affect multiple aircraft-level functions; and
4. Verification of the aircraft-level safety assessment by means of actual tests using an integrated iron bird rig.

111 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.2): Below follows an explanation about each item above: PROCESS: Regarding the applicability of SAE ARP4754/ED79 to the ERJ-170 program, Embraer performed a detailed analysis on that document and prepared an adequacy plan. Such plan was presented to CTA, JAA and FAA and it was considered acceptable for program ERJ-170 usage. In order to formalize the plan, Embraer issued the ENS titled ARP Adequacy for ERJ-170, attached to this letter.

112 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.3): 2. SYSTEM SAFETY ASSESSMENT. The safety assessment for each aircraft system verifies compliance with the safety objectives related to RBHA/FAR/JAR requirements, defined in the corresponding system functional hazard analysis. Each system safety assessment is conducted in accordance with Embraer standard ENS – System Safety Assessment Reports – Guidelines. This standard is based on:
- NPA 25F-281;
- AC, Arsenal revised; and
- SAE ARP 4761.
Systems safety assessment considers all equipment/hardware that affect system functions and includes fault tree analysis for each catastrophic and hazardous failure condition. Independence claims in fault trees are supported by common cause analysis.

113 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.4): 3. AIRCRAFT SAFETY ASSESSMENT Systems integration introduces failure conditions affecting simultaneously multiple systems and aircraft top level functions. In order to address the failure propagation assessment at aircraft level, related to potential sources of cascading/common cause failures, fault propagation and final effect on aircraft level functions, Embraer will develop an aircraft safety assessment, in addition to the traditional systems safety assessment.

114 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.5): 3. AIRCRAFT SAFETY ASSESSMENT: In this assessment, failure conditions of equipment/systems with multiple functions – integrated controllers, multi-user control signals and power sources – will be considered, predicting the effects/criticalities on systems/functions and determining the global effect on the aircraft top-level functions. The combination of those failures will generate the matrix of potential failure cases. These failure conditions will be covered in the aircraft safety assessment (report 170MSS012). The following are the main components for the matrix of potential failure cases:

115 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.6): 3. AIRCRAFT SAFETY ASSESSMENT – Integrated controllers:
- MAUs (considering for each MAU the loss of electrical power per channel at module level and loss of communications);
- SPDAs (considering for each SPDA the loss of electrical power at module level and loss of communications);
- AMS controllers (considering the loss of SPDA electrical power and loss of communications);
- MRCs (loss of electrical power and loss of communications);
- GCUs (loss of communications);
- FADECs (loss of total electrical power and loss of communications);
- MCDUs (loss of electrical power and loss of communications); and
- CCDs (loss of electrical power and loss of communications).

116 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.6): 3. AIRCRAFT SAFETY ASSESSMENT. The following are the main components for the matrix of potential failure cases (cont.) – Control signals:
- Air/ground signals;
- Wheel speed signals;
- Engine signals;
- Air data signals;
- IRS signals; and
- Flap position signal.

117 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.7): 3. AIRCRAFT SAFETY ASSESSMENT. The following are the main components for the matrix of potential failure cases (cont.) – Power sources:
- Main engines;
- Electrical;
- Hydraulics; and
- Pneumatics.
– Additional failure cases:
- Power sources and integrated controllers;
- Power sources and power sources – electrical, hydraulics, pneumatics; and
- Integrated controllers and integrated controllers.

118 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.8): 3. AIRCRAFT SAFETY ASSESSMENT. For each failure case, a propagation analysis is conducted taking into account the scenario – configuration of the aircraft and flight phase – and predicting the effect/criticality of that failure on systems/functions that contribute to the aircraft top-level functions:
1. Provide lateral/directional control;
2. Provide pitch control;
3. Provide thrust;
4. Provide lift and drag control;
5. Provide primary flight information;
6. Provide navigation;
7. Provide communication;
8. Provide auto flight;
9. Provide habitable environment;
10. Protect structural integrity against system failure;
11. Provide unobstructed cockpit vision;
12. Provide protection against fire; and
13. Halt the airplane.

119 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.9): 4. VERIFICATION OF AIRCRAFT SAFETY ASSESSMENT. Once the effects/criticalities have been predicted by the propagation analysis related to potential sources of cascading/common cause failures, Embraer will demonstrate those effects and verify criticalities using a certification vehicle entitled integrated iron bird rig, which will contain the following actual aircraft systems and modeled systems – Aircraft systems:
- Integrated digital platform (includes MAUs, SPDAs, FADECs, AMS controllers, MCDUs, CCDs, displays, MRC and digital data buses);
- Cockpit overhead panel (with system modules that interface with the integrated digital platform);
- Cockpit circuit breaker panels;
- Electrical power systems (with actual electrical buses powering the corresponding systems);
- Hydraulic system;
- Flight controls system;
- Auto pilot system;
- Landing gear, brakes and steering; and
- Thrust reversers.

120 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.10): 4. VERIFICATION OF AIRCRAFT SAFETY ASSESSMENT – Aircraft aerodynamic model:
- Aerodynamic data bank permitting the aerodynamic aircraft simulation.
– Modeled aircraft systems:
- Main engines (controlled by actual FADECs);
- Mechanical portion of the fuel system (controlled by actual SPDAs);
- APU;
- Mechanical portion of the air management systems (controlled by actual AMS controllers);
- Air data system outputs and sensor heating (controlled by actual MAUs and SPDAs); and
- Flap/slat.

121 FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont.10): 4. VERIFICATION OF AIRCRAFT SAFETY ASSESSMENT – The integrated iron bird will be described in report 170MSD001. The process for conducting the failure propagation assessment at aircraft level will be performed with the support of the human factors group in the verification of the criticality of each failure case. All activities involving the integrated systems safety assessment shall be documented in the following reports:
- 170MSS003 – Aircraft Functional Hazard Assessment;
- 170MSS012 – Aircraft Safety Assessment;
- 170MSD – Integrated Systems Overview;
- 170MSC003 – Safety Assessment Methodology;
- 170MSD001 – Failure Propagation Vehicle Description;
- 170MSP001 – Failure Propagation Vehicle Test Proposal;
- 170MSR001 – Failure Propagation Vehicle Test Results;
- 170ELS005 – SPDA – Secondary Power Distribution Assembly – FMEA;
- 170LGA058 – WOW Functional FMEA; and
- 170AVA004 – Functional FMEA – MAU.

122 FCAR HSI-015: Equipment, Systems and Installations
LIST OF REPORTS
- 170ADO001 – FUNCTIONAL HAZARD ANALYSIS CRITERIA
- 170ADY008 – FHA SUPPORTING CALCULATIONS GROUND ROLL DECELERATION AND CLIMB CAPABILITY
- 170AFS – AFCS SYSTEM SAFETY ASSESSMENT
- 170AFS004 – AFCS FHA VERIFICATION TEST PLAN
- 170AUS001 – AUXILIARY POWER UNIT SYSTEM SAFETY ASSESSMENT
- 170AUS002 – AUXILIARY POWER UNIT SYSTEM FUNCTIONAL HAZARD ANALYSIS
(....)
- 170MSR001 – Failure Propagation Vehicle Test Results;
- 170ELS005 – SPDA – Secondary Power Distribution Assembly – FMEA;
- 170LGA058 – WOW Functional FMEA; and
- 170WWS002 – VACUUM WASTE SYSTEM SAFETY ASSESSMENT
94 reports directly related to Safety Assessment.

123 METHODOLOGY AND CERTIFICATION DOCUMENTATION
AIRCRAFT FUNCTIONS – TOP LEVEL FUNCTIONS
1. To provide aircraft lateral/directional control
2. To provide pitch control
3. To provide thrust
4. To provide lift and drag control
5. To provide Primary Flight Information
6. To provide navigation capability
7. To provide communication capability
8. To provide auto flight capability
9. To provide habitable environment
10. To protect structural integrity against systems failures
11. To provide unobstructed cockpit vision
12. To provide protection against fire
13. To land and halt the aircraft

124 ARP 4754

125 REQUIREMENTS DEVELOPMENT PROCESS
A generic aircraft development program (source: Spitzer/Chilenski). Figure: V-shaped development flow with the following stages:
- Aircraft Requirements Formulation
- System Requirements
- Hardware Requirements and Software Requirements
- Preliminary Hardware Design and Software Design, reviewed at PDR (PDR = Approval of Design Concept; proceed with detailed design)
- Detailed Hardware Design and Software Coding, reviewed at CDR (CDR = Approval of Detailed Design; proceed with fabrication)
- Hardware Fabrication and Unit Testing (Code Test)
- Hardware Assembly and Software Integration Testing, HW/SW Test Readiness Review
- Hardware/Software Integration
- System Testing, System Test Readiness Review
- Lab/Flight Testing
- Production, First Article Inspection

126 DESIGN – MANUFACTURING – OPERATION
HOW TO GUARANTEE SAFETY? Design – Manufacturing – Operation. ARP 4754: CERTIFICATION CONSIDERATIONS FOR HIGHLY INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS (current title); GUIDANCE FOR VALIDATION AND VERIFICATION OF AIRCRAFT SYSTEMS (title to be adopted). A qualitative approach: it recognizes that there are no numerical methods to characterize development errors (errors in requirements determination and in design). REQUIREMENTS CAPTURE AND DAL ASSIGNMENT. Safety requirements: the SSA PROCESS. Functional requirements: a combination of customer wishes, regulatory constraints and "implementation reality". Requirements: customer, operational, performance, installation, etc.

127 HOW TO GUARANTEE SAFETY?
DESIGN – MANUFACTURING – OPERATION. ARP 4754: CERTIFICATION CONSIDERATIONS FOR HIGHLY INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS. "DEVELOPMENT ASSURANCE": all planned and systematic actions used to substantiate, at an adequate level of confidence, that development errors have been identified and corrected, such that the system satisfies the applicable certification basis. "DEVELOPMENT ERROR": a mistake in requirements determination, in design or in implementation.

128 System Development Processes
Figure: the Intended Aircraft Function feeds the System Development Processes (ARP 4754), i.e. the Aircraft System Development Process; function, failure and safety information is exchanged with the Safety Assessment Process Guidelines & Methods (ARP 4761); the system design goes to Aircraft System Development Implementation, split into the Hardware Development Life-Cycle (DO-254), Hardware Life-Cycle Process, and the Software Development Life-Cycle (DO-178B), Software Life-Cycle Process, which together yield the Functional System.

129 SAE AEROSPACE RECOMMENDED PRACTICE 4754 – CERTIFICATION CONSIDERATIONS FOR HIGHLY INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS
The process includes the assignment of development assurance levels, similar to FHA hazard severity levels. The Development Assurance Levels defined in 4754 determine the necessary software and hardware design assurance levels of DO-178B and DO-254. "Development assurance establishes confidence that the system development has been accomplished in a sufficiently disciplined manner to limit the likelihood of development errors that could impact aircraft safety."

130 System Development Assurance Level Assignment

131 4.3 Software Summary
Software control and indication is accomplished via the SPDA, FADEC, and EICAS systems. Table 2 summarizes the ERJ-170 Functional Hazard Analysis - Software (See Annex C). The safety level required in the FHA is accomplished or exceeded by the software.

132 Supporting Processes
Figure: matrix of supporting processes (Certification Coordination, Safety Assessment, Requirements Validation, Implementation Verification, Configuration Management, Process Assurance) applied across three levels: AIRCRAFT FUNCTION (Aircraft Function 1, 2, 3), SYSTEM DEVELOPMENT (System 1, 2, 3) and ITEM DEVELOPMENT (Item 1, 2, 3, with the Hardware Life-Cycle and the Software Life-Cycle).

133 Aircraft Level Requirements / Aircraft Level FHA
Figure: the Safety Assessment Process alongside the System Development Process. Safety assessment side: Aircraft-level FHA (failure conditions, effects, classification, safety requirements); system-level FHA sections (failure conditions, effects, classification, safety objectives); CCAs (separation requirements); SSAs (separation and verification). System development side: aircraft functions; allocation of aircraft functions to systems (system functions); development of the system architecture (architectural requirements, system architecture); allocation of item requirements to hardware and software (item requirements); system implementation (implementation results); physical system; certification.

134 Requirements Baseline Overview [Integrated Digital Platform]
Figure: functional requirements and safety requirements traced through the baseline: aircraft certification requirements and requirements associated with aircraft-level functions; aircraft-level FHA; system-level FHA sections; system requirements and system DAL; selected functions; equipment/software requirements.


136 FUTURE WORK: ERJ 190 SSA – Requirements determination and traceability
- List of aircraft-level functions reviewed and harmonized between all involved areas.
- Requirements determination and traceability.
- More extensive adoption of ARP 4754: FHA, including assignment of DAL to systems and subsystems.

137 FUTURE WORK: ERJ 190 SSA (status by process area)
- Process is being concluded (integration with product process)
- Configuration Management
- Preliminary procedures issued
- Process is being discussed internally
- Requirements Verification
- Preliminary procedure issued
- Process Assurance
- Procedures are being analyzed to show compliance with ARP4754
- Safety Assessment
- Procedures issued
- Teams are being trained
- Requirements Validation
- Certification Coordination
- Tailoring criteria presented to CTA. Embraer teams currently applying the criteria
- ARP4754 Scope definition

138 Specific Risk

139 Average Probability PFH Definition
Average Probability Per Flight Hour: is a representation of the number of times the subject Failure Condition is predicted to occur during the entire operating life of all airplanes of the type divided by the anticipated total operating hours of all airplanes of that type (Note: The Average Probability Per Flight Hour is normally calculated as the probability of a failure condition occurring during a typical flight of mean duration divided by that mean duration). (AC/AMJ )

140 Calculation of Average Probability per Flight Hour (Quantitative Analysis)
(1) The Average Probability per Flight Hour is the probability of occurrence, normalized by the flight time, of a Failure Condition during a flight, which can be seen as an average over all possible flights of the fleet of aircraft to be certified. The calculation of the Average Probability per Flight Hour for a Failure Condition should consider:
(i) the average flight duration and the average flight profile for the aircraft type to be certified,
(ii) all combinations of failures and events that contribute to the Failure Condition,
(iii) the conditional probability if a sequence of events is necessary to produce the Failure Condition,
(iv) the relevant "at risk" time if an event is only relevant during certain flight phases,
(v) the average exposure time if the failure can persist for multiple flights. (AC/AMJ )

141 SAE S-18 Specific Risk definition
Specific Risk: the probability of failure for an individual airplane or flight, where one or more significant risk parameters differ from airplane to airplane (or flight to flight) and the values of those parameters are identifiable for those individual airplanes or flights

142 Specific Risk definition
For example, individual airplanes (or flights) may be at a higher risk than the fleet average if:
- One or more components are failed or inoperative (degraded configuration but OK per MMEL).
- Components have more service time ("wearout" failure modes).
- Components have less service time ("infant mortality" failure modes).
- Flight length is shorter (cycle-driven failure mode).
- Flight length is longer (more time between pre-flight checks).
- Longer time since last inspection (latent failure mode).
- Components are outside design specifications (e.g. quality issue).
- Operating environment or mission profile is more severe.
- Aircraft configuration (weight and balance).

143 SAE S-18 Specific Risk definition
While noting the controversy of specific risk as an assessment metric, it is recognized that there are at least two examples of regulatory and industry guidance related to specific risk:
- Gunstone ACJ 39.3(b)(4) / CAAM (Continued Airworthiness Assessment Methodology) AC 39-XX
- Time Limited Dispatch (TLD)

144 Example Illustration : a Catastrophic Failure Condition
FAA/EASA consensus Specific Risk definition: the risk on an aircraft on a specific flight due to a condition that deviates from the fleet's average risk. Do we limit exposure, deviation, or both? Figure (example illustration: a Catastrophic Failure Condition): risk per flight hour plotted against time, with the fleet average at 10^-9, the full-up level at 10^-y, the deviation at 10^-x, and the exposure being the time spent at the deviated level.
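The calculation of slide 140 and the illustration of slide 144, carried through as an added worked example (this is not code from AC/AMJ 25.1309 or from Embraer's reports): a failure condition that needs a latent failure (found only at a periodic inspection) and an active failure, combined with a simplified conservative rule, with constructed rates chosen so that the fleet average lands near 10^-9 per flight hour; the specific risk of a flight on which the latent failure is already present is then compared with the fleet average and with the full-up value. All rates, the flight duration and the inspection interval are assumed values.

```python
import math

# Constructed values (assumptions, not from the slides): rates in failures per
# hour, durations in hours. Chosen so the fleet average is close to 1e-9/FH.
LAMBDA_LATENT = 1.0e-6     # latent item: failure only detected at inspection
LAMBDA_ACTIVE = 1.0e-6     # active item: annunciated, never carried over a flight
T_FLIGHT = 2.0             # average flight duration (item (i) of slide 140)
T_INSPECTION = 2000.0      # latent exposure: hours between inspections (item (v))


def p_fail(rate, hours):
    """Probability that a constant-failure-rate item fails within `hours`."""
    return 1.0 - math.exp(-rate * hours)


def p_failure_condition_on_flight(k, lam_latent, lam_active, t_flight,
                                  t_at_risk=None, latent_known_failed=False):
    """Probability of the failure condition on flight k after the last
    inspection (k = 0 is the first flight after the check).
    Conservative simplification: the latent item counts as failed if it fails
    any time up to the end of this flight (item (v)); the active failure only
    matters during the at-risk phase, t_at_risk hours (item (iv)), taken as
    the whole flight when None; the two are treated as independent (item (ii))."""
    exposure = t_flight if t_at_risk is None else t_at_risk
    p_latent = 1.0 if latent_known_failed else p_fail(lam_latent, (k + 1) * t_flight)
    return p_latent * p_fail(lam_active, exposure)


def average_probability_per_flight_hour(lam_latent, lam_active, t_flight,
                                        t_inspection, t_at_risk=None):
    """Fleet-average probability per flight hour: mean over every flight in the
    inspection interval, normalized by the average flight duration."""
    n_flights = max(1, int(round(t_inspection / t_flight)))
    total = sum(p_failure_condition_on_flight(k, lam_latent, lam_active, t_flight, t_at_risk)
                for k in range(n_flights))
    return total / n_flights / t_flight


def specific_risk_per_flight_hour(lam_latent, lam_active, t_flight, t_at_risk=None,
                                  latent_known_failed=True, k=0):
    """Risk per flight hour of one particular flight whose state deviates from
    the fleet average: by default the latent failure is already present."""
    p = p_failure_condition_on_flight(k, lam_latent, lam_active, t_flight,
                                      t_at_risk, latent_known_failed)
    return p / t_flight


def deviation_factor(lam_latent, lam_active, t_flight, t_inspection):
    """How far the latent-failed flight sits above the fleet average (the 10^-x
    versus 10^-9 gap of slide 144)."""
    avg = average_probability_per_flight_hour(lam_latent, lam_active, t_flight, t_inspection)
    return specific_risk_per_flight_hour(lam_latent, lam_active, t_flight) / avg


if __name__ == "__main__":
    avg = average_probability_per_flight_hour(LAMBDA_LATENT, LAMBDA_ACTIVE, T_FLIGHT, T_INSPECTION)
    full_up = specific_risk_per_flight_hour(LAMBDA_LATENT, LAMBDA_ACTIVE, T_FLIGHT,
                                            latent_known_failed=False, k=0)
    latent_present = specific_risk_per_flight_hour(LAMBDA_LATENT, LAMBDA_ACTIVE, T_FLIGHT)
    approach_only = average_probability_per_flight_hour(LAMBDA_LATENT, LAMBDA_ACTIVE, T_FLIGHT,
                                                        T_INSPECTION, t_at_risk=0.2)
    print(f"fleet average:                 {avg:.2e} per FH")
    print(f"full-up (first flight after check): {full_up:.2e} per FH")
    print(f"latent already failed:         {latent_present:.2e} per FH")
    print(f"fleet average, 0.2 h at-risk phase: {approach_only:.2e} per FH")
    print(f"deviation factor: {deviation_factor(LAMBDA_LATENT, LAMBDA_ACTIVE, T_FLIGHT, T_INSPECTION):.0f}")
```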

145 Feedback from SDAHWG
Authorities: The risk on an aircraft on a specific flight due to a condition that deviates from the fleet's average risk.
SDAHWG: The risk on an aircraft per flight hour due to a condition that results in a deviation from the fleet's average risk. Conditions specifically of concern are significant latent failures and MMEL items.

146 What is the RULE? FAA seeks a clearer and more integrated set of recommendations from ARAC, because SDA, Flight Controls, and Powerplant HWGs each independently provided to the FAA varying philosophies on how specific risks should be managed (e.g., recommendations range from prohibiting single+latent, to allowing single+latent and specifying a minimum level of integrity, to no specific risk evaluation at all.) Specific risk issues transcend any one system type, and need to be coordinated cross-functionally (e.g., latent and MMEL issues are common issues.)

147 CONCLUSIONS

