modulo 08 airborne systems

7/23/2019 Modulo 08 Airborne Systems

1/78

RPAS Airborne Systems - 1

Introduction to RPAs Certification

Total or partial reproduction without the authorisation of SENASA is not allowed.

Servicios y Estudios para la NavegacinArea y l a Seguri dad Aeronut ica, S.A.

Introduction to RPAsCertification

Module 8RPAS Airborne Systems

Module 8 - 2 SENASA 2013Total or partial reproduction is notallowed

RPAS Airborne Systems

Introduction

STANAG 4703

STANAG 4703 - Payloads / Miscellaneous Equipment

STANAG 4671

System Safety Assessment

System Safety Assessment for RPAS Design Philosophy

RPAS Airborne Systems certification summary


2/78





UAS/RPAS AIRBORNE SYSTEMS

POWERPLANT INSTALLATION FUEL SUBSYSTEM

FUEL TANK SUBSYSTEM

FUEL TANK INTEGRATION

FLIGHT CONTROL SURFACES

LANDING GEAR

AIRCRAFT DE-ICING SYSTEMS

AIR VEHICLE ELECTRICAL SUBSYSTEM

ELECTRICAL SUBSYSTEM LAYOUT

HYDRAULICALLY POWER

COOLING

PAYLOADS & EQUIPMENTCOMPARTMENT

SWAPPABLE UNIVERSAL PAYLOAD PRESSURIZATION

FIRE PROTECTION

ELECTRICAL BONDING ANDLIGHTNING PROTECTION

PARACHUTE LANDING SYSTEM


AIR VEHICLE POWERPLANT INSTALLATION


3/78





AIR VEHICLE FUEL TANK SUBSYSTEM


FUEL TANK INTEGRATION


4/78





AIR VEHICLE FUEL SUBSYSTEM


UAV FLIGHT CONTROL SURFACES

SERVO


5/78





UAV LANDING GEAR


AIRCRAFT DE-ICING SYSTEMS


6/78





AIR VEHICLE ELECTRICAL SUBSYSTEM


UAV ELECTRICAL SUBSYSTEM LAYOUT


7/78





UAV HYDRAULICALLY POWER


UAV COOLING


8/78





PAYLOADS & EQUIPMENT COMPARTMENT


SWAPPABLE UNIVERSAL PAYLOAD

Electric Penguin BE640 W Lithium Polymerquick replaceable batterycartridge.


9/78





UAV PARACHUTE LANDING SYSTEM



Introduction

STANAG 4703


STANAG 4671





10/78





STANAG 4703 SYSTEMS & EQUIPMENTREQUIREMENTS (ER 1.3.1)

The UAV system must not have design features or detailsthat experience has shown to be hazardous in theirintended application.

ESSE

NTIAL

REQUIREMENTS


STANAG 4703 SYSTEM & EQUIPMENTDETAILED ARGUMENTS

UL.21 SUBSTANTIATION OF THE UAS DESIGN CRITERIA

UL.22 TECHNICAL OCCURRENCES REPORTING

UL.23 FUNCTION & RELIABILITY DATA

DETAILED

ARGUMENTS


11/78





STANAG 4703 DESIGN CRITERIASUBSTANTIATION (UL.21)

The Applicant should substantiate that the design criteriaare either Derived from Standard Aerospace Practices, or that

Any Novel design criteria are based on sound engineeringprinciples.

Acceptable Means of Compliance (Deliverable) Technical Specification with the Design Criteria

DESIGN

CRITERIA

-AMC


STANAG 4703 DESIGN CRITERIASUBSTANTIATION (UL.21)

EXAMPLE OF DESIGN CRITERIA

The electrical system should include overload protectiondevices (fuses or circuit breakers);

The electrical bonding should be guaranteed;

The electrical wires must be sized to accommodate theexpected electrical loads;

Positive drainage of moisture should be provided wherevernecessary (e.g. static pressure measuring devices);

Drainage and venting should be provided where flammablefluid vapour may accumulate].

EtcDESIGN

CRITER

IA

-AMC


12/78





STANAG 4703 TECHNICAL OCCURRENCESREPORTING (UL.22)

The Applicant must provide a method to track technicaloccurrences affecting safety throughout the life of theprogram and implement preventive and corrective actionsas necessary.

DESIGN

CRITERIA

-AMC


STANAG 4703 FUNCTION & RELIABILITYDATA (UL.23)

Flight test experience must be accumulated before TypeCertification, exploring the complete design usage spectrumin order to provide a sufficient level of confidence to theCertifying Authority. Any technical events that occur during this flight test experience

must be reported, analyzed and corrected when necessary.

Both the occurrences and their corrective actions must be madeavailable to the Certifying Authority.

DESIGN

CRITER

IA

-AMC


13/78






The UAV system, with those equipment and appliancesrequired for type-certification, or by operating rules mustfunction as intended under any foreseeable operatingconditions, taking due account of the system, equipment orappliance operating environment.

Other systems, equipment and appliance not required fortype- certification, or by operating rules, whether functioningproperly or improperly, must not reduce safety and must notadversely affect the proper functioning of any other system,equipment or appliance.

Systems, equipment and appliances must be operablewithout needing exceptional skill or strengthE

SSE

NTIAL

REQUIREMENTS


STANAG 4703 SYSTEM & EQUIPMENTDETAILED ARGUMENTS

UL.24 Equipment Functioning & Reliability

UL.25 Equipment Environmental Qualification

UL.29 Systems Integration Desmostration

DETAILED

ARGUMENTS


14/78





STANAG 4703 AIRBORNE EQUIPMENTDETAILED ARGUMENTS (UL.24)

1. All equipment must function properly within the designusage spectrum, including icing conditions, if required.

2. Equipment Specification and Declaration of Design andPerformance (DDP) For all installed equipment the UAV System manufacturer must

approve its specification, in order to assess compatibility with UAVsystem higher-level requirements.

All equipment must have a Declaration of Design and Performance(DDP)) released by its manufacturer and accepted by the UAVsystem manufacturer.

D

ETAILED

ARGUMENTS


STANAG 4703 AIRBORNE EQUIPMENT DETAILEDARGUMENTS (UL.24)

3. The installation provisions, environment and the intendedusage of all equipment must meet all performance,operating and safety limitations to which the equipment isqualified (i.e. it meets its specifications). MOC: Environmental Qualification Specification

4. The minimum necessary accuracy of each measuring

device used to control UAV trajectory and to acquirenavigation data must be established by the UAV systemmanufacturer and be compatible with UAV high-levelrequirements. MOC: Analysis, and Ground & Flight Test ReportsD

ETAILED

ARGUMENTS


15/78






5. Each measuring device must be calibrated as necessary(e.g. airspeed sensors). MOC: Ground & Flight Calibration Test Reports

6. Any equipment whose failure could lead to loss offunctions or misleading data with hazardous orcatastrophic effects on safety must have fault detection /fault isolation capabilities as agreed by the CertifyingAuthority. MOC: Equipment Technical Specification, FMEA

D

ETAILED

ARGUMENTS


AIRBORNE EQUIPMENT REQUIREMENTS

A minimum essential set of Built-In-Test (BIT) performanceshould be included in the design. MOC Equipment Technical Specification

UAV faults and status information must be transmitted tothe UCS/UCB for display to the operator, when the link isavailable

MOC Equipment Technical Specification For example

AIR VEHICLE / GROUND CONTROL STATION

Computers Checksum

Data Link Health

GPS Receiver Receiver failure indication from power- up, self-test or

background BIT

Motherboards Under-voltage

Temperature

DETAILED

ARGUMENTS


16/78





STANAG 4703 SYSTEM SAFETYASSESSMENT REQUIREMENTS (UL.25)

Equipment Qualification Data (DDP, EQF) Equipment Installation Analysis (Appraisal)

Ground & Flight Functional Test Results

Ground & Flight EMC Test Results

MEA

NS

OF

COMPLIANCE

Equipment DataAnalysis

Test Results

Certification Data Package



Each sub-system of the UAV system affecting safeoperation (e.g. UAV, UCB / UCS, Data-Link etc.) mustperform its intended function under any operating conditionidentified in Operating Spectrum. Identify all functions of each sub-system.

Characterize the operational environment of each sub-system.

Perform all necessary functional tests at sub-system level. Perform all necessary environmental tests (e.g. vibration, humidity,

EMC/HIRF, etc.).

Show that the operation of any other sub-system or item of installedequipment does not adversely affect the operation of those sub-systems that affect safe operation. (EMC)

The test plans must be provided to the Certifying Authority.

DETAILED

ARGUMENTS


17/78






Equipment Qualification Data (DDP, EQF) Equipment Installation Analysis (Appraisal)

Ground & Flight Functional Test Results

Ground & Flight EMC Test Results

MEA

NS

OF

COMPLIANCE

Equipment DataAnalysis

Test Results



STANAG 4703 SYSTEMS & EQUIPMENTINTEGRATION DETAILED ARGUMENTS

UL.29 INTEGRATION

The UAV, the UCB / UCS, the Data-Link, Launch/Recoveryequipment (where applicable) and any other systemnecessary for operation must function properly whenoperated all together

Means of Compliance: Evidence of accumulated flight test activity and problem report

tracking, except the Certifying Authority ask for additional evidence.

DETAILED

ARGUMENTS


18/78





STANAG 4703 SUBSYSTEM INTEGRATIONREQUIREMENTS (UL.29)

Results of Ground & Fligth Test Campaign Records of Test Activities and Problem Reports

MEA

NS

OF

COMPLIANCE

GROUND & FLIGTHTEST RESULTS




The UAV systems, equipment and associated appliances,including the control station, its data links etc., consideredseparately and in relation to each other, must be designedsuch that any catastrophic failure condition does not resultfrom a single failure not shown to be extremely improbable.

An inverse relationship must exist between the probability of

a failure condition and the severity of its effect on the UAV,crew, ground- crew or other third parties.

Due allowance must be made for the size and broadconfiguration of the UAV system (including specific militarysystems and operations) and that this may prevent thissingle failure criterion from being met for some parts andsome systems on helicopters, small or single engineaeroplanes and uninhabited aerial vehicles

ESSENTIAL

REQU

IREMENTS


19/78






A System Safety Assessment must be performed for theUAV system (including all contributions coming from theUAV, UCS/UCB, Data Link and any other equipmentnecessary to operate the UAV system) and submitted to theCertifying Authority, which includes but is not limited to: The definition of a Hazard Reference System to be agreed by the

Certifying Authority (see Appendix 5);

A Functional Hazard Analysis FHA (see SAE ARP 4761)

A Failure Mode Effect and Criticality Analysis FMEA (see SAE ARP4761)

A Fault Tree Analysis FTA (see SAE ARP 4761)DE

TAILEDA

RGUMENTS



The safety analysis must demonstrate compliance with thefollowing.1. All credible hazards and accidents must be identified, the associated

accident sequences must be defined and the associated risks mustbe determined.

2. The cumulative probability per flight hour for a catastrophic event(with all the contribution of all UAV systems and sub-systems,

including propulsion, navigation, data-link, UCS/UCB, etc.) must notbe greater than the Hazard Reference System cumulative safetyrequirement as agreed with the Certifying Authority.

3. All identified safety risks must be reduced to the minimum levels thatare compatible with technological constraints, and each failurecondition must be acceptable according to the Hazard ReferenceSystem criteria in Appendix 5, as agreed with the CertifyingAuthority.

DETAILEDA

RG

UMENTS


20/78






System Safety Assessment Report !!, in accordance withSAE ARP 4761

MEA

NS

OF

COMPLIANCE

SYSTEM SAFETYREPORT




Introduction

STANAG 4703


STANAG 4671





21/78





STANAG 4703 - PAYLOADREQUIREMENTS (UL.28)

The payload equipment, whether functioning properly orimproperly, must not adversely affect the safe flight andcontrol of the UAV. MoC: Payload Hazard Analysis, Functional Test

The payload equipment must be electromagneticallycompatible with other UAV systems. MoC: Functional & EMC Test Results

All potential hazards caused by the payload (includinglasers) to crew, ground staff or third parties must beassessed and minimized. MoC: Payload Hazard AnalysisDE

TAILEDA

RGUMENTS


STANAG 4703 - PAYLOADREQUIREMENTS (UL.28)

Evaluation of the effects of payload normal functioning andfailures on the other UAV subsystems MoC: Payload Hazard Analysis

MEANS

OF

COM

PLIANCE


22/78





STANAG 4703 UAV AIRBORNE SUBSYSTEMS

SUMMARY OF TECHNICAL REPORTS UAV Subsystems Design Criteria

UAV Subsystems Production Drawings & Specifications

Equipment Technical Specifications

Equipment Qualification Data (DDP, TDS, EQF, L/HIRF)

Equipment Installation Analysis (Appraisal)

FMEA & Failure Rates (MTBF) Analysis

Ground & Flight Functional Test Reports

Ground & Flight EMC Test Reports

Function & Reliability Test Reports

Failures & Malfunctions Problems Reports



Introduction

STANAG 4703


STANAG 4671





23/78





STANAG 4671 USAR STRUCTURE

Subparts A-G are derived directly from CS-23. While subparts H and I follow theformat of CS-23, they are unique to USAR.

VAMOS VER LAS PRINCIPALES DIFERENCIAS


STANAG 4671 AIR VEHICLE SUBSYSTEMS

USAR.U722 Landing gear - General

The following section is for conventional landing geararrangements. If novel designs are proposed the acceptancemethods shall be agreed with the Certifying Authority.


24/78






USAR.775 Payload transparencies The design of payload transparencies and radomes in pressurised

compartments must be based on factors specific to high altitudeoperation, including1. The effects of continuous and cyclic pressurisation loading;

2. The inherent characteristics of the material used;

3. The effects of temperatures and temperature gradients;

4. The effects on the structural integrity of the UAV in the occurrence ofwall pressurisation fracture, either by flaw or by explosion; and,

5. Safety-of-flight critical viewing areas of camera and sensor windowsshall be maintained free of fog, frost and other obstructions for allsteady state and transient ground and flight operating conditions withinthe specified UAV environmental envelope. They shall be designed towithstand foreign object damage (FOD) from birds, hail, runway,taxiway, and ramp debris.



USAR.783 Doors, Covers and Hatches (a) to (d) ... Not applicable

e) Each external door and hatch must comply with the followingrequirements:1. There must be a means to lock and safeguard each external door and

hatch, including payload and service type doors, against inadvertentopening in flight, as a result of mechanical failure or failure of a single

structural element, either during or after closure.2. There must be a provision for direct visual inspection of the locking

mechanism to determine if the external door or hatch, for which theinitial opening movement is not inward, is fully closed and locked. Theprovisions must be discernible, under operating lighting conditions, byinspection and maintenance staff using a flashlight or an equivalentlighting source.


25/78






USAR.787 Payload compartments Each payload compartment must

1. Be designed for the maximum weight and distribution of contents andfor the critical load distributions at the appropriate maximum loadfactors corresponding to the flight and ground load conditions ofUSAR.

2. Have means to prevent the contents of any compartment frombecoming a hazard by shifting, and to protect any controls, wiring,lines, equipment, or accessories whose damage or failure would affectsafe operations.



USAR.843 Pressurisation Testsa) Strength test. The complete pressurised compartment, including

doors, windows, canopy and valves, must be tested as a pressurevessel for the pressure differential specified in USAR.365 (d).

b) Functional tests. The following functional tests must be performed:1. Tests of the functioning and capacity of the positive and negative

pressure differential valve.

2. Tests of the pressurisation system to show proper functioning undereach possible condition of pressure, temperature and moisture, up tothe maximum altitude for which certification is requested


26/78






USAR.841 Pressurised compartmentsa) Not applicable

b) If necessary for structural protection, pressurised compartmentsshould have the following valves (or their equivalent)1. A pressure relief valve (or its equivalent) to automatically limit the

positive pressure differential to a predetermined value at the maximumrate of flow delivered by the pressure source. The pressure differentialis positive when the internal pressure is greater than the external.

2. A reverse pressure differential relief valve (or its equivalent) toautomatically prevent a negative pressure differential that woulddamage the structure.



USAR.U850 Fire protection General

Specific UAV fire protection requirements presented inUSAR aim at minimizing the risk of fire that may lead touncontrolled UAV flight and crash and potential damages tothird parties. Compliance with those requirements mustshow that this general intent is met, in particular that:

a) Electrical installation and propulsion systems (including relatedmaterials) are adequately designed (see USAR.1359, USAR.1181and appendix F), and,

b) Consideration must be given to protection of flight critical structureand systems (such as flight control system).

c) The flammability, toxicity, smoke effects and thermaldecomposition of the materials must be considered in design.


27/78






USAR.863 Flammable Fluid Fire Protection See AMC.863

a) In each area where flammable fluids or vapours might escape byleakage of a fluid system, there must be means to minimise theprobability of ignition of the fluids and vapours and the resultanthazard if ignition does occur.

b) Compliance with sub-paragraph (a) must be shown by analysis ortests and the following factors must be considered:



USAR.863 Flammable Fluid Fire Protection.....1. Possible sources and paths of fluid leakage and means of detecting

leakage.

2.Flammability characteristics of fluids, including effects of anycombustible or absorbing materials.

3. Possible ignition sources, including electrical faults, over-heating ofequipment, static electricity, lightning and malfunctioning of protectivedevices.

4. Means available for controlling or extinguishing a fire, such as stoppingflow of fluids, shutting down equipment, fireproof containment, or use ofextinguishing agents.

5. Ability of UAV components that are critical to safety of flight to withstandfire and heat. (c) Not applicable in this subpart (see USAR.1817Flammable fluid fire protection)

d) Each area where flammable fluids or vapours might escape byleakage of a fluid system must be identified and defined.


28/78






USAR.865 Fire protection of flight control systemcomponents, engine mounts and other flight structure

See AMC.865

Flight control system components, engine mounts, andother flight structure located in designated fire zones, or inadjacent areas that would be subjected to the effects of firein the designated fire zones, must be constructed offireproof material or be shielded so that they are capable ofwithstanding the effects of a fire. Engine vibration isolatorsmust incorporate suitable features to ensure that the engineis retained if the non- fireproof portions of the isolatorsdeteriorate from the effects of a fire.



USAR.867 Electr ical bonding and protect ion againstlightning and static electricity

See AMC.867 (a)a) The UAV must be protected against catastrophic effects from

lightning and static electricity. A lightning analysis assessment hasto be carried out and agreed with the Certifying Authority.

b) For metallic components, compliance with sub-paragraph (a) maybe shown by1. Bonding the components and grounding them properly to the airframe;

or

2. Designing the components so that a strike will not result in acatastrophic event.

c) For non-metallic components, compliance with sub-paragraph (a)may be shown by1. Designing the components to minimise the effect of a strike; or

2. Incorporating acceptable means of diverting the resulting electricalcurrent so as not to result in a Catastrophic event.


29/78






USAR.U881 Parachute Design See AMC.881 (a)

Where a UAV is designed to be recovered by parachute,a) Materials and workmanship shall be of a quality which documented

experience or tests have conclusively demonstrated to be suitablefor the manufacture of parachute assemblies and components

b) All materials shall remain functional for storage and use from -40Cto +93.3C, and from 0 to 100% relative humidity.

c) All plated ferrous parts shall be treated to minimise HydrogenEmbrittlement.

d) Stitching shall be of a type that will not unravel when broken



USAR.U881 Parachute Designe) Information concerning parachute assemblies and components

must be furnished in the UAV System documentation, including:1. Part number

2. Manufacturers name and address

3. Maximum operating limits

4. Instruction for packing method and inspection at approved intervals

5. Instruction for continued airworthiness.

f) Where practicable parachute assemblies shall be designed foroperational re-use, parachute attachments must have a fatigueevaluation determined in accordance with USAR 570, unlessotherwise agreed with the Certifying Authority.


30/78






U1307 USAR.U1307 Environmental Contro l System(ECS)

See AMC.1307

Cooling must be provided for flight critical equipment asrequired for it to meet its performance and reliability for theintended lifetime.a) The ECS design shall incorporate the system safety requirements

of the UAV.

b) The ECS shall meet all safety requirements when operating underinstalled conditions over the design envelope and maintain

integration integrity to ensure the UAV safety-of-flight.c) The UAV shall incorporate an alternate means of cooling of safety-

critical avionics when the primary ECS is non-operational.



d) The ECS design (including emergency equipment and/or auxiliarymethods) shall provide an acceptable pressure environment forequipment affecting safety-of-flight.

e) Normal and emergency pressurization requirements and statusshall be indicated at the UCS.

f) Safety-critical items such as flight controls, avionics andcommunications shall function long enough to safely land the

aircraft if ECS function is lost and alternate methods are notavailable to insure airworthy operations.

g) ECS normal and emergency procedures shall be included in theUAV System flight manual.

..(Ver STANAG 4671)


31/78






USAR.U1412 Emergency Recovery Capability See USAR.1412 (a)(2) and AMC.1412 (e)

a) The UAV System must integrate an emergency recovery capabilitythat consists of :1. a flight termination system, procedure or function that aims to

immediately end normal flight, or,

2. an emergency recovery procedure that is implemented through UAVcrew command or through autonomous design means in order tomitigate the effects of critical failures with the intent of minimising therisk to third parties, or,

3. any combination of USAR.1412 (a) (1) and USAR.1412 (a) (2).



USAR.U1412 Emergency Recovery Capability

b) The emergency recovery capability must function as desired over

the whole flight envelope under the most adverse combination ofenvironmental conditions

c) The emergency recovery capability must be safeguarded frominterference leading to inadvertent operation.

d) The emergency recovery capability must receive its electricalpower, if needed, from the bus that provides the maximumreliability for operation. In case of complete loss of the primaryelectrical power generating system, it must automatically switch tothe battery.


32/78






USAR.U1412 Emergency Recovery Capability

e) Use of explosives to perform in-flight total destruction of the airvehicle is not an acceptable means of compliance to USAR.1412

f) Where the emergency recovery capability includes a pre-programmed course of action to reach a predefined site where itcan be reasonably expected that fatality will not occur, thedimensions of such areas must be stated in the UAV System FlightManual.



USAR.U1413 Engine Shut Down Procedure

In the event of an engine failure that causes shutdown, thefollowing requirements apply:a) the UAV must be designed to retain sufficient control and

manoeuvrability until it has reached a forced landing area.

b) therefore, the emergency electrical power must be designed in

such a way that its reliability and duration are compatible withUSAR.1413 (a). The time period needed to perform a glide frommaximum certificated altitude to sea level and reach a forcedlanding area includes the time needed for the UAV crew torecognise the failure and to take appropriate action, if required.

c) the engine shut down procedure must be analysed considering theexistence of the emergency recovery capability specified inUSAR.1412


33/78






USAR.1416 De-icer system If certification with ice protection provisions is desired and a

de-icer system is installeda) The system must meet the requirements specified in USAR.1419.

b) The system and its components must be designed to perform theirintended function under any normal system operating temperatureor pressure.

c) Not applicable in this subpart (see USAR.1811 Pneumatic de-icerboot system indicator)



USAR.1419 Ice Protection

If certification with ice protection provisions is desired,compliance with the following requirements must be shown:a) The recommended procedures for the use of the ice protection

equipment must be set forth in the UAV System Flight Manual or inapproved manual material.

b) An analysis must be performed to establish, on the basis of theUAVs operational needs, the adequacy of the ice protectionsystem for the various components of the UAV. In addition, tests ofthe ice protection system must be conducted to demonstrate thatthe UAV is capable of operating safely in continuous maximum andintermittent maximum icing conditions


34/78






USAR.1419 Ice Protection

c) Compliance with all or portions may be accomplished by reference,where applicable because of similarity of the designs to analysisand tests performed for the type certification of a Type CertificatedUAV.

d) When monitoring of the external surfaces of the UAV by the UAVcrew is required for proper operation of the ice protectionequipment, it must be ensured that the monitoring can be done inall operating and environmental conditions.



USAR.1431 Electronic equipmenta) In showing compliance with USAR.1309 (b)(1) and (2) with respect

to radio and electronic equipment and their installations, criticalenvironmental conditions must be considered.

b) Radio and electronic equipment, controls, and wiring must beinstalled so that operation of any unit or system of units will notadversely affect the simultaneous operation of any other radio or

electronic unit, or system of units.c) Not applicable in this subpart (see USAR.1707 Communication

system)

d) Not applicable in this subpart (see USAR.1707 Communicationsystem)

e) Not applicable in this subpart (see USAR.1707 Communicationsystem)


35/78






USAR.1431 Electronic equipment

f) Electronic payload equipment and wiring must be installed so thatoperation will not adversely affect the simultaneous operation ofany other radio or electronic unit, or system of units.

g) All sensitive and essential equipment as identified in (a) must beprotected againstinternal and external sourcesof electromagneticinterference (EMI).



USAR.1435 Hydraulic systemsa) Design. Each hydraulic system must be designed as follows:

1. Each hydraulic system and its elements must withstand, withoutyielding, the structural loads expected in addition to hydraulic loads.

2. Not applicable in this subpart (see USAR.1813 Hydraulic systemsindicator)

3. There must be means to ensure that the pressure, including transient

(surge) pressure, in any part of the system will not exceed the safe limitabove design operating pressure and to prevent excessive pressureresulting from fluid volumetric changes in all lines which are likely toremain closed long enough for such changes to occur.

4. The minimum design burst pressure must be 2.5 times the operatingpressure.

5. There must be adequate means to protect hydraulic systems critical tocontinued safe flight resulting from fluid loss.

6. All materials in contact with the hydraulic fluid shall be compatible withthe hydraulic fluid over the temperature range, functional, service andstorage conditions the hydraulic system will experience.


36/78






USAR.1435 Hydraulic systems .b) Tests. Each system must be substantiated by proof pressure tests.

When proof-tested, no part of any system may fail, malfunction, orexperience a permanent set. The proof load of each system mustbe at least 1.5 times the maximum operating pressure of thatsystem.

c) Accumulators. A hydraulic accumulator or reservoirs may beinstalled on the engine side of any firewall if1. It is an integral part of an engine or propeller system, or

2. The reservoir is non-pressurised and the total capacity of all such non-pressurised reservoirs is one litre (one US-quart) or less.



USAR.1437 Accessories for multi-engine UAV

For multi-engine UAV, engine-driven accessories essentialto safe operation must be distributed among the twoengines so that the failure of any one engine will not impairsafe operation through the malfunctioning of theseaccessories.


37/78






USAR.1438 Pressurisation and pneumatic systemsa) Pressurisation system elements must be burst pressure tested to

2.0 times, and proof pressure tested to 1.5 times, the maximumnormal operating pressure.

b) Pneumatic system elements must be burst pressure tested to 3.0times, and proof pressure tested to 1.5 times, the maximum normaloperating pressure.

c) An analysis, or a combination of analysis and test, may besubstituted for any test required by sub- paragraph (a) or (b) if theCertifying Authority finds it equivalent to the required test.



1461 USAR.1461 Equipment Containing High EnergyRotorsa) Equipment containing high energy rotors must meet sub-

paragraphs (b), (c) or (d) .b) High energy rotors contained in equipment must be able to

withstand damage caused by malfunctions, vibration, abnormalspeeds and abnormal temperatures. In addition

1. Auxiliary rotor cases must be able to contain damage caused by thefailure of high energy rotor blades; and2. Equipment control devices, systems and instrumentation must

reasonably ensure that no operating limitations affecting the integrity ofhigh energy rotors will be exceeded in service.

c) It must be shown by test that equipment containing high energyrotors can contain any failure of a high energy rotor that occurs atthe highest speed obtainable with the normal speed control devicesinoperative.

d) Equipment containing high energy rotors must be located whererotor failure will not adversely affect continued safe flight.


38/78






U1481 USAR.U1481 Payloadsa) A payload is a device or equipment carried by the UAV, which

performs the mission assigned. The payload comprises allelements of the air vehicle that are not necessary for flight but arecarried for the purpose of fulfilling specific mission objectives. It isassumed that a UAV System Type Certification Basis may bereleased for several payload configurations.

b) Where a UAV System is designed to carry payloads, theintegration and operation of those payloads must1. Not adversely affect the safe flight and control of the UAV;

2. Be shown as electromagnetically compatible (EMC) with systems onboard of the UAV;

3. Meet safety objectives as provided in USAR.1309.



U1485 USAR.U1485 Environmental Control System (ECS) See AMC.1485

a) If installed, the ECS must comply with the system safety requirementsapplicable to the UAV.

b) The ECS must meet all safety requirements when operating under installedconditions over the design envelope and maintain integration integrity toensure the UAV safety-of-flight.

c) In the event that the primary ECS is non-operational the UAV system designmust comply with either (1) or (2) such that no single ECS subsystem failure

shall result in loss of UAV.1. Incorporated secondary/emergency systems capable of maintaining flight safety critical

conditions. Such systems shall be capable of operating until either; the primary ECS isavailable or safe landing is achieved.

2. Allow the continued function of the safety critical operations (flight controls, avionics andcommunications) until safe landing is achieved.

d) ECS normal and emergency procedures must be included in the UAV SystemFlight Manual.

e) Adequate controls and displays for the ECS must be installed in the UCS orother appropriate locations to allow the ECS to function as intended. Sufficientcautions, warnings, and advisories must be provided to alert the UAV crew toproblems in time for corrective action to be taken from a safety-of-flightperspective.


39/78






AUTOMATIC TAKE-OFF SYSTEM - AUTOMATICLANDING SYSTEM

U1490 USAR.U1490 General

See AMC.1490 (f)(2)

When a UAV System, designed for conventional take-offand landing on a runway is equipped with an automatictake-off system or an automatic landing system or both, itshould meet the following requirementsa) Once the automatic take-off or landing mode has been engaged,

the UAV crew monitors the whole process from the UCS, via thecommand and control data link, but is not required to perform anymanual piloting action, except manual abort, where required, asper provisions of USAR.1492.

..



U1492 USAR.U1492 Manual Abort Function

Where a UAV System is designed for conventional take-offand landing on a runway, it must include the followingfunction:a) The automatic system must incorporate a manual abort function.

Its control shall be easily accessible to the UAV crew in order to

1. stop the UAV on the runway during the take-off run at every speed upto refusal speed or rotation speed VR, whichever is less.

2. where it is safe to perform, initiate a go around during the landingphase at every height down to a Decision Point.

b) Specific go around procedure shall be provided in the UAV SystemFlight Manual under USAR.1585 (j).


40/78





STANAG 4671 COMPLIANCE DEMOSTRATION

ACCEPTABLE MEANS OF COMPLIANCE (AMC)STANAG 4671 Book 2, Acceptable Means of Compliance

FAA AC 23-17C Systems and Equipment Guide forCertification of Part 23 Airplanes and Airships

FAA AC 23-2A Flammability Tests

FAA AC 20-73A Aircraft Ice Protection

FAA AC 23-8A Flight Test Guide for Certification of Part 23Airplanes

FAA AC 23.1309() System Safety Analysis and Assessment

for Part 23 Airplanes


STANAG 4671 COMPLIANCE REPORTS

Design Criteria

Functional Operations Test Results

Performance Test Results

System Safety Assessment (FHA, FMEA, FTA, CCA)

Component and Equipment SOFCertifications/Qualifications

Design Studies and Analysis

Installation and Operational Characteristics

Flight Manual and Limitations

Electromagnetic Environmental Effects Analysis and TestResults

Diminishing Manufacturing Sources Plan

Obsolete Parts Plan


41/78






Introduction STANAG 4703


STANAG 4671


System Safety Assessment for RPAS

Design Philosophy



UAV SYSTEM SAFETY ASSESSMENT

La para justificar la seguridad del sistema es necesariopreparar un anlisis de la seguridad de cada una de suspartes, tanto de forma individual como su conjunto.

Los objetivos de seguridad que debern ser demostradosdependern de la complejidad del sistema, y de laslimitaciones que se le impongan para su operacin

Para sistemas sencillos que vayan operar en espaciosareos segregados y sobre reas poco pobladas, podrabastar con demostrar que no existe ningn fallo simple queme llev a la prdida del control de la aeronave no tripulada

Para sistemas que vaya a operar sin restricciones enespacios areos no segregados, o incluso sobre reaspobladas, al criterio anterior habr que aadir que no existeninguna posible combinacin de fallos que no se puededemostrar como extremadamente improbable


42/78





UAV SYSTEM SAFETY ASSESSMENT

Los criterios y la terminologa aplicable a los anlisis deseguridad vienen establecidos en el material guacorrespondiente la seccin 1309:

Para UAS/RPAS las principales referencias son: USAR AMC.1309 (b) System Design and Analysis

FAA AC 23.1309C System Safety Analysis and Assessment forPart 23 Airplanes

A su vez este material gua hace referencia al siguientedocumento, que recoge la metodologa para preparar unSSA completo de un sistema: SAE ARP 4761 Guidelines and Methods for Conducting the Safety

Assessment Process on Civil Airborne Systems and Equipment


Evaluacin de la Segur idad del Sistema

Un SSA de un sistema complejo rene las conclusiones deotros anlisis mas detallados, y la metodologa a seguirest indicada en Material Interpretativo y desarrollada en elSAE ARP 4761.

Anlisis Funcional de los Riesgos(FHA)

Identificacin de los Modos de Fallo ylos Efectos (FMEA)

Anlisis de la Probabilidad de losFallos mas relevantes (FTA, DDA,MA)

Anlisis de las Causas Comunes deFallos (CCA PRA, ZSA, CMA)


43/78





SYSTEMS SAFETY ASSESSMENT PROCESS MODEL


ELECCIN DEL MTODO DE CUMPLIMIENTO

LA ELECCIN DEPENDER DE: Si el sistema se puede clasificar como es No-Esencial, Esencial o

Crtico para la operacin segura

Tambin dependen si podemos clasificar al sistema comoconvencional o como un sistema complejo

Si el sistema es redundante y puede provocar condiciones de fallocatastrficas


44/78





PROFUNDIDAD DE LOS AN LISIS AREALIZAR

La profundidad del anlisis depende de: De la clasificacin del sistema como sistema critic o esenciales

De la severidad de las condiciones de fallo que pueda provocar elsistema

De la propia complejidad del sistema, y si se debe demostrar queest diseado a prueba de fallos

De la similaridad con otros sistemas previamente ya aprobados


TIPOS DE ANLISIS (ASSESSMENTS)

En Material Interpretativo sobre la seccin 1309 podemosencontrar referencias a:

Design Appraisal

Installation Appraisal

Failures Modes and Effects Analysis

Fault Tree or Dependence Diagrams

Markov Analysis Common Cause Analysis

Zonal Safety Analysis

Particular Risk Analysis

Common Mode Analysis


45/78





Qu es un Anlisis Funcional de Riesgos

Anlisis metdico de todos los riesgos Clasificacin de las Condiciones de todos los riesgos

identificados

CLASIF.EFECTOSFASE DEVUELO

CLASEDEFALLO

FUNCIN

ANLISIS FUNCIONAL DE RIESGOS

Catastrfica

Peligrosa

Mayor

Menor


PROPSITO DE UN FHA

Identificar las potenciales condiciones de fallo y clasificar suseveridad

Desarrollar los requisitos de diseo para garantizar laseguridad del sistema respecto a; La arquitectura del sistema,

Integridad del software y hardware complejo (CEH),

Separacin y Segregacin En base a sus conclusiones desarrollar el diseo de forma

que se pueda asegurar el cumplimiento con los requisitosde seguridad

Identificar los mtodos de cumplimiento ms apropiados


46/78





ORGANIZACI N DEL CONTENIDO DE UNANALISIS DE RIESGOS FUNCIONALES

Descripcin del diseo del sistema y sus funciones Otros datos necesarios para poder realizar el anlisis y

comprender las conclusiones

Premisas que han sido consideradas o asumidas durante elanlisis

Anlisis sistemtico de todas las funciones y riesgosidentificados

Resultados y conclusiones del anlisis, mediante: Un resumen de las hojas de trabajo preparadas, con una lista de

condiciones de fallo crticas, o eventos relevantes para seranalizados a posteriori

El Apndice con las hojas de trabajo (FHA Worksheets)


HOJA DE TRABAJO DE UN FHA


47/78





FASES DE OPERACIN DE UN AERONAVE

Figura 2


Anlisis modos de fallos y efectos(AMFE/FMEA)

Un anlisis modos de fallos y efectos (AMFE/FMEA) es unde anlisis de fallos potenciales de un concepto, proceso odiseo y su clasificacin

Su clasificacin viene determinada por la gravedad o por elefecto de los fallos en el sistema

La finalidad de un FMEA es eliminar o reducir los fallos,

comenzando por aquellos con una prioridad ms alta. Puede ser tambin utilizado para evaluar las prioridades de

la gestin del riesgo durante el desarrollo del sisetma.


48/78





TIPOS DE FMEA


QUE ES UN FMEA DE UN DISEO

Es un anlisis sistemtico, inductivo, es decir desde loscomponentes ms pequeos del sistema e identificando losmodos de sus modos de fallo y como afectan a sufuncionamiento

Puede ser realizado a diversos niveles: Componente (Piece-Part)

Equipo (LRU, Blackbox) Funcional (System FMEA)

Tambin permite que se puedan analizar los fallos delsoftware de forma cualitativa y desde un punto de vistaestrictamente funcional


49/78





CONTENIDO DE UN FMEA DE UN DISEO

Anlisis de todos los modos de fallo de cada componentedel sistema y clasificacin de los efectos.

Efectos enel Sistema

Efectos enlaAeronave

IndicacinFaseModoFallo

Componente

Anl is is de Modos de Fallo y Efectos (Sistema / LRU)


PARA QUE SIRVE UN FMEA

Para determinar y analizar los efectos de un fallo de cadaparte, componente y equipo de un sistema

Para identificarFallos Latentes

Para Obtener mucha ms informacin sobre los fallos deun sistema que otros tipos de anlisis (FTA, RBD etc)

Para identificar condiciones de fallos simples que puedancausar consecuencias peligrosas o catastrficas


50/78





CONTENIDO DE UN FMEA

Un FMEA realmente incluye la siguiente informacin:Identificacin del componente, seal y/o funcin

Modos de fallo y tasas de fallo de los componentes

Fase de la operacin en la cual el fallo ocurre

Detectabilidad y medios de deteccin

Acciones manuales o automticas que compensan el fallo

Efecto de los fallos, bien de forma directa sobre aeronave o sobre elnivel superior del sistema


COMO SE DETERMINAN LOS MODOS DEFALLO

Teniendo suficiente conocimiento y experiencia sobre losprincipios de funcionamiento del sistema, equipo ocomponente

Mediante el uso de documentos con datos desarrolladospor la industria y las agencias como por ejemplo: MIL-HDBK-217,

MIL-HDBK-338, RAC Non-electronic Parts Reliability Data. (NPRD)

GIDEP (Government Industry Data Exchange Program),

MIL-HDBK-978,

Rome Laboratorys Reliability Engineers Toolkit


51/78





COMO SE PRESENTAN LOS RESULTADOS

Descripcin breve el sistema, equipo o componente Resumen de las conclusiones obtenidas en cada una de

las hojas de trabajo Lista de condiciones de fallo identificadas como peligrosas o

catastrficas, y si se debe a un fallo simple o una combinacin

Lista de todos los fallos latentes

Lista de los procedimientos de operacin identificados

Lista procedente de mantenimiento identificados

Las hojas de trabajo las cuales se habrn preparado deacuerdo con el tipo de anlisis de modo de fallos que

estamos realizando


HOJA DE TRABAJO SFMEA


52/78





DETERMINACI N DE LA PROBABILIDAD DEUN FALLO

Para determinar la probabilidad de un fallo que afecte a unsistema podemos utilizar las siguientes tcnicas:

Anlisis de rbol de Fallos (FTA)

Diagrama de Dependencia (DD)

Diagramas de Bloques de Fiabilidad (RBD)

Anlisis de Markow (MA)

Anlisis de Montecarlo


QUE ES UN RBOL DE FALLOS (FTA)

El rbol de fallos una representacin grfica organizada delas condiciones y factores que causan, o contribuyen a laaparicin de un suceso indeseable

Este suceso es conocido como Suceso Superior" o "TopEvent"


53/78





RBOL DEL FALLO DE SISTEMA DE EXTINCIN


DATOS PARA LA PREPARACIN DE FTA


54/78





ANLISIS DE CAUSA COMN DE FALLO

Un fallo por una causa comn en funciones similaresmltiples es el resultado de un evento simple que causaque estas funciones fallen de la misma manera y al mismotiempo

Una causa comn de fallo ocurre siempre que se usanarquitecturas redundantes para mejorar la fiabilidad de unafuncin crtica o esencial


FALLOS EN CASCADA

Los fallos en cascada son un tipo particular de falloscausas o modos comunes, donde un fallo simple, que porel mismo no se puede considerar como peligroso, puedeprecipitar una cadena de fallos que s pueden ser peligros.

Es un fallo cuya la probabilidad de que ocurra se vesignificativamente incrementada por la existencia de un

fallo previo Las estadsticas del accidentes muestran que realmente se

producen en muchos casos por una cascada o serie defallos no previstos

La causa comn de fallo en cascada puede ocurrir si el falloen una funcin trae consigo el fallo de otras funciones.


55/78





Sistemas Candidatos a Producir Fallos enCascada

El sistema elctrico, si no existe una adecuada segregacinde la alimentacin de los sistemas con funcionesredundantes

Los sistemas hidrulicos que proporciona la energanecesaria para mover mandos de vuelo, y por estar sujetosa Contaminacin de sus fluidos a

Incremento de los esfuerzos por fallo de uno de sus componentes

Los sistemas que utilizan uniones mecnicas paratransmitir movimiento, afectados por la desconexin oatasco

Los sistemas de combustible y los fallos en un motor enaeronaves con varios motores


AN LISIS DE LAS CAUSAS COMUNES DEFALLO

Al establecer las probabilidades de que ocurrancondiciones de fallo peligrosas o catastrficas, a menudoasumimos durante los anlisis de sistemas mltiples quelos fallos son independientes.

Por lo tanto, es necesario verificar que tal independenciaexiste, para lo cual hay que establecer unas tcnicas de

anlisis apropiadas para el tipo de fallos que estamosanalizando

Estas tcnicas o mtodos de anlisis de las causascomunes de fallo podemos dividir en: Anlisis de Riesgos Zonales (ZSA)

Anlisis de Riesgos Particulares (PRA)

Anlisis de Modos Comunes de Fallo (CMA)


56/78





OBJETIVOS DE UN ANLISIS ZONAL

El objetivo de un anlisis de seguridad zonal es asegurarque el diseo del sistema y su instalacin cumple con losobjetivos de seguridad respecto a: Los estndares aceptados de diseo e instalacin

Los efectos de los fallos sobre la aeronave

La implicacin de los posibles errores de mantenimiento

La verificacin de que el diseo cumple con los requisitos deindependencia asumidos durante el anlisis de la probabilidad decada fallo relevante para la seguridad de la aeronave


MATRIZ DE RIESGOS POR ZONAS


57/78





TAREAS PARA DE UN ANLISIS ZONAL

El anlisis de seguridad zonal es principalmente un anlisiscualitativo que comprende principalmente tres tareasseparadas Preparacin de las guas de diseo e instalacin

Inspeccin de la instalacin en la zona

Inspeccin de las interferencias entre los sistemas, equiposcomponentes

Documentacin de las observaciones y conclusiones


DOCUMENTACIN DEL ANLISIS ZONAL

Los resultados de las inspeccines, y los posibles efectossobre la aeronave debern quedar documentados en uninforme de anlisis de la seguridad zonal (ZSA)

Los registros de los anlisis e investigaciones realizadasdeben ser realizados a diario, de acuerdo con una lista decomprobacin y debern quedar adecuadamente

contemplados: Cualquier problema potencial de la instalacin,

Las desviaciones encontradas respecto a las guas de instalacin,

Fallos significativos que puedan afectar a los sistemas

La manera en la que se pueden resolver los posibles riesgos


58/78





ZHA - EJEMPLO HOJA DE TRABAJO


ANLISIS DE RIESGOS PARTICULARES

Los riesgos particulares son eventos o condicionesexternas al sistema que pueden violar la independenciaasumida durante los anlisis de fiabilidad del sistema

Estas condiciones externas pueden influenciar a variaszonas de la aeronave a la vez, simultneamente

Alguno de los riesgos los particulares y estn sujetos a

requisitos de aeronavegabilidad especficos


59/78





RIESGOS PARTICULARES CON REQUISITOSESPECFICOS

RIESGOS PARTICULARES FAR 25

Estallido de Turbina 25.903

Reventn de Neumticos 25.729

Proteccin contra Fuego Varios

Formacin de Hielo 25.1419

Impacto de un Rayo 25.1316

Campos de Alta Energa de Radiada 25.1317


EFECTOS DEL ESTALLIDO DEL ROTOR


60/78





RIESGOS ASOCIADOS AL ESTALLIDO


OTROS POSIBLES RIESGOS PARTICULARES

Roturas en Dispositivos de alta energa ( Motor, APU,Fans)

Rotura de Botellas de Alta Presin

Rotura de conductos de aire a alta presin

Fugas de conductos de aire a alta temperatura

Fuga y Escapes de fluidos (Examinados generalmente enZSA)

Efectos por pedrisco, nieve, hielo

Impacto de pjaros

Sacudidas de ejes que han perdido algn soporte

Rotura de amparos de presin


61/78





Documentacin del Anlisis de RiesgosParticulares

1. Descripcin del riesgo particular analizado2. Elementos que se ven afectados por el riesgo particular

3. Zonas donde estos elementos estn instalados

4. Modos de fallo causados por el riesgo particular objeto deinvestigacin

5. Efecto resultante sobre aeronave y clasificacin de susefectos Adicionalmente se podra incluir:

Cualquier desviacin sobre las premisas iniciales

La manera de como se han resuelto los riesgos


ANLISIS DE MODOS COMUNES

Este tipo anlisis se debe realizar a lo largo de todo elproceso de desarrollo y anlisis de un sistema

Es un anlisis cualitativo, una herramienta analtica usadapara asegurar la fiabilidad y robustez de un diseo

La experiencia acumulada en el diseo se debe usar paraverificar la integracin de los componentes de una manera

lgica El anlisis de modos comunes se realiza para verificar que

todos los eventos analizados para determinar laprobabilidad de que ocurra un fallo peligroso o catastrficoson realmente independientes


62/78





PROCESO PARA REALIZAR UN AN LISIS DEMODOS COMUNES

Establecer listas de comprobacin especficas para elprograma Tipos de modos comunes

Fuentes del error

Condiciones de fallo

Identificar los requisitos aplicables

Analizar el diseo de los sistemas y componentes paraverificar que se cumplan los requisitos aplicables

Documentar los resultados obtenidos en los pasos

anteriores


Modos Comunes Que Deben SerConsiderados

Errores de diseo del software

Errores de diseo del hardware

Fallos del hardware

Defectos o errores en los procesos de produccin oreparacin

Eventos relacionados con los esfuerzos

Errores de instalacin

Errores en los requisitos de diseo

Factores Ambientales

Fallos en Cascada

Fallos de fuentes externas comunes


63/78





IDENTIFICACIN DE LOS REQUISITOS CMA

Para establecer los requisitos es necesario que el analistaconozca: La arquitectura del diseo y el plan de instalacin

Las caractersticas de los componentes y los equipos

Las tareas de prueba y mantenimiento

Los procedimientos de la tripulacin

Las especificaciones de los sistemas, equipos y software


CARACTER STICAS DE PROTECCI NCONTRA LOS MODOS COMUNES

Principios de funcionamiento diferentes, redundancia ybarreras

Programas de mantenimiento preventivo y pruebas

Niveles de control del diseo y calidad del diseo

Revisin de procedimientos o especificaciones

Entrenamiento del personal

Control de calidad


64/78





INTERRELACIN DE LOS TIPOS DE ANLISIS

El anlisis de riesgos (FHA) establece los eventos que sonrelevantes para garantizar la operacin segura, y losobjetivos de seguridad

El anlisis de modos de fallo (FMEA) nos proporciona queocurre con cada fallo de cada componente de los sistemas

El anlisis de la fiabilidad de las funciones criticas(FTA/RBD), nos garantiza que cumplimos con los objetivosde seguridad

El anlisis de causas comunes (CCA) verifica que no hay

nada externo o interno al sistema que pueda violar laindependencia y segregacin asumida durante los anlisisprecedentes


INTERRELACIN DE LOS TIPOS DE ANLISIS


65/78





MATERIAL GUA DE LAS AGENCIAS

EASA AMC 25.1309 System Design and Analysis EASA AMC 25.901(c) Safety Assessment of Powerplant

Installations

EASA AMC E-150 Safety Analysis

EASA AMC P-150 Propeller Safety Analysis

EASA AMC 25.1709 System Safety; EWIS

FAA AC 23.1309-1D System Safety Analysis andAssessment For Part 23 Airplanes

FAA AC 25.1309-1A System Design Analysis

FAA AC 25.1309-1B (Draft ARAC TAE_SDA_T2 )



Introduction

STANAG 4703


STANAG 4671


System Safety Assessment for RPAS

Design Philosophy



66/78





Safety Assessment for RPAS

Probable

Remoto

ExtremadamenteRemoto

ExtremadamenteImprobable

Menor Mayor Peligroso Catastrfico

Probabilidad

Severidad

Limite Aceptable

El nivel de riesgo de un evento sedescribe como la combi nacin de laprobabilidad de ocurrencia del eventoy la severidad de la consecuencia

Equipos y sis temas instalados enla aeronave / Estacin de control

SOFTWARE LEVELDEFINITIONS

RTCA-DO-178B

Level A - CatastrficoLevel B - Peligroso

Level C - MayorLevel D - MenorLevel E - Sin efecto

En las situaciones ms adversas posibles.


CS 25.1309 Equipment, systems and installations (See AMC 25.1309)

a) The aeroplane equipment and systems must be designed andinstalled so that:1. Those required for type certification or by operating rules, or whose

improper functioning would reduce safety, perform as intended underthe aeroplane operating and environmental conditions.

2. Other equipment and systems are not a source of danger in themselves

and do not adversely affect the proper functioning of those covered bysub-paragraph (a)(1) of this paragraph.

b) The aeroplane systems and associated components, consideredseparately and in relation to other systems, must be designed sothat:1. Any catastrophic failure condition

i. isextremely improbable;andii. does not result from asingle failure; and

2. Any hazardous failure condition isextremely remote; and3. Any major failure condition isremote.


p


67/78





Historicamente: La probabilidad de accidente de un avin grande de transporte

debido a causas relacionadas con la operacin y la estructura es,aproximadamente:

1 x 10-6 por FH

El 10%, aproximadamente, es debido a Condiciones de Fallos delos sistemas. Por tanto, debido a sistemas es:

1 x 10-7 por FH

Se supone que existen 100 Condiciones de Fallo en un avingrande que pueden ser Catastrficas, por tanto:

1 x 10-9 por FH para cada Cond ic in Fal lo Catastrf ico queest asociado al trmino Extremadamente Improbable



Los objetivos de safety deben considerar:

Nivel de seguridad equivalente a los aviones tripulados

La proteccin a terceros Tripulacin UAV

Otras aeronaves

Daos en tierra

La realidad econmica para permitir su desarrollo

Aceptacin social

Consistencia con los de las aeronaves actuales (transporte civil ymilitar).



68/78





Dificultades aplicacin requisito XX.1309 Definiciones de severidad.No son aplicables las definiciones de

aviacin convencional. An NO hay consenso para los RPAs.

Metodologa para su aplicacin. Los AMCs EASA o ACs FAA noson directamente aplicables. La severidad de los fallos puede variarentre aviacin convencional y RPAs

Piloto al mando: En aviacin convencional el piloto es infalible. EnRPAs el piloto est basado en algoritmos. Qu criterios seaplican a los algoritmos?

Nuevas tecnologasNO empleadas en aviacin convencional.

Establecimiento niveles de probabilidad.



Historicamente: La probabilidad de accidente de un avin grande de transporte

debido a causas relacionadas con la operacin y la estructura es,aproximadamente:

1 x 10-6 por FH

El 10%, aproximadamente, es debido a Condiciones de Fallos delos sistemas. Por tanto, debido a sistemas es:

1 x 10-7 por FH Se supone que existen 100 Condiciones de Fallo en un avin

grande que pueden ser Catastrficas, por tanto:1 x 10-9 por FH para cada Condici n Fall o Catastrfico que estasociado al trmino Extremadamente Improbable

La mayora de los UAS tienen sistemas complejos (sistema control de vuelo,sistema de guiado, etc). Por tanto es razonable suponer que estos sistemaspuedan tener 100 condiciones potenciales de fallo independientemente deltamao del avin,



69/78





Quantitative integrity required to maintain safe flight andlanding to equivalent manned aircraft (excluding MAC)

Aircrafttype Hullloss

rate

10%dueto

systems

PotentialFailure

Conditions

ProbabilityofasystemsFC

leadingtoCATFC

MannedCS25Largetransporta/c 1x106 1x107 100(102) 1x109

UAS25Largetransportaircraft 1x106 1x107 100(102) 1x109

MannedCS23classI 1x104 1x105 10(101) 1X106

UAS23classI 1x104 1x105 100(102) 1x107

MannedCS23classII 1x105 1x106 10(101) 1x107

UAS23classII 1x105 1x106 100(102) 1x108

MannedCS23classIII 1x106 1x107 10(101) 1x108

UAS23classIII 1x106 1x107 100(102) 1x109

MannedCS27smallrotorcraft 1x104 N/A N/A N/A

UAS27smallrotorcraft 1x104 1x105 100(102) 1x107

MannedCS29largerotorcraft 1x105 N/A N/A N/A

UAS

29

large

rotorcraft 1x10

5 1x10

6

100

(10

2) 1x10

8MannedCSVLAVeryLighta/c 1x104 N/A N/A N/A

UASVLAVeryLighta/c 1x104 1x105 100(102) 1x107

MannedCSVLRVeryLightr/c N/A N/A N/A N/A

UASVLRVeryLightRotorcraft 1x104? 1x105 100(102) 1x107

BVLOSUASbelow manned a/cweights 1x103? 1x104 100(102) 1x106?

VLOSUASbelowmannedai/cweights 1x103? 1x104 10(101) 1x105?



La probabili dad de impactar cont ra alguien en el suelo en una cadaincontrolada se considera 100%.

Clasificacin del fallo en funcin del nivel de energa.

Otras opciones:

Inicialmente:

Probabilidad de daos a terceros

Densidad de poblacin

Area letal

Energa de impacto



70/78





Nivel de energa:

PUNTO DE PARTIDAV impacto kts CS-25

CATASTRFICO450

1.52 x 108 NmPELIGROSO

R= p x E =0.152MAYOR

5.670 Masa KgEc =Mx(1,5xVc)2 = 152MJ

R=pxE=1,52



Relationship between aircraft accidents and ground fatalities

EASA annual safety review2009 (EASA MS operators )

NTSB (USA GA 2005)

Average No.accidents/year(10 year perio d)

1160 1730

Average No. fatalaccidents/year

145 341(13% of accidents) (20% of accidents)

Average No.accidents/yearwith ground fatalities

modulo 08 airborne systems

Documents