Hazard Analysis for Rotorcraft


Hazard Analysis for Rotorcraft

Authors:
- 2nd Lt. Blake Abrecht, USAF, Massachusetts Institute of Technology, Engineering Systems Division, Master's Student
- Mr. Dave Arterburn, Director, Rotorcraft Systems Engineering and Simulation Center, University of Alabama in Huntsville
- 2nd Lt. David Horney, USAF, and 2nd Lt. Jon Schneider, USAF, Massachusetts Institute of Technology, Aeronautics and Astronautics, Master's Students
- Major Brandon Abel, USAF, Massachusetts Institute of Technology, Aeronautics and Astronautics, PhD Candidate
- Dr. Nancy Leveson, Professor of Aeronautics and Astronautics, Massachusetts Institute of Technology

22 March 2016

Disclaimer The views expressed in this presentation are those of the authors and do not reflect the official policy or position of the United States Air Force, United States Army, Department of Defense, or the U.S. Government. STAMP Workshop 2

Case Study

Sources:
- Solem, Courtney. Using Fly-By-Wire Technology in Future Models of the UH-60 and other Rotary Wing Aircraft. Oregon NASA Space Consortium.
- Havir, T. J., Durbin, D. B., and Frederick, L. J. Human Factors Assessment of the UH-60M Common Avionics Architecture System (CAAS) Crew Station During the Limited User Evaluation (LEUE). Army Research Laboratory, December 2005.

Objective: apply Systems Theoretic Process Analysis (STPA) to the analysis of the Warning, Caution, and Advisory (WCA) system of the UH-60M Upgrade.

Outline
- UH-60MU WCA Case Study
- Comparison to Traditional Techniques
- MIL-STD-882E Compliance
- Summary

STPA Process
1. Define accidents/hazards
2. Model control structure
3. Identify unsafe control actions
4. Generate causal scenarios

Step 1: Identify and define accidents and hazards
- Accident (loss): an undesired or unplanned event that results in a loss
- Hazard: a system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident

Step 2: Model the control structure for the system
- Control structure at the organizational level
- Functional control structure at the system level

Step 3: Identify unsafe control actions (UCAs)
- UCAs lead to a hazardous system state

Step 4: Identify causal factors and generate scenarios
- Causal scenarios are identified for each unsafe control action

UH-60MU WCA Case Study, Step 1: Define Accidents/Hazards

Defined accidents:
- A-1: Loss or major damage to aircraft
- A-2: One or more fatalities or significant injuries

Defined hazards:
- H-1: Violation of minimum separation requirements (A-1, A-2)
- H-2: Lack of aircraft control (A-1, A-2)

Scope of case study: limited to WCAs and systems associated with the Electrical and Flight Control Subsystems of the UH-60M Upgrade.

UH-60MU WCA Case Study, Step 2: Model Control Structure

Training and Peacetime Organizational Safety Control Structure (figure; responsibilities shown at the organizational level):
- Continuously monitor quality control.
- Ensure adequate training of UH-60MU maintenance personnel.
- Ensure proper and timely UH-60MU inspections.
- Ensure adequate UH-60MU program supervision.
- Provide maintenance personnel with lessons-to-be-learned from all platform accident summaries.

The focus of this analysis is the aircraft-level portion of this structure. Organizational decisions, regulations, training procedures/requirements, operations orders, etc. can all affect UH-60MU operations.

UH-60MU WCA Case Study, Step 2: Model Control Structure

Functional Control Structure (1): Safety-Related Responsibilities/Process Models (figure). Each controller within the UH-60MU has safety-related responsibilities and process models that inform action generation.


Functional Control Structure (2): Feedback Loops and Functional Relationships (figure). The relevant control actions and feedback within each feedback loop are analyzed to determine unsafe control actions and generate causal scenarios.

Functional Control Structure (3): Detailed Electrical Subsystem Components (figure).

Functional Control Structure (4): Detailed FCS Components (figure).

UH-60MU WCA Case Study, Step 3: Unsafe Control Actions

Four parts of an unsafe control action:
- Source controller: Flight Crew, PVI components, or automatic controllers (FCC)
- Type of control action: does not provide; does provide; provided in the wrong order / incorrect timing; stopped too soon / applied too long
- Control action: the action that the controller provides (or does not provide)
- Context: the scenario that makes the control action unsafe

Example UCA table for the control action "Electrical Cautions ON" (controller: EICAS):
- Not providing causes hazard: ES UCA32: EICAS fails to present an electrical caution when the applicable conditions for an alert exist. [H-1, H-2]
- Providing causes hazard: ES UCA33: EICAS presents an electrical caution when the conditions applicable to the caution do not exist. [H-1, H-2]
- Incorrect timing / incorrect order: ES UCA34: EICAS presents an electrical caution too late for the Flight Crew to recover the aircraft to a safe condition. [H-1, H-2]
- Stopped too soon / applied too long: N/A

This technique identified 126 unsafe control actions as part of this case study.
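The UCA table above is a structured record: each entry names a controller, a control action, one of the four UCA types, a context and the hazards it traces to. The following is an added example (not the authors' tooling) that encodes the slide's EICAS entries, hazards and accidents in that form and runs the two checks a reviewer wants before signing off: that every UCA traces to a defined hazard and every hazard to a defined accident, and which of the four UCA types still lack an entry for each control action (either a justified N/A, as on the slide, or a gap in the analysis).

```python
"""Minimal STPA UCA table with traceability and coverage checks.
Accidents, hazards and the three EICAS UCAs are taken from the slides;
the data model and checks are an added illustration."""
from dataclasses import dataclass

# The four UCA types from the slide, in the slide's order.
UCA_TYPES = ("not_provided", "provided",
             "wrong_timing_or_order", "stopped_too_soon_or_too_long")

ACCIDENTS = {"A-1": "Loss or major damage to aircraft",
             "A-2": "One or more fatalities or significant injuries"}
# hazard id -> (description, accidents it can lead to)
HAZARDS = {"H-1": ("Violation of minimum separation requirements", ("A-1", "A-2")),
           "H-2": ("Lack of aircraft control", ("A-1", "A-2"))}


@dataclass(frozen=True)
class UCA:
    uid: str
    controller: str
    action: str
    kind: str        # one of UCA_TYPES
    context: str     # the scenario that makes the action unsafe
    hazards: tuple   # hazard ids the UCA traces to

# Entries from the slide; "stopped too soon / applied too long" is N/A there.
UCAS = [
    UCA("ES UCA32", "EICAS", "Electrical caution ON", "not_provided",
        "fails to present a caution when alert conditions exist", ("H-1", "H-2")),
    UCA("ES UCA33", "EICAS", "Electrical caution ON", "provided",
        "presents a caution when its conditions do not exist", ("H-1", "H-2")),
    UCA("ES UCA34", "EICAS", "Electrical caution ON", "wrong_timing_or_order",
        "presents a caution too late for the crew to recover", ("H-1", "H-2")),
]


def traceability_errors(ucas, hazards=HAZARDS, accidents=ACCIDENTS):
    """Every UCA must trace to defined hazards; every hazard to defined accidents."""
    errors = []
    for uca in ucas:
        if uca.kind not in UCA_TYPES:
            errors.append(f"{uca.uid}: unknown UCA type {uca.kind!r}")
        if not uca.hazards:
            errors.append(f"{uca.uid}: no hazard linked")
        errors += [f"{uca.uid}: undefined hazard {h}" for h in uca.hazards if h not in hazards]
    for hid, (_, accs) in hazards.items():
        errors += [f"{hid}: undefined accident {a}" for a in accs if a not in accidents]
    return errors


def coverage_gaps(ucas):
    """Per (controller, action): the UCA types with no entry yet, for reviewer sign-off."""
    seen = {}
    for uca in ucas:
        seen.setdefault((uca.controller, uca.action), set()).add(uca.kind)
    return {key: [k for k in UCA_TYPES if k not in kinds] for key, kinds in seen.items()}


def accidents_for(uca, hazards=HAZARDS):
    """Resolve UCA -> hazards -> accidents, i.e. the losses the UCA can contribute to."""
    return sorted({a for h in uca.hazards for a in hazards[h][1]})
```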

UH-60MU WCA Case Study, Step 4: Causal Scenarios

Potential causes of unsafe control:
- Process model flaws
- Inadequate design requirements
- Conflicting feedback
- Inadequate feedback
- Missing feedback
- Inappropriate control actions
- Ineffective control actions
- Missing control actions
- Physical component failures
- Etc.

Causal scenarios allow more detailed, traceable safety recommendations to be made for safe UH-60MU operation.

STPA Unsafe Control Action: The Flight Crew does not provide the collective control input necessary for level flight, resulting in controlled flight into terrain.

Scenario 1: The Flight Crew has a flawed process model and believes they are providing sufficient control input to maintain level flight. This flawed process model could result from:
a) The altitude indicator and attitude indicator are malfunctioning during IFR flight and the pilots are unable to maintain level flight
b) The Flight Crew believes the aircraft is trimmed in level flight when it is not
c) The Flight Crew has excessive workload due to other tasks and cannot control the aircraft
d) The Flight Crew has degraded visual conditions and cannot perceive slow rates of descent that result in a continuous descent
e) The Flight Crew does not perceive rising terrain and trims the aircraft for level flight, which results in controlled flight into terrain

Outline
- UH-60MU WCA Case Study
- Comparison to Traditional Techniques
  - Hazard Classification example
  - Hazard Tracking Worksheet example
  - Failure-based Hazard example
- MIL-STD-882E Compliance
- Summary

UH-60MU SAR Hazard Classification

UH-60MU SAR marginal hazards:
- Loss of altitude indication in DVE
- Loss of heading indication in DVE
- Loss of airspeed indication in DVE
- Loss of aircraft health information
- Loss of external communications
- Loss of internal communications

The UH-60MU SAR identifies as marginal various hazards that could lead to a catastrophic accident.

STPA Unsafe Control Action: The Flight Crew does not provide the collective control input necessary for level flight, resulting in controlled flight into terrain.

Scenario 1: The Flight Crew has a flawed process model and believes they are providing sufficient control input to maintain level flight. This flawed process model could result from:
a) The altitude indicator and attitude indicator are malfunctioning during IFR flight and the pilots are unable to maintain level flight
b) The Flight Crew believes the aircraft is trimmed in level flight when it is not
c) The Flight Crew has excessive workload due to other tasks and cannot control the aircraft
d) The Flight Crew has degraded visual conditions and cannot perceive slow rates of descent that result in a continuous descent
e) The Flight Crew does not perceive rising terrain and trims the aircraft for level flight, which results in controlled flight into terrain

UH-60MU SAR Hazard Tracking Worksheet

The causal factors of this hazard condition include only failures. An assumption is made that the Flight Crew will not only recognize this hazard condition, but also respond appropriately. As a result, the existing controls considered adequate for mitigation include only redundant systems and Level A software.

Source: Sikorsky Aircraft Corporation, Safety Assessment Report for the UH-60M Upgrade Aircraft, Document Number SER-703655, 03 January 2012.

UH-60MU SAR Failure-based Hazards

UH-60MU SAR residual hazard: APU chafing can lead to failure of the UH-60MU APU and can affect blade deice operations when the loss of a main generator occurs.

STPA Unsafe Control Action: The Flight Crew does not switch APU generator power ON when either GEN 1 or GEN 2 is not supplying power to the helicopter and the Blade Deice System is required.

Scenario 1: The Flight Crew does not know that APU generator power is needed to run the Blade Deice System. This flawed process model could result from:
a) The ICE DETECTED, MR DEICE FAULT/FAIL, or TR DEICE FAIL cautions are not given to the Flight Crew when insufficient power is available for the Blade Deice System
b) The Flight Crew does not know that two generators are not providing power to the Blade Deice System
c) The Flight Crew acknowledged the GEN 1 or GEN 2 FAIL cautions prior to needing the Blade Deice System and failed to start the APU GEN when the additional power was required for the Blade Deice System

STPA identifies non-failure scenarios that can lead to a hazardous system state and that are not documented by traditional hazard analysis techniques.

Outline
- STPA Background
- UH-60MU WCA Case Study
- Comparison to Traditional Techniques
- MIL-STD-882E Compliance
- Summary

MIL-STD-882E Compliance

(Figure: MIL-STD-882E System Safety Process, with each step marked as either fully addressed or partially addressed through use of STPA.)

MIL-STD-882E Compliance

STPA supports Task Section 100 (System Safety Management), Task 106: Hazard Tracking System. STPA allows for the generation of normal-operations mitigation measures that are identified and selected with traceability to version-specific hardware designs or software releases (MIL-STD-882E, p. 38).

STPA supports Task Section 200 (Analysis), Task 205: System Hazard Analysis. Identify previously unidentified hazards associated with subsystem interfaces and faults; identify hazards associated with the integrated system design, including software and subsystem interfaces; recommend actions necessary to eliminate identified hazards or mitigate their associated risks (MIL-STD-882E, p. 54).

Summary
- STPA was shown to be a viable and useful hazard analysis process.
- STPA identified additional hazard causes not documented by previous traditional analyses, and it includes humans as system components.
- STPA's top-down approach assists in scoping and reducing the analysis effort.
  - The hierarchical abstraction of STPA limits the analysis to the most serious hazards and does not require considering all component failures.
- STPA can be used at any life cycle stage.
  - It provides the most benefits in the early stages of design and contracting (when existing methods are not feasible).
  - It can be included in system specifications and contracting language.
- Using STPA supports both the MIL-STD-882E and SAE ARP 5754A standards, for military and commercial aircraft respectively.