International Helicopter Safety Symposium 2005
Mr. Bob Frazier, AEPCO Contracted System Safety Manager
Mr. Colin Gale, United Kingdom AHIPT AH/M&L/S&S
Apache Cooperative Project Office
AH-64D Aircraft Safety Model “Potential Cumulative Risk Model”
Background
• USG and UK have cooperative agreements and have formed a Cooperative Project Office (CPO).
• The UK attends and participates at the Joint Apache System Safety Working Group meetings.
• Under the CPO MOU the US/UK have formed 7 working groups. Through the Safety working group the AAH PMO became aware of the UK Safety Management Program and the UK Aircraft Safety Model and program for managing risks.
• The Apache PMO recognized the UK Safety Model, which uses a Fault Tree, as a potential method for modeling cumulative system risk.
• The Apache PM attends and participates as a member of the UK AHIPTL Safety Panel.
• UK MoD requires hazard risk to be ‘As Low As Reasonably Practicable’ (ALARP).
• UK guidance material suggests a target probability of 10^-6 per flying hour for loss of aircraft or death (JSP 553).
• Demonstrate with an analyzable Safety Case (DERA report ‘Guidance for the Provision of an Aircraft Safety Case’).
• Recommended practices highlight the technique of Fault Tree Analysis (e.g. SAE ARP 4761).
Risk Management Tools
• UK Risk Management Tools
  • Hazard Log Database (HLD):
    • ‘Bottom up’ approach of the user’s view of causes of failure, classification of severity.
    • Fault probability data is traceable via decisions at the System Safety Review Group (SSRG) and captured in the HLD.
    • Source documents are referenced in the Apache HLD.
    • SSRG risk decisions are recorded in the HLD.
  • Aircraft Safety Model (ASM):
    • ‘Top down’ approach of catastrophic hazards and contributing failure mechanisms, by construction of Fault Tree diagrams.
  • These are complementary approaches.
• Aircraft Safety Model:
  • The UK Safety Model was developed by Westland Helicopters Limited under contract to the MoD, with guidance from DERA (now QinetiQ) and supported by ERA (Independent Safety Advisor to the AAH IPT).
  • The model uses a Fault Tree “top down” approach of catastrophic hazards and contributing failure mechanisms, through the construction of Fault Tree logic diagrams.
  • Fault probability data is traceable via decisions at review and source documents referenced in the Apache Hazard Log Database.
Observations of the UK Safety Model
• Traditional fault trees tend to concentrate on material failures and are considered a valid approach for a quantitative risk decision tool.
• The UK ASM is a fault tree that models the way in which faults can, either singly or in combination, result in an accident.
• Accidents rarely happen purely as a result of material failures. They usually result from a combination of failures and circumstances.
• A risk-based fault tree may be used to make the contribution to an accident of “material”, “human” and “environment” elements explicit.
• The UK ASM is used to establish which combinations of hazards/failures will be catastrophic.
• The UK ASM contains failures that either directly (via OR gates) or indirectly (via AND gates) lead to a catastrophic event.
Aircraft Safety Model
• Under a cooperative effort the UK MoD, working with QinetiQ, have assisted the US in the development of an aircraft safety model for the Longbow Apache helicopter.
• Status of the US project:
  • US is currently 95% complete in terms of architecture.
  • The FT requires population with parts data, then actual failure data, in order to get a realistic prediction capability to identify baseline cumulative risk.
  • These methods are being considered to populate failure data:
    • Original FMEA/FMECA reliability predictions
    • Industry standards for component reliability
    • FMEA/FMECA data updated with actual failure data
    • Aircraft component design specifications
    • Combinations of the above with adjudication using engineering judgment
  • Attempting to get failure/reliability data from the Prime and its subcontractors.
Aircraft Safety Model: Objectives of a System Safety Program
• To identify, evaluate and eliminate the hazards associated with each system (or to reduce the risk to an acceptable level)
• To consider and use the historical data, including lessons learned from other systems
• To seek minimum risk in accepting and using new designs, materials, and production and test techniques
• To take action to eliminate hazards or reduce risks to a level acceptable to the managing activity
• To accomplish changes in design, configuration, or mission requirements in such a manner that a risk level acceptable to the managing activity is maintained
Aircraft Safety Model
• Fault Tree risk applications provide us with a means of achieving the System Safety objectives:
  • If properly constructed and populated with accurate failure data, the FT will define cumulative baseline risk to a system and subsequent changes in risk.
  • The FT allows for a greater understanding of the cumulative failure effects of component failures at the subsystem and system levels (i.e. marginal or negligible severity risks could, if combined with the right exposure condition, propagate to a critical or catastrophic risk level).
  • Accident investigation/analysis.
• When combined with Isograph’s Risk Vu software (live risk model):
  • Changes in risk to the system can be quantified, and risk management decisions can be based on risk vs cost outcome by derived risk scenarios and potential mitigation practices, without changing the baseline FT.
  • System configuration changes can be evaluated to see the dynamic impact on risk to the system (i.e. on a case by case basis, or for major system engineering changes, overhauls or redesigns) without changing the baseline FT.
Aircraft Safety Model
• Hazards with lesser severity may not appear in the model unless they contribute to a catastrophic event, but will be tracked in the hazard log database.
• The ASM provides identification of “Worst Credible” outcomes; all credible possibilities are considered, including multiple or cascading failures or events.
• Modelling allows for consideration of Risk Exposures and Mitigation Methodology to be included in the model.
Aircraft Safety Model
• The Aircraft Safety Model is currently populated with the following types of failure data:
  • LSAR data:
    • Removal data, which is more pessimistic than the design predicted failure rate data (provided by the Prime Vendor) or the in-service actual failure rate data.
  • Design failure rate data
  • Engineering judgment expected failure rate:
    • Safety Critical Items/Components which are managed via fixed lives (usually 6 nines reliability)
  • Unpopulated
Path Ahead
• Use the U.S. Army Combat Readiness Center’s Apache accident history to populate accident historical experience related to crew death.
• Coordination will be required with Boeing and subs, other part manufacturers and/or overhaul facilities for the collection of actual failure data, FMEAs or component specifications:
  • Use original FMEA or FMECA failure data
  • Use FMEA data adjusted for current failure rates (Boeing rollups)
  • Use vendor failure rates
  • Use industry standards or equipment specifications
• Coordination with the user community to establish and validate assumptions of usage (risk exposure).
• Complete undeveloped structures.
SYSTEM SAFETY MANAGEMENT
PEO AVN DECISION AUTHORITY MATRIX (risk matrix figure; only the cell values survived extraction, shown here as recovered rows, the axis labels did not)
 1  2  4  8 12
 3  5  6 10 15
 7  9 11 14 17
13 16 18 19 20
LEVEL: DECISION AUTHORITY
• HIGH: AAE or designee
• MEDIUM: PEO or EQ
• LOW: PM or EQ
EXAMPLE CASE STUDY Auxiliary Power Unit (APU) Power Takeoff Clutch (PTC)
UK CASE STUDY COCKPIT CANOPY FOGGING
Criticality of Fogging (fault tree figure, reconstructed from the slide; the gate logic follows from the probabilities shown)
Loss of aircraft (4.4×10^-4), High Risk (Catastrophic, Frequent)
  AND
  • Fogging occurs (1×10^-3)
  • Take off, landing, NOE, or hover in confined space (0.44)
Total Fogging with Mitigation (fault tree figure, reconstructed from the slide; the gate logic follows from the probabilities shown)
Loss of aircraft (3.645×10^-8), Medium Risk (Catastrophic, Incredible)
  AND
  • Purging cockpit heating of moisture and limiting air temp demand (0.5)
  • Take off, landing, NOE, or hover in confined space (0.44)
  • Fogging occurs & failure to recover aircraft (1.657×10^-7)
      AND
      • Total Fogging of Cockpit Transparencies occurs (1×10^-3)
      • Rear pilot unable to safely recover the aircraft (1×10^-1)
        Note: This figure takes into account that whilst the rear pilot may lose visual references he may still be able to recover the aircraft safely.
      • Front pilot fails to safely recover aircraft (1.657×10^-3)
        Note: This figure recognises that the front pilot should have more chance to recover the aircraft safely because of good visual references.
          OR
          • Front pilot unable to take control in time (1×10^-3)
          • Anti-ice failure (6.57×10^-4)
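The two fogging trees above, and the earlier points about AND/OR gates, cumulative risk and evaluating mitigations without touching the baseline tree, can be exercised with a small fault-tree evaluator. The following Python is an added example, not code from the symposium deck, from the UK Aircraft Safety Model or from Isograph's Risk Vu; the event names and probabilities come from the two slides, the AND/OR structure is the one implied by their figures, and treating the 10^-6 JSP 553 target from the Background slide as directly comparable to those figures is an assumption made for illustration. It computes the top-event probability with both the rare-event (sum) OR rule that the slide figures use and the exact rule, and lists the minimal cut sets, i.e. the combinations of failures that are each sufficient for loss of aircraft.

```python
# Added example (not from the symposium deck): minimal fault-tree evaluator
# reproducing the cockpit-fogging case study. Names and probabilities are the
# slides'; gate structure is the one implied by the slides' arithmetic.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event: a material failure, human failure or exposure condition."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND (all inputs must occur) or OR (any one input suffices)."""
    name: str
    kind: str                    # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def probability(node: Node, rare_event: bool = True) -> float:
    """Top-event probability assuming independent inputs. AND multiplies;
    OR sums (rare-event approximation, as on the slides) or, with
    rare_event=False, uses the exact 1 - prod(1 - p)."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i, rare_event) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        if rare_event:
            return sum(ps)
        survive = 1.0
        for p in ps:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal cut sets: OR unions its inputs' cut sets, AND takes the cross
    product, then any set containing another set is dropped."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    groups = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = {cs for group in groups for cs in group}
    else:
        sets = {frozenset()}
        for group in groups:
            sets = {a | b for a in sets for b in group}
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


# Exposure condition shared by both trees (figure from the slides).
EXPOSURE = Event("Take off, landing, NOE, or hover in confined space", 0.44)


def baseline_tree() -> Gate:
    """'Criticality of Fogging' slide: no mitigation in place."""
    return Gate("Loss of aircraft", "AND",
                (Event("Fogging occurs", 1e-3), EXPOSURE))


def mitigated_tree() -> Gate:
    """'Total Fogging with Mitigation' slide, built as a separate tree so the
    baseline tree is never modified when a mitigation is evaluated."""
    front_pilot_fails = Gate(
        "Front pilot fails to safely recover aircraft", "OR",
        (Event("Front pilot unable to take control in time", 1e-3),
         Event("Anti-ice failure", 6.57e-4)))
    fog_and_no_recovery = Gate(
        "Fogging occurs & failure to recover aircraft", "AND",
        (Event("Total fogging of cockpit transparencies occurs", 1e-3),
         Event("Rear pilot unable to safely recover the aircraft", 1e-1),
         front_pilot_fails))
    return Gate("Loss of aircraft", "AND",
                (Event("Purging cockpit heating and limiting air temp demand", 0.5),
                 fog_and_no_recovery, EXPOSURE))


def meets_target(p: float, target: float = 1e-6) -> bool:
    """Compare with the JSP 553 style target (same units assumed here)."""
    return p <= target


def fogging_case_study() -> dict:
    base = probability(baseline_tree())       # slide: 4.4x10^-4
    mit = probability(mitigated_tree())       # slide: 3.645x10^-8
    return {"baseline": base, "mitigated": mit,
            "mitigated_exact_or": probability(mitigated_tree(), rare_event=False),
            "risk_reduction_factor": base / mit,
            "baseline_meets_target": meets_target(base),
            "mitigated_meets_target": meets_target(mit)}


if __name__ == "__main__":
    for key, value in fogging_case_study().items():
        print(f"{key:24s} {value}")
    for cs in cut_sets(mitigated_tree()):
        print("cut set:", " & ".join(sorted(cs)))
```

Running it reproduces the slide figures (4.4×10^-4 before mitigation, about 3.645×10^-8 after) and prints the two five-event cut sets of the mitigated tree; the exact OR rule gives a marginally lower value than the sum, which is why the rare-event approximation is conservative for small probabilities. Each mitigation is modelled as its own tree, so the baseline stays fixed and alternative scenarios can be compared against it, which is the working style the Risk Vu slide describes.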
Any Questions?