1. Introduction: Co-cause analysis
In the safety assessment of an aircraft or system, the probabilities discussed are often determined based on the assumption of fault independence, so it is important to consider whether there will be a loss of independence.
To ensure that independence is certain or acceptable, a Common Cause Analysis (CCA) is required.
CCAs should support the design of the system architecture by evaluating the sensitivity of the entire architecture to common cause events. These co-causal events were evaluated by completing the following analyses: Specific Risk Analysis (PRA), Common Model Analysis (CMA), and Regional Safety Analysis (ZSA).
The abbreviations related to the above common cause analysis are as follows:
2. Classification of PRA
In general, the main manufacturer (OEM) is responsible for the specific risk analysis, and the first supplier provides the necessary support as needed.
Common specific risk items are listed below in accordance with aviation industry best practices.
Specific risk analysis throughout the aircraft and systems development process, especially when there are significant changes to the aircraft design (e.g., EWIS rewiring).
For specific risks that may lead to Class I or Class II failure, a detailed analysis process and conclusions should be given.
3. Analyze the process
Specific risk analysis can generally be carried out according to the following process.
3.1 Identify specific risk items that need to be analyzed.
Combined with the design characteristics of the aircraft itself, and referring to the common specific risk items, the list of specific risks applicable to this type of aircraft is given. The aircraft-grade safety team takes the lead and works with the systems teams to conduct thematic studies on a case-by-case basis for specific risks on the list.
When analyzing the impact of a particular risk, it is not necessary to consider the simultaneous occurrence of multiple risks.
3.2. Determine the airworthiness requirements to be met
Capture the regulatory requirements that need to be met in conjunction with the requirements of the airworthiness regulations and their advisory notices.
3.3 Define the failure model for analysis
Establish a failure model for analysis. For example, for a specific risk of bird strikes, a bird body model (size, weight) needs to be determined;For engine rotor blasting, there are several debris types that need to be defined.
3.4 Define the area affected by the risk
For example, nose, EE cabin, nose landing gear compartment, etc.
3.5 Identify the systems and equipment affected by the risk based on the region
Cross-checking can be done with the help of the ZSA.
3.6 Determine the design and installation precautions to be taken for the system equipment
Cross-checks can be carried out with the help of the design and installation guidelines used in the ZSA.
3.7 Assess the impact of the risk on the affected system equipment
Cross-checking can be done with the help of FMEA and PSSA.
3.8 Assess the impact of the risk on the aircraft
The presence of Class I and II effects should be focused on and can be cross-checked with the help of SSA.
3.9 Assess whether the impact of risk on the aircraft is acceptable
If acceptable, a report is formed, and its conclusions are incorporated into the SSA. If this is not acceptable, measures such as protection, isolation, and redesign are required.
4. Bird strikes are examples
At all stages of the flight, the aircraft may be hit by the bird's body.
Aircraft head-on structures and equipment, including noses, wing leading edges, nacelles, engine blades, landing gear, etc., are susceptible to impact.
Therefore, the aircraft structure and associated components must be designed to withstand a bird impact, or at least to be able to land safely after a bird strike.
Specific risk analysis of bird strikes, the applicable airworthiness regulations are as follows:
According to the consultation notice, the bird body model (weight, dimensions, etc.) is as follows:
The velocity, angle, and area of impact of the bird body impact are then defined.
Combined with the digital prototype, the impact trajectory of the bird body and the affected structures and system equipment were examined in different regions, and the impact of the relevant failure state on the aircraft system was evaluated.
Finally, when the conditions for the bird strike test are met, the bird strike test should be carried out in time and compared with the results to improve the confidence of the results.
5. Example of engine rotor blasting
On April 17, 2018, local time in the United States, a Boeing 737 aircraft of Southwest Airlines failed to function on the left side of the engine during the cruise stage, the air intake tract and part of the fairing fell off, the engine **, and the accident plane finally made a successful forced landing.
There were 148 people on board, including 5 crew members and 143 passengers. As a result of the accident, one passenger was killed, seven passengers were injured, and the left engine nacelle and porthole of the aircraft were seriously damaged.
This case study has been done before, click here to read.Engine rotor components break when rotating at high speeds, producing fragments of different sizes. Debris with high energy breaks through the engine casing and scatters along different flight angles, thereby damaging the surrounding structures, system equipment, pipelines, etc., posing a great risk to flight safety.Little grapefruit, ** civil aircraft from the United States Southwest Airlines B737 engine failure incident, understand the engine rotor blasting.
Despite ccar3375 and ccar33Section 94 has requirements for debris tolerance, and engine manufacturers are trying to reduce the probability of non-inclusive rotor bursts, but based on actual route operation experience, engine rotor bursts still occur.
Because it is difficult to completely eliminate the damage caused by rotor blasting to aircraft, CCARC25 requires aircraft manufacturers to take steps to minimize the damage caused by rotor blasting.
The relevant regulations are as follows, and the relevant advisory notice is mainly AC 20-128A.
According to the analysis of the affected area and fragment dispersion path of engine rotor blasting, it can be seen that for the wing crane engine type, the influence range of rotor blasting usually includes the middle fuselage, wing, engine hanging, opposite side engine, etc.
Rotor blasting produces several types of debris (different debris with different flying angles), with large shards having infinite energy and small shards having finite energy.
When carrying out the specific risk analysis of rotor blasting, the engine rotor burst fragment model should be established according to the engine rotor parameters. Then, according to the rotor burst fragmentation model, the affected area and the affected systems are determined.
Evaluate the failure state caused by rotor blasting and its impact level. For catastrophic failure states, the residual risk size should also be calculated.
It should be noted that the design measures to solve the rotor blasting problem mainly include isolation, blocking and redundancy.
5. Example of rear pressure frame rupture
On August 12, 1985, a JAL Boeing 747 suffered a ruptured rear pressure frame, depressurized the cabin, damaged the aircraft's vertical tail and disintegrated in the air, and then the hydraulic system completely failed, resulting in a complete loss of flight control.
In the end, only 4 passengers and crew were rescued, and the remaining 520 people were killed. This incident has raised questions about design after hydraulic failure, and the related article is as follows:
This incident was previously analyzed, and a backup flight control system consisting only of "adjusting engine thrust" was introduced.The direct cause of the rupture of the rear pressure frame is the pressure formed by the pressure difference between its two sides, which is formedPressure shockIt can damage the tail structure and systems, and prevent the aircraft from continuing to fly and land safely. At the same time, it is causedRapid depressurization of the cabin, which can cause discomfort or injury to the crew and passengers.Grapefruit, a civil aircraft backup flight control system that only relies on "adjusting engine thrust".
For specific risks of rear pressure frame rupture, the relevant airworthiness regulations are as follows:
The specific risk analysis of the rupture of the rear pressure frame mainly includes the following:
1. Define the specific risk failure model and affected area of post-pressure frame rupture. Although the tail breather or other pressure relief device can release the pressure at the tail, it will still have a large pressure impact on the area around the rear pressure frame when it ruptures.
2. Determine the structures, systems and equipment affected by the risk. Based on the digital prototype, the main structural components installed in the hazardous area under pressurized loads, as well as the systems and equipment that may be affected, are identified and their installation locations are determined.
3. Comprehensively consider the design and installation precautions taken by the structure, system and equipment, and evaluate the impact of risks on the system equipment. For critical systems and equipment, measures such as redundant isolation, structural protection, fire and explosion protection should be taken.
4. Assess the impact of the risk on the aircraft. At the aircraft level, the failure modes and combinations of systems should be considered as a whole, and the impact on the aircraft should be assessed to ensure that the rupture of the rear pressure frame does not result in Class I and II failure states.
It is important to note that the functionality of a single airborne system may depend on the proper functioning of the hydraulic system, the power supply system, and the cross-linked system such as the EWIS, so the indirect effects of the cross-linked system should be considered when performing a single system analysis.
If the impact of the risk on the aircraft and systems is acceptable, the analysis is concluded. If this is not acceptable, design changes and other safeguards need to be considered.
Okay, that's all for pra.