
S5 - Dayton OH June 2010 1

ESCAPES FROM AIRWORTHINESS CERTIFICATION – AND HOW TO PREVENT THEM

Herb Hecht, SoHaR Incorporated, Culver City, California

CERTIFICATION - FAR 25.1309

(a) The equipment, systems, and installations whose functioning is required by this subchapter, must be designed to ensure that they perform their intended functions under any foreseeable operating condition.

(b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that—

(1) The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and

(2) The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.

Also: Single Failure Avoidance, Analysis and Test Requirements

CERTIFICATION – AC 25.1309-1

Probable: > 10^-5 per flight-hour
Improbable: < 10^-5 and > 10^-9 per flight-hour
Extremely Improbable: < 10^-9 per flight-hour

DETAILS OF ANALYSIS AND TEST

OTHER DOCUMENTS – ANALYSIS & TEST GUIDANCE

RTCA DO-178B – SOFTWARE
SAE ARP 4754 – SYSTEM
SAE ARP 4761 – TEST

EVOLUTION OF REQUIREMENTS

[Diagram: three columns, WATERFALL, ARP 4754 and REALISTIC, each showing requirements as STATED and as IMPLEMENTED. Boxes in the diagram: SYSTEM REQ'MTS, PROPAGATED SYSTEM REQ'MTS, PROPAGATED AND DERIVED SYSTEM REQ'MTS, REQ'MTS FROM OTHER SYSTEMS.]

[Figure: FROM DO-178B]

CRITICAL EVENTS

DATE/PLACE         AIRCRAFT    KILLED/INJURED   EVENT                                                FACTORS
2/2009 AMSTERDAM   B737        9 / 87           FAILED RADAR ALTIMETER RETARDS THROTTLE TOO EARLY    X X X X
10/2008 AUSTRALIA  A330        0 / 54           FAILED AoA SIGNAL CORRUPTS MULTIPLE ADIRU OUTPUTS    X X X
8/2005 AUSTRALIA   B777        0 / 0            UNABLE TO RECOVER FROM ACCELEROMETER FAILURE         X X
5/2001 BILBAO      A320        0 / ?            AoA PROTECTION PREVENTS NOSE UP FOR GO-AROUND        X
10/2000 ATLANTIC   A340        0 / 0            NEAR COLLISION CAUSED BY UNEXPECTED AoA PROTECTION   X
9/1999 ROMANIA     FALCON 900  7 / 6            FAILED PITCH FEEL UNIT CAUSES PITCH OSCILLATIONS     X X X

FACTORS: ONE X PER CONTRIBUTING FACTOR AMONG MODE, REDUNDANCY MANAGEMENT (RED MGM), MAINTENANCE (M'NTNCE) AND PILOT

TURKISH B737 AMSTERDAM

• LEFT RADAR ALTIMETER JUMPS TO -8 FT WHEN AIRCRAFT IS AT 770 FT, CAUSING THROTTLE RETARDATION, LOSS OF AIRSPEED
• RIGHT RADAR ALTIMETER IS OK BUT NOT UTILIZED
• MANUAL THROTTLE ADVANCE IS TOO LATE TO AVERT CRASH SHORT OF RUNWAY
• RIGHT RADAR ALTIMETER HAD MALFUNCTIONED ON AT LEAST THREE PREVIOUS FLIGHTS
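The slide's central point is that a second, healthy radar altimeter existed but was never consulted. The following is an added example (not code from the presentation, and not any aircraft's autothrottle logic) of the redundancy management the deck later recommends: a magnitude/deviation check on each channel (range and rate-of-change plausibility), a comparison check between channels, and a selector that falls back to the remaining valid channel and latches the failed one. The trace, channel names and all limits (`MIN_VALID_FT`, `MAX_RATE_FT_PER_S`, `MAX_CHANNEL_SPLIT_FT` and so on) are constructed for the example.

```python
"""Dual-channel radar altimeter monitor: constructed example for the Amsterdam case.

Added illustration, not code from the presentation or from any aircraft. A
constructed trace reproduces the slide's scenario: the LEFT channel jumps from
about 770 ft to -8 ft while the RIGHT channel stays valid. The monitor applies
the detection classes the deck lists under redundancy management (comparison
between channels, magnitude/deviation against range and rate limits) and selects
the remaining valid channel instead of passing the faulty value on. All limits
are assumed values for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_VALID_FT = -20.0         # assumed: readings far below zero are physically impossible
MAX_VALID_FT = 2500.0        # assumed upper limit of the sensor's valid range
MAX_RATE_FT_PER_S = 200.0    # assumed largest altitude rate the sensor should track
MAX_CHANNEL_SPLIT_FT = 50.0  # assumed tolerance before LEFT/RIGHT miscompare


@dataclass
class Channel:
    name: str
    last_good: Optional[float] = None
    failed: bool = False          # latched: a failed channel is not re-admitted in flight
    reason: str = ""

    def check(self, reading: float, dt: float) -> bool:
        """Magnitude/deviation checks: valid range, then rate-of-change plausibility."""
        if self.failed:
            return False
        if not MIN_VALID_FT <= reading <= MAX_VALID_FT:
            self.failed, self.reason = True, f"{self.name}: {reading:.0f} ft out of range"
            return False
        if self.last_good is not None and abs(reading - self.last_good) / dt > MAX_RATE_FT_PER_S:
            self.failed = True
            self.reason = f"{self.name}: jumped {reading - self.last_good:+.0f} ft in {dt:g} s"
            return False
        self.last_good = reading
        return True


@dataclass
class Selector:
    left: Channel = field(default_factory=lambda: Channel("LEFT"))
    right: Channel = field(default_factory=lambda: Channel("RIGHT"))
    log: List[str] = field(default_factory=list)

    def select(self, left_ft: float, right_ft: float, dt: float) -> Tuple[Optional[float], str]:
        """Return (radio altitude to use, source). None means 'no valid altitude'."""
        left_ok = self.left.check(left_ft, dt)
        right_ok = self.right.check(right_ft, dt)
        for ch in (self.left, self.right):
            if ch.failed and ch.reason and ch.reason not in self.log:
                self.log.append(ch.reason)   # fault indication for crew and maintenance
        if left_ok and right_ok:
            # comparison check: two valid channels that disagree cannot be trusted either
            if abs(left_ft - right_ft) > MAX_CHANNEL_SPLIT_FT:
                self.log.append(f"MISCOMPARE: LEFT {left_ft:.0f} ft vs RIGHT {right_ft:.0f} ft")
                return None, "MISCOMPARE"
            return (left_ft + right_ft) / 2.0, "BOTH"
        if right_ok:
            return right_ft, "RIGHT"
        if left_ok:
            return left_ft, "LEFT"
        return None, "NONE"


# Constructed trace at 1 s intervals: a 10 ft/s descent, then LEFT drops to -8 ft
# while RIGHT continues normally (the slide's event), and LEFT stays at -8 ft.
EVENT_TRACE = [(800.0, 801.0), (790.0, 791.0), (780.0, 781.0), (770.0, 771.0),
               (-8.0, 761.0), (-8.0, 751.0), (-8.0, 741.0)]


def run_trace(trace=EVENT_TRACE, dt: float = 1.0):
    """Feed a trace through a fresh Selector; return the selector and its decisions."""
    sel = Selector()
    decisions = [sel.select(left, right, dt) for left, right in trace]
    return sel, decisions


if __name__ == "__main__":
    selector, decisions = run_trace()
    for (left, right), (alt, src) in zip(EVENT_TRACE, decisions):
        print(f"L={left:7.1f} R={right:7.1f} -> {alt!s:>7} from {src}")
    print("\n".join(selector.log))
```

On the constructed trace the -8 ft sample passes the range check (it is not far enough below zero) but fails the rate check, so it is the rate-of-change test that removes the left channel; from that sample on the selector reports the right channel only, and the latched fault reason is what a maintenance log review would see.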

QANTAS A330 AUSTRALIA

• IN TURBULENCE AoA SENSOR OUTPUTS SPIKES THAT ARE ONLY IMPERFECTLY FILTERED. ONE SPIKE CAUSES -4 DEG ELEVATOR AT THE SAME TIME AS A MACH COMPENSATION FEATURE COMMANDS -6 DEG. THE COMBINED COMMANDS GENERATE NEGATIVE G’S, ANY UNBELTED PASSENGER BEING THROWN AROUND
• THE SPIKES HAD BEEN A PROBLEM BEFORE, BUT SEVERITY WAS NOT RECOGNIZED.
• COMPLEXITY OF ADIRU CONTROLS PREVENTED CREW FROM TAKING OPTIMUM RECOVERY ACTION.
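To make "imperfectly filtered" concrete, the following added example (not code from the presentation and not any flight control computer's filter) runs a constructed 20 Hz AoA trace, carrying turbulence-like jitter, a two-sample spike and a genuine sustained change, through two filters: a naive one that judges each sample against the previous raw sample, which lets the second sample of a spike through, and a persistence filter that judges against the last accepted value and admits a step only after it has persisted. A simple AoA-protection law then shows the elevator demand each filter lets through. The trace, thresholds and gains (`JUMP_LIMIT_DEG`, `PERSIST_SAMPLES`, `AOA_PROTECTION_DEG`, `PROTECTION_GAIN`) are assumptions for the example.

```python
"""AoA spike filtering: constructed example for the Australian A330 case.

Added illustration, not code from the presentation or from any flight control
computer. Thresholds, gains and the sample trace are assumed values.
"""

SAMPLE_HZ = 20
JUMP_LIMIT_DEG = 3.0               # assumed: a larger sample-to-sample change is suspect
PERSIST_SAMPLES = 5                # assumed: 0.25 s of agreement before a step is believed
AOA_PROTECTION_DEG = 10.0          # assumed protection threshold
PROTECTION_GAIN = 0.5              # assumed deg elevator per deg AoA above threshold
MAX_PROTECTION_ELEVATOR_DEG = 4.0  # assumed authority of the protection command

_JITTER = [2.0, 2.2, 1.8, 2.1, 1.9, 2.3, 1.7, 2.0, 2.2, 1.9]
# indices 0-9 jitter, 10-11 a two-sample spike, 12-21 jitter, 22-31 a genuine step to 6 deg
CONSTRUCTED_TRACE = _JITTER + [50.0, 50.0] + _JITTER + [6.0] * 10


def naive_spike_filter(samples, jump_limit=JUMP_LIMIT_DEG):
    """Reject a sample that jumps from the PREVIOUS RAW sample; hold the last accepted value.

    Flaw: a spike lasting two samples passes on its second sample, because that
    sample agrees with the first, and the held value is then the spike itself.
    """
    out, prev_raw, last_ok = [], samples[0], samples[0]
    for x in samples:
        if abs(x - prev_raw) > jump_limit:
            out.append(last_ok)
        else:
            last_ok = x
            out.append(x)
        prev_raw = x
    return out


def persistence_filter(samples, jump_limit=JUMP_LIMIT_DEG, persist=PERSIST_SAMPLES):
    """Judge each sample against the LAST ACCEPTED value; a deviating value must
    persist for `persist` consecutive samples before it is accepted."""
    out, accepted, pending = [], samples[0], 0
    for x in samples:
        if abs(x - accepted) > jump_limit:
            pending += 1
            if pending >= persist:      # sustained deviation: a real change, not a spike
                accepted, pending = x, 0
        else:
            accepted, pending = x, 0
        out.append(accepted)
    return out


def protection_command(aoa_deg):
    """Nose-down elevator (negative degrees) demanded by a simple AoA protection law."""
    excess = max(aoa_deg - AOA_PROTECTION_DEG, 0.0)
    return -min(excess * PROTECTION_GAIN, MAX_PROTECTION_ELEVATOR_DEG)


def worst_command(samples, filt):
    """Most nose-down protection command produced anywhere in the filtered trace."""
    return min(protection_command(a) for a in filt(samples))


if __name__ == "__main__":
    for name, f in (("naive", naive_spike_filter), ("persistence", persistence_filter)):
        out = f(CONSTRUCTED_TRACE)
        print(f"{name:12s} max AoA passed {max(out):5.1f} deg, "
              f"worst elevator command {worst_command(CONSTRUCTED_TRACE, f):+.1f} deg")
```

The naive filter passes the full 50 deg spike and so produces the maximum protection command, which is what the slide's -6 deg Mach compensation would then add to; the persistence filter passes nothing above the genuine 6 deg change, at the cost of a 0.25 s delay in believing a real step.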

[Figure: A330 ADIRU SELECTION]

MALAYSIAN AIRL. B777 AUSTRALIA

• 6 NON-ORTHOGONAL ACCELEROMETERS ARE USED TO GENERATE BODY CENTERED ACCELERATION DATA. THEORETICALLY CAPABLE OF CORRECT OUTPUT AS LONG AS 3 INSTRUMENTS ARE OK.

[Figure: accelerometer arrangement, CONCEPTUAL ARRANGEMENT ONLY]

B777 - CONTINUED

• #5 ACCELEROMETER FAILS IN JUNE 2001
• #6 ACCELEROMETER FAILS ON EVENT FLIGHT IN AUGUST 2005. SOFTWARE SUBSTITUTES #5 FOR #6 RESULTING IN VIOLENT PITCH-UP MANEUVER.
• (UNOFFICIAL A) SOFTWARE WAS TESTED BUT RESULT WAS MISINTERPRETED
• (UNOFFICIAL B) SOFTWARE WAS MODIFIED AFTER TEST.
• CORE ISSUE: SHOULD FAILED #5 HAVE REMAINED ON AIRCRAFT FOR OVER 4 YEARS?
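The two B777 slides together describe an array that can tolerate three failures in principle, yet produced a violent manoeuvre because a sensor that had failed years earlier was re-admitted. The following is an added example (not code from the presentation and not any ADIRU's algorithm) that works the arrangement through on constructed data: six assumed non-orthogonal sensing axes, a least-squares solve that uses whichever sensors are healthy, a fault latch that persists across flights, and the same solve run with the stale #5 substituted for #6 to show how badly the output is corrupted. The axes, the true acceleration and the flight labels are constructed.

```python
"""Non-orthogonal accelerometer array: constructed example for the B777 case.

Added illustration, not code from the presentation or from any air data inertial
reference unit. Six accelerometers on assumed non-orthogonal axes measure the
projections of body acceleration; any three healthy sensors whose axes span three
dimensions fix the vector, and more healthy sensors are combined by least squares.
"""
import math
from typing import Dict, List, Sequence

_D = math.sqrt(0.5)
# Assumed sensing axes (unit vectors in the body frame): three principal, three diagonal.
AXES = [(1.0, 0.0, 0.0), (0.0, 1.0, 0.0), (0.0, 0.0, 1.0),
        (_D, _D, 0.0), (0.0, _D, _D), (_D, 0.0, _D)]

# Constructed truth for the event flight: small x/y accelerations, about 1 g along body z.
TRUE_ACCEL = (0.1, 0.2, 9.81)


def measure(accel: Sequence[float]) -> List[float]:
    """Ideal readings: the projection of the acceleration vector onto each sensor axis."""
    return [sum(a * d for a, d in zip(accel, axis)) for axis in AXES]


def solve3(m: List[List[float]], b: List[float]) -> List[float]:
    """Solve the 3x3 system m * x = b by Gauss-Jordan elimination with partial pivoting."""
    a = [list(m[i]) + [b[i]] for i in range(3)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        if abs(a[col][col]) < 1e-12:
            raise ValueError("healthy sensor axes do not span three dimensions")
        for r in range(3):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][3] / a[i][i] for i in range(3)]


def estimate_body_accel(readings: Sequence[float], use: Sequence[int]) -> List[float]:
    """Least-squares body acceleration from the sensors listed in `use` (indices 0-5)."""
    if len(use) < 3:
        raise ValueError("need at least three sensors")
    rows = [AXES[i] for i in use]
    y = [readings[i] for i in use]
    # normal equations: (D^T D) a = D^T y
    dtd = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    dty = [sum(r[i] * v for r, v in zip(rows, y)) for i in range(3)]
    return solve3(dtd, dty)


class FaultLatch:
    """Failed-sensor record that survives power cycles: once latched, a sensor stays
    excluded on every later flight until maintenance clears it."""

    def __init__(self, n_sensors: int = len(AXES)):
        self.n = n_sensors
        self.failed: Dict[int, str] = {}     # sensor index -> flight on which it failed

    def mark_failed(self, sensor: int, flight: str) -> None:
        self.failed.setdefault(sensor, flight)

    def healthy(self) -> List[int]:
        return [i for i in range(self.n) if i not in self.failed]


def error_norm(est: Sequence[float], truth: Sequence[float]) -> float:
    return math.sqrt(sum((e - t) ** 2 for e, t in zip(est, truth)))


def event_flight():
    """Replay the slide's sequence on constructed data. Returns the estimate with
    the latch honoured and the estimate with the stale #5 substituted for #6."""
    latch = FaultLatch()
    latch.mark_failed(4, "FLIGHT-2001-06")        # #5 (index 4) failed years earlier
    readings = measure(TRUE_ACCEL)
    readings[4] = 0.0                            # #5 is dead and reads zero
    readings[5] = 0.0                            # #6 (index 5) dies on the event flight
    latch.mark_failed(5, "FLIGHT-2005-08")
    honoured = estimate_body_accel(readings, latch.healthy())      # sensors #1-#4 only
    substituted = estimate_body_accel(readings, [0, 1, 2, 3, 4])   # stale #5 stands in
    return honoured, substituted


if __name__ == "__main__":
    good, bad = event_flight()
    print("truth          ", TRUE_ACCEL)
    print("latch honoured ", [round(v, 3) for v in good], "error", round(error_norm(good, TRUE_ACCEL), 3))
    print("stale #5 used  ", [round(v, 3) for v in bad], "error", round(error_norm(bad, TRUE_ACCEL), 3))
```

With four healthy sensors the solve recovers the true vector exactly; folding the dead sensor's zero reading back in drags the estimate off by several m/s^2 in all three axes, because least squares has no way to know that one row of the system is a lie. The latch is the software half of the slide's core issue; the other half, whether a latched sensor may stay on the aircraft for years, belongs to the maintenance interface.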

NON-ORTHOGONAL INSTR. TEST

• FROM D. E. ECKHARDT ET AL., “AN EXPERIMENTAL EVALUATION OF SOFTWARE REDUNDANCY AS A STRATEGY FOR IMPROVING RELIABILITY”, IEEE TRANS. SOFTW. ENG., JULY 1991

No. of prior anomalies   Observed failures   Total tests   Failure fraction
0                        1,268               134,135       0.01
1                        12,921              101,151       0.13
2                        83,022              143,509       0.58

SOFTWARE RESPONSE TO AN INSTRUMENT FAILURE

PREVENTING ESCAPES

• REALISTIC REQUIREMENTS REVIEWS
• REVIEW GUIDES FOR REDUNDANCY MANAGEMENT
• INTERFACE WITH MAINTENANCE
• MODES – QUANTITY & SIDE EFFECTS

REALISTIC REQUIREMENTS REVIEWS

[Diagram: a review matrix. Columns are the development stages CONCEPT, SYST. REQ'MTS, SOFTW. REQ'MTS, SOFTW. DESIGN and CODING, each reviewed for OBJECTIVE, ALGORITHM and ASSIGNM'T. Rows are the requirements partitions OPERATIONAL REQM'TS, IMPLEMENTATION, COMPUTING ENV., MONIT. & SELF-TEST and APPLICATION SOFTW.]

REQUIREMENTS PARTITIONS

OPERATIONAL REQUIREMENTS: LOSS OF PROPULSION, ELECTRIC POWER, COMMUNICATION, THERMAL CONTROL
IMPLEMENTATION DETAIL: CALIBRATION ANOMALIES, ACTUATOR STATES, SENSOR INPUT
COMPUTING ENVIRONMENT: HARDWARE FAILURES, MEMORY ERRORS, EXECUTIVE, MIDDLEWARE
MONITORING AND SELF-TEST: OVER-TEMPERATURE SENSORS, SYSTEM PERFORMANCE TEST
APPLICATION SOFTWARE: ASSERTIONS, VIOLATION OF TIMING CONSTRAINTS, MODE CHANGES

REDUNDANCY MANAGEMENT

REDUNDANCY: DYNAMIC, FAULT-MASKING
ERROR DETECTION: COMPARISON, MAGNITUDE/DEVIATION, EXTERNAL
SWITCHING: HARDWARE, SOFTWARE, MEMORY
TIMING: OPERATION, RECOVERY
INDICATION: FAULT, RECOVERY
LEVEL: PHYSICAL, ANALYTIC

MAINTENANCE INTERFACE

• REVIEW OF ON-BOARD AND PILOT GENERATED EVENT LOGS BY SAFETY ENGINEER
• CLEAR IDENTIFICATION OF SAFETY CRITICAL ITEMS
• LIMITATION ON MAINTENANCE DEFERRALS
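All three bullets come together in a review that reads the on-board and pilot-generated logs side by side, knows which items are safety critical, and counts deferrals. The following is an added example (not code from the presentation or any airline's maintenance system) that does exactly that over constructed log lines: it parses both log sources, counts faults per item by distinct flight, and escalates safety-critical items that have faulted on a threshold number of flights or whose repair has been deferred more than an allowed number of times. The line format, item names, `SAFETY_CRITICAL` list and the limits are assumptions for the example.

```python
"""Maintenance-interface review of event logs: constructed example.

Added illustration, not code from the presentation or from any airline's
maintenance system. Log format, item names and limits are assumed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed line format, with sources ONBOARD (aircraft fault recording), PILOT (crew
# write-ups) and MAINT (maintenance actions such as deferrals and clearances).
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) FLT=(?P<flight>\S+) SRC=(?P<src>ONBOARD|PILOT|MAINT) '
    r'ITEM=(?P<item>\S+) EVENT=(?P<event>FAULT|DEFERRED|CLEARED)(?: TEXT="(?P<text>[^"]*)")?$'
)

SAFETY_CRITICAL = {"RADALT-L", "RADALT-R", "AOA-1", "AOA-2"}  # assumed critical-items list
FAULT_FLIGHTS_LIMIT = 3   # assumed: faults on this many distinct flights trigger review
DEFERRAL_LIMIT = 2        # assumed: a critical item may not be deferred more than this

# Constructed log: a radar altimeter faulting on three flights and deferred three
# times, a second altimeter with one fault, and a cabin light that faults often.
CONSTRUCTED_LOG = """\
2009-02-10 FLT=FLT-101 SRC=ONBOARD ITEM=RADALT-L EVENT=FAULT TEXT="RA L NCD"
2009-02-10 FLT=FLT-101 SRC=PILOT ITEM=CABIN-LIGHT EVENT=FAULT TEXT="row 12 reading light inop"
2009-02-11 FLT=FLT-102 SRC=PILOT ITEM=RADALT-L EVENT=FAULT TEXT="RA flag at 1500 ft"
2009-02-11 FLT=FLT-102 SRC=MAINT ITEM=RADALT-L EVENT=DEFERRED
2009-02-12 FLT=FLT-103 SRC=ONBOARD ITEM=CABIN-LIGHT EVENT=FAULT
2009-02-13 FLT=FLT-104 SRC=ONBOARD ITEM=RADALT-L EVENT=FAULT TEXT="RA L NCD"
2009-02-13 FLT=FLT-104 SRC=MAINT ITEM=RADALT-L EVENT=DEFERRED
2009-02-13 FLT=FLT-104 SRC=PILOT ITEM=CABIN-LIGHT EVENT=FAULT
2009-02-14 FLT=FLT-105 SRC=ONBOARD ITEM=RADALT-R EVENT=FAULT TEXT="RA R NCD"
2009-02-14 FLT=FLT-105 SRC=MAINT ITEM=RADALT-L EVENT=DEFERRED
2009-02-15 FLT=FLT-106 SRC=PILOT ITEM=CABIN-LIGHT EVENT=FAULT
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line; a line that does not fit the format is an error,
    not something to drop silently, since a review tool must not lose entries."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised log line: {line!r}")
        records.append(m.groupdict())
    return records


def summarize(records) -> Tuple[Dict[str, Set[str]], Dict[str, int]]:
    """Per item: the set of distinct flights with a FAULT, and the deferral count."""
    fault_flights: Dict[str, Set[str]] = defaultdict(set)
    deferrals: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["event"] == "FAULT":
            fault_flights[r["item"]].add(r["flight"])
        elif r["event"] == "DEFERRED":
            deferrals[r["item"]] += 1
        elif r["event"] == "CLEARED":      # repair completed: history no longer counts
            fault_flights.pop(r["item"], None)
            deferrals.pop(r["item"], None)
    return fault_flights, deferrals


def escalations(records) -> Dict[str, List[str]]:
    """Safety-critical items that breach either limit, with the reasons."""
    fault_flights, deferrals = summarize(records)
    out: Dict[str, List[str]] = {}
    for item in sorted(set(fault_flights) | set(deferrals)):
        if item not in SAFETY_CRITICAL:
            continue
        reasons = []
        flights = fault_flights.get(item, set())
        if len(flights) >= FAULT_FLIGHTS_LIMIT:
            reasons.append(f"faulted on {len(flights)} flights: {', '.join(sorted(flights))}")
        if deferrals.get(item, 0) > DEFERRAL_LIMIT:
            reasons.append(f"repair deferred {deferrals[item]} times, limit is {DEFERRAL_LIMIT}")
        if reasons:
            out[item] = reasons
    return out


if __name__ == "__main__":
    for item, reasons in escalations(parse_log(CONSTRUCTED_LOG)).items():
        print(item)
        for reason in reasons:
            print("  -", reason)
```

Counting distinct flights rather than raw fault lines is deliberate: the on-board recorder and the pilot write-up often report the same event, and what matters for the slide's question is on how many flights the item misbehaved. The cabin light faults on more flights than the altimeter but is not on the critical list, so it is not escalated.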

MODES

• ESSENTIAL VS. CONVENIENCE MODES
• LIMITATION ON CHANGE OF SIDE EFFECTS WHEN TRANSITIONING BETWEEN MODES
• IMPROVE MODE AWARENESS**

** Steven P. Miller et al., “A Methodology for Improving Mode Awareness in Flight Guidance Design”. Proc. of the 21st Digital Avionics Systems Conference (DASC ’02), Irvine, California, October 2002.

QUESTIONS/COMMENTS

[email protected]

310/338-0990 X110