PAC45T
System Functional
Hazard Analysis
Document: 002-145-1309
Date: 09/12/2018
Revision: 0
PS Engineering Inc. Proprietary Information Lenoir City, TN Page 1
PAC45T System Functional Hazard Analysis
Prepared by:
Gary Picou
Vice President of Quality Systems
Approved by:
Peter Campbell Vice President of Engineering
Rev. By Date Description of Change
Table of Contents
1.0 General Information
1.1 Introduction
1.1.1 Application Environment
1.1.2 Compliance with regulations
1.2 Design Assurance Level Failure Condition Classification
1.2.1 Design Assurance Level
1.3 System Description
1.4 Safety Summary
1.5 Related Documents
1.5.1 Fault Tree Analysis- smoke/fire in the cockpit
1.6 Function Hazard Analysis of Major and Minor Failure Conditions (AC25.1309-1A, §(b) (d); AC23.1309-1E, §15(a)(b))
2.0 Function List
2.1 Transmit Selection and Fail Safe
2.1.1 Transceiver switching
2.2 Split Mode
2.3 Swap Mode
2.4 Communications Receive Audio
3.0 DSP
3.1 Navaid Audio Selection
4.0 Intercom
4.1 Mode Selection
4.2 Volume Control
4.3 Intercom Squelch
5.0 Music and Telephone
5.1 Music Input(s)
5.2 Bluetooth® Functions
5.2.1 Telephone distribution
5.2.2 Bluetooth Music function
6.0 Miscellaneous (power supply, etc)
6.1.1 Power Supply
6.1.2 Headphone Amplifier
7.0 Micro-coded devices (DO-254 SEH & CEH)
7.1 FPGA Reliability
7.2 PIC Reliability
7.3 Single Event Effects and Neutron Induced Errors
8.0 MTBF
Table of Figures
Figure 1-1 Overall System Block Diagram.
Figure 1-2 Flow Chart for §23.1309 Compliance Path
Figure 1-3 Fault Tree for Hazardous condition
Figure 2-1 Fail-safe block diagram
Figure 4-1 Intercom block diagram
Figure 6-1 Power Supply Block Diagram
1.0 General Information
1.1 Introduction
The PAC45T is an audio controller that also incorporates up to an 8-station intercom
system.
The PAC45T has a digital design for the audio panel and intercom system. Logic is
controlled by an FPGA and PLC. The audio path and volume controls are handled in a
Digital Signal Processor.
The PAC45T system is a subset of the capabilities previously FAA TSO-accepted in the
PAC45 (August 4, 2017). The PAC45T has two communication transceiver selections,
instead of 5, and does not incorporate the Head Related Transfer application or stereo
headsets.
The PAC45T incorporates one 10-watt speaker amplifier, and is intended to drive a
low-impedance (military) headset. These alterations necessitate a different shape chassis,
as well as qualification of the headset amplifier under FAA-TSO C139a.
1.1.1 Application Environment
The purpose of the PAC45T system is to provide communications radio and navigation
aid audio source selection control, and intercom capability. In addition, the system
provides cockpit and cabin user speaker output, and an audio alert subsystem presents
audio tones to the crew.
The PAC45T system was designed specifically to meet the requirements of the avionics
upgrade for USAF T-1A Jayhawk training aircraft, which is a version of the Beechcraft
400-series. The 400T is type certificated under A16SW, approved November 27, 1991.
Other possible application aircraft are certified under 14 CFR 23 and 25, both single-
and multi-engine, in reciprocating, turbo-propeller, turbo-fan, and turbine engine
configurations, 12,500 lbs. and up.
The PAC45T can also be applied to fixed-wing Class I and Class II aircraft (Single
Reciprocating Engine or Multiple Reciprocating Engine <6,000 lbs.).
These aircraft are typically flown under 14 CFR Part 91 rules.
1.1.2 Compliance with regulations
This document serves to show compliance with the following regulations:
14 CFR §23.1309 Equipment, systems, and installations.
The PAC45T is designed to be installed in accordance with manufacturer’s instructions
such that it will not adversely affect the safety of the airplane or its occupants, or the
proper functioning of those required for type certification or by operating rules.
The PAC45T is designed to be installed in accordance with manufacturer’s instructions
and considered separately and in relation to the other associated avionics systems such
that any catastrophic failure condition is extremely improbable and cannot result from a
single failure; any hazardous failure condition is extremely remote; and any major failure
condition is remote. The PAC45T is designed as described in this document such that any
failure will be mitigated to a minor or no effect.
14 CFR §25.1309 Equipment, systems, and installations.
The PAC45T functionality is not required by aircraft certified under Part 25
(§25.1309(a)). However, it is designed to ensure that it will perform under any
foreseeable operating conditions, and tested in accordance with RTCA DO-160G.
The PAC45T is designed to be installed in accordance with manufacturer’s instructions
and considered separately and in relation to the other associated avionics systems.
The occurrence of any failure condition which would prevent the continued safe flight
and landing of the airplane is extremely improbable, and occurrence of any other failure
conditions which would reduce the capability of the airplane or the ability of the crew to
cope with adverse operating conditions is improbable.
The PAC45T is designed in such a manner as to prevent any unsafe operating conditions.
Should the systems fail, reversion to fail-safe permits continued aircraft operation.
Compliance with the requirements of 25.1309 (b) is shown by analysis in this
document, and where necessary, by appropriate ground, flight, and bench/environmental
tests.
In showing compliance with §25.1309 (a) (b) with regard to the electrical system and
equipment design and installation, critical environmental conditions were considered and
tested in accordance with the FAA-TSO C139a, FAA-TSO C35d, RTCA DO-160G, DO-143,
and DO-214A.
1.2 Design Assurance Level Failure Condition Classification
The PAC45T serves as an audio selector control panel and aircraft intercom. Any failure
in the PAC45T can be mitigated by turning the unit off with the switch, or removing
power. This places the unit in Fail-Safe, which connects the pilot headphones to the
communications transceiver (COM 1 input) and the copilot position to another
communications transceiver (COM 2 input) through mechanical relays. This allows
continued communications.
The pilot position shall also have the audio provided from one of the onboard audio alerts
input to the audio system.
Audio messages stored in the PAC45T’s independent alert audio systems will be heard by
the pilot, if Alert Power is provided to the system.
If the installation utilizes the recommended stereo headphones, the pilot will also have
audio from the navigation receiver designated as NAV 1, which will allow the
identification of navigation aids needed for instrument flight.
With the system in fail safe, the following functions are lost:
Function | Effect | Condition
Pilot communication on more than one two-way communications system. | Slight increase in crew workload, reduction in functional capability, i.a.w. 14 CFR 91.205(d)(2) | Minor
Pilot and copilot audio from multiple navigation receivers | Reduction in functional capability | Minor
Crew/Passenger Intercom | None, occupants can speak without intercom | No Safety Effect
1.2.1 Design Assurance Level
PS Engineering submits that the Design Assurance level for the equipment, both
Software (RTCA DO-178C) and Complex Electronic Hardware (RTCA DO-254) is
Level D, because the systems cannot contribute to a failure condition other than Minor.
However, the customer requested DAL Level C to support a consistent cockpit assurance
level.
1.3 System Description
The PAC45T Audio Controller system comprises one avionics-rack-mounted
audio hub (HUB45R) and up to four user control panels (CTL45T). One CTL45T is
located at each crew station, plus an observer station and a rear rack/work station. All four
CTL45T are identical.
[Figure 1-1: overall system block diagrams. Labels recovered from the drawings:
PAC45T components: HUB45R; CTL45T control heads; CTL45M; RS422 links.
Radios: VHF (Collins VHF-4000E), NAV 1 (Collins NAV-4000), MKR 1 (Collins NAV-4000), ADF 1 (Collins NAV-4000), DME 1 (Collins DME-4000), NAV 2 (Collins NAV-4500), MKR 2 (Collins NAV-4500), TCAS (Collins TTR-4100), UHF (Magnavox RT-1145B/ARC-164), TACAN (Collins TCN-500).
Audio inputs: NAV1, COM 1, COM 2, MKR 1, NAV 2, MKR 2, TACAN, DME, UNSW 1.
HUB45 connections: pilot, copilot and observer speakers; cabin speakers; PSA210 speaker amplifiers (PA and observer); HSA13 units; microphone impedance adapters for pilot, copilot, observer, radio rack and service door.]
Figure 1-1 Overall System Block Diagrams.
The PAC45T audio controller handles switching of selected audio from the radios,
transmitter and receiver selection for the crew, intercom functions, radio volume, and
speaker volume. Intercom and overall radio volume are controlled by the concentric knobs.
1.4 Safety Summary
PS Engineering will certify that the PAC45T will meet the requirements of the
certification basis (see §1.1.2) through design and testing. Our System Safety Analysis
determined that the probability of a Major failure condition is remote, in accordance with
§25.1309 and Advisory Circular 25.1309-1A.
During the Safety Management System (SMS) analysis of our development process, PS
Engineering has identified only one condition that would lead to a hazardous condition:
smoke in the cockpit (ref 14 CFR 21.3(c)(1)).
This hazard is further analyzed in § 1.3.1, and the occurrence rate is estimated
at less than 1 x 10^-9 per operating hour.
[Figure 1-2: flow chart. Steps recovered from the chart: Start assessment of system; "Will Operation of this Equipment have Adverse Effect on Equipment essential to Safe Operation?"; "Any Adverse Effect on other Equipment?"; "Meets requirements of 25.1309(a)(1)"; "Will any failure or malfunction Result in a Hazard?"; "Meets requirements of 25.1309(a)(2)&(3)". Branch labels: Improbable, No, No.]
Figure 1-2 Flow Chart for §25.1309 Compliance Path
1.5 Related Documents
Document | Title | Source
AC 23.1309-1E | Systems Safety Analysis and Assessment for Part 23 Airplanes | FAA
AC 25.1309-1A | Systems Safety Analysis and Assessment for Part 25 Airplanes | FAA
Order 8110.105 | Simple and Complex Electronic Hardware Approval Guidance | FAA
DO-178C | Software Considerations in Airborne Systems and Equipment Certification | RTCA
DO-214A | Audio Systems Characteristics and Minimum Operational Performance Standards for Aircraft Audio Systems | RTCA
DO-254 | Design Assurance Guidance for Airborne Electronic Hardware | RTCA
ARP4761 | Guidelines And Methods For Conducting The Safety Assessment Process On Civil Airborne Systems And Equipment | SAE
ARP926B | Fault/Failure Analysis Procedure | SAE
ARP4754A | Guidelines for Development of Civil Aircraft and Systems | SAE
 | Microsemi Reliability report, revision 15, 2017 | Microsemi
 | Firm Error Single-Event Effects in FPGAs, Ground level and Atmospheric Background Radiation effects in FPGAs | Actel
1.5.1 Fault Tree Analysis- smoke/fire in the cockpit
The PAC45T uses mechanical components that are small enough that they will not support
open flame. The PCB material is FR-4, which is self-extinguishing (UL rated at V0:
burning stops within 10 seconds on a vertical specimen; drips of particles allowed as long
as they are not inflamed). The supplier of PCBs is certified by UL, and provides
ANSI/UL certification on the boards.
The units are externally protected by a 5A circuit breaker. In addition, an internal fuse
rated at 3A protects the unit from any internal short circuit that would cause excess
current to flow into the circuit board. The fuse will open within 100 ms if the current
exceeds 3.5A (from datasheet). The maximum current that will be supported by the
copper paths (1 oz external layer, 0.050" copper) is also 3A.
If there were sufficient current to cause heating of the fiberglass PCB, it still would not
support open flame or smoke due to the self-extinguishing feature of the laminate.
Therefore, it will require an additional flammable agent or foreign substance before flame
would be possible. Such contamination has happened, when compass fluid has leaked and
entered the avionics stack. However, this condition would be discovered before power is
applied.
In 32 years, this company has not had a case of smoke in the cockpit caused by the articles
we build. We have an installed base of over 89,000 units. The FAA data suggests that an
SRE aircraft likely to get this equipment may operate approximately 73 hours per year.
Using a median time of 13 years and 70 hours per year, we conservatively estimate that
we have had no occurrences in 80 million flight hour opportunities, or a rate of less than
1.23 x 10^-9 opportunities. Therefore, we submit that the PAC45T cannot contribute to a
smoke/fire condition of Hazardous with a probability greater than 1 x 10^-6 per operating
hour for a Class II airplane.
[Figure 1-3: fault tree. Top event: Audio Panel Smoke/Flame Hazard. Events shown: Failure in high current section of Audio Panel; Failure in hardware switch so Audio Panel cannot be turned off; Failure Aircraft Circuit Breaker fails to open when load exceeded, or cannot be manually opened by crew; Internal Fuse fails to open under excessive load; PC Board Gold traces carry excess current beyond rating; Fiberglass PCB material heats to charring or smoldering; Foreign flammable substance infiltrated unit.]
Figure 1-3 Fault Tree for Hazardous condition
PAC45TTSO
System Functional Hazard Analysis
Document: 002-045-1309
Date: 05/12/2017
Revision: 0
PS Engineering Inc. Proprietary Information Revision: 1.0 Lenoir City, TN Page 11
1.6 Function Hazard Analysis of Major and Minor Failure Conditions (AC25.1309-1A, §(b) (d); AC23.1309-1E, §15(a)(b))
This section is a detailed breakdown of the functions and features of the PAC45T System, and potential effects to the crew. Fail safe and other
mitigation strategies ensure that the failure condition would not reduce the capability of the aircraft or the ability of the flight crew to cope with
adverse operating conditions to the extent that there would be: a significant reduction in safety margins or functional capabilities, a significant
increase in flight crew workload or in conditions impairing flight crew efficiency, or discomfort to occupants, possibly including injuries.
Item# | Function | Failure Condition | Effect of Failure on Aircraft/Crew/Passengers | Class | Reference | TSO | Detection | Remarks
1 | Power and Fail Safe | Audio System Inoperative | Pilot only has use of primary COM radio, copilot has a different communication radio | Minor* | 91.205(d)(2), 91.511(c), 91.711(c) | C139a | Crew, unit will not turn on | Crew is able to communicate on primary radios.
2 | Transmit Selection | Crew cannot select desired transmitter | Crew must coordinate transmitter use, no loss of function. | Minor | 91.205(d)(2), 91.511(c), 91.711(c) | C139a | Crew | Crew is able to communicate on primary radios.
3 | Mic switching | Crew cannot select desired transmitter | Crew must coordinate transmitter use, no loss of function. | Minor | 91.205(d)(2), 91.511(c), 91.711(c) | C139a | Crew | Crew is able to communicate on primary radios.
6 | Receive Audio Selection | Crew cannot select desired receiver | Crew cannot change the communications receiver selection. Will have to change frequencies on radio more | Minor | 21.205(d)(2) suitable for the route to be flown. | C139a | Crew | Crew will still receive visual indications from navigation equipment.
7 | Navaid Audio Selection | Crew cannot select desired navigation Audio | Crew unable to select desired receive audio to identify the navigation station selected, either for VOR Enroute or ILS | Major* | 21.205(d)(2) suitable for the route to be flown. | C139a | Crew | Crew will still receive visual indications from navigation equipment.
8 | Intercom | Intercom fails to work | Crew cannot speak to each other or to passengers over the intercommunications system. | No Effect | N/A | N/A | Crew | Crew and passengers can speak over the aircraft noise without headsets
9 | Mode Selection | Cannot select different modes | Depending on last configuration the crew may not be able to speak with each other, passenger, or both, or everybody is able to talk | No Effect | N/A | N/A | Crew | Crew and passengers can speak over the aircraft noise without headsets
10 | Volume Control | Unable to adjust ICS volume | If volume too low, crew cannot speak to each other or to passengers over the intercommunications system. If too high, and uncontrolled, the ICS becomes nuisance, and is turned off | No Effect | N/A | N/A | Crew | Crew and passengers can speak over the aircraft noise without headsets
11 | Intercom Squelch | No ICS, or open mic | If ICS squelch fails closed, crew cannot speak to each other or to passengers over the intercommunications system. If fails open, the ICS becomes nuisance, and is turned off | No Effect | N/A | N/A | Crew | Crew and passengers can speak over the aircraft noise without headsets
27 | Miscellaneous | Reserved
28 | Power Supply | Audio control inoperable | Pilot only has use of 1 COM radio, copilot has the other radio | Major | 91.205(d)(2), 91.511(c), 91.711(c) | C139a | Crew | System in fail safe, VHF com can still operate, on last settings
29 | Rated Power Output | Receiver audio level is inadequate | Communication and navigation audio may be unusable. | Major | DO-214A § 2.4.1 | C139a | Crew | System in fail safe, VHF com can still operate, on last settings
32 | Frequency Characteristics | Receiver audio may be distorted, sound clipped or have tinny sound | Communication and navigation audio may be distorted, but will be useable | Major* | DO-214A §2.4.2 | C139a | Crew | System in fail safe, VHF com can still operate, on last settings
33 | Distortion Characteristics | Receiver audio may be distorted | Communication and navigation audio may be distorted, or clipped but will be useable | Major* | DO-214A § 2.4.3 | C139a | Crew | System in fail safe, VHF com can still operate, on last settings
34 | Impedance | Input or output impedance controls fail. Signal integrity is compromised | Audio transfer energy may not be ideal. Some loss of volume | Major* | DO-214A § 2.4.4 | C139a | Crew | System in fail safe, VHF com can still operate, on last settings
35 | Volume Controls | Discontinuity in volume control action | Crew may have to select a non optimum volume level on ICS. | Major* | DO-214A § 2.4.5 | C139a | Crew | Radio volume can be adjusted to compensate if needed
36 | Output regulation | Output to the headset varies widely when different headsets are used | Crew may need to find compatible headsets | Major* | DO-214A § 2.4.6 | C139a | Crew | Distorted audio a possibility, but still useable
37 | Cross talk | Audio from unselected sources is heard in the audio when not desired, at some excessive level (>50dB) | Desired audio may be mixed with undesired signals, making interpretation difficult. | Major* | DO-214A § 2.4.7 | C139a | Crew | Includes station-to-station, input-to-output and input to microphone signals
38 | Audio Noise Level | The level of background or other noise is excessive (>-50dB) | Desired audio may be mixed with background signals, making interpretation difficult. | Major* | DO-214A § 2.4.11 | C139a | Crew | still useable
42 | System polarity | N/A | None | No Effect | DO-214A § 2.4.12 | C139a | Crew | A field failure could not result in any noticeable phase inversion
43 | System delay | N/A | None | No Effect | DO-214A § 2.4.13 | C139a | No detection | No person will detect a system delay in analog audio path
44 | Overdrive | Distortion on the input or output in the presence of normal signals | Communication and navigation audio may be distorted, or clipped but will be useable | Major* | DO-214A § 2.4.14 | C139a | | System in fail safe, VHF com can still operate, on last settings
45 | Listening Test | Poor audio quality | General poor quality in audio heard by the crew and passengers, may be a nuisance to listen to. | Major* | DO-214A § 2.4.15 | C139a | | System remains useable
PAC45TTSO
System Functional
Hazard Analysis
Document: 002-045-1309
Date: 09/12/2017
Revision: 0
PS Engineering Inc. Proprietary Information Lenoir City, TN Page 14
2.0 Function List
2.1 Transmit Selection and Fail Safe
[Figure 2-1: fail-safe block diagram, drawn with power not applied. Labels recovered from the drawing: ATC radios and external connectors (J451, J452); pilot mic, pilot COM, copilot mic and copilot COM fail-safe relays; relays K1, K2, K3, K7; COM1 and COM2 inputs, mic outputs and key lines; pilot and copilot PTT inputs; pilot and copilot mic inputs; unswitched 1 input; alert audio; pilot headset ear (L) and (R); copilot headset ear (L); headphone amps; crew mics. Drawing title block: PS Engineering Incorporated, 9800 Martel Road, Lenoir City TN 37772; PAC45T – 2.1 Power & Fail Safe; REV 1.0; GPicou; 10/24/2018; Confidential.]
Figure 2-1 Fail-safe block diagram
Relays that are normally closed when power is off connect the pilot headphone to the
primary communications transceiver (UHF, COM 1), the stored audio alert tones and a
source of unswitched alert audio for fail-safe operation.
In addition, the copilot will also hear the #2 communications radio (VHF COM 2).
These normally closed relay contacts are extremely reliable. In 34 years and 120,000
component installations (360,000 Omron components used) there has never been a
documented failure of the relay contact to perform the fail safe function. We will assign
a worst case of 3.3 x 10^-06
2.1.1 Transceiver switching
Selecting and connecting the desired combination of crew microphone (pilot and copilot
positions) to the desired communications transceiver (COM 1 and COM 2) is dependent
on relays that are controlled by the FPGA logic. There is no digital processing on audio
signals presented to other equipment such as the communications transceivers.
The audio from the transceivers is digitized in the CODECs, and processed through the
DSP to add to the audio TDM stream. The audio may be spatially processed, depending
on the user setting.
In the event that the audio panel malfunctions, it can be turned off, or if power is
removed, the communications audio from COM 1 is passed directly to the pilot’s headset
through mechanical relays.
The FPGA failure rate based on supplied data is 5.9 x 10^-7.
2.2 Communications Receive Audio
This signal is sent to the DSP through a dedicated CODEC.
The CODEC manufacturer’s failure rate is shown in Mean Time to Failure (MTTF) and
we use a most frequent rate of 16,118 years.
3.0 DSP
[Figure: DSP audio data flow. Content recovered from the drawing:]
DR0 (to DSP McBSP0): 16 timeslots, 16 bits per timeslot. Slots 0 to 15, in order: Com 1 (UHF), Com 2 (VHF), NAV 1, NAV 2, ADF, MKR 1, MKR 2, TACAN, DME 1, DME 2, AUX, AUX, Pilot Mic, Copilot Mic, Pass Mics, (Empty).
DX0 (from DSP McBSP0): 16 timeslots, 16 bits per timeslot. Slots in order: Pilot Left, Pilot Right, Copilot Left, Copilot Right, Pass Left, Pass Right, PA SPR; the remaining slots are (Unused).
Receive path: McBSP0 DRR, DMA, "rcv". DMA0_RcvIsr(): copies rcv to rcvBufA to AudioIn[][] ("AudioIn[channel][sample]").
runIntercomInterface(): calls runMicRouting(route, channel, level), which sets MixLevel[output][input] (mics, coms).
runIntelliVox(): determines vox state of mic inputs based on IntelliAudio algorithm. Stores results in VOXstate_obj.
AudioLevel(source, gain, dest): sets output level volume for mic inputs.
AudioMixer(output): mixes all mic channels based on levels in MixLevel[][]. Puts results in AudioOut[][] ("AudioOut[channel][sample]").
fractVecMix(source, level, dest): mixes all coms based on levels in MixLevel[][]. Chooses either raw com audio or SpatialAudio_Left/Right based on state of SpatialAudio on/off flags.
Transmit path: DMA1_XmtIsr(): copies AudioOut[][] to xmt; "xmt", DMA, McBSP0 DXR.
Notes on the drawing:
SPCR2 is set to indicate McBSP is not ready for new data.
SPCR2.XRDY is set when ready for new data from CPU or DMA.
XEVT is set (an interrupt) when ready for more data from DMA (corresponds with XRDY).
Setting SPCR2.XINTM to 00 causes TX interrupt XINT to be sent each time XRDY is set.
PS Engineering is using a Texas Instruments TMS320VC5509-series Fixed-point Digital
Signal Processor (ref. desig. U4). This device is responsible for filtering microphone
audio, radio audio, and music audio, and then distributing the audio streams as desired for
the flight regime.
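The receive, mix and transmit path named in the figure for this section (DMA receive into AudioIn[][], AudioMixer() applying MixLevel[output][input], DMA transmit from AudioOut[][]), as an added example in C that is not PS Engineering's firmware. The array names and slot order come from the page; the Q15 gain format, the four-frame block, the frame-major buffer layout and the functions set_mix_level, deinterleave, interleave, process_block and demo_output are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TDM_SLOTS 16     /* 16 timeslots of 16 bits per frame (from the page) */
#define BLOCK     4      /* frames per DMA block: assumed for this example */
#define Q15_ONE   32767  /* unity gain; the Q15 gain format is an assumption */

/* Slot order as listed on the page for DR0 (inputs) and DX0 (outputs). */
enum { COM1, COM2, NAV1, NAV2, ADF, MKR1, MKR2, TACAN, DME1, DME2,
       AUX_A, AUX_B, PILOT_MIC, COPILOT_MIC, PASS_MICS, SLOT_EMPTY };
enum { PILOT_L, PILOT_R, COPILOT_L, COPILOT_R, PASS_L, PASS_R, PA_SPR };

static int16_t AudioIn[TDM_SLOTS][BLOCK];      /* [channel][sample] */
static int16_t AudioOut[TDM_SLOTS][BLOCK];     /* [channel][sample] */
static int16_t MixLevel[TDM_SLOTS][TDM_SLOTS]; /* [output][input]   */

/* Hypothetical setter: refuses indices or gains outside the matrix limits,
 * so a corrupt routing command cannot write past MixLevel. */
int set_mix_level(int output, int input, int level)
{
    if (output < 0 || output >= TDM_SLOTS) return -1;
    if (input < 0 || input >= TDM_SLOTS) return -1;
    if (level < 0 || level > Q15_ONE) return -1;
    MixLevel[output][input] = (int16_t)level;
    return 0;
}

/* Receive side: split the frame-major DMA buffer into per-channel arrays. */
void deinterleave(const int16_t *rcv)
{
    for (int n = 0; n < BLOCK; n++)
        for (int ch = 0; ch < TDM_SLOTS; ch++)
            AudioIn[ch][n] = rcv[n * TDM_SLOTS + ch];
}

/* Clamp to the 16-bit range instead of letting an over-range sum wrap. */
static int16_t saturate16(int64_t v)
{
    if (v > INT16_MAX) return INT16_MAX;
    if (v < INT16_MIN) return INT16_MIN;
    return (int16_t)v;
}

/* Weighted sum of every input into one output, accumulated in 64 bits. */
void audio_mixer(int output)
{
    for (int n = 0; n < BLOCK; n++) {
        int64_t acc = 0;
        for (int in = 0; in < TDM_SLOTS; in++)
            acc += (int64_t)MixLevel[output][in] * AudioIn[in][n];
        AudioOut[output][n] = saturate16(acc / 32768);
    }
}

/* Transmit side: pack the per-channel arrays back into TDM frames. */
void interleave(int16_t *xmt)
{
    for (int n = 0; n < BLOCK; n++)
        for (int ch = 0; ch < TDM_SLOTS; ch++)
            xmt[n * TDM_SLOTS + ch] = AudioOut[ch][n];
}

void process_block(const int16_t *rcv, int16_t *xmt)
{
    deinterleave(rcv);
    for (int out = 0; out < TDM_SLOTS; out++)
        audio_mixer(out);
    interleave(xmt);
}

/* Constructed test block: returns the first transmitted sample of `output`. */
int demo_output(int output)
{
    int16_t rcv[BLOCK * TDM_SLOTS] = {0}, xmt[BLOCK * TDM_SLOTS];

    if (output < 0 || output >= TDM_SLOTS) return 0;
    memset(MixLevel, 0, sizeof MixLevel);
    set_mix_level(PILOT_L, COM1, Q15_ONE);       /* radio at unity     */
    set_mix_level(PILOT_L, PILOT_MIC, Q15_ONE);  /* plus own mic       */
    set_mix_level(COPILOT_L, COM2, 16384);       /* radio at half gain */
    for (int n = 0; n < BLOCK; n++) {
        rcv[n * TDM_SLOTS + COM1] = 16000;
        rcv[n * TDM_SLOTS + COM2] = -10000;
        rcv[n * TDM_SLOTS + PILOT_MIC] = 20000;
    }
    process_block(rcv, xmt);
    return xmt[output];   /* frame 0, slot `output` */
}

int main(void)
{
    printf("pilot L   %d\n", demo_output(PILOT_L));
    printf("copilot L %d\n", demo_output(COPILOT_L));
    printf("pass L    %d\n", demo_output(PASS_L));
    return 0;
}
```

The pilot-left output shows why the sum is clamped: two unity-gain sources add up beyond 16 bits, and the mixer holds the sample at full scale instead of wrapping to a negative value.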
The other function is PS Engineering’s proprietary IntelliAudio® spatial signal
processing. This process shifts the audio phasing between the left and right stereo ear
phones to provide an apparent location in three-dimensional space. The effect is an
improvement in interpretation and reduction in listening fatigue as the crew doesn’t have
to expend energy determining which audio device is speaking.
The TI DSP is a mature part, and has an established MTBF of 3.63 x 10^-8. This exceeds
the minimum probability of 1 x 10^-6 required for a Major failure classification.
3.1 Navaid Audio Selection
Losing the ability to hear one of the receivers or change the selection will not seriously
impair the crew’s ability to manage the navigation aid; visual cues will be available.
The Navaid audio is routed directly through a CODEC, and is not spatially processed.
The reliability of the Navaid audio is the same as any audio processed through the
CODEC.
4.0 Intercom
The intercommunications section is non-essential, non-required. The overlap between the
intercom and audio systems described by DO-214A is the microphone inputs and
headphone outputs, which use the same hardware and CEH described in §2.1 to §2.4.
[Figure 4-1: intercom block diagram. Blocks recovered from the drawing: DSP (TMS320VC5509A); dsPIC33; FPGA (clock and control, intercom logic control); two-channel CODECs; boot EEPROM (128K x 8); TDM audio bus 1 and 2; I2C control bus; front panel buttons and display. Audio signals: PLT MIC, CPLT MIC, PASS 1 to 4 MIC, PLT EAR, CPLT EAR, PASS 1 to 4 EAR, COM radio mic audio, NAV audio, UNSW audio, music, voice.]
Figure 4-1 Intercom block diagram
4.1 Mode Selection
The intercom mode selector determines who hear what audio sources and combinations.
The sources are aircraft radios, microphones from other crew or passengers on the
intercom, music, and telephone audio from the Bluetooth® enabled device.
The dsPIC33, FPGA, CODECs and DSP control the intercom audio routing.
The intercom is non-required, and crew can remove their headset if conversation is
necessary for the continuation of the flight.
The flight crew is directed by 14 CFR 91.21 to determine that any device used shall not
create interference with the communications or navigation systems. If such a condition
arises, such as uncontrolled audio static or another problem, the crew and/or passenger
can simply disconnect the device without any other mitigation needed.
4.2 Intercom Volume Control
Intercom volume control does not affect the amplitude of the radio sources. However,
this is still tested to be compliant with RTCA DO-214 §2.4.5.
4.3 Intercom Squelch
The voice-activated relay (VOX) silences the intercom microphones to prevent
background aircraft noise from entering the audio system. In the PAC45T, the VOX is
handled by dedicated discrete Programmable Logic Controllers. The intercom itself is a
non-required function.
5.0 Miscellaneous (power supply, etc)
5.1.1 Power Supply
The PAC45T has an internal power supply that converts aircraft bus voltage (18-33
VDC) to the voltages used by the components.
[Figure: power supply block diagram. Labeled elements: +28V In, conditioning, filter, buck and LDO regulators (1A each), analog and digital rails, top, middle and bottom PCBs. Labeled loads: headphone amps (+11VA, -11VA); IntelliVOX op-amps and mic bias (+9VA); op-amps (+4VA, -4VA); CODECs (+3.3VA, +3.3V, +1.8V); pilot control head (+28V); backlight conditioning (+12V); PTT and expansion (+9VA); I/O (+3.3V); DSP (+1.6V); FPGAs (+1.5V); BT, DSP, FPGAs and PIC (+3.3V); IntelliVOX PICs (+5V).]
Figure 5-1 Power Supply Block Diagram
5.1.1.1 CEH power Source
These regulators have been rated by their manufacturer (Texas Instruments/National
Semiconductor) with a failure rate of 1.18 x 10^-9.
5.1.2 Headphone Amplifier
The PAC45T has two headphone circuits, left and right, which drive a single 8 ohm
headphone output. There would not be a significant loss of signal if one fails. For the
purposes of radio audio, there is no difference in the audio presented to each side.
In the event of an amplifier failure, the other channel will still provide adequate
headphone audio for use by the crew. The circuit design eliminates a single point of
failure in the headphone audio path by spreading the path through multiple device
packages.
6.0 Micro-coded devices (DO-254 SEH & CEH)
The PAC45TEX contains two primary devices that affect overall function, a Field-
Programmable Gate Array and a PIC microcontroller.
6.1 FPGA Reliability
The Field-Programmable Gate Array (FPGA) used for logic switching functions is an
Actel A3P060 13μM CMOS Flash-based device from Microsemi. To get reliability
information we used Microsemi’s Reliability Report from 2017 (Rev. 15). That device
has a demonstrated reliability of 1.97 x 10^-8 MTTF, and exceeds the 1.0 x 10^-5 goal.
6.2 PIC Reliability
The PAC45T uses a Microchip PIC24F64GA106 microcontroller for display and human
interface control, etc. We gathered reliability data from Microchip, the manufacturer.
The dynamic life process was used, with the worst-case single-year results showing a
FIT rate of 3.1 x 10^-7, which exceeds the 1.0 x 10^-5 goal.
6.3 Single Event Effects and Neutron Induced Errors
PS Engineering uses Actel-brand Flash-based FPGAs in the design. Unlike an SRAM
FPGA, the Actel Flash has been tested and shown to be immune to SEE from ground
level to 50,000 feet.
7.0 MTBF
There is not adequate data to develop a real-world MTBF history.
The PAC45T Bill of Material was analyzed in accordance with MIL-HDBK-217F. This
process evaluates the reliability of the components and weighs environmental factors to
provide an MTBF value when real data is unknown. The MTBF for the PAC45T (all
functions major and minor) is calculated to be 39,946 hours, or 3.99 x 10^-5.