Modulo 08 Airborne Systems

Introduction to RPAs Certification
Introduction to RPAs
Certification
Module 8
RPAS Airborne Systems
Servicios y Estudios para la Navegacin

Area y la Seguridad Aeronutica, S.A.
Introduction
STANAG 4703
STANAG 4703 - Payloads / Miscellaneous Equipment
STANAG 4671
System Safety Assessment
System Safety Assessment for RPAS
Design Philosophy
RPAS Airborne Systems certification summary
SENASA 2013
Module 8 - 2
Total or partial reproduction is not allowed
RPAS Airborne Systems - 1

Total or partial reproduction without the authorisation of SENASA is not allowed.
UAS/RPAS AIRBORNE SYSTEMS
POWERPLANT INSTALLATION
FUEL SUBSYSTEM
FUEL TANK SUBSYSTEM
FUEL TANK INTEGRATION
FLIGHT CONTROL SURFACES
LANDING GEAR
AIRCRAFT DE-ICING SYSTEMS
AIR VEHICLE ELECTRICAL SUBSYSTEM
ELECTRICAL SUBSYSTEM LAYOUT
HYDRAULICALLY POWER
COOLING
PAYLOADS & EQUIPMENT
COMPARTMENT
SWAPPABLE UNIVERSAL PAYLOAD
PRESSURIZATION
FIRE PROTECTION
ELECTRICAL BONDING AND
LIGHTNING PROTECTION
PARACHUTE LANDING SYSTEM
SENASA 2013
Module 8 - 3
AIR VEHICLE POWERPLANT INSTALLATION
SENASA 2013
Module 8 - 4

AIR VEHICLE FUEL TANK SUBSYSTEM
SENASA 2013
Module 8 - 5
FUEL TANK INTEGRATION
SENASA 2013
Module 8 - 6

AIR VEHICLE FUEL SUBSYSTEM
SENASA 2013
Module 8 - 7
UAV FLIGHT CONTROL SURFACES
SERVO
SENASA 2013
Module 8 - 8

UAV LANDING GEAR
SENASA 2013
Module 8 - 9
AIRCRAFT DE-ICING SYSTEMS
SENASA 2013
Module 8 - 10

AIR VEHICLE ELECTRICAL SUBSYSTEM
SENASA 2013
Module 8 - 11
UAV ELECTRICAL SUBSYSTEM LAYOUT
SENASA 2013
Module 8 - 12

UAV HYDRAULICALLY POWER
SENASA 2013
Module 8 - 13
UAV COOLING
SENASA 2013
Module 8 - 14

PAYLOADS & EQUIPMENT COMPARTMENT
SENASA 2013
Module 8 - 15
SWAPPABLE UNIVERSAL PAYLOAD

Electric Penguin BE
640 W Lithium Polymer

quick replaceable battery
cartridge.
SENASA 2013
Module 8 - 16

UAV PARACHUTE LANDING SYSTEM
SENASA 2013
Module 8 - 17
Introduction
STANAG 4703
STANAG 4671
Design Philosophy
SENASA 2013
Module 8 - 18

STANAG 4703 SYSTEMS & EQUIPMENT

REQUIREMENTS (ER 1.3.1)
ESSENTIAL REQUIREMENTS
The UAV system must not have design features or details

that experience has shown to be hazardous in their
intended application.
SENASA 2013
Module 8 - 19
STANAG 4703 SYSTEM & EQUIPMENT

DETAILED ARGUMENTS
UL.21 SUBSTANTIATION OF THE UAS DESIGN CRITERIA
DETAILED ARGUMENTS
UL.22 TECHNICAL OCCURRENCES REPORTING

UL.23 FUNCTION & RELIABILITY DATA
SENASA 2013
Module 8 - 20

STANAG 4703 DESIGN CRITERIA

SUBSTANTIATION (UL.21)
DESIGN CRITERIA - AMC
The Applicant should substantiate that the design criteria

are either
Derived from Standard Aerospace Practices, or that
Any Novel design criteria are based on sound engineering
principles.
Acceptable Means of Compliance (Deliverable)

Technical Specification with the Design Criteria
SENASA 2013
Module 8 - 21
STANAG 4703 DESIGN CRITERIA

SUBSTANTIATION (UL.21)
EXAMPLE OF DESIGN CRITERIA
The electrical system should include overload protection
devices (fuses or circuit breakers);
The electrical bonding should be guaranteed;
The electrical wires must be sized to accommodate the
expected electrical loads;
Positive drainage of moisture should be provided wherever
necessary (e.g. static pressure measuring devices);
Drainage and venting should be provided where flammable
fluid vapour may accumulate].
Etc
SENASA 2013
Module 8 - 22

STANAG 4703 TECHNICAL OCCURRENCES

REPORTING (UL.22)
The Applicant must provide a method to track technical

occurrences affecting safety throughout the life of the
program and implement preventive and corrective actions
as necessary.
SENASA 2013
Module 8 - 23
STANAG 4703 FUNCTION & RELIABILITY

DATA (UL.23)
Flight test experience must be accumulated before Type

Certification, exploring the complete design usage spectrum
in order to provide a sufficient level of confidence to the
Certifying Authority.
Any technical events that occur during this flight test experience
must be reported, analyzed and corrected when necessary.
Both the occurrences and their corrective actions must be made
available to the Certifying Authority.
SENASA 2013
Module 8 - 24


The UAV system, with those equipment and appliances
required for type-certification, or by operating rules must
function as intended under any foreseeable operating
conditions, taking due account of the system, equipment or
appliance operating environment.
Other systems, equipment and appliance not required for
type- certification, or by operating rules, whether functioning
properly or improperly, must not reduce safety and must not
adversely affect the proper functioning of any other system,
equipment or appliance.
Systems, equipment and appliances must be operable
without needing exceptional skill or strength
SENASA 2013
Module 8 - 25
STANAG 4703 SYSTEM & EQUIPMENT

DETAILED ARGUMENTS
DETAILED ARGUMENTS
UL.24 Equipment Functioning & Reliability

UL.25 Equipment Environmental Qualification
UL.29 Systems Integration Desmostration
SENASA 2013
Module 8 - 26

STANAG 4703 AIRBORNE EQUIPMENT

DETAILED ARGUMENTS (UL.24)
DETAILED ARGUMENTS
1. All equipment must function properly within the design

usage spectrum, including icing conditions, if required.
2. Equipment Specification and Declaration of Design and
Performance (DDP)
For all installed equipment the UAV System manufacturer must
approve its specification, in order to assess compatibility with UAV
system higher-level requirements.
All equipment must have a Declaration of Design and Performance
(DDP)) released by its manufacturer and accepted by the UAV
system manufacturer.
SENASA 2013
Module 8 - 27
STANAG 4703 AIRBORNE EQUIPMENT DETAILED

ARGUMENTS (UL.24)
DETAILED ARGUMENTS
3. The installation provisions, environment and the intended

usage of all equipment must meet all performance,
operating and safety limitations to which the equipment is
qualified (i.e. it meets its specifications).
MOC: Environmental Qualification Specification
4. The minimum necessary accuracy of each measuring

device used to control UAV trajectory and to acquire
navigation data must be established by the UAV system
manufacturer and be compatible with UAV high-level
requirements.
MOC: Analysis, and Ground & Flight Test Reports
SENASA 2013
Module 8 - 28


5. Each measuring device must be calibrated as necessary
(e.g. airspeed sensors).
DETAILED ARGUMENTS
MOC: Ground & Flight Calibration Test Reports
6. Any equipment whose failure could lead to loss of

functions or misleading data with hazardous or
catastrophic effects on safety must have fault detection /
fault isolation capabilities as agreed by the Certifying
Authority.
MOC: Equipment Technical Specification, FMEA
SENASA 2013
Module 8 - 29
AIRBORNE EQUIPMENT REQUIREMENTS

A minimum essential set of Built-In-Test (BIT) performance
should be included in the design.
DETAILED ARGUMENTS
MOC Equipment Technical Specification
UAV faults and status information must be transmitted to

the UCS/UCB for display to the operator, when the link is
available
MOC Equipment Technical Specification
For example
AIR VEHICLE / GROUND CONTROL STATION
Computers
Checksum
Data Link Health
GPS Receiver
Receiver failure indication from power- up, self-test or

background BIT
Motherboards
Under-voltage
Temperature
SENASA 2013
Module 8 - 30

MEANS OF COMPLIANCE
STANAG 4703 SYSTEM SAFETY

ASSESSMENT REQUIREMENTS (UL.25)
Equipment Qualification Data (DDP, EQF)

Equipment Installation Analysis (Appraisal)
Ground & Flight Functional Test Results
Ground & Flight EMC Test Results
Equipment Data
Analysis
Test Results
Certification Data Package
SENASA 2013
Module 8 - 31

DETAILED ARGUMENTS
Each sub-system of the UAV system affecting safe

operation (e.g. UAV, UCB / UCS, Data-Link etc.) must
perform its intended function under any operating condition
identified in Operating Spectrum.
Identify all functions of each sub-system.

Characterize the operational environment of each sub-system.
Perform all necessary functional tests at sub-system level.
Perform all necessary environmental tests (e.g. vibration, humidity,
EMC/HIRF, etc.).
Show that the operation of any other sub-system or item of installed
equipment does not adversely affect the operation of those subsystems that affect safe operation. (EMC)
The test plans must be provided to the Certifying Authority.
SENASA 2013
Module 8 - 32

MEANS OF COMPLIANCE

Equipment Qualification Data (DDP, EQF)

Ground & Flight Functional Test Results
Ground & Flight EMC Test Results
Equipment Data
Analysis
Test Results
SENASA 2013
Module 8 - 33
DETAILED ARGUMENTS

INTEGRATION DETAILED ARGUMENTS
UL.29 INTEGRATION
The UAV, the UCB / UCS, the Data-Link, Launch/Recovery
equipment (where applicable) and any other system
necessary for operation must function properly when
operated all together
Means of Compliance:
Evidence of accumulated flight test activity and problem report
tracking, except the Certifying Authority ask for additional evidence.
SENASA 2013
Module 8 - 34

STANAG 4703 SUBSYSTEM INTEGRATION

REQUIREMENTS (UL.29)
MEANS OF COMPLIANCE
Results of Ground & Fligth Test Campaign

Records of Test Activities and Problem Reports
GROUND & FLIGTH

TEST RESULTS
SENASA 2013
Module 8 - 35

The UAV systems, equipment and associated appliances,
including the control station, its data links etc., considered
separately and in relation to each other, must be designed
such that any catastrophic failure condition does not result
from a single failure not shown to be extremely improbable.
An inverse relationship must exist between the probability of
a failure condition and the severity of its effect on the UAV,
crew, ground- crew or other third parties.
Due allowance must be made for the size and broad
configuration of the UAV system (including specific military
systems and operations) and that this may prevent this
single failure criterion from being met for some parts and
some systems on helicopters, small or single engine
aeroplanes and uninhabited aerial vehicles
SENASA 2013
Module 8 - 36

DETAILED ARGUMENTS

A System Safety Assessment must be performed for the
UAV system (including all contributions coming from the
UAV, UCS/UCB, Data Link and any other equipment
necessary to operate the UAV system) and submitted to the
Certifying Authority, which includes but is not limited to:
The definition of a Hazard Reference System to be agreed by the
Certifying Authority (see Appendix 5);
A Functional Hazard Analysis FHA (see SAE ARP 4761)
A Failure Mode Effect and Criticality Analysis FMEA (see SAE ARP
4761)
A Fault Tree Analysis FTA (see SAE ARP 4761)
SENASA 2013
Module 8 - 37

DETAILED ARGUMENTS
The safety analysis must demonstrate compliance with the

following.
1. All credible hazards and accidents must be identified, the associated
accident sequences must be defined and the associated risks must
be determined.
2. The cumulative probability per flight hour for a catastrophic event
(with all the contribution of all UAV systems and sub-systems,
including propulsion, navigation, data-link, UCS/UCB, etc.) must not
be greater than the Hazard Reference System cumulative safety
requirement as agreed with the Certifying Authority.
3. All identified safety risks must be reduced to the minimum levels that
are compatible with technological constraints, and each failure
condition must be acceptable according to the Hazard Reference
System criteria in Appendix 5, as agreed with the Certifying
Authority.
SENASA 2013
Module 8 - 38


MEANS OF COMPLIANCE
System Safety Assessment Report !!, in accordance with

SAE ARP 4761
SYSTEM SAFETY
REPORT
SENASA 2013
Module 8 - 39
Introduction
STANAG 4703
STANAG 4671
Design Philosophy
SENASA 2013
Module 8 - 40

STANAG 4703 - PAYLOAD

The payload equipment, whether functioning properly or
improperly, must not adversely affect the safe flight and
control of the UAV.
DETAILED ARGUMENTS
MoC: Payload Hazard Analysis, Functional Test
The payload equipment must be electromagnetically

compatible with other UAV systems.
MoC: Functional & EMC Test Results
All potential hazards caused by the payload (including

lasers) to crew, ground staff or third parties must be
assessed and minimized.
MoC: Payload Hazard Analysis
SENASA 2013
Module 8 - 41
STANAG 4703 - PAYLOAD

Evaluation of the effects of payload normal functioning and
failures on the other UAV subsystems
MEANS OF COMPLIANCE
MoC: Payload Hazard Analysis
SENASA 2013
Module 8 - 42

STANAG 4703 UAV AIRBORNE SUBSYSTEMS

SUMMARY OF TECHNICAL REPORTS
UAV Subsystems Design Criteria
UAV Subsystems Production Drawings & Specifications
Equipment Technical Specifications
Equipment Qualification Data (DDP, TDS, EQF, L/HIRF)
FMEA & Failure Rates (MTBF) Analysis
Ground & Flight Functional Test Reports
Ground & Flight EMC Test Reports
Function & Reliability Test Reports
Failures & Malfunctions Problems Reports
SENASA 2013
Module 8 - 43
Introduction
STANAG 4703
STANAG 4671
Design Philosophy
SENASA 2013
Module 8 - 44

STANAG 4671 USAR STRUCTURE
Subparts A-G are derived directly from CS-23. While subparts H and I follow the
format of CS-23, they are unique to USAR.
VAMOS VER LAS PRINCIPALES DIFERENCIAS
SENASA 2013
Module 8 - 45
STANAG 4671 AIR VEHICLE SUBSYSTEMS

USAR.U722 Landing gear - General
The following section is for conventional landing gear
arrangements. If novel designs are proposed the acceptance
methods shall be agreed with the Certifying Authority.
SENASA 2013
Module 8 - 46


USAR.775 Payload transparencies
The design of payload transparencies and radomes in pressurised
compartments must be based on factors specific to high altitude
operation, including
1.
2.
3.
4.
5.
The effects of continuous and cyclic pressurisation loading;

The inherent characteristics of the material used;
The effects of temperatures and temperature gradients;
The effects on the structural integrity of the UAV in the occurrence of
wall pressurisation fracture, either by flaw or by explosion; and,
Safety-of-flight critical viewing areas of camera and sensor windows
shall be maintained free of fog, frost and other obstructions for all
steady state and transient ground and flight operating conditions within
the specified UAV environmental envelope. They shall be designed to
withstand foreign object damage (FOD) from birds, hail, runway,
taxiway, and ramp debris.
SENASA 2013
Module 8 - 47

USAR.783 Doors, Covers and Hatches
(a) to (d) ... Not applicable
e) Each external door and hatch must comply with the following
requirements:
1. There must be a means to lock and safeguard each external door and
hatch, including payload and service type doors, against inadvertent
opening in flight, as a result of mechanical failure or failure of a single
structural element, either during or after closure.
2. There must be a provision for direct visual inspection of the locking
mechanism to determine if the external door or hatch, for which the
initial opening movement is not inward, is fully closed and locked. The
provisions must be discernible, under operating lighting conditions, by
inspection and maintenance staff using a flashlight or an equivalent
lighting source.
SENASA 2013
Module 8 - 48


USAR.787 Payload compartments
Each payload compartment must
1. Be designed for the maximum weight and distribution of contents and
for the critical load distributions at the appropriate maximum load
factors corresponding to the flight and ground load conditions of
USAR.
2. Have means to prevent the contents of any compartment from
becoming a hazard by shifting, and to protect any controls, wiring,
lines, equipment, or accessories whose damage or failure would affect
safe operations.
SENASA 2013
Module 8 - 49

USAR.843 Pressurisation Tests
a) Strength test. The complete pressurised compartment, including
doors, windows, canopy and valves, must be tested as a pressure
vessel for the pressure differential specified in USAR.365 (d).
b) Functional tests. The following functional tests must be performed:
1. Tests of the functioning and capacity of the positive and negative
pressure differential valve.
2. Tests of the pressurisation system to show proper functioning under
each possible condition of pressure, temperature and moisture, up to
the maximum altitude for which certification is requested
SENASA 2013
Module 8 - 50


USAR.841 Pressurised compartments
a) Not applicable
b) If necessary for structural protection, pressurised compartments
should have the following valves (or their equivalent)
1. A pressure relief valve (or its equivalent) to automatically limit the
positive pressure differential to a predetermined value at the maximum
rate of flow delivered by the pressure source. The pressure differential
is positive when the internal pressure is greater than the external.
2. A reverse pressure differential relief valve (or its equivalent) to
automatically prevent a negative pressure differential that would
damage the structure.
SENASA 2013
Module 8 - 51

USAR.U850 Fire protection General
Specific UAV fire protection requirements presented in
USAR aim at minimizing the risk of fire that may lead to
uncontrolled UAV flight and crash and potential damages to
third parties. Compliance with those requirements must
show that this general intent is met, in particular that:
a) Electrical installation and propulsion systems (including related
materials) are adequately designed (see USAR.1359, USAR.1181
and appendix F), and,
b) Consideration must be given to protection of flight critical structure
and systems (such as flight control system).
c) The flammability, toxicity, smoke effects and thermal
decomposition of the materials must be considered in design.
SENASA 2013
Module 8 - 52


USAR.863 Flammable Fluid Fire Protection
See AMC.863
a) In each area where flammable fluids or vapours might escape by
leakage of a fluid system, there must be means to minimise the
probability of ignition of the fluids and vapours and the resultant
hazard if ignition does occur.
b) Compliance with sub-paragraph (a) must be shown by analysis or
tests and the following factors must be considered:
SENASA 2013
Module 8 - 53

USAR.863 Flammable Fluid Fire Protection.....
1. Possible sources and paths of fluid leakage and means of detecting
leakage.
2. Flammability characteristics of fluids, including effects of any
combustible or absorbing materials.
3. Possible ignition sources, including electrical faults, over-heating of
equipment, static electricity, lightning and malfunctioning of protective
devices.
4. Means available for controlling or extinguishing a fire, such as stopping
flow of fluids, shutting down equipment, fireproof containment, or use of
extinguishing agents.
5. Ability of UAV components that are critical to safety of flight to withstand
fire and heat. (c) Not applicable in this subpart (see USAR.1817
Flammable fluid fire protection)
d) Each area where flammable fluids or vapours might escape by

leakage of a fluid system must be identified and defined.
SENASA 2013
Module 8 - 54


USAR.865 Fire protection of flight control system
components, engine mounts and other flight structure
See AMC.865
Flight control system components, engine mounts, and
other flight structure located in designated fire zones, or in
adjacent areas that would be subjected to the effects of fire
in the designated fire zones, must be constructed of
fireproof material or be shielded so that they are capable of
withstanding the effects of a fire. Engine vibration isolators
must incorporate suitable features to ensure that the engine
is retained if the non- fireproof portions of the isolators
deteriorate from the effects of a fire.
SENASA 2013
Module 8 - 55

USAR.867 Electrical bonding and protection against
lightning and static electricity
See AMC.867 (a)
a) The UAV must be protected against catastrophic effects from
lightning and static electricity. A lightning analysis assessment has
to be carried out and agreed with the Certifying Authority.
b) For metallic components, compliance with sub-paragraph (a) may
be shown by
1. Bonding the components and grounding them properly to the airframe;
or
2. Designing the components so that a strike will not result in a
catastrophic event.
c) For non-metallic components, compliance with sub-paragraph (a)

may be shown by
1. Designing the components to minimise the effect of a strike; or
2. Incorporating acceptable means of diverting the resulting electrical
current so as not to result in a Catastrophic event.
SENASA 2013
Module 8 - 56


USAR.U881 Parachute Design
See AMC.881 (a)
Where a UAV is designed to be recovered by parachute,
a) Materials and workmanship shall be of a quality which documented
experience or tests have conclusively demonstrated to be suitable
for the manufacture of parachute assemblies and components
b) All materials shall remain functional for storage and use from -40C
to +93.3C, and from 0 to 100% relative humidity.
c) All plated ferrous parts shall be treated to minimise Hydrogen
Embrittlement.
d) Stitching shall be of a type that will not unravel when broken
SENASA 2013
Module 8 - 57

USAR.U881 Parachute Design
e) Information concerning parachute assemblies and components
must be furnished in the UAV System documentation, including:
1.
2.
3.
4.
5.
Part number
Manufacturers name and address
Maximum operating limits
Instruction for packing method and inspection at approved intervals
Instruction for continued airworthiness.
f) Where practicable parachute assemblies shall be designed for

operational re-use, parachute attachments must have a fatigue
evaluation determined in accordance with USAR 570, unless
otherwise agreed with the Certifying Authority.
SENASA 2013
Module 8 - 58


U1307
USAR.U1307 Environmental Control System
(ECS)
See AMC.1307
Cooling must be provided for flight critical equipment as
required for it to meet its performance and reliability for the
intended lifetime.
a) The ECS design shall incorporate the system safety requirements
of the UAV.
b) The ECS shall meet all safety requirements when operating under
installed conditions over the design envelope and maintain
integration integrity to ensure the UAV safety-of-flight.
c) The UAV shall incorporate an alternate means of cooling of safetycritical avionics when the primary ECS is non-operational.
SENASA 2013
Module 8 - 59

d) The ECS design (including emergency equipment and/or auxiliary
methods) shall provide an acceptable pressure environment for
equipment affecting safety-of-flight.
e) Normal and emergency pressurization requirements and status
shall be indicated at the UCS.
f) Safety-critical items such as flight controls, avionics and
communications shall function long enough to safely land the
aircraft if ECS function is lost and alternate methods are not
available to insure airworthy operations.
g) ECS normal and emergency procedures shall be included in the
UAV System flight manual.
..(Ver STANAG 4671)
SENASA 2013
Module 8 - 60


USAR.U1412 Emergency Recovery Capability
See USAR.1412 (a)(2) and AMC.1412 (e)
a) The UAV System must integrate an emergency recovery capability
that consists of :
1. a flight termination system, procedure or function that aims to
immediately end normal flight, or,
2. an emergency recovery procedure that is implemented through UAV
crew command or through autonomous design means in order to
mitigate the effects of critical failures with the intent of minimising the
risk to third parties, or,
3. any combination of USAR.1412 (a) (1) and USAR.1412 (a) (2).
SENASA 2013
Module 8 - 61


b) The emergency recovery capability must function as desired over
the whole flight envelope under the most adverse combination of
environmental conditions
c) The emergency recovery capability must be safeguarded from
interference leading to inadvertent operation.
d) The emergency recovery capability must receive its electrical
power, if needed, from the bus that provides the maximum
reliability for operation. In case of complete loss of the primary
electrical power generating system, it must automatically switch to
the battery.
SENASA 2013
Module 8 - 62



e) Use of explosives to perform in-flight total destruction of the air
vehicle is not an acceptable means of compliance to USAR.1412
f) Where the emergency recovery capability includes a preprogrammed course of action to reach a predefined site where it
can be reasonably expected that fatality will not occur, the
dimensions of such areas must be stated in the UAV System Flight
Manual.
SENASA 2013
Module 8 - 63

USAR.U1413 Engine Shut Down Procedure
In the event of an engine failure that causes shutdown, the
following requirements apply:
a) the UAV must be designed to retain sufficient control and
manoeuvrability until it has reached a forced landing area.
b) therefore, the emergency electrical power must be designed in
such a way that its reliability and duration are compatible with
USAR.1413 (a). The time period needed to perform a glide from
maximum certificated altitude to sea level and reach a forced
landing area includes the time needed for the UAV crew to
recognise the failure and to take appropriate action, if required.
c) the engine shut down procedure must be analysed considering the
existence of the emergency recovery capability specified in
USAR.1412
SENASA 2013
Module 8 - 64


USAR.1416 De-icer system
If certification with ice protection provisions is desired and a
de-icer system is installed
a) The system must meet the requirements specified in USAR.1419.
b) The system and its components must be designed to perform their
intended function under any normal system operating temperature
or pressure.
c) Not applicable in this subpart (see USAR.1811 Pneumatic de-icer
boot system indicator)
SENASA 2013
Module 8 - 65

USAR.1419 Ice Protection
If certification with ice protection provisions is desired,
compliance with the following requirements must be shown:
a) The recommended procedures for the use of the ice protection
equipment must be set forth in the UAV System Flight Manual or in
approved manual material.
b) An analysis must be performed to establish, on the basis of the
UAVs operational needs, the adequacy of the ice protection
system for the various components of the UAV. In addition, tests of
the ice protection system must be conducted to demonstrate that
the UAV is capable of operating safely in continuous maximum and
intermittent maximum icing conditions
SENASA 2013
Module 8 - 66


USAR.1419 Ice Protection

c) Compliance with all or portions may be accomplished by reference,
where applicable because of similarity of the designs to analysis
and tests performed for the type certification of a Type Certificated
UAV.
d) When monitoring of the external surfaces of the UAV by the UAV
crew is required for proper operation of the ice protection
equipment, it must be ensured that the monitoring can be done in
all operating and environmental conditions.
SENASA 2013
Module 8 - 67

USAR.1431 Electronic equipment
a) In showing compliance with USAR.1309 (b)(1) and (2) with respect
to radio and electronic equipment and their installations, critical
environmental conditions must be considered.
b) Radio and electronic equipment, controls, and wiring must be
installed so that operation of any unit or system of units will not
adversely affect the simultaneous operation of any other radio or
electronic unit, or system of units.
c) Not applicable in this subpart (see USAR.1707 Communication
system)
d) Not applicable in this subpart (see USAR.1707 Communication
system)
e) Not applicable in this subpart (see USAR.1707 Communication
system)

SENASA 2013
Module 8 - 68


USAR.1431 Electronic equipment

f)
Electronic payload equipment and wiring must be installed so that

operation will not adversely affect the simultaneous operation of
any other radio or electronic unit, or system of units.
g) All sensitive and essential equipment as identified in (a) must be
protected against internal and external sources of electromagnetic
interference (EMI).
SENASA 2013
Module 8 - 69

USAR.1435 Hydraulic systems
a) Design. Each hydraulic system must be designed as follows:
1. Each hydraulic system and its elements must withstand, without
yielding, the structural loads expected in addition to hydraulic loads.
2. Not applicable in this subpart (see USAR.1813 Hydraulic systems
indicator)
3. There must be means to ensure that the pressure, including transient
(surge) pressure, in any part of the system will not exceed the safe limit
above design operating pressure and to prevent excessive pressure
resulting from fluid volumetric changes in all lines which are likely to
remain closed long enough for such changes to occur.
4. The minimum design burst pressure must be 2.5 times the operating
pressure.
5. There must be adequate means to protect hydraulic systems critical to
continued safe flight resulting from fluid loss.
6. All materials in contact with the hydraulic fluid shall be compatible with
the hydraulic fluid over the temperature range, functional, service and
storage conditions the hydraulic system will experience.
SENASA 2013
Module 8 - 70


USAR.1435 Hydraulic systems .
b) Tests. Each system must be substantiated by proof pressure tests.
When proof-tested, no part of any system may fail, malfunction, or
experience a permanent set. The proof load of each system must
be at least 1.5 times the maximum operating pressure of that
system.
c) Accumulators. A hydraulic accumulator or reservoirs may be
installed on the engine side of any firewall if
1. It is an integral part of an engine or propeller system, or
2. The reservoir is non-pressurised and the total capacity of all such nonpressurised reservoirs is one litre (one US-quart) or less.
SENASA 2013
Module 8 - 71

USAR.1437 Accessories for multi-engine UAV
For multi-engine UAV, engine-driven accessories essential
to safe operation must be distributed among the two
engines so that the failure of any one engine will not impair
safe operation through the malfunctioning of these
accessories.
SENASA 2013
Module 8 - 72


USAR.1438 Pressurisation and pneumatic systems
a) Pressurisation system elements must be burst pressure tested to
2.0 times, and proof pressure tested to 1.5 times, the maximum
normal operating pressure.
b) Pneumatic system elements must be burst pressure tested to 3.0
times, and proof pressure tested to 1.5 times, the maximum normal
operating pressure.
c) An analysis, or a combination of analysis and test, may be
substituted for any test required by sub- paragraph (a) or (b) if the
Certifying Authority finds it equivalent to the required test.
SENASA 2013
Module 8 - 73

1461 USAR.1461 Equipment Containing High Energy
Rotors
a) Equipment containing high energy rotors must meet subparagraphs (b), (c) or (d) .
b) High energy rotors contained in equipment must be able to
withstand damage caused by malfunctions, vibration, abnormal
speeds and abnormal temperatures. In addition
1. Auxiliary rotor cases must be able to contain damage caused by the
failure of high energy rotor blades; and
2. Equipment control devices, systems and instrumentation must
reasonably ensure that no operating limitations affecting the integrity of
high energy rotors will be exceeded in service.
c) It must be shown by test that equipment containing high energy

rotors can contain any failure of a high energy rotor that occurs at
the highest speed obtainable with the normal speed control devices
inoperative.
d) Equipment containing high energy rotors must be located where
rotor failure will not adversely affect continued safe flight.
SENASA 2013
Module 8 - 74


U1481 USAR.U1481 Payloads
a) A payload is a device or equipment carried by the UAV, which
performs the mission assigned. The payload comprises all
elements of the air vehicle that are not necessary for flight but are
carried for the purpose of fulfilling specific mission objectives. It is
assumed that a UAV System Type Certification Basis may be
released for several payload configurations.
b) Where a UAV System is designed to carry payloads, the
integration and operation of those payloads must
1. Not adversely affect the safe flight and control of the UAV;
2. Be shown as electromagnetically compatible (EMC) with systems on
board of the UAV;
3. Meet safety objectives as provided in USAR.1309.
SENASA 2013
Module 8 - 75
U1485 USAR.U1485 Environmental Control System (ECS)

See AMC.1485
a)
b)
c)
If installed, the ECS must comply with the system safety requirements
applicable to the UAV.
The ECS must meet all safety requirements when operating under installed
conditions over the design envelope and maintain integration integrity to
ensure the UAV safety-of-flight.
In the event that the primary ECS is non-operational the UAV system design
must comply with either (1) or (2) such that no single ECS subsystem failure
shall result in loss of UAV.
1.
2.
Incorporated secondary/emergency systems capable of maintaining flight safety critical

conditions. Such systems shall be capable of operating until either; the primary ECS is
available or safe landing is achieved.
Allow the continued function of the safety critical operations (flight controls, avionics and
communications) until safe landing is achieved.
d) ECS normal and emergency procedures must be included in the UAV System
Flight Manual.
e) Adequate controls and displays for the ECS must be installed in the UCS or
other appropriate locations to allow the ECS to function as intended. Sufficient
cautions, warnings, and advisories must be provided to alert the UAV crew to
problems in time for corrective action to be taken from a safety-of-flight
perspective.
SENASA 2013
Module 8 - 76


AUTOMATIC TAKE-OFF SYSTEM - AUTOMATIC
LANDING SYSTEM
U1490
USAR.U1490 General
See AMC.1490 (f)(2)
When a UAV System, designed for conventional take-off
and landing on a runway is equipped with an automatic
take-off system or an automatic landing system or both, it
should meet the following requirements
a) Once the automatic take-off or landing mode has been engaged,
the UAV crew monitors the whole process from the UCS, via the
command and control data link, but is not required to perform any
manual piloting action, except manual abort, where required, as
per provisions of USAR.1492.
..
SENASA 2013
Module 8 - 77

U1492 USAR.U1492 Manual Abort Function
Where a UAV System is designed for conventional take-off
and landing on a runway, it must include the following
function:
a) The automatic system must incorporate a manual abort function.
Its control shall be easily accessible to the UAV crew in order to
1. stop the UAV on the runway during the take-off run at every speed up
to refusal speed or rotation speed VR, whichever is less.
2. where it is safe to perform, initiate a go around during the landing
phase at every height down to a Decision Point.
b) Specific go around procedure shall be provided in the UAV System

Flight Manual under USAR.1585 (j).
SENASA 2013
Module 8 - 78

STANAG 4671 COMPLIANCE DEMOSTRATION

ACCEPTABLE MEANS OF COMPLIANCE (AMC)
STANAG 4671 Book 2, Acceptable Means of Compliance
FAA AC 23-17C Systems and Equipment Guide for
Certification of Part 23 Airplanes and Airships
FAA AC 23-2A Flammability Tests
FAA AC 20-73A Aircraft Ice Protection
FAA AC 23-8A Flight Test Guide for Certification of Part 23
Airplanes
FAA AC 23.1309() System Safety Analysis and Assessment
for Part 23 Airplanes
SENASA 2013
Module 8 - 79
STANAG 4671 COMPLIANCE REPORTS
Design Criteria
Functional Operations Test Results
Performance Test Results
System Safety Assessment (FHA, FMEA, FTA, CCA)
Component
and
Equipment
SOF
Certifications/Qualifications
Design Studies and Analysis
Installation and Operational Characteristics
Flight Manual and Limitations
Electromagnetic Environmental Effects Analysis and Test
Results
Diminishing Manufacturing Sources Plan
Obsolete Parts Plan
SENASA 2013
Module 8 - 80

Introduction
STANAG 4703
STANAG 4671
Design Philosophy
SENASA 2013
Module 8 - 81
UAV SYSTEM SAFETY ASSESSMENT

La para justificar la seguridad del sistema es necesario
preparar un anlisis de la seguridad de cada una de sus
partes, tanto de forma individual como su conjunto.
Los objetivos de seguridad que debern ser demostrados
dependern de la complejidad del sistema, y de las
limitaciones que se le impongan para su operacin
Para sistemas sencillos que vayan operar en espacios
areos segregados y sobre reas poco pobladas, podra
bastar con demostrar que no existe ningn fallo simple que
me llev a la prdida del control de la aeronave no tripulada
Para sistemas que vaya a operar sin restricciones en
espacios areos no segregados, o incluso sobre reas
pobladas, al criterio anterior habr que aadir que no existe
ninguna posible combinacin de fallos que no se puede
demostrar como extremadamente improbable
SENASA 2013
Module 8 - 82

UAV SYSTEM SAFETY ASSESSMENT

Los criterios y la terminologa aplicable a los anlisis de
seguridad vienen establecidos en el material gua
correspondiente la seccin 1309:
Para UAS/RPAS las principales referencias son:
USAR AMC.1309 (b) System Design and Analysis
FAA AC 23.1309C System Safety Analysis and Assessment for
Part 23 Airplanes
A su vez este material gua hace referencia al siguiente

documento, que recoge la metodologa para preparar un
SSA completo de un sistema:
SAE ARP 4761 Guidelines and Methods for Conducting the Safety
Assessment Process on Civil Airborne Systems and Equipment
SENASA 2013
Module 8 - 83
Evaluacin de la Seguridad del Sistema

Un SSA de un sistema complejo rene las conclusiones de
otros anlisis mas detallados, y la metodologa a seguir
est indicada en Material Interpretativo y desarrollada en el
SAE ARP 4761.
Anlisis Funcional de los Riesgos
(FHA)
Identificacin de los Modos de Fallo y
los Efectos (FMEA)
Anlisis de la Probabilidad de los
Fallos mas relevantes (FTA, DDA,
MA)
Anlisis de las Causas Comunes de
Fallos (CCA PRA, ZSA, CMA)
SENASA 2013
Module 8 - 84

SYSTEMS SAFETY ASSESSMENT PROCESS MODEL
SENASA 2013
Module 8 - 85
ELECCIN DEL MTODO DE CUMPLIMIENTO

LA ELECCIN DEPENDER DE:
Si el sistema se puede clasificar como es No-Esencial, Esencial o
Crtico para la operacin segura
Tambin dependen si podemos clasificar al sistema como
convencional o como un sistema complejo
Si el sistema es redundante y puede provocar condiciones de fallo
catastrficas
SENASA 2013
Module 8 - 86

PROFUNDIDAD DE LOS ANLISIS A

REALIZAR
La profundidad del anlisis depende de:
De la clasificacin del sistema como sistema critic o esenciales
De la severidad de las condiciones de fallo que pueda provocar el
sistema
De la propia complejidad del sistema, y si se debe demostrar que
est diseado a prueba de fallos
De la similaridad con otros sistemas previamente ya aprobados
SENASA 2013
Module 8 - 87
TIPOS DE ANLISIS (ASSESSMENTS)

En Material Interpretativo sobre la seccin 1309 podemos
encontrar referencias a:
Design Appraisal
Installation Appraisal
Failures Modes and Effects Analysis
Fault Tree or Dependence Diagrams
Markov Analysis
Common Cause Analysis
Zonal Safety Analysis
Particular Risk Analysis
Common Mode Analysis
SENASA 2013
Module 8 - 88

Qu es un Anlisis Funcional de Riesgos

Anlisis metdico de todos los riesgos
Clasificacin de las Condiciones de todos los riesgos
identificados
Catastrfica
ANLISIS FUNCIONAL DE RIESGOS
CLASE
FASE DE
FUNCIN DE
EFECTOS CLASIF.
VUELO
FALLO
SENASA 2013
Peligrosa
Mayor
Menor
Module 8 - 89
PROPSITO DE UN FHA
Identificar las potenciales condiciones de fallo y clasificar su
severidad
Desarrollar los requisitos de diseo para garantizar la
seguridad del sistema respecto a;
La arquitectura del sistema,
Integridad del software y hardware complejo (CEH),
Separacin y Segregacin
En base a sus conclusiones desarrollar el diseo de forma

que se pueda asegurar el cumplimiento con los requisitos
de seguridad
Identificar los mtodos de cumplimiento ms apropiados
SENASA 2013
Module 8 - 90

ORGANIZACIN DEL CONTENIDO DE UN

ANALISIS DE RIESGOS FUNCIONALES
Descripcin del diseo del sistema y sus funciones
Otros datos necesarios para poder realizar el anlisis y
comprender las conclusiones
Premisas que han sido consideradas o asumidas durante el
anlisis
Anlisis sistemtico de todas las funciones y riesgos
identificados
Resultados y conclusiones del anlisis, mediante:
Un resumen de las hojas de trabajo preparadas, con una lista de
condiciones de fallo crticas, o eventos relevantes para ser
analizados a posteriori
El Apndice con las hojas de trabajo (FHA Worksheets)
SENASA 2013
Module 8 - 91
HOJA DE TRABAJO DE UN FHA
SENASA 2013
Module 8 - 92

FASES DE OPERACIN DE UN AERONAVE
Figura 2
SENASA 2013
Module 8 - 93
Anlisis modos de fallos y efectos

(AMFE/FMEA)
Un anlisis modos de fallos y efectos (AMFE/FMEA) es un
de anlisis de fallos potenciales de un concepto, proceso o
diseo y su clasificacin
Su clasificacin viene determinada por la gravedad o por el
efecto de los fallos en el sistema
La finalidad de un FMEA es eliminar o reducir los fallos,
comenzando por aquellos con una prioridad ms alta.
Puede ser tambin utilizado para evaluar las prioridades de
la gestin del riesgo durante el desarrollo del sisetma.
SENASA 2013
Module 8 - 94

TIPOS DE FMEA
SENASA 2013
Module 8 - 95
QUE ES UN FMEA DE UN DISEO

Es un anlisis sistemtico, inductivo, es decir desde los
componentes ms pequeos del sistema e identificando los
modos de sus modos de fallo y como afectan a su
funcionamiento
Puede ser realizado a diversos niveles:
Componente (Piece-Part)
Equipo (LRU, Blackbox)
Funcional (System FMEA)
Tambin permite que se puedan analizar los fallos del

software de forma cualitativa y desde un punto de vista
estrictamente funcional
SENASA 2013
Module 8 - 96

CONTENIDO DE UN FMEA DE UN DISEO

Anlisis de todos los modos de fallo de cada componente
del sistema y clasificacin de los efectos.
Anlisis de Modos de Fallo y Efectos (Sistema / LRU)

Componente
Modo
Fallo
Fase
Indicacin
Efectos en
Efectos en
la
el Sistema
Aeronave
SENASA 2013
Module 8 - 97
PARA QUE SIRVE UN FMEA

Para determinar y analizar los efectos de un fallo de cada
parte, componente y equipo de un sistema
Para identificar Fallos Latentes
Para Obtener mucha ms informacin sobre los fallos de
un sistema que otros tipos de anlisis (FTA, RBD etc)
Para identificar condiciones de fallos simples que puedan
causar consecuencias peligrosas o catastrficas
SENASA 2013
Module 8 - 98

CONTENIDO DE UN FMEA
Un FMEA realmente incluye la siguiente informacin:
Identificacin del componente, seal y/o funcin

Modos de fallo y tasas de fallo de los componentes
Fase de la operacin en la cual el fallo ocurre
Detectabilidad y medios de deteccin
Acciones manuales o automticas que compensan el fallo
Efecto de los fallos, bien de forma directa sobre aeronave o sobre el
nivel superior del sistema
SENASA 2013
Module 8 - 99
COMO SE DETERMINAN LOS MODOS DE

FALLO
Teniendo suficiente conocimiento y experiencia sobre los
principios de funcionamiento del sistema, equipo o
componente
Mediante el uso de documentos con datos desarrollados
por la industria y las agencias como por ejemplo:
MIL-HDBK-217,
MIL-HDBK-338,
RAC Non-electronic Parts Reliability Data. (NPRD)
GIDEP (Government Industry Data Exchange Program),
MIL-HDBK-978,
Rome Laboratorys Reliability Engineers Toolkit
SENASA 2013
Module 8 - 100

COMO SE PRESENTAN LOS RESULTADOS

Descripcin breve el sistema, equipo o componente
Resumen de las conclusiones obtenidas en cada una de
las hojas de trabajo
Lista de condiciones de fallo identificadas como peligrosas o
catastrficas, y si se debe a un fallo simple o una combinacin
Lista de todos los fallos latentes
Lista de los procedimientos de operacin identificados
Lista procedente de mantenimiento identificados
Las hojas de trabajo las cuales se habrn preparado de

acuerdo con el tipo de anlisis de modo de fallos que
estamos realizando
SENASA 2013
Module 8 - 101
HOJA DE TRABAJO SFMEA
SENASA 2013
Module 8 - 102

DETERMINACIN DE LA PROBABILIDAD DE
UN FALLO
Para determinar la probabilidad de un fallo que afecte a un
sistema podemos utilizar las siguientes tcnicas:
Anlisis de rbol de Fallos (FTA)
Diagrama de Dependencia (DD)
Diagramas de Bloques de Fiabilidad (RBD)
Anlisis de Markow (MA)
Anlisis de Montecarlo
SENASA 2013
Module 8 - 103
QUE ES UN RBOL DE FALLOS (FTA)

El rbol de fallos una representacin grfica organizada de
las condiciones y factores que causan, o contribuyen a la
aparicin de un suceso indeseable
Este suceso es conocido como Suceso Superior" o "Top
Event"
SENASA 2013
Module 8 - 104

RBOL DEL FALLO DE SISTEMA DE EXTINCIN
SENASA 2013
Module 8 - 105
DATOS PARA LA PREPARACIN DE FTA
SENASA 2013
Module 8 - 106

ANLISIS DE CAUSA COMN DE FALLO

Un fallo por una causa comn en funciones similares
mltiples es el resultado de un evento simple que causa
que estas funciones fallen de la misma manera y al mismo
tiempo
Una causa comn de fallo ocurre siempre que se usan
arquitecturas redundantes para mejorar la fiabilidad de una
funcin crtica o esencial
SENASA 2013
Module 8 - 107
FALLOS EN CASCADA
Los fallos en cascada son un tipo particular de fallos
causas o modos comunes, donde un fallo simple, que por
el mismo no se puede considerar como peligroso, puede
precipitar una cadena de fallos que s pueden ser peligros.
Es un fallo cuya la probabilidad de que ocurra se ve
significativamente incrementada por la existencia de un
fallo previo
Las estadsticas del accidentes muestran que realmente se
producen en muchos casos por una cascada o serie de
fallos no previstos
La causa comn de fallo en cascada puede ocurrir si el fallo
en una funcin trae consigo el fallo de otras funciones.
SENASA 2013
Module 8 - 108

Sistemas Candidatos a Producir Fallos en

Cascada
El sistema elctrico, si no existe una adecuada segregacin
de la alimentacin de los sistemas con funciones
redundantes
Los sistemas hidrulicos que proporciona la energa
necesaria para mover mandos de vuelo, y por estar sujetos
a
Contaminacin de sus fluidos a
Incremento de los esfuerzos por fallo de uno de sus componentes
Los sistemas que utilizan uniones mecnicas para

transmitir movimiento, afectados por la desconexin o
atasco
Los sistemas de combustible y los fallos en un motor en
aeronaves con varios motores
SENASA 2013
Module 8 - 109
ANLISIS DE LAS CAUSAS COMUNES DE

FALLO
Al establecer las probabilidades de que ocurran
condiciones de fallo peligrosas o catastrficas, a menudo
asumimos durante los anlisis de sistemas mltiples que
los fallos son independientes.
Por lo tanto, es necesario verificar que tal independencia
existe, para lo cual hay que establecer unas tcnicas de
anlisis apropiadas para el tipo de fallos que estamos
analizando
Estas tcnicas o mtodos de anlisis de las causas
comunes de fallo podemos dividir en:
Anlisis de Riesgos Zonales (ZSA)
Anlisis de Riesgos Particulares (PRA)
Anlisis de Modos Comunes de Fallo (CMA)
SENASA 2013
Module 8 - 110

OBJETIVOS DE UN ANLISIS ZONAL

El objetivo de un anlisis de seguridad zonal es asegurar
que el diseo del sistema y su instalacin cumple con los
objetivos de seguridad respecto a:
Los estndares aceptados de diseo e instalacin

Los efectos de los fallos sobre la aeronave
La implicacin de los posibles errores de mantenimiento
La verificacin de que el diseo cumple con los requisitos de
independencia asumidos durante el anlisis de la probabilidad de
cada fallo relevante para la seguridad de la aeronave
SENASA 2013
Module 8 - 111
MATRIZ DE RIESGOS POR ZONAS
SENASA 2013
Module 8 - 112

TAREAS PARA DE UN ANLISIS ZONAL

El anlisis de seguridad zonal es principalmente un anlisis
cualitativo que comprende principalmente tres tareas
separadas
Preparacin de las guas de diseo e instalacin
Inspeccin de la instalacin en la zona
Inspeccin de las interferencias entre los sistemas, equipos
componentes
Documentacin de las observaciones y conclusiones
SENASA 2013
Module 8 - 113
DOCUMENTACIN DEL ANLISIS ZONAL

Los resultados de las inspeccines, y los posibles efectos
sobre la aeronave debern quedar documentados en un
informe de anlisis de la seguridad zonal (ZSA)
Los registros de los anlisis e investigaciones realizadas
deben ser realizados a diario, de acuerdo con una lista de
comprobacin y debern quedar adecuadamente
contemplados:
Cualquier problema potencial de la instalacin,

Las desviaciones encontradas respecto a las guas de instalacin,
Fallos significativos que puedan afectar a los sistemas
La manera en la que se pueden resolver los posibles riesgos
SENASA 2013
Module 8 - 114

ZHA - EJEMPLO HOJA DE TRABAJO
SENASA 2013
Module 8 - 115
ANLISIS DE RIESGOS PARTICULARES

Los riesgos particulares son eventos o condiciones
externas al sistema que pueden violar la independencia
asumida durante los anlisis de fiabilidad del sistema
Estas condiciones externas pueden influenciar a varias
zonas de la aeronave a la vez, simultneamente
Alguno de los riesgos los particulares y estn sujetos a
requisitos de aeronavegabilidad especficos
SENASA 2013
Module 8 - 116

RIESGOS PARTICULARES CON REQUISITOS

ESPECFICOS
RIESGOS PARTICULARES
FAR 25
Estallido de Turbina
25.903
Reventn de Neumticos
25.729
Proteccin contra Fuego
Varios
Formacin de Hielo
25.1419
Impacto de un Rayo
25.1316
Campos de Alta Energa de Radiada
25.1317
SENASA 2013
Module 8 - 117
EFECTOS DEL ESTALLIDO DEL ROTOR
SENASA 2013
Module 8 - 118

RIESGOS ASOCIADOS AL ESTALLIDO
SENASA 2013
Module 8 - 119
OTROS POSIBLES RIESGOS PARTICULARES

Roturas en Dispositivos de alta energa ( Motor, APU,
Fans)
Rotura de Botellas de Alta Presin
Rotura de conductos de aire a alta presin
Fugas de conductos de aire a alta temperatura
Fuga y Escapes de fluidos (Examinados generalmente en
ZSA)
Efectos por pedrisco, nieve, hielo
Impacto de pjaros
Sacudidas de ejes que han perdido algn soporte
Rotura de amparos de presin
SENASA 2013
Module 8 - 120

Documentacin del Anlisis de Riesgos

Particulares
1.
2.
3.
4.
Descripcin del riesgo particular analizado

Elementos que se ven afectados por el riesgo particular
Zonas donde estos elementos estn instalados
Modos de fallo causados por el riesgo particular objeto de
investigacin
5. Efecto resultante sobre aeronave y clasificacin de sus
efectos
Adicionalmente se podra incluir:
Cualquier desviacin sobre las premisas iniciales
La manera de como se han resuelto los riesgos
SENASA 2013
Module 8 - 121
ANLISIS DE MODOS COMUNES

Este tipo anlisis se debe realizar a lo largo de todo el
proceso de desarrollo y anlisis de un sistema
Es un anlisis cualitativo, una herramienta analtica usada
para asegurar la fiabilidad y robustez de un diseo
La experiencia acumulada en el diseo se debe usar para
verificar la integracin de los componentes de una manera
lgica
El anlisis de modos comunes se realiza para verificar que
todos los eventos analizados para determinar la
probabilidad de que ocurra un fallo peligroso o catastrfico
son realmente independientes
SENASA 2013
Module 8 - 122

PROCESO PARA REALIZAR UN ANLISIS DE

MODOS COMUNES
Establecer listas de comprobacin especficas para el
programa
Tipos de modos comunes
Fuentes del error
Condiciones de fallo
Identificar los requisitos aplicables

Analizar el diseo de los sistemas y componentes para
verificar que se cumplan los requisitos aplicables
Documentar los resultados obtenidos en los pasos
anteriores
SENASA 2013
Module 8 - 123
Modos Comunes Que Deben Ser

Considerados
Errores de diseo del software

Errores de diseo del hardware
Fallos del hardware
Defectos o errores en los procesos de produccin o
reparacin
Eventos relacionados con los esfuerzos
Errores de instalacin
Errores en los requisitos de diseo
Factores Ambientales
Fallos en Cascada
Fallos de fuentes externas comunes
SENASA 2013
Module 8 - 124

IDENTIFICACIN DE LOS REQUISITOS CMA

Para establecer los requisitos es necesario que el analista
conozca:
La arquitectura del diseo y el plan de instalacin

Las caractersticas de los componentes y los equipos
Las tareas de prueba y mantenimiento
Los procedimientos de la tripulacin
Las especificaciones de los sistemas, equipos y software
SENASA 2013
Module 8 - 125
CARACTERSTICAS DE PROTECCIN
CONTRA LOS MODOS COMUNES
Principios de funcionamiento diferentes, redundancia y
barreras
Programas de mantenimiento preventivo y pruebas
Niveles de control del diseo y calidad del diseo
Revisin de procedimientos o especificaciones
Entrenamiento del personal
Control de calidad
SENASA 2013
Module 8 - 126

INTERRELACIN DE LOS TIPOS DE ANLISIS

El anlisis de riesgos (FHA) establece los eventos que son
relevantes para garantizar la operacin segura, y los
objetivos de seguridad
El anlisis de modos de fallo (FMEA) nos proporciona que
ocurre con cada fallo de cada componente de los sistemas
El anlisis de la fiabilidad de las funciones criticas
(FTA/RBD), nos garantiza que cumplimos con los objetivos
de seguridad
El anlisis de causas comunes (CCA) verifica que no hay
nada externo o interno al sistema que pueda violar la
independencia y segregacin asumida durante los anlisis
precedentes
SENASA 2013
Module 8 - 127
INTERRELACIN DE LOS TIPOS DE ANLISIS
SENASA 2013
Module 8 - 128

MATERIAL GUA DE LAS AGENCIAS
EASA AMC 25.1309 System Design and Analysis

EASA AMC 25.901(c) Safety Assessment of Powerplant
Installations
EASA AMC E-150 Safety Analysis
EASA AMC P-150 Propeller Safety Analysis
EASA AMC 25.1709 System Safety; EWIS
FAA AC 23.1309-1D System Safety Analysis and
Assessment For Part 23 Airplanes
FAA AC 25.1309-1A System Design Analysis
FAA AC 25.1309-1B (Draft ARAC TAE_SDA_T2 )
SENASA 2013
Module 8 - 129
Introduction
STANAG 4703
STANAG 4671
Design Philosophy
SENASA 2013
Module 8 - 130

Safety Assessment for RPAS

Equipos y sistemas instalados en
la aeronave / Estacin de control
El nivel de riesgo de un evento se

describe como la combinacin de la
probabilidad de ocurrencia del evento
y la severidad de la consecuencia
En las situaciones ms adversas posibles.
Probabilidad
SOFTWARE LEVEL
DEFINITIONS
RTCA-DO-178B
Probable
Limite Aceptable
Remoto
Level A - Catastrfico
Level B - Peligroso
Level C - Mayor
Level D - Menor
Level E - Sin efecto
Extremadamente
Remoto
Extremadamente
Improbable
Severidad
Menor
Mayor
Peligroso
Catastrfico
SENASA 2013
Module 8 - 131

CS 25.1309 Equipment, systems and installations
(See AMC 25.1309)
a) The aeroplane equipment and systems must be designed and
installed so that:
1. Those required for type certification or by operating rules, or whose
improper functioning would reduce safety, perform as intended under
the aeroplane operating and environmental conditions.
2. Other equipment and systems are not a source of danger in themselves
and do not adversely affect the proper functioning of those covered by
sub-paragraph (a)(1) of this paragraph.
b) The aeroplane systems and associated components, considered

separately and in relation to other systems, must be designed so
that:
1. Any catastrophic failure condition
i.
ii.
p<10-9
is extremely improbable; and
does not result from a single failure; and
Fallo Simple
2. Any hazardous failure condition is extremely remote; and

3. Any major failure condition is remote.
p<10-7
p<10-5
SENASA 2013
Module 8 - 132


Historicamente:
La probabilidad de accidente de un avin grande de transporte
debido a causas relacionadas con la operacin y la estructura es,
aproximadamente:
1 x 10-6 por FH
El 10%, aproximadamente, es debido a Condiciones de Fallos de
los sistemas. Por tanto, debido a sistemas es:
1 x 10-7 por FH
Se supone que existen 100 Condiciones de Fallo en un avin
grande que pueden ser Catastrficas, por tanto:
1 x 10-9 por FH para cada Condicin Fallo Catastrfico que
est asociado al trmino Extremadamente Improbable
SENASA 2013
Module 8 - 133

Los objetivos de safety deben considerar:
Nivel de seguridad equivalente a los aviones tripulados
La proteccin a terceros
Tripulacin UAV
Otras aeronaves
Daos en tierra
La realidad econmica para permitir su desarrollo

Aceptacin social
Consistencia con los de las aeronaves actuales (transporte civil y
militar).
SENASA 2013
Module 8 - 134


Dificultades aplicacin requisito XX.1309
Definiciones de severidad. No son aplicables las definiciones de
aviacin convencional. An NO hay consenso para los RPAs.
Metodologa para su aplicacin. Los AMCs EASA o ACs FAA no
son directamente aplicables. La severidad de los fallos puede variar
entre aviacin convencional y RPAs
Piloto al mando: En aviacin convencional el piloto es infalible. En
RPAs el piloto est basado en algoritmos. Qu criterios se
aplican a los algoritmos?
Nuevas tecnologas NO empleadas en aviacin convencional.
Establecimiento niveles de probabilidad.
SENASA 2013
Module 8 - 135

Historicamente:
La probabilidad de accidente de un avin grande de transporte
debido a causas relacionadas con la operacin y la estructura es,
aproximadamente:
1 x 10-6 por FH
El 10%, aproximadamente, es debido a Condiciones de Fallos de

los sistemas. Por tanto, debido a sistemas es:
1 x 10-7 por FH
Se supone que existen 100 Condiciones de Fallo en un avin

grande que pueden ser Catastrficas, por tanto:
1 x 10-9 por FH para cada Condicin Fallo Catastrfico que est
asociado al trmino Extremadamente Improbable
La mayora de los UAS tienen sistemas complejos (sistema control de vuelo,
sistema de guiado, etc). Por tanto es razonable suponer que estos sistemas
puedan tener 100 condiciones potenciales de fallo independientemente del
tamao del avin,
SENASA 2013
Module 8 - 136


Quantitative integrity required to maintain safe flight andlanding to equivalent manned aircraft (excluding MAC)
Hullloss
rate
Aircrafttype
MannedCS25Largetransporta/c
UAS25Largetransportaircraft
MannedCS23classI
UAS23class I
MannedCS23classII
UAS23classII
MannedCS23classIII
UAS23classIII
MannedCS27smallrotorcraft
UAS27smallrotorcraft
MannedCS29largerotorcraft
UAS29largerotorcraft
MannedCSVLAVeryLighta/c
UASVLAVeryLighta/c
MannedCSVLRVeryLightr/c
UASVLRVeryLightRotorcraft
BVLOSUASbelow manned a/cweights
VLOSUASbelowmannedai/cweights
10%dueto
systems
PotentialFailure
Conditions
ProbabilityofasystemsFC
leadingtoCATFC
1x106
1x107
100(102)
1x109
1x106
1x107
100(102)
1x109
1x104
1x105
10(101)
1X106
1x104
1x105
100(102)
1x107
1x105
1x106
10(101)
1x107
1x105
1x106
100(102)
1x108
1x106
1x107
10(101)
1x108
1x109
1x106
1x107
100(102)
1x104
N/A
N/A
N/A
1x104
1x105
100(102)
1x107
1x105
N/A
N/A
N/A
1x105
1x106
100(102)
1x108
1x104
N/A
N/A
N/A
1x104
1x105
100(102)
1x107
N/A
N/A
N/A
N/A
1x104?
1x105
100(102)
1x107
1x103?
1x104
100(102)
1x106?
1x103?
1x104
10(101)
1x105?
SENASA 2013
Module 8 - 137

Inicialmente:
Energa de impacto
Densidad de poblacin
Area letal
Probabilidad de daos a terceros
Otras opciones:
La probabilidad de impactar contra alguien en el suelo en una cada

incontrolada se considera 100%.
Clasificacin del fallo en funcin del nivel de energa.
SENASA 2013
Module 8 - 138


Nivel de energa:
V impacto
PUNTO DE PARTIDA
CS-25
kts
CATASTRFICO
450
1.52 x 108 Nm
PELIGROSO
R= p x E =0.152
MAYOR
Ec =Mx(1,5xVc)2 =152MJ
R=pxE=1,52
5.670
Masa Kg
SENASA 2013
Module 8 - 139

Daos en tierra
Relationship between aircraft accidents and ground fatalities
Average No.
accidents/year
(10 year period)
Average No. fatal
accidents/year
Average No.
accidents/year
with ground fatalities
EASA annual safety review

2009 (EASA MS operators)
NTSB (USA GA 2005)
1160
1730
145
341
(13% of accidents)
(20% of accidents)
(0.3% of accidents)
(0.2% of accidents)
Esta tabla muestra datos de EASA y NTSB de accidentes que demuestran que el peligro para
terceras partes en tierra debido a accidentes de aviacin es muy bajo, alrededor del 0,2% por
accidente. Por tanto esta nueva metodologa no correlaciona directamente la KE y los daos
en tierra
SENASA 2013
Module 8 - 140


Daos en tierra
Safety is measured by No. accidents and fatal accidents/fh
The public perceive safety as the potential for injury/death and in absolute terms.
If the number of UA crashes was allowed to increase, safety would reduce
Ground risk should be independent of whether an aircraft is manned or unmanned
SENASA 2013
Module 8 - 141

Daos en tierra
Conclusion?
No need to define a specific ground risk for UAS as the current
accident based statistics are valid.
Ground risk can be managed by ensuring that the total number of
accidents per a/c category does not rise with UAS
Existing CSs are airworthinesss contribution to avoiding accidents
and the protection of people and property
Impact KE approach can act as a guide in showing equivalence with
manned aircraft but doesnt need to relate to the severity of
damage/harm to people on the ground
SENASA 2013
Module 8 - 142


Colisin en vuelo
To be discussed:
Must assume that any mid-air collision will result in loss of both a/c
Probability of the flight crew avoiding collisions in IMC is low
D&A considered as 2 separate sub-systems:
Separation assurance
Collision avoidance
Should the target level of safety be set as a function of airspace type

(i.e. the availability of ATC separation and the category of aircraft
expected to be encountered)?
What reliance can be placed on ATC for separation assurance?
SENASA 2013
Module 8 - 143

Colisin en vuelo
Airspace Classes F, G
Probability of mid-air
collision
10-7
AND
UAS ASAS fails
UAS CA fails
10-3
10-3
SENASA 2013
Manned aircraft does

not mitigate
10-1
Module 8 - 144


Colisin en vuelo
Probability of mid-air
collision
<10-9
Airspace Classes A, B, C
Creditfor
ATC?
AND
ATC fails
10-3
UAS ASAS fails

10-3
UAS CA fails
10-3
Manned aircraft does

not mitigate
10-1
SENASA 2013
Module 8 - 145
Introduction
STANAG 4703
STANAG 4671
Design Philosophy
SENASA 2013
Module 8 - 146

FILOSOFAS DE DISEO PRINCIPALES

Para cumplir con los objetivos de seguridad el material gua
de la seccin 1309 identifica las siguientes filosofas de
diseo:
FALLO SIMPLE (SIMPLE FAILURE)
APRUEBA FALLOS (FAIL-SAFE)
SENASA 2013
Module 8 - 147
CONCEPTO DE FALLO SIMPLE

Single Fault es el criterio de seguridad que se aplicaba
hasta que la FAA considero la necesidad de incluir
considerar combinaciones de fallo. (Enmienda 25-41)
Con este criterio, los anlisis se centraban en demostrar
que no exista una condicin de fallo nica que impidiese la
continuacin del vuelo y aterrizaje de forma segura.
Todava puede ser vlido para aviones monomotores con
sistemas convencionales y bases de certificacin
anteriores.
SENASA 2013
Module 8 - 148

CONCEPTO A PRUEBA DE FALLOS (FAILSAFE)

Se deben considera los efectos y las combinaciones de
fallos para considerar un diseo seguro.
Con 2 objetivos:
El fallo de cualquier elemento debe ser asumido, y no debe impedir
la continuacin del vuelo y aterrizaje seguro.
Fallos subsiguientes, detectables o no detectables, tambin deben
ser asumidos, a menos que se demuestre que son extremadamente
improbables
El trmino Fail-Safe, se puede intercambiar tambin por el

trmino Fault-Tolerant
SENASA 2013
Module 8 - 149
PRINCIPIOS DE DISEO FAIL-SAFE

1. INTEGRIDAD Y CALIDAD
2. REDUNDANCIA O EXISTENCIA SISTEMAS
RESERVA
3. AISLAMIENTO (SEPARACIN FSICA)
4. FIABILIDAD DEMOSTRADA
5. INDICACIN DE FALLOS (AVISO)
6. PROCEDIMIENTOS TRIPULACIN
7. CAPACIDAD DE COMPROBACIN DEL ESTADO
8. CONFINAMIENTO DEL FALLO
9. CONTROL DEL MODO FALLO
SENASA 2013
DE
Module 8 - 150

UAV/RPA FAULT-TOLERANT CONTROL
Non-Adaptative vs Adaptive FTC Systems

Integrated Fault-tolerant Architecture
Active System Restructuring Component
Suite of Adaptive Reconfigurable Flight Controllers
Reconfigurable Path Planning Component
Mission Adaptation Component
..
SENASA 2013
Module 8 - 151
CRITERIOS DE DISEO SISTEMAS

A la hora de desarrollar los sistemas hay establecer cules
son los criterios de diseo aplicables, segn establece los
propios estndares de certificacin (p.e. STANAG 4703)
Estos criterios de diseo estn reflejados en estndares de
la propia industria como son principalmente MIL-STD, SAE,
AECMA,
En muchos casos estos estndares con los criterios de
diseo suelen estar identificados en el propio material gua
con los mtodos de cumplimiento aceptados por las
autoridades (AMC/AC)
Podemos decir que para cada instalacin, equipo o
instrumento de un Sistema UAV existe una referencia
aplicable MIL/SAE/AECMA, la cual debera ser tenida en
cuenta la hora de preparar la especificacin tcnica del
sistema.
SENASA 2013
Module 8 - 152

Introduction
STANAG 4703
STANAG 4671
Design Philosophy
SENASA 2013
Module 8 - 153
UAV SUBSYSTEMS CERTIFICATION

SUMMARY
La certificacin de los sub-sistemas de un sistema de
aeronave no tripulada es muy similar a la de las aeronaves
tripuladas ,
Se siguen estndares muy similares a los las Aeronaves
Ligeras tripuladas y criterios de cumplimiento de
equivalentes (AMC/AC)
Es un proceso metdico, y la mejor manera de conducirlo
es a travs de una matriz de cumplimiento con cada uno de
los requisitos aplicables
Esta matriz de cumplimiento debe ser aprobada por la
autoridad de certificacin al comienzo del programa
SENASA 2013
Module 8 - 154

ESCOLLOS Y TRAMPAS (PITFALLS)

No poder disponer de la documentacin requerida respecto
a la homologacin de los equipos y componentes de los
subsistemas del UAV
Utilizar equipos y componentes que no tienen un sistema
de control la produccin adecuado (QML, QPL, AQEC, etc)
No disponer de anlisis de fiabilidad y de modos de fallo de
los fabricantes de los instrumentos, equipos y componentes
que pueden ser esenciales para operacin segura de la
aeronave no tripulada
SENASA 2013
Module 8 - 155
PREGUNTAS Y DUDAS
SENASA 2013
Module 8 - 156


Modulo 08 Airborne Systems

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Modulo 08 Airborne Systems

Uploaded by

Copyright:

Available Formats

Introduction to RPAs Certification

Servicios y Estudios para la Navegacin

RPAS Airborne Systems

Total or partial reproduction is not allowed

RPAS Airborne Systems - 1

Introduction to RPAs Certification

UAS/RPAS AIRBORNE SYSTEMS

Total or partial reproduction is not allowed

AIR VEHICLE POWERPLANT INSTALLATION

Total or partial reproduction is not allowed

RPAS Airborne Systems - 2

Introduction to RPAs Certification

AIR VEHICLE FUEL TANK SUBSYSTEM

Total or partial reproduction is not allowed

FUEL TANK INTEGRATION

Total or partial reproduction is not allowed

RPAS Airborne Systems - 3

Introduction to RPAs Certification

AIR VEHICLE FUEL SUBSYSTEM

Total or partial reproduction is not allowed

UAV FLIGHT CONTROL SURFACES

Total or partial reproduction is not allowed

RPAS Airborne Systems - 4

Introduction to RPAs Certification

UAV LANDING GEAR

Total or partial reproduction is not allowed

AIRCRAFT DE-ICING SYSTEMS

Total or partial reproduction is not allowed

RPAS Airborne Systems - 5

Introduction to RPAs Certification

AIR VEHICLE ELECTRICAL SUBSYSTEM

Total or partial reproduction is not allowed

UAV ELECTRICAL SUBSYSTEM LAYOUT

Total or partial reproduction is not allowed

RPAS Airborne Systems - 6

Introduction to RPAs Certification

UAV HYDRAULICALLY POWER

Total or partial reproduction is not allowed

Total or partial reproduction is not allowed

RPAS Airborne Systems - 7

Introduction to RPAs Certification

PAYLOADS & EQUIPMENT COMPARTMENT

Total or partial reproduction is not allowed

SWAPPABLE UNIVERSAL PAYLOAD

640 W Lithium Polymer

Total or partial reproduction is not allowed

RPAS Airborne Systems - 8

Introduction to RPAs Certification

UAV PARACHUTE LANDING SYSTEM

Total or partial reproduction is not allowed

RPAS Airborne Systems

Total or partial reproduction is not allowed

RPAS Airborne Systems - 9

Introduction to RPAs Certification

STANAG 4703 SYSTEMS & EQUIPMENT

The UAV system must not have design features or details

Total or partial reproduction is not allowed

STANAG 4703 SYSTEM & EQUIPMENT

UL.22 TECHNICAL OCCURRENCES REPORTING

Total or partial reproduction is not allowed

RPAS Airborne Systems - 10

Introduction to RPAs Certification

STANAG 4703 DESIGN CRITERIA

DESIGN CRITERIA - AMC