SAE ARP 6539-2017 Validation and Verification Process Steps for Monitors Development in Complex Flight Control and Related Systems.pdf

SAE Technical Standards Board Rules provide that: "This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user." SAE reviews each technical report at least every five years at which time it may be revised, reaffirmed, stabilized, or cancelled. SAE invites your written comments and suggestions.

Copyright 2017 SAE International
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE.

TO PLACE A DOCUMENT ORDER: Tel: 877-606-7323 (inside USA and Canada); Tel: +1 724-776-4970 (outside USA); Fax: 724-776-0790; Email: CustomerService@sae.org
SAE WEB ADDRESS: http://www.sae.org
SAE values your input. To provide feedback on this Technical Report, please visit http://standards.sae.org/ARP6539

AEROSPACE RECOMMENDED PRACTICE ARP6539
Issued 2017-11
Validation and Verification Process Steps for Monitors Development in Complex Flight Control and Related Systems

RATIONALE

There is a need for a document that provides a process for the development and approval of monitoring algorithms for highly-integrated and complex aircraft flight control and related systems. This document satisfies this need.

FOREWORD

A monitor is a mechanism in place to detect failures at the component or system level. The monitor functionality includes input signal sampling, a detection scheme and a corrective action. Poorly designed monitors can result in an inability of the monitor to detect or react to the failure condition in a time frame appropriate to the failure threat, or in nuisance trips affecting system availability.

The inability to detect a failure in a timely fashion can have a negative impact on:
- Aircraft safety
- The pilot's ability to cope with a developing problem
- Aircraft safety margins

Nuisance trips can have a negative impact on:
- Baseline safety due to reductions in redundancy following system re-configuration, or reduced system availability
- Degradation of the importance attached to warnings due to complacency resulting from frequency of occurrence
- Development program cost and schedule increases if the issues are only discovered at the aircraft integration rigs, or during flight test
- Dispatch interruption rate increases and unplanned diversions for fleets if the problems emerge, or persist into revenue service of the aircraft
- Increase in no fault found rates following unscheduled maintenance removals

SAE INTERNATIONAL ARP6539 Page 2 of 12

This recommended practice provides program level guidance to validate and verify the need for, and robustness of, monitoring functions for highly integrated aircraft systems. As a general note, the Supplier described in this document is a system, sub-system, or equipment supplier. In some cases though, the monitor(s), or monitoring scheme, may be developed by the OEM, or consist of some combination of OEM and Supplier derived monitors. The process steps for this type of development work are the same and are aimed at the level at which the monitor requirements are specified. The OEM monitors development team can be assigned the role of the Supplier in the context of this process.

TABLE OF CONTENTS

1. SCOPE . 2
1.1 Field of Application . 2
2. APPLICABLE DOCUMENTS . 3
2.1 Definitions . 3
2.2 Abbreviations . 4
3. MONITORS DESIGN PROCESS STEPS . 5
3.1 Monitors Development Plan . 5
3.1.1 Critical Monitors . 6
3.2 Validation, Definition and Review of Monitors . 6
3.2.1 Completeness Check . 7
3.2.2 Correctness Check . 7
3.2.3 Peer Communities . 7
3.2.4 Monitor Performance . 8
3.3 Verification of Monitors . 9
3.3.1 Safety of Flight . 10
3.3.2 Type Certification and Entry into Service . 11
3.3.3 Post Entry into Service . 11
3.4 Monitors V

however, it can also be used for military aircraft applications.

2. APPLICABLE DOCUMENTS

There are no applicable documents.

2.1 Definitions

ANALYSIS: An evaluation based on decomposition into simple elements.
ASSESSMENT: An evaluation based upon engineering judgment.
ASSUMPTIONS: Statements, principles, and/or premises offered without proof.
AVAILABILITY: Qualitative or quantitative attribute that a system or item is in a functioning state at a given point in time. It is sometimes expressed in terms of the probability of the system or item not providing its output(s).
COMMON CAUSE ANALYSIS: Generic term encompassing zonal safety analysis, particular risk analysis, and common mode analysis.
COMMON MODE ANALYSIS: An analysis performed to verify that failure events identified in the ASA/SSA are independent in the actual implementation.
DERIVED REQUIREMENTS: Additional requirements resulting from design or implementation decisions during the development process which are not directly traceable to higher-level requirements.
ERROR: An omitted or incorrect action by a crewmember or maintenance person, or a mistake in requirements, design, or implementation.
FAILURE: An occurrence which affects the operation of a component, part or element such that it can no longer function as intended. This includes both loss of function and malfunction. Note: errors may cause failures, but are not considered to be failures.
FAILURE CONDITION: A condition having an effect on the aircraft and/or its occupants, either direct or consequential, which is caused or contributed to by one or more failures or errors, considering flight phase and relevant adverse operational or environmental conditions or external events.
FAILURE EFFECT: A description of the operation of a system or item as the result of a failure; i.e., the consequence(s) a failure mode has on the operation, function or status of a system or an item.
FAULT: A manifestation of an error in an item or system that may lead to a failure.
FUNCTIONAL HAZARD ASSESSMENT: A systematic, comprehensive examination of functions to identify and classify Failure Conditions of those functions according to their severity.
HAZARD: A condition resulting from failures, external events, errors, or combinations thereof where safety is affected.
ITEM: A hardware or software element having bounded and well-defined interfaces.
MONITOR: A monitor is a mechanism in place to detect failures at the component or system level.
ORIGINAL EQUIPMENT MANUFACTURER: Airframe manufacturer, typically responsible for structural and systems requirements specification and aircraft level integration.
PRELIMINARY SYSTEM SAFETY ASSESSMENT: A systematic evaluation of a proposed system architecture and its implementation, based on the Functional Hazard Assessment and Failure Condition classification, to determine safety requirements for systems and items.
SYSTEM: A combination of inter-related items arranged to perform a specific function(s).
SYSTEM SAFETY ASSESSMENT: A systematic, comprehensive evaluation of the implemented system to show that the relevant safety requirements are met.
TRACEABILITY: The recorded relationship established between two or more elements of the development process. For example, between a requirement and its source or between a verification method and its requirement.
VALIDATION: The determination that the requirements for a product are correct and complete, i.e., are we building the right aircraft/system/function/item?
VERIFICATION: The evaluation of an implementation of requirements to determine that they have been met, i.e., did we build the aircraft/system/function/item right?

2.2 Abbreviations

AFHA Aircraft Functional Hazard Assessment
ARP Aerospace Recommended Practice
ASA Aircraft Safety Assessment
CAS Crew Alerting Systems
CCA Common Cause Analysis
CDR Critical Design Review
CMA Common Mode Analysis
DCS Designated Certification Specialist (EASA)
DER Designated Engineering Representative (FAA)
EASA European Aviation Safety Agency
EIS Entry into Service
FAA Federal Aviation Administration
FHA Functional Hazard Assessment
FMEA Failure Modes and Effect Analysis
OEM Original Equipment Manufacturer
PASA Preliminary Aircraft Safety Assessment
PDR Preliminary Design Review
PSSA Preliminary System Safety Assessment
SFHA Systems Functional Hazard Assessment
SoF Safety of Flight
SSA System Safety Assessment
V&V Validation and Verification

3. MONITORS DESIGN PROCESS STEPS

The intent of these steps is to ensure proper time and effort is planned into the design process from the beginning of the program to implement a rigorous Validation and Verification (V&V) process of the monitors design. Figure 1 shows how the monitors V&V process steps fit into a typical aircraft development program. The activities encompassed in steps 3.1 through 3.4 are discussed in the next sections of this ARP.

Figure 1 - Monitors development V&V cycle

3.1 Monitors Development Plan

Early in the development of an aircraft program, the Supplier should prepare a Monitor Development Plan that includes the following activities:
a. Senior peer community at the Supplier's facility to review the monitoring strategies and mechanisms during the requirements definition phase
b. Supplier design team to present preliminary monitor layouts and development plan with the system architecture at the Preliminary Design Review (PDR), or other program specific planning review milestone
c. OEM and Supplier workshop activity prior to the system Critical Design Review (CDR) to validate the monitor design cases and understand the aircraft cases driving the monitor characteristics (see 3.2)
d. Supplier design team to prepare and document monitor implementation and validation details as a CDR deliverable
e. Supplier design team to further refine the monitors design characteristics and proceed with monitor verification activity of the critical monitors for Safety of Flight (SoF)
f. OEM and Supplier workshop to review the SoF monitors V&V design data as part of the first flight readiness activities (see 3.3)
g. Supplier to provide monitors V&V design data to support Type Certification
h. Supplier to finalize the entire monitors V&V activity with monitor design details for Entry into Service (EIS) with a peer review of the design data with the OEM (see 3.4)

NOTES:
1. The V&V activity and workshops associated with the monitors work are quite labor intensive due to the complexity of highly integrated digital systems. Development planning should include time and effort for this activity to be iterative in nature and to require focused attention of senior engineers for extended periods of time at both the Supplier and the OEM facilities, depending on the activity.
2. Monitor design data should be provided by the monitor design team to the OEM to chronicle the V&V activity, design characteristics and design assumptions after the prescribed Supplier and OEM peer reviews for each of the development gates. Major program milestones, reviews, and Supplier deliverables are typically defined in a system specific statement of work, which should include the monitor related activities and artifacts defined herein, with details of the activities captured in a Supplier Monitor Development Plan.

3.1.1 Critical Monitors

Critical monitors warrant special scrutiny early during the design cycle to mitigate cost and schedule risk associated with late discovery of issues. A critical monitor in this context is one that may pose a program risk, either during development or in revenue service.

Monitors that may pose a program risk in development are those that meet one or more of the following criteria, and should be validated and verified for SoF to minimize program risk:
a. Traces to an aircraft safety case
b. Creates a Crew Alerting System (CAS) message requiring pilot action
c. Forces a system reconfiguration reducing performance or redundancy

Monitors that may pose a program risk in revenue service are those that meet one or more of the following criteria, and should be validated and verified in time for EIS to minimize the impact of nuisance behaviors on customer operations:
d. Creates a CAS or maintenance message that will prevent dispatch
e. Creates a CAS or maintenance message that will force operational limitations

The later the critical monitor V&V activity is deferred, the further out the risk of poor monitor design consequences is carried, with exponentially increasing cost and schedule threats.

3.2 Validation, Definition and Review of Monitors

Failure monitoring requirements originate from and should be traced to:
a. Safety requirements derived from the AFHA, PASA, SFHA, PSSA, SSA, CCA, CMA, FMEA and other safety related documentation
b. Crew awareness requirements driving CAS messages included in the system interface definition documents with the OEM and other Suppliers
c. Derived requirements at lower level hardware or software requirements
d. Maintenance and health monitoring requirements
e. Economic requirements in place to protect expensive equipment from damage

The monitors design data should contain the traceability for each monitor, clearly stating the safety, or other, aircraft level requirement or assumption from which it is derived. The validation data should be completed by the Supplier and included in the CDR package.

3.2.1 Completeness Check

A completeness check should be done as part of the design validation activity to ensure the top down and bottom up traceability for requirements coverage of monitors. Specific attention should be paid during the check of safety critical monitors to ensure the independence requirements are properly represented in the monitoring architecture. For instance, independence between control and monitor lanes must be established to ensure a fault condition does not affect the two lanes in a manner that would mask the failure condition.
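The top down and bottom up traceability check described above, together with the control/monitor lane independence point, as an added example that is not part of ARP6539 or any Supplier's design data. It runs over a constructed trace table: the requirement and monitor records, their ids, source documents and lane names are all invented for illustration, and the data model (one monitor lane watching one control lane) is a simplification assumed here. The check reports requirements that no monitor covers (top down), monitors that trace to nothing or to an unknown requirement (bottom up), and safety-critical monitors hosted in the same lane they watch.

```python
"""Monitor traceability completeness check over a constructed trace table.

Added example, not taken from ARP6539. Requirement/monitor records, ids,
source documents and lane names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    source: str            # originating document, e.g. PSSA, FMEA, interface definition
    safety_critical: bool  # True when the requirement traces to a safety case


@dataclass(frozen=True)
class Monitor:
    mon_id: str
    traces_to: tuple       # requirement ids the monitor claims to satisfy
    monitor_lane: str      # lane (channel) that hosts the detection logic
    control_lane: str      # lane whose output the monitor watches


def completeness_check(requirements, monitors):
    """Return the findings of the top down, bottom up and independence checks."""
    req_by_id = {r.req_id: r for r in requirements}
    covered = set()
    findings = {
        "uncovered_requirements": [],   # top down: requirement with no monitor
        "untraced_monitors": [],        # bottom up: monitor with no trace at all
        "dangling_traces": [],          # bottom up: trace to an unknown requirement
        "independence_violations": [],  # safety-critical monitor in the lane it watches
    }

    for m in monitors:
        if not m.traces_to:
            findings["untraced_monitors"].append(m.mon_id)
        watches_safety_req = False
        for rid in m.traces_to:
            req = req_by_id.get(rid)
            if req is None:
                findings["dangling_traces"].append((m.mon_id, rid))
                continue
            covered.add(rid)
            watches_safety_req = watches_safety_req or req.safety_critical
        # A monitor hosted in the lane it watches shares that lane's faults, so a
        # single fault can disable both the function and its detection.
        if watches_safety_req and m.monitor_lane == m.control_lane:
            findings["independence_violations"].append(m.mon_id)

    for r in requirements:
        if r.req_id not in covered:
            findings["uncovered_requirements"].append(r.req_id)
    return findings


def passes(findings):
    """True only when every check came back empty."""
    return not any(findings.values())


# Constructed sample trace table (ids and lanes are illustrative only).
REQUIREMENTS = (
    Requirement("SR-001", "PSSA", True),      # covered by MON-A, lanes independent
    Requirement("SR-002", "FMEA", True),      # covered by MON-B, but same lane
    Requirement("CR-010", "ICD", False),      # crew awareness, covered by MON-C
    Requirement("MR-020", "Maintenance", False),  # nobody monitors this one
)
MONITORS = (
    Monitor("MON-A", ("SR-001",), monitor_lane="lane_B", control_lane="lane_A"),
    Monitor("MON-B", ("SR-002",), monitor_lane="lane_A", control_lane="lane_A"),
    Monitor("MON-C", ("CR-010", "SR-999"), monitor_lane="lane_B", control_lane="lane_A"),
    Monitor("MON-D", (), monitor_lane="lane_B", control_lane="lane_A"),
)

if __name__ == "__main__":
    result = completeness_check(REQUIREMENTS, MONITORS)
    for check, items in result.items():
        print(f"{check}: {items}")
    print("completeness check passed" if passes(result) else "completeness check FAILED")
```

Each finding category maps to a review question a peer community would raise at CDR: an uncovered requirement means a monitor is missing or the trace was never recorded; a dangling trace usually points at a stale requirement id after a document revision; an independence violation is the architectural case the text singles out for safety critical monitors.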

3.2.2 Correctness Check

A correctness check should be done first by the Supplier design team and then repeated in detail by both the Supplier and OEM peer communities. The correctness check should address:
- Justification of the monitor existence
- Performance of the monitor
- Robustness of the monitor

3.2.3 Peer Communities

The Supplier peer community should include senior specialists with specific product knowledge of current and legacy programs to fully leverage lessons learned in the detailed implementations of the monitors from disciplines like:
- Actuation
- Electronics
- Software
- Systems

Special attention should be paid to details of legacy implementations that may affect the monitored characteristi
