SAE Technical Standards Board Rules provide that: “This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user.”

SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancelled. SAE invites your written comments and suggestions.

Copyright 2006 SAE International. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE.

TO PLACE A DOCUMENT ORDER:
Tel: 877-606-7323 (inside USA and Canada)
Tel: 724-776-4970 (outside USA)
Fax: 724-776-0790
Email: CustomerService@sae.org
SAE WEB ADDRESS: http://www.sae.org

ARP5107 REV. B
AEROSPACE RECOMMENDED PRACTICE
Issued 1997-06
Revised 2006-11
Superseding ARP5107A

Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems

RATIONALE

Revision B has a revised section 6.4 on Recommendations on Items Considered Part of the FADEC System.

TABLE OF CONTENTS

1. SCOPE
1.1 Purpose
1.2 Summary of Revisions
1.2.1 Summary of Revision A
1.2.2 Summary of Revision B
1.3 Field of Application
2. REFERENCES
2.1 Applicable Documents
2.1.1 FAA Publications
2.1.2 EASA Publications
2.2 Acronyms and Symbols
3. APPLICABILITY
4. HISTORICAL PERSPECTIVE
5. HISTORY OF INTEGRITY GUIDELINES
6. GENERAL ANALYSIS APPROACH
6.1 FADEC System Configuration
6.2 Repair Categories: Immediate, Short, and Long Time
6.3 Classification of FADEC Fault Types
6.3.1 No Dispatch (ND) Type Faults
6.3.2 Short Time (ST) Type Faults
6.3.3 Long Time (LT) Type Faults
6.3.4 Combinations of Faults and Uncovered (UC) Faults
6.3.5 Aircraft Related Information
6.4 Recommendations on Items Considered Part of the FADEC System
6.5 Recommendations on In-Service LOTC Reporting
7. CALCULATION APPROACHES: SINGLE ENGINE ANALYSIS
7.1 A Simple Time-Averaging Approach
7.1.1 LOTC Rate for Full-up Electronics
7.1.2 Average LOTC Rate for Short Time (ST) Faults
7.1.3 Average LOTC Rate for Long Time (LT) Faults
7.1.4 Calculations of the Average LOTC Rate Using the TWA Approach
7.1.5 An Example Calculation
7.2 Markov Model Approach
7.2.1 Open Loop Markov Models
7.2.2 Closed Loop Markov Model Approach
7.2.3 Examples of Single Fault States
7.2.4 Acceptability (and Accuracy) of Single State Models
7.3 Comparison of TWA and MM Approaches
7.4 A Single State FADEC System MM Example
7.4.1 Description of the Excel Spreadsheet Data
7.4.2 Validity of the Calculated Data
7.5 Second Example: A Single and Dual State Model of a FADEC System
7.6 Discussion of Markov Model and TWA Approaches, and the Use of Fault Trees for Determining LOTC Rates When Operating With Faults
7.7 Time-Since-Fault (i.e., On-Condition) Repair Versus Periodic Inspection and Repair
8. CALCULATION APPROACHES: DUAL ENGINE ANALYSIS
8.1 Time-Averaging Approach
8.2 Maximum Specific Risk Failure Rates as a Function of Dispatch Configuration
9. SUMMARY
10. NOTES
APPENDIX A EARLY APPLICATIONS
APPENDIX B REVISED FAA ANE POLICY LETTER, ANE-1993-33.28TLD-R1, DATED JUNE 29, 2001, POLICY FOR TIME LIMITED DISPATCH (TLD) OF ENGINES FITTED WITH FULL AUTHORITY DIGITAL ENGINE CONTROLS (FADEC) SYSTEMS
APPENDIX C DISCUSSION OF SOME TYPICAL FADEC SYSTEM FAULTS AND THEIR APPLICABILITY TO THE LOTC ANALYSIS
APPENDIX D DISCUSSION OF THE MMEL, DDG, CMRS, AND THEIR RELATIONSHIP TO FADEC SYSTEM MAINTENANCE (THE HANDLING OF ND, ST, AND LT FAULTS)
APPENDIX E PROBABILITY OF A DUAL ENGINE FAILURE WITH DIVERSION AND TURNBACK
APPENDIX F REVIEW OF THE COEFFICIENTS USED IN THE TIME-WEIGHTED-AVERAGE (TWA) EQUATION
APPENDIX G WHEN IS A SINGLE STATE MODEL OK?
APPENDIX H COMPARISON OF THE ASYMPTOTIC VALUE OF (DP/DT)/(1 - P) IN AN OPEN LOOP MARKOV MODEL WITH THAT OF THE AVERAGE FAILURE RATE OF THE SYSTEM FROM A CLOSED LOOP MARKOV MODEL

FIGURE 1 SIMPLIFIED FADEC SYSTEM
FIGURE 2 SIMPLIFIED FADEC SYSTEM FAULT DIAGRAM
FIGURE 3 SIMPLIFIED FLOW DIAGRAM FOR FADEC SYSTEM FAULTS LEADING TO LOTC
FIGURE 3.1 ILLUSTRATIONS OF ALL LOTC EVENTS, ALL IFSD EVENTS, AND ENGINE CONTROL SYSTEM ELEMENTS INVOLVED IN A TLD ANALYSIS
FIGURE 4 A GRAPHICAL REPRESENTATIONS OF THE FAILURE PATHS OF A SIMPLE FADEC SYSTEM THAT LEAD TO LOTC
FIGURE 5 PLOT OF THE LOTC RATE FOR THE EXAMPLE DATA GIVEN IN 7.1.5 FOR BOTH THE ORIGINAL FRACTIONAL COEFFICIENTS (AS GIVEN IN THE ORIGINAL ARP) WITH THE IMPROVED FRACTIONAL COEFFICIENTS GIVEN IN THIS REVISED ARP
FIGURE 6 OPEN LOOP MARKOV MODEL WATER FALL DIAGRAM
FIGURE 7 OPEN LOOP MARKOV MODEL OF SIMPLE FADEC SYSTEM WITH REPAIR FOR SHORT AND LONG TIME FAULT STATES
FIGURE 8 PROBABILITY FLOW INTO AND OUT OF STATE PJ
FIGURE 9 CLOSED LOOP MM FOR SIMPLE FADEC CONTROL SYSTEM WITH REPAIR FOR SHORT AND LONG TERM FAULT STATES
FIGURE 10 SINGLE STATE MARKOV MODEL
FIGURE 11 COMPARISON OF TWA SOLUTIONS USING THE ORIGINAL ARP FRACTIONAL COEFFICIENTS AND THE BALANCED EQUATION 6 COEFFICIENTS OF THIS ARP WITH MARKOV MODEL SOLUTIONS USING EQUATIONS 20, 20C AND 20F (FROM THIS ARP) FOR THE FADEC SYSTEM DATA GIVEN IN 7.1.5
FIGURE 12 MM DIAGRAM OF A TYPICAL FADEC SYSTEM (NOTE: ALL S ARE FAILURES PER MILLION HOURS)
FIGURE 13 LOTC RATE (TABLE 1 DATA USING EQUATION 20) AS A FUNCTION OF THE LT FAULT REPAIR TIME FOR SIMPLE FADEC SYSTEM EXAMPLE OF FIGURE 12
FIGURE 13A COMPARISON OF FIGURE 12 MARKOV MODEL LOTC CALCULATIONS USING EQUATIONS 20, 20C AND 20F
FIGURE 14 SECOND EXAMPLE OF SINGLE STATE MARKOV MODEL OF A TYPICAL FADEC SYSTEM, WITH 23 SINGLE FAULT STATES
FIGURE 15 FIGURE 14 MODEL WITH 180 DUAL STATES ADDED
FIGURE 16 LOTC RATES AS A FUNCTION OF LT REPAIR TIME FOR BOTH THE SINGLE AND DUAL STATE MODELS OF FIGURES 14 AND 15
FIGURE 17 (TINSPECT/TTSF) VERSUS (TTSF/TMTBF(LT)
FIGURE 18 DERIVATION OF APPROXIMATION GIVEN IN EQUATION 24

TABLE 1 TYPICAL CATEGORIZATION OF FADEC SYSTEM ELEMENTS
TABLE 2 SPREADSHEET SOLUTION FOR FADEC SYSTEM EXAMPLE SHOWN IN FIGURE 12
TABLE 3 SPREAD SHEET SHOWING THE CALCULATIONS FOR DETERMINING THE COEFFICIENTS A0, A1, B0, B1, C0, C1, D0, D1 USED IN EQUATION 20C
TABLE 4 DUAL ENGINE SPECIFIC RISK AS A FUNCTION OF DISPATCH CONFIGURATION

1. SCOPE

This SAE Aerospace Recommended Practice (ARP) provides methodologies and approaches which have been used for conducting and documenting the analyses associated with the application of Time Limited Dispatch (TLD) to the thrust control reliability of Full Authority Digital Electronic Control (FADEC) systems. The TLD concept is one wherein a redundant system is allowed to operate for a predetermined length of time with faults present in the redundant elements of the system, before repairs are required. This document includes the background of the development of TLD, the structure of TLD that was developed and implemented on present generation commercial transports, and the analysis methods used to validate the application of TLD on present day FADEC equipped aircraft. Although this document is
specific to TLD analyses (for FADEC systems) of the loss of thrust control, the techniques and processes discussed in this document are considered applicable to other FADEC system failure effects or other systems, such as thrust reverser and propeller control systems, and overspeed protection systems.

1.1 Purpose

The purpose of this document is to provide guidance on achieving approval of time-limited-dispatch (TLD) for full authority digital electronic (engine) control (FADEC) systems. In this regard, the usage of the term “TLD” refers to the concept that FADEC engine control systems shall be allowed to operate with faults for a specified period of time, after which, appropriate repairs shall be made to bring the system back to a “full up” configuration. For the purposes of this document, the term “full up” is used to indicate that the FADEC system is free of faults which affect its loss of thrust control (LOTC) failure rate as defined in Section 5. Hence, “required repairs” for this application of TLD are limited to only those faults that affect the LOTC rate, and faults that do not affect the LOTC rate, such as faults in sensors used for engine condition monitoring, are not addressed in these guidelines. Sensors that could affect the LOTC rate, such as oil pressure, oil temperature, and exhaust gas temperature (EGT) should be included in the analysis if those sensors are part of the engine's FADEC system. This document is concerned with LOTC events which are caused by failures and/or faults in the engine's control system. Engine failures from any other causes are not the subject of these guidelines. In addition, this document is not intended to establish specific requirements for FADEC system certification or design. Specific requirements pertaining to certification
should be coordinated with the appropriate certifying agency.

1.2 Summary of Revisions

1.2.1 Summary of Revision A

A significant improvement in determining the fractional coefficients of the time-weighted-average (TWA) equation, which is the first approach described herein for estimating the average LOTC rate of the system, has been made and is described in 7.1. The new coefficients allow the TWA method to yield a more balanced solution - one which is closer to the Markov model solution and somewhat simpler to use.

Much has changed in the description of the Markov modeling (MM) analysis approach described in this revision. Since the original release in June of 1997, the authors of this ARP have a better understanding of the MM approach as it applies to FADEC as well as other systems. Unique to this document is the description of MM as either an Open Loop or Closed Loop model. The nomenclature of Open Loop and Closed Loop Markov models is unique to this document. The authors have not seen this terminology used elsewhere, and there is no intention herein to set any type of standard in the using of this terminology. The development of the Closed Loop MM approach has led to NOT having to solve a set of differential equations to obtain the steady state solution for the overall average failure rate of a system, but rather, simply solving a set of algebraic equations to obtain the solution. This was implied in the original release, because the MMs in that release were solved by integrating the differential equations until a steady state solution was obtained, where all of the time derivatives were essentially zero. However, it was not specifically called out that the derivatives should be set to zero at the onset, and the resulting set of algebraic equations solved to obtain
the values of the state probabilities. In addition, it was not recognized that the values obtained for the state probabilities, which are dependent on the value of the feedback rate from the fully-failed, loss-of-thrust-control (LOTC) state to the full-up state, do not affect the failure rate of the system. Hence, although the original release provides some rationale for setting the feedback or repair rate from the fully failed LOTC state to the full-up state to unity (i.e., 1.0), the value of this feedback rate doesn't matter and the rationale for setting the feedback rate to unity can be misleading. As the new material shows, the solution is independent of all state probabilities and the value of the fully failed to full-up feedback rate. The solution is only dependent on the failure rates between the various states of the model and the repair rates used for the short time (ST), long time (LT) states, and if modeled, any no-dispatch (ND) fault states.

Experience has also shown that simulating states representing two or more failures has little influence on the overall LOTC rate of FADEC systems when the repair rates for the various fault states are much more frequent than the failure rates into and out of those fault states. When this is the case, constructing a “single state model” is usually adequate. In single state models, described in 7.2.2.3, only single fault states are modeled, and only those additional single failures that would cause the
control system to go from those single fault states to the LOTC state are modeled. Adding additional multiple failure states only affects the answer by a small amount, i.e., less than 5%. This is discussed in more detail in Appendix G.

Similar to the above, the use of the terminology “single state model” is unique to this document, and there is no intention to set any terminology standard with the use of this descriptive term. Some who have reviewed this document have commented that the use of the terminology single state model is misleading because a single state model actually models all dual
failures that lead to the LOTC state. This is correct. However, the selection of the terminology was made because the model explicitly shows only the single failure states. All dual failures that lead to LOTC events are included in the LOTC failure state, and no dual failures that do NOT result in an LOTC event are modeled.

A revised Engine and Propeller Directorate policy letter, reference 2.1.1.3, on time-limited-dispatch for engines fitted with FADEC systems was released on June 29, 2001. Changes from the original policy letter, see references in 2.1.1, to the requirements for TLD operations were minor in nature, but the revised policy letter was expanded greatly to reflect what has been learned of TLD operations from in-service experience. The new policy letter replaces the original one and is included in Appendix B.

A discussion of the elements that are considered part of the engine control system and should be represented in the LOTC analysis, will be added (6.4) in the future.

1.2.2 Summary of Revision B

Section 6.4, on Recommendations on Items Considered Part of the FADEC System, has been significantly expanded to provide more guidance on that subject. Section 6.5, on Recommendations on In-Service LOTC Reporting, has been added. The functions of the system, the elements selected for use in the system, and the design implementation all depend on the overall system architecture. In addition, integration between the engine and the aircraft control systems is constantly changing. All of these factors impact the selection of the elements to include as part of the FADEC system. Therefore, the information include
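
Added example (not part of ARP5107 or any SAE material): the closed loop Markov model point made in the Summary of Revision A, worked numerically. The four-state layout, all rate values, and the definition of the average LOTC rate as probability flow into the LOTC state divided by the probability of not being in it are assumptions made for this illustration; the ARP's own equations are not reproduced on this page.

```python
# Closed loop Markov model of a simplified FADEC system (added illustration).
# States: 0 = full-up, 1 = short time (ST) fault, 2 = long time (LT) fault, 3 = LOTC.
# All rates are constructed sample values (per hour), not data from ARP5107.

def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def steady_state(feedback):
    """State probabilities with every dP/dt set to zero (algebraic equations only)."""
    rate = {  # rate[(i, j)] = transition rate from state i to state j
        (0, 1): 50e-6, (0, 2): 100e-6, (0, 3): 2e-6,  # failures out of full-up
        (1, 3): 40e-6, (2, 3): 5e-6,                  # further failure -> LOTC
        (1, 0): 1 / 125.0, (2, 0): 1 / 500.0,         # ST and LT repair rates
        (3, 0): feedback,                             # LOTC -> full-up feedback
    }
    n = 4
    a = [[0.0] * n for _ in range(n)]
    for (i, j), r in rate.items():
        a[j][i] += r      # probability flow into state j from state i
        a[i][i] -= r      # probability flow out of state i
    a[n - 1] = [1.0] * n  # replace one balance equation with sum(P) = 1
    b = [0.0] * (n - 1) + [1.0]
    return solve(a, b), rate

def average_lotc_rate(feedback):
    """Flow into LOTC per unit probability of not being in LOTC (assumed definition)."""
    p, rate = steady_state(feedback)
    flow = sum(r * p[i] for (i, j), r in rate.items() if j == 3)
    return flow / (1.0 - p[3])

if __name__ == "__main__":
    for fb in (1.0, 0.01):
        p, _ = steady_state(fb)
        print(f"feedback={fb}: P(LOTC)={p[3]:.3e}, LOTC rate={average_lotc_rate(fb):.6e}/h")
```

Changing the feedback rate moves the state probabilities by about two orders of magnitude, while the computed LOTC rate stays the same and shifts only when a failure or repair rate is changed.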