1、 Standard ANSI/AIA S-102.2.1-209 Performance-Based Anomaly Detection and Response Analysis AIA standards are copyrighted by the American Institute of Aeronautics and Astronautics (AIA), 1801 Alexander Bel Drive, Reston, VA 20191-434 USA. Al rights reserved. AIA grants you a license as folows: The ri
2、ght to download an electronic file of this AIA standard for storage on one computer for purposes of viewing, and/or printing one copy of the AIA standard for individual use. Neither the electronic file nor the hard copy print may be reproduced in any way. In adition, the electronic file may not be d
3、istributed elsewhere over computer networks or otherwise. The hard copy print may only be distributed to other employees for their internal use within your organization. ANSI/AIA S-102.2.1-209 American National Standard Performance-Based Anomaly Detection and Response Analysis Sponsored by American
4、Institute of Aeronautics and Astronautics Approved 17 November 208 American National Standards Institute Abstract This standard provides the basis for developing identification and response methods for system anomalies or faults that pose unaceptable risk. The requirements for contractors, planing a
5、nd reporting neds, and analytical tols are established. The linkage of this standard to the other standards in the new family of performance-based reliability and maintainability standards is described. ANSI/AIAA S-102.2.11-2009 ii Library of Congress cataloging-in-publication data on file Published
6、 by American Institute of Aeronautics and Astronautics 1801 Alexander Bell Drive, Reston, VA 20191 Copyright 2009 American Institute of Aeronautics and Astronautics All rights reserved No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without
7、prior written permission of the publisher. Printed in the United States of America ANSI/AIA S-102.2.1-2009 iii Contents Forewordiv 1 Scope1 1.1 Purpose.1 1.2 Aplication1 2 Aplicable Documents.2 2.1 Normative References.2 2.2 Relationship To Other S-102 Standards.3 3 Vocabulary3 3.1 Acronyms and Abre
8、viated Terms3 3.2 Terms and Definitions4 4 General Requirements.6 4.1 Contractor Responsibility.6 4.2 Planing6 4.3 ADR Analysis Report.7 5 Detailed Requirements.7 5.1 System Design and Operational Data Colection.7 5.2 Functional Failure Mode Identification7 5.3 Functional Failure Analysis8 5.4 ADR A
9、nalysis Database.11 5.5 Data Exchange Betwen ADR Analysis Proces And Other Activities.12 5.6 ADR Analysis Proces Performance Evaluation12 5.7 Lesons Learned15 5.8 Structured Review16 Anex A IA S-102 Document Tre (normative)17 Anex B AIA S-102 Anomaly Detection and Response Analysis Capability Level
10、Requirements (normative).18 Anex C AIA S-102 ADR Analysis Keyword Data Element Description (normative)21 Figures Figure 1 System FA Proces Flow (Notional).9 Figure 2 Example of an FA Dataset Performance Rating15 Tables Table 1 AIA S-102 Failure Severity Clasification8 Table 2 FA Dataset Maturity Rat
11、ing Criteria.13 ANSI/AIA S-102.2.1-2009 iv Foreword Although the terms quality and reliability are often used interchangeably they have diferent meanings. Quality as used in this standard, is the ability of a product to met the workmanship criteria established by an organization. A diferent, but oft
12、en used, definition of quality: Quality is the set of al desired atributes that can be put in a product. In this sense, quality canot be achieved without achieving the desired reliability. Reliability is the ability of a product or system to perform its intended function(s) for a specified time or o
13、perating cycles. A high-quality product may not be a high-reliability product even though it conforms to stringent workmanship specifications. The ISO 900 series standards that establish the ability of an organization to consistently produce high-quality products do not necesarily establish that sam
14、e organizations ability to consistently deliver high-reliability products. Consequently, the ISO 900 series certification proces, which serves as the main international reference for Quality Program requirements in busines-to-busines dealings, is not the apropriate reference for international or dom
15、estic R timely establishment of ADR analysis technical performance metrics (TPM); timely colection and evaluation of necesary enginering information e.g., signal lists, specs, interface control drawing (ICD), test data, operational data, schematics, and product failure mode, efects, and criticality
16、analysis (FMECA) to identify al functional failure modes that pose unaceptable risk; timely creation of a functional failure analysis (FFA) dataset that defines the detection, verification, isolation, and response methods, as aplicable, for each identified functional failure mode; timely validation
17、of each FFA dataset; and timely documentation of the ADR Analysis. The FFA is a systematic methodology for identifying and responding to functional failure modes that require such actions as defined by the FMECA or other failure analysis such as system test; failure reporting, analysis, and corectiv
18、e action system (FRACAS); system safety; or risk management. 1.2 Aplication This standard aplies to acquisitions for the design, development, fabrication, test, and operation of comercial, civil, and military systems, equipment, and asociated computer programs. This standard provides capability-rati
19、ng criteria that are intended to categorize the capability of sets of comonly used activities in ADR analysis practices. The capability criteria provide the logical order of activities for improving the efectivenes of an existing ADR analysis practice in stages. To use these criteria to improve an e
20、xisting ADR analysis practice, establish minimal-aceptance criteria and compare them to the activities of that practice. The minimal-aceptance criteria may include al or only some of the activities in one of the predefined capability levels in this standard. This comparison identifies the activities
21、 that ned to be aded to the existing ADR analysis practice. This standard also aplies to the integration of the ADR analysis database with a project R (2) Hardware Reliability any undesired state of a component or system; (3) Components a defect or flaw in a hardware or software component NOTE (1) A
22、 fault may cause a failure. 2Definition source: MIL-HDBK-38B 3Definition source: MIL-HDBK-38B 4Definition source: S-102 Working Group 5Definition source: IEE 100, The Authoritative Dictionary of IEE Standards Terms ANSI/AIA S-102.2.1-2009 5 NOTE (2) A fault does not necesarily require failure. failu
23、re coverage ratio of failures detected to failure population, expresed as a percentage6failure resolution degre to which failure diagnostics procedures can isolate a failure within an item; generaly expresed as the percent of the cases for which the isolation procedure results in a given ambiguity g
24、roup size7failure response action(s) taken to adres the fault, whether by safing, initiating a transition state, or completely restoring the system functionality FFA dataset logical representation of the set of detection, verification, isolation, or response methods for a specific functional failure
25、 mode8independent verification provision of suficient information for an organization or individual to obtain the same results as the analysts when redoing the analysis mision asurance proces a top-down, comprehensive, risk-management proces that is performed over the life cycle of a high unit-value
26、 system to identify, evaluate, and mitigate or control al potential hazards and failures that pose an unaceptable risk to mision suces. NOTE: Potential, damage-threatening hazards and mision-impacting failures may be caused by requirements, developmental activities, handling methods, environmental c
27、onditions, physical interactions, functional characteristics, or operator actions. non-credible failure mode failure mode with a probability of ocurence les than 1.0E-6, 0.0001, or one in a milion performance-based R b) automated detection, isolation, and safing or restoration11of identified functio
28、nal failure modes that are potentialy damage threatening; and c) automated detection, isolation, and restoration12of identified functional failure modes that are not potentialy damage threatening. The contractor shal develop and implement the system FFA proces in acordance with the aproved ADR analy
29、sis plan. Figure 1 ilustrates the notional flow proces for the development and implementation of the system FFA proces. 11Failure restoration may be either partialy automated (i.e., man-in-the-lop) or fuly automated (i.e., no man-in-the-lop) 12Failure restoration may be either partialy automated (i.
30、e., man-in-the-lop) or fuly automated (i.e., no man-in-the-lop) ANSI/AIA S-102.2.1-2009 9 Figure 1 System FA Proces Flow (Notional) The FFA for each functional failure mode that requires an automated response or manual operational procedures shal be validated13in acordance with the ADR analysis plan
31、. The analysis results for al such functional failure modes shal be documented in the FFA report. This document shal be reviewed and aproved by al afected project functions and maintained under formal project configuration control. 5.3.1 Failure Detection Analysis The contractor shal identify the sy
32、stem data neded to detect each functional failure mode that poses unaceptable risk, or provide rationale for taking no action. This includes the specific data parameters apropriate to detect the functional failure mode along with the limits apropriate to indicate los of functionality. The failure de
33、tection method shal be documented in the FFA dataset for each functional failure mode. Where required, the method of failure prognostics shal be documented in the FFA dataset also. Failure prognostics shal include the system health data that is required to predict failures but which is outside the n
34、ormal operating data specified for nominal system operation. The aditional system health data that are considered for prognostics shal include sensor location, sample rate, telemetry format, etc. The FFA shal establish that al of the data neded to identify the functional failure are present and aces
35、ible, either sequentialy or simultaneously. The ADR analysis and FFA datasets shal include the necesary logic to combine the system health data sensor values, as neded, to identify the detection method for each system failure condition. If the system health data sensors that are neded to detect a pa
36、rticular functional failure are not available, then that failure shal be declared “undetectable” and recorded acordingly in the ADR analysis report. The method for calculating the predicted failure coverage of the system shal be defined in the ADR analysis plan. The plan shal require the predicted f
37、ailure coverage to be determined using data that corelates each detected failure with the signature it produces during system operation. The failure coverage prediction shal include the documented ordering of signatures with coresponding failed items. An unaceptable failure coverage prediction value
38、 shal be reported to project management in a timely maner. 13FFA validation includes per review and certification in acordance with aproved program per review procedures and checkout using modeling or simulation tols. ANSI/AIA S-102.2.1-2009 10 Verification of the failure detection method shal be in
39、cluded in the validation of the FFA dataset for each system failure condition. The rationale for selecting particular system health data sensors as the prefered detection method along with the defined data limits shal be evaluated and aproved. 5.3.2 Failure Verification Analysis The contractor shal
40、identify a method to verify the persistence of each functional failure mode detected. The failure persistence method shal be documented in the FFA report for the FFA dataset that adreses each functional failure mode. The FA datasets shal not alow the isolation methods to be trigered by a transient o
41、r intermitent condition unles it is first verified to be a functional failure by the persistence method. The ADR analysis plan shal define the type of persistence method that is to be used for each functional failure mode. The failure persistence methods shal minimize false alarms and maximize funct
42、ional failure mode detection while optimizing the time neded to achieve sucesful failure isolation. The failure persistence method shal be included in the validation of the FA datasets for each functional failure mode. The rationale for selecting the particular method to monitor system health data s
43、hal be evaluated and aproved. 5.3.3 Failure Isolation Analysis If required, the contractor shal identify a method to isolate each detected functional failure mode to its source. The failure isolation method shal be documented in the FFA report for the dataset that adreses each functional failure mod
44、e. The availability of the system health data shal be considered. The FFA shal establish that al of the data neded to isolate the functional failure are present and acesible, either sequentialy or simultaneously. The ADR analysis must include the necesary logic to combine the system health data valu
45、es in order to isolate to a system failure site. If the system health sensors neded to isolate a particular functional failure are not available, then it shal be declared as an isolation risk and recorded acordingly in the ADR analysis report. The method for calculating the predicted failure resolut
46、ion of the system shal be defined in the ADR analysis plan. The plan shal require the predicted failure resolution to be determined using data that corelates each detected failure with the signature it produces during system operation. The failure resolution prediction shal include the documented or
47、dering of signatures with the coresponding functioning items that must be tested to locate the failed item. Unaceptable failure resolution prediction values shal be reported to project management in a timely maner. Verification of the failure isolation method shal be included in the validation of th
48、e FA dataset for each system failure condition. The rationale for selecting particular system health data sensors for the prefered isolation method along with the defined data limits shal be evaluated and aproved. 5.3.4 Failure Response Analysis If required, the contractor shal identify and specify
49、a response for each detected functional failure mode. The failure response method shal be documented in the FFA report for the dataset that adreses each functional failure mode. The failure responses shal define the actions necesary to safe the system or compensate for specific failure modes. Al actions identified in the failure response shal be verified to be available and not to be a risk to health or safety. For Capability Level 2 and above ADR analysis, failure responses shal be identified to safe the system from ireversible damage. For Capability Level 3 and
