Scope
This SAE Aerospace Recommended Practice (ARP) provides methodologies and approaches which have been used for
conducting and documenting the analyses associated with the application of Time Limited Dispatch (TLD) to the thrust
control reliability of Full Authority Digital Electronic Control (FADEC) systems. The TLD concept is one wherein a
redundant system is allowed to operate for a predetermined length of time with faults present in the redundant elements
of the system, before repairs are required. This document includes the background of the development of TLD, the
structure of TLD that was developed and implemented on present generation commercial transports, and the analysis
methods used to validate the application of TLD on present day FADEC equipped aircraft. Although this document is
specific to TLD analyses (for FADEC systems) of the loss of thrust control, the techniques and processes discussed in
this document are considered applicable to other FADEC system failure effects or other systems, such as thrust reverser,
propeller control, and overspeed protection systems.
1.1 Purpose
The purpose of this document is to provide guidance on achieving approval of time-limited-dispatch (TLD) for full
authority digital electronic (engine) control (FADEC) systems. In this regard, the usage of the term "TLD" refers to the
concept that FADEC engine control systems shall be allowed to operate with faults for a specified period of time, after
which, appropriate repairs shall be made to bring the system back to a "full up" configuration. For the purposes of this
document, the term "full up" is used to indicate that the FADEC system is free of faults which affect its loss of thrust
control (LOTC) failure rate as defined in Section 5. Hence, "required repairs" for this application of TLD are limited to only
those faults that affect the LOTC rate, and faults that do not affect the LOTC rate, such as faults in sensors used for
engine condition monitoring, are not addressed in these guidelines. Sensors that could affect the LOTC rate, such as oil
pressure, oil temperature, and exhaust gas temperature (EGT) should be included in the analysis if those sensors are
part of the engine's FADEC system.
This document is concerned with LOTC events which are caused by failures and/or faults in the engine's control system.
Engine failures from any other causes are not the subject of these guidelines. In addition, this document is not intended
to establish specific requirements for FADEC system certification or design. Specific requirements pertaining to
certification should be coordinated with the appropriate certifying agency.
1.2 Summary of Revisions
1.2.1 Summary of Revision A
A significant improvement in determining the fractional coefficients of the time-weighted-average (TWA) equation, which
is the first approach described herein for estimating the average LOTC rate of the system, has been made and is
described in 7.1. The new coefficients allow the TWA method to yield a more balanced solution - one which is closer to
the Markov model solution and somewhat simpler to use.
Much has changed in the description of the Markov modeling (MM) analysis approach described in this revision. Since
the original release in June of 1997, the authors of this ARP have a better understanding of the MM approach as it applies
to FADEC as well as other systems. Unique to this document is the description of MM as either an Open Loop or Closed
Loop model. The nomenclature of Open Loop and Closed Loop Markov models is unique to this document. The authors
have not seen this terminology used elsewhere, and there is no intention herein to set any type of standard in the use of
this terminology. The development of the Closed Loop MM approach has led to NOT having to solve a set of differential
equations to obtain the steady state solution for the overall average failure rate of a system, but rather, simply solving a
set of algebraic equations to obtain the solution. This was implied in the original release, because the MMs in that
release were solved by integrating the differential equations until a steady state solution was obtained, where all of the
time derivatives were essentially zero. However, it was not specifically called out that the derivatives should be set to
zero at the onset, and the resulting set of algebraic equations solved to obtain the values of the state probabilities.
In addition, it was not recognized that the values obtained for the state probabilities, which are dependent on the value of
the feedback rate from the fully-failed, loss-of-thrust-control (LOTC) state to the full-up state, do not affect the failure rate
of the system. Hence, although the original release provides some rationale for setting the feedback or repair rate from the
fully failed LOTC state to the full-up state to unity (i.e., 1.0), the value of this feedback rate doesn’t matter and the rationale
for setting the feedback rate to unity can be misleading. As the new material shows, the solution is independent of all
state probabilities and the value of the fully failed to full-up feedback rate. The solution is only dependent on the failure
rates between the various states of the model and the repair rates used for the short time (ST), long time (LT) states, and
if modeled, any no-dispatch (ND) fault states.
Experience has also shown that simulating states representing two or more failures has little influence on the overall
LOTC rate of FADEC systems when the repair rates for the various fault states are much more frequent than the failure
rates into and out of those fault states. When this is the case, constructing a “single state model” is usually adequate. In
single state models, described in 7.2.2.3, only single fault states are modeled, and only those additional single failures
that would cause the control system to go from those single fault states to the LOTC state are modeled. Adding additional
multiple failure states only affects the answer by a small amount, i.e., less than 5%. This is discussed in more detail in
Appendix G.
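
The closed-loop, single-state approach described in the paragraphs above, as an added example that is not taken from the ARP: the time derivatives are set to zero and the resulting algebraic equations are solved directly, for two different values of the LOTC-to-full-up feedback rate. The state layout, all rate values, and the definition of the average LOTC rate as the flow into the LOTC state divided by the probability of being in a non-LOTC state are assumptions made for illustration.

```python
# Added example: closed-loop single-state Markov model solved algebraically.
# All rates (per hour) are constructed values for illustration only.

def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def steady_state(rates, n):
    """rates maps (i, j) to the rate from state i to j; returns P with dP/dt = 0."""
    q = [[0.0] * n for _ in range(n)]  # generator matrix
    for (i, j), r in rates.items():
        q[i][j] += r
        q[i][i] -= r
    # Balance equations sum_i P_i * q[i][j] = 0; one is redundant, so the
    # last is replaced by the normalisation sum(P) = 1.
    a = [[q[i][j] for i in range(n)] for j in range(n)]
    a[-1] = [1.0] * n
    return solve(a, [0.0] * (n - 1) + [1.0])

FU, ST, LT, LOTC = range(4)  # full-up, short-time, long-time, LOTC

def lotc_rate(feedback, mu_st=1 / 125, mu_lt=1 / 250):
    """Return (average LOTC rate per hour, state probabilities)."""
    rates = {
        (FU, LOTC): 2e-6,  # single failures that cause LOTC directly
        (FU, ST): 20e-6, (ST, LOTC): 100e-6, (ST, FU): mu_st,
        (FU, LT): 100e-6, (LT, LOTC): 10e-6, (LT, FU): mu_lt,
        (LOTC, FU): feedback,  # closes the loop back to full-up
    }
    p = steady_state(rates, 4)
    flow_in = sum(p[i] * r for (i, j), r in rates.items() if j == LOTC)
    # Assumed definition: LOTC events per hour spent in a non-LOTC state.
    return flow_in / (1.0 - p[LOTC]), p

if __name__ == "__main__":
    for fb in (1.0, 0.01):
        rate, p = lotc_rate(fb)
        print(f"feedback={fb}: LOTC rate={rate:.4e}/h, P(LOTC)={p[LOTC]:.3e}")
```

Changing the feedback rate shifts the state probabilities, in particular P(LOTC), but leaves the computed average LOTC rate unchanged.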
Similar to the above, the use of the terminology “single state model” is unique to this document, and there is no intention
to set any terminology standard with the use of this descriptive term. Some who have reviewed this document have
commented that the use of the terminology single state model is misleading because a single state model actually models
all dual failures that lead to the LOTC state. This is correct. However, the selection of the terminology was made because the
model explicitly shows only the single failure states. All dual failures that lead to LOTC events are included in the LOTC
failure state, and no dual failures that do NOT result in an LOTC event are modeled.
A revised Engine and Propeller Directorate policy letter, reference 2.1.1.3, on time-limited-dispatch for engines fitted with
FADEC systems was released on June 29, 2001. Changes from the original policy letter, see references in 2.1.1, to the
requirements for TLD operations were minor in nature, but the revised policy letter was expanded greatly to reflect what
has been learned of TLD operations from in-service experience. The new policy letter replaces the original one and is
included in Appendix B.
A discussion of the elements that are considered part of the engine control system and should be represented in the
LOTC analysis will be added (6.4) in the future.
1.2.2 Summary of Revision B
Section 6.4, on Recommendations on Items Considered Part of the FADEC System, has been significantly expanded to
provide more guidance on that subject. Section 6.5, on Recommendations on in-service LOTC Reporting, has been
added.
The functions of the system, the elements selected for use in the system, and the design implementation all depend on
the overall system architecture. In addition, integration between the engine and the aircraft control systems is constantly
changing. All of these factors impact the selection of the elements to include as part of the FADEC system. Therefore,
the information included in this section does not provide an absolute answer, but is intended to provide a methodology to
use in selecting which elements of the aircraft/engine control system should be included in the analysis.
The added Table 1 in that section illustrates how to consider all elements of the thrust or power control system, the
functions and failure modes associated with the element, and then evaluate whether it is or is not part of the TLD
restriction envelope depicted in Figure 3.1. The table also shows the most likely result of a failure of the element by
identifying the applicable area of Figure 3.1.
1.3 Field of Application
This document applies to redundant FADEC control systems for aircraft engines on multi-engine aircraft. TLD addresses
the level of degraded redundancy that is allowable - while still meeting the necessary airworthiness requirements - for
FADEC controlled aircraft engines used on multi-engined aircraft. (It is noted that the submittal of a TLD analysis is not a
requirement for certification of an engine incorporating a FADEC system. The analysis is a means to substantiate and
obtain approval for dispatching and operating a FADEC system - for limited time periods - with faults present in the
system.) Although this document specifically applies to FADEC systems on multi-engined aircraft, the methodologies
presented herein with regard to achieving an overall average system failure rate can also be applied to other systems.