Maintenance and Reliability

Application of enhanced methods for safety assessment of FADEC

Jiri Hlinka a, Rostislav Kostial a, Michaela Horpatzka a
a Institute of Aerospace Engineering, Brno University of Technology, Technicka 2896/2, 616 69 Brno, Czech Republic

Highlights
• A unified concept of criticality levels respecting FADEC use in different types of aircraft.
• Combination of Item and Functional FMEA used to reduce the time effort for safety assessment.
• New failure effect classification used to link effects to different aircraft categories.

Abstract
The paper deals with safety and reliability assessment as an integral part of the development process for modern aviation products with potentially critical functions. The focus is on digital engine control units, their development process and tools offering potential savings in otherwise time-demanding and expensive safety assessment processes. The paper shows the application of several approaches which together form an innovative way of safety assessment for aerospace products (otherwise strictly limited by regulation procedures). It is focused on practical ways to reduce development costs during safety assessment without compromising its comprehensiveness. The described approaches are based on experience from the development of numerous aerospace products over nearly the last 20 years. In addition, the possibility of further enhancing the proposed innovative effect classification by applying FMECA is shown. Possible methods for quantitative assessment using fuzzy logic and/or multiple-criteria decision analysis are discussed.

Introduction
The recent rapid development of digital technologies in many fields enables the replacement of "old-fashioned" analogue or even mechanical control systems with state-of-the-art digital control solutions that bring many advantages. In aerospace, this process has been slowed down by the fact that replacing safety-critical control functions is a demanding and expensive process. Therefore, some aerospace applications still use the above-mentioned obsolete technologies. Especially in the area of small aircraft, with limited resources for development and certification, this issue prevents faster development.
To tackle this issue, new effective approaches need to be developed. The paper deals with research into new approaches for the effective development of complex electronic systems for general aviation aircraft, in particular to ensure effective safety assessment for a FADEC (Full Authority Digital Engine Control) under development.
Today's small turbine engines in general aviation are also often equipped with a FADEC in all or some configuration options. As an example, the Rolls-Royce M250 turboshaft engine, developed from the Allison Model 250 (produced and continuously improved since the 1960s), features a dual-channel FADEC in the latest series. The engine is used, for example, in the MD 530F from 2016 or in the Bell 407GXi from 2018 [26].
Pratt and Whitney has two variants of the PT6 engine with electronic control. The PT6C is a medium-class helicopter turboshaft engine with a dual-channel FADEC with hydro-mechanical backup, used in the AW139 [30]. The latest PT6E offers a dual-channel integrated electronic propeller and engine control system, also with single-lever power control. Single-lever power control (for both engine and propeller) reduces pilot workload. In 2019 the PT6E was announced as the power plant for the Pilatus PC-12 NGX [29].
The Czech company PBS Velka Bites developed small turbine engines. A FADEC is standard equipment on models TJ100 and TJ150. Model TJ100 is aimed at light sport aircraft, gliders, UAVs and micro jets, while the bigger TJ150 was designed directly for unmanned applications [1].
The paper deals with a FADEC for small turbine engines for general aviation. All works are part of a wider research project done in cooperation with the UNIS company. The research is dedicated to advanced technology for modular control and diagnostic systems for small turbine engines with thrust around 1500 N and small turboprop engines with power around 180 kW. Such an engine size has a wide range of aircraft applications and flight profiles. These may include, for example, UAS (unmanned aerial systems), small sport aircraft (2- or 4-seaters), or auxiliary power for gliders, see Tab. 1. Each application has specific performance demands, engine operation duration, or frequency of power level changes.

System Safety Assessment Process in Aerospace
Although safety assessment is an integral part of the design and certification of new equipment for aerospace use, current common methods leave significant space for improvement. Regulation requirements (both FAA 14 CFR and EASA CS) prescribe, during development/design safety assessment, a combination of standard methods such as FHA (Functional Hazard Assessment), FMEA/FMECA (Failure Modes, Effects and Criticality Analysis), FTA (Fault Tree Analysis) and RBD (Reliability Block Diagrams). Recommended practices for aerospace are summarized in SAE ARP 4761 [14]. A critical review of prediction techniques is the subject of several papers, for example [27], [35]. However, for the development of a complex product like a FADEC, new sophisticated methods can also be applied.
FHA is a systematic, comprehensive examination of functions to identify and classify the conditions of those functions according to their severity [14]. FHA is usually used as a preliminary analysis during the early design phase, when the exact components of the system are not yet known. Since it evaluates the functions of the system and the effects of their loss, it helps to find critical systems/parts already in early design phases.
FMEA is a qualitative method of analysis that involves the study of possible failure modes and faults in sub-items and their effects at various indenture levels [17]. For aerospace use it provides a systematic, bottom-up method of identifying the failure modes of systems, components or functions and determining their effect on the aircraft. It is a key method to prove the requirement "no catastrophic event should result from the failure of a single component". Typically, Functional or Item (piece-part) FMEA is used [14].
Both FHA and FMEA are qualitative assessment methods. For quantitative assessment, FTA, RBD or Markov analysis are used. These are top-down methods which proceed down through more detailed levels of design. After qualitative analysis, when failure conditions are identified, quantitative analysis can be applied to find what single failure or combinations of failures exist at lower levels that might cause each failure condition [14]. In addition, for software development in the aerospace industry, the recommendations of RTCA DO-178 [11] are applied. More information on safety assessment of software for aerospace use can be found in a number of papers. For example, [33] gives an overview of RTCA DO-178C and its impacts on the certification of safety-critical avionic systems. Another overview of the certification of safety-critical computer systems using RTCA DO-178 is presented in [19]. A more practical use of RTCA DO-178 for a condition monitoring system is presented in [13].
Although new progressive methods offering some advantages can be found in several research works (for example [20]), the aerospace industry relies on the above-described, well-proven methods, which are also established in aerospace regulation requirements. Therefore, the work presented in the paper is based on FHA and FMEA. In addition, the paper focuses on new ways to reduce the time effort and costs of safety assessment using these methods, which are acceptable for the aerospace certification process. In fact, the modifications proposed in the paper are so extensive that they form an innovative approach to both FHA and FMEA which has not been applied in aviation to such an extent before. For example, the presented enhanced FHA uses a totally new definition of criticality levels, allowing rapid application of the results to different aircraft classes (with different applications and failure effects). The proposed hybrid FMEA approach (although it may be seen in similar applications in other industrial sectors) is in this paper interlinked with the classification from the enhanced FHA (for greater flexibility across different aircraft types) and optimized for aerospace application (respecting its typical segmentation/functional zoning). Since the aerospace industry is facing an escalation of development costs with every new aircraft generation (additional development costs related to stricter requirements and more complex systems), reducing effort and costs in every aspect of the development process is extremely important.

Tab. 1 (FADEC application table referenced in the text; layout lost in extraction, only column headers and notes recovered):
Single Engine Aircraft | Glider
Notes: Engine is not used for a) critical phases of flight (take-off, landing etc.). Electrical power is not generated by the engine; an independent source (battery) is used. b) Independent fuel cut-offs. Each engine is controlled by its own independent FADEC unit. c) Aircraft without an anti-icing system are limited to IMC without icing. d) Regulation e) STANAG 4671, CS-LUAS.

System Safety Assessment of FADEC
For safety assessments of a FADEC, methods which allow simulation are usually used, for example Markov analysis (Markov chains), which was used for prototypes of the FADEC for the JAS 39 Gripen [15], or a Markov process [24] and Monte Carlo simulation [25] used for time-limited dispatch analysis of a FADEC. Another option is an analysis based on Bayesian networks: research [21] used improved BN analysis for a commercial aircraft FADEC. Simulations require a detailed model of the FADEC system and thus are suitable for later design phases, where the system structure is mostly established and it is assumed there will be no more major changes. Since the detailed modelling of complex systems is time consuming, there are efforts to simplify these models or methods [9]. However, in the described case, the assessment was done for the FADEC in the pre-prototype and prototype phases of development, where many parts were subject to change. Therefore, putting effort into the creation of a detailed system model was impractical.
To adapt to early design conditions, the traditional safety assessment methods, especially FHA and FMEA, were adjusted to minimize the need to rework the analysis every time a change occurs. For quantitative analysis FTA (Fault Tree Analysis) was used, which is not described in detail in the paper since its standard form described in SAE ARP 4761 [14] was used. The use of FTA in combination with Markov analysis for FADEC reliability assessment is described in detail in [22], for example. System safety for a FADEC from a software perspective was addressed in [28].

Enhanced safety assessment concept for complex electronic systems
The current general safety assessment process for aviation is shown in a simple form in Fig. 1. This scheme was derived from the recommendations of EASA CS AMC 25.1309 (Acceptable Means of Compliance) System design and analysis [3].
The team of authors was from the beginning facing a strict assignment: a FADEC with a wide range of uses, see Tab. 1. Similar needs can be expected for other producers of engine control units in the given power range. To enable efficient and precise safety assessment of such a complex electronic system, some new techniques were adopted. These techniques can be applied to any complex electronic system in general. For aviation, in addition, all safety assessment techniques must comply with the main airworthiness requirements for aircraft design and certification, typically EASA CS-23 [7] or FAA 14 CFR Part 23 [2] (for aircraft with fixed wing and propulsion unit), EASA CS-22 [6] (for gliders with an auxiliary power unit), or other similar requirements. Depending on the country of origin, Chinese or Russian equivalent airworthiness requirements can also apply. However, most of the regulation requirements link to the same industrial standards and practices. For example, CS-23 and 14 CFR Part 23 requirements link to the safety assessment procedures described in ASTM F3230-17 [31]. Detailed guidelines for safety assessment, including a list of assessment methods, are also available in SAE ARP 4761 [14]. A list of basic assessment methods is briefly mentioned in chapter 3; further information on safety assessment procedures is, for example, in [26]. The paper is focused on practical ways towards the reduction of development

Functions Criticality Level Analysis
As can be seen from Tab. 1, a FADEC for a general aviation engine can perform a wide variety of missions. In addition, it can also have a wide range of critical functions, i.e. engine control, electric power generation control, etc. Therefore, it is necessary to decompose all FADEC functions and link them to categories. The newly applied method divides all FADEC functions into four categories, see Tab. 2. These categories are linked to the enhanced FHA analysis and complement the failure classification.

Tab. 2. Functions criticality level
Criticality level | Description
Essential | The functionality of a particular part of the system, or of the system itself, is directly influenced by the function's behaviour. It essentially provides the intended function of the system or part of the system (thrust control, fuel flow control etc.).
Moderate | The function indirectly influences essential functions. However, a moderate function does not provide the intended function itself (overspeed protection, turbine temperatures, oil pressure etc.).
Marginal | Functions that support essential or moderate functions in the proposed envelope.
Insignificant | Functions without influence on essential or moderate functions.

Enhanced FHA
Every FADEC function is analysed using FHA (Functional Hazard Assessment). The main goal of the FHA results is to provide a list of potentially risky functions (and shortcomings) which should be further analysed, and/or for which corrective action should be taken (design change, added redundancy, etc.). Standard FHA is generally used for one specific application. This may be a problem if the intended use of the product covers different specifications (CS-22, CS-23) or applications (manned/unmanned). Enhanced FHA uniquely solves this problem, since it was developed to effectively cover all intended applications of the analysed product. The enhanced FHA shown in Fig. 2 for the first time identifies the effects for all FADEC applications in a single table.
According to aviation regulation requirements, all functions with HAZARDOUS or CATASTROPHIC consequences have to be further analysed using a prescribed set of analysis methods. Functions from the categories ESSENTIAL or MODERATE (according to Tab. 2) should also have a detailed safety assessment. These steps were done as a normal engineering procedure outside the scope of the paper.
See chapter 5.2 for more details on the example FADEC results.

Fig. 2. Example FHA applied on the FADEC

Hybrid Block FMEA
The classic safety assessment process defined in SAE ARP4761 recognizes Part FMEA or Functional FMEA. Since the developed FADEC was a complex electronic device with a significant number of electronic parts, a standard part FMEA would be time consuming. On the other hand, a functional FMEA would not fully respect the hardware "block composition" of the FADEC. Therefore, a "hybrid FMEA" was proposed and applied, combining the advantages of both part and functional FMEA. The goal of applying the hybrid method was to reduce the number of analysed components and to be able to quickly integrate design changes into the safety assessment.
Decomposition of the analysed FADEC led to functional blocks. Each block is a set of components performing defined functions. Two block types can be recognized:
• Simple block: performs a single function (i.e. temperature measurement, electric current filtration, …)
• Node block: performs more than one function (i.e. MCU, Micro Controller Unit, with sensor data processing and fuel flow control).
Each function must be analysed in the FMEA for node blocks. Fig. 3 shows an example of a functional block (composed of filters in the circuit of the integrated electric power generator) which consists of capacitors (C1, C2 etc.), resistors (R1, R2 etc.) and coils (L1) with connections to ground (GND).

Two-phase failure effect classification for FMEA
The same failures can have different effects on different aircraft types/categories. The presented methodology takes this fact into account: it has a two-phase process.
Phase One: Failure effect classification on the system level. Phase One classifies failure effects on the FADEC system itself. Every safety assessment classification is done just for the FADEC system; no effect on the aircraft or engine is considered. The goal of Phase One is to predict the critical elements of the FADEC (without a link to a particular application). Therefore, a different assessment classification is used compared to aviation standards [3], see Tab. 3.
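As an added example (not the paper's own code or tooling), the following Python sketch encodes the hybrid block FMEA with the two-phase classification: the system-level classes are those of Tab. 3; the aircraft-level ladder is assumed to be the usual AMC 25.1309 one, since the paper names only HAZARDOUS and CATASTROPHIC; the block data is constructed to resemble the power-rail filter example, and its category names, per-category classes and failure rates are illustrative rather than the paper's.

```python
from dataclasses import dataclass
from enum import Enum


class SystemClass(Enum):
    """Phase One: effect on the FADEC itself, independent of the aircraft (Tab. 3)."""
    SAFETY_CRITICAL = 4
    SERIOUS = 3
    DEGRADED = 2
    NOT_CRITICAL = 1


class AircraftClass(Enum):
    """Phase Two: effect on the aircraft. Full AMC 25.1309 ladder is an assumption
    of this example; the paper names only HAZARDOUS and CATASTROPHIC."""
    CATASTROPHIC = 5
    HAZARDOUS = 4
    MAJOR = 3
    MINOR = 2
    NO_EFFECT = 1


@dataclass
class FailureMode:
    name: str
    system_effect: SystemClass   # Phase One classification
    aircraft_effects: dict       # Phase Two: aircraft category -> AircraftClass


@dataclass
class Block:
    """A functional block of the hybrid FMEA: a set of parts analysed as one item."""
    name: str
    parts: list
    failure_modes: list
    failure_rate_per_1e6h: float


# Constructed sample block modelled on the paper's power-rail filter example.
POWER_RAIL_FILTER = Block(
    name="Block 1: power-rail filter",
    parts=["C1", "C2", "R1", "R2", "L1"],
    failure_rate_per_1e6h=0.8,   # illustrative value
    failure_modes=[
        FailureMode("short circuit", SystemClass.SAFETY_CRITICAL,
                    {"single engine aircraft": AircraftClass.HAZARDOUS,
                     "UAS": AircraftClass.MAJOR,
                     "jet engine glider": AircraftClass.MINOR}),
        FailureMode("open circuit", SystemClass.DEGRADED,
                    {"single engine aircraft": AircraftClass.MINOR,
                     "UAS": AircraftClass.MINOR,
                     "jet engine glider": AircraftClass.NO_EFFECT}),
    ],
)


def phase_one_critical_modes(block):
    """Phase One: failure modes that threaten the FADEC's primary functions."""
    return [fm.name for fm in block.failure_modes
            if fm.system_effect in (SystemClass.SAFETY_CRITICAL, SystemClass.SERIOUS)]


def phase_two_worst_effect(block, category):
    """Phase Two: worst aircraft-level effect of the block for one aircraft category."""
    return max((fm.aircraft_effects[category] for fm in block.failure_modes),
               key=lambda c: c.value)


def needs_detailed_analysis(block):
    """Rule quoted in the paper: a HAZARDOUS or CATASTROPHIC effect in any intended
    application sends the block on to the prescribed detailed analyses."""
    return any(c.value >= AircraftClass.HAZARDOUS.value
               for fm in block.failure_modes for c in fm.aircraft_effects.values())


def apply_part_change(block, old_part, new_part, new_rate):
    """A minor change inside a block (e.g. a capacitor swap) only updates the block's
    failure rate; the FMEA rows of the block are returned unchanged."""
    block.parts[block.parts.index(old_part)] = new_part
    block.failure_rate_per_1e6h = new_rate
    return block.failure_modes
```

Running the same block through `phase_two_worst_effect` for each category is the single-table view the enhanced FHA aims at: one analysis of the block, several aircraft-level verdicts.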

Extension to Hybrid Block FMECA
To further enhance the proposed innovative effect classification, it is possible to use FMECA (Failure Modes, Effects and Criticality Analysis) instead of FMEA. This moves the proposed solution towards quantitative assessment, adding also a criticality level (for example in the form of CN, the criticality number). The authors did consider this extension for a future enhancement of the presented method. Many models for criticality definition exist, including models based on a risk matrix and the following:
CN defined using weighting factors π_1 … π_N, where the factors π_1 … π_N are weighting factors that express influences on failure effects. These factors can, for example, represent the influence of:
• failure classes,
• the effect of the part failure on the system,
• the failure probability of one part in the set of all analysed parts,
• ease of failure detection,
• speed of response to the failure.
All these factors are based on expert judgement, which leads to a certain subjectivity of assessment. Therefore, this method is suitable primarily for assessments where there is no reliable source of information on failure probability.
CN defined using a generic base failure rate with influencing factors ([16]), where:
C_KRi  criticality factor of the part,
i  ID number of the part,
N  total number of parts,
β  conditional probability that the failure will lead to a critical failure of the system,
α  relative ratio between the failure rate of the given type and the total failure rate for the given part,
λ_G  failure rate of a part with the influence of all possible failure modes; the usual form is failures/10^6 h,
t  operating time that each part accumulates during the whole operating time of the system,
K_E  corrective factor incorporating the effects of operating conditions different from those for which λ_G was determined,
K_A  corrective factor incorporating the effects of operating loads different from those for which λ_G was determined.
RPN (Risk Priority Number) [34]. Risk assessment is calculated by multiplying the ranking values of O, S and D [5].

Fig. 3. Example of simple filter block for el. energy filtration

Table 3. FADEC system criticality level
Criticality level | Description
Safety-Critical | Failures which directly affect the system's ability to perform primary and/or essential functions. The system can no longer perform its primary functions. Emergency shutdown or switch to the backup system is required.
Serious | Failures which directly affect the system's ability to perform primary and/or essential functions. The system is able to perform its primary functions for a limited amount of time before shutdown or switching to the backup system.
Degraded | Failures which can affect the performance of the system. Primary functions are preserved with limited performance for an unlimited time.
Not Critical | Failures without an effect on primary or essential functions.

Fig. 2 (rows recovered from the figure):
Function not recovered: In case of a failure, the analogue segment of the MCU (microprocessor) and the analogue inputs fail, resulting in ECU emergency shutdown and use of the back-up system for engine control. The crew has a visual indication of the activation of the back-up system.
Overspeed Protection / Loss of Sensing: In case of a failure, the MCU has no information on turbine rpm. This results in ECU emergency shutdown and use of the back-up system for engine control. The crew has a visual indication of the activation of the back-up system. The crew is able to monitor turbine rpm using on-board instruments (the indication is independent of the overspeed protection).

Example hybrid block FMEA record (recovered from the paper's example table):
Block 1 | Power-rail filter: provides electrical filtration and connectivity to the aircraft on-board electrical grid.
Failure mode | Short circuit: short circuit on one or more of the block items.
APR | Effects on system: In case of a failure, the ECU overvoltage protection is activated. In the worst-case scenario, the ECU is switched off and the back-up system is used for engine control.
CLASS: Critical | Effects on aircraft: In case of failure, the aircraft continues in flight on the back-up system. Some functions are deactivated (overspeed protection, automated start etc.).
FAILURE DESCRIPTION | In case of failure, the engine loses thrust due to the emergency shutdown.
Change in aircraft behaviour | Master warning, red light and sound (except: jet engine glider).
Further columns | Plane category (Jet engine glider), Flight phase (see Table 7), Failure classification, Note.
Although in aerospace the failure mode occurrence (O) can usually be defined with a high degree of confidence (thanks to previous experience and operational data), the effect severity (S) and the probability of detecting the failure (D) may sometimes involve a high degree of subjective judgement. To reduce this significant shortcoming, which is not only linked to the RPN method (but also to the other mentioned methods), fuzzy logic may further be applied as a supporting tool. This can be especially meaningful in the case of the probability of detecting the failure (D). An alternative approach to the optimization of parameters is, for example, in [34]. Although a number of papers can be found where RPN is criticized for some shortcomings, which were summarized by Liu in [23], it is the most suitable method for the application of fuzzy logic (and for reducing the degree of subjective judgement). The most significant shortcomings usually mentioned include the RPN values and their varying sensitivity to small changes, or that the parameters O, S and D are equally weighted.
The choice of a specific criticality analysis method depends primarily on the available input information and secondarily on the specific conditions and goals of the analysis. For the example case described in the paper, the RPN method seems most suitable and will be considered in the further text. The authors do consider an extension of the methods presented in Chapter 4 towards partially quantitative assessment using FMECA with the application of fuzzy logic or multiple-criteria decision analysis. Chapters 4.5 and 4.6 show the potential of this extension and should be considered as an introduction to future work.

Table 7. ICAO flight phases [10]
Phase | Code | Definition
STANDING | STD | Prior to pushback or taxi, or after arrival, at the gate, ramp, or parking area, while the aircraft is stationary.
TAXI | TXI | The aircraft is moving on the aerodrome surface under its own power prior to take-off or after landing.
TAKEOFF | TOF | From the application of take-off power, through rotation and to an altitude of 35 feet above runway elevation.
INITIAL CLIMB | ICL | From the end of the take-off sub-phase to the first prescribed power reduction, or until reaching 1,000 feet above runway elevation or the VFR pattern, whichever comes first.
LANDING | LDG | From the beginning of the landing flare until the aircraft exits the landing runway, comes to a stop on the runway, or when power is applied for take-off in the case of a touch-and-go landing.
EMERGENCY DESCENT | EMG | A controlled descent during any airborne phase in response to a perceived emergency situation.
UNCONTROLLED DESCENT | UND | A descent during any airborne phase in which the aircraft does not sustain controlled flight.
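The two quantitative criticality measures discussed above, as an added Python example that is not the paper's code. The criticality number is implemented in the MIL-STD-1629A form C = β · α · λ_p · t with λ_p = λ_G · K_E · K_A; this is an assumption, because the text defines the symbols C_KRi, β, α, λ_G, K_E, K_A and t but does not reproduce the formula itself. The RPN helper groups failure modes that land on the same RPN from different (O, S, D) triples, which is the equal-weighting shortcoming the text mentions. All part values are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PartFailureMode:
    """One failure mode of one part, using the symbols defined in the text."""
    part_id: str      # i: ID number of the part
    mode: str
    alpha: float      # α: share of this mode in the part's total failure rate
    beta: float       # β: conditional probability the mode causes a critical system failure
    lambda_g: float   # λ_G: generic failure rate of the part, failures per 10^6 h
    k_e: float        # K_E: correction for operating conditions vs. those of λ_G
    k_a: float        # K_A: correction for operating loads vs. those of λ_G
    t_hours: float    # t: operating time accumulated by the part


def mode_criticality(m):
    """Assumed MIL-STD-1629A form: C_m = β · α · (λ_G · K_E · K_A) · t, in units of
    10^-6 expected critical failures over the operating time t."""
    return m.beta * m.alpha * (m.lambda_g * m.k_e * m.k_a) * m.t_hours


def part_criticality(modes, part_id):
    """C_KRi for part i: sum of the criticalities of that part's failure modes."""
    return sum(mode_criticality(m) for m in modes if m.part_id == part_id)


def alpha_check(modes, tol=1e-9):
    """Consistency check: the α values of one part must sum to 1 (they are the
    shares of its total failure rate). Returns the ids of parts that fail it."""
    sums = defaultdict(float)
    for m in modes:
        sums[m.part_id] += m.alpha
    return sorted(p for p, s in sums.items() if abs(s - 1.0) > tol)


def rpn(o, s, d):
    """Risk Priority Number: product of occurrence, severity and detectability ranks."""
    for v in (o, s, d):
        if not 1 <= v <= 10:
            raise ValueError("O, S and D are ranks on a 1..10 scale")
    return o * s * d


def rpn_ties(entries):
    """Group failure modes that receive the same RPN from different (O, S, D)
    triples, i.e. the equal-weighting shortcoming of the plain RPN."""
    groups = defaultdict(list)
    for name, o, s, d in entries:
        groups[rpn(o, s, d)].append(name)
    return {value: names for value, names in groups.items() if len(names) > 1}


# Constructed sample data loosely modelled on the filter block of Fig. 3.
FILTER_MODES = [
    PartFailureMode("C1", "short circuit", 0.5, 1.0, 2.0, 2.0, 1.5, 1000),
    PartFailureMode("C1", "open circuit", 0.3, 0.1, 2.0, 2.0, 1.5, 1000),
    PartFailureMode("C1", "parameter drift", 0.2, 0.0, 2.0, 2.0, 1.5, 1000),
    PartFailureMode("R1", "open circuit", 0.9, 0.5, 0.5, 2.0, 1.5, 1000),  # α sums to 0.9: flagged
]

RPN_ENTRIES = [
    ("C1 short circuit", 3, 9, 4),    # rare, severe, moderately detectable
    ("C1 parameter drift", 9, 4, 3),  # frequent, mild, easy to detect
    ("C1 open circuit", 4, 9, 3),
]
```

The three sample RPN entries describe quite different risk pictures yet all evaluate to 108, which is exactly the ranking collision that motivates the fuzzy and multiple-criteria extensions the paper goes on to consider.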

Fuzzy extended criticality inputs
To evaluate the probability of detecting a failure (D) of a given item, for example the scoring in Tab. 8 can be used (based on [18]). The detectability scoring interval is 0 to 10. A lower score corresponds to a higher probability of failure detection. A high score corresponds to a lower probability of failure detection, resulting in a latent failure. The detectability fuzzy membership is established in Fig. 4. A trapezoidal membership function is used.
Tab. 9 shows an example component from the simple filter block shown in Fig. 3. In this case the component is the ceramic capacitor C1, and its failure modes' detectability. As can be seen, there is no direct possibility to detect any of the three failure modes shown. A short circuit can be detected based on collateral effects (activation of the overload protection and automatic switch to HBM mode) and during pre-flight inspection. A change in operational parameters is practically undetectable and latent until more capacitors degrade or until another failure mode occurs. An open circuit of the capacitor can cause filtration degradation, which can influence some very sensitive parts of the system. The detectability of this failure is very complicated.
Note to Tab. 9. Pre-flight inspection test: the item malfunction can be detected during the pre-flight test, according to the flight manual.

Fig. 4. Fuzzy membership function for the linguistic variable detectability [18] (score scale up to 10, the top of the scale labelled LATENT)

Fuzzy inference process
As can be seen in Fig. 5, the input values O, S and D are the starting point of the fuzzy inference process. Fuzzy procedures described many times in the literature can be applied. The most used inference technique is Mamdani, developed by Professor Ebrahim Mamdani of London University in 1975. A detailed description of the fuzzy inference process is outside the scope of the paper. It uses several process steps, including fuzzification, rule evaluation (using fuzzy inference rules) and defuzzification. The last step, defuzzification, is done in order to obtain a single scalar output from the fuzzy process. The ranking represents the extended criticality level of the failure mode. Probably the most used defuzzification technique is the centroid technique. It finds where a vertical line would slice the aggregate set of the final fuzzy scoring into two equal masses. Mathematically, this centre of gravity (COG) can be expressed as follows, with µ(x) being the membership function on the final scoring. A risk assessment methodology using fuzzification for the RPN methodology was discussed in ref. [8].

Multiple-criteria decision analysis
The second method considered for future evaluation of criticality is multiple-criteria decision analysis. If applied during FADEC prototype design, it has the advantage of different weighting for the O, S and D criteria. It also has a small sensitivity to changes of non-critical criteria. On the other hand, it is sensitive to changes of the critical criteria used for decision making. There has been some work using multiple-criteria decision analysis before, for example [4], where the TOPSIS method was used for maritime risk evaluation.
The authors plan to make a comprehensive evaluation of both methods on the case of one functional FADEC block. The method with the best results will then be recommended for application on the whole FADEC.
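The three steps named above (fuzzification, rule evaluation, centroid defuzzification) as an added Python example, not code from the paper: O, S and D are mapped onto trapezoidal sets on the 0..10 scale, a small Mamdani rule base is evaluated with min/max, the clipped output sets are aggregated and the centre of gravity is integrated numerically. The breakpoints of the trapezoids and the rule base are assumptions, since the paper shows only the detectability membership of Fig. 4 and does not list its rules; the one feature taken from the text is that a high D score means a latent failure and should push criticality up.

```python
# Universe of discourse: the O, S, D ranks and the output ranking all live on 0..10.
# Trapezoid breakpoints (a, b, c, d) are constructed for this example.
SETS = {
    "low": (0.0, 0.0, 2.0, 5.0),
    "medium": (2.0, 4.0, 6.0, 8.0),
    "high": (5.0, 8.0, 10.0, 10.0),   # for D this is the LATENT end of the scale
}


def trapezoid(x, a, b, c, d):
    """Trapezoidal membership: 1 on [b, c], linear ramps on [a, b] and [c, d], 0 outside."""
    if b <= x <= c:
        return 1.0
    if x <= a or x >= d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


def fuzzify(value):
    """Step 1: degree of membership of a crisp rank in each linguistic set."""
    return {name: trapezoid(value, *abcd) for name, abcd in SETS.items()}


def rule_strengths(o, s, d):
    """Step 2: Mamdani rule evaluation (AND = min, OR = max). Constructed rule base:
      R1: IF S high AND O high                 THEN criticality high
      R2: IF D high (latent) AND S NOT low     THEN criticality high
      R3: IF S medium OR O medium OR D medium  THEN criticality medium
      R4: IF S low AND O low AND D low         THEN criticality low"""
    O, S, D = fuzzify(o), fuzzify(s), fuzzify(d)
    return {
        "high": max(min(S["high"], O["high"]), min(D["high"], 1.0 - S["low"])),
        "medium": max(S["medium"], O["medium"], D["medium"]),
        "low": min(S["low"], O["low"], D["low"]),
    }


def centroid(strengths, step=0.01):
    """Step 3: clip each output set at its rule strength, aggregate with max and
    return the centre of gravity of the aggregate set (numerical integration)."""
    num = den = 0.0
    for i in range(int(10 / step) + 1):
        x = i * step
        mu = max(min(strengths[name], trapezoid(x, *SETS[name])) for name in SETS)
        num += x * mu
        den += mu
    return num / den if den else 0.0


def fuzzy_criticality(o, s, d):
    """Crisp extended criticality ranking (0..10) for one failure mode."""
    return centroid(rule_strengths(o, s, d))
```

Comparing `fuzzy_criticality(2, 7, 10)` with `fuzzy_criticality(2, 7, 1)` shows the point the text makes about detectability: with the same occurrence and severity, the latent mode is ranked markedly higher, something a plain product O·S·D expresses only through equal weighting.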

5. Result and discussion: Enhanced safety assessment concept applied on FADEC

Analysed system description
All methods described in chapter 4 were applied to the digital engine control unit for a small turbine engine with 1500 N thrust and an integrated electric generator. The control unit was composed of 4 main modules with a total of 1168 components. The general composition of the control unit is shown in Fig. 6.

System analysis results
For the particular FADEC system, the enhanced FHA was performed (as described in chapter 4.2) for the aircraft categories presented in Tab. 1. The goal was to identify the effects resulting from the failure of the analysed function. In total 21 functions were defined and analysed, covering the complete FADEC functionality with respect to the higher aircraft levels. In total 6 critical functions were selected for more detailed analysis. In addition, for less critical functions, corrective actions were proposed (often new procedures for the flight manual).
System components were divided into functional blocks; the complete FADEC was divided into 78 functional blocks. The blocks were analysed using the hybrid block FMEA with failure effect classification. Total of
During the FADEC development, countless minor changes were made, such as replacements of some elements or changes in the power supply or filtration parts of the FADEC. Thanks to the use of the enhanced safety assessment, and especially the hybrid block FMEA, it was not necessary to analyse these minor changes at the level of individual components. Only the failure rates for the given block were corrected, and so the FMEA evaluation did not change.
There were a few major changes during the development which influenced FADEC functions or the number and layout of PCBs (printed circuit boards). These changes had to be revised in the hybrid block FMEA, but only for the blocks affected by the design changes.
If we consider the minimum time necessary for a single part analysis in part FMEA to be on average 10 min (taking into account the great number of repeating parts, which speeds up the assessment process), and compare it with an average of 30 min for the analysis of a single block in the hybrid block FMEA, we can estimate the time savings for the safety assessment of a FADEC-like device, see Tab. 10 and Fig. 7. The calculated times are based on long-term experience with the aerospace safety assessment process (item analysis time, the influence of connections into the system and the effects on other system items/elements are considered). The concept of safety assessment has proven suitable for safety assessment in the early phases of FADEC development. It can be assumed that the methods mentioned in this paper will also be suitable for other complex electronic systems.

Conclusion
Stricter regulation requirements and more complex aircraft systems are the main reasons for the increasing development costs of recent aerospace projects. Reducing development effort and costs in every aspect of the development process is therefore extremely important. At the same time, it is not possible to omit any function on the aircraft or its detailed analysis. The unique solutions presented in the paper were strictly driven by the requirement to ensure the same extent of analysed functions as traditional methods, without the possibility of omitting any important information (i.e. function or component failure). The structure and outputs were continuously compared with previous works on other aviation products. At the same time, the developed solutions enable quick adoption of the safety assessment for different aircraft types (different FADEC applications) without the need to repeat the complete set of analyses from the beginning for each aircraft type. Thanks to the combination of specially defined function criticality levels with the enhanced FHA, any future application in a different aircraft category can be quickly analysed without demanding modifications of the complete safety assessment.
The enhanced safety assessment done on an example FADEC confirmed that small design changes inside blocks (with small or no functional effects) do not require a comprehensive and time-demanding revision of the complete safety assessment (as in the case of a classic part FMEA application). One small design change applied in this example design was, among others, the integration of filtration capacitors. At the same time, the reliability of the major hardware blocks is available.
Larger design modifications (like a change in the number of PCBs) require a major revision of the safety assessment. However, this revision can easily be applied only to the modified blocks. The functional blocks proved useful also for the later fault tree analysis.
At every moment of the performed work, a comparison was made to monitor whether the new method analyses all functions/component failures as in the case of the traditional methods prescribed by regulation requirements, tracking whether the comprehensiveness and correctness of the process is ensured. There was no evidence of any shortcoming resulting from the developed procedures.
In addition, the possibility of further enhancing the proposed innovative effect classification by applying FMECA was shown. Possible methods for quantitative assessment using fuzzy logic and/or