dr. daniel p. schrage professor and director, casa and cert school of aerospace engineering

System Safety Risk Management: An Autonomous UAV Example from a

Course on Safety By Design and Flight Certification

Dr. Daniel P. SchrageProfessor and Director, CASA and CERT

School of Aerospace EngineeringGeorgia Institute of Technology

Atlanta, GA 30332-0150

Presentation OutlineOverview of Georgia Tech graduate

program in Aerospace Systems Design

Brief description of the Safety By Design and Flight Certification Course

Example from Safety Course for an Autonomous Unmanned Aerial Vehicle (UAV) – The GTMAX

Georgia Tech Practice-Oriented M.S. Program

in Aerospace Systems Design

Legend: Core Classes Elective Classes

SummerSemester IISemester I

IPPD Methods/TechniquesSpecialProject

DesignSeminars

IntegratedProduct/Process

DevelopmentDisciplinary Courses

PropulsionSystemsDesign

SystemsDesign IAppliedDesign I

SystemsDesign IIAppliedDesign II

IPPD Tools/Infrastructure

ModernDesign

Methods I

Modern Design

Methods II

ProductLife Cycle

Management

Internships

Mathematics (2 Required) Other Electives

Safety ByDesign

Safety By Design and Flight Certification Course

First taught in 1998 as a project oriented course to orient students on the role of safety by design and flight certification in the design iteration process

Course builds on the Integrated Product/Process Development (IPPD) through Robust Design Simulation (RDS) environment created in the Georgia Tech Aerospace Systems Design Laboratory (ASDL)

Course taught in the summer semester to allow students to analyze the designs they developed during the fall and spring semesters (Fixed Wing,V/STOL Rotorcraft, Space, and Missiles)

Course has been continuously improved each year to address more of the issues in moving to a risk based managed process

Course has sought to incorporate user friendly tools for System Reliability Prediction, FTA, FMEA and Markov Analysis

Emphasis on the course taught this summer was on the interaction of Hardware, Software, and Liveware (Human) reliabilities & partnerships with industry and government

Course Projects for Summer 2002

Quiet Supersonic Aircraft – in conjunction with Gulfstream Aerospace Corporation

The ICBM Peacekeeper as a Commercial Launch Vehicle – in conjunction with the FAA Space Systems Development Division

A VTOL Personal Air Vehicle (PAV) – in conjunction with the NASA PAV Evaluation program

*An Autonomous UAV: GTMAX – in conjunction with the DARPA Software Enabled Control (SEC) program and the GT Entry in the International Aerial Robotics Competition (IARC)* Example to be illustrated

Development of a Certification Plan(ARP 4754:Cert Considerations For Highly-Integ or Complex Aircraft

Systems)

Each Plan should include: A functional and operational description of the system and the aircraft

on which the system will be installed A statement of the relationship of this certification plan to any other

relevant system certification plans A summary of the functional hazard assessment (aircraft hazards, failure

conditions, and classification) A summary of the preliminary system safety assessment (system safety

objectives & preliminary system development assurance levels) A description of any novel or unique design features that are planned

to be used in meeting the safety objectives A description of the new technologies or new technology applications to

be implemented The system certification basis including any special conditions The proposed methods of showing compliance with the certification

basis A list of the data to be submitted and the data to be retained under

configuration control, along with a description or sample of data formats The approximate sequence and schedule for certification events

The Overall GT Safety By Design Approach

FHA/FTA

Other PSSA Methods

PROBABILISTIC ASSESSMENT(CRYSTAL BALL)

MARKOV ANALYSIS(MEADEPS)

SYSTEM RELIABILITY(PRISM)

CRITICALITYMATRIX

DO-178B

ARP 4754

ARP 4761

NO

YES

RELIABILITYPREDICTION

SAFETYPREDICTION

AIRCRAFT/SPACECRAFTSYSTEM DESIGN

SATISFIED?

PREDICTIONPROGRAMS

RELIABILITY SIMULATION

ANALYSISTECHNIQUES

APPLY

Technology Insert.TIF/TIES ?

FHA/FTA

Other PSSA Methods




CRITICALITYMATRIX

System FHA/FTA

Other PSSA Methods




CRITICALITYMATRIX

DO-178B

ARP 4754

ARP 4761

DO-178B/160D

ARP 4754

ARP 4761

NO

YES

RELIABILITYPREDICTION

SAFETYPREDICTION

AIRCRAFT/SPACECRAFTSYSTEM DESIGN

SATISFIED?

PREDICTIONPROGRAMS

RELIABILITY SIMULATION

ANALYSISTECHNIQUES

APPLY

Technology Insert.TIF/TIES ?

SafetyGoals

Aircraft/SpacecraftFHA/FTA

SBD Process Overview

Aircraft FHA•Functions•Hazards•Effects•Classifications

System FHA•Functions•Hazards•Effects•Classifications

Aircraft FTA•Qualitative•System Budgets•Intersystem Dependencies

System FTA•Qualitative•Subsystem Budgets

DDMA

SystemFMEAsFMES

System FTAs•Qualitative•Failure Rates

PSSA SSA

CCA

Concept Development

PreliminaryDesign

DetailedDesign

Design Validation& Verification

Particular Risk Analysis

Common Mode Analysis

Zonal Safety Analysis

GTMaxPreliminary Safety Assessment and Certification Plan

Han Gil ChaeAdeel KhalidKayin CannonColin PouchetHenrik B. Christophersen

Overview Introduction

General facts about GTMax GTMax Certification

General Information of UAV Certification Analysis for particular system Human Errors Proposed system improvement Proposed Certification plan

Conclusions

Introduction System Description System Requirements

GTMax : Development

Originally developed for aerial pest control

Modified for DARPA SEC Program and for Aerial Robotics

Test bed for Manned Vehicle

Electronic System

Software Enabled Control (SEC)

Dr. John BayDARPA/IXO

The objective of SEC is to co-develop advanced real-time control system algorithms and the

software services and infrastructure necessary to implement them on distributed embedded processors in a robust and verifiable way

DARPA SEC Participants Open Control Platform (OCP) Developers:

-Georgia Tech - Boeing Phantom Works- UC Berkeley -Honeywell Technology Labs

SEC Technology Developers (Active State Modelers, On Line Control Customization,Coordinated Multi-Modal Control, High Confidence Software Control Systems):-Georgia Tech - UC Berkeley - Rockwell Collins- Cornell - MIT - Northrop Grumman Corp- Cal Tech - Draper Labs - Honeywell Labs- U of Min - Vanderbilt- OGI - Stanford

University Led Experiments (Rotary Wing): Georgia Tech Industry Led Experiments (Fixed Wing): Boeing Phantom Works

The Georgia Tech GTMAX : A Truly Modular Open System Testbed

The Georgia Tech GTMAX consists of The Yamaha RMAX Remotely Piloted Helicopter: a

rugged, proven air vehicle which is becoming the vehicle testbed choice for VTOL UAV autonomous vehicle research

The Georgia Tech Modular Avionics Package: built for reconfigurability, growth and easy upgrade

The Boeing - Georgia Tech OCP: a Real Time CORBA based open system software architecture

As a system the GTMAX provides an excellent resource for the UAV community for developing and evaluating UAV technologies, both hardware and software, as well as Home Security Experiments

GTMAX : Vehicle Specifications

Weight Gross Weight : 204.6 lb Empty Weight : 127.6 lb Payload : 66 lb

1800

3630

3115

720

1080

(mm)Engine Gasoline 2-Cylinder Water Cooled Power output : 21Hp

Performance Fuel : 6L (1.6 gal) Endurance : 60 min

GT Research UAV: GTMAX

Georgia TechOnboardAvionics

RCReceiver

Data Link I

RC Transmitter

Data Link I Ground Computer(s)

AndNetwork

Ethernet

GPS Reference

On-board Avionics

Ground Control Station

Safety Pilot

Yamaha Attitude Control System

(YACS)

Data Link II Data Link II

GPS

Actuators

GEO

RGIA

TEC

HYA

MAH

A

3x RS-232 Serial

Boeing-GT OCP

Onboard Avionics Hardware Architecture

WirelessSerial

WirelessEthernet

D-GPS

IMU

RadarAltimeter

SonarAltimeter

Magneto-meter

Servo-Interface

EthernetHub

PowerDist

Ext Power

Serial DataEthernetPower

Computer#1

Computer#2

Video Camera,Radar and PossiblyLidar to be installedthis summer

GTMAX Avionics HW Integration

GTMAX hardware is packaged into exchangeable modules:

Flight Computer Module GPS Module Data Link Module IMU/Radar Module Unused Module (Growth) Sonar/Magnetometer

Assemblies Power Distribution System

Each module has self-contained power regulation and EMI shielding

Shock-mounted main module rack

GTMAX Hardware Integration

Power System On-board generator outputs

12V DC, 10 A Power source hot-

swappable between on-board and external

Each module is powered via individual circuit breakers

Interfacing and Wiring Interface Types: RS-232

Serial, Ethernet, 12V DC All interfaces on module

back-sides Aviation-quality wiring

harness

Limitations of State-of-the-ArtComplex Control Systems:• Tightly coupled• Difficult to adapt or evolve• Complex, inflexible data interchange• Computationally limited• Closed, proprietary systems Desired Capabilities:

• Adaptibility and dynamic reconfigurability• Plug-and-play extensibility, component interchangeability• Real-time quality of service• Interoperability, distributed communication• Openness

Open Control Platform Motivation

Boeing-GIT Baseline Open Control Platform (OCP) Software Implementation on the GTMAX

GPS

IMU

Magnetometer

sonar

receiver commands

Vehicle Health

RMAX Attitude sensors

Navigation ModuleComponent

ControllerComponent

Sensors SerialInterface

Vehicle SerialInterface

Controls API Input Port

Controls API Output Port

RMAX Actuator demultiplexer

Actuator SerialInterface

ControlData_out

ControlData_in

NavControl_out

NavControl_in

NavData_out

NavData_in

timeout_in

100 HzTimer

50 Hz

50 Hz 50 Hz

100 Hz

I/OComponent

DataLink Interface Ethernet “Serial” PortSerial port

Ethernet “Serial” Port

Serial port1 Hz & 10 Hz1 Hz & 10 Hz

Input datalink portsread @ 100 Hz

m0 written at 10 Hzm1 written at 1 Hz

Mission Intelligence Flow for GT Research

Mission Planning

Mode Selection

Mode Switching

Flight Control System

UAV

Sensors

Sensor Fusion

Obstacle/Target Detection

Obstacle/Target Identification

Obstacle/Target Tracking

Situation Awareness

Diagnostics

Fault Tolerant Control

Continue MissionEmergency ?

Yes

No

15 min

GTMax : Aerial Robotics Mission & SEC Scenario

Get Information from the Inside

Identify Structure

No Need to Return after the Mission

T/O (manually) 3KmFly Autonomously

GTMax Certification Certification Basis Analysis (Functional, FHA, PSSA) Human Errors Strategy for achieving compliance Sequence of certification events

FAA CertificationDesign Production Operation

Type Design Approval

Type Certificate

Quality AssuranceApproval

Type DesignConformity

Production Certificate

Airworthiness

Certificate

Continued Airworthine

ss

Defect found in operation

Certification Basis

Suggested Regulations

Rotorcraft- FAR 27

No Certification Basis for UAVs

Safety Assessment- SAE APR4761

System Design/Analysis- AC 25.1309-1A

Certification basis? Presently no certification basis for unmanned

aircraft. Unmanned vs. manned aircraft:

Increased reliance on electronic flight control systems in unmanned aircraft

Safety = threat to persons and property outside aircraft

Flight over populated areas vs. isolated areas Ground Control System

Suggested Regulations Flight crewmember(s) on the ground Safety equipment for occupants not required

Impact protection for occupants Safety belts Oxygen Warning lights

Flight Control System Certification Ground Control System Certification Categories of unmanned aircraft

Certification basisAmended FARs

FAR Part 1: Definitions and Abbreviations FAR Part 21: Certification Procedures for Products and

Parts FAR Part 27: Airworthiness Standards: Normal Category

Rotorcraft FAR Part 33: Airworthiness Standards: Aircraft Engines FAR Part XX: Airworthiness Standards: Electronic Flight

Control Systems for Unmanned Aircraft FAR Part XX: Airworthiness Standards: Ground Control

Systems for Unmanned Aircraft

Functional AnalysisTop Level

AND

Execute Mission(GCS)

6.0

Execute Mission(UAV)

5.0

Receive Mission

Assignment

3.0

Maintain Equipment

2.0

Manage Organization

1.0

AND

ANDAND

GO

NO GO

Prepare for mission

4.0

Maintain Equipment

Maintain mission vehicle(s)

Maintain Ground Station Equipment

Maintain Supporting Equipment

Manage Organization

Manage Operation Manage Personnel Manage finances Manage

sales/marketing Manage supporting

equipment/facilities

Functional AnalysisAND


6.0


5.0

Receive Mission

Assignment

3.0

Maintain Equipment

2.0

Manage Organization

1.0

AND

ANDAND

GO

NO GO

Prepare for mission

4.0

Receive Mission AssignmentAND


6.0


5.0

Receive Mission

Assignment

3.0

Maintain Equipment

2.0

Manage Organization

1.0

AND

ANDAND

GO

NO GO

Prepare for mission

4.0

Functional Analysis

Receive Mission Description

3.1Study map of

route

3.2

Checkweather

3.4

Make preliminary flight plan

3.3

AND AND

Request additional

information from customer

3.6

Negotiate rate with customer

3.8

Evaluate Mission

3.7

Ref. 2.0 Maintain

Equipment

Investigate regulatory issues

3.5

NO GO

GO

NO GO

Ref. 2.0 Maintain Equipment

Ref. 4.0 Prepare for mission.

Prepare for mission

Verify readiness of UAV Create flight plan File NOTAM Verify that all necessary equipment is

loaded and ready Obtain/sign release form Depart for launch site



6.0


5.0

Receive Mission

Assignment

3.0

Maintain Equipment

2.0

Manage Organization

1.0

AND

ANDAND

GO

NO GO

Prepare for mission

4.0

Execute Mission (UAV)



6.0


5.0

Receive Mission

Assignment

3.0

Maintain Equipment

2.0

Manage Organization

1.0

AND

ANDAND

GO

NO GO

Prepare for mission

4.0

Arrive at launch site

5.1

Prepare UAV

5.2

Preflight UAV

5.3

Take offand climb

5.4

Cruise

5.5

Search for target

5.6

Locate target

5.7

Search for portals

5.8

Find open portal(s)

5.9

Prepare for subvehicle

launch

5.10

Deploy subvehicle

5.11

Hover in relay position

5.12

Cruise (return)

5.13

Descend andland

5.14

Start executing

mission

Finished Executing Mission

Execute Mission (GCS)



6.0


5.0

Receive Mission

Assignment

3.0

Maintain Equipment

2.0

Manage Organization

1.0

AND

ANDAND

GO

NO GO

Prepare for mission

4.0

Arrive at launch site

6.1

Prepare GCS for launch

6.2

Brief crew

6.4

Upload software/flight

plan to UAV

6.6

Perform BIT

6.7

Prepare fortake off

6.9Activate flight

plan (autonomous

flight)

5.8

Monitor UAV during mission

execution

5.9

Start executing mission (GCS)

Finished Executing Mission (GCS)

Simulate mission in GCS

6.3

AND

Troubleshoot and repair

6.8

AND

Perform autonomous

take off

6.4

Perform manual take off

6.3

OR OR

Establish communication

link with UAV

6.5

GO

NO GO

ABORT MISSION Control UAV(high- level commands)

5.9OR OR

Land UAV upon return to Launch

site

6.3

Download data from UAV as

needed

6.3

Shut down GCS

6.3

Prepare for next flight

FHA & FTA : Flight Control as Critical System Safety Subsystem

Control System (Collective)

Electronic SystemMechanical System

FHA & FTA : Mechanical System

Function Failure Condition Phase Effect of Failure Condition Classfication Ref. To SupportingMaterial

Verification

A1.1 Generate Rotor Force Loss of Lift Force of Rotor FTA

a. Loss of Rotor structure All Causes whole aircraft failure and crash.May cause severe damage of people onthe ground

Catastropic

a. Loss of Transmissionstructure

All Causes loss of rotor capability Catastropic

A 2.1 Control CollectivePitch

Loss of Control Capability All Causes whole aircraft failure and crash.May cause severe damage of people onthe ground

Catastropic

a. Loss of Control sys. Structure

b. Loss of electricityc. Loss of Command

A 2.2 Control Cyclic Pitch Loss of Control Capability All Causes whole aircraft failure and crash.May cause severe damage of people onthe ground

Catastropic

a. Loss of Control sys. Structure

Loss of Collective PitchControl capability

Loss of MechanicalLinkage Capability

Loss of ActuatorCapability

Loss of Electiricity

Failure ofMechanical

Component ofActuator

Loss of steeringcommands from

Flight ControlComputer

Loss of steeringcommands fromRemote Control

Receiver

Failure of WireHarness

Loss of BatteryCapability

Failure of GroundStation

Failure of On-BoardSystem

1E-6

1E-5


To ElectronicSystem

FHA & FTA : Electronic SystemFunction Failure Condition Phase Effect of Failure Condition Classfication Ref. To Supporting

MaterialB1 Generate actuator

steering commandsLoss of validcommands from FCS.

a. Invalid or missingoutput from FCS.

T/O &Landing

Safety pilot will assume control ofaircraft and bring it to a safelanding.

Minor (D)

b. Invalid or missingoutput from FCS.

Cruise(within RCrange)

Safety pilot will assume control ofaircraft and bring it to a safelanding.

Minor (D)

a. Unable to sendtelemetry data to GCS

T/O,LandingandCruise

The GCS will not have the up-to-date information about the currentlocation of the UAV

Minor (D) toMajor (C)

B3 Monitorsystems/performance

Failure to detectproblema. Failure to detectMain Computer failure

T/O,Landingand in-rangeCruise

Problem will not surface unlessthere is an actual Main Computerfailure. Safety pilot may takecontrol.

Minor (D)

Loss of steering commandsfrom Flight Control

Computer

Loss of steering commandsfrom Flight Control

Computer


Backup Controller

Loss of steeringcommands fromMain Computer

Failure of HeartbeatMonitor to switch toBackup Controller

3E-31E-4

Failure of MainComputer to

discontinue sendingheartbeats.

Internal failure inHeartbeat Monitor

Heartbeat Monitorswitches incorrectly

to Backup Contr.


Backup Controller

1E-3 1E-4

1E-3 1E-4

To MechanicalSystem

PSSA : Software Exploration

MEADEPPrism Crystal BallSystem failurerate modeling

Markovanalysis

Monte CarloSimulation

Whatfor ?

Easy ?

Redundancy MultipleEvents

DistributionFuctions

Database

Monte Carlo Simulationfor

Whole System

PRISMfor

Mech. Components

PSSA : Strategy










Receiver





1E-6

1E-5


Backup Controller



3E-31E-4




Heartbeat Monitorswitches incorrectlyto Backup Contr.


Backup Controller

1E-3 1E-4

1E-3 1E-4

Fault Tree based on FHA

Markov Analysisfor

Mechanical System& Electronic SystemMech.

Elec.

PSSA : Prism modelingMechanical components

Prism Database Total Failure

Rate - 1.76 E-3/Op.

hr

Failure/M calendar hr Failure/Operation hr

Linkage 27.089 9.36E-04

Yoke 8.1256 2.81E-04

Main Rotor 3.7443 1.29E-04

Swash P 2.8822 9.96E-05

Servo 9.2274 3.19E-04

Failure rates

PSSA : Markov AnalysisMechanical System

MTTF -

6023.275 /hr Reliability - 93.57 hr

PSSA : Markov AnalysisElectronic System

MTTF -

1000.249 /hr Reliability - 90.48 hr










Receiver





1E-6

1E-5


Backup Controller



3E-31E-4




Heartbeat Monitorswitches incorrectlyto Backup Contr.


Backup Controller

1E-3 1E-4

1E-3 1E-4

Fault Tree from FHA

MechanicalComponent of

Actuator

BatteryCapability

WireHarness

On-BoardSystem

GroundSystem

Steering commandsFrom Flight Control

Computer

Electricity

Steering command from RemoteControl Receiver

MechanicalLinkage

Capability

Actuator Capability

Simplified Block Diagram

PSSA : Monte Carlo Simulation

1 2 3

4

5 67

overall = 1 + 2 + 3 + (5 + 6) × 4 + 7

Frequency Comparison

.000

.004

.008

.012

.017

0.00290 0.00300 0.00310 0.00320 0.00330

Overlay Chart Same order as Inputs

MechanicalComponent of

Actuator

BatteryCapability

WireHarness

On-BoardSystem

GroundSystem

Steering commandsFrom Flight Control

Computer

Electricity

Steering command from RemoteControl Receiver

MechanicalLinkage

Capability

Actuator Capability

PSSA : Monte Carlo Simulation

Normal curve fit gives = 3.1×10-5

= 7.0 ×10-5

Mean = 0.00

0.00 0.00 0.00 0.00 0.00

B4

Mean = 0.00

0.00 0.00 0.00 0.00 0.00

B4

Mean = 0.00

0.00 0.00 0.00 0.00 0.00

B4 Mean = 0.00

0.00 0.00 0.00 0.00 0.00

B4

Mean = 0.00

0.00 0.00 0.00 0.00 0.00

B4

Mean = 0.00

0.00 0.00 0.00 0.00 0.00

B4

Mean = 0.00

0.00 0.00 0.00 0.00 0.00

B4

1E-5 1E-5

1E-5

1E-51E-6

1E-6

1E-6

PSSA : Reliability Goals

General Aviation Loss Of Aircraft (LOA)

10 / 100,000 flight hrs = 1E-4 / flight hr

60%- Mechanical system failures- “Other” external causes

Human error plays significant roll in UAV

10%Reliability GoalLOAFlight Control= 1E-5

Human Errors : IntroductionDirect or Indirect Intentional or Unintentional

Flying into Electrical Lines- Mission planner

- Ground control- Maintenance

Human Errors : Human Safety and Reliability

Increased Mission Success

Increased Safetyof ROA and Environment

Better Working Environment

Increased Worker Safety

Reduced DelaysDue to Injury

Increased Worker Reliability

Increased ROAReliability

Human Errors : Working EnvironmentSome important factors and issues

Information - There are power lines here

Documentation - Stay 500 feet from power lines

Communication - We should move away

Workload - What? I’m busy

Visual/Aural Alerts - Warning!

Training - What do I do now?

Human Errors : Environment

Possible Dangers in the Environment High workload / Time critical workload / High

stress Unnoticed errors / no quality assurance Too many details to consider Hazardous equipment and materials Distractions

AND


6.0


5.0

Receive Mission

Assignment

3.0

Maintain Equipment

2.0

Manage Organization

1.0

AND

ANDAND

GO

NO GO

Prepare for mission

4.0

Each Top Level Function has a Different Environment

Human Errors : Launch Site Setup

Major Dangers: Suggestions:High workload

Unnoticed errors

Hazardous equipment and materials

Weather and terrain

Document procedure

Range safety officerLabels and color

Information about launch site

before arrival

Familiarization with all equipment

New technology Fault tolerant software Fault tolerant system architecture

Fault Tolerant Design: Software

LPE Step 1 Mission Objective Abstract Mathematical Language

Mission Objective4)(: UloperationaAssumption t

|.|)(..: DposvuloperationaTtUuGoal tt

Fault Tolerant Design: Software LPE Step 2

Mission Plan Flowchart

Language Formal Proof

Fault Tolerant Design: Software

LPE Step 3 Control System Destination Vector Formation Vector Proven Algorithm Automatically

Generated Code

Fault Tolerant Design : Software

Open-Control Platform

APIReal-Time Reconfig.Mediator

High-Level Abstraction

Located On-Board

LPE Step 1Math. Expression

LPE Step 2Flowchart Validation

MPC, Control, Communication

LPE Step 3Executable CodeSeveral LanguagesCode Validation

Fault Tolerant Design : system architecture

PrimarySensor

SecondarySensor

Rotor(Mech.systems)

Actuators

Power plantsystem

Generator

RMaxbattery

HB Monitorand Steering

Relay

SteeringCommandsMain Flight

Computer

BackupFlight

Controller

Sensordata

BackupBattery Trickle charge

Primary Avionics DC Bus

Secondary Avionics DC Bus

Strategy for showing complianceToday: No Certification basis for

unmanned aircraftThe “5-year plan”:

1. Demonstrate product2. FAA cooperation3. Initial NPRM4. Amendments to FARs 5. Start formal Certification process

Structure is not so expensive

GTMax is already flying

Certification PlanActivityApplication to FAA ODevelop. Certification BasisGCP Develop.Cert. Schedule Develop.Initial Type board meeting OTest Plan SubmitalGCP Review and ApprovalInterm. Type board meeting ODrawing ReleasePrototype 1 Fab/AssemblePrototype 1 1st FLTEnvelope expansionLoad level surveySystems/Weather/LightningPrototype 2 Fab/AssemblePrototype 2 1st FLTEnvelope expansionPerformance & HQMod into GTVGTV Ground TestsRotor & XMSN Bench TestStatic testsFinal Type Board Meeting OCertification O

Year 1

Tests for Autonomous flight & Control system

Conclusions Summary Further study

What was accomplished Suggested Certification basis Functional Analysis, FHA, PSSAQuantified System ReliabilityConsidered Human FactorsDeveloped fault tolerant flight

controlProposed strategy for compliance

Further StudyCurrent work to include UAVs in FARsObtain more accurate failure ratesAnalysis for aircraft level reliabilityComplete safety assessment process

on all aircraft systemsDevelop systems through operational

experience

Questions ?

Thank you

dr. daniel p. schrage professor and director, casa and cert school of aerospace engineering

Documents

safety course

system safety risk management

role of safety

safety objectivesa description

design iteration processcourse

certification planarp

aerospace systems designlegend

system reliability prediction