Post on 22-May-2018
© ACENTISS 2015
Approved Center of Engineering, Technology and In Service Support
The reproduction and distribution of this document as well as the communication of its contents to others without explicit authorisation by ACENTISS GmbH are prohibited. Offenders will be held liable for the payment of damages.
Certification of RPAS Components
Hans Tönskötter, Mireia Medrano, Josef Mendler
BAM, 10.03.2015
Content
■ Airworthiness of RPAS – Status
■ ELIAS System Components
■ Roadmap to Certification
■ Certification of System Components – Duplex Engine
■ Way Ahead
Key Technological Challenges
Airworthiness Code with Acceptable Means of Compliances and Guidance Material (acc. to STANAG 4671, CS-23, CS-25, …)
Justification and validation of RPAS safety
Security of C2-systems, Data Link and Bandwidth allocation
Integration of RPAS into ATM
RPAS security issues
Safe automated operations
• Current ATM interfaces (Airspace class A – C) + extension to non-controlled areas
• Airborne based D&A systems (HW, SW)
• Ground based D&A systems
• GCS Human Machine Interface (HMI)
• Ground & Obstacle Collision Avoidance
• Weather detection + Protection
• Detectability solutions
• Observer & pilot functions and responsibilities (E-VLOS)
• Hazard protection (e.g. wake vortex)
• Current and future ATM environment
• Infrastructures in correlation with RLOS, BLOS (+ SATCOM)
• Radio bandwidth management
• Threats + potential mitigations
• Automated OCM, Health Monitoring + FTA
• Automated Take Off, Mission and Landing
• Auto Taxiing + Airport operations
Airworthiness of RPAS - Status
[Diagram labels: ATM; Customer; Manned Aircraft; Third Party Assets; Public Concern Environment; Roadmap2Certification via EUROPAS; RPAS; Onboard Systems (D&A, Data link, …); Payload (e.g. Sensor); Data; Pilot in Command; GCS; A/C; Data]
Mission Equipment of ELIAS
Full system capability with ground control station and sensor data
• Data Link Interface Antenna
• GCS in Container
• Stabilized EO/IR-Sensor
• Avionics (Navigation (INS/GPS), Data Management, FMC, FCC)
• Data Link with electronic Antenna
• Cockpit Displays (Flight Instruments, Map, Flight Path)
ELIAS – System Components
Evolution of technologies covering the roadmap from electric UL to certifiable UAS using the technology demonstrator ELIAS
• Redundant FCS
• Electric redundant Motor
• Data-linkage with electronic Antenna
• Step 1: Electrically retractable landing gear
• Step 2: Electrically redundant landing gear
• Flight Control and Navigation
• Integration of highly efficient Energy Storage
• Ground Control Station: Console, Software
Certification Approaches
Type of Operation | Certification Basis
Manned Aircraft | VVZ acc. LTF-UL
Optionally Piloted | LTF-UL
Remotely Piloted | STANAG 4671; EASA policy E.Y013-01 (as far as agency is responsible); Or …
ARP 4754a, DO-178C and DO-254
ARP: Aerospace Recommended Practice
Standards
[Diagram: Certification of RPAS. Labels: Substantiation; Test / Validation; Development; Requ. M.; Config. M.; Change M.; Qual. M.; Safety]
ARP 4754a, DO-178C and DO-254
■ ARP 4754A: Guidelines for the development of systems that support aircraft-level functions and have failure modes with the potential to affect the safety of the aircraft.
■ DO-178C: Guidelines for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements, through objectives for the software life cycle.
■ DO-254: Guidelines for the development and design assurance of airborne electronic hardware such that it safely performs its tasks.
EXAMPLE STANAG 4671: Safety Objectives
■ Qualitative: no single failure shall lead to a catastrophic effect
■ Quantitative: an acceptable range applies for each individual failure condition.
If this is not achieved at the individual level, go to => SYSTEM level: at system level, the combination of all catastrophic failure conditions is characterised by an occurrence of 10^-5 per flight hour or less
[Table fragments (FAA Safety HB): Results in multiple fatalities and/or loss of the system; Reduces the capability of the system or operator to cope with adverse operating conditions …; n/a; > 10^-5 / FH; > 10^-7 / FH; > 10^-9 / FH; < 10^-9 / FH]
Typical Safety Assessment Process [ref. CS-25]
§ CS25.1309
CS 25.1309 Equipment, systems and installations (See AMC 25.1309)
(b) The aeroplane systems and associated components, considered separately and in relation to other systems, must be designed so that -
(1) Any catastrophic failure condition
(i) is extremely improbable; and
(ii) does not result from a single failure; and
(2) Any hazardous failure condition is extremely remote; and
(3) Any major failure condition is remote.
(c) Information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action. A warning indication must be provided if immediate corrective action is required. Systems and controls, including indications and annunciations must be designed to minimise crew errors, which could create additional hazards.
AMC.1309 (b) Functional hazard assessment (FHA) [ref. STANAG 4671 ed.1]
■ A systematic, comprehensive examination of UAV and system functions to identify potential Minor, Major, Hazardous and Catastrophic failure conditions that may arise as a result of a malfunction or failure to function.
■ The FHA consists of:
• identifying all the functions at the level under study (aerial vehicle - payloads, etc.) and its interfaces (UCS - data link, etc.),
• identifying and describing the failure conditions associated with these functions,
• determining the effects and the severity of these failure conditions
■ The FHA should include – but not be limited to – consideration of the failure conditions in Appendix A of FAA Advisory Circular 23-1309-1C.
Safety Assessment Process ARP 4761
FHA
• Identify each failure condition along with rationale
• Starting point for the next step, which is the PSSA
PSSA
• Systematic examination of proposed system architecture
• Establishes the safety requirements of the system and determines that the proposed architecture can reasonably be expected to meet the safety objectives outlined in the FHA
• Takes the form of an FTA
SSA
• Based on the PSSA
• To show that the safety objectives from FHA and derived safety requirements from PSSA are met
• Carried out with the help of FMES (summary of failures identified by FMEA)
PSSA: Preliminary System Safety Assessment
SSA: System Safety Assessment
Redundant Power (Duplex Engine)
Concept and Design
■ Electrically and mechanically redundant (except for propeller and drive shaft)
Increase of safety and power consumption during cruise condition
■ Overall redundancy (engine, controller, inverter, Battery-Management-System, electrical power supply (batteries))
■ Certification: Single Engine Category within UL-Standards
■ Additional safety aspects based on the Duplex-Engine mean weight penalties
■ Weight penalties are compensated by the increased engine efficiency of the Duplex-Engine in the partial-load operational range (shutdown of one engine), depending on flight mission (endurance)
Integration of Engine
Challenges:
■ Cooling concept must be optimized: usage of aircraft ram air; maximum power output only required during take-off and cruise
■ Cooling air must be dry and dustless
■ Cooling device must be aerodynamically compatible (no additional drag)
■ Environmental robustness of aircraft (e.g. rain)
Solution:
■ Integrating concept of ACENTISS for electric power engines considering Ram Air Cooling System (weight optimized)
■ Cooling System is integrated into ELIAS aircraft:
■ Flight testing
■ Wind tunnel test campaign
■ Integrated into Duplex-Engine
Duplex-Engine Development
Basis: Duplex-Engine of Geiger HPD25D (Prototype)
■ Electrically & mechanically redundant (except drive shaft)
■ 2 engines in one case
■ Both engines act over free-wheel on a drive shaft (propeller shaft)
■ Max. power 32 kW (2 x 16 kW)
■ Continuous power 25 kW (2 x 12.5 kW)
■ Nominal voltage 58 VDC
■ Max. current 2 x 275 A
Challenges: Cooling of the Duplex-Engine
IABG/ACENTISS:
■ Development of a Duplex-Engine integration into the electrical ultralight airplane ELIAS
■ Development of an effective cooling system for the Duplex-Engine in consideration of the installation conditions in the typical ultralight airplane
■ Verification of the solution with the modified Duplex-Engine at a test rig and in a wind tunnel
[Images: Inverter with controller; Duplex-Engine HPD25D]
Validation of Duplex-Engine
■ ACENTISS engine test rig: systematic testing of the redundant drive system with cooling, consisting of engine, inverter, controller and battery pack with BMS
■ Wind tunnel: testing of the Duplex-Engine with propeller under conditions similar to flight
■ Flight test with ELIAS: half of the engine, the engine controller and the inverter are designed in the same way as the single-disc engine HPD13.5 integrated in ELIAS
=> Results of the flight test of ELIAS are also relevant for the Duplex-Engine
[Images: Wind tunnel test of the ELIAS fuselage incl. engine and propeller at TU Munich; Duplex-Engine support with the fairing for the wind tunnel test]
Ground Tests – Engine Test Rig
Portable engine test rig for the system test of the Duplex-Engine
■ Test rig for the examination of electrical single-disc and Duplex-Engines under special consideration of the certification aspects.
■ Complete platform of the redundant engine system including:
• Duplex-Engine
• 2 x engine controller and inverter
• Adjustable supply of cooling air (pressure and flow rate of 100 g/s)
• Measuring system of drive, torque, current and voltage
• Variation of the power with eddy current brake (40 kW)
• Electrical power supply through 2 x 3 Li-ion battery packs with BMS*
• Testing with propeller instead of brake is possible
[Image labels: Cooling air supply: compressor with speed regulator; Power supply 58 VDC, 2 Li-ion battery packs with BMS; Cooling air distributor; Eddy current brake; E-Engine (under the fairing); Engine controller with cooling element]
*) BMS: Battery Management System
FHA drive system
■ Development of Functional Hazard Assessments (FHA) for the drive system by ACENTISS, based on the guideline of ARP4761
■ The process of the safety analysis consists of several steps:
1. Derivation of the functions from the requirements
2. Identification of failure
3. Determination of the effects of failure
4. Classification of criticality
5. Classification of FDAL + Prob / FH to failure
6. Identification of support material
7. Identification of method for verification of failure
References: ARP4761; Advisory Circular 23.1309-1E; NASA/TM-2007-214539
FHA drive system
Function | Ref. | Failure Condition | Phase | Effect of Failure Condition on Aircraft | Class. | FDAL | Prob. / FH | Supporting Material / Verification
DM-1 Drive the Propeller (Ref. 5 R8, R10, R35) | DM-1.1 | Complete loss of drive | Taxi / Takeoff below V1 / Takeoff above V1 / TakeOff / Enroute / Go Around | See below | | | |
 | DM-1.1 a | a. Complete loss of drive | Takeoff below V1 | Abort TakeOff. Slight reduction in safety margin. | Minor | D | <10^-3 / h |
 | DM-1.1 f | f. Complete loss of drive | Takeoff above V1 | Uncontrolled loss of UAV | Catastrophic | C | <10^-6 / h |
 | DM-1.2 | Partial loss of drive due to one motor failure | Taxi / Takeoff below V1 / Takeoff above V1 / TakeOff / Enroute / Go Around | See below | | | |
 | DM-1.1 a | a. Partial loss of drive due to one motor failure | Takeoff below V1 | Abort TakeOff. Slight reduction in safety margin. | Minor | D | <10^-3 / h |
 | DM-1.1 f | f. Partial loss of drive due to one motor failure | Takeoff above V1 | Reduction in safety margin. Emergency landing of UAV. | Major | C | <10^-4 / h | Flight Test Data
■ Quantitative and qualitative safety requirements are derived in order to identify the necessary tasks and to write the verification.
Reliability analysis of drive system
■ A failure rate analysis of the drive systems was done.
■ The following components were analyzed on component level:
− HPD25D (single-disc)
− PI300 (controller + inverter)
− Battery (Li-ion batteries)
− BMS (Battery Management Systems)
■ For the assessment, the following simplified load profile was taken into account:
20% total load (70 Nm, 330 A engine power) → Take-off and climb
80% partial load (30 Nm, 150 A engine power) → Cruise
■ The analysis was done for different operating temperatures.
=> Result:
■ The Duplex-Engine concept greatly facilitates compliance with the required reliability and certification issues
■ There is an essential influence of the batteries with BMS on the reliability of the whole drive system.
=> Requirement of continuous redundancy, incl. power supply
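The influence of the power supply on the drive-system result can be illustrated with a small fault-tree calculation for the "complete loss of drive" condition (FHA row DM-1.1 f). This is an added example, not ACENTISS code or data: the failure rates, the one-hour exposure time and the function names are assumptions; only the component names and the < 10^-6 / h budget come from the slides.

```python
# Fault-tree sketch for FHA row DM-1.1 f ("Complete loss of drive", Catastrophic).
# All failure rates are constructed placeholders per flight hour, not ACENTISS data.
RATES = {
    "HPD25D disc": 2e-5,      # one motor disc of the Duplex-Engine
    "PI300": 3e-5,            # controller + inverter
    "battery": 5e-5,
    "BMS": 4e-5,
    "shaft+propeller": 1e-7,  # not duplicated, per the concept slide
}
BUDGET_PER_FH = 1e-6          # "< 10^-6 / h" from FHA row DM-1.1 f
LANE_ALWAYS = ("HPD25D disc", "PI300")
POWER = ("battery", "BMS")


def or_gate(names):
    """Rare-event approximation: rates of independent events in an OR gate add."""
    return sum(RATES[n] for n in names)


def and_gate(rate_a, rate_b, hours=1.0):
    """Both independent lanes fail within one exposure window (assumed 1 h);
    result expressed per hour."""
    return (rate_a * hours) * (rate_b * hours) / hours


def analyse(redundant_power_supply):
    """Return (single points of failure, complete-loss rate per FH, within budget)."""
    common = ["shaft+propeller"]
    lane = list(LANE_ALWAYS)
    # The power supply either sits in each lane or is a shared element feeding both.
    (lane if redundant_power_supply else common).extend(POWER)
    lane_rate = or_gate(lane)
    total = and_gate(lane_rate, lane_rate) + or_gate(common)
    return sorted(common), total, total < BUDGET_PER_FH


if __name__ == "__main__":
    for redundant in (False, True):
        spof, rate, ok = analyse(redundant)
        label = "redundant" if redundant else "shared"
        print(f"{label:9} power supply: {rate:.3e}/FH, within budget={ok}, "
              f"single points of failure={spof}")
```

With these placeholder rates the shared battery and BMS dominate the top event, while the non-duplicated shaft and propeller remain a single point of failure in both architectures.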
Flying Test Bed
■ Test bed as UAS technology demonstrator for the verification of avionics components, camera sensor, data link, ground control station etc., to support the UAS-/OPV-development and for customer presentation
■ Although the test bed is controlled by a pilot, it can be operated outside of reserved airspace.
[Image labels: ELIAS all electric Flight Test System; Aircraft; Ground Control Station; ELIAS UAS Technology-Demonstrator]
Way Ahead
■ Airworthiness of RPAS – Current Situation
→ STANAG 4671, CS-23, CS-25, EASA policy E.Y013-0, … as a ramp-up scenario for establishing a Roadmap2Certification
■ Challenges operating RPAS focus on operation and integration
→ Automated Flight (Cruise, Landing)
→ Collision Avoidance
→ Data Link Robustness
→ Ground Control Station (Certifiable HW and SW)
→ Pilot-in-Command: Roles & Responsibilities (Training, Competencies)