Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems
Publication Date: 1 September 2018
This SAE Aerospace Recommended Practice (ARP) provides methodologies and approaches which have been used for conducting and documenting the analyses associated with the application of Time Limited Dispatch (TLD) to the thrust control reliability of Full Authority Digital Engine Control (FADEC) systems. The TLD concept is one wherein a fault-tolerant system is allowed to operate for a predetermined length of time with faults present in the redundant elements of the system, before repairs are required. This document includes the background of the development of TLD, the structure of TLD that was developed and implemented on present generation commercial transports, and the analysis methods used to validate the application of TLD on present day FADEC equipped aircraft. Although this document is specific to TLD analyses (for FADEC systems) of the loss of thrust control, the techniques and processes discussed in this document are considered applicable to other FADEC system failure effects or to other systems, such as thrust reverser systems, propeller control systems, and overspeed protection systems.
The purpose of this document is to provide guidance on achieving approval of time-limited-dispatc
This document is primarily concerned with LOTC events which are caused by failures and/or faults in the engine's control system. Engine failures from any other causes are not the subject of these guidelines, but failures that may affect MMEL activities outside of the engine should be identified. In addition, this document is not intended to establish specific requirements for FADEC system certification or design. Specific requirements pertaining to certification should be coordinated with the appropriate certifying agency.
Summary of Revisions
Summary of Revision A
A significant improvement in determining the fractional coefficients of the time-weighted-averag
Much has changed in the description of the Markov modeling (MM) analysis approach described in this revision. Since the original release in June 1997, the authors of this ARP have gained a better understanding of the MM approach as it applies to FADEC as well as other systems. Unique to this document is the description of MM as either an Open Loop or Closed Loop model. The authors have not seen this terminology used elsewhere, and there is no intention herein to set any type of standard in the use of this terminology. With the Closed Loop MM approach, it is no longer necessary to solve a set of differential equations to obtain the steady state solution for the overall average failure rate of a system; instead, a set of algebraic equations is solved to obtain the solution. This was implied in the original release, because the MMs in that release were solved by integrating the differential equations until a steady state solution was obtained, where all the time derivatives were essentially zero. However, it was not specifically called out that the derivatives should be set to zero at the outset, and the resulting set of algebraic equations solved to obtain the values of the state probabilities.
In addition, it was not recognized that the values obtained for the state probabilities, which are dependent on the value of the feedback rate from the fully-failed, loss-of-thrust-contr
Experience has also shown that simulating states representing two or more failures has little influence on the overall LOTC rate of FADEC systems when the repair rates for the various fault states are much higher than the failure rates into and out of those fault states. When this is the case, constructing a "single state model" is usually adequate. In single state models, described in 188.8.131.52, only single fault states are modeled, and only those additional single failures that would cause the control system to go from those single fault states to the LOTC state are modeled. Adding additional multiple failure states only affects the answer by a small amount, i.e., less than 5%. This is discussed in more detail in Appendix G.
Similar to the above, the use of the terminology "single state model" is unique to this document, and there is no intention to set any terminology standard with the use of this descriptive term. Some who have reviewed this document have commented that the use of the terminology single state model is misleading because a single state model actually models all dual failures that lead to the LOTC state. This is correct. However, the selection of the terminology was made because the model explicitly shows only the single failure states. All dual failures that lead to LOTC events are included in the LOTC failure state, and no dual failures that do NOT result in an LOTC event are modeled.
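The closed-loop, single state approach described above, as an added example (not code from ARP5107 or SAE): it sets the time derivatives to zero and solves the resulting algebraic balance equations for the state probabilities. The state names, every rate and repair interval, and the normalisation of the LOTC rate by time spent outside the LOTC state are assumptions constructed for illustration.

```python
# Added illustration. All rates (per hour) and intervals are constructed values.
STATES = ["full_up", "fault_short", "fault_long", "lotc"]

def build_rates(t_short=125.0, t_long=500.0, feedback=1.0):
    """Transition rates {(from, to): rate}; repair rate = 1 / repair interval."""
    return {
        (0, 1): 50e-6, (0, 2): 100e-6, (0, 3): 2e-6,   # failures from full-up
        (1, 3): 100e-6, (2, 3): 20e-6,                 # second failure -> LOTC
        (1, 0): 1.0 / t_short, (2, 0): 1.0 / t_long,   # repair of single faults
        (3, 0): feedback,                              # closed-loop feedback
    }

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def steady_state(rates, n=len(STATES)):
    """dP/dt = 0: one balance equation per state, the last replaced by sum(P) = 1."""
    a = [[0.0] * n for _ in range(n)]
    for (i, j), r in rates.items():
        a[j][i] += r   # probability flow into state j from state i
        a[i][i] -= r   # probability flow out of state i
    a[n - 1] = [1.0] * n   # balance equations are dependent; normalise instead
    return solve(a, [0.0] * (n - 1) + [1.0])

def lotc_rate(rates, lotc=3):
    """Average rate of entry into LOTC per hour spent outside the LOTC state."""
    p = steady_state(rates)
    flow = sum(p[i] * r for (i, j), r in rates.items() if j == lotc)
    return flow / (1.0 - p[lotc])

if __name__ == "__main__":
    for name, prob in zip(STATES, steady_state(build_rates())):
        print(f"{name:12s} {prob:.6e}")
    print("LOTC rate per hour:", lotc_rate(build_rates()))
```

Only single fault states appear explicitly; every second failure that leads to LOTC is folded into the transition to the `lotc` state, matching the single state model described in the text.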
Revision A of this document aligned with the R1 revision to PS-ANE100-2001-1993-
A discussion of the elements that are considered part of the engine control system and should be represented in the LOTC analysis (see 6.5).
Summary of Revision B
Section 6.4, on Recommendations on Items Considered Part of the FADEC System, has been significantly expanded to provide more guidance on that subject. Section 6.6, on Recommendations on In-Service LOTC Reporting, has been added.
The functions of the system, the elements selected for use in the system, and the design implementation all depend on the overall system architecture. In addition, integration between the engine and the aircraft control systems is constantly changing. All of these factors impact the selection of the elements to include as part of the FADEC system. Therefore, the information included in this section does not provide an absolute answer, but is intended to provide a methodology to use in selecting which elements of the aircraft/engine control system should be included in the analysis.
The added Table 1 in that section illustrates how to consider all elements of the thrust or power control system, the functions and failure modes associated with the element, and then evaluate whether it is or is not part of the TLD restriction envelope depicted in Figure 3B. The table also shows the most likely result of a failure of the element by identifying the applicable area of Figure 3B.
Summary of Revision C
Due to the increased complexity of Engine Control integration into airframe systems, and a tendency of aircraft and engine functions to be interdependent, Engine Control TLD analyses have evolved to address functions that are not purely a function of engine controls.
Following the introduction of new EASA Part-21 requirements on Operational Suitability Data (OSD), EASA has published CM-MMEL-001 to clarify how compliance with the OSD certification basis for MMEL should be conducted by the aircraft applicant on MMEL items already subject to a TLD analysis. The referenced CM addresses EASA's concern of including airframe systems in the Engine Control TLD analysis. The intent of this inclusion is to address dispatch capability of the aircraft in a similar manner as the engine controls related items (e.g., same FADEC Short Term alert message in the cockpit). An alignment activity has been conducted between the SAE E-36 Electronic Engine Controls Committee and EASA for this version of ARP5107. Section 6.2 has been added to provide guidance on clarifying which functions are solely engine related, and which are part of other airframe systems in the TLD analysis.
Field of Application
This document applies to fault-tolerant (or redundant) FADEC control systems for aircraft engines on multi-engine aircraft. TLD addresses the level of degraded resource that is allowable - while still meeting the necessary airworthiness requirements - for FADEC controlled aircraft engines used on multi-engine aircraft. (It is noted that the submittal of a TLD analysis is not a requirement for certification of an engine incorporating a FADEC system. The analysis is a means to substantiate and obtain approval for dispatching and operating a FADEC system - for limited time periods - with faults present in the system.) Although this document specifically applies to FADEC systems on multi-engine aircraft, the methodologies presented herein with regard to achieving an overall average system failure rate can also be applied to other systems.