SAE ARP5107

Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems

active, Most Current
Organization: SAE
Publication Date: 1 September 2018
Status: active
Page Count: 76
Scope

This SAE Aerospace Recommended Practice (ARP) provides methodologies and approaches which have been used for conducting and documenting the analyses associated with the application of Time Limited Dispatch (TLD) to the thrust control reliability of Full Authority Digital Engine Control (FADEC) systems. The TLD concept is one wherein a fault-tolerant system is allowed to operate for a predetermined length of time with faults present in the redundant elements of the system, before repairs are required. This document includes the background of the development of TLD, the structure of TLD that was developed and implemented on present generation commercial transports, and the analysis methods used to validate the application of TLD on present day FADEC-equipped aircraft. Although this document is specific to TLD analyses (for FADEC systems) of the loss of thrust control, the techniques and processes discussed in this document are considered applicable to other FADEC system failure effects or other systems, such as thrust reverser, propeller control, and overspeed protection systems.

Purpose

The purpose of this document is to provide guidance on achieving approval of time-limited-dispatch (TLD) for full authority digital engine control (FADEC) systems. TLD addresses continued operational safety with faults already detected (by fault detection function, crew, or maintenance activity) and not yet repaired. In this regard, the usage of the term "TLD" refers to the concept that FADEC engine control systems shall be allowed to operate with faults for a specified period of time, after which appropriate repairs shall be made to bring the system back to a "full up" configuration. For the purposes of this document, the term "full up" is used to indicate that the FADEC system is free of faults which affect its loss of thrust control (LOTC) failure rate, as defined in Section 5. Hence, "required repairs" for this application of TLD are limited to only those faults that affect the LOTC rate, and faults that do not affect the LOTC rate, such as faults in sensors used for engine condition monitoring, are not addressed in these guidelines. Sensors that could affect the LOTC rate, such as oil pressure, oil temperature, and exhaust gas temperature (EGT), should be included in the analysis if those sensors are part of the engine's FADEC system.

This document is primarily concerned with LOTC events which are caused by failures and/or faults in the engine's control system. Engine failures from any other causes are not the subject of these guidelines, but failures that may affect MMEL activities outside of the engine should be identified. In addition, this document is not intended to establish specific requirements for FADEC system certification or design. Specific requirements pertaining to certification should be coordinated with the appropriate certifying agency.

Summary of Revisions

Summary of Revision A

A significant improvement in determining the fractional coefficients of the time-weighted-average (TWA) equation, which is the first approach described herein for estimating the average LOTC rate of the system, has been made and is described in 7.1. The new coefficients allow the TWA method to yield a more balanced solution - one which is closer to the Markov model solution and somewhat simpler to use.

Much has changed in the description of the Markov modeling (MM) analysis approach described in this revision. Since the original release in June 1997, the authors of this ARP have gained a better understanding of the MM approach as it applies to FADEC as well as other systems. Unique to this document is the description of MM as either an Open Loop or Closed Loop model. The nomenclature of Open Loop and Closed Loop Markov models is unique to this document. The authors have not seen this terminology used elsewhere, and there is no intention herein to set any type of standard in the use of this terminology. The development of the Closed Loop MM approach has led to not having to solve a set of differential equations to obtain the steady state solution for the overall average failure rate of a system, but rather, simply solving a set of algebraic equations to obtain the solution. This was implied in the original release, because the MMs in that release were solved by integrating the differential equations until a steady state solution was obtained, where all the time derivatives were essentially zero. However, it was not specifically called out that the derivatives should be set to zero at the outset, and the resulting set of algebraic equations solved to obtain the values of the state probabilities.

In addition, it was not recognized that the values obtained for the state probabilities, which are dependent on the value of the feedback rate from the fully-failed, loss-of-thrust-control (LOTC) state to the full-up state, do not affect the failure rate of the system. Hence, although the original release provides some rationale for setting the feedback or repair rate from the fully failed LOTC state to the full-up state to unity (i.e., 1.0), the value of this feedback rate doesn't matter and the rationale for setting the feedback rate to unity can be misleading. As the new material shows, the solution is independent of all state probabilities and the value of the fully failed to full-up feedback rate. The solution is only dependent on the failure rates between the various states of the model and the repair rates used for the short time (ST), long time (LT) states, and if modeled, any no-dispatch (ND) fault states.

Experience has also shown that simulating states representing two or more failures has little influence on the overall LOTC rate of FADEC systems when the repair rates for the various fault states are much more frequent than the failure rates into and out of those fault states. When this is the case, constructing a "single state model" is usually adequate. In single state models, described in 7.2.2.3, only single fault states are modeled, and only those additional single failures that would cause the control system to go from those single fault states to the LOTC state are modeled. Adding additional multiple failure states only affects the answer by a small amount, i.e., less than 5%. This is discussed in more detail in Appendix G.

Similar to the above, the use of the terminology "single state model" is unique to this document, and there is no intention to set any terminology standard with the use of this descriptive term. Some who have reviewed this document have commented that the use of the terminology single state model is misleading because a single state model actually models all dual failures that lead to the LOTC state. This is correct. However, the selection of the terminology was made because the model explicitly shows only the single failure states. All dual failures that lead to LOTC events are included in the LOTC failure state, and no dual failures that do NOT result in an LOTC event are modeled.

Revision A of this document aligned with the R1 revision to PS-ANE100-2001-1993-33.28TLD-R1, Policy for Time Limited Dispatch (TLD) of Engines Fitted with Full Authority Digital Engine Controls (FADEC) Systems.

A discussion of the elements that are considered part of the engine control system and should be represented in the LOTC analysis (see 6.5).

Summary of Revision B

Section 6.4, on Recommendations on Items Considered Part of the FADEC System, has been significantly expanded to provide more guidance on that subject. Section 6.6, on Recommendations on In-Service LOTC Reporting, has been added.

The functions of the system, the elements selected for use in the system, and the design implementation all depend on the overall system architecture. In addition, integration between the engine and the aircraft control systems is constantly changing. All of these factors impact the selection of the elements to include as part of the FADEC system. Therefore, the information included in this section does not provide an absolute answer, but is intended to provide a methodology to use in selecting which elements of the aircraft/engine control system should be included in the analysis.

The added Table 1 in that section illustrates how to consider all elements of the thrust or power control system, the functions and failure modes associated with the element, and then evaluate whether it is or is not part of the TLD restriction envelope depicted in Figure 3B. The table also shows the most likely result of a failure of the element by identifying the applicable area of Figure 3B.

Summary of Revision C

Due to the increased complexity of Engine Control integration into airframe systems, and a tendency of aircraft and engine functions to be interdependent, Engine Control TLD analyses have evolved to address functions that are not purely a function of engine controls.

Following the introduction of new EASA Part-21 requirements on Operational Suitability Data (OSD), EASA has published CM-MMEL-001 to clarify how compliance with the OSD certification basis for MMEL should be conducted by the aircraft applicant on MMEL items already subject to a TLD analysis. The referenced CM addresses EASA's concern of including airframe systems in the Engine Control TLD analysis. The intent of this inclusion is to address dispatch capability of the aircraft in a similar manner as the engine controls related items (e.g., same FADEC Short Term alert message in the cockpit). An alignment activity has been conducted between the SAE E-36 Electronic Engine Controls Committee and EASA for this version of ARP5107. Section 6.2 has been added to provide guidance on clarifying which functions are solely engine related, and which are part of other airframe systems in the TLD analysis.

Field of Application

This document applies to fault-tolerant (or redundant) FADEC control systems for aircraft engines on multi-engine aircraft. TLD addresses the level of degraded resource that is allowable - while still meeting the necessary airworthiness requirements - for FADEC controlled aircraft engines used on multi-engine aircraft. (It is noted that the submittal of a TLD analysis is not a requirement for certification of an engine incorporating a FADEC system. The analysis is a means to substantiate and obtain approval for dispatching and operating a FADEC system - for limited time periods - with faults present in the system.) Although this document specifically applies to FADEC systems on multi-engine aircraft, the methodologies presented herein with regard to achieving an overall average system failure rate can also be applied to other systems.

Document History

SAE ARP5107
September 1, 2018
Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems
November 1, 2006
Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems
January 1, 2005
Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems
June 1, 1997
Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems
