Passenger Aircraft Environmental Control System Safety Analysis
Presented By: Brian Cranley, Ali Dalal, Chris Hankins, Josh Martin
Objective
• To analyze and perform a System Safety Analysis on Environmental Control Systems (ECS) in passenger aircraft
• To derive possible redesigns in procedures and hardware involved in the functionality of the ECS
Scope
• Focuses on the hazards involved in a passenger aircraft cruising at an altitude of 35,000 ft
System Components
• Bleed Air
• Air Conditioning
• Ventilation & Distribution
• Pressure Regulation
[Image credit: boeing.com]
System Description
• Bleed Air
  - "heart" of the ECS
  - automatic aside from an on/off switch in the cockpit
  - comprised of the engine, valves, ports, and sensors that allow airflow
  - selects the right bleed port to send air through (dependent upon the flight phase, i.e. takeoff, cruise, or landing)
  - decreases the pressure and temperature of air entering the aircraft so it can be dispersed for the remainder of the ECS
[Image credit: ASHRAE]
System Description (cont.)
• Ozone Converter
  - dissociates ozone into oxygen molecules
  - uses a catalyst such as palladium (Pd)
  - up to 95% effective when new
[Image credit: limcoairepair.com]
System Description (cont.)
• Air-conditioning Packs
  - air is dried to 10-20% humidity
  - air is cooled from 400°F (temperature when leaving the ozone converter) to 60°F
  - most commercial aircraft utilize two or three air-cycle machines linked in parallel as a safety precaution against in-flight failures
[Image credit: ntsb.gov]
System Description (cont.)
• Distribution and Filtration
  - air from the air-conditioner is mixed in a manifold with filtered, re-circulated air
  - air is treated with a HEPA (high-efficiency particulate air) filter, nearly 99.9% effective in removing microbes
  - air is distributed from the manifold to ductwork, and then through vents at roughly 500 fpm
  - air stays in the cabin 2-3 minutes before it is re-circulated
[Image credit: boeing.com]
System Description (cont.)
• Backup Oxygen Supply
  - in event of ECS failure
  - oxygen stored in container and valve assemblies at 1850 psi
  - reduced to 70 psi for delivery through overhead masks
System Description (cont.)
• Pressure Regulation
  - desired cabin pressure altitude of 8000 ft
  - cabin pressure controlled by the pressure regulator
  - located so that all cabin air must pass through the outflow valve section to return to the atmosphere
  - regulator assembly recognizes changes in ambient pressure and controls the inflow and/or outflow of air depending on controller signals
  - safety valve incorporated to relieve high cabin pressure
[Image credit: boeing.com]
Analyses Performed
• Preliminary Hazard Analysis (PHA)
• Failure Mode & Effects Analysis (FMEA)
• Fault Tree Analysis (FTA)
Preliminary Hazard Analysis
• PHA
  - takes place during the design phase
  - review of historical safety experience
  - identifies areas for concern
  - identifies and evaluates hazards
  - begins to consider safety design criteria
Preliminary Hazard Analysis *

Part | Hazard Description | Cause | Effect | Probability | Corrective Measure | Severity
Ozone converter | Ozone concentration exceeding safety limit | Catalyst poisoning | Health effects: nasal congestion, eye irritation, chest pain, cough, headache | Remote | High quality equipment; periodic replacement schedule | III
Bleed Air System | IP valve failure | Mechanical, electrical malfunction | Atmospheric air flow ceases | Improbable | Allowance of manual turn-on; redundant valve downstream; rigorous maintenance; provide backup oxygen supply system | II
Bleed Air System | "Pressure regulating and shut-off" valve failure | Mechanical, electrical malfunction | Air flow too high or too low; damage to air packs; cabin interior damage | Remote | Divert air to cowl or exhaust; backup oxygen system | II
Air packs | Air pack fails | Turbine, compressor, or power failure | Hot and humid air | Remote | Shut off malfunctioning air pack; provide multiple air packs; maintenance | III
Filtration | Impure air | HEPA filter aged | Infectious air likely to spread disease | Remote | Regular maintenance/replacement | IV
Distribution | Damage in ducts | Human error during maintenance | Lower air exchange rate | Remote | Detect and patch leaks periodically | IV
Back-up oxygen tank | Leak in storage tank | Damaged valve; cylinder fatigue; tank failure | Explosion, structural damage, fire | Improbable | Isolation; rigorous maintenance of tank to ascertain integrity | I
Pressurization System | Regulator assembly malfunctions | Loss of calibration | Variation in pressure | Improbable | Frequent calibration, maintenance | III
Pressurization System | Outflow valve fails | Mechanical, electrical failure | Increase in pressure, damage to structure | Improbable | Redundancy | II

* To avoid excessive complications in the hazard analyses, the following simplifying assumptions were made to define the system:
  - Environmental control system of a commercial aircraft, cruising at 35,000 ft with engines functioning ideally
PHA (cont.)
• Bleed Air System
  - IP valve
  - temperature sensor
• Pressurization System
  - regulator assembly
  - relief valve
Failure Mode & Effects Analysis
• FMEA
  - reliability form of analysis
  - may contain events that will not contribute to an accident
  - analyzes system components for their contribution to a state of unreliability
Failure Mode & Effects Analysis

Subsystem | Standards/Reg | Component | Causes of Failure | Failure Effects: Subsystem | Failure Effects: Controls | Failure Effects: System | Failure Level | Failure Controls
Ozone Converter | FAR 25.832; FAR 121.578; ASHRAE 62-1989 | Noble catalyst (palladium) | Improper maintenance; catalyst poisoning | No O3 conversion | Harmful air; health effects: nasal congestion, eye irritation, chest pain, cough, headache | No effect | Remote | High quality equipment; periodic replacement schedule
Bleed Air | FAR/JAR 25.1309, 25.1438 | IP valve | Mechanical, electrical malfunction | FC: Subsystem failure, atmospheric air flow ceases; FO: Loss of air flow control | FC: No cabin airflow; FO: Excessive airflow, non-ideal air in cabin | FC: System malfunction; FO: System overload | Improbable | FC: Warnings/alarms, activate back-up O2 system, rigorous maintenance; FO: Redundant valve downstream, warnings/alarms, periodic maintenance
Bleed Air | FAR/JAR 25.1309, 25.1438 | Pressure regulating and shut-off valve | Mechanical, electrical malfunction | FC: Whole subsystem failure, atmospheric air flow ceases; FO: Loss of air flow control | FC: No cabin airflow; FO: Increased cabin pressure | FC: No airflow; FO: Damage to air packs, cabin environment damage | Improbable | FC: Divert air to cowl or exhaust, activate back-up O2 system, warnings/alarms; FO: Divert air to wing anti-ice, redundant valve
Bleed Air | FAR/JAR 25.1309, 25.1438 | Temperature sensor | Mechanical, electrical malfunction | Temperature of air entering air packs may be too high (FAM valve shuts) or too low (FAM valve fully opens) | Too hot or too cold air in the cabin | Possible damage to air packs and cabin interior | Improbable | Warning; redundant sensor; close shut-off valve
Bleed Air | (see above) | Precooler | Mechanical malfunction; obstruction in the cooler | Temperature of bleed air exceeds fuel safety threshold | Hot air in the cabin | Damage to air packs | Improbable | Warning; divert flow to cowl
Air packs | FAR/JAR 25.1309; FAR/JAR 25.1461 | Heat exchanger | Mechanical malfunction; obstruction in the cooler | Air pack will overheat | Hot and humid air | Damage to air packs; possible damage to water separator | Improbable | Provide excess air packs; use reliable equipment; maintain periodically
Air packs | FAR/JAR 25.1309; FAR/JAR 25.1461 | Water separator | Mechanical/electrical malfunction | Failure to remove water from air | Humid air | Humid air entering cabin | Improbable | Use multiple air packs; maintain regularly
Filtration | No standards yet formed | HEPA filter | HEPA filter aged; not replaced during maintenance | Failure to purify air | Infectious air likely to spread disease | Impure air entering cabin | Improbable | Regular maintenance/replacement; reduce amount of air recirculated
Distribution | No standards yet formed | Network of ducts | Human error during maintenance, manufacture | Lower air exchange rate | More energy consumed | Inefficient performance | Improbable | Periodic maintenance
Auxiliary Oxygen Supply | Relevant standards not found | Oxygen tank | Damaged valve; cylinder fatigue; tank failure | System malfunction | Hazardous oxygen present; explosion, structural damage, fire | Major damage to the system | Improbable | Isolation; rigorous maintenance of tank to ascertain integrity; fire protection measures
Auxiliary Oxygen Supply | (not listed) | Masks | Panel gets stuck | Oxygen delivery fails | Lack of oxygen to passenger; potential for bodily harm | System malfunction | Improbable | Allow manual operation by crew
Pressurization | (not listed) | Regulator assembly | Loss of calibration | Assembly fails to perform correctly | Possible overpressure | System failure | Improbable | Stress on calibration during maintenance
Pressurization | (not listed) | Outflow valve | Mechanical, electrical failure | FC: Possible overpressure; FO: Depressurization | Increase in pressure, damage to structure, impure air | Impure air | Improbable | Redundancy
Pressurization | (not listed) | Relief valve | Mechanical failure | FC: No change if other components function successfully; FO: Depressurization | FC: Possible overpressure if other components fail; FO: No pressurization | FC: No change if other components function successfully; FO: Depressurization | Improbable | Thorough maintenance

Legend: FC = Fails Closed; FO = Fails Open; FAM = Fan Air Modulator; FAR = Federal Aviation Regulation; JAR = Joint Aviation Regulation; ASHRAE = American Society of Heating, Refrigerating and Air-Conditioning Engineers
FMEA (cont.)
• Bleed Air System
  - IP valve
  - temperature sensor
• Pressurization System
  - regulator assembly
  - relief valve
• Auxiliary Oxygen Supply
  - storage tank
  - fire protection
Fault Tree Analysis
• FTA
  - method structures relations in a graphic representation to form a Boolean logic model
  - structured to end in a specific outcome
  - directs deductively to accident-related events
  - can be qualitative or quantitative
  - provides insight into system behavior
[Fault tree figure 1: top event "Poor Air"]
  Intermediate events as labeled on the slide: Air Cond (A), Filtration (C), Bleed Air (C)
  Basic events: Temp. Sensor, Press. Sensor, HEPA, O3 Conv., Turbine Failure, Comp. Failure
  Likelihood: Improbable / Remote
  Frequency: Medium - Low
  T = A + B + C = 6E-4

[Fault tree figure 2: top event "No Air"]
  Intermediate events: Bleed Air (A), Back-Up (B), Pressure Reg (C)
  Basic events: IP Valve, Press. Valve, Relief Valve, O2 Mask, O2 Tanks
  Likelihood: All events are extremely improbable
  Frequency: Low
  T = A*B = 6E-12
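The two totals above come from the rare-event rule for fault trees: an OR gate adds its inputs (T = A + B + C) and an AND gate multiplies them (T = A*B). The Python below is an added example, not code from the presentation: a small fault-tree evaluator that computes the rare-event estimate the slides use alongside the exact value for independent events, and lists the minimal cut sets of each tree. The per-event probabilities and the grouping of basic events under the intermediate events are constructed assumptions chosen so the totals match the slide values; the presentation gives only the totals, and labels both Filtration and Bleed Air as C in the first tree, so B is assigned to Filtration here. The Pressure Reg (C) branch of the second tree is left out because the slide's formula uses only A and B.

```python
"""Fault-tree evaluation for the two ECS top events on the slides.

Added example. Basic-event probabilities and the leaf grouping are
hypothetical; the slides only state T = A + B + C = 6E-4 and T = A*B = 6E-12.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Event:
    """A node in the tree: a basic event (prob set, no children) or a gate."""
    name: str
    prob: float = 0.0                 # only meaningful for basic events
    gate: str = "BASIC"               # "BASIC", "OR" or "AND"
    children: list = field(default_factory=list)


def basic(name, prob):
    return Event(name, prob)


def make_gate(name, kind, *children):
    return Event(name, gate=kind, children=list(children))


def rare_event(ev):
    """Rare-event approximation used on the slides: OR adds, AND multiplies."""
    if ev.gate == "BASIC":
        return ev.prob
    vals = [rare_event(c) for c in ev.children]
    return sum(vals) if ev.gate == "OR" else prod(vals)


def exact(ev):
    """Exact value for independent events: OR is 1 - prod(1 - p), AND is prod(p)."""
    if ev.gate == "BASIC":
        return ev.prob
    vals = [exact(c) for c in ev.children]
    if ev.gate == "AND":
        return prod(vals)
    return 1.0 - prod(1.0 - v for v in vals)


def minimal_cut_sets(ev):
    """Minimal combinations of basic events that bring about the top event."""
    if ev.gate == "BASIC":
        return [frozenset([ev.name])]
    if ev.gate == "OR":
        sets = [s for c in ev.children for s in minimal_cut_sets(c)]
    else:  # AND: every child must fail, so combine one cut set from each child
        sets = [frozenset()]
        for c in ev.children:
            sets = [s | t for s in sets for t in minimal_cut_sets(c)]
    sets = list(dict.fromkeys(sets))                            # drop duplicates
    return [s for s in sets if not any(t < s for t in sets)]   # drop supersets


# Constructed leaf probabilities (hypothetical, per flight hour), chosen so the
# top-event totals equal the slide values; they are not from the presentation.
POOR_AIR = make_gate("Poor Air", "OR",
    make_gate("Air Cond (A)", "OR", basic("Temp. Sensor", 1e-4), basic("Press. Sensor", 1e-4)),
    make_gate("Filtration (B)", "OR", basic("HEPA", 1e-4), basic("O3 Conv.", 1e-4)),
    make_gate("Bleed Air (C)", "OR", basic("Turbine Failure", 1e-4), basic("Comp. Failure", 1e-4)),
)

NO_AIR = make_gate("No Air", "AND",
    make_gate("Bleed Air (A)", "OR", basic("IP Valve", 1e-6), basic("Press. Valve", 1e-6)),
    make_gate("Back-Up (B)", "OR", basic("O2 Mask", 1e-6), basic("O2 Tanks", 2e-6)),
)


def summary(ev):
    """Return (rare-event estimate, exact value, number of minimal cut sets)."""
    return rare_event(ev), exact(ev), len(minimal_cut_sets(ev))


if __name__ == "__main__":
    for tree in (POOR_AIR, NO_AIR):
        rare, ex, n = summary(tree)
        print(f"{tree.name}: rare-event {rare:.3e}, exact {ex:.3e}, {n} minimal cut sets")
        for cs in minimal_cut_sets(tree):
            print("   ", " AND ".join(sorted(cs)))
```

The gap between rare_event and exact grows with the leaf probabilities, so the additive rule on the slides is only trustworthy while every term is small. The cut sets make the difference between the two trees visible: "Poor Air" follows from any single basic event, whereas every path to "No Air" needs a bleed-air failure and a back-up failure together, which is why the second total is so much smaller.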
Conclusions & Recommendations
• Install redundant temperature sensors
  - downstream of precooler
  - entrance to cabin
• Add redundant valves
  - downstream of IP valve
  - cabin relief valves
C & R (cont.)
• Fire protection
  - fire resistant materials
  - install sprinkler heads
  - smoke hoods
• Auxiliary Oxygen Supply
  - explosion resistant casing for storage tank
  - O2 sensors
  - manual O2 mask release
C & R (cont.)
• Frequent software upgrades
• Detailed maintenance procedures
Questions