Safety design method of a civil aircraft cargo door actuation system

A safety design method for a civil aircraft cargo door actuation system is presented in this study in order to fulfil the airworthiness requirements throughout the product's life cycle. A safety design process is illustrated to show the entire process that affects the function design. Fault tree analysis has been chosen as the safety analysis method; it is based on the fault modes provided by failure modes and effects analysis and on the system reliability prediction results. A design refinement has been made according to the analysis results in order to realise a high-safety system.


Introduction
Among the most significant criteria of a civil aircraft, such as safety, economy and comfort, safety is the priority that should be considered first; as a result, the safety objective shall be achieved in the design of civil aircraft [1][2][3]. If certain problems occur in operation, they may have a severe impact on the lives and property of passengers [4]. In order to avoid safety problems, a reasonable safety design method shall be performed throughout aircraft system design [5].
A mechatronic actuator scheme has been used to perform the actuation function of the C919 aircraft cargo door. The actuator is a key part of the cargo door system: if the door accidentally opens during flight, it is likely to lead to a crash and loss of life [6]. In order to avoid the door accidentally opening, it is essential to perform a safety design that avoids such safety-critical failures.
A series of studies related to aircraft safety have been discussed: the safety factors in civil aircraft design requirements are discussed in [7], and wire failures are analysed in a quantitative safety analysis in [8]; these discussions give useful information for the safety design in this paper. A preliminary assessment study is illustrated in [9], which gives information on how to carry out a preliminary design.
The safety design of the cargo door actuation system is based on SAE ARP4761 (guidelines and methods for conducting the safety assessment process on civil aircraft systems and equipment). It includes the quantitative results of the functional hazard assessment (FHA), the preliminary system safety assessment and the system safety assessment, the latter comprising failure modes and effects analysis (FMEA) and fault tree analysis (FTA) based on the results of system reliability prediction (SRP). Common mode analysis is performed to verify that the basic events in the FTA are independent in the actual implementation [10]. The paper uses the safety and reliability analysis results as feedback for the system design, with the aim of realising a system that is both highly safe and well performing. The relationship between the analyses of the safety design process is shown in Fig. 1 [11].

System overview
Each aircraft has two cargo door actuation systems, mounted on the front and rear cargo doors. A cargo door actuation system is comprised of three line replaceable units (LRUs): a linear actuator (LA), a control panel (CP) and a flexible shaft (FS). The LA is installed between the cargo door and the fuselage structure to open and close the cargo door. The CP is installed on the stressed-skin structure of the aircraft. The FS connects the LA and the CP; when the power is cut off, the cargo door actuation system can be operated manually through the FS.
The structural block diagram of the cargo door actuation system is shown in Fig. 2. The grey parts represent the three LRUs of the system; the main components are shown in white. The cargo door actuation system has two control modes, electric mode and manual mode, and ground crew can choose either of them from the CP according to the environmental conditions.
In the electric mode, ground crew operate the door open/close button on the CP, and the control command is sent from the CP to the control driver, which drives the mechatronic actuator to realise the open/close function. When the open button is pressed, the actuator lifts the cargo door to the open position and then holds it until the next control command is received. The transmission path in the electric mode is as follows: when the system is powered on and the e-brake has received the unlock signal, the brake is released and the motor can drive the transmission components to lift the cargo door. When the door is in holding mode with the power off, if accidental movement occurs, both the no-back and the e-brake use their backstop function to prevent the movement. When the close button is pressed, the actuator pulls the cargo door back to the closed position [12].
In the manual mode, ground crew apply torque at the manual power input end of the CP with the driving tool, and the FS drives the cargo door actuator to extend/retract, realising the open/close action of the cargo door.

Safety analysis
System safety assessment is a key link in the safety analysis process of the cargo door actuation system. By performing the safety assessment, it is possible to determine how failures in the cargo door actuation system lead to the failure conditions identified in the FHA, and how the quantitative safety objectives and requirements identified in the FHA can be met.
The system safety assessment of the cargo door actuation system uses the FTA method and is based on the results of SRP, FHA and FMEA; it decides whether the safety of the system meets the safety requirements or not.
The safety assessment of the cargo door actuation system is based on the following assumptions: (i) In the calculation, prediction and allocation of the safety analysis, it is assumed that system failures follow an exponential distribution; the failure rate follows a bathtub curve, in which the failure rate is divided into an early failure stage, a random (accidental) failure stage and a wear-out failure stage. (ii) Software and human operation are completely reliable, i.e. their failure rate is 0. (iii) All reliability calculation results are calculated according to MIL-HDBK-217F, NPRD and NSWC. (iv) A flight duration is 3 h. (v) The designed monitor provides 100% effective fault detection coverage for the functional components.

Safety requirement
Failure conditions in the FHA can be qualitatively divided into two categories: availability failure conditions and integrity failure conditions [10]. Considering these two characteristics in the system safety design of the cargo door actuation system, the following failure conditions can be summarised: (i) loss of actuation on the ground; (ii) accidental actuation on the ground; (iii) accidental actuation during flight.
Given a qualitative failure rate value decomposed from the cargo door system, the result and the preliminary design scheme are given in Table 1.
The failure condition assessment is as follows. For safety requirement 01, loss of actuation on the ground is defined as a class IV failure, which slightly increases the workload of the crew and has no impact on the aircraft or passengers. For safety requirement 02, accidental actuation on the ground is defined as a class III failure, which affects the safety of ground staff; in the initial stage of take-off, the take-off would be interrupted, which has a great impact on the flight plan but no impact on the aircraft or passengers. For safety requirement 03, accidental actuation during flight is defined as a class I failure, which leads to aircraft depressurisation, structural damage and crash; it greatly increases the workload of the crew, may cause loss of their working ability, and results in death or injury of passengers.
As a key part of the safety assessment in system design, the FHA results are used as an input to the whole safety analysis, and each failure condition is placed at the top level of the FTA in Section 3.3.

Reliability prediction
A preliminary SRP has been performed based on the architecture of the current cargo door actuation system (CDAS). The reliability prediction analysis is based on MIL-HDBK-217F Notice 2 for electronic components and on NPRD-95 and NSWC-98 for the mechanical components. The results for the main functional components of the CDAS are shown in Table 2, which provides the fundamental input information for the FTA.

Fault tree analysis
FTA is one of the probability calculation tools for safety design and evaluation [13,14]. The FTA method used here is based on SAE ARP4761: specific events that are not expected to occur in the system are investigated through a deductive fault analysis approach, strictly using fault levels to make a causal logic analysis; the logic diagram is then drawn step by step [15], until finally all the reasons and causes of the top event from the FHA are found.
The following assumptions are made for the FTA: (i) All fault trees assume that the airplane has been dispatched on the current flight with a properly working CDAS and that there are no outstanding maintenance actions.
(ii) All fault trees assume that the CDAS is manufactured with the correct components properly installed and rigged, and that the components have been determined to be operating within their manufacturer-specified tolerances.
(iii) All failure rates are assumed to be constant over the life of the airplane.
The RAM Commander gates used in this FTA are shown and defined in Fig. 3.
The FTA of 'loss of actuation on the ground' is shown in Fig. 4. The results of the tree indicate that the final probability of loss of actuation on the ground is 3.2 × 10^-6 /h, which fulfils system requirement 01 of the FHA. The FTA shows three contributing factors: simultaneous loss of manual and powered actuation, mechanical jam, and FS transmission fault; if any of the three occurs, the CDAS loses its actuation function.
The FTA of 'accidental actuation on the ground' is shown in Fig. 5. The results show that the final probability of accidental actuation on the ground is 4.54 × 10^-6 /h, which fulfils system requirement 02. Several factors influence the final result, such as the failure rates of the control command, the FPGA logic and the transmission structure, and the loss of the locking function of the no-back and e-brake. Because this probability leaves little margin against the safety requirement, a design improvement needs to be made through the CDAS structure design; the approaches are shown in Section 4.
The FTA of 'accidental actuation during flight' is shown in Fig. 6. The result shows that the final probability of accidental actuation during flight is 0.2 × 10^-12 /h, which fulfils requirement SR003 of the FHA.

Design refinement
From the above FTA results it can be concluded that, during the safety analysis process, the safety requirement for accidental actuation on the ground deserves the most attention. In the previous system design, in the electric mode the no-back provides the function of preventing accidental movement, while in the manual mode the e-brake locks the motor shaft to prevent accidental movement. To meet both the system function and the safety design aims, a high-reliability e-brake is chosen to reduce the failure rate, a dual-redundancy no-back structure is designed to improve the system structure, and at the same time the reliability of the electronic components must be ensured.
The new system structure with a dual-redundancy no-back is shown in Fig. 7. A redundant no-back (in yellow) is designed inside the CP as the connecting part between the transmission part and the manual power tool interface. In the electric mode, the CP no-back can stop the actuation in parallel with the LA no-back, which effectively improves the reliability of the no-back mechanism. In order to reduce the failure rate of the electronic components, the CDAS design raises the quality classification of the components and applies tolerance, derating, protection circuit and shock-proof designs along with other technological measures. Meanwhile, the CDAS also has an automatic motor speed limit program, and the motor control is designed to provide dynamic braking to limit the motor speed and hold back the door in the event that the e-brake fails to hold the door in position.
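The following Python block is an added example, not code from the paper or from the CDAS project, written to make the FTA of Section 3.3 and the effect of the Section 4 refinement concrete. It implements the gate logic an FTA tool evaluates (AND/OR gates over basic events), the exponential failure model of assumption (i) over the 3 h flight of assumption (iv), and minimal cut set enumeration, then evaluates a simplified 'accidental actuation on the ground' tree before and after adding the second no-back and the higher-reliability e-brake. The tree structure is a constructed simplification of Fig. 5, and every failure rate is a constructed placeholder rather than a value from Table 2, so the printed probabilities are not the paper's figures; what the example shows is how a single-point cut set {no-back, e-brake} becomes a three-event cut set once the CP no-back is added in parallel.

```python
"""Added example: minimal fault-tree evaluator (AND/OR gates, exponential model, cut sets).

Tree shape and all failure rates below are CONSTRUCTED for illustration; they are
not the paper's Fig. 5 or Table 2 values.
"""
from dataclasses import dataclass
from math import exp
from typing import List, Union

FLIGHT_HOURS = 3.0  # assumption (iv) of the paper: one flight lasts 3 h


@dataclass
class BasicEvent:
    """Leaf of the tree: a component failure mode with a constant failure rate (1/h)."""
    name: str
    rate_per_hour: float

    def probability(self, t: float = FLIGHT_HOURS) -> float:
        # Exponential model (assumption i): P(failed by time t) = 1 - exp(-lambda * t)
        return 1.0 - exp(-self.rate_per_hour * t)


@dataclass
class Gate:
    """AND gate: all inputs must fail. OR gate: any one input failing is enough."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: List[Union["BasicEvent", "Gate"]]

    def probability(self, t: float = FLIGHT_HOURS) -> float:
        ps = [child.probability(t) for child in self.inputs]
        if self.kind == "AND":
            result = 1.0
            for p in ps:
                result *= p  # inputs treated as independent (what common mode analysis checks)
            return result
        if self.kind == "OR":
            none_failed = 1.0
            for p in ps:
                none_failed *= 1.0 - p
            return 1.0 - none_failed
        raise ValueError(f"unknown gate kind {self.kind!r}")


Node = Union[BasicEvent, Gate]


def cut_sets(node: Node) -> List[frozenset]:
    """Minimal cut sets: smallest groups of basic events whose joint failure causes the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:  # AND: union one cut set from each input, for every combination
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    # Drop any set that strictly contains another; what remains is minimal
    return [s for s in sets if not any(other < s for other in sets)]


def per_flight_hour(probability: float, t: float = FLIGHT_HOURS) -> float:
    """Express a per-flight probability as the per-hour figure the paper reports."""
    return probability / t


def accident_on_ground_tree(refined: bool) -> Gate:
    """Constructed tree. refined=False: single no-back and standard e-brake (previous design).
    refined=True: high-reliability e-brake plus a second no-back in the CP (Section 4)."""
    ctrl_cmd = BasicEvent("control_command_fault", 1e-7)      # constructed rate
    fpga = BasicEvent("fpga_logic_fault", 5e-7)                 # constructed rate
    transmission = BasicEvent("transmission_fault", 2e-7)       # constructed rate
    la_noback = BasicEvent("la_noback_lock_loss", 1e-3)         # constructed rate
    if refined:
        ebrake = BasicEvent("ebrake_lock_loss", 2e-4)           # constructed: higher-reliability part
        noback_loss: Node = Gate("both_nobacks_lost", "AND",
                                 [la_noback, BasicEvent("cp_noback_lock_loss", 1e-3)])
    else:
        ebrake = BasicEvent("ebrake_lock_loss", 1e-3)
        noback_loss = la_noback
    # Simplification: the held door only moves if the no-back function AND the
    # e-brake have both lost their lock; any of the other faults alone is enough.
    backstop_loss = Gate("backstop_function_lost", "AND", [noback_loss, ebrake])
    return Gate("accident_actuation_on_ground", "OR",
                [ctrl_cmd, fpga, transmission, backstop_loss])


def compare_designs() -> dict:
    """Top-event probability per hour before and after the design refinement."""
    return {
        "previous": per_flight_hour(accident_on_ground_tree(False).probability()),
        "refined": per_flight_hour(accident_on_ground_tree(True).probability()),
    }


if __name__ == "__main__":
    for refined in (False, True):
        tree = accident_on_ground_tree(refined)
        print(f"{'refined' if refined else 'previous'}: "
              f"{per_flight_hour(tree.probability()):.3e} /h, "
              f"minimal cut sets: {[sorted(s) for s in cut_sets(tree)]}")
```

Running the block prints the per-hour top-event probability and the minimal cut sets for both designs. The cut set listing is the part worth reading alongside Section 4: in the previous design the backstop branch is a two-event cut set, and after the refinement the same branch needs three independent failures, which is why the paper's common mode analysis (checking that those basic events really are independent) matters as much as the arithmetic.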

Conclusion
A safety assessment process throughout the development of the cargo door actuation system design has been presented in this paper using the FTA method. The results show that a design improvement of the CDAS has been made through the safety design process, which is necessary to achieve the safety requirements. After the iterative design, a high safety level can be achieved in the CDAS.