Zonal safety analysis

Zonal Safety Analysis (ZSA) is one of three analytical methods which, taken together, form a Common Cause Analysis (CCA) in aircraft safety engineering under SAE ARP4761. [1] The other two methods are Particular Risks Analysis (PRA) and Common Mode Analysis (CMA). Aircraft system safety requires the independence of failure conditions for multiple systems. Independent failures, represented by an AND gate in a fault tree analysis, have a low probability of occurring in the same flight. Common causes result in the loss of independence, which dramatically increases the probability of failure. CCA and ZSA are used to find and eliminate or mitigate common causes for multiple failures.

General description

ZSA is a method of ensuring that the equipment installations within each zone of an aircraft meet adequate safety standards with respect to design and installation standards, interference between systems, and maintenance errors. In those areas of the aeroplane where multiple systems and components are installed in close proximity, the zonal analysis should identify any failure or malfunction which by itself is considered sustainable but which could have more serious effects when it adversely affects other adjacent systems or components.

Aircraft manufacturers divide the airframe into zones to support airworthiness regulations, the design process, and to plan and facilitate maintenance. The commonly used aviation standard ATA iSpec 2200, which replaced ATA Spec 100, contains guidelines for determining airplane zones and their numbering. Some manufacturers use ASD S1000D for the same purpose. The zones and subzones generally relate to physical barriers in the aircraft. A typical zone map for a small transport aircraft is shown. [2]

Aircraft zones differ in usage, pressurization, temperature range, exposure to severe weather and lightning strikes, and the hazards contained, such as ignition sources, flammable fluids, flammable vapors, or rotating machines. Accordingly, installation rules differ by zone. For example, installation requirements for wiring depend on whether it is installed in a fire zone, rotor burst zone, or cargo area.

ZSA includes verification that a system's equipment and interconnecting wires, cables, and hydraulic and pneumatic lines are installed in accordance with defined installation rules and segregation requirements. ZSA evaluates the potential for equipment interference. It also considers failure modes and maintenance errors that could have a cascading effect on systems, [3] such as:

Potential problems are identified and tracked for resolution. For example, if redundant channels of a data bus were routed through an area where rotor burst fragments could result in loss of all channels, at least one channel should be rerouted.
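The two ideas above, the AND-gate independence assumption from the introduction and the zonal check that finds redundant channels sharing one hazardous zone, can be shown together in a small script. This is an added example, not code from the page or from ARP4761: the zone numbers, the hazard table, the routing list and the per-flight failure probabilities are all constructed for illustration.

```python
# Added example (not from the page or from SAE ARP4761): a minimal zonal
# segregation check plus a fault-tree calculation showing how a shared
# zonal hazard defeats the independence that an AND gate assumes.
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Run:
    """One routed run of a redundant channel (wire bundle, hydraulic line, ...)."""
    system: str          # redundancy group, e.g. "hydraulic"
    channel: str         # channel within the group, e.g. "HYD-1"
    zones: frozenset     # airframe zones the run passes through (constructed ids)


# Constructed zone hazard table: zone number -> hazard present in that zone.
# Real zone numbers come from the manufacturer's ATA iSpec 2200 zone map.
HAZARD_ZONES = {
    "311": "rotor burst (tail-mounted engine)",
    "140": "fire zone",
}


def shared_hazard_zones(runs, hazard_zones=HAZARD_ZONES):
    """Return {(system, zone): channels} for every hazard zone that *every*
    channel of a redundancy group passes through.  One event in that zone
    can defeat all channels at once: a zonal common cause."""
    by_system = {}
    for r in runs:
        by_system.setdefault(r.system, []).append(r)
    findings = {}
    for system, group in by_system.items():
        if len(group) < 2:            # a single channel has no independence to lose
            continue
        common = frozenset.intersection(*(r.zones for r in group))
        for zone in sorted(common & set(hazard_zones)):
            findings[(system, zone)] = sorted(r.channel for r in group)
    return findings


def reroute(runs, system, channel, new_zones):
    """Copy of *runs* with one channel rerouted: the mitigation the text
    describes, moving at least one channel out of the shared zone."""
    return [Run(r.system, r.channel, frozenset(new_zones))
            if (r.system, r.channel) == (system, channel) else r
            for r in runs]


def top_event_probability(channel_probs, common_cause_prob=0.0):
    """Probability of losing every channel in one flight.
    Independent channel failures combine through an AND gate (product).
    A common cause is a separate event that fails all channels at once, so
    the top event is OR(AND(channels), common cause), evaluated as
    P(A or B) = P(A) + P(B) - P(A)P(B) to avoid cancellation."""
    independent = prod(channel_probs)
    return independent + common_cause_prob - independent * common_cause_prob


# Constructed installation: three hydraulic systems that all pass through the
# tail zone "311", and a two-channel data bus with only one channel there.
CONSTRUCTED_RUNS = [
    Run("hydraulic", "HYD-1", frozenset({"211", "311"})),
    Run("hydraulic", "HYD-2", frozenset({"221", "311"})),
    Run("hydraulic", "HYD-3", frozenset({"231", "311"})),
    Run("data bus", "BUS-A", frozenset({"211", "311"})),
    Run("data bus", "BUS-B", frozenset({"121", "221"})),
]

if __name__ == "__main__":
    for (system, zone), channels in shared_hazard_zones(CONSTRUCTED_RUNS).items():
        print(f"zonal common cause: {system} channels {channels} all in zone "
              f"{zone} ({HAZARD_ZONES[zone]})")
    fixed = reroute(CONSTRUCTED_RUNS, "hydraulic", "HYD-3", {"231", "321"})
    print("findings after rerouting HYD-3:", shared_hazard_zones(fixed))
    # Constructed probabilities: 1e-5 per channel per flight, 1e-8 for a rotor
    # burst reaching zone 311.  The AND gate alone gives 1e-15; the shared
    # zone makes the top event roughly 1e-8, a factor of ten million worse.
    print("independent:", top_event_probability([1e-5] * 3))
    print("with zonal common cause:", top_event_probability([1e-5] * 3, 1e-8))
```

The check deliberately flags only zones that carry a listed hazard and that all channels of a group share; a zone shared by some but not all channels, or a shared zone with no hazard, is not a loss of independence. The data bus in the constructed list therefore produces no finding, while the hydraulic group reproduces the pattern the case studies below describe until one channel is rerouted.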

Case studies

On July 19, 1989, United Airlines Flight 232, a McDonnell Douglas DC-10-10, experienced an uncontained failure of its No. 2 engine stage 1 fan rotor disk assembly. The engine fragments severed the No. 1 and No. 3 hydraulic system lines. Forces from the engine failure fractured the No. 2 hydraulic system line. With the loss of all three hydraulic-powered flight control systems, safe landing was impossible. The lack of independence of the three hydraulic systems, although physically isolated, left them vulnerable to a single failure event due to their close proximity to one another. This was a zonal hazard. The aircraft crashed after diversion to Sioux Gateway Airport in Sioux City, Iowa, with 111 fatalities, 47 serious injuries and 125 minor injuries. [4] [5] [6]

On August 12, 1985, Japan Air Lines Flight 123, a Boeing 747-SR100, experienced cabin decompression 12 minutes after takeoff from Haneda Airport in Tokyo, Japan, at 24,000 feet. The decompression was caused by failure of a previously repaired aft pressure bulkhead. Cabin air rushed into the unpressurized fuselage cavity, overpressurizing the area and causing failure of the auxiliary power unit (APU) firewall and the supporting structure for the vertical fin. The vertical fin separated from the airplane. Hydraulic components located in the aft body were also severed, leading to a rapid depletion of all four hydraulic systems. The loss of the vertical fin, coupled with the loss of all four hydraulic systems, left the airplane extremely difficult, if not impossible, to control in all three axes. Lack of independence of four hydraulic systems from a single failure event was a zonal hazard. The aircraft struck a mountain at forty-six minutes after takeoff with 520 fatalities and 4 survivors. [7]

References

  1. Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. Society of Automotive Engineers. 1996. ARP4761.
  2. Linzey, W. G. (2006). Development of an Electrical Wire Interconnect System Risk Assessment Tool (PDF). Federal Aviation Administration. DOT/FAA/AR-TN06/17. Retrieved 2011-02-19.
  3. Portwood, Brett (1998). System Safety Assessment. Federal Aviation Administration.
  4. Aircraft Accident Report-- United Airlines Flight 232, McDonnell Douglas DC-10-10, Sioux Gateway Airport, Sioux City, Iowa, July 19, 1989 (PDF). National Transportation Safety Board. 1990. NTSB/AAR-90/06. Retrieved 2011-02-19.
  5. "Lessons Learned from Transport Airplane Accidents". Archived from the original on February 15, 2013. Retrieved February 24, 2015.
  6. "United Airlines Flight 232, DC-10". Federal Aviation Administration. 19 July 1989. Retrieved 2013-09-10.
  7. "Japan Airlines Flight 123, Boeing 747-SR100, JA8119". Federal Aviation Administration. 12 August 1985. Retrieved 2013-09-10.