Add Graphic(s) or Photo(s) CAD/PAD Staff Engineer System Safety – Risk Assessments and Their Role in Service Life Extensions Add Graphic(s) or Photo(s) USS Forrestal http://www.navy.mil/navydata/nav_legacy.asp?id=73 Rae Azorandia CAD/PAD Staff Engineer 23 May 2017
Agenda System Safety CAD/PAD System Safety Approach Background Risk Baseline Service Life Extension Drivers Service Life Extension (SLE) Process Risk Analysis Risk Assessment Risk Acceptance Issues Proactive Efforts
System Safety Definitions: System safety is defined as “The application of engineering and management principles, criteria, and techniques to achieve acceptable mishap risk, within the constraints of operational effectiveness and suitability, time, and cost, throughout all phases of the system life cycle” (MIL-STD-882D). Definitions: System Safety – The practice of identifying, classifying, mitigating, and accepting residual mishap risk Hazard – An event or situation that has the possibility of causing an undesirable impact to safety, cost, schedule, or mission performance Risk – Classifying a hazard based on severity and probability Safety Risk (Prevent Mishaps & Accidents) Program Risk (Prevent impact to cost, schedule, or performance) Read green Simply identifying and documenting hazards Determine how bad and how often Mitigate where possible Re-evaluate
CAD/PAD System Safety Approach Nature of CAD/PAD dictates System Safety be done a bit differently than other programs. Focus on components of some other sub-system or system Coordination with higher level System Safety structure Serve varying customers (services, NASA, Foreign Military sales, and private organizations) Varying requirements (performance, safety, logistics, fielding) Provisioned by differing program offices Facilitates grouping items together by attributes (design characteristics, application, use, and/or acquisition method) Energetic content in CAD/PAD dictates special attention to explosive safety as a key component of System Safety Components within complex systems Different customers have different requirements – some are more risk averse than others Leverage similar designs in assessments Since CAD/PAD contain energetics, explove risk must be considered – not just will it go or not when called upon, but is it safe to be around
Background CAD/PAD System Safety Program evaluates safety risk over the life cycle of the program Focuses on: CAD/PAD component System used Energetic materials used in the device Life cycle includes development, qualification, in-service which includes service life, demilitarization Risk posture is monitored during each phase of life cycle Start with the hazards of the component alone Consider the system it is used in both directly – what is it connected to, but also what is the environment this system sees. What are the constituents of the item, what affects them – and how does it affect them… Begin with assessing risk at development and monitor thought its lifecycle through CODRs and OAs
Risk Baseline Performance is baselined during development and qualification Performance limits are established System performance limits Design limits Lot acceptance limits Verified by qualification testing and documented in procurement documents (drawings, spec, acceptance test plans) At service release, risks assessed to be negligible Frequency of Hazard/Failure less than improbable Service life established at time of qualification Baselined during qualification using as much information as we have… What are the known hazards to an item – what affects them. Environments, installation, transportation Establish performance limits 3 levels of limits Lot Acceptance limits are within the design limits which are within the system limits. We know the energetics in items change over time, so we try to determine LAT limits within the design limits to ensure we are within specification limits for the life of the unit Verify these limits with testing At release we assess and mitigate hazards so their likelihood is less than improbable. Establish service life.
Risk Baseline - Qualification System Component Exceeds NAVSEA 8020.5C Final (Type) Qualification Requirements Tailored for system application MIL-D-23615, Design and Evaluation of Cartridge Actuated Devices MIL-D-21625, Design and Evaluation of Cartridges for Cartridge Actuated Devices MIL-C-83124, Cartridge Actuated Devices/Propellant Actuated Devices, General Specification For MIL-C-83125, Cartridge for Cartridge Actuated/Propellant Actuated Devices, General Specification For MIL-C-83126, Propulsion Systems, Aircrew Escape, Design Specification For MIL-DTL-23659, Initiator, Electric, General Design Specification MIL-D-81980, Design and Evaluation of Signal Transmission Subsystem, General Specification For MIL-D-81514B, Devices restraint Harness take-up, Inertia-Locking, powers-Retracting, General Specification MIL-D-81303, Design and Evaluation of Cartridges for Store Suspension Equipment MIL-S-9479, Seat System, Upward Ejection, Aircraft, General Specification For, MIL-STD-1512, Electro-explosive Subsystem, Electrically Initiated, Design Requirements and Test Methods These are the types of tests we do at qualifcation
Service Life Extension Drivers CAD/PAD Program Processes SLEs on 800+ items/mo Acquisition/delivery delays Obsolescence causing more late deliveries increasing need for SLEs (especially AV-8) Operational needs (i.e. deployments) SLEs are usually “pulled” via SLE requests. Occasionally “pushed” in particular situations Not the same as permanent Service Life Change (SLC) Many SLEs per month – many automatic Katie mentioned earlier there are sometimes delays in awarding contracts. Obsolescence is affecting ability to procure and deliver Sometimes the operational need drives the SLE request – a deployment may mean an aircraft is not available at the necessary time for change out Right now, SLEs are typically requested by the user. Sometimes they are requested by the logistician when there is a known delivery delay SLEs are not the same as service life changes. A service life change occurs when we have sufficient data to permanently extend the life of the unit. Essentially we have tested the units and we can say with confidence the item can be installed longer with no increase in hazard risk.
Service Life Extension Process Review of Ordnance Assessment and other data Compared to baseline data (qualification, lot acceptance testing (LAT)) Compared to system design limits Three levels of review/approval Automatic, previously approved decisions - immediate Within spec but requires engineering review Out of spec and beyond design limits, requires system review and risk analysis/assessment OA data is compared to qualification and LAT data. Determine if the unit is acting as expected. Compared to design limits – are we within the range the component has been qualified for. Three levels of review
Service Life Extension Process All recommendations to approve or deny are reviewed by the CAD/PAD Senior Engineer before being processed in the SLE module Fleet requests extension through SLE module in VFS Review SLE request and relevant data Performance within requirements? Approve request through SLE module Risk Analysis Yes Approve or limited approve request through SLE module No Calculate expected performance and failure rate at requested lives Submit expected performance and failure rate to appropriate PMA Yes Risk accepted? Deny request through SLE module Flow chart of the previous bullet points. All recommendations are reviewed by the CAD/PAD Senior Engineer – Bob Hastings No
Common Performance Parameters Risk Analysis Trends are analyzed at projected extension limit Impact to system performance calculated at extension limits (via NAVAIR Models) Common Performance Parameters Go / No-Go Delay time Thrust Burn time Impulse System Impact Seat timing/Interference Seat timing/Minimum safe altitude Tail clearance Physiological impact Canopy removal Review trends Are the parameters changing Is max thrust increasing with time? Or decreasing? Each response has a system impact More in a catapult thrust means greater risk of spinal damage for a pilot Less thrust means you may not have the same tail clearance
Risk Analysis Sample Delay Time Data Current Life Requested Life Expected Need
Risk Assessment NAVAIR System models determine impact in system System engineering (NAVAIR 4.6) and NAVAIR System Safety (4.1.1) evaluate impact Collective recommendation taken to platform for concurrence (Hazard Risk Index (HRI) = 1-20) Decision documented in NAVAIR formal System Safety Risk Assessment (SSRA) and signed by appropriate offices as function of risk For Navy and Navy FMS items we rely on NAVAIR to determine system impacts They model the response using the new parameters Typically they start with a worst case scenario (90º nose down, high speed) Often program offices want to evaluate a more realistic scenario so this part of the risk assessment is often iterative. The impact is then given an index value and depending on the value of that risk a higher office may be necessary to approve and accept it
Risk Acceptance SSRA reviewed and signed by appropriate offices as function of risk HRI chart indicating the offices that are necessary for approval Frequency is per flight hours, meaning likelihood of ejection is calculated with the hazard. Often that means we are in the improbable region since the likelihood of ejection is low, but those values are platform specific.
Potential Issues Data on current installs not available for all items Exact date of installation Hours flown (vibratory effects) Environments (shelf and install) Combined issues require combined analysis Analysis required on more than one component at a time May have been insufficiently baselined at system level Read bullets - paraphrase
Proactive Efforts Developing second sources for problem propellants/items Monitoring projected delivery delays to preemptively conduct risk assessments Running models prior to need, just in case Verifying/establishing system/design/LAT limits during system qualification
Questions? http://www.navy.mil/navydata/nav_legacy.asp?id=73