© ACENTISS 2015

Approved Center of Engineering, Technology andIn Service Support

The reproduction and distribution of this document as well as the communication of its contents to others without explicit authorisation by ACENTISS GmbH are prohibited. Offenders will be held liable for the payment of damages

Certification of RPAS Components

Hans Tönskötter, Mireia Medrano, Josef Mendler

BAM, 10.03.2015

© ACENTISS 2015 2

Content

■ Airworthiness of RPAS – Status

■ ELIAS System Components

■ Roadmap to Certification

■ Certification of System Components – Duplex Engine

■ Way Ahead

BAM, 10.03.2015

© ACENTISS 2015 3

Key Technological Challenges

Airworthiness Code with Acceptable Means of Complia nces and Guidance Material (acc. to STANAG 4671 , CS-23, CS-25, …)

Justification and validation of RPAS safety

Security of C2-systems , Data Link and Bandwidth allocation

Integration of RPAS into ATM

RPAS security issues

Safe automated operations

• Current ATM interfaces (Airspace class A – C) + extension to non-controlled areas

• Airborne based D&A systems (HW, SW)• Ground based D&A systems• GCS Human Machine Interface (HMI)• Ground & Obstacle Collision Avoidance• Weather detection + Protection• Detectability solutions• Observer & pilot functions and responsibilities (E-

VLOS)• Hazard protection (e.g. wake vortex)

• Current and future ATM environment

• Infrastructures in correlation with RLOS, BLOS (+ SATCOM)

• Radio bandwidth management

• Threats + potential mitigations

• Automated OCM, Health Monitoring + FTA• Automated Take Off, Mission and Landing• Auto Taxiing + Airport operations

BAM, 10.03.2015

Airworthiness of RPAS - Status

© ACENTISS 2015 4

ATM

CustomerMannedAircraft

Third Party Assets

Public Concern Environment

Roadmap2Certification via EUROPAS

RPAS

Onboard Systems (D&A, Data link, …)

Payload (e.g. Sensor)

Data

Pilot inCommand

GCS

A/C

Data

BAM, 10.03.2015

© ACENTISS 2015 5

■ Airworthiness of RPAS – Status

■ ELIAS System Components

■ Roadmap to Certification

■ Certification of System Components – Duplex Engine

■ Way Ahead

BAM, 10.03.2015

Content

© ACENTISS 2015 6

Data Link InterfaceAntenna

GCS in Container

StabilizedEO/IR-Sensor

Avionics (Navigation (INS/GPS), Data Management, FMC, FCC)

Data Link with electronic Antenna

Cockpit Displays(Flight Instruments, Map, Flight Path)

Mission Equipment of ELIAS

Full system capability with ground control station and sensor dataBAM, 10.03.2015

© ACENTISS 2015 7

ELIAS – System Components

Redundant FCS

Electric redundantMotor

Data-linkage withelectronic Antenna

Step 2:Electrically Redundantlanding gear

Flight Control and Navigation

Integration of highly efficientEnergy Storage

Evolution of technologies covering the roadmap from electric UL to certifiable UAS using the technology demonstrator ELIAS

Step 1:Electrically retractable landing gear

Ground Control Station- Console- Software

BAM, 10.03.2015

© ACENTISS 2015 8

Content

■ Airworthiness of RPAS – Status

■ ELIAS System Components

■ Roadmap to Certification

■ Certification of System Components – Duplex Engine

■ Way Ahead

BAM, 10.03.2015

© ACENTISS 2015 9

Type of Operation Certification Basis

Manned Aircraft • VVZ acc. LTF-UL

Optionally Piloted LTF-UL

Remotely Piloted

• STANAG 4671

• EASA policy E.Y013-01(as far as agency is responsible)

• Or …

Certification Approaches

BAM, 10.03.2015

© ACENTISS 2015 10

ARP 4754a, DO-178C and DO-254

BAM, 10.03.2015

ARP: Aerospace Recommended Practice

© ACENTISS 2015 11

Standards

BAM, 10.03.2015

Certification of RPAS

Substantiation Substantiation

Test / Validation

Developm

ent

Requ. M.

Config. M.

Change M.

Qual. M.

Safety

© ACENTISS 2015 12

ARP 4754a, DO-178C and DO-254

� ARP 4754AGuidelines for the development for systems that support aircraft level functions and have failure modes with the potential effect to the safety of the aircraft

� DO-178CGuidelines for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements through objectives for software life cycle.

� DO-254Guidelines for the development and design assurance of airborne electr onic hardware such that it safely performs its tasks.

BAM, 10.03.2015

© ACENTISS 2015 13

■ Qualitative:no single failure shall lead to a catastrophic effect

■ Quantitative:acceptable range applies for each individual failure condition

if not achieved on individual level go to => SYSTEM level: on system level combination of all catastrophic failure conditions is characterised by an occurrence of 10-5 per flight hour or less

EXAMPLE STANAG 4671: Safety Objectives

Certification Approaches

BAM, 10.03.2015

Results in multiple fatalities and/or loss of the system

Reduces the capability of the system or operator to cope with adverse operating conditions ….

FAA Safety HB

n/a

> 10 -5 / FH

> 10 -7 / FH

> 10 -9 / FH

< 10 -9 / FH

© ACENTISS 2015 14

Typical Safety Assessment Process[ref. CS-25]

Certification Approaches

BAM, 10.03.2015

§ CS25.1309

CS 25.1309 Equipment, systems and installations(See AMC 25.1309)(b) The aeroplane systems and associated components, considered separately and in relation to other systems, must be designed so that -

(1) Any catastrophic failure condition(i) is extremely improbable; and(ii) does not result from a single failure; and

(2) Any hazardous failure condition isextremely remote; and(3) Any major failure condition is remote.

(c) Information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action. A warning indication must be provided if immediate corrective action is required. Systems and controls, including indications and annunciations must be designed to minimise crew errors, which could create additional hazards.

© ACENTISS 2015 15

AMC.1309 (b) Functional hazard assessment (FHA) [re f. STANAG 4671 ed.1]

■ A systematic, comprehensive examination of UAV and system functions to identify potential Minor, Major, Hazardous and Catastrophic failure conditions that may arise as a result of a malfunction or failure to function.

■ The FHA consists of:identifying all the functions at the level under study (aerial vehicle - payloads, etc.) and its interfaces (UCS - data link, etc.),identifying and describing the failure conditions associated with these functionsdetermining the effects and the severity of these failure conditions

■ The FHA should include – but not be limited to – consideration of the failure conditions in Appendix A of FAA Advisory Circular 23-1309-1C.

Certification Approaches

BAM, 10.03.2015

© ACENTISS 2015 16

Safety Assessment Process ARP 4761

FHA• Identify each failure condition along with rationale• Starting point for the next step which is the PSSA

PSSA

• Systematic examination of proposed system architecture• Establishes the safety requirements of the system and to determine that the proposed

architecture can reasonably be expected to meet the safety objectives outlined in the FHA• Takes the form of an FTA

SSA

• Based on the PSSA• To show that the safety objectives from FHA and derived safety requirements from PSSA are

met• Carried out with the help of FMES (summary of failures identified by FMEA)

BAM, 10.03.2015

PSSA: Preliminary System Safety AssessmentSSA: System Safety Assessment (SSA)

© ACENTISS 2015 17

Content

■ Airworthiness of RPAS – Status

■ ELIAS System Components

■ Roadmap to Certification

■ Certification of System Components – Duplex Engine

■ Way Ahead

BAM, 10.03.2015

© ACENTISS 2015 18

Redundant Power (Duplex Engine)

BAM, 10.03.2015

Concept and Design

� Electrical and Mechanical Redundant (except of Propeller und Drive Shaft)Increase of Safety and power consumption during cruise condition

� Overall Redundancy (engine, controller, inverter , Battery-Management-System, electrical power supply (batteries))

� Certification: Single Engine Category within UL-Standards

� Additional safety aspects based on Duplex-Engine means weight penalties

� Weight penalties are compensated by increased engine efficiency of Duplex-Engine related to partial-load operational range (Shutdown of one engine) –depending on flight mission (endurance)

© ACENTISS 2015 19

Integration of Engine

BAM, 10.03.2015

Challenges:

� Cooling Concept must be optimized: Usage of Aircraft Ram Air ; Maximum power output only required during take-off and Cruise

� Cooling Air must be dry and dustless

� Cooling device must be aerodynamically compatible (no addtiional drag)

� Environmental robustness of aircraft (e.g. rain)

Solution:

� Integrating concept of ACENTISS for electric power engines considering Ram Air Cooling System (weight optimized)

� Cooling System is integrated into ELIAS aircraft:

� Flight testing

� Wind tunnel test campaign

� Integrated into Duplex-Engine

© ACENTISS 2015 20

Duplex-Engine Development

Basis: Duplex-Engine of Geiger HPD25D (Prototype)� Electrically & mechanically redundant (except drive shaft)

� 2 Engines in one case

� Both engines act over free-wheel on a drive shaft(propeller shaft)

� Max. power 32 kW (2 x 16 kW)� Continuous power 25 kW (2 x 12.5 kW)� Nominal voltage 58VDC; � Max. currentr 2 x 275 A

Challenges: Cooling of the Duplex-Engine IABG/ACENTISS:

� Development of a Duplex-Engine-Integration into the electrical ultralight airplane ELIAS

� Development of an effective cooling system for the Duplex-Engine in consideration of the installation conditions in the typical ultralight airplane

� Verification of the solution with the modified Duplex-Engine at a test rig and in a wind tunnel

BAM, 10.03.2015

Inverter with controller

Duplex-Engine HPD25D

© ACENTISS 2015 21

Validation of Duplex-Engine

� ACENTISS-Engine test rig Systematic testing of the redundant drive system with cooling; consisting of engine, inverter, controller and battery pack with BMS

� Wind tunnelTesting of the Duplex-Engine with propeller under conditions similar to flight

� Flight test with ELIASHalf of the engine, the engine controller and the inverter are designed in the same way as the single-disc engine HPD13.5 integrated in ELIAS=> Results of the flight test of ELIAS are also relevant for the Duplex-Engine

BAM, 10.03.2015

Wind tunnel test of the ELIAS - fuselage incl. Engine and propeller at TU Munich

Duplex-Engine-support with the fairing for the wind tunnel test

© ACENTISS 2015 22

Ground Tests – Engine Test Rig

BAM, 10.03.2015

Portable Engine-Test rig for the system test of the Duplex-Engine� Test rig for the examination of electrical single-disc – and Duplex-Engine under special

consideration of the Certififcation aspects.

� Complete platform of the redundant engine system including:

Duplex-Engine

2 x Engine-Controller and inverter

Adjustable supply of coolingair (pressure and flow rate of 100g/s)

Measuring system of drive,torque, current and voltage

Variation of the powerwith eddy current brake(40 kW)

Electrical power supply through2 x 3 Li-Ionen- battery packwith BMS*

Testing with propeller instead of brake is possible Cooling air supply:

Compressor with speedregulator

Power supply 58VDC2 Li-Ionen-Battery-pack with BMS

Cooling air distributor

Eddy current brakeE-Engine

(under the fairing)

Engine controller with cooling element

*) BMS: Battery Management System

© ACENTISS 2015 23

FHA drive system

� Develop Functional Hazard Assessments (FHA) for the drive system based on the guidelineof ARP4761 by ACENTISS

� The process of the safety analysis consists of several steps:

ARP4761

Advisory Circular 23.1309-1E

NASA/TM-2007-214539

BAM, 10.03.2015

2.

Identification of failure

3.

Determination of the effects

of failure

4.

Classification of criticality

5.

Classification of FDAL +

Prob/ FH to failure

6.

Identification of support material

7.

Identification of method for verification of

failure

1.

Derivation of the functions

from the requirements

© ACENTISS 2015 24

FHA drive system

2.

Identification of failure

3.

Determination of the

effects of failure

4.

Classification of criticality

5.

Classification of FDAL +

Prob/ FH to failure

6.

Identification of support material

7.

Identification of method for verification of

failure

Function Ref. Failure Condition Phase Effect of Failure Condition on Aircraft Class. FDAL Prob. / FHSupporting

MaterialVerification

DM-1.1 Complete loss of drive

Taxi/Takeoff below

V1/ Takeoff above V1/

TakeOff /Enroute/ Go

Around

DM- 1.1 a a. Complete loss of drive Takeoff below V1Abort TakeOff. Slight reduction in safety

margin. Minor D <10

-3 / h

DM- 1.1 f f. Complete loss of drive Takeoff above V1 Uncontrolled loss of UAV Catastrophic C <10-6

/ h

DM-1.2Partial loss of drive due to

one motor failure

Taxi/Takeoff below

V1/ Takeoff above V1/

TakeOff /Enroute/ Go

Around

DM- 1.1 aa. Partial loss of drive due

to one motor failureTakeoff below V1

Abort TakeOff. Slight reduction in safety

margin. Minor D <10

-3 / h

DM- 1.1 ff. Partial loss of drive due

to one motor failureTakeoff above V1

Reduction in safety margin. Emergency

landing of UAV.Major C <10

-4 / h Flight Test Data

DM-1 Drive the

Propeller

(Ref. 5 R8, R10,

R35) See below

See below

BAM, 10.03.2015

1.

Derivation of the functions

from the requirements

� To identify the necessary tasks and to write the verification there are derived quantitative and qualitative safety requirements.

© ACENTISS 2015 25

Reliability analysis of drive system

� A failure rate analysis of the drive systems was done.

� The following components were analyzed on component level:

� For the assessment following simplified load profile was taken into account:20% total load (70Nm, 330A engine power) � Take-Off and climb80% partial load (30Nm, 150A engine power) � Cruise

� The analysis was done for different operating temperatures.

=> Result:

� The Duplex-Engine-Concept greatly facilitate the compliance with the required reliability and certification issues

� There is an essential influence of the batteries with BMS on the reliability of the whole drive system.

=> Requirement of continuous redundancy, incl. Powe r supply

− HPD25D (single-disc)− PI300 (controller + inverter)− Battery (Li-Ionen batteries)− BMS (Battery Management Systems)

BAM, 10.03.2015

© ACENTISS 2015 26

Flying Test Bed� Test bed as UAS-Technology Demonstrator for the verification of avionics-

components, camera sensor, data link, ground control station etc. to support the UAS-/OPV-development and for customer presentation

� Although the test bed is controlled by a pilot, it can be operated outside of reserved airspace.

ELIAS all electric Flight Test System

Aircraft

Ground Control Station

ELIAS UAS Technology-Demonstrator

© ACENTISS 2015 27

Content

■ Airworthiness of RPAS – Status

■ ELIAS System Components

■ Roadmap to Certification

■ Certification of System Components – Duplex Engine

■ Way Ahead

BAM, 10.03.2015

© ACENTISS 2015 28BAM, 10.03.2015

■ Airworthiness of RPAS – Current Situation

→ STANAG 4671, CS-23, CS-25, EASA policy E.Y013-0, … as a ramp-up scenario for

establishing a Roadmap2Certifcation

■ Challenges operating RPAS focus on operation and integration

→ Automated Flight (Cruise, Landing)

→ Collision Avoidance

→ Data Link Robustness

→ Ground Control Station (Certifiable HW and SW)

→ Pilot-in-Command: Roles & Responsibilities (Training, Competencies)

Way Ahead

© ACENTISS 2015 29

Contact

Dr. Josef MendlerCEO

ACENTISS GmbHEinsteinstrasse 28a85521 OttobrunnGermany

Phone +49 89 4111 934 10Fax +49 89 4111 934 95 E-Mail mendler@acentiss.deWeb www.acentiss.de

BAM, 10.03.2015