![[NASA Logo]](../Images/nasaball.gif) |
NASA Procedures and Guidelines |
||||
This Document is Obsolete and Is No Longer Used.
|
|||||
|
|
|||||
|
|
||||
| | TOC | ChangeHistory | Preface | Chp1 | Chp2 | Chp3 | Chp4 | Chp5 | Chp6 | All-Appendices | AppdxA | AppdxB-All | AppdxB1 | AppdxB2 | AppdxB3 | AppdxB4 | AppdxC | AppdxD | AppdxE-All | AppdxE1 | AppdxE2 | AppdxF-All | AppdxF1 | AppdxF2 | AppdxF3 | AppdxG | AppdxH-All | AppdxH1 | AppdxH2 | AppdxH21 | AppdxH3 | AppdxH4 | AppdxH5 | AppdxH6 | AppdxH7 | AppdxI-All | AppdxI1 | AppdxI2 | AppdxI3-All | AppdxI31 | AppdxI32 | AppdxI33 | AppdxI34 | AppdxI35 | AppdxJ-All | AppdxJ1 | AppdxJ2 | AppdxJ3 | AppdxJ4 | AppdxJ5 | AppdxJ6 | AppdxJ7 | AppdxJ8 | AppdxJ9 | AppdxJ10 | AppdxJ11 | AppdxK | AppdxL | AppdxM | Cover | ALL | | |||||
1.1.1 Example:
1.1.1.1 What Happened - One of two program aircraft being tested went out of control and crashed. Icing in or around the pitot static tube led to incorrect information being provided to the flight control computers.
1.1.2 Why it Happened - Dominant Root Cause(s):
Finding: The system safety analyses of the aircraft's design did not accurately reflect the potential catastrophic consequences of a failure in the pitot static system, which is a single-string pneumatic source input to the air data computers. No controls for this condition were designed or installed into the system (such as heating of the pitot static tube, software features to mitigate receipt of obviously incorrect data, backup sources of information for crosscheck or emergency system use, or redundant systems).
a. Recommendation: Prior to further program flying of the remaining aircraft, rebaseline the aircraft System Safety Analysis with respect to the severity and probability of all single point failures, including the pitot-static source.
b. Recommendation: Prior to further program flying, institute appropriate measures to mitigate the hazard posed by the loss or degradation of the single pitot-static source.
c. Recommendation: Prior to further program flying, assess proposed mitigation measures by piloted simulation and evaluation of aircraft flight control system performance with air data errors.
d. Recommendation: Systems development and test engineers and managers should be trained in the principles, practices, and management of system safety including:
(1) Complete and thorough system familiarization and operation as an essentia1 prerequisite to effective hazard analysis and risk assessment.
(2) Comprehensive identification of system failure modes and hazards.
(3) Accurate assessment of hazard severity and probability.
(4) Maintaining the currency of hazard analyses, including the effects of system modifications and the results of system simulation and testing.
(5) Thorough tracking and disposition of all identified hazards throughout the system life cycle.
1.1.3 What Contributed, Contributing Root Cause(s):
a. Finding: The original probe had pitot heat, but the design was changed and pitot heat was not considered necessary. The configuration control process failed to document or disseminate that the probe design change did not include pitot heat, and the pitot heat switch was not placarded as inoperative. Therefore, the majority of the test team (pilots, test conductor, safety pilot engineers, and the pilot who turned the pitot heat switch on) were not aware of the pitot heat's inoperative condition.
b. Recommendation: Prior to further program flying, review all existing configuration change documents and implement a formal process of issuance, approval, dissemination, and tracking for all changes to the aircraft.
c. Recommendation: Prior to further program flying, conduct an audit of all cockpit switches and displays to ensure intended functionality and proper labeling.
1.1.4 Significant Observation.
a. Finding: Although the board did not find any actions of the test team (control room) causal, the failure of the control room to act and call for a pause in the mission when the pilot reported an erroneous airspeed does not reflect the overall test team philosophy and procedures for reacting to an anomaly.
b. Recommendation: Test team personnel should remain alert and follow established procedures to ensure proper action is taken when an anomaly occurs.
| TOC | ChangeHistory | Preface | Chp1 | Chp2 | Chp3 | Chp4 | Chp5 | Chp6 | All-Appendices | AppdxA | AppdxB-All | AppdxB1 | AppdxB2 | AppdxB3 | AppdxB4 | AppdxC | AppdxD | AppdxE-All | AppdxE1 | AppdxE2 | AppdxF-All | AppdxF1 | AppdxF2 | AppdxF3 | AppdxG | AppdxH-All | AppdxH1 | AppdxH2 | AppdxH21 | AppdxH3 | AppdxH4 | AppdxH5 | AppdxH6 | AppdxH7 | AppdxI-All | AppdxI1 | AppdxI2 | AppdxI3-All | AppdxI31 | AppdxI32 | AppdxI33 | AppdxI34 | AppdxI35 | AppdxJ-All | AppdxJ1 | AppdxJ2 | AppdxJ3 | AppdxJ4 | AppdxJ5 | AppdxJ6 | AppdxJ7 | AppdxJ8 | AppdxJ9 | AppdxJ10 | AppdxJ11 | AppdxK | AppdxL | AppdxM | Cover | ALL | |
| | NODIS Library | Program Management(8000s) | Search | |