Chapter 21 - Morphing Devices Safety Reliability A - 2018 - Morphing Wing Tec

CHAPTER
MORPHING DEVICES: SAFETY,

RELIABILITY, AND
CERTIFICATION PROSPECTS
21
Maurizio Verrastro*, Ignazio Dimino†
Leonardo S.p.A., Caselle (TO), Italy* The Italian Aerospace Research Centre, CIRA SCpA, Capua (CE), Italy†
CHAPTER OUTLINE
1 Introduction ................................................................................................................................... 648
2 System Level Approaches to the Certification of Morphing Wing Devices ........................................... 650
2.1 Adaptive Droop Nose ...................................................................................................... 652
2.2 Adaptive Trailing Edge Device ......................................................................................... 652
2.3 Morphing Winglet .......................................................................................................... 653
2.4 Defining the System Level Functions of Morphing Devices ................................................ 654
2.5 Dual Level Safety ........................................................................................................... 656
3 Functional Hazard Assessment ........................................................................................................ 657
4 Dual-Level Approach for the FTA of a Morphing Wing ....................................................................... 675
5 Common Cause Analyses ................................................................................................................ 678
5.1 Particular Risk Analysis .................................................................................................. 680
5.2 Common Mode Analysis ................................................................................................. 680
5.3 Zonal Safety Analysis ..................................................................................................... 680
6 Conclusions ................................................................................................................................... 681
References ........................................................................................................................................ 681
NOMENCLATURE
A/C aircraft
AIAA American Institute of Aeronautics and Astronautics
ARP aerospace recommended practices
ATED adaptive trailing edge device
CCA common cause analyses
Morphing Wing Technologies. https://doi.org/10.1016/B978-0-08-100964-2.00021-6

# 2018 Elsevier Ltd. All rights reserved.
647
648 CHAPTER 21 MORPHING DEVICES
CMR certification maintenance requirement

CS certification specifications
DAL design assurance level
DO (RTCA) document
EADN enhanced adaptive droop nose
EASA European Aviation Safety Agency
EUROCAE European Organisation for Civil Aviation Equipment
ED EUROCAE document
FC failure condition
FDAL functional design assurance level
FH flight hour
FHA functional hazard assessment
FMES failure mode effect summary
FTA fault tree analysis
FT fault tree
HW hardware
IEEE Institute of Electrical and Electronics Engineers
PSSA preliminary system safety assessment
RTCA Radio Technical Commission for Aeronautics
SAE Society of Automotive Engineers
SARISTU Smart Intelligent Aircraft Structures
SSA system safety assessment
SW software
VC cruise velocity
WATE winglet active trailing edge
1 INTRODUCTION
Despite the considerable interest and the growing advances in morphing wing technologies, morphing
devices continue to be perceived as highly difficult to certify by the aviation industry. Although several
morphing wing concepts and demonstrators already were tested in representative environment [1–5]
and, in some cases, even flight tested [6,7], the certification roadmap of these advanced mechanical
systems still suffers from certain safety-related gaps in the attempt to comply with current certification
requirements.
At this time, the authors are not aware of the use of morphing devices in any commercial aircraft.
Two fundamental questions still remain to be addressed: What changes or additions to the traditional
certification processes would be necessary to demonstrate that morphing devices comply with the cer-
tification standards? And is there any room for some nontraditional means of compliance? Answering
to these questions not only would allow for safe use of such highly integrated systems that perform
complex and interrelated aircraft-level functions, but also could result in a successful progress in
the certification prospects of morphing wing structures.
1 INTRODUCTION 649
In this chapter, some gaps in the design approach of morphing devices are discussed in order to
provide sufficient consistency with current standards in aviation. The use of acceptable safety-related
design methodologies, combined with more automated manufacturing, assembly, and integration pro-
cesses, appear to be the most adequate means to certify these mechanical systems within the context of
industry standards. Additionally, beyond structural factors or other considerations of airworthiness to
prevent catastrophic failures, the novel aircraft functions enabled by morphing systems imposes a
thorough examination of the associated risks that can have an impact on aircraft flight capabilities
and crew workload. As with all the other aircraft control surfaces and systems, the real challenge is
to show whether the safety targets are met, until the single system is assessed and the interaction
between conventional and adaptive systems performing different functions are collectively evaluated
at aircraft (A/C) system level. More reliance on verification by analysis, simulation, and limited proofs
of concepts from the early design phase could lead to partial certification credit while preserving the
essential features of safety.
Government Certification agencies such as the Federal Aeronautical Administration (FAA) and the
European Aviation Safety Agency (EASA) require that aircraft manufacturers follow precise design
and certification policies to manage and mitigate systems failure risks throughout the operational life
of an airplane. Historical evidence indicates that the probability of a serious accident because of
operational and airframe-related causes is approximately one per million hours of flight, and only about
10% of the total are attributed to failure conditions (FCs) caused by A/C systems [8]. The process of
identifying risks and quantifying or qualifying the degree of risk they pose to individuals and resources
is usually referred to as safety assessment [9]. A probability approach is typically used to manage these
assessments. A logical and acceptable inverse relationship must exist between the average probability
per flight hour (FH) and the severity of FC effects, as shown in Fig. 1. Catastrophic failures must be
FIG. 1
Relationship between probability and severity of failure condition effects.
extremely improbable and must not result from a single failure [8]. The upper limit for the average
probability per FH for catastrophic FCs shall be 1 10 9, which establishes an approximate probability
value for the term “extremely improbable.” On the other hand, FCs having less severe effects could be
relatively more likely to occur, with upper average probability limits equal to 1 10 7 and 1 10 5 per
FH for hazardous and major, respectively.
According to the EASA CS-25 regulations applicable to large commercial aircraft, safety assess-
ments consist of three major phases, i.e., functional hazard assessment (FHA), preliminary system
safety assessment (PSSA), and system safety assessment (SSA), which consider the interactions among
the aircraft systems, between software and hardware (HW) components, and all the interfaces, includ-
ing pilot and crew. In this frame, systems functions are examined qualitatively to identify potential
design, maintenance or crew faults, and external environment risks. The severity of these hazards is
determined and placed in specific classes, indicative of the maximum tolerable probability of occur-
rence. After that, the link between faults at subsystems level and their end-effects are evaluated in the
FHA, by taking into account the actual system constraints throughout the system lifetime. Each hazard
is quantitatively examined in a top-down fashion, from the events to their causes, until failures of the
basic components are classified. On the basis of the probabilities assigned to failure events of the basic
components, the probability of occurrence of the top event is then calculated. Such a quantitative anal-
ysis usually is achieved with the fault tree (FT) technique.
Starting from a generic overview of A/C system functions, this chapter follows a standard safety
analysis to define both qualitative and quantitative requirements to support the certification practices of
morphing devices with respect to safety and reliability targets. Two main documents combined with the
certification specifications (CS)-25 EASA regulations [8] are considered as guidelines: Society of Au-
tomotive Engineer (SAE) ARP 4754a [9] and SAE ARP 4761 [10]. A complete aircraft FHA, including
morphing systems and functions, is outside the scope of this study. Integrated use of three morphing
devices—droop nose, morphing trailing edge, and adaptive winglet—is assessed through the imposi-
tion of certain constraints after the design phase of the morphing architecture and permitted adaptation
to meet specific system safety properties. Because of the concepts novelty, literature references about a
safety-driven design of morphing devices are hard to find, for both new-generation aircraft and retrofit
applications. Furthermore, the identification and classification of the potential failures of morphing
devices might be a nontrivial exercise. Finally, not all the necessary analysis and modeling tools
are available in the literature and further work might be required to bring such an approach to practical
applications. Because of these points, a conservative approach is used to assign the functional systems
failure severities and safety targets by developing and sharing a high-level mapping between a func-
tional view of morphing devices and their A/C safety-related standards.
2 SYSTEM LEVEL APPROACHES TO THE CERTIFICATION OF MORPHING

WING DEVICES
Depending on the time-scale of deployment, three different functions might be associated with a
morphing device:
• Morphing on the order of minutes: Lift (and drag) control during long mission segments (mainly
cruise) to compensate aircraft weight reduction because of fuel consumption.
2 SYSTEM LEVEL APPROACHES TO THE CERTIFICATION 651
• Morphing on the order of seconds: Active lift distribution control to minimize drag during
short off-design mission segments (mainly climbing and turning operations).
• Morphing in less than a second: Wing load alleviation by reducing gust-induced root bending
moment (RBM) peaks on aircraft wing.
For some recent-generation aircraft, such as Boeing 787 and Airbus A350, some novel aircraft func-
tions, such as differential flap setting, already are performed by innovative flap actuation system con-
cepts. Distributed actuation enables decentralized load control along the wing span, which is
particularly suited for active lift distribution control for induced drag reduction. More tailored control
systems and inherent positioning sensors contribute to guarantee this functionality.
A standard system safety assessment of aircraft systems, whose the key phases are shown in Fig. 2,
must consider both the crew workload and operation implications of potential failures by establishing
key capabilities and related limitations.
As part of the certification process, after requirement analysis has been completed, the top-level
requirements assigned through the aircraft level FHA need to flow down to next level (the morphing
wing system FHA), and subsequently to lower levels, such us morphing devices FHA. Without a
specific A/C application, a generic set of aircraft level functions can be chosen arbitrarily to define
high-level links between enhanced morphing system functions and standard aircraft functions by
identifying, at the same time, the criticalities associated with the FCs. The analyses are intended at
subsystem level, and performed with a typical bottom-up approach.
The SSA invokes a quantitative analysis of the FTs generated for potential failures with hazardous
or catastrophic consequences. The reliability data of the system components are necessary to calculate
FIG. 2
Safety process overview diagram.
basic events probability figures which are typically requested to the components suppliers (commonly
required by contract and by equipment specification) prior to the system integration and assembly
phases.
We will elaborate on the safety process assessment approach by focusing on three morphing
systems:
• Enhanced adaptive droop nose (EADN).

• Adaptive trailing edge device (ATED).
• Winglet active trailing edge (WATE).
A/C functions enabled by these systems are identified individually as explicitly requested by safety-
related standards. It is assumed that for a safe integration of such morphing devices in a morphing wing,
they are rigidly connected to a wing box without losing any deployment performance because of struc-
tural interactions. After that, their impact on A/C operation is evaluated by assessing their individual
and combined A/C level functions and hazards.
2.1 ADAPTIVE DROOP NOSE

Aircraft use high-lift systems that create gaps when moving from high-lift to cruise flight position or
vice versa [11]. Gaps create a discontinuous surface that interrupts the laminar flow and causes it to
detach from the surface. In order to maintain a great region of laminar flow on the wing, the surface
must be as continuous as possible in the desired aerodynamic shape with tight geometrical tolerances.
The adaptive droop nose is a movable morphing leading edge that can adapt its shape in order to
reduce the drag during take-off and landing by acting as a high-lift device. This device can create a
laminar flow by drastically enhancing aircraft aerodynamic performance in high-lift conditions, espe-
cially when combined with a morphing flap. Less drag directly reduces fuel consumption and affects
the aircrafts weight by up to 3%. The concept of this smart leading edge device was developed to in-
tegrate functions such as de-/anti-icing, bird strike protection, erosion protection, and lightning strike
protection. The structure-kinematics system was characterized by a low-complexity, lightweight kine-
matics, good fatigue performance [12].
2.2 ADAPTIVE TRAILING EDGE DEVICE

The main purpose of ATED is to reduce drag and increase efficiency (L/D ratio) in off-design flight
points by adapting wing shape and lift distribution through a static deflection of the device [13] – [15].
ATED function can be referred to as continuous and quasistatic wing TE shape optimization control.
While weight and angle of attack vary throughout the flight, ATED allows the aircraft trim configu-
ration to remain optimal in terms of efficiency or minimal drag. The wing trailing edge shape optimi-
zation is aimed at compensating for a reduction in aircraft weight because of fuel burning. Because
span-wise variations can be attained, weight savings potentially can be achieved in the design phase
through RBM reduction. Smart Intelligent Aircraft Structures (SARISTU) demonstrated that aircraft
fuel consumption can be lowered by at least 3% for a three-hour flight.
2.3 MORPHING WINGLET

Aircraft winglets are a proven way to reduce drag, save fuel, cut carbon dioxide and nitrogen oxide
emissions, and reduce community noise. Blended winglets are offered as standard equipment on
new aircraft designs and also are available as retrofit installations on existing commercial airplanes.
The addition of winglets also increases aircraft range.
Winglets, however, introduce significant loads into the main wing structure that can diminish the
expected benefits. These additional loads result in a heavier design, new wingtip interfaces, and an
overall re-engineering of the wing box to allow for the winglet surface integration. The idea of an adap-
tive winglet has been successfully investigated in several theoretical studies and small-scale experi-
ments. Adaptive winglets, where the geometry can be adjusted to the changing flow conditions, has
the potential to improve the aerodynamic performance during climb and high-speed off-design condi-
tions by providing adapted wing lift distribution throughout the A/C flight envelope. Additionally, they
can significantly reduce aerodynamic loads at critical flight points (active load alleviation) that have
variable trailing edge control.
Major aircraft manufacturers such as Airbus, Boeing, and McDonnell Douglas have received sev-
eral patents that focus on changing the winglet shape to achieve minimal drag at multiple flight points
[16,17]. Among the many prototypes of morphing winglets found in the literature, the adaptive winglet
with active trailing edge, developed in the framework of the SARISTU project, is one of the latest and
most advanced examples [18]. A full-scale carbon fiber reinforced plastics (CFRP) adaptive winglet
device, including skin, stringers and four ribs, was designed, manufactured, and tested in a wind tunnel,
and it showed very promising results. An active flap actuated by an electromechanical actuator and
attached to the winglet’s rear spar by a fail-safe connection (five single hinges) was commanded
through a pure feed-forward control with no adaptation. In addition, a morphing skin covered the region
between the fixed and movable parts, ensuring a smooth morphing shape. This design, however, led to
additional actuation power to deform the morphing material under operative loads. Furthermore, a
C-shape cut-out was necessary to avoid excessive membrane deformation at the winglet trailing edge,
significantly reducing the expected aerodynamic benefits.
An adaptive winglet is definitively a “safety critical” structure. Past investigations on such a me-
chanical system have demonstrated that loss of the adaptive winglet control can be classified as cat-
astrophic for aircraft [18]. Thus, the probability of its occurrence must be below the threshold value of
<10 9 per FH for safety reasons, as written in paragraph CS 25.1309.
The design of a morphing winglet design must follow a standard safety-critical system design ap-
proach, starting from a functional safety analysis. A failure hazard assessment is then needed to derive
the design prerequisites for the system architecture and for the control system. After such qualitative
safety classification is made for each functional failure, the overall system can be iteratively designed
using fault tree analysis (FTA) on the basis of empirical values and experience for subsystem
failure rates.
The safety classification and relevant safety figures are also a design driver for systems related to
structural load alleviation/control functions. In fact, the recommended safety factor used for structural
sizing purposes increases with the probability of being in FC, as shown in Fig. 3.
Although a FC related to degraded performance of an adaptive winglet can be classified as minor
because of the minor safety repercussions on the aircraft occupants, a FT is always recommended for
such systems in order to be able to compute the ultimate load for jam in the worst-case load positions.
FS
1.5
10–9 10–5 1
Q - Probability of being in failure condition
FIG. 3
Computation of the safety factor [8].
2.4 DEFINING THE SYSTEM LEVEL FUNCTIONS OF MORPHING DEVICES

A very generic overview of A/C level functions is proposed in Ref. [19]. This reference collects the
results of a working group of specialists at several organizations such as AIAA, SAE, IEEE, and many
manufacturers in aerospace (e.g., Boeing, Rockwell, Honeywell, Airbus). These top-level functions
define the high-level requirements for the intended aircraft, Fig. 4. Their details are not investigated
in this work but focus is given to the general process flow of current certification practices, starting
from such a system functions assignment. As a result, the scope here is to give an overview and
not a full descriptive narrative.
The list of a morphing wing device functions, which contribute to enhance standard A/C-level func-
tions, is given in Table 1.
A high-level description of the morphing device system is required to understand the functional
breakdown. Overall, these systems aim at reducing wing drag, controlling wing lift distribution,
and reducing wing loads (including vibrations and fatigue loads). In addition, the wing structural
Aircraft functions
1. Provide and 3. Provide crew, 5. Distribute 7. Provide A/C

distribute passenger and information and movement and
communications cargo environment communications attachment
and services capability
2. Plan, generate 4. Detect and 6. Generate and 8. Provide

and control A/C analyze A/C manage internal containment and
movement condition for flight power and internal support
manage systems
FIG. 4
Aircraft top-level functions.
Table 1 Morphing Wing System Functional Breakdown

Morphing System Functions
Drag minimization function

Lift adaptation function
Turbulence/gust load alleviation
Maneuvers load alleviation
Vibration and fatigue control
integrity also can be taken into account because of the structural load alleviation, protection, and con-
trol function, as seen in A/C function 8: Provide containment and internal support. An exploded view of
the aircraft level functions is given in the Table 2. High-level functions that might be potentially in-
volved by the use of an adaptive trailing edge device can be linked to the A/C function: Plan, generate,
and control A/C movement.
The functional safety analysis of a morphing wing concept and integrating different and indepen-
dently actuated morphing devices, must be performed at two different levels: the morphing wing level
and the single morphing device level. In order to integrate such results, a clear mapping of aircraft level
functions, morphing system functions, and physical devices becomes mandatory. These links create the
basis for a clear matching between the top-down morphing wing FHA and the bottom-up morphing
wing subsystems FHAs.
Table 2 Aircraft Functions Affected by Morphing Wing Concept

Aircraft Functions
2. Plan, generate and control A/C movement

2.2 Generate and control aircraft movement
2.2.5 Control A/C aerodynamics configuration
2.2.5.1 Control lift and drag
2.2.6 Protect aerodynamic control
2.2.6.1 To provide protection against turbulence effects
2.2.6.2 To provide protection against stall load
2.2.7 Provide aerodynamic control forces
2.2.8 Support supplemental flight control
2.2.8.1 To provide overload protection and A/C load protection
2.2.8.2 To provide protection against maneuvers effects
2.2.13 Generate lift
2.2.14 Provide aerodynamic stability
8. Provide containment and internal support
8.1 Provide containment
8.1.2 Provide structural integrity and loads distribution
8.1.2.1 To provide fatigue protection
Table 3 Functional Link Between Aircraft Level and Morphing System Functions
Morphing System
Functions Aircraft Level Functions
Drag minimization 2. Plan, generate and control A/C 2.2.5.1 Control lift and drag
function movement 2.2.7 Provide aerodynamic control forces
Lift adaptation function 2. Plan, generate and control A/C 2.2.5.1 Control lift and drag
movement 2.2.7 Provide aerodynamic control forces
2.2.13 Generate lift
2.2.14 Provide aerodynamic stability
Turbulence/gust load 2. Plan, generate and control A/C 2.2.6.1 To provide protection against turbulence
alleviation movement effects
Maneuvers load 2. Plan, generate and control A/C 2.2.8.2 To provide protection against maneuvers
alleviation movement effects
Vibration and fatigue 8. Provide containment and 8.1.2.1 To provide fatigue protection
control internal support
A/C load protection 2. Plan, generate and control A/C 2.2.6.2 To provide protection against stall load
movement 2.2.8.1 To provide overload protection and A/C
load protection
This work proposes a dual-level functional link, as reported in Tables 3 and 4. By combining these
tables, it is possible to draft the functional, logical and architectural relationships among aircraft level
functions, morphing wing system, functions and morphing device functions.
2.5 DUAL LEVEL SAFETY

The adaptation capability of the morphing wing investigated in this work is limited to a few predeter-
mined states reached by the combination of three different morphing devices: a droop nose, a morphing
trailing edge, and an adaptive winglet. The consequence is that the FHA analyses coming from the
single devices or subsystems must be integrated and harmonized at both the wing level and the aircraft
level, respectively.
The FHA harmonization/integration process, depicted in Fig. 5, is an iterative process in which the
results from the two level analyses are compared and properly combined. This approach allows for the
integration of the results coming from the single morphing devices in order to prove that functional and
safety properties are satisfied under operational conditions. For instance, the safety classification of a
generic failure reached by a single morphing device cannot be categorized with higher severity than the
associated failure managed at wing level, because other morphing devices or control surfaces might be
deployed to compensate for the loss of the corresponding wing level morphing function.
After the morphing wing FHA is drafted, then the lower level FTs can be prepared using the iden-
tified FCs as top events for every morphing device. After they are completed, the higher level (wing
level) FTs can be finalized by combining the lower level results, with the addition of the proper con-
ditioning factors and external events. Such a recommended approach is likely to be applicable to a
wider variety of morphing systems having different adaptive surfaces or functions.
3 FUNCTIONAL HAZARD ASSESSMENT 657
Table 4 Wing Morphing Subsystem Functional Matching

Morphing
System Involved
Functions Subsystem Way to Operate FHA Functions
Drag EADN Continuous/ Wing shape optimization function

minimization quasistatic “Drag minimization” and “lift adaptation” functions are
function operation connected together (i.e., a modification of the
ATED Continuous/ aerodynamic profile in order to increase lift also causes a
quasistatic drag coefficient change). The EADN will be used also as
operation high-lift device, during take-off and landing phases
WATE Continuous/
quasistatic
operation
Lift adaptation EADN Continuous/
function quasistatic
operation
ATED Continuous/
quasistatic
operation
WATE Continuous/
quasistatic
operation
Turbulence/ WATE Dynamic Turbulence/gust load alleviation function
gust load operation
alleviation
Maneuvers WATE Dynamic Maneuvers load alleviation function
load alleviation operation
Vibration and WATE Fast-dynamic Wing vibration and fatigue control function
fatigue control operation
A/C load WATE Dynamic Wing loads protection function
protection operation
3 FUNCTIONAL HAZARD ASSESSMENT

The FHAs are typically carried out at both aircraft and system levels. Such documents contain the
following information managed for each function (aircraft or system level accordingly):
• Identified FCs.
• Effects of FCs.
• Classification of each FC based on the identified effects.
• A statement summarizing the assumptions used for classifying each FC (e.g., adverse operational or
environmental conditions and phase of flight).
A discrete scale allows the categorization of the severity of the effects of a FC according to the CS-25
regulation criteria. The classification levels are defined as: Catastrophic, hazardous, major, major,
A/C level functional

definition
Morphing wing system

functional definition
Morphing wing system FTA and SSA
Morphing wing system

FHA (draft)
Wing Morphing Morphing
system final FHA device 01
Morphing
FTA
device 02
FTA Morphing
device 03
FHA harmonization/integration FTA
process Morphing
device 01
FHA
Morphing
device 02
FHA
Morphing
Morphing device device 03
01 FHA (draft) Morphing device FHA
02 FHA (draft)
Morphing device
03 FHA (draft)
Morphing device 01
physical
Morphing device 02
behavior
physical
Morphing device 03
behavior
physical
behavior
FIG. 5
Dual level safety process overview.
minor, or no safety effect, depending on the related impact on aircraft operation and crew workload, as
follows [8]:
No safety effect: FCs that have no effect on safety and do not affect the operational capability of the
airplane or increase crew workload. As a safety target, these failures have no probability requirement.
Minor: FCs that do not significantly reduce airplane safety, and that involve crew actions that are
well within their capabilities. Minor FCs include, for example, a slight reduction in safety margins or
functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some
physical discomfort to passengers or cabin crew. When using quantitative analyses, these failures are
3 FUNCTIONAL HAZARD ASSESSMENT 659
commonly accepted as probable, i.e., FCs having an average probability per FH less than the order of
1 10 5.
Major: FCs that reduce the capability of the airplane or the ability of the crew to cope with adverse
operating conditions. For example, a significant reduction in safety margins or functional capabilities, a
significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to the
flight crew, or physical distress to passengers or cabin crew, possibly including injuries. When using
quantitative analyses, these failures are commonly accepted as remote, i.e., FCs having an average
probability per FH greater than of the order of 1 10 5, but less than of the order of 1 10 7.
Hazardous: FCs that reduce the capability of the airplane or the ability of the crew to cope with
adverse operating conditions resulting in a large reduction in safety margins or functional capabilities,
an excessive workload to the flight crew or a serious or fatal injury to a relatively small number of the
occupants other than the flight crew. When using quantitative analyses, these failures are commonly
accepted as extremely remote, i.e., FCs having an average probability per FH greater than the order of
1 10 7 or less than of the order of 1 10 9.
Catastrophic: FCs that result in multiple fatalities, usually with the loss of the airplane. When using
quantitative analyses, these failures are commonly accepted as extremely improbable, i.e., FCs having
an average probability per FH greater than of the order of 1 10 9.
The goal of this step is to clearly identify the circumstances and severity of each FC along with the
rationale for its classification. For every identified morphing wing function, the following FCs can be
considered:
• Loss of function (total or partial).
• Erroneous provision of function.
• Inadvertent provision of function.
An example of subsystem level FHA developed in the framework of SARISTU project for the morph-
ing trailing edge device is shown in Table 5 [20]. The main information from the FHA includes
• The failure mode identification number.
• The failure mode description.
• The flight phase in which the failure mode can occur.
• The severity classification referred to CS-25 norms and the resulting probability figure required to
comply with CS-25 safety regulations.
• The FC details.
• A description of the A/C level effects.
• The detection method (if detection is possible).
• The flight crew reaction after failure detection (if detection is possible).
• The possible requirements coming from safety considerations (e.g., redundancy requirements,
inspections, etc.).
• The external events involved in the hazard (if applicable).
• The justification for safety categorization following CS-25 regulations.
Both qualitative and quantitative requirements result from the FCs safety classification. The typical
example is an electromechanical actuator (EMA) jamming. This failure mode leads to a FC that
can be identified with a functional loss. In detail, if the actuator allows the EMA-based morphing de-
vice to be configured to reduce drag, its jamming leads to a drag minimization function loss. As a result,
Table 5 Fault Hazard Assessment of the ATED [20]

A/C Safety Requirement
Flight
Failure Scenarios FC Title Phase(s) Severity Objective
Loss of wing shape FC01 Loss of Loss of ATED All MIN- 1E-3/FH
optimization function ATED control function flight MAJ 1E-5/FH
phases
Erroneous provision of FC02 Erratic Erratic ATED All MAJ 1E-5/FH
wing shape ATED control function flight
optimization function phases
Inadvertent provision of FC03 Uncommanded All MIN- 1E-3/FH
wing shape Uncommanded ATED function flight MAJ 1E-5/FH
optimization function ATED control phases
Partial loss wing shape FC04 Symmetric Symmetric partial All MIN- 1E-3/FH
control capability partial loss of loss of ATED flight MAJ 1E-5/FH
(symmetric) ATED function function phases
Asymmetric partial loss FC05 Asymmetric Asymmetric partial All MAJ 1E-5/FH
of wing shape control partial loss of loss of ATED flight
capability ATED function function phases
Partial loss of wing FC06 Partial loss Loss of ATED Landing MAJ- 1E-5/FH
shape control capability of ATED control on one wing HAZ 1E-7/FH
(asymmetric) combined (asymmetric) (asymmetric)
with one engine loss at combined with combined with one
landing one engine loss at engine loss at
landing landing
Partial loss of wing FC07 Partial loss Loss of ATED Landing MAJ- 1E-5/FH
shape control capability of ATED control on one wing HAZ 1E-7/FH
(asymmetric) combined (Asymmetric) (asymmetric)
with strong cross-wind combined with combined with
at take-off or landing strong cross wind strong cross-wind at
at landing landing
the qualitative requirement becomes a driver for the system architecture definition and affects both the
actuation kinematics and the deployment logics. In case of a safety critical systems, the morphing
device also must be designed with a proper integrity level and redundancies. Monitoring of safety
critical functions is a safety target for system designers: morphing wing surfaces that cause forced
oscillations or free floating, potentially resulting in wing structural collapse, must be designed with
a fail-safe approach (e.g., mass balancing preventing free float induced vibrations) or with an indepen-
dent control/monitor architecture that can prevent forced oscillations.
The ATED fault hazard assessment is also applicable at morphing wing system level for the
identification of the FCs. They are listed in Table 6. The main criticalities associated with the simul-
taneous use of different morphing devices could include:
• The droop nose device can cause a sudden stall, possible catastrophic scenario in case of take-off
and landing phases (no time for the pilot to perform recovery actions).
Table 6 Fault Hazard Assessment of a Morphing Wing Incorporating a Droop Nose, a Morphing Trailing Edge Device,
and an Adaptive Winglet
Safety Requirement Traceability
A/C External
ID Failure Flight Failure Cause/ Event or
Mode Title Phase(s) Severity Objective Involved Subsystem WATE ATE EADN Condition
1 2.2.5.1-01 Loss of wing All flight MAJ 1E-5/FH FC 2.2.5.1-01: Total 1.c 1.1– Row 2
Drag shape phases loss of SARISTU (FC2); 1.4
minimization/ optimization wing shape control 1.e
lift adaptation function capability (including (FC6)
jamming)
– Loss of WATE
quasistatic
operation
– Loss of ATE

control
– Loss of EADN
control
1.1 2.2.5.1-02 Erroneous All flight MAJ 1E-5/FH See FC 2.2.5.1-01: 3.a-d 3.1– Row
Drag provision of phases Erratic provision of 3.4 10–12
minimization/ wing shape SARISTU wing
lift adaptation optimization shape control
function – Erratic WATE
quasistatic
operation or
– Erratic ATE
control or
– Erratic EADN
control
1.2 2.2.5.1-03 Inadvertent All flight MAJ 1E-5/FH See FC 2.2.5.1-01: 2.a, 2. 2.2, Row 8
Drag provision of phases Inadvertent provision b, 2.d 2.4
minimization/ wing shape of SARISTU wing (FC4,
lift adaptation optimization shape control FC6,
function function FC2)
– Inadvertent
WATE
661
quasistatic
operation
Continued
662
and an Adaptive Winglet—cont’d
CHAPTER 21 MORPHING DEVICES

A/C External
– Uncommanded
ATE control
– Uncommanded
EADN control
2 2.2.5.1-04 Partial loss All flight MIN- 1E-3/FH FC 2.2.5.1-04: Partial 1.c 1.3, Row
Drag wing shape phases MAJ 1E-5/FH loss of SARISTU (FC2); 1.4 13–15,
minimization/ control wing shape control 1.e 34–39
lift adaptation capability function (FC6)
(symmetric) – Loss of WATE
quasistatic
operation or
– Loss of ATE
control or
– Loss of EADN
control
1.3 2.2.5.1-05 Asymmetric All flight MAJ 1E-5/FH See FC 2.2.5.1-01: 1.d 2.1, Row
2.2.7-01 partial loss of phases Loss of SARISTU (FC3, 2.3 31–33
Drag wing shape wing shape control on FC4)
minimization/ control one wing only
lift adaptation capability combined with
symmetry check
failure
– Loss of WATE
quasistatic
operation on one
wing or
– Loss of ATE
control on one
wing or
– Loss of EADN on
one wing control
3 2.2.7-02 Partial loss of Take-off HAZ 1E-7/FH FC 2.2.7-02: Loss of 1.d 2.3.1 Row One engine
Drag wing shape and SARISTU wing (FC4) 31–33 loss
minimization/ control landing shape control on one
lift adaptation capability wing only (with
(asymmetric) symmetry check
combined with failure) combined
one engine loss with one engine
at take-off or failure
landing – Loss of WATE
quasistatic
operation on one
wing or
– Loss of ATE
control on one
wing or
– Loss of EADN on
one wing control
N.B. For the

reference A/C the
classification is
HAZ due to the
engine collocation
(on the fuselage)
which causes a
limited yaw
moment in case of
one engine failure
4 2.2.7-03 Partial loss of Take-off CAT 1E-9/FH FC 2.2.7-03: Loss of 1.d 2.1 Row Strong
Drag wing shape and SARISTU wing (FC4) 31–33 crosswind
minimization/ control landing shape control on one
lift adaptation capability wing only (with
(asymmetric) symmetry check
combined with failure) combined
strong with strong crosswind
crosswind at – Loss of WATE
take-off or quasistatic
landing operation on one
wing or
663
Continued
664

A/C External
– Loss of ATE
control on one
wing or
– Loss of EADN on
one wing control
5 2.2.13-01 Loss of A/C Take-off CAT 1E-9/FH FC 2.2.13-01: Loss of Row 1,
Lift control due to and SARISTU wing 3, 4–6,
adaptation symmetric or landing shape control (high 31–33
asymmetric loss lift device function)
of EADN – Loss of EADN
control as high control as high lift
lift device device
5.1 2.2.13-05 Partial loss of Take-off CAT 1E-9/FH See FC 2.2.13-01: Row Icing
Lift EADN control and Partial loss of 13, 15, conditions
adaptation as high lift landing SARISTU wing 34, 36,
device shape control (high 37, 39
combined with lift device function)
icing conditions combined with icing
conditions
– Loss of EADN
performance as
high lift device
and icing
5.2 2.2.13-06 Erroneous Take-off CAT 1E-9/FH See FC 2.2.13-01: Row Icing
Lift provision of and Erroneous provision 10, 12 conditions
adaptation EADN control landing of SARISTU wing
as high lift shape control (high
device lift device function)
combined with combined with icing
icing conditions conditions
– Erroneous EADN
provision as high
lift device AND
icing
6 2.2.13-02 Partial loss of Take-off MIN 1E-3/FH FC 2.2.13-02: Partial Row
Lift EADN control and loss of SARISTU 13, 15,
adaptation as high lift landing wing shape control 34, 36,
device (high lift device 37, 39
function)
– Loss of EADN
control
efficiency/
reduction of
performance as
high lift device
61 2.2.13-03 Erroneous Take-off MAJ 1E-5/FH FC 2.2.13-03: Row
Lift provision of and Erroneous provision 10, 12
adaptation EADN control landing of SARISTU wing
– EADN erroneus

provision as high
lift device
7 2.2.13-04 Unexpected Take-off CAT 1E-9/FH FC 2.2.13-04: Row 7,
Lift provision of and Provision of 9
adaptation EADN control landing SARISTU wing
when not required
– EADN high lift
function
(unwanted
activation)
N 2.2.14-01 Loss (complete All flight NSE N/A Total/partial loss, 1.c to 1.1– Row
Drag or partial), phases erroneus or 1.g 3.4 13 to
minimization/ erroneus or inadvertent provision 15, 34
lift adaptation inadvertent of SARISTU wing to 39
provision of shape control
wing shape function
optimization – WATE generic
function failure
665
Continued
666

A/C External
– EADN generic
failure (low
excursion only)
– ATE generic
failure
8 2.2.6.1-01 Total loss of All flight NSE N/A FC 2.2.6.1-01: Loss 1.e, 1.g 1.4
Turbulence/ turbulence/gust phases of SARISTU (FC5)
gusts load load alleviation turbulence/gust load
alleviation capability alleviation:
– Loss of WATE
dynamic/
occasional gust
load alleviation
function
9 2.2.6.1-02 Total loss of All flight MAJ- 1E-5/FH FC 2.2.6.1-02: Loss 1.d, 1.f 1.4 Gusts/
Turbulence/ turbulence/gust phases HAZ 1E-7/FH of SARISTU (FC5) turbulences
gusts load load alleviation turbulence/gust load
alleviations capability in alleviation combined
case of gusts/ with turbulence/gusts
turbulences – Loss of WATE
dynamic/
occasional gust
load alleviation
function
10 2.2.6.1-03 Undetected All flight HAZ 1E-7/FH FC 2.2.6.1-03: Loss 1.d, 1.f 1.3 Gusts/
Turbulence/ total loss of phases of SARISTU (FC5) turbulences
gusts load turbulence/gust turbulence/gust load
alleviation load alleviation alleviation combined
capability in
turbulences and SHM/BIT failure
– Loss of WATE
dynamic/
occasional gust
load alleviation
function
8.1 2.2.6.1-04 Partial loss of All flight NSE N/A See FC 2.2.6.1-01: 1.e, 1.g 1.4
Turbulence/ turbulence/gust phases Partial loss of (FC5)
gusts load load alleviation SARISTU
alleviation capability turbulence/gust load
alleviation
– Loss of WATE
dynamic/
occasional gust
load alleviation
function
efficiency

9.1 2.2.6.1-05 Partial loss of All flight MAJ 1E-5/FH See FC 2.2.6.1-02: 1.e, 1.g 1.4 Gusts/
Turbulence/ turbulence/gust phases Partial loss of (FC5) turbulences
gusts load load alleviation SARISTU
alleviation capability in turbulence/gust load
case of gusts/ alleviation combined
turbulences with turbulence/gusts
– Loss of WATE
dynamic/
occasional gust
load alleviation
function
efficiency
10.1 2.2.6.1-06 Undetected All flight HAZ 1E-7/FH See FC 2.2.6.1-03: 1.d, 1.f 1.3 Gusts/
Turbulence/ partial loss of phases Partial loss of (FC5) turbulences
gusts load turbulence/gust SARISTU
alleviation load alleviation turbulence/gust load
capability in alleviation combined
turbulences and SHM/BIT failure
– Loss of WATE
dynamic/
667
occasional gust
load alleviation
function
efficiency
Continued
668

A/C External
11 2.2.6.1-07 Inadvertent/ All flight MAJ- 1E-5/FH FC 2.2.6.1-07: 2.a, 2. 2.1–
Turbulence/ undesired phases HAZ 1E-7/FH Inadvertent/ b, 2.d 2.4
gusts load provision of undesired provision (FC5,
alleviation turbulence/gust of SARISTU FC7)
load alleviation turbulence/gust load
function alleviation
– WATE dynamic/
occasional
function provided
when not needed
12 2.2.6.1-08 Erroneus All flight CAT 1E-9/FH FC 2.2.6.1-08: 3.a-d 3.1–
Turbulence/ provision of phases Erroneus provision of (FC5) 3.4
gusts load turbulence/gust SARISTU
alleviation load alleviation turbulence/gust load
function alleviation (during
turbulences/gusts)
– WATE dynamic/
occasional
function provided
with erroneus
parameters
13 2.2.8.2-01 Total loss of All flight MAJ 1E-5/FH FC 2.2.8.1-01: Loss 1.e, 1.g 1.4 Maneuver
Maneuvers maneuvers load phases of SARISTU (FC5) load
load alleviation maneuvers load
alleviation capability alleviation
– Loss of WATE
dynamic/
occasional
function in case
of A/C maneuvers
14 2.2.8.2-02 Undetected All flight HAZ 1E-7/FH FC 2.2.8.2-02: Loss 1.d, 1.f 1.3 Maneuver
Maneuvers total loss of phases of SARISTU (FC5) load
load maneuvers load maneuver load
alleviation alleviation alleviation with loss
capability of SHM/BIT function
– Loss of WATE
dynamic/
occasional
function in case
of A/C maneuvers
15 2.2.8.2-03 Partial loss of All flight MIN- 1E-3/FH FC 2.2.8.2-03: Partial 1.e, 1.g 1.4 Maneuver
Maneuvers maneuvers load phases MAJ 1E-5/FH of SARISTU (FC5) load
load alleviation maneuver load
alleviation capability alleviation
– Loss of WATE
dynamic/
occasional
function

efficiency in case
of A/C maneuvers
16 FC 2.2.8.2-04 Undetected All flight MAJ 1E-5/FH FC 2.2.8.2-04: Partial 1.d, 1.f 1.3 Maneuver
Maneuvers partial loss of phases of SARISTU (FC5) load
load maneuvers load maneuver load
alleviation alleviation alleviation with loss
capability of SHM/BIT function
– Loss of WATE
dynamic/
occasional
function
efficiency in case
of A/C maneuvers
17 2.2.8.2-05 Inadvertent/ All flight MIN- 1E-3/FH FC 2.2.8.2-05: 2.a, 2. 2.1– Maneuver
Maneuvers undesired phases MAJ 1E-5/FH Inadvertent/ b, 2.d 2.4 load
load provision of undesired provision (FC5,
alleviation maneuvers load of SARISTU FC7)
alleviation maneuver load
function alleviation
– WATE dynamic/
occasional
669
maneuvers load
alleviation
function provided
when not required
Continued
670

A/C External
18 2.2.8.2-06 Erroneus All flight CAT 1E-9/FH FC 2.2.8.2-06: 3.a-d 3.1– Maneuver
Maneuvers provision of phases Erroneus provision of (FC5) 3.4 load
load maneuvers load SARISTU maneuver
alleviation alleviation load alleviation
function – WATE dynamic/
occasional
maneuvers load
alleviation
function
parameters error
19 8.1.2.1-01 Total loss of All flight MIN- 1E-3/FH FC 8.1.2.1-01: Loss 1.e, 1.g 1.4
Wing vibration and phases MAJ 1E-5/FH of SARISTU (FC5)
vibration and fatigue control vibration and fatigue
fatigue function control function
control – Loss of WATE
fast-dynamic/
continuous
function to
control fatigue
loads
20 8.1.2.1-02 Undetected All flight MAJ 1E-5/FH FC 8.1.2.1-02: Loss 1.d, 1.f 1.3
Wing total loss of phases of SARISTU (FC5)
vibration and vibration and vibration and fatigue
fatigue fatigue control control function
control function combined with SHM
and/or BIT failure
– Loss of WATE
fast-dynamic/
continuous
function to
control fatigue
loads
21 8.1.2.1-03 Partial loss of All flight MIN 1E-3/FH FC 8.1.2.1-03 (or see 1.e, 1.g 1.4
Wing vibration and phases FC8.1.2.1-01 (FC5)
vibration and fatigue control depending on its
fatigue function classification): Loss
control of SARISTU
vibration and fatigue
control function
efficiency
– Loss of WATE
fast-dynamic/
continuous
function
efficiency to
control fatigue
loads
20.1 8.1.2.1-04 Undetected All flight MAJ 1E-5/FH See FC 8.1.2.1-02: 1.d, 1.f 1.3
Wing partial loss of phases Loss of SARISTU (FC5)

vibration and vibration and vibration and fatigue
fatigue fatigue control control function
control function efficiency with the
loss of SHM/BIT
monitoring
– Loss of WATE
fast-dynamic/
continuous
function
efficiency to
control fatigue
loads
22 8.1.2.1-05 Erroneus All flight CAT 1E-9/FH FC 8.1.2.1-05: 3.a-d 3.1–
Wing provision of phases SARISTU vibration (FC5) 3.4
vibration and vibration and and fatigue control
fatigue fatigue control function erroneus
control function provision
– Erroneus
parameters
providing WATE
fast-dynamic/
671
continuous
function to
control fatigue
loads
Continued
672

A/C External
23 2.2.8.1-01 Total loss of All flight NSE N/A Loss of SARISTU 1.e, 1.g 1.4
2.2.6.2-01 wing loads/ phases wing overload/stall (FC5)
Wing load overloads load protection
protection protection – Loss of WATE
function dynamic/
occasional load
protection
24 2.2.8.1-02 Total loss of All flight HAZ 1E-7/FH FC 2.2.8.1-02: Loss 1.e, 1.g 1.4 Overload
Wing load wing loads/ phases of SARISTU wing (FC5) condition
protection overloads overload/stall load
protection protection in
function in case conjunction with
of wing overload condition
overload – Loss of WATE
dynamic/
occasional load
protection when
needed
25 2.2.6.2-02 Total loss of Take-off CAT 1E-9/FH FC 2.2.6.2-02: Loss 1.e, 1.g 1.4 Stall load
Wing load wing loads/ and of SARISTU wing (FC5)
protection overloads landing overload/stall load
protection protection in
function in case conjunction with
of high stall overload condition
load – Loss of WATE
dynamic/
occasional load
protection when
needed
23.1 2.2.8.1-03 Partial loss of All flight NSE N/A Loss of SARISTU 1.e, 1.g 1.4
2.2.6.2-03 wing loads/ phases wing overload/stall (FC5)
Wing load overloads load protection
protection protection efficiency
function
– Loss of WATE
dynamic/
occasional load
protection
efficiency
26 2.2.8.1-04 Partial loss of All flight MAJ 1E-5/FH FC 2.2.8.1-04: Loss 1.e, 1.g 1.4 Overload
Wing load wing loads/ phases of SARISTU wing (FC5) condition
function in case – Loss of WATE
of wing dynamic/
overload occasional load
protection
efficiency
27 2.2.6.2-04 Partial loss of All flight MAJ- 1E-5/FH FC 2.2.6.2-04: Loss 1.e, 1.g 1.4 Stall load
Wing load wing loads/ phases HAZ 1E-7/FH of SARISTU wing (FC5)

of stall load dynamic/
occasional load
protection
efficiency
28 2.2.8.1-05 Undetected All flight HAZ 1E-7/FH FC 2.2.8.1-05: Loss 1.d, 1.f 1.3 Overload
Wing load partial loss of phases of SARISTU wing (FC5) condition
protection wing loads/ overload/stall load
overloads protection efficiency
protection and/or SHM/BIT:
of wing dynamic/
overload occasional load
protection
efficiency
28.1 2.2.6.2-05 Undetected All flight HAZ 1E-7/FH See FC 2.2.8.1-05 or 1.d, 1.f 1.3 Stall load
Wing load partial loss of phases FC 2.2.6.2-04 if (FC5)
protection wing loads/ considered HAZ:
overloads Loss of SARISTU
protection wing overload/stall
673
Continued
674

A/C External
function in case load protection
of stall load efficiency and/or
SHM/BIT
– Loss of WATE
dynamic/
occasional load
protection
efficiency
29 2.2.8.1-06 Inadvertent/ All flight HAZ 1E-7/FH FC 2.2.8.1-06: 2.a, 2. 2.1– Overload
2.2.6.2-06 undesired phases Inadvertent/ b, 2.d 2.4 or stall load
Wing load provision of undesired provision (FC5,
protection overload/stall of SARISTU FC7)
load protection overload/stall load
function protection
– WATE dynamic/
occasional
function provided
when not needed
30 2.2.8.1-07 Erroneus All flight CAT 1E-9/FH FC 2.2.8.1-07: 3.a-d 3.1– Overload
2.2.6.2-07 provision of phases Erroneus provision of (FC5) 3.4 or stall load
Wing load overload/stall SARISTU overload
protection load protection protection function
function (in case of overload)
– WATE dynamic/
occasional
function provided
with erroneus
parameters
31 8.1.2-01 Loss of All flight CAT 1E-9/FH FC 8.1.2-01: Mobile 1.b, 2.c 1.1,
Provide structural phases surfaces free float (FC1) 1.2
structural integrity due to (mechanical
integrity and SARISTU disconnection, total
loads device free float loss of system
distribution dumping)—WATE
only TBC
4 DUAL-LEVEL APPROACH FOR THE FTA OF A MORPHING WING 675
• Possible induced oscillations for fast dynamic actuated devices.

• Possible morphing devices asymmetric configurations causing asymmetric drag, critical or
catastrophic in combination with further external asymmetry causes (e.g., single engine loss,
crosswind). Also in this case, the worst scenario can occur during take-off or landing.
The morphing droop nose device is a single subsystem that can cause a catastrophic failure because of
the possible detachment of aerodynamic flow after an erroneous deployment. For this device, no com-
mon cause can lead to this scenario. A single functional design assurance level (FDAL) A or a dual
FDAL B design is necessary to match the safety requirements [9] (see SAE ARP 4754a for details).
Furthermore, because of the dynamic deployment, an independent control/monitor architecture
must be implemented into the adaptive winglet to prevent induced oscillations. A symmetric deploy-
ment check (with the possibility to stop the morphing devices if an asymmetry is detected) is also fun-
damental to prevent failure case scenarios and to comply with the quantitative safety targets to make the
selected architectures certifiable and airworthy.
Regarding the possibility to achieve wing load/vibrations alleviation/control functions with fast-
actuated morphing devices, the CS-25 regulations impose that the additional load caused by the failed
morphing device shall be considered in the design load. The consequence is that every related FC (from
the structural standpoint) is classified no more than minor in the frame of morphing wing FHA. Finally,
it has to be noted that although software functions should be considered in the FHA and the proper DAL
shall be assigned, these topics are not discussed because they are outside the scope of this chapter.
These can be found within the referenced documents [9].
4 DUAL-LEVEL APPROACH FOR THE FTA OF A MORPHING WING

The System Safety Assessment is a document that reports all the identified hazards for the system under
analysis and shows the compliance with the safety requirements. FTs are required for each FCs clas-
sified as HAZ or CAT by the FHA.
The FTA is a modeling technique able to represent the failure combination that can cause a hazard.
The quantitative data for the FTs are usually taken from the reliability data and analyses provided by the
device manufacturer. In the FTA, the FCs are usually linked with logic gates. For preliminary and sim-
ple FT, and and or logic gates are usually sufficient to represent the most common conditions. FTs
typically are built for a standard flight, which is defined by the aircraft manufacturer on the basis
of the aircraft type. Nevertheless, the safety requirements are expressed on the basis of a single FH.
With reference to the proposed morphing wing system, a dual-level approach was followed. This
involves a bottom-up process for subsystems and devices and a top-down process for the whole wing.
The following example shows how to implement the dual-level approach in the FTA. Fig. 6 represents a
subsystem FC developed with a FT technique. Basic events represent HW (mechanical or electric/
electronic) failures provided by supplier or by reliability books or FMES entry.
Concerning the ATED device, a number of FTs were produced to evaluate the impact of actuation
kinematics on the device system morphing authority, reliability, and functionality up to the top-level
aircraft functions. An example of FTA corresponding to the failure case “asymmetric partial loss of
ATED function,” whose FHA severity was identified as major, is shown in Fig. 7. The probability
Failure condition
identified at
subsystem/device
level
SUBSYS1_FC1
Basic events Basic events

combination combination
SUBSYS1_GATE1 SUBSYS1_GATE2
Basic event 2: Basic event 3:

Basic event 1: Basic event 4:
physical, physical,
physical, mechanical, physical, mechanical,
mechanical, or mechanical, or
or electronic failure or electronic failure
electronic failure electronic failure
SUBSYS1_BASIC1 SUBSYS1_BASIC2 SUBSYS1_BASIC3 SUBSYS1_BASIC4
r=0 r=0 r=0 r=0

FIG. 6
Example of subsystem/device level FT.
of failure of the top event was then analyzed along with its compliancy with the expected severity with
the purpose of making ATED a sufficiently reliable device for aircraft application.
Several indexes, such as actuator position control, motor shaft angle sensors, and actuator absorbed
power, can help reveal ATED failures. The construction of the FT is based on relationships between
events and causes, represented by means of logical and or gates, which solve the system complexity and
Asymmetric
Partial Loss
ASYM_LOSS
4 DUAL-LEVEL APPROACH FOR THE FTA OF A MORPHING WING

Q = 0,0001051
Loss of Loss of
Right_ATED Left_ATED
LOSS_RIGHT_ATED LOSS_LEFT_ATED
Q = 5,254E-05
FR = 5,254E-05
Failure in Failure in Failure in ribs

kinematic chain interfaces kinematics
ACTUATION_FAILURE INTERFACE_FAILURE RIBS_FAILURE

Q = 4,942E-05 Q = 3E-06 Q = 1,2E-07
Actuation beam/
Linear guide ATED WB Actuator / Spar Primary hinges Secondary
Actuator failure Actuation crank morphing rib Links fail
failure attachment attachment fail hinges fail
attachment
BENTAL LINEAR_GUIDE CRANK ATED_WB_FAIL ACT_SPAR_FAIL BEAM_RIB_FAIL PR_HINGES_FAIL SEC_HINGES_FAIL LINKS_FAIL
FR = 4,742E-05 FR = 1E-06 FR = 1E-06 FR = 1E-06 FR = 1E-06 FR = 1E-06 FR = 1E-08 FR = 1E-08 FR = 1E-07
FIG. 7
Fault tree example with failure rates per hour for asymmetric partial loss of ATED function [20].
677
its potential failures. To this aim, the failure probability of each basic component of the morphing ki-
nematics must be collected.
The main drawback associated with the use of electromechanical actuators is mechanical failure or
jamming, which can typically lead to hazardous/catastrophic A/C FCs. Conversely, according to the
ATED FHA, asymmetric ATED failure caused, for example, by actuators jamming, is classified as
major. This means that the associated impact on wing loads can be reduced by acting on conventional
aircraft control surfaces on the basis of the detected ATED shapes. Nevertheless, although minimal
impacts are expected on A/C controllability, pilot workload increases in order to trim the aircraft lon-
gitudinally and laterally. In addition, safety margins on aircraft block fuel must be considered to com-
pensate the potential loss of ATED functions in flight.
Although the failure rate of the top event is not fully compliant with the safety requirement
(Failure rate for major events: 1.0E-5/FH), the investigated architecture does not incorporate any
standard device for detecting and minimizing asymmetric conditions onboard aircraft. The easiest
option can include, for instance, an ATED position sensor and a brake system that can be activated
automatically to stop further ATED movement after the position sensors detect any asymmetric sit-
uation. Their use would allow the ATED meeting the safety requirements starting from a failure rate
of 0.1 per FH. For morphing systems performing load (static or dynamic) alleviation such as the
adaptive winglet, a dual command and monitoring lane with its own control unit (ECU) is mandatory
to guarantee an adequate redundancy. In addition, an acceptable number of linear variable displace-
ment transducers (LVDTs) mounted to the actuator ball screw and angular sensors are needed for
operational reliability.
An example of higher level FTA is shown in Fig. 8. The potential failures at the morphing wing
level are a combination of subsystems (single morphing devices) failure cases with proper exposure
factors or external events. If a failure mode does not have immediate and detectable effect, the related
events are called “latent” or “dormant.” Commercial FT software can be used to evaluate these events
through mathematical models. Latent or dormant failures can be detected only with specific func-
tional tests or maintenance actions. Proper inspection intervals also can be scheduled to satisfy safety
requirements. The currently available technology is able to minimize the certification maintenance
requirement (CMR) with the implementation of self-test ability, in particular for complex electronic
devices.
5 COMMON CAUSE ANALYSES

As already reported, the safety analysis is not limited to the verification of quantitative requirements for
the FCs identified in the FHA. Common cause analyses (CCA) are also necessary to verify the inde-
pendence of the systems failures, in terms of
• particular risk analysis

• common mode analysis
• zonal safety analysis.
5 COMMON CAUSE ANALYSES 679
Top event: failure

condition at
morphing wing
level
WING_FC1
Combination of
morphing wing
subsystems failures
leading to morphing
wing hazard
WING_GATE1
Conditioned Conditioned Undeveloped event:

failure condition failure condition failure condition
identified at identified at identified at
subsystem/device subsystem/device subsystem/device level
level level
SUBSYS1_CONTRIB SUBSYS2_CONTRIB SUBSYS3_FC1
r=0
Undeveloped event: Undeveloped event:

Exposure factor Exposure factor
failure condition failure condition
(flight phase (flight phase
identified at identified at
duration) duration)
subsystem/device level subsystem/device level
SUBSYS1_FC1 FLIGHT_PHASE SUBSYS2_FC1 FLIGHT_PHASE2
r=0 r=0 r=0 r=0

FIG. 8
Example of morphing wing level FT.
5.1 PARTICULAR RISK ANALYSIS

Particular risk analysis and zonal safety analysis are related mainly to the physical installation and de-
sign of the systems. Without the actual application and associated constraints, these analyses can be
drafted only by supporting some assumptions about the general morphing wing concept. For the EADN
device, a bird strike is one of the most important risks to be considered. According to the CS-25, the
EADN design shall be designed to assure capability of continued safe flight and landing of the airplane
after impact with a 4-lb bird when the velocity of the airplane (relative to the bird along the airplanes
flight path) is equal to cruise velocity (VC) at sea level or 0.85 VC at 2438 m (8000 ft), whichever is the
most critical. Compliance can be shown by analysis only when based on tests carried out on sufficiently
representative structures of similar design.
5.2 COMMON MODE ANALYSIS

For catastrophic FCs, the quantitative requirement (failure probability <1E-9/FH) is not sufficient to
make an aircraft system airworthy. An additional requirement is that no single failure shall lead to the
top hazard. This condition can be checked by verifying the FT structure. A FT branch shall be combined
with another one by means of an and gate before reaching the top event to be compliant with this re-
quirement. This check is usually performed by the tool with the “minimal cut set” extraction.
In case of a software function executed by a dedicated HW leading to a catastrophic FC, a dissim-
ilarity is required. For instance, the same function must be executed by two different sets of HW, with
two different sets of software developed by independent teams. A HW/SW dissimilarity is not required
for the wind tunnel test demonstrator, but the proposed architecture for the safety critical subsystems
must take into account the possibility to be upgraded in case of real scenario application.
5.3 ZONAL SAFETY ANALYSIS

A common mode failure also can be caused by the interaction of nearly installed equipment without
adequate protection/isolation. Thus it might be important to evaluate the possible zonal hazards in case
of real scenario application after the early design stage. General zonal hazards can be because of
• Hot point or electrical cables/connectors installed in proximity of pipes, tanks, or accumulators

containing flammable fluids (mainly fuel or hydraulic oil).
• Equipment with explosion risk or with high kinetic energy components (mainly rotating parts such
as turbines) that can result in high energy debris release. In this case, every nearly installed
component can be damaged without a proper protection.
• Equipment that can result in an uncontained fire (engine combustor, electrical equipment). The
possible scenario is a propagation of damage to surrounding equipment or tubes, cables, etc.
• Equipment filled with aggressive fluids (such as acid). A fluid leakage can cause damage or
contamination to surrounding components.
Proper protection of cable and pipe routings must be considered in order to minimize zonal safety haz-
ards. Some previously exposed hazards seem to derive from the combination of at least two indepen-
dent failures. For example, in case of electrical cables/connectors positioned near fuel or hydraulic
REFERENCES 681
pipes, the fire/explosion event can be envisaged only if an electrical arc/spark is generated (failure of
cable or connector) in combination with a flammable fuel leakage (pipe rupture).
6 CONCLUSIONS
The design of morphing devices must not compromise the aircrafts general performance and intrinsic
functions. This chapter covers the major safety and reliability aspects associated with the design and
integration of morphing systems into an aircraft wing. The summary recommendation is that a three-
step strategy is needed for a safe use and successful certification of morphing devices. This strategy
consists of individual and combined safety assessments, followed by system design activities to comply
with the corresponding safety requirements, and design assurance using the latest A/C safety standards.
For future applications, theoretical and detailed simulations must support these steps along with model-
based design techniques. Furthermore, the verification process of the system level functional and safety
target can require different testing plans and tools to assess the associated risks. Although the chapter
has focused on some particular morphing devices and types, such a flow and recommendations are
likely to be applicable to a wider variety of morphing concepts.
REFERENCES
[1] www.saristu.eu (Accessed 17 December 2016).
[2] G. Amendola, I. Dimino, M. Magnifico, R. Pecora, Distributed actuation concepts for a morphing aileron
device. Aeronaut. J. 120 (1231) (2016) 1365–1385, https://doi.org/10.1017/aer.2016.64.
[3] G. Amendola, I. Dimino, F. Amoroso, R. Pecora, Experimental characterization of an adaptive aileron: lab
tests and FE correlation, SPIE Smart Structures/NDE, Las Vegas, NV, March 2016. Proc. SPIE 9803, Sensors
and Smart Structures Technologies for Civil, Mechanical, and Aerospace Systems 2016, 98034P (2016);
https://doi.org/10.1117/12.2219187.
[4] I. Dimino, A. Concilio, and R. Pecora, Primary structural components characterization of an adaptive trailing
edge device (ATED), 24th AIAA/AHS Adaptive Structures Conference, AIAA SciTech, 4–8 January, 2016.
[5] Pecora, R., Concilio, A., Dimino, I., Amoroso, F., Ciminello, M., Structural design of an adaptive wing trail-
ing edge for enhanced cruise performance, 24th AIAA/AHS Adaptive Structures Conference, AIAA Sci-
Tech, 4–8 January, 2016.
[6] NASA, US AFRL, “Adaptive Compliant Trailing Edge Flight Experiment”, RC Soaring Digest, Vol. 31,
N.14, pp. 85–86, 2014.
[7] NASA Website, http://www.nasa.gov/press/2014/november/nasa-tests-revolutionary-shape-changing-
aircraft-flap-for-the-first-time, Release 14-308, November 7, 2014.
[8] European Aviation Safety Agency, Certification Specifications and Acceptable Means of Compliance for
Large Aeroplanes. CS-25. Amendment 17, 2015.
[9] SAE ARP4754A, Guidelines for Development of Civil Aircraft and Systems, SAE Aerospace Recommended
Practice, SAE International, 2010.
[10] SAE ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne
Systems and Equipment, SAE International, 1996.
[11] O. Heintze, S. Steeger, A. Falken, J. Heckmann, in: Enhanced adaptive droop nose—from computer model to
multi-functional integrated part, Smart Intelligent Aircraft Structures (SARISTU). ISBN 978-3-319-22413-8,
2015, pp. 97–111, https://doi.org/10.1007/978-3-319-22413-8_5.
[12] M. Kintscher, J. Kirn, S. Storm and F. Peter, Assessment of the SARISTU enhanced adaptive droop nose, in
Smart Intelligent Aircraft Structures (SARISTU), 2015, pp. 113–140, isbn 978-3-319-22413-8.
[13] R. Pecora, F. Amoroso, M. Magnifico, I. Dimino, A. Concilio, KRISTINA: kinematic rib based structural
system for innovative adaptive trailing edge, SPIE Smart Structures/NDE, Las Vegas, NV, March 2016. Proc.
SPIE 9801, Industrial and Commercial Applications of Smart Structures Technologies 2016, 980107, April
16 (2016); https://doi.org/10.1117/12.2218516.
[14] I. Dimino, G. Diodati, A. Concilio, A. Volovick, L. Zivan, Distributed Electromechanical Actuation System
Design for a Morphing Trailing Edge Wing, SPIE Smart Structures/NDE, Las Vegas, Nevada (USA) March
2016, in: Proc. SPIE 9801, Industrial and Commercial Applications of Smart Structures Technologies 2016,
980108, April 16, 2016.
[15] I. Dimino, A. Concilio, M. Schueller, A. Gratias, An Adaptive Control System for Wing TE Shape Control,
in: SPIE International Conference on Smart Structures 2013, San Diego, California, USA, 10-14 March 2013.
[16] Allen, J.B., Articulating winglets, US5988563 A, 1999.
[17] Irving, J., Davies, R., Wing tip device, US7275722 B2, 2007.
[18] A. Wildschek, S. Storm, M. Herring, D. Drezga, V. Korian, O. Roock, Design, optimization, testing, veri-
fication, and validation of the wingtip active trailing edge, Smart Intelligent Aircraft Structures (SARISTU),
pp. 219–255.
[19] Working group document, Framework for the Application of Systems Engineering in the Commercial
Aircraft Domain. Version 1.2a, July 28. 2000.
[20] I. Dimino, A. Concilio and R. Pecora, Safety and reliability aspects of an adaptive trailing edge device
(ATED), 24th AIAA/AHS Adaptive Structures Conference, AIAA SciTech, 4–8 January, 2016.

Chapter 21 - Morphing Devices Safety Reliability A - 2018 - Morphing Wing Tec

Uploaded by

Copyright:

Available Formats

Chapter 21 - Morphing Devices Safety Reliability A - 2018 - Morphing Wing Tec

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 21 - Morphing Devices Safety Reliability A - 2018 - Morphing Wing Tec

Uploaded by

Copyright:

Available Formats

CHAPTER

MORPHING DEVICES: SAFETY,

Morphing Wing Technologies. https://doi.org/10.1016/B978-0-08-100964-2.00021-6

CMR certification maintenance requirement

2 SYSTEM LEVEL APPROACHES TO THE CERTIFICATION OF MORPHING

• Enhanced adaptive droop nose (EADN).

2.1 ADAPTIVE DROOP NOSE

2.2 ADAPTIVE TRAILING EDGE DEVICE

2.3 MORPHING WINGLET

2.4 DEFINING THE SYSTEM LEVEL FUNCTIONS OF MORPHING DEVICES

1. Provide and 3. Provide crew, 5. Distribute 7. Provide A/C

2. Plan, generate 4. Detect and 6. Generate and 8. Provide

Table 1 Morphing Wing System Functional Breakdown

Drag minimization function

Table 2 Aircraft Functions Affected by Morphing Wing Concept

2. Plan, generate and control A/C movement

2.5 DUAL LEVEL SAFETY

Table 4 Wing Morphing Subsystem Functional Matching

Drag EADN Continuous/ Wing shape optimization function

3 FUNCTIONAL HAZARD ASSESSMENT

A/C level functional

Morphing wing system

Morphing wing system

Table 5 Fault Hazard Assessment of the ATED [20]

3 FUNCTIONAL HAZARD ASSESSMENT