1、 Standard ANSI/AIAA S-102.2.11-2009 Performance-Based Anomaly Detection and Response Analysis AIAA standards are copyrighted by the American Institute of Aeronautics and Astronautics (AIAA), 1801 Alexander Bell Drive, Reston, VA 20191-4344 USA. All rights reserved. AIAA grants you a license as follo
2、ws: The right to download an electronic file of this AIAA standard for storage on one computer for purposes of viewing, and/or printing one copy of the AIAA standard for individual use. Neither the electronic file nor the hard copy print may be reproduced in any way. In addition, the electronic file
3、 may not be distributed elsewhere over computer networks or otherwise. The hard copy print may only be distributed to other employees for their internal use within your organization. ANSI/AIAA S-102.2.11-2009 American National Standard Performance-Based Anomaly Detection and Response Analysis Sponso
4、red by American Institute of Aeronautics and Astronautics Approved 17 November 2008 American National Standards Institute Abstract This standard provides the basis for developing identification and response methods for system anomalies or faults that pose unacceptable risk. The requirements for cont
5、ractors, planning and reporting needs, and analytical tools are established. The linkage of this standard to the other standards in the new family of performance-based reliability and maintainability standards is described. ANSI/AIAA S-102.2.11-2009 ii Library of Congress cataloging-in-publication d
6、ata on file Published by American Institute of Aeronautics and Astronautics 1801 Alexander Bell Drive, Reston, VA 20191 Copyright 2009 American Institute of Aeronautics and Astronautics All rights reserved No part of this publication may be reproduced in any form, in an electronic retrieval system o
7、r otherwise, without prior written permission of the publisher. Printed in the United States of America ANSI/AIAA S-102.2.11-2009 iii Contents Forewordiv 1 Scope 1 1.1 Purpose. 1 1.2 Application 1 2 Applicable Documents . 2 2.1 Normative References . 2 2.2 Relationship To Other S-102 Standards . 3 3
8、 Vocabulary 3 3.1 Acronyms and Abbreviated Terms 3 3.2 Terms and Definitions 4 4 General Requirements. 6 4.1 Contractor Responsibility. 6 4.2 Planning 6 4.3 ADR Analysis Report . 7 5 Detailed Requirements. 7 5.1 System Design and Operational Data Collection . 7 5.2 Functional Failure Mode Identifica
9、tion 7 5.3 Functional Failure Analysis 8 5.4 ADR Analysis Database. 11 5.5 Data Exchange Between ADR Analysis Process And Other Activities. 12 5.6 ADR Analysis Process Performance Evaluation 12 5.7 Lessons Learned 15 5.8 Structured Review 16 Annex A AIAA S-102 Document Tree (normative) 17 Annex B AI
10、AA S-102 Anomaly Detection and Response Analysis Capability Level Requirements (normative). 18 Annex C AIAA S-102 ADR Analysis Keyword Data Element Description (normative) 21 Figures Figure 1 System FFA Process Flow (Notional). 9 Figure 2 Example of an FFA Dataset Performance Rating 15 Tables Table
11、1 AIAA S-102 Failure Severity Classification 8 Table 2 FFA Dataset Maturity Rating Criteria. 13 ANSI/AIAA S-102.2.11-2009 iv Foreword Although the terms quality and reliability are often used interchangeably they have different meanings. Quality as used in this standard, is the ability of a product
12、to meet the workmanship criteria established by an organization. A different, but often used, definition of quality: Quality is the set of all desired attributes that can be put in a product. In this sense, quality cannot be achieved without achieving the desired reliability. Reliability is the abil
13、ity of a product or system to perform its intended function(s) for a specified time or operating cycles. A high-quality product may not be a high-reliability product even though it conforms to stringent workmanship specifications. The ISO 9000 series standards that establish the ability of an organi
14、zation to consistently produce high-quality products do not necessarily establish that same organizations ability to consistently deliver high-reliability products. Consequently, the ISO 9000 series certification process, which serves as the main international reference for Quality Program requireme
15、nts in business-to-business dealings, is not the appropriate reference for international or domestic R timely establishment of ADR analysis technical performance metrics (TPM); timely collection and evaluation of necessary engineering information e.g., signal lists, specs, interface control drawing
16、(ICD), test data, operational data, schematics, and product failure mode, effects, and criticality analysis (FMECA) to identify all functional failure modes that pose unacceptable risk; timely creation of a functional failure analysis (FFA) dataset that defines the detection, verification, isolation
17、, and response methods, as applicable, for each identified functional failure mode; timely validation of each FFA dataset; and timely documentation of the ADR Analysis. The FFA is a systematic methodology for identifying and responding to functional failure modes that require such actions as defined
18、 by the FMECA or other failure analysis such as system test; failure reporting, analysis, and corrective action system (FRACAS); system safety; or risk management. 1.2 Application This standard applies to acquisitions for the design, development, fabrication, test, and operation of commercial, civil
19、, and military systems, equipment, and associated computer programs. This standard provides capability-rating criteria that are intended to categorize the capability of sets of commonly used activities in ADR analysis practices. The capability criteria provide the logical order of activities for imp
20、roving the effectiveness of an existing ADR analysis practice in stages. To use these criteria to improve an existing ADR analysis practice, establish minimal-acceptance criteria and compare them to the activities of that practice. The minimal-acceptance criteria may include all or only some of the
21、activities in one of the predefined capability levels in this standard. This comparison identifies the activities that need to be added to the existing ADR analysis practice. This standard also applies to the integration of the ADR analysis database with a project R (2) Hardware Reliability any unde
22、sired state of a component or system; (3) Components a defect or flaw in a hardware or software component NOTE (1) A fault may cause a failure. 2Definition source: MIL-HDBK-338B 3Definition source: MIL-HDBK-338B 4Definition source: S-102 Working Group 5Definition source: IEEE 100, The Authoritative
23、Dictionary of IEEE Standards Terms ANSI/AIAA S-102.2.11-2009 5 NOTE (2) A fault does not necessarily require failure. failure coverage ratio of failures detected to failure population, expressed as a percentage6failure resolution degree to which failure diagnostics procedures can isolate a failure w
24、ithin an item; generally expressed as the percent of the cases for which the isolation procedure results in a given ambiguity group size7failure response action(s) taken to address the fault, whether by safing, initiating a transition state, or completely restoring the system functionality FFA datas
25、et logical representation of the set of detection, verification, isolation, or response methods for a specific functional failure mode8independent verification provision of sufficient information for an organization or individual to obtain the same results as the analysts when redoing the analysis m
26、ission assurance process a top-down, comprehensive, risk-management process that is performed over the life cycle of a high unit-value system to identify, evaluate, and mitigate or control all potential hazards and failures that pose an unacceptable risk to mission success. NOTE: Potential, damage-t
27、hreatening hazards and mission-impacting failures may be caused by requirements, developmental activities, handling methods, environmental conditions, physical interactions, functional characteristics, or operator actions. non-credible failure mode failure mode with a probability of occurrence less
28、than 1.0E-6, 0.000001, or one in a million performance-based R b) automated detection, isolation, and safing or restoration11of identified functional failure modes that are potentially damage threatening; and c) automated detection, isolation, and restoration12of identified functional failure modes
29、that are not potentially damage threatening. The contractor shall develop and implement the system FFA process in accordance with the approved ADR analysis plan. Figure 1 illustrates the notional flow process for the development and implementation of the system FFA process. 11Failure restoration may
30、 be either partially automated (i.e., man-in-the-loop) or fully automated (i.e., no man-in-the-loop) 12Failure restoration may be either partially automated (i.e., man-in-the-loop) or fully automated (i.e., no man-in-the-loop) ANSI/AIAA S-102.2.11-2009 9 Figure 1 System FFA Process Flow (Notional) T
31、he FFA for each functional failure mode that requires an automated response or manual operational procedures shall be validated13in accordance with the ADR analysis plan. The analysis results for all such functional failure modes shall be documented in the FFA report. This document shall be reviewed
32、 and approved by all affected project functions and maintained under formal project configuration control. 5.3.1 Failure Detection Analysis The contractor shall identify the system data needed to detect each functional failure mode that poses unacceptable risk, or provide rationale for taking no act
33、ion. This includes the specific data parameters appropriate to detect the functional failure mode along with the limits appropriate to indicate loss of functionality. The failure detection method shall be documented in the FFA dataset for each functional failure mode. Where required, the method of f
34、ailure prognostics shall be documented in the FFA dataset also. Failure prognostics shall include the system health data that is required to predict failures but which is outside the normal operating data specified for nominal system operation. The additional system health data that are considered f
35、or prognostics shall include sensor location, sample rate, telemetry format, etc. The FFA shall establish that all of the data needed to identify the functional failure are present and accessible, either sequentially or simultaneously. The ADR analysis and FFA datasets shall include the necessary lo
36、gic to combine the system health data sensor values, as needed, to identify the detection method for each system failure condition. If the system health data sensors that are needed to detect a particular functional failure are not available, then that failure shall be declared “undetectable” and re
37、corded accordingly in the ADR analysis report. The method for calculating the predicted failure coverage of the system shall be defined in the ADR analysis plan. The plan shall require the predicted failure coverage to be determined using data that correlates each detected failure with the signature
38、 it produces during system operation. The failure coverage prediction shall include the documented ordering of signatures with corresponding failed items. An unacceptable failure coverage prediction value shall be reported to project management in a timely manner. 13FFA validation includes peer revi
39、ew and certification in accordance with approved program peer review procedures and checkout using modeling or simulation tools. ANSI/AIAA S-102.2.11-2009 10 Verification of the failure detection method shall be included in the validation of the FFA dataset for each system failure condition. The rat
40、ionale for selecting particular system health data sensors as the preferred detection method along with the defined data limits shall be evaluated and approved. 5.3.2 Failure Verification Analysis The contractor shall identify a method to verify the persistence of each functional failure mode detect
41、ed. The failure persistence method shall be documented in the FFA report for the FFA dataset that addresses each functional failure mode. The FFA datasets shall not allow the isolation methods to be triggered by a transient or intermittent condition unless it is first verified to be a functional fai
42、lure by the persistence method. The ADR analysis plan shall define the type of persistence method that is to be used for each functional failure mode. The failure persistence methods shall minimize false alarms and maximize functional failure mode detection while optimizing the time needed to achiev
43、e successful failure isolation. The failure persistence method shall be included in the validation of the FFA datasets for each functional failure mode. The rationale for selecting the particular method to monitor system health data shall be evaluated and approved. 5.3.3 Failure Isolation Analysis I
44、f required, the contractor shall identify a method to isolate each detected functional failure mode to its source. The failure isolation method shall be documented in the FFA report for the dataset that addresses each functional failure mode. The availability of the system health data shall be consi
45、dered. The FFA shall establish that all of the data needed to isolate the functional failure are present and accessible, either sequentially or simultaneously. The ADR analysis must include the necessary logic to combine the system health data values in order to isolate to a system failure site. If
46、the system health sensors needed to isolate a particular functional failure are not available, then it shall be declared as an isolation risk and recorded accordingly in the ADR analysis report. The method for calculating the predicted failure resolution of the system shall be defined in the ADR ana
47、lysis plan. The plan shall require the predicted failure resolution to be determined using data that correlates each detected failure with the signature it produces during system operation. The failure resolution prediction shall include the documented ordering of signatures with the corresponding f
48、unctioning items that must be tested to locate the failed item. Unacceptable failure resolution prediction values shall be reported to project management in a timely manner. Verification of the failure isolation method shall be included in the validation of the FFA dataset for each system failure co
49、ndition. The rationale for selecting particular system health data sensors for the preferred isolation method along with the defined data limits shall be evaluated and approved. 5.3.4 Failure Response Analysis If required, the contractor shall identify and specify a response for each detected functional failure mode. The failure response method shall be documented in the FFA report for the dataset that addresses each functional failure mode. The failure responses shall define the actions necessary to safe the system or compensate for specific failure modes. All
