PRELIMINARY SYSTEM SAFETY HAZARD ANALYSIS OF A TRANSPORT HELICOPTER SHM SYSTEM

The purpose of this paper is to provide the Mi-8/17 helicopter Structural Health Monitoring (SHM) System Preliminary System Safety Hazard Analysis (PSSHA). The PSSHA identifies and classifies potential hazards, and the actions necessary to reduce or eliminate the risks resulting from the installation and operation of the SHM System on board the helicopter. The overall objective of the PSSHA is to establish that the potential Mi-8/17 helicopter modification does not introduce unacceptable hazard conditions for either the helicopter or personnel. The MIL-STD-882 risk assessment methodology is applied to assess hazards and risk acceptance levels for both hardware and software elements of the SHM system.


Introduction
The fundamental objective of system safety is accident prevention. Accident prevention can be achieved by means of identification, assessment, and elimination or control of safety-related hazards to acceptable levels. A hazard is a real or potential condition that could lead to an unplanned event or series of events (i.e. mishap) resulting in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment [1]. Risk expresses the impact of an unplanned or undesired event in terms of its severity and event probability.
Structural Health Monitoring (SHM) of fixed and rotary wing aircraft is one of the major current research and development directions; it enhances the safety of aircraft operation and may reduce maintenance costs [2][3][4][5][6][7].
The purpose of this paper is to provide an analysis of the Mi-8/17 helicopter systems and personnel safety hazards when potentially modified by installation of an SHM system. This Mi-8/17 Helicopter SHM System Preliminary System Safety Hazard Analysis (PSSHA) identifies and classifies potential hazards, and the actions necessary to reduce or eliminate the risks resulting from the installation and operation of the SHM System on board the Mi-8/17 helicopter.

Configuration of Mi-8/17 Helicopter SHM System
For the purpose of this PSSHA it was assumed that the Mi-8/17 Helicopter SHM System consists of 6 SHM subsystems [5-7] which could be optionally chosen by the military customer according to its needs and possibilities. A list of the hardware elements of the SHM system is presented in tab. 1. Figure 1 presents a graphical representation of the Mi-8/17 SHM System hardware variants. The particular block symbols used in fig. 1 are explained in tab. 2.

Table 2. SHM System's configuration block symbols

Visual representation Description
This block represents the entire SHM system which consists of 6 subsystems.
This block represents optional choice and has the same meaning as traditional OR gate.
This block represents the particular SHM subsystem and has the same meaning as traditional AND gate.
This block represents a combined optional choice: one-out-of-two OR both pieces of equipment.
This block represents particular equipment/unit.

Hazards and risk acceptance levels for hardware
All of the new or modified (sub)systems comprising the SHM system were evaluated against a selected list of potential hazards shown in tab. 3. The risk identifier codes were used to identify the most likely risks incurred for each (sub)system.

Finally, the mishap risk acceptance levels for the Mi-8/17 SHM System modification are shown in tab. 5 below. The mishap risk acceptance level for the low risk category was assigned a level of "Acceptable" based on an initial assessment of the potential modifications. All of the acceptance levels are subject to change by the Program Manager after consulting with the military customer and assessing the impacts of potential hazards on the Mi-8/17 helicopter.

Example of hazard analysis of SMP unit
The SMP unit is a signal conditioning and sensor calibration unit for the KAM-500/SSR-500. The unit operates with up to 32 channels for strain gages. In each channel, measuring-bridge completion resistors are provided for half- and quarter-bridge configurations. Additionally, a calibrating resistor is installed for each channel, to calculate the transfer function from volts to engineering units.

Anticipated Risks
The SMP unit has not been tested to confirm compliance with the environmental specification requirements. It was developed as research equipment. However, the SMP unit was designed for airborne experiment applications with all the specific requirements for such use taken into account, so all necessary tests can be conducted without considerable hardware changes.
No new risks are expected as a consequence of the installation of the SMP unit as long as the installation is in accordance with commercial and military standards for avionics. However, integration safety hazards may include incomplete or incorrect integration with the KAM-500 or SSR-500. This can cause malfunctions in the operation of both the SMP unit and the KAM-500 or SSR-500.

Risk Reduction/Mitigation
The SMP unit should be installed in accordance with commercial and military standards for avionics. They were taken into account by ITWL during Operational Loads Programs (OLM) conducted on: PZL-130 Orlik TC II turboprop aircraft, Su-22 fighter-bomber aircraft, MiG-29 and MiG-29UB fighter aircraft, Mi-14 and Mi-24 helicopters. Therefore, there are minimal risks involved with the potential installation and integration of this system on board the Mi-8/17 helicopter.

Ground and Flight Testing
Ground checkout procedures will be accomplished following the Ground Test Plans. Operational checks should be accomplished in flight to verify functioning of the complete system in accordance with appropriate airworthiness documents.

Hazard Assessments
Risks identified for the on-board installation of the SMP unit include System Hazard Identifiers HAZ001, HAZ002, HAZ003, HAZ010 and HAZ022 from tab. 3. Risk mitigation efforts that include accomplishment of an aircraft electrical load analysis and power source capacity analysis, provision of all materials and equipment as specified in the appropriate airworthiness documents, and performance of a weight and balance check (since the SMP unit is a new system added to the baseline helicopter configuration) should be sufficient to ensure a successful installation. The probability and the severity of failure are outlined in tab. 6.

Hazards and risk acceptance levels for software
A selected list of potential software hazards is shown in tab. 7. The risk identifier codes were used to identify the most likely risks incurred for the software.

SHM system software hazard analysis
The Mi-8/17 SHM system software generates information of a structural-integrity-related nature used to make decisions by the operator or maintainer, but requires neither maintainer nor operator action to avoid a mishap. It is ground-based software and neither exercises control authority over potentially safety-significant hardware systems, subsystems, or components nor issues commands over safety-significant hardware systems, subsystems, or components.

Risks identified include System Hazard Identifiers HAZ100, HAZ101 and HAZ102 from tab. 7. Risk mitigation efforts that include using an officially recognized standard, method, technique or practice for software risk elimination or reduction should be sufficient to ensure a successful software operation. The probability and the severity of software failure are outlined in tab. 8.

Hazard analysis summary
Finally, the hazard analysis summary for both hardware and software elements of the SHM system is presented in tab. 9.

Conclusions
The MIL-STD-882 risk assessment methodology was successfully applied to assess hazards and risk acceptance levels for both hardware and software elements of the Mi-8/17 helicopter SHM system.
The SHM System Preliminary System Safety Hazard Analysis (PSSHA) shows that the installation of an SHM system on the Mi-8/17 helicopter does not introduce unacceptable hazard conditions for either the helicopter or personnel, provided that some mitigation actions are taken.
After imposing risk reduction/mitigation activities, the Risk Acceptance Levels for all identified hazards are not higher than Allowable.