System Design, Hydraulic

Apr 06, 2018

crd1990
  • 8/3/2019 System Design, Hydraulic

    System Design, Hydraulic

    The basic procedure for conducting system design for an aerospace hydraulic system is outlined below. The major considerations in each design step are listed. As always, design is an iterative process and every design has unique characteristics. Hence it is impossible to outline every possible nuance or detail in a design or a design process. The intent of the procedure outlined here is to assist a system design engineer by showing the bigger picture, providing a sensible path to follow for design and providing a sufficient list of considerations at each step in the process.

    The ultimate (or idealistic) goal of any design is to produce a cost effective, manufacturable design that meets all performance, safety and reliability specifications one time through the process. In practice, this is an unrealistic assumption, but if follow-on design changes can be minimized by proper planning, organizing, analysis and design technique, then a system design engineer has done his/her job very well.

    A general hydraulic system is shown in Figure 1. This figure shows the components in the power generation system and shows typical components used for the actuation functions. Figure 1 is a generic system and is not based on any specific flight vehicle.

    Figure 1 General Hydraulic System

    A redundant hydraulic system layout is shown in Figure 2. This system uses 2 independent systems with electric motor backup for each system. Note that the electric motor pump could be located outside of the rotor noncontainment zone to protect against a dual loss scenario from a single event. Also note there are no connections between the two systems. In some applications a power transfer unit (motor & pump connected through a shaft) will be installed to allow one system to drive the other system under certain failure conditions. For more information on power transfer units see Motor, Hydraulic Description.

    Figure 2 Redundant Hydraulic System Layout

    Overall System Sizing Methodology

    The overall sizing methodology is illustrated in the flowchart shown in Figure 3. As illustrated in Figure 3, many steps need to be repeated for each hydraulic system on the vehicle. The flow is shown as a serial process, but in reality many tasks are done in parallel using the best data available at a given point in time. Not shown in the process are steps for writing specifications, reviewing proposals, formal design reviews, and customer/regulatory agency review meetings.

    [Figure 3 flowchart box labels: Select & Size Each Hydraulic Actuation Component; Identify All Functions That Require Hydraulic Power; Perform Hydraulic System Redundancy Analysis (1, 2 or 3 systems); Determine Method of Shut Off and Flow Control to Each Actuation Component; Build Power Generation System Requirements Table; Design Power Generation System; Finalize System Layouts and Component Installations; Develop Preliminary System Layouts and Component Installations; Conduct System Level Design Studies; Valid Design with Requirements; Conduct Component Qualification Tests; Conduct Vehicle Ground & Flight Tests; Perform Safety Analysis; Develop System Schematic; Iterate As Required. Annotation: Complete These Steps for each Independent Hydraulic System.]

    Figure 3 Overall Sizing Flowchart

    Hydraulic System Redundancy

    When approaching a new aerospace vehicle design, the first question is whether hydraulic power will be used in the vehicle. If the answer is yes, then the follow-on questions are what services will require hydraulic power and what level of hydraulic power system redundancy is required for each service.

    Redundancy is driven by the need for backup systems so that continued safe flight and landing (or mission completion) has a high probability of success. For example, when hydraulically powered (PCU based) primary flight controls are used, more than one hydraulic power control unit is required for each surface (unless mechanical linkage backups are provided). Normally each PCU is supplied by separate hydraulic systems and hence there will be at least two hydraulic systems on this type of airplane. Redundancy requirements are derived through a safety analysis.

    A safety analysis consists of two basic activities: (1) determination of vehicle and system level hazards and (2) completion of a failure modes and effects analysis (FMEA) and fault tree analysis to show that system designs meet the required hazard levels. For example, loss of roll control in conventional airplanes is considered a catastrophic failure. The requirement for a catastrophic failure condition is that the probability of loss of roll control must be less than one in a billion flight hours (< 1.0E-09 per flight hour). So loss of roll control is the hazard and the design requirement is that the probability of occurrence must be less than 1 failure in a billion flight hours. A failure modes and effects analysis in combination with a fault tree analysis is used to show that the likelihood for loss of roll control is less than one failure in a billion flight hours. For more on hazards and safety analysis, see Safety Analysis module.

    As a general rule, hazards that are labeled catastrophic or hazardous require a minimum of two independent hydraulic systems to meet the required reliability levels. These hazards therefore drive system redundancy. For any powered flight control on commercial aircraft at least two hydraulic systems will be required. In some cases a third hydraulic system may be required. Two hydraulic systems may be sufficient if a mechanical backup is provided. If three hydraulic systems are used, the 3rd system will likely be a system with reduced capacity and driven by an auxiliary power unit, ram air turbine or electrical motor driven pump. The 3rd system will provide hydraulic power to the minimum functions required for safe flight and landing.

    As stated above, the formal method for determining the required system redundancy is driven by a failure analysis process. However, for early design activity the required level of redundancy can be determined by looking at similar aircraft and using some approximate system reliability numbers. An estimate for loss of a hydraulic system is 1.0E-05 / flight hour (i.e., loss of hydraulic system is expected to occur once every 100,000 flight hours for a given aircraft fleet). Loss of a power control unit would be in the range of 1.0E-04 / flight hour (loss of a power control unit is expected to occur once every 10,000 flight hours). Other specific failures can drive system redundancy as well, most notably, engine rotor noncontainment. The rotor noncontainment condition of interest is the potential for an uncontained engine compressor disc that takes out the hydraulic system for the opposite engine. This is a single failure condition that takes out two independent hydraulic systems.
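The early-design estimate described above can be run as a small fault tree calculation. This is an added example, not part of the original document: it uses the approximate rates quoted in the text, treats each per-flight-hour rate as a probability over one flight hour with independent failures, and the tree shapes, the function names and the rotor noncontainment rate are constructed for illustration.

```python
"""Early-design redundancy estimate with a minimal fault tree evaluator."""
from dataclasses import dataclass
from math import prod

CATASTROPHIC_LIMIT = 1.0e-09  # per flight hour, requirement quoted in the text
P_SYSTEM_LOSS = 1.0e-05       # loss of one hydraulic system, estimate from the text
P_PCU_LOSS = 1.0e-04          # loss of one power control unit, estimate from the text
P_ROTOR_EVENT = 1.0e-08       # CONSTRUCTED placeholder rate, not from the text


@dataclass(frozen=True)
class Basic:
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    inputs: tuple  # child Basic or Gate nodes


def probability(node):
    """Top-event probability, valid only if the inputs of each gate are independent."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind: {node.kind}")


def basic_events(node):
    """Names of all basic events below a node."""
    if isinstance(node, Basic):
        return {node.name}
    return set().union(*(basic_events(child) for child in node.inputs))


def shared_under_and(node):
    """Common mode check: basic events feeding more than one input of an AND gate."""
    if isinstance(node, Basic):
        return set()
    shared = set()
    for child in node.inputs:
        shared |= shared_under_and(child)
    if node.kind == "AND":
        seen = set()
        for child in node.inputs:
            events = basic_events(child)
            shared |= seen & events
            seen |= events
    return shared


def channel(i, with_pcu=False):
    """One supply channel: lost if its hydraulic system (or its PCU) is lost."""
    events = [Basic(f"hyd_system_{i}", P_SYSTEM_LOSS)]
    if with_pcu:
        events.append(Basic(f"pcu_{i}", P_PCU_LOSS))
    return Gate("OR", tuple(events))


def loss_of_function(n_channels, with_pcu=False, common_cause=None):
    """Function is lost when every channel is lost, or when one common event occurs."""
    all_lost = Gate("AND", tuple(channel(i, with_pcu) for i in range(1, n_channels + 1)))
    if common_cause is None:
        return all_lost
    return Gate("OR", (all_lost, common_cause))


def naive_common_cause_tree():
    """Wrong model: the shared event is hidden inside each 'independent' channel."""
    rotor = Basic("rotor_noncontainment", P_ROTOR_EVENT)
    ch1 = Gate("OR", (Basic("hyd_system_1", P_SYSTEM_LOSS), rotor))
    ch2 = Gate("OR", (Basic("hyd_system_2", P_SYSTEM_LOSS), rotor))
    return Gate("AND", (ch1, ch2))


def meets_limit(node, limit=CATASTROPHIC_LIMIT):
    return probability(node) < limit


if __name__ == "__main__":
    rotor = Basic("rotor_noncontainment", P_ROTOR_EVENT)
    cases = {
        "1 system": loss_of_function(1),
        "2 systems": loss_of_function(2),
        "2 systems + PCUs": loss_of_function(2, with_pcu=True),
        "3 systems + PCUs": loss_of_function(3, with_pcu=True),
        "2 systems, shared event hidden in channels": naive_common_cause_tree(),
        "2 systems, shared event at top OR gate": loss_of_function(2, common_cause=rotor),
    }
    for label, tree in cases.items():
        print(f"{label:45s} p={probability(tree):.3e} "
              f"meets<1e-9={meets_limit(tree)} shared={sorted(shared_under_and(tree))}")
```

The case with the shared event hidden inside both channels passes the limit numerically while the check flags the repeated event; moving that event to a top-level OR gate shows it dominating the result.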

    System Schematic

    Development of a system schematic is required to help assess whether all components have been identified and to identify required connections between components. The schematic resembles Figures 4 or 5 where hydraulic symbols are used for all components and interconnections. The schematic allows quick assessments of systems and interconnections. Thorough reviews of system schematics should be conducted periodically to ensure all components are accounted for and interconnections are correct. The schematic supports system level simulation analysis and development of 3D CAD layouts. Schematics can also be helpful to assess locations for check valves, priority valves, shuttle valves, etc. in the system.

    Preliminary 3D CAD Layout

    At the same time as components are being sized and flow control determined, preliminary 3D CAD layouts should be prepared. The layouts are used to validate that installation of the system components is feasible and that acceptable paths for routing and tube supports are available. A common mode analysis, which includes rotor non-containment studies, can be used to assess layout feasibility. Also, company design standards for system routing can be utilized, if available. The layouts should be continuously updated as the design matures.

    Actuation Component Design

    For actuator sizing see Actuator, Hydraulic Sizing and for motor sizing see Motor, Hydraulic Sizing. The inputs to the sizing procedures are maximum operating load (either force or torque), required rate (either linear or angular) and stroke length for an actuator. Basic installation geometry and kinematics must be known prior to component sizing to resolve airplane loads (such as from a flight surface) to the actuator. The outputs of the sizing procedure will be required actuator size (piston areas for an actuator or motor displacement) and the necessary flow required to achieve maximum rate at maximum load. The sizing procedures assume a 25-30% loss in system pressure between the pump and actuator or motor. As the system design matures, it will be necessary to validate (or improve upon) the assumed pressure loss between pump and actuation component. Similarly, the pump flow capability at the worst case condition will need to be verified as system design progresses. These checks are captured in the validate requirements portion of the flow chart. The physical volume of an actuator or motor can be estimated using vendor catalogs of similar actuators or through discussions with hydraulic actuator or motor manufacturers.

    For primary flight control surfaces where Power Control Units (PCUs) will be used, more effort is required. PCU sizing follows the sizing for a servoactuator, but PCUs will contain additional components (e.g., accumulators, mode control valves) that must also be sized. An important aspect of PCU design is identifying the necessary functions that must be contained within the PCU. Most of the additional functions are driven by failure mode analysis. The primary failure modes are loss of hydraulic pressure, loss of electrical input, jammed valve spool and a jammed actuator. Determination of PCU volume and shape requires completion of a preliminary design for the PCU. In some cases where previous data is available for a PCU with similar loads and functions, an existing actuator can be used for a baseline or the existing actuator may be scaled in size (either up or down). See Power Control Units, Hydraulic Description and Power Control Units, Hydraulic Sizing for more details on PCUs.

    For each actuation component, the necessary data required for system design are minimum required inlet pressure, minimum required flow rate, any minimum or maximum temperature limitations and a fluid cleanliness requirement. This data should be captured during component design for use in power generation system design (see Power Generation System Design, Hydraulic).

    Support structure for actuation components must be capable of withstanding maximum actuation loads with minimum deflection. For flight control actuation, the stiffness of the surrounding structure is important since it contributes to overall hydraulic natural frequency (see Actuator, Hydraulic Equations). Static strength, fatigue characteristics and stiffness of support structure should be analyzed carefully. In addition, actuators will be mounted on spherical bearings and will rotate some amount during extension and retraction of the actuator. Clearances to surrounding structure through the range of movement should be analyzed. Lastly, for actuators with high duty cycles, a thermal analysis of the actuator bay should be completed. Sufficient heat sinks for cooling should be provided to prevent actuator overheating or overheating of surrounding structure.

    Actuation Component Flow Control

    The next step is to select the method for controlling the rate of the actuator or motor, and the method of allowing and shutting off flow to the component. Shut off (on/off control) and flow control can be contained in the same valve. Shut off (on/off) control is normally done with a spool valve (servo).

    For opening (allowing) and closing off flow to a valve, the primary component is a 2 position, 3 or 4 way spool valve. Manifold assemblies can be built which consist of multiple 2 position valves enclosed in a single assembly. This is common in landing gear control valves where nose, main gear and gear door valves are contained in a single manifold block.

    Choices for controlling flow are (1) fixed orifice in the hydraulic line, (2) orifice installed in a 2 position on/off valve, (3) flow control valve, (4) pressure regulator, (5) torque motor controlled servo valve or (6) direct drive proportionally controlled solenoid servovalve. The choice primarily depends on the required accuracy for controlling rate and/or position. Weight and cost are the other factors. An orifice is sized for a given condition and flows will vary at off-design conditions (see Orifice, Hydraulic Description). An orifice installed in a 2 position valve will behave like a standalone orifice where flow will vary for off-design conditions. This orifice is installed in the outlet of the 2 position valve. The benefit of this choice over an orifice is that shut off and flow modulation are done in a single entity (hence a single part number). A flow control valve regulates to a set flow rate over a wide range of inlet pressures. The accuracy of the flow regulation is dependent on the flow tolerance capability of the valve (set by the manufacturer). Where two control valves are used to control separate parallel actuators (such as spoiler surfaces or thrust reversers), tight flow tolerances may be required. Note that while flow regulation may hold to a set value, the output pressure of the flow control valve will depend on inlet pressure. So outlet pressure can vary at a constant flow rate. A pressure regulator modulates a flow orifice to hold a constant pressure at the outlet of the regulator. Flow from a pressure regulator will vary as inlet pressure varies. So, a pressure regulator will behave opposite to a flow control valve: constant pressure output at varying flow vs. constant flow with a varying outlet pressure. The variation occurs with varying inlet pressure. If the inlet pressure is constant (or relatively constant), then either valve will have consistent flow and pressure at the output. Note that a flow control valve will produce constant speed with varying force (or torque), while a pressure regulator will produce constant force (or torque) at varying speed. The remaining two methods for controlling flow are a servovalve (controlled through a torque motor or direct drive solenoid to position the servo at any chosen flow position). Servovalves provide highly accurate flow control and are normally used in position (feedback) control applications. The servo within the servovalve is positioned with an applied current, so flow area varies proportionally with current. As servovalves are sophisticated and expensive, they are only used in applications where accurate position control is required, such as primary surface control, thrust vectoring or spoileron surface control.

    An example of a system showing actuator, flow control and shut off valves is shown in Figure 4 for a thrust reverser actuation system. In this system flow control is accomplished through a two way restrictor which controls actuator rate in both directions. The two way restrictor is essentially an orifice where the orifice size is different for flow in each direction. The shut off valve provides a dual means of protecting against an inadvertent thrust reverser deployment (the other means is the control valve, which is biased to the retract position). The thrust reverser latch actuators are also spring loaded to the retract position. The latch actuators latch (lock) the thrust reverser actuators in the stowed position. Normally the isolation valve and control valve solenoids are controlled through separate and independent electrical circuits. The isolation valve may be tied to weight on wheels (WOW) switches and/or wheel speed plus throttle lever position (throttle switch that is closed when throttle levers are in idle position). The isolation valve effectively arms the system. The control valve solenoid would be controlled by thrust reverser control levers located on or near the engine throttle levers in the flight compartment.

    Figure 4 Thrust Reverser Actuation System

    For sizing of individual components, see the Sizing section for the component of interest.

    Power Generation System

    For each hydraulic system installed in the airplane, a power generation system is required. At a minimum, a power generation system will consist of the pump, reservoir, reservoir indication panel, pressure sensors, pressure relief valve, pressure line filter, return line filter and ground service connectors. Other equipment that may be part of the power generation system includes an accumulator, case drain line filter, temperature sensors, and heat exchanger.

    A basic power generation system schematic is shown in Figure 5. This figure shows the fundamental components contained in a hydraulic power generation system. The only optional components would be the case drain filter (if a case drain filter is not used the case drain must flow through the normal return filter) and the accumulator. Hydraulic hoses are used for connections to the pump due to relative motion between pump and supporting structure. The hoses also help dampen pump pressure pulses. Ground service lines are shown with check valves at the connection fitting to prevent loss of fluid if a ground service connection fails. An item not shown in Figure 5 is the reservoir fluid quantity indication. Reservoir fluid quantity indication is a mandatory feature for hydraulic systems (see Reservoir, Hydraulic Description).

    Figure 5 Basic Power Generation System Schematic

    Refer to Power Generation System Design, Hydraulic for details on the process for designing a power generation system.

    Finalize 3D CAD Layouts & Evaluation

    At this point in the process, the 3D layouts need to be finalized. Finalization implies all tubing runs are well defined, including all straight line segments, bends and hose locations, and that tube supports and clamps have been defined. Detail drawings are not necessarily required at this stage. Well defined installation drawings will suffice. Clearances of components to structure, wiring, oxygen and hot bleed air lines should be assessed and deemed acceptable when evaluated against relevant design standards. Rotor non-containment (all rotors, not just turbine engines), wheel well zonal analysis, ventilation and drainage studies should also be included in the validation of the layout. An additional aspect that requires evaluation is clearances of hardware under limit load deflections of the airframe. All of these aspects are required for certification of commercial aircraft and are validated through a combination of engineering design reviews, analysis, ground test and vehicle inspections.

    System level analysis of pressure and flow characteristics should also be reviewed and finalized at this time. Preliminary studies should have been completed as the 3D layouts were evolving. Both pressure lines and return lines should be evaluated. For pressure lines, the following should be evaluated:

    • Required inlet pressure is available at each actuation component

    • Required flow rates are available to each component under worst case operating conditions and considering flow to all other components

    • Pump or pump/accumulator combination can supply necessary flow at the required pressure

    • Pressure wave and pressure spike assessments

        o Two position spool valves with fast acting solenoids are a common cause of spikes

    Return lines and the overall return system should be evaluated for the following:

    • Highest back pressure that may be applied to a component, primarily actuation components

        o Normal and transient pressure levels should be evaluated (transient pressures can feed back to actuation components causing erratic behavior or cause switches to cycle or locking devices to unlock)

        o High transient back pressures can occur when several high flow devices are operating simultaneously

    • Effects of a clogged filter and system operating in bypass mode

    • Capability of the reservoir to maintain required pump inlet conditions (inlet pressure and flow) under the worst case operating condition

    Requirements Evaluation

    As a hydraulic system design evolves, a good practice is to periodically evaluate component and system design relative to the original requirements. Requirement assessments are normally done at preliminary design reviews and critical design reviews. Good practice is to conduct requirements assessments at the completion of the initial preliminary design and update after every significant design change. A good idea is to also assess requirements during the testing of the 1st prototype components.

    Assessments should include performance requirements and any logic or control functions built into a component. For an actuator, motor or valve component, requirements relate to performance (rate, load capability, stroke, and friction) as there is usually no intelligence built into these components. Servovalves and power control units are usually paired with a sophisticated electronic controller. In this case, the controller and hydraulic component should be evaluated both individually and as a subsystem.

    In some instances, sub-assemblies can be tested and evaluated. An example of a sub-assembly would be a servo within a servovalve. Another example would be a switch or actuator lock assembly contained within an actuator. Sub-assembly testing can help with risk reduction by providing feedback on actual hardware functionality faster than waiting for a complete design and build to be completed.

    At the system level, requirements should also be periodically evaluated as design details become known. In some cases, when component designs are worked out, an incompatibility (or non-compliance) with a requirement may be identified. Compromises may need to be made and requirements re-evaluated or adjusted.

    A tolerance analysis for critical performance requirements is also recommended. Included in tolerance analysis are variations in part dimensions and characteristics, variation in installation, in-service wear effects, and environmental factors (such as temperature range). Numerous tools, many statistical, are available for tolerance analysis. Tolerance analysis is the examination of the effect of component or installation variation on critical performance criteria. An example of a tolerance analysis would be an examination of the range of flow within a flow control valve and how motor or actuator rate would vary over this range. Another example would be evaluation of pump performance over a wide range of operating conditions and how actuation component behavior would be affected by pump flow/pressure variation.

    Beyond performance and control functions, all remaining requirements should be evaluated. Specifications can emanate from military specifications, contractual specifications, regulatory agencies (such as FAA) and even in-house design guides and specifications. For military vehicles, numerous military specifications may be applied. The requirements in each specification must be evaluated for applicability and compliance. In addition to operational parameters, requirements will include items such as materials, material compatibility, coatings, seals, environmental aspects, reliability and maintainability. Failure to assess and validate all requirements can lead to re-design activity or financial penalties.

    Validation of requirements is done through a combination of engineering design reviews (such as material verification), analysis (e.g., stress analysis or safety analysis), sub-assembly testing, component level testing and system level testing. A good technique is to create a spreadsheet that contains all requirements, the source of the requirement, the method of validation and where compliance will be documented. This technique will ensure all requirements are properly considered in the design and that the design is compliant.

    Qualification Test Plans

    Qualification testing is done for all components in a hydraulic system. Component qualification tests ensure that the equipment will operate under all foreseeable operating conditions. Qualification tests normally follow the guidelines of RTCA/DO-160 or Mil-Std-810 / Mil-Std-461 / Mil-Std-464. The first military specification addresses mechanical aspects of qualification and the last two military specifications address electronic aspects of qualification. RTCA/DO-160 addresses both mechanical and electronic qualification aspects. The tests that should be conducted for equipment qualification are discussed in Qualification Hydraulic Components. Components that may only require limited qualification testing are tubes, fittings (connectors) and mounts. This would be the case if previous history on other products is available to substantiate installation guidelines and practices. For example, if an existing vehicle with good service history utilizes swaged fittings for hydraulic lines then little or no qualification may be required. Proof and burst testing is normally required on tubes and connectors (as well as all components). Although not normally done, proof and burst testing can be done at hot or cold temperature extremes. Also, vibration testing can be accomplished on representative tubing arrangements with connectors. Other tests such as fluid susceptibility and pressure impulse tests can be performed as required.

    Included in equipment qualification is functional testing. Functional tests may be run under environmental conditions such as temperature extremes, during vibration, at altitude and so on. At a minimum, functional tests will include maximum operating load, no load rate, rate at nominal load and rate at maximum load, no load friction, operation of any switch(es) located in a component, leakage, etc. Functional tests are based on the requirements identified in the component specification. All required functionality should be verified during component qualification. When an electronic controller is used in conjunction with a hydraulic component (regardless of complexity), the functionality of the controller and hydraulic component should be verified as a subsystem. Of special consideration are power control units, which will normally have complex functionality, especially when fault detection is done within the component or controller. Fault detection logic and subsequent component operation should always be verified during equipment qualification.

    Vehicle Test Plans

    Vehicle test plans include ground and flight test plans that evaluate operation of the system on the vehicle. Ground testing will normally include full functionality tests at the vehicle level. Functional tests will ensure subsystem and overall hydraulic system(s) operate as intended on the airplane. Verifying operation times, that switches open and close properly, that actuation devices work without binding and that there are no unacceptable pressure transients are examples of items that should be evaluated during ground testing. Where feasible, fault testing of the system should be accomplished on the vehicle. Fault testing that can be done at the vehicle level can be induced sensor faults, loss of hydraulic pressure in one system, etc. Certain fault tests, such as servo jam or failure in a controller, are usually done during component level tests and not at the vehicle level. Flight tests validate operation of the system during actual flight operation. For example, smooth operation of the flaps, landing gear, thrust reversers, etc. can be validated. Actuation rates, chosen during preliminary design, are also evaluated to ensure they are appropriate for the vehicle. Both ground and flight test procedures should be as thorough as possible. Any anomalies found during testing should be analyzed and appropriate corrective action taken.

    Inspections of installed equipment should also be accomplished to ensure clearances/separation from structure, wires, oxygen and environmental lines and surrounding equipment are adequate. For commercial aircraft, this inspection activity is referred to as compliance inspections. When doing inspections, clearances should also be verified under fuselage and wing loading conditions. This can be accomplished through a combination of analysis, ground test and vehicle inspections. When doing inspections, all access covers should be removed for access. In some cases, equipment or other hardware may need to be removed.

    FMEAs and Safety Analysis

    An FMEA is a failure mode and effects analysis. An FMEA is created by identifying all failures within a component and system and determining the effect of that failure on the component and then on the system. The effect of the system failure will also need to be evaluated at the vehicle level. Every failure within a component must be identified and evaluated. Normally tables are built that list each failure and have columns for the failure effect on the component, the failure effect on the system, the failure effect on the vehicle, the method of detecting the failure, the probability of failure and whether the failure is latent (undetectable). Special considerations are given to latent (undetected) failures. A vehicle is considered fail safe when no single failure will prohibit continued safe flight and landing. An example of a failure mode and effects analysis table is shown in Figure 6. Some key elements in the FMEA table are flight phase, effect of failure on the system, effect of failure on the aircraft and method of indication. These columns provide a good understanding of the failure effects. Pilot action is also important to understand what action (if any) the pilot would take should the failure occur. Many times pilot actions are verified during flight phase. A comments column is also provided to provide additional information including identifying latent failures.

    Form header fields: COMPONENT NAME; FUNCTION OF COMPONENT; COMPONENT ATA NO.; SYSTEM NAME; PREPARED BY; REVIEWED BY

    (COL 1) ENTRY NO.
    (COL 2) FAILURE MODES AND CAUSES
    (COL 3) FLT PHASE
    (COL 4) EFFECT OF FAILURE ON THE SYSTEM
    (COL 5) EFFECT OF FAILURE ON THE AIRCRAFT
    (COL 6) INDICATION OR METHOD OF DETECTION
    (COL 7) PILOT ACTIO COMPENSAT PROVISION

    FLIGHT PHASES (COL 3.)
    GROUND: G0 ALL GROUND; G1 TAXI; G2 IN REVERSE THRUST; G3 TRANSITION TO STOW AND ROLL-OUT; G4 AIRPLANE STATIC-SYSTEM OPERATING
    TAKEOFF: T0 ALL TAKEOFF; T1 PRIOR TO V1; T2 AFTER V1; T3 PRIOR TO ROTATION; T4 AFTER ROTATION; T5 REJECTED TAKEOFF
    IN-FLIGHT: F0 ALL FLIGHT; F1 CLIMB; F2 GEAR DOWN; F3 GEAR UP; F4 CRUISE; F5 DESCENT; F6 APPROACH; F7 GO-AROUND; F8 ICE PROTECTION ON; F9 BEFORE LANDING; F10 OTHER (DESCRIBE)
    LANDING: L0 ALL LANDING; L1 LANDING ROLL; L2 GROUND ROLL; L3 BRAKING

    HAZAR: "CAT"= C; "HAZ"= H; "MAJ"= M; "MIN"= M

    Figure 6 Sample Failure Mode and Effects Analysis Table

    Safety analysis is the process for (1) identifying vehicle and system level hazards, (2) assigning a hazard level to each hazard (one of four choices: minor, major, hazardous or catastrophic), (3) building FMEA tables and (4) building fault trees to determine the probability associated with each hazard.

    Included in safety analysis are common mode, particular risk and zonal analysis. A common mode is a single failure that would lead to a hazardous or catastrophic event. A common mode analysis looks at fault trees to identify assumptions that may have been made when constructing the fault trees and verifies that these assumptions are valid. The Common Mode Analysis is applied to the top AND gate in fault trees for hazardous and catastrophic failure conditions. Particular risk analysis looks at the effects of a particular risk on the system and on the vehicle. Two examples of particular risk analysis are rotor noncontainment (rotorburst) studies and a thrown tire tread. The zonal safety analysis examines the standards used in the design and installation of the aircraft, the effect of certain failures on the aircraft and possible effect on multiple systems, the implications of maintenance errors, and whether the installation meets the independence assumptions used in the System Safety Analysis reports. Zonal analysis typically involves aircraft inspections to look at the proximity of components and installation details. CAD systems usually do not provide sufficient detail or necessary perspectives to conduct a complete zonal analysis. Therefore, a zonal analysis cannot be completed until an aircraft is built.

    For more information on safety analysis, see Safety Analysis.