FUELEAP Model-Based System Safety Analysis

NASA researchers, in a partnership with Boeing, are investigating a fuel-cell powered variant of the X-57 “Maxwell” Mod-II electric propulsion aircraft, which is itself derived from a stock Tecnam P2006T. The “Fostering Ultra-Efficient Low-Emitting Aviation Power” (FUELEAP) project will replace the X-57 power subsystem with a hybrid Solid-Oxide Fuel Cell (SOFC) system to increase the potential range of the electric-propulsion aircraft while dramatically improving efficiency and emissions over stock internal-combustion engines. Our FUELEAP safety analysis faces two primary challenges. First, the Part 23 certificated Tecnam P2006T is undergoing significant modifications to host the hybrid electric-propulsion system, and the challenge is to assure that the safety inherent in the stock aircraft (and subsequently in X-57 Mod-II) is not compromised by changes in avionics, aircraft structural loading, weight and balance, or other considerations. Secondly, because the SOFC power system has little (if any) relevant in-service precedent, our challenge is to assure that we identify and mitigate all reasonably plausible hazards introduced by unique FUELEAP equipage. We are investigating and utilizing Model-Based Safety Analysis (MBSA) methods to help us address these FUELEAP safety challenges. We captured aircraft-level system hazard conditions using instances of a SysML hazard block via aircraft-level Functional Hazard Analysis (FHA). Then, using SysML models of the FUELEAP architecture, we related the hazard conditions to initiating system events and possible mitigations, such as design architecture modifications or operational constraints. We are continuing to define our approach to MBSA by developing a component-by-component inventory of local failure modes and tracing their possible contribution to hazard conditions. Finally, we are applying an argument-based approach to FUELEAP assurance. Through a FUELEAP “safety case,” we are providing an explicit argument for FUELEAP safety by associating assurance evidence with overarching safety claims through a structured argument.