

### SLOVENSKI STANDARD SIST EN 9721:2022

01-marec-2022

### Aeronavtika - Splošno priporočilo za arhitekturo BIT v integriranem sistemu

Aerospace series - General recommendation for the BIT Architecture in an integrated system

Luft- und Raumfahrt - Allgemeine Empfehlungen für die integrierte Prüfungs-(BIT)-Architektur in einem integrierten System TANDAR

Série aerospatiale - Recommandations générales pour l'architecture des BIT dans un système intégré (standards.iteh.ai)

Ta slovenski standard je istoveten z: EN 9721:2021

https://standards.iteh.ai/catalog/standards/sist/d7adc8d4-

a858-44f3-8754-0daeffebf689/sist-en-9721-2022

ICS:

49.020 Letala in vesoljska vozila na Aircraft and space vehicles in

splošno general

SIST EN 9721:2022 en,fr,de

**SIST EN 9721:2022** 

## iTeh STANDARD PREVIEW (standards.iteh.ai)

SIST EN 9721:2022

EUROPEAN STANDARD NORME EUROPÉENNE

**EUROPÄISCHE NORM** 

**EN 9721** 

December 2021

ICS 49.020

### **English Version**

# Aerospace series - General recommendation for the BIT Architecture in an integrated system

Série aerospatiale - Recommandations générales pour l'architecture des BIT dans un système intégré

Luft- und Raumfahrt - Allgemeine Empfehlungen für die integrierte Prüfungs-(BIT)-Architektur in einem integrierten System

This European Standard was approved by CEN on 2 November 2020.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

SIST EN 9721:2022

https://standards.iteh.ai/catalog/standards/sist/d7adc8d4-a858-44f3-8754-0daeffebf689/sist-en-9721-2022



EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

| Contents     |                                                                                    |          |
|--------------|------------------------------------------------------------------------------------|----------|
| Europ        | oean foreword                                                                      | 5        |
| Introduction |                                                                                    | 6        |
| 1            | Scope                                                                              | 7        |
| 2            | Normative references                                                               |          |
| 3            | Terms, definitions and abbreviations                                               |          |
| 3.1          | Terms and definitions                                                              |          |
| 3.2          | Abbreviations                                                                      |          |
|              |                                                                                    |          |
| 4            | BIT stakeholders                                                                   |          |
| 4.1          | BIT specifier                                                                      |          |
| 4.2          | BIT designer/developer                                                             |          |
| 4.3<br>4.4   | Operational user                                                                   |          |
|              | Maintenance engineer                                                               |          |
| 4.5<br>4.6   | System technical manager                                                           | 10<br>16 |
| 4.0<br>4.7   | ExpertField data engineer                                                          | 10<br>16 |
|              |                                                                                    |          |
| 5            | System constraints PRITY System design                                             | 16       |
| 5.1          | System design                                                                      | 16       |
| 5.2          | BIT interface function (Standards.itelr.ai) The alarm function                     | 17       |
| 5.2.1        | The alarm function <b>Little Addition</b>                                          | 17       |
| 5.2.2        | The diagnostic function                                                            | 18       |
| 5.2.3        | Built-in reconfiguration                                                           | 18       |
| 5.2.4        | The maintenance function https://standards.iteh.avcatalog/standards/sist/d/adc8d4- | 18       |
| 5.2.5<br>5.3 | System technical states 8-44f3-8754-0daeffebf689/sist-en-9721-2022                 | 10       |
| 5.4          | Functional modes of a system                                                       | 19<br>10 |
| 5.4<br>5.5   | System configuration                                                               |          |
| 5.5.1        | Operational configuration of a system                                              |          |
| 5.5.2        | Technical configuration                                                            |          |
| 5.5.3        | BIT parameterisation                                                               |          |
|              | •                                                                                  |          |
| 6            | BIT types and metrics                                                              |          |
| 6.1<br>6.2   | GeneralThe various types of <i>BIT</i>                                             |          |
| 6.2.1        | Power-up BIT or Power-on BIT (PBIT)                                                |          |
| 6.2.2        | Initiated BIT (IBIT) or Demanded BIT (DBIT)                                        |          |
| 6.2.3        | Continuous BIT (CBIT)                                                              |          |
| 6.2.4        | External BIT (EBIT)                                                                |          |
| 6.2.5        | Maintenance BIT (MBIT)                                                             |          |
| 6.2.6        | Summary of characteristics of the various types of BIT                             | 23       |
| 6.3          | The metrics                                                                        |          |
| 6.3.1        | Role of the mathematical definitions of the metrics                                |          |
| 6.3.2        | Detection rate                                                                     |          |
| 6.3.3        | Isolation rate                                                                     |          |
| 6.3.4        | Unreliabilisation rate caused by the BIT                                           |          |
| 6.3.5        | False alarm rates, false correct operation rates                                   |          |

| 7               | Use of <i>BIT</i>                                                                                      | 34       |
|-----------------|--------------------------------------------------------------------------------------------------------|----------|
| 7.1             | During development                                                                                     | 34       |
| 7.2             | During production                                                                                      | 34       |
| 7.3             | During service                                                                                         | 36       |
| 7.3.1           | In operational mode                                                                                    | 36       |
| 7.3.2           | In maintenance mode                                                                                    |          |
| 7.4             | During validation during repair                                                                        | 36       |
| 8               | Architecture of the BIT                                                                                | 36       |
| 8.1             | The generic functions of the BIT                                                                       |          |
| 8.1.1           | General                                                                                                |          |
| 8.1.2           | BIT Detection function                                                                                 | 38       |
| 8.1.3           | BIT Supervisor function                                                                                | 38       |
| 8.2             | The various architectures of the BIT function                                                          | 41       |
| 8.2.1           | General                                                                                                |          |
| 8.2.2           | Distributed BIT Architecture                                                                           |          |
| 8.2.3           | Centralised BIT Architecture                                                                           |          |
| 8.2.4           | Choice of BIT architecture                                                                             |          |
| 8.3             | Exchanged data typology                                                                                |          |
| 8.4             | Specification process                                                                                  |          |
| 8.4.1           | System design arbitrations: Essential objective and effort                                             |          |
| 8.4.2           | The BIT specification process                                                                          | 47       |
| 8.5             | Generic modelling and configuration language                                                           | 48       |
| 8.5.1<br>8.5.2  | Introduction                                                                                           | 48       |
| 8.5.2<br>8.5.3  | Description of the language teblos                                                                     | 5U       |
| 8.5.4           | Eurotional language story devices                                                                      |          |
| 8.5.5           | Description of the language tables  Functional language Standard Sitch ai  Model instantiation process | 57<br>57 |
| 8.6             | Development process and validation/verification of a <i>BIT</i> system                                 | 57<br>58 |
|                 | GIGT EN 0721,2022                                                                                      |          |
| 9               | Prognosis                                                                                              | 58       |
| 9.1             | Organisation of the prognosis - 0dae ffeb f689/sist-en-9721-2022                                       | 58       |
| 9.2<br>9.3      | Data from <i>BIT</i> for use by the Prognosis                                                          |          |
|                 | , 3                                                                                                    |          |
| 10              | Conclusions                                                                                            | 59       |
| Annex           | A (informative) Examples                                                                               | 61       |
| <b>A.1</b>      | Operational efficiency and performance                                                                 | 61       |
| A.1.1           | General                                                                                                | 61       |
| A.1.2           | Example 1: How do you cut down a tree rapidly?                                                         | 61       |
| A.1.3           | Example 2: How do you cut a slab of butter cleanly?                                                    | 61       |
| A.2             | Example of calculations for some metrics                                                               | 62       |
| A.2.1           | General                                                                                                | 62       |
| A.2.2           | Calculating detection rates                                                                            | 66       |
| <b>A.2.2.</b> 1 | Calculating the FDC (Failure Detection Capability)                                                     | 66       |
| A.2.2.2         | 2 Calculating the FDP (Failure detection probability)                                                  | 67       |
| A.2.3           | Calculating isolation rates                                                                            | 68       |
| <b>A.2.3.</b> 1 | l Calculating the $\mathit{FIP}_{\mathbf{n}}$ (Failure isolation probability)                          | 69       |

| A.2.3.1.1     |                                                                              |            |
|---------------|------------------------------------------------------------------------------|------------|
| A.2.3.1.2     | Calculating FIP <sub>1</sub>                                                 | 69         |
| A.2.3.1.3     | Calculating FIP2                                                             | 70         |
| A.2.3.1.4     | Calculating FIP3                                                             | 70         |
| A.2.3.2 Ca    | alculating the $\mathit{FRP}_n$ (Failure resolution probability)             | 70         |
| A.2.3.2.1     | General                                                                      | 70         |
| A.2.3.2.2     | Calculating FRP <sub>1</sub>                                                 | <b>7</b> 3 |
| A.2.3.2.3     | Calculating FRP <sub>2</sub>                                                 | <b>7</b> 3 |
| A.2.3.2.4     | Calculating FRP3                                                             | <b>7</b> 4 |
| A.3 Co        | orrect operation diagnostic vs failure diagnostic                            | 74         |
| A.4 Ex        | cample of propagation of the diagnostic values on a simple architecture case | 75         |
| A.5 Eı        | godicity hypothesis                                                          | 82         |
|               | cample of calculation for assessing the NFF — No fault found rate            |            |
| <b>A.7</b> Ti | ming chart of events                                                         | <b>8</b> 4 |
| Annex B       | (informative) List of recommendations                                        | 86         |
|               | PREVIEW                                                                      |            |
| Index         | (standards.iteh.ai)                                                          | 90         |
|               | (Stational assistant)                                                        |            |

### SIST EN 9721:2022

### **European foreword**

This document (EN 9721:2021) has been prepared by the Aerospace and Defence Industries Association of Europe — Standardization (ASD-STAN).

After enquiries and votes carried out in accordance with the rules of this Association, this document has received the approval of the National Associations and the Official Services of the member countries of ASD-STAN, prior to its presentation to CEN.

This document shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by June 2022, and conflicting national standards shall be withdrawn at the latest by June 2022.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this document: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

(standards.iteh.ai)

SIST EN 9721:2022

### Introduction

A Built-in-test (*BIT*) is a test carried out exclusively with the hardware and software resources specific to an item of equipment/system, in order to test it and/or its sub-assemblies, in view of detecting failures and isolating or even diagnosing them.

System designers are faced with the following questions:

- How do you define a strategy or method for a test built into a system?
- How do you assess the operational efficiency of a system's *BIT* architecture? (False alarms, non-reproducible alarms and false removals)
- How do you obtain a coherent BIT architecture between the various levels of a system? of a system of systems?
- How do you take into account the needs of the various users of the *BIT* function bearing in mind that the implementation, accesses, *BIT* reports, etc. are specific to the users?

## iTeh STANDARD PREVIEW (standards.iteh.ai)

SIST EN 9721:2022

### 1 Scope

The purpose of this document is to harmonise the dialogue between manufacturers, prime contractors, owners and the customer in view of making it easier to draw up specifications, share BIT architecture models and the *BIT* technical configuration of systems during the operational use phase.

This recommendation proposes adopting *BIT* operational efficiency and performance definitions, architecture design principles, and *BIT* specification or validation principles. It provides no recommendations regarding the numeric values for operational efficiency or performance. The diversity of situations, development of technological solutions and ever-changing operational requirements make it impossible to list general recommendations.

Clause 6 and Clause 9 set out the general context of use of the BIT.

Clause 7 lists the constraints to be taken into account to design a *BIT* architecture.

Clause 8 lists the various *BIT* types currently known and the definitions of performance and operational efficiency (metrics).

Clause 10 provides recommendations on the BIT architecture.

Clause 11 recommends a language for exchanging *BIT* architecture models for assembling the complete model of a system.

Clause 12 is an introduction to the prognosis.

This document is mainly intended for system designers.

Although it is based on examples of aeronautic systems, it is applicable to any type of system.

## 2 Normative referencestandards.iteh.ai)

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 5577, Non-destructive testing—8 Ultrasonic testing /sis Vocabulary2022

### 3 Terms, definitions and abbreviations

### 3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 5577 and the following apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses:

- ISO Online browsing platform: available at <a href="https://www.iso.org/obp">https://www.iso.org/obp</a>
- IEC Electropedia: available at <a href="https://www.electropedia.org/">https://www.electropedia.org/</a>

### 3.1.1

### ambiguity group

associated to a signature and consists of a set of replaceable elements of the system of which at least one of the failures contributes to this signature but cannot be clearly indentified. Depending on the maintenance level considered, the replaceable elements may be LRU, SRU, components, etc.; the notion of ambiguity group refers to the requirement for isolating the failed element on the system tested with a given maintenance level

### 3.1.2

### cut set

combination of failures, taken from the total list of possible failures (internal or external to the system), which lead to the loss of a service; it is said to be minimal if by removing any failure from the list, the service is no longer failing; the size (or degree) of the cut set is the number of elements on the list

### **EXAMPLE**



In this example, it is presumed that Power supply 1 and 2 are operating as dual redundant parts. Therefore, the service: "Provide 15 V" is lost in the case both power supplies fail.

There are 2 separate minimal cuts sets that have the same service failure (15 V loss):

- cut set 1: Loss of "Power supply 1" AND Loss of "Power supply 2" (upstream output fails);
- cut set 2: "Power supply board a failure: iteh.ai/catalog/standards/sist/d7adc8d4-a858-44f3-8754-0daeffebf689/sist-en-9721-2022

However, there are many non-minimal cut sets. For example, the following cut set 3 is not minimal:

cut set 3: (Loss of "Power supply 1" AND "Power supply board" failure) OR (No loss of "Power supply 1" AND "Power supply board" failure).

Cut set 2 is preferable over Cut set 3.

### 3.1.3

### defect

non-compliance to a requirement, within the context of a specified or expected use

### 3.1.4

### degradation or failure cause

circumstances related to the design, manufacture and use that resulted in the failure or incident

Note 1 to entry: In this document, it is assumed that there is no system design fault.

[SOURCE: adapted from NF X 60-500]

### 3.1.5

### degradation

gradual and partial change in a system's ability to complete certain but not all required functions

### 3.1.6

### degraded state

following a degradation (see the definition of "degradation" above), a system

### 3.1.7

### detectability

system's failure detection capability is assessed for each of the failures that may occur: a failure is detectable or not

Note 1 to entry: Detectability is a metric that assesses the operational efficiency of an architecture. It takes into account the operational efficiency of the tests (or presumes total operational efficiency of the tests).

#### 3.1.8

### diagnostic

identification of the probable cause of the failure (or failures) using a logical reasoning based on a set of information coming from an inspection, a control or a test

### 3.1.9

### disturbing test

test that is likely to modify the operational behaviour of the element tested

### 3.1.10

### effect

### iTeh STANDARD

result of a cause. This effect may be cascaded (domino effect) in the system; it is then a cause in relation to the effects propagated at the upper level K. V. K.

### 3.1.11 failure

## (standards.iteh.ai)

stopping of a system's ability to complete the required function; it is observable through its effects (lack of behaviour) such as the deviation of a physical variable outside of a given tolerance range; it is noted f in this document https://standards.iteh.ai/catalog/standards/sist/d7adc8d4-

[SOURCE: adapted from NF X 60-500]

### 3.1.12

### failure isolation

(troubleshooting) involves reducing the size of the ambiguity group through observations or additional tests; the failure isolation process (troubleshooting) is iterative; it ends when the diagnostic stops being ambiguous and when the troubleshooting is validated

### 3.1.13

### failure sets

in this document, various failure sets (in the mathematical meaning of the term) will be used; they include

- *E*: set of all failures:  $E = HF \cup SDF = \{f_i\}$  for *i* from 1 to Card(*E*),
- HF: set of failures caused by the hardware. This set excludes hardware design faults,
- *DF*: set of failures detectable by the test considered. *DF* is included in *E*,
- FE: set of failures that have an effect deemed "to be considered" (for example, with regard to criticality, a given usage scenario, etc.). FE is included in E. The scope of FE depends on the purpose of the analysis and therefore on the type of effects: operational, safety, commercial, etc.,

- DFE: set of detectable failures that have an effect deemed "to be considered". DFE = DF  $\cap$  FE and
- SDF: set of software design failures (whether executed by a micro-processor or by a programmable component). Theoretically, this set should be empty. Consequently, these software failures are not considered in the FMECA analyses or in the detection rate calculations. However, experience shows that they exist and that some of them can be detected by integrity tests.



Figure 2 — Failure sets
Teh STANDARD

- SDF1: Detectable software design faults and that do not have an effect.
- SDF2: Detectable software design faults and that have an effect.
- SDF3: Software design faults that have an effect but that are not detected by integrity tests.

Note 1 to entry: Software design faults will not be considered in the remainder of this document. This document will focus on the *HF* set. Consequently, and used somewhat imprecisely, all of the sets that will be mentioned in the remainder of this document will be understood to be restricted to the intersection with *HF*.

standards.iteh.

Note 2 to entry: Mathematical reminder: the cardinal of the set E noted "Card(E)" is the number of elements constituting this set.

### 3.1.14

### failure signature

exhaustive combination (not minimal) of observable symptoms (OK or NOK results) resulting from the failure of a service; the signature consists of a core and periphery; the signature core is the combination of symptoms, always observable, that are sufficient to diagnose the failure; the periphery is the set of symptoms that may accompany the core (cascade failure phenomenon)

Note 1 to entry: **Recommendation 5:** With respect to failure signatures, it is important to state whether it is the signature core (design approach) that is addressed or the signature "core + periphery" set (maintenance approach).

Note 2 to entry: Several failures may have the same signature.

Note 3 to entry: The degree of the signature is *n* when this signature is associated to an ambiguity group of size *n*.

### 3.1.15

### fault (Failed state)

internal cause that lead to a failure. In the case of fault, the item is in failed state

Note 1 to entry: The system can continue providing the service for example if its architecture has redundancies.

[SOURCE: adapted from NF X 60-500]

### 3.1.16

### false alarm

result of a decision made between two possible choices (positive and negative), declared as positive, when it is in reality negative

### 3.1.17

### list of system failures

The list of failures is the set of failures identified during the design stage and enhanced by return of experience. It may be formalised in a *FMECA* type form [2]; for each failure, it will also give as a minimum:

- its occurrence rate (except for the failures which causes are outside the scope of the system considered);
- its effect(s);
- the *LRU/SRU* or the resource/condition outside the scope of the system considered

Note 1 to entry: **Recommendation 4:** The design of the testability and the tests shall be based on the list of system failures.

Note 2 to entry: The level of detail of the list of failures shall be precise enough to guarantee the relevance of the values from metrics.

Note 3 to entry: For this, the failure modes of the functions provided by replaceable elements at the chosen maintenance level should be defined.

#### 3.1.18

### operational efficiency

SIST EN 9721:2022

<solution> measures https://standards.iteh.ai/catalog/standards/sist/d7adc8d4-a858-44f3-8754-0daeffebf689/sist-en-9721-2022

- the level of result obtained with regard to the effect sought by unit of time or effort to be made by the operator or
- the time necessary or the degree of effort to be made by the operator to obtain the level of result expected with regard to the effect sought

Note 1 to entry: Operational efficiency is an operational metric.

Note 2 to entry: Operational efficiency is the result of the performance and context of use:

Operational efficiency = function(Performance, Context)

Note 3 to entry: This notion is illustrated by the example given in A.1.

### 3.1.19

### performance

intrinsic quality of the solution irrespective of the usage contexts; it is a design metric

Note 1 to entry: This notion is illustrated by the example given in A.1.

### 3.1.20

### symptom

physical manifestation of a failure; symptoms can be observed through inspection, through tests or come from the system's usage information

### **EXAMPLE**

For example, the failure symptom (landing gear not down) has a *NOK* result to the test "Is the LG down?" when the "landing gear up" information is coded following a "lower landing gear" command. Respectively, the result will be OK if the "landing gear down" information is coded after sending the command.

Distinction between symptom and test result:

A test result is the coded expression of the result of observation of a symptom.

There are 2 types of test results:

- primary test results: those that result from the direct observation of a symptom;
- summary test results: those that result from an equation that combines other test results (primary or summary).

<u>Distinction between symptom</u> and coded information

In the landing gear example, the "landing gear not down" symptom originates from a combination of coded usage information: "lower landing gear" command and "landing gear up" information that do not come from the *BIT*.

### **3.1.21** SIST EN 9721:2022

system failure rate

https://standards.iteh.ai/catalog/standards/sist/d7adc8d4a858-44f3-8754-0daeffebf689/sist-en-9721-2022

frequency of occurrence of the failure *f*, expressed in number of occurrences per hour

Note 1 to entry: In the remainder of this document, it is considered that failure rates are constant over time. (This hypothesis is commonly accepted for electronic systems).

Note 2 to entry: The failure rate  $\lambda$  of a system is assessed based on the failure rates of the set of failures identified for this system. The system failure rate is equal to the sum of the failure rates for the failures identified for this system (with the constant failure rate hypothesis).

Note 3 to entry: The system failure rate only applies to the intrinsic failures of the system considered.

#### 3.1.22

### technical efficiency

measurement of operational efficiency related to the technical resources necessary for the solution; it is a design metric

### 3.1.23

#### test result

image of the presence or absence of a symptom; the result may take the OK or NOK value

# **3.1.24 troubleshooting** failure isolation process

### 3.2 Abbreviations

A table of indexes is provided at the end of the document (Annex C). It is used to find the definitions of the main terms used in this document.

The abbreviations are explained in Table 1.

## iTeh STANDARD PREVIEW (standards.iteh.ai)

SIST EN 9721:2022