Key technologies for airworthiness compliance verification of the solid-state power controller

Solid-state power distribution technology has advantages such as lightweight, automation, high power quality, and high fault tolerance, which has a very broad prospect. As the core device of solid-state power distribution technology, the application of the solid-state power controller (SSPP) is faced with the challenge that it is difficult to use the traditional compliance verification methods to demonstrate compliance with relevant airworthiness regulations in the application process. Based on the C919 aircraft power distribution system, this article proposed corresponding compliance verification methods, which combine explanation, analysis, and test verification, to confirm and validate the relevant functions, performance, and impact after the failure of SSPC. This may provide a reference for the development of related technologies in the future.


Introduction
Multi-power and all-power systems are the current development directions of large aircraft electrical systems, and the corresponding distribution systems are evolving in a distributed direction.Compared to conventional distribution technologies, solid-state distribution technology has many advantages, such as lightweight, automation, high power quality, and high fault tolerance capability.Solid-state Power Controllers (SSPC) are the core components of solid-state distribution technology, which could be used to achieve functions such as automatic load connection and disconnection, fault protection, state monitoring and recording, and Built-In Test (BIT) [1][2].
SSPCs have been commercially used since 1992 [3].With the continuous improvement of design and manufacturing capabilities, 115 V AC and high/low voltage DC SSPCs have been widely used in the distribution systems of large civil aircraft such as A380 and B787, military aircraft like F22 and F35, and some new aircraft.In addition, DC SSPCs with voltage levels ranging from 28 V to 120 V are used in the distribution system of the International Space Station for distributed distribution and circuit protection [4].In recent years, some universities and institutions have also conducted extensive research on AC/DC SSPC distribution technology [5][6][7].
The distribution system of C919 adopts SSPC-distributed distribution technology to replace traditional circuit protection devices.The use of solid-state distribution systems has the following advantages: it enables monitoring of the status of circuit protection devices, greatly reduces the number of control switches and control lines in the cockpit, reduces aircraft weight, improves system reliability and maintainability, and enables automatic control and management of loads, significantly enhancing the overall performance of the aircraft.However, due to the high requirements for the safety and maintainability of civil aircraft, there are still certain risks and challenges in the use of this technology.As compliance verification methods for traditional circuit protection devices are no longer sufficient to demonstrate the compliance of SSPC with relevant airworthiness requirements, both the EASA (European Aviation Safety Agency) and FAA (Federal Aviation Administration) have put forward explicit compliance methods for the application of SSPC technology in the B787 aircraft.In addition, CAAC has also raised special concerns regarding the first application of this technology, requiring applicants to study the airworthiness compliance of SSPC to ensure that SSPC possesses an equivalent level of safety to traditional circuit protection devices.
Based on the specific concerns raised by the CAAC and the design characteristics of the C919 aircraft's distribution system, this paper proposes corresponding compliance verification methods.By combining explanation, analysis, and testing, the relevant functions, performance, and post-failure effects of SSPC are confirmed and validated, demonstrating that this technology has the same level of safety as traditional circuit protection devices.

Key considerations for airworthiness authorities
Based on the considerations mentioned above, regulatory authorities should pay particular attention to the following issues.

Clarification of the protection function of SSPC
This section mainly focuses on four aspects of content: 1) It focuses on defining the protective functions of SSPC, including overload protection and arc fault protection; 2) It ensures the integrity and reliability of SSPC's functions, demonstrating their reliable implementation under corresponding fault conditions; 3) It ensures that SSPC does not have any adverse effects under all electrical fault conditions, such as temperature rise or even fire caused by faults; 4) It assesses the impact of SSPC single-point failures, such as the occurrence of hidden faults in normally closed switches that prevent disconnection during a failure.

Considerations for non-command actuation of SSPC
This section mainly focuses on two issues: 1) The review team requires that the probability of noncommand actuation of SSPC must be minimized; 2) Since all SSPCs in the power supply system adopt the same technology, power source, and control data, the impact of non-command actuation by a group of SSPCs should be considered, and evaluation results at the aircraft level should be provided.

Analysis of common cause failures in SSPC
The analysis of common cause failures includes specific risk analysis and common mode analysis, including risks such as bird strikes, fires, and rotor explosions.In the overall safety analysis of the aircraft, the impact of these specific risks or any other physical damage caused by common mode failures on SSPC and the resulting impact on the power supply system and related equipment should be considered.

Considerations for environmental qualification and installation
For the impact of aircraft environment and installation on SSPC, the following aspects should be emphasized: 1) SSPC must meet the development assurance level (DAL) requirements defined by the system.Since the loss of short-circuit protection functionality can lead to fire, the DAL of SSPC should be at least level B; 2) Temperature effects should be considered in environmental qualification and equipment installation (treating SSPC as a heat source).Adequate heat dissipation methods need to be demonstrated to avoid adverse effects on the power center of the power supply system and surrounding equipment; 3) Protection against lightning and HIRF should be considered for SSPC, including common mode effects (non-command actuation and short circuits); 4) We evaluate the impact of SSPC on the EMI of other systems; 5) We should protect SSPC and its power supply lines.

Considerations for human-machine interface
When adopting SSPC technology, the corresponding human-machine interface differs significantly from the traditional circuit protection devices.Therefore, the review team needs to focus on the following three issues: 1) It should demonstrate compliance with CCAR25.1357 in Section (d), which states that if flight safety requirements necessitate the ability to reset a circuit breaker or replace a fuse, the location and labeling of such circuit breakers or fuses should allow for easy resetting or replacement during flight.The design of SSPC's in-flight reset function and in-flight fuse replacement design needs to be clarified; 2) We evaluate the consideration of displaying and controlling the working status of SSPC in the cockpit and cabin; 3) We consider the human factors.

Protective function of SSPC 1) Definition of the protective function of SSPC
SSPCs on the C919 aircraft are installed in Remote Power Distribution Units (RPDUs), with each RPDU accommodating up to six SSPC cards.Each SSPC card could be configured with several independent power channels, with separate control and protection for each channel.
Each SSPC channel is equipped with electronic circuit breaker-based overcurrent protection and arc fault protection to safeguard the power supply lines from the SSPC output to the input of the electrical devices.
The action characteristics of the electronic circuit breaker overcurrent protection in the SSPC are similar to those of conventional thermal circuit breakers.The higher the overcurrent value is, the shorter the action time of the electronic circuit breaker is, as shown in Figure 1 (the 15 A SSPC is taken as an example).The rated current of each electronic circuit breaker in the power channels is programmatically set and can be set to 3 A, 5 A, 7.5 A, 10 A, or 15 A. Figure 1 shows the trip curve of the electronic circuit breaker overcurrent protection with a rated current value of 15 A. The trip curves for electronic circuit breakers with other rated output values are similar to Figure 1, with only differences in the magnitude of the trip current.When the SSPC detects an impulse current of 10 times or higher than its rated current, the electronic circuit breaker immediately trips to provide protection.This protection logic is primarily implemented to prevent excessive impulse current from damaging the hardware circuits of SSPC.In addition to the electronic circuit breaker, each SSPC power channel is also equipped with a fuse that matches its rated current value, providing backup protection in cases where the electronic circuit breaker fails to trip correctly during a fault.
The arc fault protection function of the SSPC (both AC and DC) is designed based on the Society of Automotive Engineers (SAE) Aerospace Standard (AS) 5692.Considering previous instances of false trips of similar SSPC arc fault protection functions in certain aircraft models, the arc fault protection function of the SSPC will not be enabled on the C919 aircraft.Instead, arc faults detected by the SSPC will only be logged in the Circuit Breaker Indication and Control system (CBIC) and be provided as maintenance information.Figure 2 shows the CBIC interface.

2) Integrity and reliability of SSPC functionality
The SSPCs on the C919 aircraft are provided by the UTAS.The reliability and integrity of UTAS's SSPC technology have been proven through its application on many aircraft models, including the Bombardier Global Express, ERJ 170, ERJ 190, B787-8, and B787-9.
In addition to the experiential data from these aircraft models, various methods such as analysis, equipment-level testing, and system integration testing will be employed to demonstrate the integrity and reliability of the SSPC functionality on the C919 aircraft.
(1) During the development process of the SSPCs, Failure Mode Effect Analysis (FMEA) is conducted to analyze all failure modes of the SSPCs and their impact on the equipment, ensuring that the design of the SSPCs complies with the relevant design requirements.For software and complex electronic hardware failures that cannot be analyzed in FMEA, we should strictly abide by the Provisions of DO-178B and DO-254 during the development of software and complex electronic hardware to limit the probability of failures.
(2) Various types of fault tests will be performed on the SSPCs to examine their ability to trip and protect correctly in the event of a fault.For DC SSPC power channels, ground fault tests will be conducted.For AC SSPC power channels, single-phase, two-phase, and three-phase ground fault tests, as well as phase-to-phase fault tests, will be conducted.For both DC and AC power channels, reset tests, high-resistance fault tests, and arc fault tests will also be performed under fault conditions.
(3) Matching tests between SSPC and different types of loads should be conducted to prove that SSPC can supply power to the corresponding loads normally under the expected load frequency state and load power factor state.
3) Considerations for SSPC's resistance to fault effects An equipment qualification assessment will be conducted on the RPDU to demonstrate that the SSPCs can operate properly under the expected working environmental conditions.The working environmental conditions of the SSPCs are determined based on their installation location, safety level, and the Standard of DO-160.Typical working environmental conditions include factors such as temperature, temperature variation, vibration, and altitude.
4) Considerations for single-point failure of SSPCs Fail-safe design principles must be employed.Special attention must be paid to single-point failures (including potential latent failures) of closed contact switches.To prevent failures due to overheating, SSPC must provide heating protection functions (fuses and circuit breakers) to prevent overheating failure.In the design and validation process of the SSPCs, the following measures will be taken: (1) The aircraft power distribution design will consider the function and safety requirements of the electrical equipment and the fail-safe characteristics of the SSPCs.For each equipment, the default state (i.e., the default position in fail-safe mode) of the SSPC channels in the event of failure will be defined.For critical systems with many redundant channels, at least one channel will be powered by a conventional thermal circuit breaker to prevent catastrophic failure caused by SSPC malfunctions.
(2) The safety analysis of the power and electrical systems will consider the safety implications of SSPCs failing to disconnect, both in notified and non-notified scenarios.
(3) A fuse will be installed in each SSPC power channel to provide backup protection in case the electronic circuit breaker fails to trip correctly.
(4) CBIC software (in the Gateway RPDU) will be implemented to monitor the status of each SSPC power channel and indicate the on/off status of the SSPCs on the multifunction display in the cockpit.If SSPC trips (whether the electronic circuit breaker trips or the fuse is blown), CAS information of "CB TRIP" will be generated.
(5) The SSPCs on the C919 aircraft incorporate self-diagnostic capabilities to detect internal faults and provide corresponding maintenance information.In the power system Failure Mode Effect Analysis (FMEA), all potential failure modes of the SSPCs will be analyzed, and their detectability will be examined.If there are any latent failures within the SSPCs, the applicant will determine the maintenance tasks corresponding to those failures through safety analysis and MSG-3 analysis and implement them in the respective manuals.

Non-directed action
To minimize risks, non-directed actions must be minimized.During the design process, software and complex electronic hardware related to the control of SSPC switching must be developed in accordance with at least Level B Standards of DO-178B and DO-254 to meet the safety requirements of the aircraft's electrical power system for SSPC power supply.
Additionally, when considering a set of SSPCs for common non-directed failures, attention should be given to issues that may arise from the use of the same technology, power sources, and data.In the safety analysis of the aircraft and power system, the applicant will evaluate the safety implications of many SSPCs failing to verify the correctness of the safety requirements in SSPC design.Once the correctness of the SSPC safety requirements is confirmed, the design of the SSPCs will be checked to ensure compliance with the relevant safety requirements.

Safety analysis
In the safety analysis of the power supply system, it is necessary to consider the physical damages caused by bird strikes, fires, rotor explosions, or other common-mode failures.The applicant will examine whether these common-cause failures could potentially result in the simultaneous failure of multiple SSPC channels.Based on the aircraft-level impact assessment of multiple SSPC channels failing together, the applicant will further analyze whether the probability of common-cause failures is acceptable, i.e., whether the probability of multiple SSPC channels failing simultaneously is within an acceptable range.

Considerations for environmental assessment and installation 1) SSPC development assurance level
For the issue of the DAL of SSPC, in the Preliminary System Safety Assessment (PSSA) of the power supply system, the FDAL of the SSPC is allocated as B. In the development of the SSPC, all software and complex electronic hardware related to SSPC power supply and fault protection are developed at least according to the B-level DAL.
2) Considerations for SSPC heat dissipation For the SSPCs in the RPDU of the C919 aircraft, natural convection cooling is employed to ensure the normal operation of internal devices under normal ambient temperatures.During the equipment qualification tests of the RPDU, environmental temperature tests will be conducted to verify the RPDU's ability and operate properly at a maximum ambient temperature of 70°C.In the installation design of the RPDU, the separation distance between the heat dissipation surface and surrounding devices, as well as the design of environmental control systems within the installation area, are considered to prevent adverse effects on the operation of surrounding equipment caused by the heat generated during operation.
3) Protection against lightning and HIRF for SSPCs Based on the functional level (B-level) and installation position of the SSPCs, corresponding requirements for lightning and high-intensity radiated fields (HIRF) protection are defined.The SSPC's identification tests will demonstrate that its lightning and HIRF protection designs meet the relevant design requirements.
4) EMI impact on other systems For the assessment of the EMI impact of SSPCs on other systems, in the design of the SSPCs, the RF energy emission level of the RPDU is defined as L, in accordance with the aircraft-level electromagnetic compatibility design requirements and relevant provisions of DO-160F in Section 21, to limit the electromagnetic interference levels that may be generated during operation.The equipment qualification activities of the RPDU will demonstrate that the electromagnetic interference generated during its operation does not exceed the provisions of DO-160F in Section 21 for RF energy emission level L. Furthermore, the C919 aircraft will undergo comprehensive electromagnetic compatibility tests on the ground and during flight to verify that the radiation levels of the SSPCs do not have an impact on surrounding equipment.5) Protection of SSPCs and their power supply lines For the protection of SSPCs and their power supply lines: 1) The protection of the SSPCs and the power supply lines to the electrical equipment is discussed in this document; 2) As for the protection of the power supply input lines to the SSPC boards, i.e., the protection of the busbars from the power system to the SSPC boards, a thermal circuit breaker is installed in the power supply system to protect each SSPC board.

The interface with the flight crew 1) Compliance with CCAR 25.1357 (d)
Regarding the issue of demonstrating compliance with CCAR 25.1357 (d), the design of the C919 aircraft's power supply system and the onboard electrical system ensures that there are no conditions or situations in flight where resetting an SSPC is crucial for flight safety.Therefore, there is no need to perform SSPC reset operations in flight.
2) SSPC status display and control capability For the evaluation of SSPC status display and control capability in the cockpit and cabin, as mentioned above, manual reset operations of SSPCs are not required in flight on the C919 aircraft.The on/off commands for SSPCs are generated by the main processor board of the Gateway RPDU and directly issued by the power/internal communication boards within each RPDU.Each SSPC power or maintain the state prior to the signal failure.For the SSPC status display, the Circuit Breaker Indication and Control (CBIC) software residing in the Gateway RPDU can provide an SSPC power channel status display through the multifunction display located in the cockpit.If an SSPC trips, a CAS alert message of "CB TRIP" will be generated.Based on the requirements, the reset strategy requires approval.Manual reset operations of SSPCs are not necessary in flight for the C919 aircraft.
3) Consideration of human factors For the consideration of human factors, the interface for Circuit Breaker Indication and Control (CBIC) on the C919 aircraft is a maintenance interface intended for use by maintenance personnel, and it is not required for use by the flight crew.The CBIC user interface has the following characteristics: 1) The CBIC interface is accessible and available both on the ground and in flight; 2) It can be accessed through the main display; 3) The CBIC interface standard incorporates graphical user interface standards for key flight crew and is a mature interface standard; 4) By using graphical user interface standards for flight crew, it can interact with other main displays; 5) Using standard graphical user interface standards for flight crew ensures that the CBIC interface is readable and usable in flight and during motion; 6) The use of standard interfaces reduces the possibility of unintended user inputs.
To support the maintenance use of SSPCs, the CBIC interface provides various methods for locating specific SSPCs.Specific SSPCs can be found based on the power distribution bus they are connected to, their installation location, the corresponding ATA chapter number of the equipment connected to the SSPC, or the status of the SSPC circuit breaker.

Conclusions
This article focuses on the key technologies for airworthiness compliance verification of solid-state power controllers (SSPCs) for civil aircraft.Through a comprehensive analysis of the design characteristics of the power distribution system of C919 aircraft and the requirements of airworthiness authorities, corresponding verification methods have been proposed.Through verification, it has been proven that SSPC has protection functions, consideration of nondirective actions, common cause analysis, environmental identification and installation, and compliance with human-machine interfaces.This research provides a reference for civil aircraft to use SSPC technology.When using SSPC technology, it is still necessary to pay attention to safety and maintainability requirements and comply with the regulations of airworthiness authorities.
channel has two redundant control signals.If both control signals fail, the SSPC will enter a pre-set open or closed state