Special thanks to Linh Le, Safety Assessment Program Manager, ANM-117, for developing this presentation. Contact him at email@example.com
Acronyms
• AC – Advisory Circular
• ARAC – Aviation Rulemaking Advisory Committee
• ARP – Aerospace Recommended Practice
• CTA – Centro Técnico Aeroespacial
• DAL – Development Assurance Level
• DGAC – Direction Générale de l’Aviation Civile
• FAA – Federal Aviation Administration
• FAR – Federal Aviation Regulations
• MCDC – Multiple Condition Decision Coverage
• HIRF – High Intensity Radiated Field
• SAE – Society of Automotive Engineers
• SOW – Statement of Work
S-18 Committee Charter
• Develop and maintain recommended practices for accomplishing initial design and in-service safety assessment of aircraft, and related systems and equipment, to support effective safety management.
S-18 Committee Members
• Airbus
• Boeing
• Rockwell Collins
• Honeywell International
• Cessna
• Raytheon
• B.F. Goodrich
• Hamilton Sundstrand
• Pratt & Whitney
• Rolls-Royce
• FAA
• DGAC
• Brazilian CTA
• Embraer
• Gulfstream
• more
Statement of Work (SOW)
• Proactively provide state-of-the-art guidance material for aircraft & system safety assessment:
  • Review & maintain ARP 4761, “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment” (1st publication 1996), as the state-of-the-art guidance document for aircraft safety assessment.
  • Review & maintain ARP 4754, “Certification Considerations for Highly-Integrated or Complex Aircraft Systems” (1st publication 1996), as the state-of-the-art guidance document for aircraft integration, requirements development, verification and validation.
• Develop new safety guidance material to meet industry needs.
SOW (cont)
• Completion plan: 1st Qtr 2007
• Committee meets 4 times a year.
• Next meeting: week of July 25, 2005
• Contacts:
  • Chair: John Dalton, firstname.lastname@example.org
  • Co-chair: Eric Peterson, email@example.com
• FAA Voting Members:
  • Linh Le, ANM-117
  • Lee Nguyen, AIR-120
Why Change?
• Industry has evolved and recognized that existing documents do not fully represent current practices and will not meet future needs.
• ARPs have a mandatory 5-year review cycle.
Why Change? (cont)
• Trends toward more integrated system designs create the need for a system engineering approach.
• New rulemaking
  • Most notably FAR/CS 25.1309. The ARAC proposed AC material describes applications of ARP4754 and ARP4761.
  • For the proposed rule/AC, see http://www.faa.gov/avr/arm/arac/aractasks/aracsysdesrecommendation.cfm?nav=6
Why Change? (cont)
• Publication of new industry guidance
  • DO-254, “Design Assurance Guidance for Airborne Electronic Hardware”, 4/2000.
  • ARP5150, “Safety Assessment of Transport Airplanes in Commercial Service”, 11/2003. (S18 is also the author of this ARP.)
• Incorporate lessons learned.
Proposed Changes to ARP4754
• New title: “Guidance for Development, Validation, and Verification of Aircraft Systems”
  • Reflects true intent and wider application.
  • Not limited to “highly-integrated” or “complex” systems.
  • Implies relationship to in-service safety.
Proposed Changes to ARP4754
• Content is more system-engineering oriented:
  • Encompasses the end-to-end airplane life cycle, including post-certification modification
  • Adds guidance on an airplane-level safety plan
  • Adds guidance on airplane-level safety assessment (vs. system-level)
  • Generically describes the safety assessment process and refers to ARP4761 for details
  • Provides additional details on Configuration Management
Proposed Changes to ARP4754
• Content may be reorganized to:
  • Clarify and guide the thought process
  • More closely reflect the logical process flow
    • e.g. safety assessment comes before development assurance level assignment
Proposed Changes to ARP4754
• An integral approach to the assignment of development assurance levels (DAL):
  • DAL is a system safety requirement to be captured at the outset of the system development life cycle, and then iterated as the system definition matures.
  • DAL is mapped starting from the airplane-level function, through the system architecture definition, and finally to software/hardware component definitions.
Proposed Changes to ARP4754
• DAL assignment philosophy:
  • Uphold the “architectural considerations” philosophy of the existing ARP4754
  • Focus on finding the correct DALs, not on reducing the DAL
  • Integrate experience with DO-178B and DO-254
  • Be mindful of the limitations of the assurance process
Proposed Changes to ARP4754
• Unlike the current section 5.4, the proposed process does not pre-assign the DALs.
  • Avoids “shoehorning” (forcing the design, or the interpretation of the design, to match one of the 5 example architectures in Table 5.2)
  • Relies primarily on the mature and generic safety assessment process. Agreement on the safety assessment results often eliminates DAL assignment controversies.
  • Takes into account the capabilities of the existing software and electronic hardware assurance processes (DO-178B and DO-254, respectively).
  • Maximizes flexibility for system engineers
Proposed Changes to ARP4754
• In most cases, results are very similar or identical to those given by today’s ARP4754:
  • At least one component under the “AND” gate will usually have its DAL directly correlate to the hazard classification of the top failure condition.
  • In cases where dissimilarity and independence between redundant failure paths are substantiated, and the top failure is caused by loss of function (as opposed to malfunction), the failure paths can be assured at a DAL lower than the top failure effect (e.g. a level A system objective is satisfied by level B components).
Proposed Changes to ARP4754
• However, in (rare) situations where the top failure condition can only be caused by malfunctions, one of the redundant paths would be commensurate with the top failure effect, to ensure the necessary error-finding assurance activities (i.e., MCDC for catastrophic conditions, verification independence for hazardous conditions, etc.)
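As an added illustration (not from the presentation or from the S-18 committee's own material), the following Python script encodes the AND-gate DAL assignment rule described on this and the previous slide and propagates it down a nested architecture, mirroring the proposed mapping from airplane-level function to software/hardware component. The hazard-classification-to-DAL correspondence, the one-level relaxation, and the treatment of the paths the slides do not specify (every path at the parent level when independence is not substantiated; the remaining paths one level lower in the malfunction-only case) are assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Dal(IntEnum):
    """Development assurance levels; a smaller value is more demanding."""
    A = 1
    B = 2
    C = 3
    D = 4
    E = 5

# Assumed correspondence between failure-condition classification and the DAL
# required of the top-level function.
HAZARD_TO_DAL = {"catastrophic": Dal.A, "hazardous": Dal.B, "major": Dal.C,
                 "minor": Dal.D, "no safety effect": Dal.E}

@dataclass
class Component:
    """Leaf of the architecture: a software or hardware item that receives a DAL."""
    name: str

@dataclass
class AndGate:
    """Redundant failure paths that must all fail for the parent effect to occur."""
    paths: list              # Component or nested AndGate
    independent: bool        # dissimilarity and independence substantiated
    loss_of_function: bool   # parent effect is loss of function, not malfunction

def assign(node, required, out):
    """Propagate the DAL required of `node` down to its components (into `out`)."""
    if isinstance(node, Component):
        # A component reached through several gates keeps its most demanding level.
        out[node.name] = min(out.get(node.name, Dal.E), required)
        return out
    relaxed = Dal(min(required + 1, Dal.E))  # one level lower, e.g. A -> B
    if len(node.paths) < 2 or not node.independent:
        # No credit for redundancy; assumption: every path carries the parent DAL.
        levels = [required] * len(node.paths)
    elif node.loss_of_function:
        levels = [relaxed] * len(node.paths)  # e.g. level A met by level B paths
    else:
        # Malfunction-only effect: one path stays commensurate with the parent so the
        # error-finding activities remain; assumption: the others take the relaxed level.
        levels = [required] + [relaxed] * (len(node.paths) - 1)
    for path, level in zip(node.paths, levels):
        assign(path, level, out)
    return out

def assign_for_hazard(hazard, tree):
    """Derive component DALs from the top failure condition's classification."""
    return assign(tree, HAZARD_TO_DAL[hazard], {})
```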
In Store for ARP4754
• Recognize that “high severity” design errors (i.e., those that may cause catastrophic or hazardous consequences) in complex systems (particularly software-driven systems) are often traced to requirement errors, rather than implementation (development) errors.
• Put more emphasis on requirement specification and validation.
ARP4761 Update
• So far, no major changes have been proposed
• Minor corrections and clarifications of existing materials.
In Store for ARP4761
• Committee plans to address:
  • Validation and verification, traceability of safety requirements
  • Integration with DO-254 (most notably the “decomposition” process for level A and B functions)
  • Considerations for human errors in safety assessment
  • Operational reliability
  • Software safety assessment
  • Shared resources
  • Addition of HIRF to Particular Risk Analysis
  • Wiring failures
Conclusion
• S-18 Aircraft Safety Assessment Committee:
  • Published “Safety Assessment of Transport Airplanes in Commercial Service” (ARP5150) in 2003
  • Plans to complete revisions in early 2007:
    • “Guidance for Development, Validation, and Verification of Aircraft Systems” (ARP-4754)
    • “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment” (ARP-4761)
• Questions? Please contact the committee chairs (see slide 7)
• Thanks again to Linh Le for his help.