
Safety Assessment Processes of ARP4761: Major Revision


Preliminary Aircraft Safety Assessment (PASA): This analysis (B.4.2) consists of a traditional top-down safety analysis which includes considerations such as failure probability allocations to systems and may capture additional independence principles to be assessed by the common cause methods


Transcription of Safety Assessment Processes of ARP4761: Major Revision

Jim Marko, Manager, Aircraft Integration & Safety Assessment
14 November 2018

Safety Assessment Processes of ARP4761: Major Revision

Presentation Outline
What is changing
ARP4761 Relationship to ARP4754A Development Assurance
New methods
Changes to existing methods
Safety methods other than ARP4761A

What's happening to ARP 4761?
Revision commenced in early 2012 within the SAE S18 Aircraft & Systems Development and Safety Assessment Committee.
Essentially a near complete revision of the document that is nearing publication.
New processes and analytical methods being added to reflect the trend towards more highly integrated and increasingly complex system designs.
Introduces the concept of Aircraft-Level Safety Assessment to complement the traditional system-level safety assessment

ARP4761A Safety Assessment Process
[Slide diagram. Labels, in extraction order: Current ARP 4761 Rev - Appendices; Functional Hazard Assessment; Preliminary System Safety Assessment; Contiguous Example; System Safety Assessment; Particular Risk Analysis; Zonal Safety Analysis; FTA, DD, FMEA, Markov; Common Mode Analysis; Aircraft Functional Hazard Assessment; System Functional Hazard Assessment; New Appendices for ARP 4761 Rev A; Cascading Effects Analysis; Aircraft Safety Assessment; Preliminary Aircraft Safety Assessment; Model Based Safety Assessment; Single Event Effects AIR 6218; Contiguous Example; In-Service Safety Assessment ARP 5150/5151; Development Assurance Assignment; Other Developments.]

ARP 4754A Development Assurance Processes / ARP4761A Safety Assessment Process Interactions
Modern aircraft architecture is increasingly becoming a system-of-systems, where many systems interact with and are dependent upon each other to perform aircraft functional objectives.
The era of having federated systems that can be correctly and completely assessed in silos, independent from other systems, is rapidly closing.
The Challenge: Ensuring that a correct and complete safety assessment process is carried out in this environment.
ARP 4761A has been designed to start at the highest functional level and capture the safety objectives that are necessary to meet these aircraft and system functional

ARP4761 Relationship to ARP4754A Development Assurance
The safety assessment processes of ARP 4761A are carried out at all stages of the design development process, eventually producing derived safety requirements.

These derived safety requirements can be both qualitative and quantitative in nature that feed into the systems development assurance processes of ARP 4754A.
The ARP 4754A processes perform validation and verification of safety requirements in order to increase the confidence that errors have been minimized to the maximum extent practicable.

ARP4761 Relationship to ARP4754A Development Assurance
[Slide diagrams. Recoverable labels: requirements identification, allocation, integration and verification at aircraft, system and item (unit) level; Development Assurance process and Safety Assessment process; Aircraft FHA, PASA, Aircraft FTA, Aircraft CCA, ASA; System FHA, System PSSA, System CCA, System SSA; Item PSSA, Item CMA, Item FMEA/FMES, Item SSA; Software Design, Hardware Design, Item Design & Implementation; DO-178C/DO-254 Process, ED-12C/ED-80 Process, ARP4754B Process; Validation of requirements at the next highest level; Top Down Safety Requirements Development; Bottom Up Safety Requirements Verification.]

Aircraft Functional Hazard Assessment (AFHA)
The Aircraft Functional Hazard Assessment (AFHA) is a top level process that allows the identification and evaluation of potential hazards related to an aircraft regardless of the details of its design.

It is performed early in the development process and is used to establish the safety objectives for the functions of the aircraft to achieve a safe design.
The AFHA process is a top down method for identifying aircraft-level functional failure conditions, how those functions can fail (loss or malfunction) and the severity of failure condition effects.

The AFHA is not expected to significantly change as the development process proceeds since the aircraft level functions and decomposition do not depend on system architecture.
Only assumptions found to be incorrect, changes to basic airframe definitions, introduction of new functions or high level operating parameters have the potential to invoke a revision of the AFHA.
AFHA results are an input to the PASA. If the PASA identifies deficiencies in the analysis, or design deficiencies that cause aircraft functional information to be changed, this may result in an iteration of the Functional Hazard Assessment (AFHA)

Completeness and correctness of the AFHA:
All the aircraft level functions have been considered;
All failure conditions have been identified for each aircraft function;
The failure effects on the aircraft, crew and occupants are complete and correct for each failure condition occurring during each flight phase;
The correct failure classification has been selected based on the failure effects; and
The assumptions used to develop the assessment are confirmed and evidence is provided.

Preliminary Aircraft Safety Assessment (PASA)
The PASA process, beginning during the initial aircraft architecture development phase, assesses a proposed aircraft architecture with the intent of identifying the need for aircraft level safety requirements.
The PASA is important when evaluating complex integration of aircraft systems that pose additional failure combinations that might not otherwise be present when aircraft functions are implemented by stand-alone systems.
The PASA identifies the interactions and dependencies between the aircraft systems that together implement an aircraft-level

PASA assesses how these interactions can lead to the aircraft level failure conditions identified by the AFHA, and determines whether the safety objectives can be met.
Includes assessing the reliance on common resources, hydraulic power, electrical power, air data, air-ground logic, common computing and data networks.
The main objectives of the PASA are to assess the aircraft architectures and develop safety requirements so that aircraft and individual systems development can proceed with reduced risk.

Interdependence analysis
Provides visibility of the interactions between aircraft functions and systems.
Used in the failure condition evaluation to identify the need for functional independence and separation.
An aircraft-level function and associated AFHA failure conditions to analyze, all systems in the aircraft architecture (which may include resource systems), which systems could contribute to that aircraft-level failure condition, above steps for each aircraft level function and associated AFHA failure

Failure Condition Evaluation
From the interdependence analysis, an assessment of these systems' contributions to aircraft-level failure conditions is carried out.
Introduces the concept of an aircraft-level fault tree for each aircraft-level failure condition to help understand interactions and relationships of systems.
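The interdependence analysis described above, sketched as an added example that is not taken from the presentation or from ARP4761A: for each aircraft-level function it walks the systems that implement it, follows their reliance on resource systems, and reports resources common to every implementing system, which is where independence or separation requirements would be needed. The functions, system names and dependency map are constructed for illustration.

```python
from collections import defaultdict

# Constructed aircraft-level functions -> systems that implement them.
FUNCTIONS = {
    "decelerate on ground": ["wheel_brakes", "spoilers", "thrust_reversers"],
    "control pitch": ["elevator_left", "elevator_right"],
}
# Constructed direct dependencies of each system on resource systems.
DEPENDS_ON = {
    "wheel_brakes": ["hydraulic_A", "air_ground_logic"],
    "spoilers": ["hydraulic_B", "air_ground_logic"],
    "thrust_reversers": ["hydraulic_A", "air_ground_logic"],
    "elevator_left": ["hydraulic_A"],
    "elevator_right": ["hydraulic_B"],
    "hydraulic_A": ["electrical_bus_1"],
    "hydraulic_B": ["electrical_bus_2"],
    "air_ground_logic": ["electrical_bus_1"],
}

def resources_of(system, seen=None):
    """All resource systems a system relies on, directly or transitively."""
    seen = set() if seen is None else seen
    for dep in DEPENDS_ON.get(system, []):
        if dep not in seen:  # the seen set also guards against dependency cycles
            seen.add(dep)
            resources_of(dep, seen)
    return seen

def interdependence(function):
    """Map each resource to the implementing systems that rely on it."""
    users = defaultdict(set)
    for system in FUNCTIONS[function]:
        for res in resources_of(system):
            users[res].add(system)
    return users

def common_resources(function):
    """Resources whose loss touches every system implementing the function."""
    systems = set(FUNCTIONS[function])
    return sorted(r for r, u in interdependence(function).items() if u == systems)

if __name__ == "__main__":
    for fn in FUNCTIONS:
        print(fn, "->", common_resources(fn) or "no single common resource")
```

In this constructed architecture the three deceleration systems look independent at the system level, yet all of them rely on the air-ground logic and, through it, on one electrical bus; the two elevator channels share nothing.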

