Safety Assessment Process

SAE ARP 4761 - Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment
• Provides general guidance in evaluating the safety aspects of a design
• Describes the safety assessment process for certification of civil aircraft
• Identifies systematic means to show compliance with FAR/JAR 25.1309
• It is intended to be used in conjunction with other applicable guidance materials, including ACs, ARP 4754 and DO-178
Safety Assessment Process
Aircraft Functional Hazard Assessment (FHA) - Aircraft functions identification
Aircraft functions, 1st level:
• Control Thrust
• Control Flight Path
• Determine Orientation
• Control Aircraft on the Ground
• Control Cabin Environment
2nd level functions under Control Aircraft on the Ground:
• Determine Air/Ground Transition
• Decelerate Aircraft on the Ground
• Control Aircraft Direction on the Ground
• Determine Position and Heading
Aircraft Functional Hazard Assessment (FHA) - Failure conditions effects determination
1. Function | 2. Failure Condition | 3. Phase | 4. Effect of Failure on Aircraft/Crew | 5. Classification (assigned in the next step)
Decelerate Aircraft on the Ground | Loss of Deceleration Capability | Landing/RTO/Taxi | See below
a. Unannunciated loss of deceleration capability | Landing/RTO | Crew is unable to decelerate the aircraft, resulting in a high speed overrun.
b. Annunciated loss of deceleration capability | Landing | Crew selects a more suitable airport, notifies emergency ground support, and prepares occupants for landing overrun.
c. Unannunciated loss of deceleration capability | Taxi | Crew is unable to stop the aircraft on the taxiway, resulting in low speed contact with terminal, aircraft, or vehicles.
d. Annunciated loss of deceleration capability | Taxi | Crew steers the aircraft clear of any obstacles and calls for a portable stair.
Aircraft Functional Hazard Assessment (FHA) - Failure conditions effects classification: Severity
Severity Classification: FAA | JAA
Catastrophic | Catastrophic
Severe Major | Hazardous
Major | Major
Minor | Minor

Failure Condition | Effect
Catastrophic | All failure conditions which prevent continued safe flight and landing
Hazardous | Large reduction in safety margins or functional capabilities; higher workload or physical distress such that the crew could not be relied upon to perform tasks accurately or completely; adverse effects upon occupants
Major | Significant reduction in safety margins or functional capabilities; significant increase in crew workload or in conditions impairing crew efficiency; some discomfort to occupants
Minor | Slight reduction in safety margins; slight increase in crew workload; some inconvenience to occupants
Aircraft Functional Hazard Assessment (FHA) - Failure conditions effects classification
1. Function | 2. Failure Condition | 3. Phase | 4. Effect of Failure on Aircraft/Crew | 5. Classification
Decelerate Aircraft on the Ground | Loss of Deceleration Capability | Landing/RTO/Taxi | See below |
a. Unannunciated loss of deceleration capability | Landing/RTO | Crew is unable to decelerate the aircraft, resulting in a high speed overrun. | Catastrophic
b. Annunciated loss of deceleration capability | Landing | Crew selects a more suitable airport, notifies emergency ground support, and prepares occupants for landing overrun. | Hazardous
c. Unannunciated loss of deceleration capability | Taxi | Crew is unable to stop the aircraft on the taxiway, resulting in low speed contact with terminal, aircraft, or vehicles. | Major
d. Annunciated loss of deceleration capability | Taxi | Crew steers the aircraft clear of any obstacles and calls for a portable stair. | No Safety Effect
Aircraft Functional Hazard Assessment (FHA) - Safety requirements
Severity Classification (FAA / JAA) | Probability (FAA / JAA) | Probability per flight hour
Catastrophic / Catastrophic | Extremely Improbable / Extremely Improbable | P < 1E-9
Severe Major / Hazardous | Improbable / Extremely Remote | P < 1E-7
Major / Major | Improbable / Remote | P < 1E-5
Minor / Minor | Probable / Reasonably Probable | P < 1E-3
(The JAA scale also has a Frequent level above Reasonably Probable; the FAA scale uses the single level Improbable for both Severe Major and Major.)
Aircraft Functional Hazard Assessment (FHA) - Preliminary aircraft FTA: fault tree symbols
• BASIC EVENT: a basic initiating fault requiring no further development
• UNDEVELOPED EVENT: an event which is not further developed, either because it is of insufficient consequence or because information is unavailable
• HOUSE EVENT: an event which is normally expected to occur
• AND gate: output fault occurs if all of the input faults occur
• OR gate: output fault occurs if at least one of the input faults occurs
• TRANSFER IN: indicates that the tree is developed further at the occurrence of the corresponding TRANSFER OUT (e.g., on another page)
• TRANSFER OUT: indicates that this portion of the tree must be attached at the corresponding TRANSFER IN
Aircraft Functional Hazard Assessment (FHA) - Preliminary Aircraft Fault Tree Analysis (FTA)
Safety Objective Verification (flowchart)
Starting from the System FHA failure conditions, the depth of analysis required for each failure condition is decided as follows:
• Hazardous or Catastrophic? Yes: qualitative and quantitative analysis.
• Otherwise, Major? No: no further analysis; the condition is recorded in the FHA Summary.
• Major: routed through "Service Experience Relevant?" and "High Complexity?". Qualitative analysis only where relevant service experience exists and the system is not highly complex; qualitative and quantitative analysis otherwise.
• All results are collected in the FHA Summary.
System Functional Hazard Assessment (FHA)
1. Function | 2. Failure Condition | 3. Phase | 4. Effect of Failure on Aircraft/Crew | 5. Classification
Decelerate Aircraft using Wheel Braking | Total loss of wheel braking | Landing or RTO | See below |
a. Unannunciated loss of wheel braking | Landing or RTO | The crew detects the failure when the brakes are operated. The crew uses spoilers and thrust reversers to the maximum extent possible. This may result in a runway overrun. | Hazardous
b. Annunciated loss of wheel braking | Landing | Crew selects a more suitable airport, notifies emergency ground support, and prepares occupants for landing overrun. Crew uses spoilers and thrust reversers to the maximum extent possible. | Hazardous
Preliminary System Safety Assessment (PSSA) - System FTA
Preliminary System Safety Assessment (PSSA) - Derived Safety Requirements
Safety Requirement | Design Decisions | Remarks
1. Loss of all wheel braking (unannunciated or annunciated) during landing or RTO shall be less than 5E-7 per flight. | More than one hydraulic system required to achieve the objective (service experience). Dual channel BSCU and multimode brake operations. | The overall wheel brake system availability can reasonably satisfy this requirement.
2. Asymmetrical loss of wheel braking coupled with loss of rudder or nose wheel steering during landing shall be less than 5E-7 per flight. | Separate the rudder and nose wheel steering system from the wheel braking system. Balance hydraulic supply to each side of the wheel braking system. | The wheel braking system will be shown to be sufficiently independent from the rudder and nose wheel steering systems.
3. Inadvertent wheel braking with all wheels locked during takeoff roll before V1 shall be less than 5E-7 per flight. | None | Requirement 4 is more stringent and hence drives the design.
4. Inadvertent wheel braking of all wheels during takeoff roll after V1 shall be less than 5E-9 per flight. | No single failure shall result in this condition. | None
Hardware Design - ARP 4761: Wheel Brake System Analysis
Safety Assessment Process
System Safety Assessment (SSA) - Functional Failure Modes and Effects Analysis (FMEA)
Function Name: 5 Volt (BSCU power supply)
Failure Mode | Failure Rate (E-6 per hour) | Flight Phase | Failure Effect | Detection Method | Comments
5V out of spec. | 0.2143 | All | Possible P/S shutdown | Power Supply Monitor trips, shuts down supply and passes "invalid power supply (P/S)" to other BSCU system | BSCU channel fails
5V short to ground | 0.2857 | All | P/S shutdown | Power Supply Monitor passes invalid P/S to other BSCU system | BSCU channel fails
Loss of/reduced filtering | 0.3571 | All | Increased ripple | May pass out-of-spec voltage to rest of BSCU if ripple is such that it is not detected by P/S monitor | May cause spurious P/S monitor trip
5V open | 0.5714 | All | P/S shutdown | Power Supply Monitor passes invalid P/S to other BSCU system | BSCU channel fails
No effect | 0.1429 | All | No effect | None | No effect
Total Failure Rate (E-6 per hour) | 1.5714
System Safety Assessment (SSA) - Piece Part FMEA
Component ID | Part Type | Failure Mode | Failure Rate (E-6) | Code | Failure Effect | Detection Method
C1 | Ceramic capacitor | short | 0.0073 | 3 | Under voltage monitor stuck tripped | P/S shut down by monitor
C1 | Ceramic capacitor | open | 0.0013 | 2 | Loss of delay, spurious monitor trips | P/S shutdown
C1 | Ceramic capacitor | low cap. | 0.0019 | 2 | Decrease delay to trip | (blank)
C2 | Ceramic capacitor | short | 0.0073 | 3 | Over voltage monitor stuck tripped | P/S shut down by monitor
C2 | Ceramic capacitor | open | 0.0013 | 2 | Loss of delay, spurious monitor trips | P/S shutdown
C2 | Ceramic capacitor | low cap. | 0.0019 | 2 | Decrease delay to trip | (blank)
U1A | Comparator IC | output open | 0.0124 | 1 | Under volt monitor stuck valid | Bench test
U1A | Comparator IC | output grounded | 0.0056 | 3 | Under volt monitor trips | P/S shutdown
U1A | Comparator IC | high offset voltage | 0.0062 | 4 | Loss of monitor sensitivity | Bench test
U1B | Comparator IC | output open | 0.0124 | 1 | Over volt monitor stuck valid | Bench test
U1B | Comparator IC | output grounded | 0.0056 | 3 | Over volt monitor trips | P/S shutdown
U1B | Comparator IC | high offset voltage | 0.0062 | 4 | Loss of monitor sensitivity | Bench test
System Safety Assessment (SSA) - System FTA
Integration Cross-check - System Integration Cross-check
No. | FHA Requirement: Condition | Objective | Design Result from SSA: Event | Probability
1 | Loss of all braking during landing or RTO | 5.00E-07 | Loss of all wheel braking | 3.20E-08
2 | Asymmetrical loss of wheel braking & loss of rudder or nose steering | 5.00E-07 | (Editor's Note: not developed in this example)
3 | Inadvertent wheel braking during takeoff or landing rollout | 5.00E-07 | (Editor's Note: not developed in this example)
4 | Inadvertent wheel braking during takeoff before V1 | 5.00E-09 | (Editor's Note: not developed in this example)
5 | Undetected inadvertent wheel braking during takeoff | 5.00E-09 | (Editor's Note: not developed in this example)
Integration Cross-check - Installation Cross-check
COMMON MODE SOURCE | COMMON MODE ERROR | JUSTIFICATION
Location | Local event leading to total loss of wheel braking | Main equipment of both systems is located at the landing gear zone. Physical segregation of electrical wires and hydraulic paths.
Installation (procedures and fitter) | Installation error | Installation quality: double inspection. After the installation phase, visual inspection and operational tests of the Normal, Alternate and Emergency systems are performed.
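The quantitative chain the deck walks through (FMEA failure rates feeding fault tree basic events, AND/OR gate evaluation, minimal cut sets for the "no single failure" requirement, and the cross-check of the SSA result against the FHA/PSSA objective) as a runnable Python example. This is an added example, not code or data from ARP 4761 or the slides: the 5 V supply failure rates are the ones in the functional FMEA table above; the 5-hour average flight is an assumption chosen because it reproduces the deck's 5E-7 and 5E-9 per-flight objectives from the per-flight-hour values; and the tree structure, the hydraulic/accumulator/selector-valve probabilities and the common-mode event are hypothetical (the slides give only the SSA result 3.20E-08, not the tree behind it).

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Union

# Probability objectives per flight hour, JAA classification names (from the FHA table).
OBJECTIVE_PER_FLIGHT_HOUR = {"Catastrophic": 1e-9, "Hazardous": 1e-7, "Major": 1e-5, "Minor": 1e-3}

# ASSUMPTION: 5 h average flight. 1E-7/FH x 5 h = 5E-7 per flight and 1E-9/FH x 5 h = 5E-9
# per flight, which are the per-flight objectives used in the PSSA requirements.
AVG_FLIGHT_HOURS = 5.0


def objective_per_flight(classification: str, flight_hours: float = AVG_FLIGHT_HOURS) -> float:
    """Per-flight objective derived from the per-flight-hour objective for a classification."""
    return OBJECTIVE_PER_FLIGHT_HOUR[classification] * flight_hours


# Functional FMEA of the BSCU 5 V supply (failures per 1E6 hours, from the SSA FMEA table).
# "5V out of spec" is listed as *possible* P/S shutdown; it is counted conservatively here.
FMEA_5V = [  # (failure mode, rate E-6/h, failure effect)
    ("5V out of spec", 0.2143, "P/S shutdown"),
    ("5V short to ground", 0.2857, "P/S shutdown"),
    ("Loss of/reduced filtering", 0.3571, "Increased ripple"),
    ("5V open", 0.5714, "P/S shutdown"),
    ("No effect", 0.1429, "No effect"),
]


def total_failure_rate(fmea) -> float:
    """The FMEA 'Total Failure Rate' column: sum over all failure modes (E-6/h)."""
    return sum(rate for _, rate, _ in fmea)


def rate_for_effect(fmea, effect: str) -> float:
    """Failure rate (E-6/h) of the modes that produce one failure effect."""
    return sum(rate for _, rate, eff in fmea if eff == effect)


def per_flight_probability(rate_e6: float, exposure_hours: float) -> float:
    """First-order conversion lambda*T, adequate while lambda*T << 1."""
    return rate_e6 * 1e-6 * exposure_hours


@dataclass
class Basic:
    name: str
    prob: float  # probability of the event over the exposure interval (one flight)


@dataclass
class Gate:
    name: str
    kind: str  # "AND" or "OR"
    inputs: list


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Top-event probability, treating gate inputs as independent (no common cause)."""
    if isinstance(node, Basic):
        return node.prob
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":  # all inputs must fail
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.kind == "OR":  # at least one input fails: 1 - prod(1 - p_i)
        q = 1.0
        for x in ps:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that are sufficient to cause the top event."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    children = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        candidates = [s for cs in children for s in cs]
    else:  # AND: one cut set from every input, unioned
        candidates = [frozenset().union(*combo) for combo in product(*children)]
    minimal: List[frozenset] = []
    for s in sorted(set(candidates), key=len):
        if not any(m <= s for m in minimal):  # drop supersets of an already-minimal set
            minimal.append(s)
    return minimal


def min_cut_order(node: Node) -> int:
    """Order of the smallest cut set; 1 means a single failure causes the top event."""
    return min(len(s) for s in minimal_cut_sets(node))


def meets_objective(top: Node, classification: str) -> bool:
    """The integration cross-check: SSA result versus the FHA/PSSA objective."""
    return probability(top) < objective_per_flight(classification)


# Hypothetical tree for "Loss of all wheel braking" (structure and numbers are assumptions).
bscu_channel_p = per_flight_probability(rate_for_effect(FMEA_5V, "P/S shutdown"), AVG_FLIGHT_HOURS)
bscu_both = Gate("Both BSCU channels fail", "AND",
                 [Basic("BSCU channel 1 fails", bscu_channel_p), Basic("BSCU channel 2 fails", bscu_channel_p)])
loss_normal = Gate("Loss of normal braking", "OR", [Basic("Green hydraulic supply lost", 5.0e-4), bscu_both])
loss_alternate = Gate("Loss of alternate braking", "OR",
                      [Basic("Blue hydraulic supply lost", 4.0e-4), Basic("Selector valve fails", 1.0e-4)])
loss_emergency = Basic("Accumulator braking lost", 2.0e-3)
LOSS_OF_ALL_BRAKING = Gate("Loss of all wheel braking", "AND", [loss_normal, loss_alternate, loss_emergency])

# Same tree with an undetected common-mode installation error OR-ed in (hypothetical 1E-6):
# the kind of single-point cause the installation cross-check has to rule out.
WITH_COMMON_MODE = Gate("Loss of all wheel braking (with common mode)", "OR",
                        [LOSS_OF_ALL_BRAKING, Basic("Common-mode installation error", 1.0e-6)])

if __name__ == "__main__":
    for tree in (LOSS_OF_ALL_BRAKING, WITH_COMMON_MODE):
        print(f"{tree.name}: P = {probability(tree):.2e} per flight, min cut order = {min_cut_order(tree)}, "
              f"Hazardous objective {'met' if meets_objective(tree, 'Hazardous') else 'NOT met'}")
```

The first tree comes out around 5E-10 per flight with a minimum cut set order of 3, inside the 5E-7 Hazardous objective. OR-ing in a single undetected common-mode installation error at 1E-6 lifts the top event above 5E-7 and creates an order-1 cut set, which is exactly what the installation cross-check and PSSA requirement 4 ("no single failure") exist to exclude. The gate arithmetic assumes independent inputs, so the number is only as good as the common cause analysis behind it.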
SAE ARP 4761 - Summary
• Iterative, system engineering process that can start in the concept formation stage
• Assumes accidents are caused by chains of component failures and malfunctions
• Focuses on component failures and common cause/mode failures
• Primarily quantitative, i.e., to show compliance with FAR/JAR 25.1309. Qualitative analyses (e.g., CCA) are used where probabilities cannot be derived or are not appropriate
• Human factors are treated separately and are not addressed by ARP 4761
• Operations are generally not included, except for generating installation and maintenance requirements
Activities
Step 1: Safety Criteria • Severity • Life time
Step 2: Safety Criteria • Probability definition • System functions
Safety criteria - Severity
SEVERITY CATEGORIES
Description | Severity Category | Mishap Result Criteria
Catastrophic | 1 |
Critical | 2 |
Marginal | 3 |
Negligible | 4 |
Safety criteria - Probability
PROBABILITY LEVELS
Description | Level | Specific Individual Item | Fleet or Inventory
Frequent | A | |
Probable | B | |
Occasional | C | |
Remote | D | |
Improbable | E | |
Eliminated | F | |
Safety criteria - Probability
Safety criteria - Risk (Mil)
Safety criteria - Probability vs. Severity (Civil)