There’s a lot to consider when developing and engineering aircraft. All those considerations come with a lot of QA activities, safety and structural tests, and rigorous analysis—if only more people knew how many assessments like these occurred, fear of flying might be a thing of the past. Ultimately, all the trials and tests come down to ensuring safe, reliable flights, no matter the conditions, cargo, or crew. Specifically for aircraft systems safety, the multistep process gets lengthy and difficult to navigate at times. So, we developed a four-step review covering the key milestones in aircraft system safety assessments, centered around the primary standard, ARP-4761A.
First, let’s take a quick look at ARP-4761A and the purpose of Aircraft System Safety Assessments.
ARP-4761A provides the guidelines and methods for conducting the Safety Assessment Process on civil airborne systems and equipment. A common misconception is that the safety assessment goal is to eradicate the potential for hazards. Though noble, that goal is simply impossible considering all complexities, variables and necessarily asynchronous avionics systems involved in aircraft. Instead, potential hazards must be effectively uncovered and quantified via the following philosophy:
- A severe hazard may be tolerable if the probability of its occurrence is acceptably low
- A probable hazard may be tolerable if the effect of the hazard on the aircraft, flight crew, and occupants is acceptable
- The probability of the occurrence of a hazard must be inversely proportional to its severity
The entire safety assessment process, supported by ARP-4761A, involves a series of analyses pertaining to the system and aircraft. As the safety assessment proceeds, the following documentation typically accompanies the various analyses:
• Aircraft Functional Hazard Assessment (FHA)
• Aircraft Fault Tree Analyses (FTAs)
• System FHAs
• System FTAs
• System Failure Modes and Effects Analyses (FMEAs)
• Item FTAs
• Item FMEAs
Here are those documents comprising Aircraft System Safety Assessment and their functions condensed and explained in four key steps:
Step 1: Functional Hazard Assessment
The objective of the Functional Hazard Assessment (FHA) is to identify functions, failure conditions of functions (loss of function, malfunction, etc.), and their classification (catastrophic, hazardous, etc.) so that aircraft and system designs may be proposed and achieved, decreasing the probability of the occurrence of the failure conditions to acceptably lesser levels.
The FHA also includes aircraft and system level requirements that allow the objectives for failure probability to be achieved, including:
Design Constraints:
- Redundancy Considerations
- Specification & Annunciation of Failure Conditions
- Proposed Pilot and Crew Mitigation Action
- Recommended Maintenance Activity
FHA Output Data includes:
- Function List
- An FHA worksheet (table) showing the following:
  - Function Identification
  - Failure Conditions
  - Phase of Flight
  - Effect of the Failure Condition on the Aircraft, Flight Crew, and Occupants
  - Classification of the Failure Condition
  - Verification Method that the Probability Requirement is met
  - Reference to Supporting Material
- Derived Requirements for Lower-Level Systems
Step 2: Preliminary System Safety Assessment
The PSSA is a set of analyses normally performed during the system requirements and item requirements phases of the aircraft life cycle. The PSSA is where the proposed aircraft and system architectures are evaluated and defined; this provides the ability to derive system and item safety requirements. The input documents to the PSSA are the aircraft FHA, preliminary aircraft FTA, and the system FHAs. The documents produced during the PSSA are the updated aircraft and system FHAs, updated aircraft and systems FTAs, and the preliminary system Common Cause Analyses (CCAs).
The PSSA is a continuous and iterative process. The objective of the PSSA is to determine how the aircraft and system failures can lead to the hazards identified in the FHAs and to determine how the FHA requirements can be met.
Step 3: Software and Complex Hardware Review
Unlike physical hardware (where you can quantify the safety of an item by calculating its probability of failure over a specified period of time), software and complex hardware safety cannot be numerically measured, because the probability of a design error cannot be measured. So, rather than specifying probabilities of failure associated with design error according to the severity of the failure condition, a level of design assurance is assigned according to the severity of the failure condition that would result from the software or complex hardware failing to perform its intended function.
Step 4: Common Cause Analysis
The acceptance of adequate probability of failure conditions is often derived from the assessment of multiple systems based on the assumption that failures are independent. This independence might not exist in the practical sense, and specific studies are necessary to ensure that independence can either be assured or deemed acceptable. The CCA is concerned with events that could lead to a hazardous or catastrophic failure condition and is specifically designed to ensure that failures assumed to be independent are in fact independent.
The CCA is divided into three areas of study:
Zonal Safety Analysis (ZSA) – The objective of this analysis is to ensure that the equipment installations within each zone of the aircraft are at an adequate safety standard regarding design and installation, interference between systems, and maintenance errors.
Particular Risks Analysis (PRA) – Particular risks are those events or influences outside the systems of interest (for example, fire, leaking fluids, bird strike, HIRF, lightning, etc.). Each risk should be the subject of a specific study to examine and document the simultaneous or cascading effects (or influences) that might violate independence. The objective of the PRA is to ensure that the safety related effects are either eliminated or that the risk is acceptable.
Common Mode Analysis (CMA) – The CMA is performed to confirm the assumed independence of the events that were considered in combination for a given failure condition. Another way of saying this is that the CMA is performed to verify that combinatorial events in the FTA are truly independent in the actual implementation.
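To make the independence assumption behind the FTA (Step 2) and the CMA (Step 4) concrete, here is a small added example (not from ARP-4761A, this article, or ConsuNova) that evaluates a toy fault tree for a two-channel redundant function, first with the AND gate's independence assumption and then with an assumed common-cause contribution of the kind a CMA would look for; the failure rates, exposure time and beta-factor are constructed sample values, not figures from the standard.

```python
import math
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Basic:
    """A basic event with a constant failure rate (per flight hour)."""
    name: str
    rate: float      # failures per hour (constructed sample values below)
    exposure: float  # exposure time in hours, e.g. one flight

    def prob(self) -> float:
        return 1.0 - math.exp(-self.rate * self.exposure)


@dataclass
class Gate:
    """AND / OR gate. AND multiplies probabilities, i.e. it ASSUMES independence."""
    kind: str
    inputs: List[Union["Basic", "Gate"]]

    def prob(self) -> float:
        ps = [i.prob() for i in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)
        raise ValueError(f"unknown gate kind {self.kind!r}")


def redundant_pair(rate: float, exposure: float, beta: float):
    """Return (naive, with_common_cause) probabilities of losing both channels.

    beta is the assumed fraction of each channel's failure rate that is shared
    (beta-factor model, used here only to illustrate a common mode)."""
    naive = Gate("AND", [Basic("ch1", rate, exposure), Basic("ch2", rate, exposure)]).prob()
    independent = Gate("AND", [Basic("ch1_ind", (1 - beta) * rate, exposure),
                               Basic("ch2_ind", (1 - beta) * rate, exposure)])
    common = Basic("shared_cause", beta * rate, exposure)  # defeats both channels at once
    with_cc = Gate("OR", [independent, common]).prob()
    return naive, with_cc


if __name__ == "__main__":
    naive, with_cc = redundant_pair(rate=1e-4, exposure=10.0, beta=0.1)
    print(f"independent channels: {naive:.3e}  with common cause: {with_cc:.3e}  "
          f"ratio {with_cc / naive:.0f}x")
```

With these sample numbers the shared cause dominates the loss-of-both-channels probability by roughly two orders of magnitude, which is exactly the kind of gap between the FTA's arithmetic and the real implementation that the CMA exists to expose.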
The takeaway
Hopefully, this article made some of the more complex steps in aircraft system safety assessment clearer. The key thing to remember is that testing is meant to show acceptable levels of failure conditions, not to simply eliminate any chance of a failure occurring. If you’re looking for more details or want a copy of this article, download our full guide on Aircraft System Safety Assessment or contact us for more information on our training to learn more about how ConsuNova can help you ensure a safe flight for your avionics projects.