SAE ARP 4761 Process


Barry Hendrix Workshop AM Presentation

SAE ARP 4761 Process

» Title: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment.

 First promulgated in 1996  Currently SAE ARP 4761 A undergoing re-write under SAE S-18 (Safety Committee Headed by John Dalton – Boeing)  Rewrite is to bring in line to dovetail with Prerequisite SAE ARP 47 54A Update Promulgated in 2010 from 1996 Version.

2

SAE ARP 4761 Process

» So SAE ARP 4761 and SAE ARP 4754 go hand in hand and use a functional approach to safety.

» Both ARPs focus on complex aircraft systems development and the safety assessments leading to certification. Three basic work products come out of ~10 tasks:

  - Functional Hazard Assessments (FHA)

  - Preliminary System Safety Assessments (PSSA)

  - System Safety Assessments (SSA)

  - Other supporting analyses, such as FTAs, FMECAs and Zonals

» The focus is on determining top-level events, functional failure conditions, root causes of faults, and contributing causal factors before hazards are identified.

SAE ARP 4761 Process

» Suitable for airborne systems only. On modern and complex safety-critical systems, hazard-based methods/approaches alone can't meet FAR/JAR 25.1309.

» FHA, PSSA and SSAs can be endless living documents.

» Civil/commercial methods in the ARPs require:
  - Hazard- and Risk-Based Approach
  - Criteria-Based Approach
  - Requirements-Based Approach
  - Functional-Based Approach
  - Safety Verification-Based Approach
  - Airworthiness-Based Approach
  - Safety requirements must be met for certification with no exceptions (FAA)

SAE ARP 4761 Process

» The convention of the current SAE ARP 4754A and of the ARP 4761A process (in rewrite) is based on Catastrophic, Hazardous, Major and Minor Failure Conditions and the corresponding Design Assurance Levels (DALs) for software/systems.

» The convention also dovetails well with the DO-178B/C Software Design Assurance Objectives for Levels A, B, C and D as objective evidence of compliance.

SAE ARP 4761 Process

» SAE ARP 4754A introduced DALs, which are either Item DALs (IDALs) or Functional DALs (FDALs).

» IDALs relate to systems, hardware equipment and items.

» FDALs set the priorities for level of rigor and special safety tests, and relate to software and to safety-critical functions implemented in software/systems.

» Aircraft and/or system FHA: safety-criticality is the up-front focus for future analysis and assessment.

SAE ARP 4761 Process

» The center theme of the ARPs is failure conditions leading to hazards, referred to as:
  - Loss of, or Hazardously Misleading Information from, a specific function, causing the hazard

» Examples of Loss-of and Hazardously Misleading events:
  - Loss of airspeed, loss of thrust, loss of electrical power, loss of hydraulics, loss of stability augmentation, loss of flight control
  - Hazardously Misleading Information: unannunciated erroneous airspeed, attitude, altitude, engine displays or flight displays; false indications; wrong commands or cues

SAE ARP 4761 Process

» Some areas authorized by SAE ARP 4761 that have proven to be essential:
  - Common Cause Analysis, made up of:
    » Zonal Safety Analysis
    » Particular Risk Analysis
    » Common Mode Analysis

» Failure Modes and Effects Testing (FMETs), Fault Insertion Testing (FIT) and Failure Immunity Testing (FIT) dovetail well with, and are mutually enhancing with, the ARP functional approach.

SAE ARP 4761 Process

» Fault Tree Analyses, Event Trees and quantitative methods, together with software safety analyses (typically IEEE STD 1228 Software Safety), are often used as part of the ARP process to provide safety-critical inputs to FHAs, PSSAs and SSAs.

» The systems engineering process from INCOSE is used with the commercial standards.

» Residual risk is not part of the ARP process, as requirements must be met with few exceptions.
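The quantitative fault-tree input to a PSSA/SSA mentioned above, as an added worked example that is not part of the presentation: a small AND/OR fault-tree quantifier that computes the top-event probability for independent basic events, extracts minimal cut sets, and flags order-1 cut sets (single points of failure, the kind of common-cause path a Common Mode Analysis looks for). The tree shape, event names and per-flight-hour probabilities are constructed for illustration; the probability budget the top event is compared against is an argument supplied by the caller, not a value taken from the slides or from any standard.

```python
"""Fault-tree quantification for a PSSA/SSA-style failure condition.

Added example, not material from the presentation. Gates are limited to
AND/OR over independent basic events; the per-flight-hour probabilities and
the tree below are constructed for illustration, and the budget that the
top event is compared against is supplied by the caller (an assumption).
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Union


@dataclass(frozen=True)
class Event:
    """Basic event: one independent failure with a per-flight-hour probability."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """Logic gate: kind is "AND" or "OR"; inputs are Events or other Gates."""
    kind: str
    inputs: tuple
    name: str = ""


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Exact probability of the node, assuming independent basic events.

    AND: all inputs fail -> product of P(input).
    OR : any input fails -> 1 - product of (1 - P(input)).
    """
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        survive = 1.0
        for p in ps:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal cut sets: smallest sets of basic events whose joint failure
    causes the node's event. A cut set of order 1 is a single point of failure."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [s for group in child for s in group]
    else:  # AND: union of one cut set drawn from each input
        sets = [frozenset().union(*combo) for combo in product(*child)]
    # keep only minimal sets: drop any set that strictly contains another
    minimal = {s for s in sets if not any(o < s for o in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def assess(top: Gate, budget_per_fh: float) -> dict:
    """Compare the top event with a caller-supplied probability budget and
    list the single-point cut sets a Common Mode Analysis would chase."""
    sets = cut_sets(top)
    p = probability(top)
    return {
        "top_event": top.name,
        "probability_per_fh": p,
        "meets_budget": p <= budget_per_fh,
        "single_point_failures": sorted(next(iter(s)) for s in sets if len(s) == 1),
        "cut_set_count": len(sets),
    }


def example_tree() -> Gate:
    """Constructed tree for 'Loss of hydraulic power': two redundant systems
    (each lost by a pump failure or a leak) plus a shared-reservoir rupture
    that defeats the redundancy, i.e. a common-cause path. All numbers are
    illustrative assumptions."""
    sys_a = Gate("OR", (Event("pump_A", 1e-4), Event("leak_A", 2e-5)), "Loss of system A")
    sys_b = Gate("OR", (Event("pump_B", 1e-4), Event("leak_B", 2e-5)), "Loss of system B")
    both = Gate("AND", (sys_a, sys_b), "Loss of both systems")
    return Gate("OR", (both, Event("shared_reservoir_rupture", 5e-8)), "Loss of hydraulic power")


if __name__ == "__main__":
    # Budget value chosen for illustration only (assumption, not from the slides).
    result = assess(example_tree(), budget_per_fh=1e-9)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The redundant pair on its own contributes roughly 1.4e-8 per flight hour, but the single shared-reservoir event dominates the top event and shows up as the only order-1 cut set; that is exactly the case where the functional redundancy looks adequate in the FHA yet the Common Mode Analysis, not the fault tree alone, determines whether the failure condition budget can be met.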

Summary of ARPs

» SAE ARP 4761, SAE ARP 4754, IEEE STD 1228 and DO-178B/C, collectively the civil/commercial best practices, require more system safety analysis and assessment involvement to influence airborne systems requiring airworthiness certification to get into certain airspace:
  - Safety-critical functions and requirements allocation (required for continued safe flight and landing under all required conditions and environments)
  - Safety is viewed as a vital "functional" attribute of a system
  - Risk mitigation strategies, such as architectural redundancy, comprehensive monitoring, software semi-autonomous control, and engineered safety features
  - Design Assurance Levels (DALs) correspond to failure conditions/hazard severity
  - Safety verification methods, such as Failure Modes and Effects Testing, Failure Immunity Testing, Software Functional Testing, Requirements-Based Testing and other methods, to ensure overall design assurance, safety, airworthiness and technical integrity

Top-Level System Safety Process

[Flowchart, recovered as text. Lifecycle phases across the top: Software Requirements and Definition, PDR, Software Design, CDR, Software Coding and Unit Testing, Integration Testing/Qualification Testing, SIL Testing, Ground Testing, Flight Testing. Products: Integration Specs & SRSs, TDOCs.]

IEEE 12207/DO-178B Software Design Assurance lane: Determine severity of failure conditions on the A/C or aircrew; Determine S/W Level (A/B/C/D/E); Allocate S/W functions to appropriate CSCIs, CSCs, CSUs; Determine impact of S/W design; Determine S/W safety involvement.

Software Safety IAW IEEE STD 1228 lane: Define S/W safety-critical requirements; Conduct S/W safety analyses per 1228; Determine S/W safety hazard mitigations; Define S/W safety verification requirements; Ensure compliance with safety-critical requirements.

System Safety Engineering IAW ARP 4761 lane: SSPP per "882"; FHA: define initial system safety design requirements; PSSA: analyze system hazards, refine hazard mitigations and identify derived safety requirements; Perform test safety analysis and develop safety-critical test requirements (FMETs/FTs/CWAs); SSA.

Strengths and Weaknesses of Each Process

Barry Hendrix Workshop PM Presentation

Strengths and Weaknesses of Each Process

» ANSI – Strengths: Flexible for commercial, less complex systems (non-military, non-space).
  - Easily tailored, limited Gov't involvement, ideal for products to reduce hazard risk
  - Ideal for start-up system safety

» Weakness: Since ANSI 010 was developed by G-48 as a demilitarized version of MIL-STD-882, it is unknown whether many (or any) industries or companies are actually aware of its existence and, if so, whether they are using it.

Strengths and Weaknesses of Each Process

» MIL-STD-882E:
  - Strength: now more comprehensive than before, with FHA and better software safety guidance. Still suitable for the majority of complex DoD military ground and shipboard systems where there are no alternative methods.
  - Weakness: NOT ideally suited (alone) for aircraft and airborne systems with software-intensive systems requiring airworthiness and system certification and FAA compliance, considering that the SAE ARPs integrate aircraft systems and safety (many ARPs for all airborne systems).

Strengths and Weaknesses of Each Process

» SAE ARPs are ideally geared to the safety analysis and assessment methods for commercial and complex military aircraft platforms requiring airworthiness certification and entry into FAA-controlled airspace. Most military aircraft can easily adapt to ARP methods blended with MIL-STD-882.

» Weakness: ARPs are "Aerospace"-oriented only and are not structured to suit ground or shipboard systems, but something similar could be developed with more emphasis on the functional approach (FHA) and on software and system certifications.

Contrast and Compare

» The following matrix chart shows the basics of the most popular system safety methods used by DoD, NASA and FAA.

» Excluded is IEC 61508, the functional approach to safety most widely used worldwide by the auto industry, the oil and gas industry, the chemical industries and nuclear power. Many consider it the best safety standard of all. This is debatable, of course. Required HUMOR…NO! Auburn just lost to FL State 34-31…this presentation is finished!

Matrix (reconstructed from the chart, one row per severity level; the Level of Rigor groupings follow the chart's column order):

| US DoD MIL-STD-882 Hazard Severity Levels & HRI | UK MOD DEF-STAN 00-56 (SIL/SIR) to influence SW rigor | AC/AMJ 25.1309, SAE ARP 4761/4754 | DO-178B/C SW Levels | Standard Model Software Criticality (Level of Rigor) |
| I Catastrophic | SIL 4 | I Catastrophic | A (66 Objectives) | Safety Critical (High LOR) |
| II Critical | SIL 3 | II Hazardous | B (65 Objectives) | Safety Critical (High LOR) |
| III Marginal | SIL 2 | III Major | C (~45 Objectives) | Safety Significant (Med LOR) |
| IV Negligible | SIL 1 | IV Minor | D | Safety Related |
| (none) | (none) | (none) | E | (none) |
