SAE ARP 4761 Process Barry Hendrix Workshop AM Presentation
Posted on 18-Apr-2018

Page 1: SAE ARP 4761 Process - APT Research, Inc. | Safety …apt-research.com/news/2014-01-15_Safety… · PPT file · Web view · 2015-05-12Rewrite is to bring in line to dovetail with

SAE ARP 4761 Process
Barry Hendrix
Workshop AM Presentation

Page 2

» Title: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. First promulgated in 1996. Currently SAE ARP 4761A is undergoing re-write under SAE S-18 (Safety Committee headed by John Dalton – Boeing).

The rewrite is to bring it in line to dovetail with the prerequisite SAE ARP 4754A update, promulgated in 2010 from the 1996 version.

SAE ARP 4761 Process

Page 3

» So SAE ARP 4761 and SAE ARP 4754 go hand in hand and use a functional approach to safety.

» Both ARPs focus on complex aircraft systems development and safety assessments leading to certification. Three basic work products come from ~10 tasks:

Functional Hazard Assessments (FHA)
Preliminary System Safety Assessments (PSSA)
System Safety Assessments (SSA)
Other supporting analyses, such as FTAs, FMECAs, Zonals

The focus is on determining top-level events, functional failure conditions, root causes of faults, and contributing causal factors before hazards are identified.


Page 4

» Suitable for airborne systems only. On modern and complex safety-critical systems, hazard-based methods/approaches alone can’t meet FAR/JAR 25.1309.

» FHA, PSSA and SSAs can be endless living documents.

» Civil/Commercial methods in the ARPs require:

Hazard and Risk Based Approach
Criteria Based Approach
Requirements Based Approach
Functional Based Approach
Safety Verification Based Approach
Airworthiness Based Approach

Safety requirements must be met for certification with no exceptions (FAA).


Page 5

» The convention of the current SAE ARP 4754A and the ARP 4761A process (in rewrite) is based on Catastrophic, Hazardous, Major and Minor failure conditions and the corresponding Design Assurance Levels (DAL) for software/systems.

» The convention also dovetails well with the DO-178B/C software design assurance objectives for levels A, B, C and D as objective evidence of compliance.


Page 6

» SAE ARP 4754A introduced DALs, which are either Item DALs (IDALs) or Functional DALs (FDALs).

» IDALs relate to systems, HW equipment and items.

» FDALs set priorities for the level of rigor and the special safety tests relating to software and to safety-critical functions implemented in software/systems.

» The aircraft and/or system FHA safety-criticality is the up-front focus for future analysis and assessment.


Page 7

» The central theme of the ARPs is failure conditions leading to hazards, referred to as Loss of, or Hazardously Misleading Information of, a specific function causing the hazard.

» Examples of Loss of and Hazardously Misleading events:

Loss of: Loss of airspeed, loss of thrust, loss of electrical power, loss of hydraulics, loss of stability augmentation, loss of flight control.

Hazardously Misleading Information: Unannunciated erroneous airspeed, attitude, altitude, engine displays or flight displays; false indications; wrong commands or cues.


Page 8

» Some areas authorized by SAE ARP 4761 that have proven to be essential: Common Cause Analysis, consisting of

» Zonal Safety Analysis
» Particular Risk Analysis
» Common Mode Analysis

» Failure Modes Effects Testing (FMETs), Fault Insertion Testing (FIT) and Failure Immunity Testing (FIT) dovetail well with, and are mutually enhancing with, the ARP functional approach.


Page 9

» Fault Tree Analyses, Event Trees, quantitative methods and software safety analyses (typically IEEE STD 1228 Software Safety) are often used as part of the ARP process for safety-critical inputs to FHAs, PSSAs and SSAs.

» The systems engineering process from INCOSE is used with the commercial standards.

» Residual risk is not part of the ARP process, as requirements must be met with few exceptions.


Page 10

» SAE ARP 4761, SAE ARP 4754, IEEE STD 1228 and DO-178B/C, as collective Civil/Commercial best practices, require more system safety analysis and assessment involvement to influence airborne systems requiring airworthiness certification to get into certain airspace:

Safety-critical functions and requirements allocation (required for continued safe flight and landing under all required conditions and environments)

Safety is viewed as a vital “functional” attribute of a system

Risk mitigation strategies, such as architectural redundancy, comprehensive monitoring, software semi-autonomous control, engineered safety features

Design Assurance Levels (DALs) correspond to failure conditions/hazard severity

Safety verification methods, such as Failure Modes Effects Testing, Failure Immunity Testing, Software Functional Testing, Requirements Based Testing and other methods, to ensure overall design assurance, safety, airworthiness and technical integrity

Summary of ARPs

Page 11

[Flow chart: Top-Level System Safety Process. Lanes: System Safety Engineering IAW ARP 4761; Software Safety IAW IEEE STD 1228; IEEE 12207/DO-178B Software Design Assurance. Boxes: SSPP per “882”; FHA; PSSA; SSA; Determine Impact of S/W Design; Define Initial System Safety Design Requirements; Determine severity of failure conditions on the A/C or aircrew; Determine S/W Levels A/B/C/D/E; Allocate S/W functions to appropriate CSCIs, CSCs, CSUs; Analyze System Hazards; Refine Hazard Mitigations and Identify Derived Safety Reqmts; Ensure Compliance with Safety-Critical Requirements; Perform Test Safety Analysis & Develop S-C Test Requirements (FMETs/FTs/CWAs); Determine S/W Safety Involvement; Determine S/W Level; Define S/W Safety Critical Requirements; Determine S/W Safety Hazard Mitigations; Define S/W Safety Verification Requirements; Conduct S/W Safety Analyses per 1228; Software Requirements and Definition; Software Design (PDR, CDR); Software Coding and Unit Testing; Integration Testing/Qualification Testing; SIL Testing, Ground Testing, Flight Testing. Artifacts: Integration Specs & SRSs; TDOCs.]

Page 12

Strengths and Weaknesses of Each Process
Barry Hendrix
Workshop PM Presentation

Page 13

» ANSI – Strengths: Flexible for commercial, less complex systems (non-military, non-space). Easily tailored, limited Gov’t involvement, ideal for products to reduce hazard risk. Ideal for start-up system safety.

Weakness: Since ANSI 010 was developed by G-48 as a de-militarized version of MIL-882, it is unknown whether many or any industries or companies are actually aware of its existence and, if so, are using it.

Strengths and Weaknesses of Each Process

Page 14

» MIL-STD-882E: Strength is that it is now more comprehensive than before, with FHA and better software safety guidance. Still suitable for the majority of complex DoD military ground and shipboard systems where there are no alternative methods.

Weakness: NOT ideally suited (alone) for aircraft and airborne systems with software-intensive systems requiring airworthiness and system certification and FAA compliance, considering that the SAE ARPs integrate aircraft systems and safety (many ARPs for all airborne systems).


Page 15

» The SAE ARPs are ideally geared to safety analysis and assessment methods for commercial and complex military aircraft platforms requiring airworthiness certification and entry into FAA-controlled airspace. Most military aircraft can easily adapt to ARP methods blended with MIL-STD-882.

» Weakness: The ARPs are “Aerospace” oriented only and are not structured to be suitable for ground or shipboard systems, but something similar could be developed with more emphasis on the functional approach (FHA) and software and system certifications.


Page 16

» The following matrix chart shows the basics of the most popular system safety methods used by DoD, NASA and FAA.

» Excluded is IEC 61508, the functional approach to safety most widely used worldwide by the auto industry, the oil and gas industry, the chemical industries and nuclear power. Many consider it the best safety standard of all. This is debatable, of course.

Required HUMOR…NO! Auburn just lost to FL State 34-31…this presentation is finished!

Contrast and Compare

Page 17

US DOD MIL-STD-882 Hazard Severity Levels & HRI | UK MOD DEF-STAN 00-56 (SIL/SIR) to Influence SW Rigor | AC/AMJ 25.1309, SAE ARP 4761/4754 | DO-178B/C SW Levels | Standard Model Software Criticality (Level of Rigor)
--- | --- | --- | --- | ---
I Catastrophic | SIL 4 | I Catastrophic | A (66 Objectives) | Safety Critical (High LOR)
II Critical | SIL 3 | II Hazardous | B (65 Objectives) | Safety Significant (Med LOR)
III Marginal | SIL 2 | III Major | C (~45 Objectives) | Safety Related
IV Negligible | SIL 1 | IV Minor | D | I
 | | | E | 
