20131209 cisec-history of-safety_process_for_cisec

History of safety process and Safety Assessments in aeronautics
CISEC presentation, 9th of December 2013
Author: JP Heckmann

Description

This conference describes the evolutions and main steps in the history of the safety process and safety assessment as applied in the aeronautical field. It starts with the sixties and the Concorde regulation (TSS standards), describes the main steps taken in the seventies, the eighties, the nineties and the years 2000/2010, when the issue of the SAE/EUROCAE recommended practices ARP4754/ED79 (Guidelines for development of civil aircraft and systems), ARP4761/ED135 (Safety assessment process guidelines and methods) and ARP 5150/EDxx (Safety assessment of aircraft in commercial service) formalized the safety process. It ends with considerations on the tendencies for the future.

Transcript of 20131209 cisec-history of-safety_process_for_cisec

Page 1

History of safety process and Safety Assessments in aeronautics

CISEC presentation

Author: JP Heckmann

Page 2

History of safety process in aeronautics

Before the sixties

The sixties

The seventies

The eighties

The nineties

The years 2000 to 2013

The future

Page 3

Safety assessments: Before the sixties

For a number of years, up to the sixties, the safety approach for granting a type certificate for an approved design was centered on demonstrating compliance with qualitative prescriptive specifications.

Airplane systems were evaluated against specific prescriptive requirements, against the "single fault" criterion*, or against the fail-safe* design concept.

There were differences between the applicable regulations of the Aeronautical Authorities of different countries (e.g. DGAC in France, CAA in England and FAA in the USA)**.

* Single fault criterion or fail-safe design concept: no single fault/failure should lead to Catastrophic repercussions.
** DGAC: Direction Générale de l'Aviation Civile. CAA: Civil Aviation Authority. FAA: Federal Aviation Administration.

Page 4

The sixties - Concorde regulation (1)

Concorde project (starting 1962)

New technology: new materials, fly-by-wire, new engines, wide use of computers (mostly analog and some digital)

New functions: engine regulation, CG management, fly-by-wire with mechanical back-up

Extended flight envelope (supersonic)

Center of gravity control using fuel transfer

New Failure Conditions and changes in severity classification compared with previous generation aircraft (e.g. DC9, Caravelle)

New design and production process in cooperation (French/English partnership)

Page 5

The sixties - Concorde regulation (2)

Concorde project: the certification regulation.

The existing regulations, mainly prescriptive and based mainly on the BCAR (UK CAA) and FAR (US Federal Aviation Administration) regulations, were recognized as not fully adapted.

Development of a new, "performance based" safety approach, standardized in a new regulation applicable to the Concorde program (TSS standards):

Standardization of occurrence probability classes (Frequent, Remote, Extremely Remote, Extremely Improbable)

Standardization of safety severity classification (Catastrophic, Hazardous, Major, Minor)

Standardization of the acceptable relations between safety severity classes and occurrence probability classes (safety objectives to meet)

Request to perform safety assessments for each aircraft system

In addition to engineering judgment and qualitative assessments, system safety assessments were requested to incorporate a probabilistic assessment to evaluate the aircraft and Failure Condition safety performances.

Page 6

The sixties - Concorde regulation

[Figure: "Farmer curve", occurrence probability against severity of consequences, with the acceptable risk and non-acceptable risk regions separated by the curve]

Inverse relationship between the occurrence probability of a Failure Condition and the severity of its effect on the airplane and/or its occupants: "Farmer curve".

Acceptance criteria

Risk assessments and results acceptance need the definition of:
- a scale of severity of consequences,
- a scale of occurrence probabilities,
- an acceptance criterion between "severity of consequences" and "occurrence probabilities".

Page 7

The sixties: Failure Condition severity classification

Severity class and effect description:

CATASTROPHIC
Failure Condition which would result in multiple fatalities, usually with the loss of the aeroplane.

HAZARDOUS
Failure Condition which would reduce the capability of the aeroplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be:
- a large reduction in safety margins or functional capabilities; or
- physical distress or excessive workload such that the flight crew cannot be relied upon to perform their tasks accurately and completely; or
- serious or fatal injuries to a relatively small number of occupants other than flight crew.

MAJOR
Failure Condition which would reduce the capability of the aeroplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example:
- a significant reduction in safety margins or functional capabilities; or
- a significant increase in crew workload or in conditions impairing crew efficiency; or
- discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries.

MINOR
Failure Condition which would not significantly reduce aeroplane safety and which involves crew actions that are well within their capabilities. Minor Failure Conditions may include, for example:
- a slight reduction in safety margins or functional capabilities; or
- a slight increase in crew workload, such as routine flight plan changes; or
- some physical discomfort to passengers or cabin crew.

NO SAFETY EFFECT
Failure Condition that would have no effect on safety; for example, a Failure Condition that would not affect the operational capability of the aeroplane or increase the crew workload.

Page 8

THE SIXTIES: QUALITATIVE PROBABILITY SCALE

QUALITATIVE PROBABILITY TERMS DEFINITION

Classes, from the most to the least likely: FREQUENT, PROBABLE, REMOTE, EXTREMELY REMOTE, EXTREMELY IMPROBABLE.

PROBABLE: Situation anticipated to occur one or more times during the entire operational life of each airplane.

REMOTE: Situation unlikely to occur to each airplane during its total life, but which may occur several times when considering the total operational life of a number of airplanes of the type.

EXTREMELY REMOTE: Situation not anticipated to occur to each airplane during its total life, but which may occur a few times when considering the total operational life of all airplanes of the type.

EXTREMELY IMPROBABLE: Situation so unlikely that it is not anticipated to occur during the entire operational life of all airplanes of one type.

Page 9

THE SIXTIES: ORIGIN OF QUANTITATIVE OBJECTIVES FOR CATASTROPHIC FAILURE CONDITIONS

Aircraft level safety objective

Historical evidence indicated that the probability of a serious accident due to operational and airframe-related causes was approximately one per million hours of flight, or 1 x 10^-6 per flight hour.

Furthermore, about 10 percent of the total were attributed to Failure Conditions caused by the aeroplane's systems. It seemed reasonable that serious accidents caused by systems should not be allowed a higher probability than this in new aeroplane designs.

From the evidence above, it was reasonable to expect that the probability of a serious accident from all such Failure Conditions be not greater than one per ten million flight hours, or 1 x 10^-7 per flight hour, for a newly designed aeroplane.

The difficulty with such a global objective is that it is not possible to say whether the target has been met until all the systems on the aeroplane are collectively analysed numerically.

Page 10

THE SIXTIES: ORIGIN OF QUANTITATIVE OBJECTIVES FOR CATASTROPHIC FAILURE CONDITIONS

To be usable during the design process, the global aircraft level objective of 1 x 10^-7 per flight hour should be apportioned at function failure level (Failure Condition level).

Based on previous aircraft designs, around seventy Catastrophic Failure Conditions were identified. It was assumed arbitrarily that there would be no more than one hundred significant (quantitatively speaking) Failure Conditions in an airplane which could be Catastrophic.

Using an equal-repartition rule, the global airplane target (allowable average occurrence probability per flight hour of 1 x 10^-7) was thus apportioned equally among these Failure Conditions, resulting in an allocation of not greater than 1 x 10^-9 per flight hour to each.

The upper limit for the average occurrence probability per flight hour for each Catastrophic Failure Condition was set to 1 x 10^-9 per flight hour, which establishes the upper probability value for the term "Extremely Improbable".

Failure Conditions having less severe effects could be relatively more likely to occur.

The upper limit for the sum of the average occurrence probabilities of the Catastrophic Failure Conditions remains 1 x 10^-7 per flight hour.

Page 11

The sixties: Relation between qualitative and quantitative probability scales

Qualitative probability class, quantitative probability class (per flight hour, /HdV) and definition:

FREQUENT: > 10^-3 /HdV.

PROBABLE: 10^-3 to 10^-5 /HdV. Situation anticipated to occur one or more times during the entire operational life of each airplane.

REMOTE: 10^-5 to 10^-7 /HdV. Remote Failure Conditions are those unlikely to occur to each aeroplane during its total life, but which may occur several times when considering the total operational life of a number of aeroplanes of the type.

EXTREMELY REMOTE: 10^-7 to 10^-9 /HdV. Extremely Remote Failure Conditions are those not anticipated to occur to each aeroplane during its total life, but which may occur a few times when considering the total operational life of all aeroplanes of the type.

EXTREMELY IMPROBABLE: ≤ 10^-9 /HdV. Extremely Improbable Failure Conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all aeroplanes of one type.

Page 12

The sixties: Severity of Consequences and acceptable occurrence probabilities

[Figure: risk matrix, occurrence probability against severity of consequences (MINOR, MAJOR, HAZARDOUS, CATASTROPHIC), with the acceptable risk and unacceptable risk regions]

Severity of consequences, occurrence probability objective per Failure Condition (/HdV), and occurrence probability objective for the sum of the Failure Conditions of the class (/HdV):

MINOR: 10^-3 per Failure Condition; no objective for the sum.

MAJOR: 10^-5 per Failure Condition; no objective for the sum.

HAZARDOUS: 10^-7 per Failure Condition; 10^-5 for the sum.

CATASTROPHIC: 10^-9 per Failure Condition; 10^-7 for the sum; no single failure.
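As an added example (not part of the presentation), the acceptance criteria of pages 9 to 12 written as a small Python checker: the apportionment that yields 10^-9 per Catastrophic Failure Condition, the qualitative probability classes, the objectives per Failure Condition and the objectives on the sums. The thresholds are those of the slides; the Failure Condition list, its names and the `single_failure` flag are constructed assumptions.

```python
"""Added example: the Concorde-era acceptance criteria of pages 9 to 12 as a small
checker. Thresholds are the slides' own; the sample Failure Conditions are constructed."""
from dataclasses import dataclass

# Page 11: qualitative probability class and its upper bound per flight hour (/HdV).
PROBABILITY_CLASSES = [
    ("Extremely Improbable", 1e-9),
    ("Extremely Remote", 1e-7),
    ("Remote", 1e-5),
    ("Probable", 1e-3),
    ("Frequent", float("inf")),  # anything above 10^-3 per flight hour
]
# Page 12: objective per Failure Condition, by severity class (/HdV).
FC_OBJECTIVE = {"Minor": 1e-3, "Major": 1e-5, "Hazardous": 1e-7, "Catastrophic": 1e-9}
# Page 12: objective for the sum of all Failure Conditions of a class ("-" means none).
SUM_OBJECTIVE = {"Hazardous": 1e-5, "Catastrophic": 1e-7}


def apportion_catastrophic_objective(accident_rate=1e-6, systems_share=0.1, n_fc=100):
    """Page 10: historical serious-accident rate, share attributed to systems, apportioned
    equally over the assumed number of Catastrophic Failure Conditions.
    Returns (aircraft level objective, per Failure Condition objective)."""
    aircraft_objective = accident_rate * systems_share
    return aircraft_objective, aircraft_objective / n_fc


def probability_class(p_per_fh):
    """Page 11: map an average occurrence probability per flight hour to its class."""
    for name, upper in PROBABILITY_CLASSES:
        if p_per_fh <= upper:
            return name


@dataclass
class FailureCondition:
    name: str
    severity: str                 # Minor, Major, Hazardous or Catastrophic
    probability: float            # average occurrence probability per flight hour
    single_failure: bool = False  # constructed flag: one single failure alone causes it


def check_failure_condition(fc):
    """Per Failure Condition objective of page 12 plus the single fault criterion of
    page 3. Returns a list of findings; an empty list means the objective is met."""
    findings = []
    objective = FC_OBJECTIVE[fc.severity]
    if fc.probability > objective:
        findings.append(f"{fc.name}: {fc.probability:.1e}/FH ({probability_class(fc.probability)}) "
                        f"exceeds the {fc.severity} objective of {objective:.0e}/FH")
    if fc.severity == "Catastrophic" and fc.single_failure:
        findings.append(f"{fc.name}: a Catastrophic Failure Condition must not result from a single failure")
    return findings


def check_aircraft(fcs):
    """Per Failure Condition checks, then the sum objectives (judged only once all FCs are known)."""
    findings = [f for fc in fcs for f in check_failure_condition(fc)]
    for severity, limit in SUM_OBJECTIVE.items():
        total = sum(fc.probability for fc in fcs if fc.severity == severity)
        if total > limit:
            findings.append(f"sum of {severity} Failure Conditions {total:.2e}/FH exceeds {limit:.0e}/FH")
    return findings


# Constructed sample: 120 Catastrophic Failure Conditions, each within 10^-9, plus two
# Hazardous ones. Each passes alone, but their sum breaks the 10^-7 aircraft objective.
SAMPLE_FCS = [FailureCondition(f"CAT-{i:03d}", "Catastrophic", 9e-10) for i in range(120)]
SAMPLE_FCS += [FailureCondition("HAZ-001", "Hazardous", 5e-8),
               FailureCondition("HAZ-002", "Hazardous", 8e-8)]
```

`check_aircraft(SAMPLE_FCS)` returns only the aggregate finding, which is the difficulty page 9 describes: every Failure Condition meets its own objective, yet the aircraft level objective is missed.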

Page 13

The sixties and seventies: the first applications of the Concorde regulation

To apply the regulation to the Concorde program, the Franco-English consortium developed:

Safety methods for PSSA/SSA, with format and content

Computer aided safety assessment based on safety models of the systems (the beginning of what is called today "Model Based Safety Assessment")

A synthesis document to verify that the aircraft qualitative and quantitative requirements were met

In-service follow-up using a probabilistic approach to determine the rectification time when there was evidence that safety objectives were not met in service (development of the "Gun Stone" approach)

Concorde was certified by the French DGAC, the UK CAA and the US FAA.

In the sixties and seventies these principles were used for the certification of the first Airbus programs (A300, starting 1965, first flight 1972, and then the A310 and A300/600 programs).

It is also the time of the Boeing 737 and 747 certification using the FAA FAR 25 code.

The principles developed in the sixties for the Concorde aircraft program have been used since and remain the basis for the safety assessment and certification processes of civil transport aircraft, including modern aircraft like the A380, A350, Boeing 787, etc.

Page 14

The eighties and nineties: improvements in methods and processes (1)

It is the time of the Airbus A320 and ATR aircraft programs, with new complexities:

Full fly-by-wire for the A320; first "IMA like" implementation on ATR through the implementation of a "Multifunction Computer"

In parallel, the HERMES project (European space shuttle) started in the nineties, leading to improvements in methodologies by mixing the space safety approach and the aeronautical safety approach.

To control these increases in complexity, and to complete the Concorde methodology, Airbus performed Functional Hazard Assessments (FHA), Common Mode Analysis (CMA) and Human Factor Analysis (HFA). These methods were applied on the ATR aircraft programs, and a safety assessment management tool (SARA tool) was developed in Airbus to manage FHA and PSSA/SSA.

The control of the development process of aircraft and systems was reinforced, leading to improvements in the aircraft level approach (aircraft FHA and aircraft level safety synthesis), the Common Mode Analysis, the consideration of development errors (DAL concept) and the requirement capture and associated Validation/Verification activities.

It is also the time when the Aeronautical Authorities of the different European countries were integrated in the JAA organization (Joint Airworthiness Agency), when the JAR 25 regulation was issued and when discussions began between JAA and FAA for the harmonization of civil aviation regulation.

It is also the time of the certification of the Boeing 767 and 777.

Page 15

The eighties and nineties: improvements in methods and processes (2)

It is the time of the issue of DO178A/ED12A (1985) and DO178B/ED12B (1992) for software certification, and of the elaboration of DO254/ED80 (issued in year 2000): Design Assurance Guidance for Airborne Electronic Hardware certification.

It is the time of safety process and safety method standardization in SAE Aeronautical Recommended Practices (ARP) and EUROCAE European Directives (ED):

ARP4754/ED79 first issue ("Certification Considerations for Highly-Integrated or Complex Aircraft Systems") was issued in December 1996. In particular, ARP 4754/ED79 asked to consider errors during aircraft/system development in addition to failures: generalization of the concept of "Development Assurance Level" (DAL).

ARP 4761 ("Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment") was issued in November 1996.

Introduction, in the airworthiness monitoring regulation, of the "Gun Stone" method (JAR 39, currently AMC 21A.3B), allowing quantitative considerations for airworthiness monitoring decisions.

ARP5150 ("Safety Assessment of Transport Airplanes in Commercial Service") was started in the nineties and issued in November 2003.

ARP4754/ED79 was partially applied on the Airbus A330/A340 program (starting 1987) and fully applied on the Airbus A380 project (started in 1995).

Page 16

Safety assessments: The years 2000’s and 2010’s

ARP 4754 first issue application and safety process improvements

In September 2003 the JAA activities were transferred to EASA (European Aviation Safety Agency) and the JAR 25 regulation became the CS 25 regulation (Certification Specification for large aircraft).

The application of the ARP4754/ED79 first issue on the Airbus A380 program showed that:

The DAL assignment process recommended in ARP 4754 for the consideration of development errors was misleading

The requirement capture and Validation/Verification process needed to be developed

There were some inconsistencies in the DAL assignment process and DAL consideration between interrelated documents (mainly between ARP4754/ED79 and DO178B/ED12B)

There was a need for reinforcement of the development assurance activities at aircraft level and at system level

Page 17

Safety assessments: The years 2000 to 2013

ARP 4754 first issue application and safety process improvements

New issues of ARP 4754 (ARP4754A/ED79A) and DO178 (DO178C/ED12C) were started.

ARP 4754A/ED79A (Guidelines for development of civil aircraft systems) was issued at the end of 2010. The main improvements are:

Aircraft level safety plan and Aircraft Safety Assessment (preliminary: PASA, and final: ASA)

Safety case/safety synthesis

New DAL assignment process

Extended requirement capture and associated Validation/Verification process

Extended development assurance process

The application of ARP4754A/ED79A is recommended by the authorities. It is referenced in CS 25.1309 AMC and in EASA CRI F 22; its application is recommended by the FAA through AC 20-174.

New issue of DO178 (DO178C/ED12C) issued in 2012

New issue of ARP4761 (ARP4761A/ED135) in progress to assure coherency with the new issue ARP 4754A/ED79A. Issue planned for the beginning of 2015.

A new issue of ARP5150 may be necessary to assure coherency with the new issues of the other documents.

Page 18

Safety assessments: Regulation and Guidelines Documents

[Figure: document map, development phase then in-service operational phase, showing the flows "intended aircraft function", "system design information", "functional system" and "function, failure & safety information" between the development and safety assessment guidelines, and "operation" feeding the in-service assessment]

Development phase:
- Guidelines for development of Civil Aircraft and Systems (ARP 4754A / ED-79A)
- Safety Assessment Process Guidelines & Methods (ARP 4761 / ED-135)
- Software Development Life-Cycle (DO-178B / ED-12B)
- Hardware Development Life-Cycle (DO-254 / ED-80)
- Guidelines for Integrated Modular Avionics (DO-297 / ED-124)

In-service operational phase:
- Safety Assessment of Aircraft in Commercial Service (ARP 5150 / 5151)

REGULATION: EASA CS 25.1309 - FAA FAR 25.1309

ED = EUROCAE Document; DO = RTCA Document; ARP = SAE Aeronautical Recommended Practices; SAE = Society of Automotive Engineers; RTCA = Radio Technical Commission for Aeronautics; EASA = European Aviation Safety Agency; CS = EASA Certification Specification; FAA = Federal Aviation Administration; FAR = FAA Federal Aviation Regulation

Page 19

ARP 4754A - Aircraft and System Development Process Model: notion of aircraft level functions and "integral processes"

AIRCRAFT/SYSTEM DEVELOPMENT PROCESS (4.0): CONCEPT -> AIRCRAFT FUNCTION DEVELOPMENT (4.2) -> ALLOCATION OF AIRCRAFT FUNCTIONS TO SYSTEMS (4.3) -> DEVELOPMENT OF SYSTEM ARCHITECTURE (4.4) -> ALLOCATION OF SYSTEM REQUIREMENTS TO ITEMS (4.5) -> SYSTEM IMPLEMENTATION (4.6)

PLANNING (3.0)

INTEGRAL PROCESSES:
- 5.1 SAFETY ASSESSMENT
- 5.2 DEVELOPMENT ASSURANCE LEVEL ASSIGNMENT
- 5.3 REQUIREMENTS CAPTURE
- 5.4 REQUIREMENTS VALIDATION
- 5.5 IMPLEMENTATION VERIFICATION
- 5.6 CONFIGURATION MANAGEMENT
- 5.7 PROCESS ASSURANCE
- 5.8 CERTIFICATION & REGULATORY AUTHORITY COORDINATION

DATA & DOCUMENTATION

Each integral process should be structured by:
- A plan describing, in accordance with the development plan, the organization, the responsibilities, the tasks to perform, the management principles and the deliverables.
- Method documents describing how to perform the tasks identified in the plan and defining the deliverables' format and contents.
- Technical deliverables resulting from the application of the plan and method documents.

Page 20

Safety assessments: Future tendencies

The increase in system complexity will continue, as well as the integration between systems.

Functions are no longer performed by systems defined as an integration of components, but by systems that are integrations of systems: "systems of systems".

The design best practices recorded in ARP4754A will have to be applied strictly, particularly the requirement capture and the Validation/Verification integral processes.

Due to the increase in complexity, the assurance that all the system dysfunctional configurations have been considered during the design process and during safety studies may become illusory. In that case the application of requirements for independence, including dissimilarity, will have to be reinforced.

Safety assessments (PASA, PSSA, SSA, ASA, CMA) will become more difficult to perform without the help of Model Based Safety Assessment techniques (computer aided safety assessment based on system functional and dysfunctional models).

The development of Unmanned Aeronautical Vehicles (UAV) and Sub Orbital Airplanes (SOA), and their possible integration in normal aeronautical traffic management (ATM), will require reconsidering the regulation and more integration between aircraft systems and ATM systems safety assessments.

Page 21

End of the presentation