ARP4761

ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, is an Aerospace Recommended Practice from SAE International. In conjunction with ARP4754, ARP4761 is used to demonstrate compliance with 14 CFR 25.1309 in the U.S. Federal Aviation Administration (FAA) airworthiness regulations for transport category aircraft, and with harmonized international airworthiness regulations such as European Union Aviation Safety Agency (EASA) CS-25.1309.

This Recommended Practice defines a process for using common modeling techniques to assess the safety of a system under development. The first 30 pages of the document cover that process. The next 140 pages give an overview of the modeling techniques and how they should be applied. The last 160 pages give an example of the process in action. Some of the methods covered:

* Functional Hazard Assessment (FHA)
* Preliminary System Safety Assessment (PSSA)
* System Safety Assessment (SSA)
* Fault Tree Analysis (FTA)
* Failure Mode and Effects Analysis (FMEA)
* Failure Modes and Effects Summary (FMES)
* Common Cause Analysis (CCA), consisting of:
** Zonal Safety Analysis (ZSA)
** Particular Risks Analysis (PRA)
** Common Mode Analysis (CMA)


Safety life cycle

The general flow of the safety life cycle under ARP4761 is:

# Perform the aircraft level FHA in parallel with development of aircraft level requirements.
# Perform the system level FHA in parallel with allocation of aircraft functions to system functions, and initiate the CCA.
# Perform the PSSA in parallel with system architecture development, and update the CCA.
# Iterate the CCA and PSSA as the system is allocated into hardware and software components.
# Perform the SSA in parallel with system implementation, and complete the CCA.
# Feed the results into the certification process.

The functional safety process is focused on identifying functional failure conditions leading to hazards. Functional Hazard Analyses / Assessments are central to determining hazards. FHA is performed early in aircraft design, first as an Aircraft Functional Hazard Analysis (AFHA) and then as a System Functional Hazard Analysis (SFHA). Using qualitative assessment, aircraft functions and subsequently aircraft system functions are systematically analyzed for failure conditions, and each failure condition is assigned a hazard classification. Hazard classifications are closely related to Development Assurance Levels (DALs) and are aligned between ARP4761 and related aviation safety documents such as ARP4754A, 14 CFR 25.1309, and the Radio Technical Commission for Aeronautics (RTCA) standards DO-254 and DO-178B.

FHA results are normally shown in spreadsheet form, with columns identifying function, failure condition, phase of flight, effect, hazard classification, DAL, means of detection, aircrew response, and related information. Each hazard is assigned a unique identifier that is tracked throughout the entire safety life cycle. One approach is to identify systems by their ATA system codes and the corresponding hazards by derivative identifiers. For example, the thrust reverser system could be identified by its ATA code 78-30; untimely deployment of the thrust reverser would be a hazard, which could be assigned an identifier derived from ATA code 78-30. FHA results are coordinated with the system design process as aircraft functions are allocated to aircraft systems.

The FHA also feeds into the PSSA, which is prepared while the system architecture is developed. The PSSA may contain qualitative FTA, which can be used to identify systems requiring redundancy so that catastrophic events do not result from a single failure (or from a dual failure where one of the failures is latent). A fault tree is prepared for each SFHA hazard rated hazardous or catastrophic; fault trees may also be prepared for major hazards if warranted. DALs and specific safety design requirements are imposed on the subsystems. The safety design requirements are captured and traced; they may include preventive or mitigation strategies selected for particular subsystems. The PSSA and CCA generate separation requirements to identify and eliminate common mode failures. Subsystem failure rate budgets are assigned so that hazard probability limits can be met.

The CCA consists of three separate types of analysis, designed to uncover hazards not created by a specific subsystem component failure. The CCA may be many separate documents, one CCA document, or sections in the SSA document. The Particular Risk Analysis (PRA) looks for external events which can create a hazard, such as a birdstrike or an engine turbine burst. The Zonal Safety Analysis (ZSA) looks at each compartment of the aircraft for hazards that can affect every component in that compartment, such as loss of cooling air or a bursting fluid line. The Common Mode Analysis (CMA) examines the redundant critical components to find failure modes which can cause all of them to fail at about the same time. Software is always included in this analysis, as are manufacturing errors and "bad lot" components; a failure such as a bad resistor fitted in all flight control computers would be addressed here. Mitigations for CMA findings are often components developed under the DO-254 or DO-178B processes.

The SSA includes quantitative FMEA, which is summarized into the FMES. Normally the FMES probabilities are used in quantitative FTA to demonstrate that the hazard probability limits are in fact met. Cut set analysis of the fault trees demonstrates that no single failure condition will result in a hazardous or catastrophic event. The SSA may include the results of all safety analyses in one document or may be many documents. FTA is only one method for performing the SSA; other methods include dependence diagrams (also known as reliability block diagrams) and Markov analysis. The PSSA and CCA often result in recommendations or design requirements to improve the system. The SSA summarizes the residual risks remaining in the system and should show that all hazards meet the 25.1309 probability objectives. The ARP4761 analyses also feed into Crew Alerting System (CAS) message selection and the development of critical maintenance tasks under ATA MSG-3.
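The quantitative step described above (FMES failure rates feeding a fault tree, minimal cut sets checked for single failures and for dual failures with a latent member, and the top-event probability compared with the 25.1309 objective for the hazard classification) as an added Python example. This is not code from the page or from SAE. The thrust reverser fault trees, their failure rates, the 500-hour inspection interval for the latent lock and the hazard identifier 78-30-01 are constructed for illustration, and the numerical limits are the values commonly quoted from FAA AC 25.1309 guidance (1e-9, 1e-7 and 1e-5 per flight hour), which are assumed here because the page does not give them.

```python
"""Fault-tree evaluation in the ARP4761 SSA style: minimal cut sets,
single-failure and latent-dual checks, and a top-event probability
compared with the 1309 limit for the hazard classification."""
from dataclasses import dataclass
from itertools import product

# Per-flight-hour probability objectives as commonly quoted from AC 25.1309
# guidance. Assumed values; the page itself does not state the figures.
LIMITS = {"catastrophic": 1e-9, "hazardous": 1e-7, "major": 1e-5}


@dataclass(frozen=True)
class BasicEvent:
    """One FMES failure mode. exposure_h is 1 for a failure detected within
    the flight and the inspection interval for a latent one, so
    rate * exposure_h is a (conservative) probability that the failure is
    present during a given flight hour."""
    name: str
    rate: float            # failures per flight hour, from the FMES
    exposure_h: float = 1.0

    @property
    def latent(self) -> bool:
        return self.exposure_h > 1.0

    @property
    def prob(self) -> float:
        return self.rate * self.exposure_h


@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    inputs: tuple  # children: BasicEvent or Gate


def minimal_cut_sets(node):
    """Return the minimal cut sets of a tree as a list of frozensets."""
    if isinstance(node, BasicEvent):
        return [frozenset([node])]
    child_sets = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        candidates = [s for cs in child_sets for s in cs]
    elif node.kind == "AND":
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    minimal = []  # drop any candidate that contains a smaller cut set
    for s in sorted(set(candidates), key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


def cut_set_probability(cut_set) -> float:
    p = 1.0
    for event in cut_set:
        p *= event.prob
    return p


def assess(hazard_id: str, classification: str, tree) -> dict:
    """Evaluate one FHA hazard against its fault tree and 1309 limit."""
    cut_sets = minimal_cut_sets(tree)
    # Rare-event approximation: top-event probability is the sum over cut sets.
    probability = sum(cut_set_probability(cs) for cs in cut_sets)
    limit = LIMITS[classification]
    findings = []
    if classification in ("hazardous", "catastrophic") and any(len(cs) == 1 for cs in cut_sets):
        findings.append("single failure leads to the top event")
    if classification == "catastrophic" and any(
            len(cs) == 2 and any(e.latent for e in cs) for cs in cut_sets):
        findings.append("dual failure with a latent member leads to the top event")
    if probability > limit:
        findings.append(f"probability {probability:.2e}/fh exceeds limit {limit:.0e}/fh")
    return {
        "hazard_id": hazard_id,
        "cut_sets": [sorted(e.name for e in cs) for cs in cut_sets],
        "probability": probability,
        "limit": limit,
        "findings": findings,
        "acceptable": not findings,
    }


# Constructed example: untimely thrust reverser deployment, hypothetical
# hazard ID 78-30-01 derived from ATA code 78-30. Rates are illustrative.
SPURIOUS_CMD = BasicEvent("spurious deploy command", 1e-5)
PRIMARY_LOCK = BasicEvent("primary lock fails to hold", 1e-5)
VALVE_JAM = BasicEvent("directional valve jams to deploy", 1e-6)
SYNC_LOCK = BasicEvent("sync lock fails to hold", 1e-5)
TERTIARY_LOCK = BasicEvent("tertiary lock fails to hold", 1e-6, exposure_h=500)  # latent

# Architecture A: the primary lock is released by the same hydraulic pressure
# that drives deployment, so a jammed valve alone deploys the reverser.
TREE_A = Gate("OR", (Gate("AND", (SPURIOUS_CMD, PRIMARY_LOCK)), VALVE_JAM))
# Architecture B: a monitored sync lock and a latent tertiary lock, both
# independent of the deploy pressure, must fail as well.
TREE_B = Gate("AND", (Gate("OR", (SPURIOUS_CMD, VALVE_JAM)), SYNC_LOCK, TERTIARY_LOCK))

if __name__ == "__main__":
    for label, tree in (("A", TREE_A), ("B", TREE_B)):
        report = assess("78-30-01", "catastrophic", tree)
        print(label, report["acceptable"], f'{report["probability"]:.2e}', report["findings"])
```

Architecture A fails on the single-point cut set (the jammed valve) before its probability is even considered; architecture B has only order-3 cut sets and a top-event probability well under 1e-9 per flight hour. A tree in which the tertiary lock alone backs up the deploy-pressure leg would be caught by the latent-dual check, which is the case the PSSA text above is warning about.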


Future changes

In 2004, SAE Standard Committee S-18 began working on Revision A to ARP4761. When it is released, EUROCAE plans to jointly issue the document as ED-135.


See also

* ARP4754
* DO-254
* DO-178B
* Safety engineering
* Avionics

