Search Results

The Safety Assessment Process, defined by SAE ARP4761 and associated regulatory guidance, is described in the context of conventional, crewed civil aircraft. While this material has been used for decades to evaluate airplanes and rotorcraft, the evolution of technology challenges it. As new entrants venture into aviation, they bring perspectives, which may not clearly align to those conventional concepts. For those skilled in the art of aviation safety assessment, the approach to new technologies might appear straight forward. Such an individual might easily perceive the accommodations for unconventional applications. Once accommodations are made, and failure conditions are established and classified to those new architectures, the rest of the process is somewhat mechanical -they flow out of these conditions. However, the context of their experience betrays the reality of the process description in the ARP and guidance.

Aerospace Recommended Practice (ARP) 4754 Revision A (ARP4754A), “Guidelines for Development of Civil Aircraft and Systems,” [1] is recognized through Advisory Circular (AC) 20-174 (AC 20-174) [2] as a way (but not the only way) to provide development assurance for aircraft and systems to minimize the possibility of development errors. ARP4754A and its companion, Aerospace Information Report (AIR) 6110, “Contiguous Aircraft/System Development Process Example,” [3] primarily describe development processes for an all new, complex and highly integrated aircraft without strong consideration for reused systems or simple systems. While ARP4754A section 5 mentions reuse, similarity, and complexity, and section 6 is intended to cover modification programs, the descriptions in these sections can be unclear and inconsistent. The majority of aircraft projects are not completely new Products nor are they entirely comprised of complex and highly integrated systems.

In the last several years, technical advances and regulatory pressures have motivated the need for flexible, simple, and performance-based solutions for conducting development assurance in support of a system safety assessment process. Additionally, the affected design space for commercial vehicles has been growing beyond the conventional regulations for airplanes, rotorcraft, engines, and propellers, addressed by current Aerospace Recommended Practices (ARPs). This space is beginning to include commercial technologies such as unmanned aerial systems, multi-stage spacecraft systems, and road-able aircraft. These developing areas are each accompanied with their own development assurance expectations in support of their safety criteria. Concurrently, the industry and regulators are working to simplify guidance for system safety and development assurance, which has been foundational in the aircraft industry for decades.

The unrestrained design space for unmanned aerial systems (UAS) presents challenges to accurate safety assessment and the assurance of development to appropriate levels of rigor within those systems. The established safety and development assurance standards and practices were developed for vehicles operating in highly controlled conditions with continuous oversight. The very nature of unmanned systems introduce new failure conditions, even in those systems operating within the strict rules of the National Airspace System (NAS), particularly failures of control and command, situational awareness, and control security. Beyond those, the new concepts of operation being conceived by UAS developers introduce their own new set of considerations with regards to operating in uncontrolled airspace, often in close proximity to bystanders. These new concepts require new technologies beyond those currently supported by the hardware and software development assurance processes.

Aerospace Recommended Practice (ARP) 4754 Revision A (ARP4754A), Guidelines for Development of Civil Aircraft and Systems [1], and ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment [2], together describe a complex set of intertwining processes which comprehensively prioritize development activities for a product's systems based on their safety criticality. These processes work at specific levels of detail (aircraft and system) and interact with a set of processes at lower levels of detail (item) defined by Radio Technical Commission for Aeronautics (RTCA) standards. The aircraft and system development process (ARP4754A) supplies functions, requirements, and architectural definitions to the System Safety process (ARP4761), which in turn supplies Development Assurance Levels back to the development process and on to the RTCA processes.

The Safety Assessment Process defined by SAE ARP4761 [1] and associated regulatory guidance and the system development process defined by SAE ARP4754 [2] are built on an understanding of the functions performed by a system or systems. SAE Technical Paper 2022-01-0008 [3] proposes a process to assist the system or product developer with identifying and describing functions at each level of abstraction used in describing the architecture. This paper walks through the process described in SAE Technical Paper 2022-01-0008, examining some of the issues and considerations encountered using this approach, and resulting in an example function list for a passenger aircraft. The example aircraft is typical except that an autonomous operating mode is included.

The Safety Assessment Process, defined by SAE ARP4761 and associated regulatory guidance and the system development process defined by SAE ARP4754 are built on an understanding of the functions performed by a system or systems. [1, 2] These recommended practices do not provide, or reference, specific guidance regarding function definition, though they do provide some conventional airplane examples. ASTM E2013-20 describes function identification principles for cost evaluations, but does not consider how functions are used in safety assessments.[3] Without a systematic process for establishing and describing functions for safety assessments, the application of the development and safety assessment processes can be complicated by inappropriate function selections. Such functions may be overly inclusive, applied at the wrong level of abstraction, or might not describe the intended behaviors adequately.

The safety of commercial aviation industry has come under extensive scrutiny and how the system safety process is applied. One specific system safety regulation concerns how unsafe system operating conditions are meeting regulatory requirements. Minimal regulatory guidance was available on this topic and an industry committee (American Society for Testing of Materials) decided to provide a consensus standard with input from a cross-section of airplane manufacturers, suppliers, and regulatory authorities on what is meant by an unsafe system operating condition and how compliance can be shown to the regulation(s). The committee determined that an unsafe system operating condition is when a failure condition severity increases (to hazardous or catastrophic) due to crewmember(s) inaction. For example, if a hazard has occurred it is possible the severity can increase to an unacceptable level as the crewmember(s) are not aware of the hazard.