SAE ARP 4761 Process
Barry Hendrix, Workshop AM Presentation
2
» Title: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. First promulgated in 1996. Currently SAE ARP 4761A is undergoing a rewrite under SAE S-18 (Safety Committee headed by John Dalton – Boeing).
» The rewrite is to bring it in line to dovetail with the prerequisite SAE ARP 4754A update, promulgated in 2010 from the 1996 version.
SAE ARP 4761 Process
3
» So SAE ARP 4761 and SAE ARP 4754 go hand in hand and use a functional approach to safety.
» Both ARPs focus on complex aircraft systems development and safety assessments leading to certification. Three basic work products from ~10 tasks:
Functional Hazard Assessments (FHA)
Preliminary System Safety Assessments (PSSA)
System Safety Assessments (SSA)
Other supporting analyses, such as FTAs, FMECAs, Zonals
Focus is on determining top-level events, functional failure conditions, root causes of faults, and contributing causal factors before hazards are identified.
SAE ARP 4761 Process
4
» Suitable for airborne systems only. On modern and complex safety-critical systems, hazard-based methods/approaches alone can't meet FAR/JAR 25.1309.
» FHA, PSSA, SSAs can be endless living documents.
» Civil/Commercial methods in the ARPs require:
Hazard and Risk Based Approach
Criteria Based Approach
Requirements Based Approach
Functional Based Approach
Safety Verification Based Approach
Airworthiness Based Approach
Safety Requirements must be met for Cert with no exceptions (FAA)
SAE ARP 4761 Process
5
» The SAE ARP 4754A (current) and ARP 4761A (in rewrite) process convention is based on Catastrophic, Hazardous, Major and Minor Failure Conditions and corresponding Design Assurance Levels (DAL) for Software/Systems.
» The convention also dovetails well with DO-178B/C Software Design Assurance Objectives A, B, C, D as Objective Evidence of Compliance.
SAE ARP 4761 Process
6
» SAE ARP 4754A introduced DALs, which are either Item DALs (IDALs) or Functional DALs (FDALs).
» IDALs relate to Systems, HW Equipment, Items.
» FDALs set priorities for the level of rigor and special safety tests; they relate to software and safety-critical Functions implemented in software/systems.
» Aircraft and/or System FHA safety-criticality is the up-front focus for future analysis and assessment.
SAE ARP 4761 Process
7
» The central theme of the ARPs is failure conditions leading to hazards, referred to as: Loss of, or Hazardously Misleading Information of, a specific function causing the hazard.
» Examples of Loss of and Hazardously Misleading Events:
Loss of: Airspeed, Thrust, Electrical power, Hydraulics, Stability augmentation, Flight control
Hazardously Misleading Information: Unannunciated erroneous (Airspeed, Attitude, Altitude, Engine Displays, Flight Displays), False Indications or wrong commands or cues.
SAE ARP 4761 Process
8
» Some areas authorized by SAE ARP 4761 that have proven to be essential:
» Common Cause Analysis
» Zonal Safety Analysis
» Particular Risk Analysis
» Common Mode Analysis
» Failure Modes Effects Testing (FMETs), Fault Insertion Testing (FIT) and Failure Immunity Testing (FIT) dovetail well and are mutually enhancing with the ARP functional approach.
SAE ARP 4761 Process
9
» Fault Tree Analyses, Event Trees, quantitative methods and software safety analyses (typically IEEE STD 1228 Software Safety) are often used as part of the ARP process for safety-critical inputs to FHAs, PSSAs and SSAs.
» The systems engineering process from INCOSE is used with the commercial standards.
» Residual risk is not part of the ARP process, as requirements must be met with few exceptions.
SAE ARP 4761 Process
10
» SAE ARP 4761, SAE ARP 4754, IEEE STD 1228 and DO-178B/C, the collective Civil/Commercial Best Practices, require more system safety analysis and assessment involvement to influence airborne systems requiring airworthiness certification to get into certain airspace:
Safety-Critical Functions and Requirements allocation (required for continued safe flight and landing under all required conditions and environments)
Safety is viewed as a vital "functional" attribute of a system
Risk mitigation strategies, such as architectural redundancy, comprehensive monitoring, software semi-autonomous control, engineered safety features
Design Assurance Levels (DALs) correspond to Failure Conditions/Hazard Severity
Safety Verification methods, such as Failure Modes Effects Testing, Failure Immunity Testing, Software Functional Testing, Requirements Based Testing and other methods, to ensure overall design assurance, safety, airworthiness and technical integrity.
Summary of ARPs
11
[Figure: Top-Level System Safety Process flowchart, three swimlanes with process boxes.
System Safety Engineering IAW ARP 4761: SSPP per "882"; FHA; PSSA; SSA; Define Initial System Safety Design Requirements; Determine severity of failure conditions on the A/C or aircrew; Analyze System Hazards; Refine Hazard Mitigations and Identify Derived Safety Reqmts; Ensure Compliance with Safety-Critical Requirements; Perform Test Safety Analysis & Develop S-C Test Requirements (FMETs/FTs/CWAs).
Software Safety IAW IEEE STD 1228: Determine Impact of S/W Design; Determine S/W Safety Involvement; Determine S/W Level(s) A/B/C/D/E; Allocate S/W functions to appropriate CSCIs, CSCs, CSUs; Define S/W Safety Critical Requirements; Determine S/W Safety Hazard Mitigations; Define S/W Safety Verification Requirements; Conduct S/W Safety Analyses per 1228.
IEEE 12207/DO-178B Software Design Assurance: Software Requirements and Definition (SRSs); Software Design (PDR, CDR); Software Coding and Unit Testing; Integration Specs & TDOCs; Integration Testing/Qualification Testing; SIL Testing, Ground Testing, Flight Testing.]
Strengths and Weaknesses of Each Process
Barry Hendrix, Workshop PM Presentation
13
» ANSI – Strengths: Flexible for commercial, less complex systems (non-military, non-space). Easily tailored, limited Gov't involvement, ideal for products to reduce hazard risk. Ideal for start-up system safety.
Weakness: Since ANSI 010 was developed by G-48 as a de-militarized version of MIL-882, it is unknown if many or any industries or companies are actually aware of its existence and, if so, are using it.
Strengths and Weaknesses of Each Process
14
» MIL-STD-882E: Strength is that it is now more comprehensive than before: FHA and better software safety guidance. Still suitable for the majority of complex DoD military ground and shipboard systems where there are no alternative methods.
Weakness: it is NOT ideally suited (alone) for aircraft and airborne systems with software-intensive systems requiring airworthiness and system certification and FAA compliance, considering that the SAE ARPs integrate aircraft systems and safety (many ARPs for all airborne systems).
Strengths and Weaknesses of Each Process
15
» SAE ARPs are ideally geared to safety analysis and assessment methods for commercial and complex military aircraft platforms requiring airworthiness certification and entry into FAA-controlled airspace. Most military aircraft can easily adapt to ARP methods blended with MIL-STD-882.
» Weakness: ARPs are "Aerospace" oriented only and not structured to be suitable for ground or shipboard systems, but something similar could be developed with more emphasis on the functional approach (FHA) and software and system certifications.
Strengths and Weaknesses of Each Process
16
» The following matrix chart shows the basics of the most popular system safety methods used by DoD, NASA and FAA.
» Excluded is IEC 61508, the functional approach to safety most widely used worldwide by the auto industry, oil and gas industry, chemical industries and Nuclear Power. Many consider it the best safety standard of all. This is debatable, of course.
Required HUMOR…NO! Auburn just lost to FL State 34-31…this presentation is finished!
Contrast and Compare
17
Standard Model                                   | Software Criticality (Level of Rigor)
-------------------------------------------------------------------------------------------------------------------------------------------------------
US DoD MIL-STD-882 Hazard Severity Levels & HRI | UK MoD DEF-STAN 00-56 (SIL/SIR) to Influence SW Rigor | AC/AMJ 25.1309, SAE ARP 4761/4754 | DO-178B/C SW Levels | Software Criticality
I   Catastrophic                                 | SIL 4                                                 | I   Catastrophic                   | A (66 Objectives)   | Safety Critical (High LOR)
II  Critical                                     | SIL 3                                                 | II  Hazardous                      | B (65 Objectives)   | Safety Significant (Med LOR)
III Marginal                                     | SIL 2                                                 | III Major                          | C (~45 Objectives)  | Safety Related
IV  Negligible                                   | SIL 1                                                 | IV  Minor                          | D                   |
                                                 |                                                       |                                    | E                   |
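The quantitative fault tree analysis mentioned under supporting analyses (slide 9), the Common Cause / Common Mode Analysis called essential on slide 8, and the failure-condition-to-DO-178 level mapping in the matrix above can be tied together in one small worked example. The following Python is an added example, not code from the presentation or from any SAE/RTCA standard. It computes the minimal cut sets of a fault tree, evaluates the top-event probability with the rare-event approximation, maps the FHA severity to a software level using only the matrix rows shown above, and then shows what a shared common-cause event does to a redundant pair. The tree, the event names and the per-flight-hour failure rates are constructed for illustration; the label "No Safety Effect" for Level E is an assumption since the matrix leaves that row unlabeled.

```python
"""Minimal-cut-set fault tree evaluation with a common-cause check.

Added example (not from the presentation). Failure rates are constructed
per-flight-hour values chosen for illustration only.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    prob: float  # probability of failure per flight hour (constructed)


@dataclass(frozen=True)
class Gate:
    kind: str       # "AND" or "OR"
    inputs: Tuple   # child nodes (BasicEvent or Gate)


Node = Union[BasicEvent, Gate]
CutSet = FrozenSet[str]


def minimize(sets: List[CutSet]) -> List[CutSet]:
    """Drop any cut set that is a strict superset of another (keep minimal ones)."""
    unique = set(sets)
    return sorted(
        (s for s in unique if not any(o < s for o in unique)),
        key=lambda s: (len(s), sorted(s)),
    )


def cut_sets(node: Node) -> List[CutSet]:
    """Minimal cut sets of the tree rooted at node.

    A cut set is a set of basic events whose joint failure causes the top event.
    OR gates union their children's cut sets; AND gates combine one cut set
    from each child (cartesian product). A basic event that appears under both
    sides of an AND gate therefore collapses into its own order-1 cut set,
    which is exactly the common-mode effect a Common Cause Analysis looks for.
    """
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif node.kind == "AND":
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimize(combined)


def basic_events(node: Node) -> Dict[str, float]:
    """Map every basic event name in the tree to its probability."""
    if isinstance(node, BasicEvent):
        return {node.name: node.prob}
    out: Dict[str, float] = {}
    for child in node.inputs:
        out.update(basic_events(child))
    return out


def cut_set_probability(cs: CutSet, probs: Dict[str, float]) -> float:
    p = 1.0
    for name in cs:
        p *= probs[name]
    return p


def top_event_probability(node: Node) -> float:
    """Rare-event approximation: sum of the minimal cut set probabilities."""
    probs = basic_events(node)
    return sum(cut_set_probability(cs, probs) for cs in cut_sets(node))


def common_cause_share(node: Node, event: str) -> float:
    """Fraction of the top-event probability carried by cut sets containing `event`."""
    probs = basic_events(node)
    total = top_event_probability(node)
    share = sum(cut_set_probability(cs, probs) for cs in cut_sets(node) if event in cs)
    return share / total if total else 0.0


# Failure condition -> DO-178 level, taken from the matrix rows above.
DAL_BY_FAILURE_CONDITION = {
    "Catastrophic": "A",
    "Hazardous": "B",
    "Major": "C",
    "Minor": "D",
    "No Safety Effect": "E",  # assumed label; the matrix shows Level E without text
}


def software_level(failure_condition: str) -> str:
    return DAL_BY_FAILURE_CONDITION[failure_condition]


# Constructed example: loss of electrical power from a dual-generator system.
GEN1 = BasicEvent("gen1_hw_fail", 1e-4)
GEN2 = BasicEvent("gen2_hw_fail", 1e-4)
ICING = BasicEvent("shared_icing_trip", 1e-6)  # one cause that trips both generators


def independent_tree() -> Gate:
    """Both generators must fail; the two failures are assumed independent."""
    return Gate("AND", (GEN1, GEN2))


def common_cause_tree() -> Gate:
    """Same redundancy, but a shared icing event can take either generator out."""
    return Gate("AND", (Gate("OR", (GEN1, ICING)), Gate("OR", (GEN2, ICING))))


if __name__ == "__main__":
    for label, tree in (("independent", independent_tree()), ("common cause", common_cause_tree())):
        print(f"{label:13s} cut sets={[sorted(cs) for cs in cut_sets(tree)]} "
              f"P(top)={top_event_probability(tree):.3e}")
    print("Loss of electrical power classed Catastrophic ->", software_level("Catastrophic"))
```

Run stand-alone, the independent tree gives a top-event probability of 1e-8 per flight hour from two 1e-4 generators, while adding a single 1e-6 shared cause under both branches raises it to about 1.01e-6, with the common-cause cut set carrying roughly 99% of the total. That is the practical reason the ARP process pairs architectural redundancy claims with Common Cause, Common Mode and Zonal analyses: an AND gate only buys the product of its inputs when the inputs really are independent.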