Sofema Aviation Services (SAS) www.sassofia.com considers the development and evolution of Aircraft Certification Concepts and Techniques, concerning the EASA System Safety Analysis
Introduction
For several years aeroplane systems were evaluated against specific requirements, the “single fault” criterion, or the fail-safe design concept.
As later-generation aeroplanes developed, more safety-critical functions were required to be performed, which generally increased the complexity of the systems designed to perform these functions.
The potential hazards to the aeroplane and its occupants which could arise in the event of loss of one or more functions provided by a system or that system’s malfunction had to be considered, as also did the interaction between systems performing different functions.
- This has led to the general principle that an inverse relationship should exist between the probability of a failure condition and its effect on the aeroplane and/or its occupants
- In assessing the acceptability of a design it was recognised that rational probability values would have to be established.
- Historical evidence indicated that the probability of a serious accident due to operational and airframe-related causes was approximately one per million hours of flight.
- Furthermore, about 10% of the total was attributed to failure conditions caused by the aeroplane’s systems.
o It seems reasonable that serious accidents caused by systems should not be allowed a higher probability than this in new aeroplane designs.
o It is reasonable to expect that the probability of a serious accident from all such failure conditions should not be greater than one per ten million flight hours, or 1 × 10⁻⁷ per flight hour, for a newly designed aeroplane.
How to Evaluate the Success of Assigned Criteria
The difficulty with this is that it is not possible to say whether the target has been met until all the systems on the aeroplane are collectively analysed numerically.
- For this reason it was assumed, arbitrarily, that there are about one hundred potential failure conditions in an aeroplane, which could be Catastrophic.
- The target allowable average probability per flight hour of 1 × 10⁻⁷ was thus apportioned equally among these failure conditions, resulting in an allocation of not greater than 1 × 10⁻⁹ to each.
- The upper limit for the average probability per flight hour for catastrophic failure conditions would therefore be 1 × 10⁻⁹, which establishes an approximate probability value for the term ‘extremely improbable’. Failure conditions having less severe effects could be relatively more likely to occur.
Fail-Safe Design Concept
The CS-25 airworthiness standards are based on, and incorporate, the objectives and principles or techniques of the fail-safe design concept, which considers the effects of failures and combinations of failures in defining a safe design.
The following basic objectives about failures apply:
- In any system or subsystem, the failure of any single element, component, or connection during any one flight should be assumed, regardless of its probability. Such single failures should not be catastrophic.
- Subsequent failures of related systems during the same flight, whether detected or latent, and combinations thereof, should also be considered.
- The fail-safe design concept uses the following design principles or techniques to ensure a safe design.
- The use of only one of these principles or techniques is seldom adequate.
o A combination of two or more is usually needed to provide a fail-safe design; i.e. to ensure that major failure conditions are remote, hazardous failure conditions are extremely remote, and catastrophic failure conditions are extremely improbable:
- Designed Integrity and Quality, including Life Limits, to ensure intended function and prevent failures.
- Redundancy or Backup Systems to enable continued function after any single (or other defined number of) failure(s); e.g., two or more engines, hydraulic systems, flight control systems, etc.
- Isolation and/or Segregation of Systems, Components, and Elements so that the failure of one does not cause the failure of another.
- Proven Reliability so that multiple, independent failures are unlikely to occur during the same flight.
- Failure Warning or Indication to provide detection.
- Flight crew Procedures specifying corrective action for use after failure detection.
- Checkability: the capability to check a component’s condition.
- Designed Failure Effect Limits, including the capability to sustain damage, to limit the safety impact or effects of a failure.
- Designed Failure Path to control and direct the effects of a failure in a way that limits its safety impact.
- Margins or Factors of Safety to allow for any undefined or unforeseeable adverse conditions.
- Error-Tolerance that considers adverse effects of foreseeable errors during the aeroplane’s design, test, manufacture, operation, and maintenance.
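As an added example (not code from the Sofema page or from EASA material), the apportionment described under “How to Evaluate the Success of Assigned Criteria” and the multiple-independent-failures check behind the redundancy, proven-reliability and checkability principles above, modelled in Python. The Channel class, the sample failure rates and the combination formula are assumptions: the formula is a simplified conservative approximation, not the AMC 25.1309 method itself.

```python
# Added example: apportionment of the 1e-7 per flight hour budget and a
# dual-failure check against the resulting "extremely improbable" allocation.
from dataclasses import dataclass

ACCIDENT_BUDGET_PER_FH = 1e-7          # one serious accident per ten million flight hours (from the text)
ASSUMED_CATASTROPHIC_CONDITIONS = 100  # arbitrary assumption quoted in the text


def apportion_catastrophic_budget(budget: float = ACCIDENT_BUDGET_PER_FH,
                                  conditions: int = ASSUMED_CATASTROPHIC_CONDITIONS) -> float:
    """Equal share of the per-flight-hour budget for each catastrophic failure condition."""
    return budget / conditions         # 1e-7 / 100 -> 1e-9 ("extremely improbable")


@dataclass
class Channel:
    """Assumed model of one redundant channel (e.g. one hydraulic system)."""
    name: str
    failure_rate_per_fh: float         # constant failure rate, failures per flight hour
    latent: bool = False               # True if the failure is not annunciated to the crew
    check_interval_fh: float = 0.0     # maintenance check interval exposing a latent failure


def dual_failure_probability_per_fh(a: Channel, b: Channel, flight_hours: float) -> float:
    """Approximate average probability per flight hour that both channels are failed
    during the same flight.  Assumptions: independent constant failure rates and a
    conservative exposure equal to the longest fault-exposure time (the flight
    duration for a detected failure, the check interval for a latent one)."""
    exposure = flight_hours
    for ch in (a, b):
        if ch.latent:
            exposure = max(exposure, ch.check_interval_fh)
    return a.failure_rate_per_fh * b.failure_rate_per_fh * exposure


def meets_extremely_improbable(prob_per_fh: float) -> bool:
    """True if the condition stays within its apportioned 1e-9 per flight hour share."""
    return prob_per_fh <= apportion_catastrophic_budget()


if __name__ == "__main__":
    # Constructed sample rates: the same channel with and without failure annunciation.
    primary = Channel("hydraulic A", 1e-5)
    monitored = Channel("hydraulic B (failure annunciated)", 1e-5)
    latent = Channel("hydraulic B (latent, 500 FH check)", 1e-5, latent=True, check_interval_fh=500)
    for backup in (monitored, latent):
        p = dual_failure_probability_per_fh(primary, backup, flight_hours=5)
        verdict = "acceptable" if meets_extremely_improbable(p) else "NOT acceptable"
        print(f"{backup.name}: {p:.1e} per FH -> {verdict}")
```

Running it shows the same two channels passing the allocation when both failures are annunciated and failing it when one is latent, which is the point of the Checkability and Failure Warning principles.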
Development of Aeroplane and System Functions
A concern arose regarding the efficiency and coverage of the techniques used for assessing safety aspects of aeroplane and systems functions implemented through the use of electronic technology and software-based techniques.
- The concern is that design and analysis techniques traditionally applied to deterministic risks or to conventional, non-complex systems may not provide adequate safety coverage for these aeroplane and system functions.
- Thus, other assurance techniques are applied, such as:
o Development assurance utilising a combination of integral processes (e.g. process assurance, configuration management, requirement validation and implementation verification), or
o Structured analysis, or
o Assessment techniques applied at the aeroplane level and across integrated or interacting systems.
- The systematic use of these techniques increases confidence that development errors and integration or interaction effects have been adequately identified and corrected.
Notes on the above developments
- Alongside the revisions made to CS 25.1309, new approaches, both qualitative and quantitative, are introduced which may be used to help determine safety requirements and establish compliance with them, reflecting the revisions in the rule and considering the whole aeroplane and its systems.
- The guidance also covers when, or if, particular analyses or development assurance actions should be conducted within the development and safety assessment processes.
- Numerical values are assigned to the probabilistic terms included in the requirements for use in those cases where the impact of system failures is examined by quantitative methods of analysis.
- The analytical tools used in determining numerical values are intended to supplement, but not replace, qualitative methods based on engineering and operational judgement.
Next Steps
Sofema Aviation Services (www.sassofia.com) offers training to cover CS 25 System Safety Assessments
For additional questions or comments – please email team@sassofia.com