ARP4761A Introduction – Avionics Safety
Aviation Safety via ARP4761A is required for all avionics systems and this ARP4761A whitepaper provides the facts. ARP4761A’s FHA, PSSA, and SSA safety activities are summarized along with the continuous ARP4761 safety feedback required throughout avionics software and hardware development.
At 300+ pages, ARP4761 is rather more than a guideline for aircraft safety. ARP4761 is officially titled “Guidelines and Methods for Conducting The Safety Assessment Process on Civil Airborne Systems and Equipment”. In fact, ARP4761 is almost a tutorial on generalized safety and how to apply various theoretical analysis to assess ongoing development activities toward aircraft safety.
Clearly, ARP4761A lays the foundation for the most fundamental aspect of aircraft regulations: Safety. Clearly, viewing the avionics development ecosystem, ARP4761/A’s prominent place in the upper left conveys its importance:
The Safety Assessment process is a vital aspect of aviation safety, and for avionics, ARP4761 provides the foundation.
Literally every aspect of aviation undergoes safety assessment to better understand potential risks, quantify them, and then prevent, detect, or mitigate them, Experienced aviation persons are truthful when stating the safety assessment process is perhaps the most important element of avionics development. For avionics, the role of the safety assessment is to ensure the safety of the aircraft, its crew, and the occupants. Essentially, aircraft safety is optimized by performing careful analysis, architectural optimization, criticality level determination, component selection, architectural improvement, monitoring, and maintenance. Therefore only by having a thorough safety assessment process can we ensure we have an architecture with additional safety-related requirements which address safety aspects. The title of ARP4761 accurately justifies its importance within this fundamental process:
“Guidelines and Methods for Conducting the Safety assessment Process on Civil Airborne Systems & Equipment”
Clearly, ARP4761A is tightly coupled with ARP4754A and lays the foundation for the most fundamental aspect of aircraft regulations: Safety. Clearly, viewing the avionics development ecosystem, ARP4761A’s prominent place in the upper left conveys its importance; FAA certification and EASA certification now mandate ARP4754A plus a safety assessment, typically ARP4761:
As the ARP4761A-based safety assessment proceeds, the following documentation typically accompanies the various analyses:
- ✓ ARP4761A compliant Aircraft Functional Hazard Assessment (FHA)
- ✓ ARP4761A compliant Aircraft Fault Tree Analysis (FTAs)
- ✓ ARP4761A compliant System FHAs
- ✓ ARP4761A compliant System FTAs
- ✓ ARP4761A compliant System Failure Modes and Effects Analyses (FMEAs)
- ✓ ARP4761A compliant Item FTAs
- ✓ ARP4761A compliant Item FMEAs
ARP4761A: Top Down & Bottom Up:
A key to implementing ARP4761 properly is to remember the top-down versus bottom-up nature of ARP4761’s safety assessments as depicted in the following diagram (page 27 of AFuzion’s 240-page ARP4754A per ARP4761A training:
ARP4761 Common Cause Analysis
In ARP4761 and ARP4761A, common cause analysis is very important. The acceptance of adequate probability of failure conditions is often derived from the assessment of multiple systems based on the assumption that failures are independent. This independence might not exist in the practical sense, and specific studies are necessary to ensure that independence can either be assured or deemed acceptable. The ARP4761 common cause analysis yields additional safety requirements which then trace to implementation and tests, including DO-160 environmental tests. The SAE ARP4761 CCA is concerned with events that could lead to a hazardous or catastrophic failure condition. The CCA is divided into three areas of study:
- ✓ ARP4761 Zonal Safety Analysis (ZSA) — The objective of this analysis per ARP4761A is to ensure that the system and equipment installations within each zone of the aircraft are at an adequate safety standard regarding design and installation, interference between systems, and maintenance errors.
- ✓ ARP4761 Particular Risks Analysis (PRA) — Particular risks in ARP4761 and ARP4754A are those events or influences outside the systems of interest (for example, fire, leaking fluids, bird strike, HIRF, lightning, etc.). Each risk should be the subject of a specific study to examine and document the simultaneous or cascading effects (or influences) that might violate independence. The objective of the PRA per ARP4761 is to ensure that the safety related effects are either eliminated or that the risk is acceptable.
- ✓ ARP4761 Common Mode Analysis (CMA) — The CMA is performed to confirm the assumed independence of the events that were considered in combination for a given failure condition. Another way of saying this is that the CMA is performed to verify that combinatorial events in the FTA are truly independent in the actual implementation. ARP4761 mandates consideration of the effects of development, manufacturing, installation, maintenance and crew errors, and failures of system components that defeat the independence should be analyzed.
ARP4761A is rather more than a guideline for aircraft safety. ARP4761A (formally issued in 2018) is officially titled “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment”. In fact, ARP4761 is almost a tutorial on generalized safety and how to apply various theoretical analysis to assess ongoing development activities toward aircraft safety.
Clearly, ARP4761A is tightly coupled with ARP4754A and lays the foundation for the most fundamental aspect of aircraft regulations: Safety. Clearly, viewing the avionics development ecosystem, ARP4761A’s prominent place in the upper left conveys its importance, as depicted below from AFuzion’s ARP4754A Training with ARP4761A details:
The safety assessment should answer the following questions for the aircraft, then each system, as depicted below:
A key is remembering that the safety assessment process begins with an overall Functional Hazard Assessment, followed by a Preliminary Assessment; both of these are top-down. Then, during and after implementation, the final System Safety Assessment is performed inclusive of FMEA which is bottom-up. This process is depicted below (excerpted from AFuzion’s ARP4754A training class with ARP4761A Training):
The purpose then of the FHA is summarized in the figure below excerpted from AFuzion’s ARP4754A training (with ARP4761A training info):
For avionics, the set of regulations is helpfully focused; the avionics safety assessment process primarily utilizes the following relevant industry and government documents:
- SAE ARP4761/A – Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
- SAE ARP4754A – Guidelines for Development of Civil Aircraft and Systems
- FAA Advisory Circular AC23.1309-1E – Equipment, Systems, and Installations in Part 23 Airplanes
- FAA Advisory Circular AC25.1309-1A – System Design and Analysis
- FAA Advisory Circular AC27-1B – Certification of Normal Category Rotorcraft
- FAA Advisory Circular AC29-2C – Certification of Transport Category Rotorcraft
- RTCA DO-160 – Environmental Conditions and Test Procedures for Airborne Equipment
- RTCA DO-178C – Software Considerations in Airborne Systems and Equipment Certification
- RTCA DO-254 – Design Assurance Guidance for Airborne Electronic Hardware
If the information herein were on overall aviation safety, or even aircraft safety, the scope would expand greatly. But the purpose here is purely upon individual avionics systems. The safety assessment process utilizes experienced engineers (versed in the above documents and regulations) to proceed through a series of analyses pertaining to the system and aircraft. As the safety assessment proceeds, the following documentation typically accompanies the various analyses:
- Aircraft Functional Hazard Assessment (FHA) per ARP4754A / ARP4761A
- Preliminary Aircraft Safety Assessment (PASA) per ARP4754A / ARP4761A
- Aircraft Fault Tree Analyses (FTAs) per ARP4754A / ARP4761A
- Preliminary System Safety Assessment (PSSA) per ARP4754A / ARP4761A
- System FHAs per ARP4754A / ARP4761A
- System FTAs per ARP4754A / ARP4761A
- System Failure Modes and Effects Analyses (FMEAs) per ARP4754A / ARP4761A
- Item FTAs per ARP4754A / ARP4761A
- Item FMEAs per ARP4754A / ARP4761A
The world of ARP4761A “safety” has its own language and lexicon. Experienced safety engineers are well versed in this language, but you are probably not reading these words if you are an experienced avionics safety engineer. To begin, please ponder the following words and test yourself by verbalizing a 1-2 sentence definition for each word (answers follow, but please spend just a few minutes pondering these words yourself before looking at the answer. Note that most aircraft and system developers build or buy ARP4761A Safety planning document templates and checklists; AFuzion’s can be viewed here: https://afuzion.com/plans-checklists/ .
Remember, you didn’t learn to drive a car by simply reading the user manual: the real learning came when you practiced driving):
- Adverse Effect?
- Average probability per flight hour?
- Complex System?
- Design Assurance Level?
- Extremely remote failure condition?
- Extremely improbable failure condition?
- Failure condition?
- Functional hazard assessment?
- Primary Function?
- Primary System?
- Secondary System?
- Simple System?
The safety assessment should answer the following questions for the aircraft, then each system, as depicted below:
A key is remembering that the safety assessment process begins with an overall Functional Hazard Assessment, followed by a Preliminary Assessment; both of these are top-down. Then, during and after implementation, the final System Safety Assessment is performed inclusive of FMEA which is bottom-up. This process is depicted below (excerpted from AFuzion’s ARP4761A Training; details here: https://afuzion.com/private-training/arp-4761a-training-aviation-safety-training/ ):
Functional Hazard Assessment
The ARP4761A compliant functional hazard assessments (FHAs) are carried out at both the aircraft and system levels. The objective of the FHA is to identify failure conditions of aircraft and system functions (loss of function, malfunction, etc.), and their classification (catastrophic, hazardous, major, etc.) so that aircraft and system designs may be proposed and achieved which decrease the probability of the occurrence of the failure conditions to acceptably lesser levels. In avionics certifications, all parties recognize the importance of the ARP4761 FHA. The applicant is responsible for identifying each failure condition and choosing the methods for safety assessment. The applicant should then obtain early concurrence from the cognizant certificating authority on the identification of failure conditions, their classifications, and the choice of an acceptable means of compliance.
The purpose then of the ARP4761A FHA is summarized in the AFuzion figure below:
Key Purposes of ARP4761A Functional Hazard Assessments (FHA)
Functional hazard assessment (FHA);
(1) Before an applicant proceeds with a detailed safety assessment, an FHA of the airplane and system functions to determine the need for and the scope of subsequent analysis should be prepared. This assessment may be conducted using service experience, engineering and operational judgment, or service experience and a top-down deductive qualitative examination of each function. An FHA is a systematic, comprehensive examination of airplane and system functions to identify potential no safety effect, minor, major, hazardous, and catastrophic failure conditions that may arise, not only as a result of malfunctions or failure to function but also as a result of normal responses to unusual or abnormal external factors. The FHA concerns the operational vulnerabilities of systems rather than a detailed analysis of the actual implementation.
(2) Each system function should be examined regarding the other functions performed by the system because the loss or malfunction of all functions performed by the system may result in a more severe failure condition than the loss of a single function. In addition, each system function should be examined regarding functions performed by other airplane systems because the loss or malfunction of different but related functions, provided by separate systems, may affect the severity of failure conditions postulated for a particular system.
(3) The FHA is an engineering tool that should be performed early in the design and updated as necessary. It is used to define the high-level airplane or system safety objectives that should be considered in the proposed system architectures. Also, it should be used to assist in determining the DALs for the systems. Many systems may need only a simple review of the system design by the applicant to determine the hazard classification. An FHA requires experienced engineering judgment and early coordination between the applicant and the certification authority.
The FHA is much more than a lengthy derivation; the FHA also includes aircraft and system level requirements that allow the objectives for failure probability to be achieved including:
- Design constraints
- Redundancy considerations
- Specification & annunciation of failure conditions
- Proposed pilot and crew mitigation action
- Recommended maintenance activity
FHA output data includes:
- Function list
- An FHA worksheet (table) showing the following:
- function identification
- failure conditions
- phase of flight
- effect of the failure condition on the aircraft, flight crew, and occupants
- classification of the failure condition
- verification method that the probability requirement is met
- reference to supporting material
- Derived requirements for lower-level systems
The following figure shows classic Part-23 aircraft probabilities congruent to ARP4761:
ARP4761 Part-23 Aircraft Classifications
Preliminary Aircraft Safety Assessment (PASA) – New Assessment in 4761A
PASA is a systematic examination of a proposed aircraft architecture to determine how failures could cause the Failure Conditions identified by the Aircraft FHA. The PASA process begins during the initial aircraft architecture development phase. Therefore, early identification of aircraft level safety requirements like function development assurance level, independence and probabilistic budgets, etc. helps to reduce risks during system development process. The PASA is particularly important for evaluating aircraft level failure conditions when multiple systems involved in performing an aircraft function.
Preliminary System Safety Assessment (PSSA)
The PSSA is a set of analyses normally performed during the system requirements and item requirements phases of the aircraft life cycle. The PSSA is where the proposed system architectures are evaluated and defined; this provides the ability to derive system and item safety requirements. The input documents to the PSSA are the aircraft FHA, preliminary aircraft FTA, and the system FHAs. The documents produced during the PSSA are the updated aircraft and system FHAs, updated aircraft and systems FTAs, and the preliminary system Common Cause Analyses (CCAs).
The PSSA identifies derived system safety requirements like redundancy, partitioning, monitoring, dissimilarity, etc. The PSSA also identifies the necessary Development Assurance Levels for the system functions and items.
The PSSA is a continuous and iterative process conducted at multiple stages of system development. The objective of the PSSA is to determine how the aircraft and system failures can lead to the hazards identified in the FHAs and to determine how the FHA requirements can be met.
System Safety Assessment (SSA)
The SSA verifies that the implemented aircraft and system designs meet the requirements of the aircraft/system FHA and the PSSA. The SSA documentation generated during the SSA includes:
- List of failure conditions from the system FHA and safety requirements allocated to the SSA with FTAs
- Results of the qualitative assessments of each failure condition or safety requirement
- Any material used to validate the failure condition classifications
- Any material shows that assumptions used in the assessment to be valid like flight manual procedures, not-to-exceed intervals, etc.
- Documentation showing item installation requirements
- If necessary, revised maintenance manuals detailing new maintenance tasks aimed at reducing component exposure times
- If necessary, revised flight crew operating manuals detailing procedures to be followed in the event of certain failure conditions
- Information showing that the system and items were developed in accordance with assigned development assurance levels.
The following figure shows the ARP4761 FDAL versus IDAL delineation:
Figure: ARP4754A / ARP4761 FDAL versus IDAL Delineation
Aircraft Safety Assessment (ASA) – New Assessment in 4761A
Aircraft Safety Assessment is a systematic, comprehensive evaluation of the implemented aircraft to verify that the implemented aircraft design meets the safety requirements as defined in the PASA. The ASA determines that the requirements from the AFHA and PASA have been met. The ASA also demonstrates that aircraft architecture, the relationships between aircraft functions and systems are acceptable.
ASA is kind of final assessment that covers results and evidence of safety assessments performed during development process. The ASA basically covers;
- The list of Aircraft FHA Failure Condition with the evidence that they are satisfied
- Evidence that Safety Program Plan objectives have been achieved
- Evidence that aircraft architecture meets the qualitative and quantitative safety requirements
- Evidence that aircraft architecture meets the Development Assurance Level allocation requirements
- The status of open problem reports and their consequences on the aircraft
Note: ARP4761 and ARP4761A are complex topics, best handled via training. AFuzion’s AFP4761A training is available here: https://afuzion.com/private-training/arp-4761a-training-aviation-safety-training/
Fault Tree Analysis
Fault Tree Analysis (FTA) is a top-down analysis technique to determine what single failures or combinations of failures can exist at the lower levels that might cause each failure condition.
The primary purpose of an FTA is to determine the probability of occurrence of the top event — therefore, demonstrating compliance with a probability requirement specified in a higher level document (usually an FHA). Also, the FTA meets additional objectives:
- FTAs allow the evaluation of the proposed system architecture enabling the assignment of reliability budgets to systems and items
- FTAs identify the need for design modification:
- Added reliability of components redundancy
- Additional redundancy
- Additional monitoring
- Increased maintenance activity
The FTA Basic Events may get their failure rates from the FMEA.
Failure Modes and Effects Analysis
Failure Modes and Effects Analysis (FMEA) is a systematic, bottom-up analysis performed to identify the failure modes of a system, item, or function and determining the effect of the failure on the next higher level. FMEA’s can be done at the component, function, or LRU level. Generally, an FMEA deals with the individual and the combined effects of single failures.
As a minimum, an FMEA should include the following:
- Identification of the component or function
- Failure mode(s) of the component or function
- Failure rate for each failure mode
- Severity of failure effects
- Failure effect at the next higher level
- Means of detecting the failure
- Compensating actions (i.e., automatic or manual)
Functional Independence concerns using different functional requirements to implement an aircraft or system level function as explained in the following figure:
Figure: ARP4754A and ARP4761 Functional Independence
(for details of Item Independence, download the rest of this ARP4761A PDF whitepaper)
Safety Aspects of Software
Unlike hardware (where you can quantify the safety of an item by calculating its probability of failure over a specified period of time) software safety cannot be numerically measured.
So, rather than specifying probabilities of failure associated with software according to the severity of the failure condition — the intensity of the software documentation and verification is established according to the severity of the failure condition associated with the failure of the software to perform its intended function.
Software failure condition categories are similar to the hardware failure condition categories described earlier in this white paper. The following table is from DO-178.
Failure Condition Category
Software Development Assurance Level
|Catastrophic||Failure conditions that would prevent continued safe flight and landing||A|
|Failure Conditions that would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be:
1. a large reduction in safety margins or functional capabilities,
2. physical distress or higher workload such that the flight crew could not be relied upon to perform their tasks accurately or completely, or
3. adverse effects on occupants including serious injury or potential fatal injuries to a small number of occupants
|Major||Failure conditions that would reduce the capability of the aircraft or the capability of the crew to cope with adverse operating conditions to the extent that there would be, for example:
1. a significant reduction in safety margins or functional capabilities,
2. a significant increase in crew workload or in conditions impairing crew efficiency, or
3. discomfort to occupants, possibly including injuries
|Minor||Failure conditions that would not significantly reduce aircraft safety and that would involve crew actions that are well within their capabilities. For example:
1. A slight reduction in safety margins or functional capabilities
2. A slight increase in crew workload, such as routine flight plan changes, or
3. Some inconvenience to occupants
Common Cause Analysis
The acceptance of adequate probability of failure conditions is often derived from the assessment of multiple systems based on the assumption that failures are independent. This independence might not exist in the practical sense, and specific studies are necessary to ensure that independence can either be assured or deemed acceptable. The CCA is concerned with events that could lead to a hazardous or catastrophic failure condition. The CCA is divided into three areas of study:
- Zonal Safety Analysis (ZSA) — The objective of this analysis is to ensure that the system and equipment installations within each zone of the aircraft are at an adequate safety standard regarding design and installation, interference between systems, and maintenance errors.
- Particular Risks Analysis (PRA) — Particular risks are those events or influences outside the systems of interest (for example, fire, leaking fluids, bird strike, HIRF, lightning, etc.). Each risk should be the subject of a specific study to examine and document the simultaneous or cascading effects (or influences) that might violate independence. The objective of the PRA is to ensure that the safety related effects are either eliminated or that the risk is acceptable.
- Common Mode Analysis (CMA) — The CMA is performed to confirm the assumed independence of the events that were considered in combination for a given failure condition. Another way of saying this is that the CMA is performed to verify that combinatorial events in the FTA are truly independent in the actual implementation. The effects of development, manufacturing, installation, maintenance and crew errors, and failures of system components that defeat the independence should be analyzed.
For the remaining 16 pages of this AFuzion ARP4761A Technical Whitepaper, please download below.
Information Request Form
Please provide the following information to receive your full WhitePaper