History of safety process and Safety Assessments
in aeronautics
CISEC presentation
Author: JP Heckmann
Presentation CISEC - JP Heckmann, 9th of December 2013
This conference aims at describing the evolutions and main steps in the history of the safety process and safety assessment as applied in the aeronautical field of activities. It starts with the sixties and the Concorde regulation (TSS standards), describes the main steps taken during the seventies, the eighties, the nineties and the years 2000/2010, when the issues of the SAE/EUROCAE recommended practices ARP4754/ED79 (Guidelines for development of civil aircraft and systems), ARP4761/ED135 (Safety assessment process guidelines and methods) and ARP 5150/EDxx (Safety assessment of aircraft in commercial service) formalized the safety process. It ends with considerations on the tendencies for the future.
Slide 1
History of safety process and Safety Assessments in aeronautics
CISEC presentation
Author: JP Heckmann
Presentation CISEC - JP Heckmann, 9th of December 2013

Slide 2
History of safety process in aeronautics
- Before the sixties
- The sixties
- The seventies
- The eighties
- The nineties
- The years 2000 to 2013
- The future

Slide 3
Safety assessments: Before the sixties
- For a number of years, up to the sixties, the safety approach for granting a type certificate for an approved design was centred on demonstrating satisfaction against qualitative prescriptive specifications.
- Airplane systems were evaluated to specific prescriptive requirements, to the "single fault"* criterion, or to the fail-safe* design concept.
- There were differences between the applicable regulations of the aeronautical authorities of different countries (e.g. DGAC in France, CAA in England and FAA in the USA)**
* Single fault criterion or fail-safe design concept: no single fault/failure should lead to Catastrophic repercussions.
** DGAC: Direction Générale de l'Aviation Civile; CAA: Civil Aviation Authority; FAA: Federal Aviation Administration.

Slide 4
The sixties - Concorde regulation (1)
Concorde project (starting 1962)
- New technology: new materials, fly by wire, new engines, wide use of computers (mostly analog and some digital)
- New functions: engine regulation, CG management, fly by wire with mechanical back-up
- Extended flight envelope (supersonic)
- Centre of gravity control using fuel transfer
- New Failure Conditions and change in severity classification compared with previous-generation aircraft (e.g. DC9, Caravelle)
- New design and production process in cooperation (French/English partnership)

Slide 5
The sixties - Concorde regulation (2)
Concorde project: the certification regulation.
- The existing regulation, mainly prescriptive and based mainly on the BCAR (UK CAA) and FAR (US Federal Aviation Administration) regulations, was recognized as not fully adapted.
- Development of a new, "performance based" safety approach, standardized in a new regulation applicable to the Concorde program (TSS standards):
  - Standardization of occurrence probability classes (Frequent, Remote, Extremely Remote, Extremely Improbable)
  - Standardization of safety severity classification (Catastrophic, Hazardous, Major, Minor)
  - Standardization of the acceptable relations between safety severity classes and occurrence probability classes (safety objectives to meet)
  - Request to perform safety assessments for each aircraft system
- In addition to engineering judgment and qualitative assessments, system safety assessments were requested to incorporate a probabilistic assessment to evaluate the aircraft and Failure Condition safety performance.

Slide 6
The sixties - Concorde regulation
Inverse relationship between the occurrence probability of a Failure Condition and the severity of its effect on the airplane and/or its occupants: "Farmer curve"
[Figure: Farmer curve. Occurrence probability (from 1 down to 0) plotted against severity of consequences; the acceptance criterion separates the non-acceptable risk region from the acceptable risk region.]
Risk assessments and acceptance of their results need the definition of:
- A scale of severity of consequences
- A scale of occurrence probabilities
- An acceptance criterion between "severity of consequences" and "occurrence probabilities"

Slide 7
The sixties: Failure Condition severity classification
Severity class: effect description
CATASTROPHIC: Failure Condition which would result in multiple fatalities, usually with the loss of the aeroplane.
HAZARDOUS: Failure Condition which would reduce the capability of the aeroplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be:
  - a large reduction in safety margins or functional capabilities; or
  - physical distress or excessive workload such that the flight crew cannot be relied upon to perform their tasks accurately and completely; or
  - serious or fatal injuries to a relatively small number of occupants other than flight crew.
MAJOR: Failure Condition which would reduce the capability of the aeroplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example:
  - a significant reduction in safety margin or functional capabilities; or
  - a significant increase in crew workload or in conditions impairing crew efficiency; or
  - discomfort to flight crew, or physical distress to passengers or cabin crew, possibly including injuries.
MINOR: Failure Condition which would not significantly reduce aeroplane safety and which involves crew actions that are well within their capabilities. Minor Failure Conditions may include, for example:
  - a slight reduction in safety margin or functional capabilities; or
  - a slight increase in crew workload such as routine flight plan changes; or
  - some physical discomfort to passengers or cabin crew.
NO SAFETY EFFECT: Failure Condition that would have no effect on safety; for example, a Failure Condition that would not affect the operational capability of the aeroplane or increase the crew workload.

Slide 8
THE SIXTIES: QUALITATIVE PROBABILITY SCALE
Qualitative probability term: definition
FREQUENT / PROBABLE: Situation anticipated to occur one or more times during the entire operational life of each airplane.
REMOTE: Situation unlikely to occur to each airplane during its total life, but which may occur several times when considering the total operational life of a number of airplanes of the type.
EXTREMELY REMOTE: Situation not anticipated to occur to each airplane during its total life, but which may occur a few times when considering the total operational life of all airplanes of the type.
EXTREMELY IMPROBABLE: Situation so unlikely that it is not anticipated to occur during the entire operational life of all airplanes of one type.

Slide 9
THE SIXTIES: ORIGIN OF QUANTITATIVE OBJECTIVES FOR CATASTROPHIC FAILURE CONDITIONS
Aircraft level safety objective
- Historical evidence indicated that the probability of a serious accident due to operational and airframe-related causes was approximately one per million hours of flight, or 1x10^-6 per flight hour.
- Furthermore, about 10 percent of the total were attributed to Failure Conditions caused by the aeroplane's systems. It seemed reasonable that serious accidents caused by systems should not be allowed a higher probability than this in new aeroplane designs.
- From the evidence above it was reasonable to expect that the probability of a serious accident from all such Failure Conditions be not greater than one per ten million flight hours, or 1x10^-7 per flight hour, for a newly designed aeroplane.
- The difficulty with such a global objective is that it is not possible to say whether the target has been met until all the systems on the aeroplane are collectively analysed numerically.

Slide 10
THE SIXTIES: ORIGIN OF QUANTITATIVE OBJECTIVES FOR CATASTROPHIC FAILURE CONDITIONS
- To be usable during the design process, the global aircraft level objective of 1x10^-7 per flight hour should be apportioned at function failure level (Failure Condition level).
- Based on previous aircraft designs, around seventy Catastrophic Failure Conditions were identified. It was assumed arbitrarily that there would be no more than one hundred significant (quantitatively speaking) Failure Conditions in an airplane which could be Catastrophic.
- Using an equal-repartition rule, the global airplane target (allowable average occurrence probability per flight hour of 1x10^-7) was thus apportioned equally among these Failure Conditions, resulting in an allocation of not greater than 1x10^-9 per flight hour to each.
- The upper limit for the average occurrence probability per flight hour for each Catastrophic Failure Condition was set to 1x10^-9 per flight hour, which establishes the upper probability value for the term "Extremely Improbable".
- Failure Conditions having less severe effects could be relatively more likely to occur.
- The upper limit for the sum of the average occurrence probabilities of the Catastrophic Failure Conditions remains 1x10^-7 per flight hour.

Slide 11
The sixties: relation between qualitative and quantitative probability scales
Qualitative probability class (quantitative probability class, per flight hour; HdV = heures de vol, flight hours): definition
FREQUENT (> 10^-3 / HdV) and PROBABLE (10^-3 to 10^-5 / HdV): Situation anticipated to occur one or more times during the entire operational life of each airplane.
REMOTE (10^-5 to 10^-7 / HdV): Remote Failure Conditions are those unlikely to occur to each aeroplane during its total life, but which may occur several times when considering the total operational life of a number of aeroplanes of the type.
EXTREMELY REMOTE (10^-7 to 10^-9 / HdV): Extremely Remote Failure Conditions are those not anticipated to occur to each aeroplane during its total life, but which may occur a few times when considering the total operational life of all aeroplanes of the type.
EXTREMELY IMPROBABLE (≤ 10^-9 / HdV): Extremely Improbable Failure Conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all aeroplanes of one type.

Slide 12
The sixties: OCCURRENCE PROBABILITY
Severity of consequences and acceptable occurrence probabilities
Severity of consequences: occurrence probability objective per Failure Condition (/HdV); occurrence probability objective for the sum of Failure Conditions (/HdV)
MINOR: 10^-3; no sum objective
MAJOR: 10^-5; no sum objective
HAZARDOUS: 10^-7; 10^-5
CATASTROPHIC: 10^-9; 10^-7, and no single failure
[Figure: chart of severity of consequences (MINOR, MAJOR, HAZARDOUS, CATASTROPHIC) against occurrence probability, with the unacceptable risk region above these objectives and the acceptable risk region below.]

Slide 13
The Sixties and Seventies: the first applications of the Concorde regulation
- To apply the regulation to the Concorde program, the Franco-English consortium developed:
  - Safety methods for PSSA/SSA with format and content
  - Computer-aided safety assessment based on safety models of the systems (the beginning of what is called today "Model Based Safety Assessment")
  - Synthesis documents to verify that aircraft qualitative and quantitative requirements were met
  - In-service follow-up using a probabilistic approach to determine the rectification time when there was evidence that safety objectives were not met in service (development of the "Gun Stone" approach)
- Concorde has been certified by the French DGAC, the UK CAA and the US FAA
- In the sixties and seventies these principles were used for the certification of the first Airbus programs (A300, started 1965, first flight 1972, and then the A310 and A300/600 programs)
- It is also the time of the Boeing 737 and 747 certification using the FAA FAR 25 code
- The principles developed in the sixties for the Concorde aircraft program have been used since and remain the basis of the safety assessment and certification processes for civil transport aircraft, including modern aircraft like the A380, A350, Boeing 787, etc.

Slide 14
The Eighties and Nineties: improvements in methods and processes (1)
- It is the time of the Airbus A320 and ATR aircraft programs, with new complexities:
  - Full fly by wire for the A320
  - First "IMA like" implementation on ATR through the implementation of a "Multifunction Computer"
- In parallel, the HERMES project (European space shuttle) started in the nineties, leading to improvements in methodologies by mixing the space safety approach and the aeronautical safety approach.
- To control these increases in complexity, and to complete the Concorde methodology, Airbus performed Functional Hazard Assessments (FHA), Common Mode Analysis (CMA) and Human Factor Analysis (HFA). These methods were applied on ATR aircraft programs, and a safety assessment management tool (SARA Tool) was developed in Airbus to manage FHA and PSSA/SSA.
- The control of the development process of aircraft and systems was reinforced, leading to improvements in the aircraft level approach (aircraft FHA and aircraft level safety synthesis), the Common Mode Analysis, the consideration of development errors (DAL concept), and the requirement capture and associated validation/verification activities.
- It is also the time when the aeronautical authorities of the different European countries were integrated in the JAA organization (Joint Airworthiness Agency), when the JAR 25 regulation was issued, and when discussions began between JAA and FAA for the harmonization of civil aviation regulation.
- It is also the time of the certification of the Boeing 767 and 777.

Slide 15
The Eighties and Nineties: improvements in methods and processes (2)
- It is the time of the issue of DO178A/ED12A (1985) and DO178B/ED12B (1992) for software certification, and of the elaboration of DO254/ED80 (issued in the year 2000): Design Assurance Guidance for Airborne Electronic Hardware certification.
- It is the time of safety process and safety method standardization in SAE Aeronautical Recommended Practices (ARP) and EUROCAE European Directives (ED):
  - ARP4754/ED79 first issue ("Certification Considerations for Highly-Integrated or Complex Aircraft Systems") was issued in December 1996. In particular, ARP 4754/ED79 asked to consider errors during aircraft/system development in addition to failures: generalization of the concept of "Development Assurance Level" (DAL).
  - ARP 4761 ("Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment") was issued in November 1996.
  - Introduction, in the airworthiness monitoring regulation, of the "Gun Stone" method (JAR 39, actually AMC 21A.3B), allowing quantitative considerations in airworthiness monitoring decisions.
  - ARP5150 ("Safety Assessment of Transport Airplanes in Commercial Service") started in the nineties and was issued in November 2003.
- ARP4754/ED79 was partially applied on the Airbus A330/A340 program (started 1987) and was fully applied on the Airbus A380 project (started in 1995).

Slide 16
Safety assessments: the years 2000s and 2010s
ARP 4754 first issue application and safety process improvements
- In September 2003 the JAA activities were transferred to EASA (European Aviation Safety Agency) and the JAR 25 regulation became the CS 25 regulation (Certification Specification for large aircraft).
- The application of the ARP4754/ED79 first issue on the Airbus A380 program showed that:
  - The DAL assignment process recommended in ARP 4754 for the consideration of development errors was misleading
  - The requirement capture and validation/verification process needed to be developed
  - There were some inconsistencies in the DAL assignment process and DAL consideration between interrelated documents (mainly between ARP4754/ED79 and DO178B/ED12B)
  - There was a need for reinforcement of the development assurance activities at aircraft level and at system level

Slide 17
Safety assessments: the years 2000s and 2010s
ARP 4754 first issue application and safety process improvements
- New issues of ARP 4754 (ARP4754A/ED79A) and DO178 (DO178C/ED12C) were started.
- ARP 4754A/ED79A (Guidelines for Development of Civil Aircraft and Systems) was issued at the end of 2010. The main improvements are:
  - Aircraft level safety plan and Aircraft Safety Assessment (preliminary: PASA; final: ASA)
  - Safety case / safety synthesis
  - New DAL assignment process
  - Extended requirement capture and associated validation/verification process
  - Extended development assurance process
- The application of ARP4754A/ED79A is recommended by the authorities. It is referenced in CS 25.1309 AMC and in EASA CRI F 22; its application is recommended by the FAA through AC 20-174.
- New issue of DO178 (DO178C/ED12C) issued in 2012.
- New issue of ARP4761 (ARP4761A/ED135) in progress to assure coherency with the new issue ARP 4754A/ED79A. Issue planned for the beginning of 2015.
- A new issue of ARP5150 may be necessary to assure coherency with the new issues of the other documents.

Slide 18
Safety assessments: regulation and guideline documents
[Figure: document map covering the development phase and the in-service operational phase.]
Regulation: EASA CS 25.1309, FAA FAR 25.1309
Development phase, starting from the intended aircraft function:
- Guidelines for Development of Civil Aircraft and Systems (ARP4754A/ED79A)
- Safety Assessment Process Guidelines & Methods (ARP 4761/ED-135), exchanging function, failure and safety information with ARP4754A
- Guidelines for Integrated Modular Avionics (DO-297/ED-124), Hardware Development Life-Cycle (DO-254/ED-80) and Software Development Life-Cycle (DO-178B/ED-12B), exchanging system design information with ARP4754A
In-service operational phase, starting from functional system operation:
- Safety Assessment of Aircraft in Commercial Service (ARP 5150/5151)
Acronyms: ED = EUROCAE Document; DO = RTCA Document; ARP = SAE Aeronautical Recommended Practices; SAE = Society of Automotive Engineers; RTCA = Radio Technical Commission for Aeronautics; EASA = European Aviation Safety Agency; CS = EASA Certification Specification; FAA = Federal Aviation Administration; FAR = FAA Federal Aviation Regulation.

Slide 19
ARP 4754A - Aircraft and System Development Process Model
Notion of aircraft level functions and "integral processes"
[Figure: ARP 4754A process model; section numbers refer to ARP 4754A.]
Aircraft/system development process (4.0): concept, aircraft function development, allocation of aircraft functions to systems, development of system architecture, allocation of system requirements to items, system implementation, data and documentation (sections 4.2 to 4.6).
Integral processes:
- Planning (3.0)
- 5.1 Safety assessment
- 5.2 Development assurance level assignment
- 5.3 Requirements capture
- 5.4 Requirements validation
- 5.5 Implementation verification
- 5.6 Configuration management
- 5.7 Process assurance
- 5.8 Certification and regulatory authority coordination
Each integral process should be structured by:
- A plan describing, in accordance with the development plan, the organization, the responsibilities, the tasks to perform, the management principles and the deliverables
- Method documents describing how to perform the tasks identified in the plan and defining the format and contents of the deliverables
- Technical deliverables resulting from the application of the plan and method documents

Slide 20
Safety assessments: future tendencies
- The increase in system complexity will continue, as well as the integration between systems.
- Functions are no longer performed by systems defined as an integration of components, but by systems that are integrations of systems: "system of systems".
- The design best practices recorded in ARP4754A will have to be applied strictly, particularly requirement capture and the validation/verification integral process.
- Due to the increase in complexity, the assurance that all system dysfunctional configurations have been considered during the design process and during safety studies may become illusory. In that case the application of requirements for independence, including dissimilarity, will have to be reinforced.
- Safety assessments (PASA, PSSA, SSA, ASA, CMA) will become more difficult to perform without the help of Model Based Safety Assessment techniques (computer-aided safety assessment based on system functional and dysfunctional models).
- The development of Unmanned Aeronautical Vehicles (UAV) and Sub-Orbital Airplanes (SOA), and their possible integration in normal aeronautical traffic management (ATM), will require reconsidering the regulation and more integration between the safety assessments of aircraft systems and ATM systems.

Slide 21
End of the presentation
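The acceptance criteria of slides 10 to 12 written as a small checker, added here as an example that is not part of the presentation: the equal-repartition apportionment, the qualitative class of an assessed probability, the per-Failure-Condition and sum objectives, and the single-failure rule for Catastrophic effects. The FailureCondition record, its fields and the sample conditions are constructed for the illustration.

```python
# Added example, not part of the presentation: the TSS-style acceptance
# criteria of slides 10 to 12 as a small checker. The FailureCondition
# record, its fields and the sample conditions below are constructed.
import math
from dataclasses import dataclass

# Objective per Failure Condition: upper limit on the average occurrence
# probability per flight hour, by severity class (slide 12).
PER_FC_OBJECTIVE = {"MINOR": 1e-3, "MAJOR": 1e-5,
                    "HAZARDOUS": 1e-7, "CATASTROPHIC": 1e-9}
# Objective for the sum of all Failure Conditions of a class (slide 12;
# slide 10 states the 1e-7 limit on the Catastrophic sum explicitly).
SUM_OBJECTIVE = {"HAZARDOUS": 1e-5, "CATASTROPHIC": 1e-7}

def apportion(aircraft_objective=1e-7, n_conditions=100):
    """Equal-repartition rule of slide 10: the aircraft-level objective is
    shared equally among the assumed number of Catastrophic conditions."""
    return aircraft_objective / n_conditions

def qualitative_class(p):
    """Map a probability per flight hour to the slide 11 qualitative class."""
    if p <= 1e-9:
        return "EXTREMELY IMPROBABLE"
    if p <= 1e-7:
        return "EXTREMELY REMOTE"
    if p <= 1e-5:
        return "REMOTE"
    if p <= 1e-3:
        return "PROBABLE"
    return "FREQUENT"

@dataclass
class FailureCondition:
    name: str
    severity: str                 # a key of PER_FC_OBJECTIVE
    probability: float            # assessed average probability per flight hour
    single_failure: bool = False  # True if one single failure alone causes it

def check_failure_condition(fc):
    """Findings for one Failure Condition; empty when its objectives are met."""
    findings = []
    limit = PER_FC_OBJECTIVE[fc.severity]
    if fc.probability > limit:
        findings.append(f"{fc.name}: {fc.probability:.1e}/FH "
                        f"({qualitative_class(fc.probability)}) exceeds the "
                        f"{fc.severity} objective of {limit:.0e}/FH")
    if fc.severity == "CATASTROPHIC" and fc.single_failure:
        findings.append(f"{fc.name}: no single failure may lead to a "
                        "Catastrophic effect")
    return findings

def check_aircraft(conditions):
    """Per-condition checks, then the sum objectives across all conditions."""
    findings = [f for fc in conditions for f in check_failure_condition(fc)]
    for severity, limit in SUM_OBJECTIVE.items():
        total = math.fsum(fc.probability for fc in conditions
                          if fc.severity == severity)
        if total > limit:
            findings.append(f"sum of {severity} conditions {total:.1e}/FH "
                            f"exceeds the objective of {limit:.0e}/FH")
    return findings

# Constructed sample: a few Failure Conditions of a fictitious system.
SAMPLE = [
    FailureCondition("loss of all flight control computers", "CATASTROPHIC", 4e-10),
    FailureCondition("uncommanded pitch movement", "CATASTROPHIC", 3e-9),
    FailureCondition("loss of one hydraulic circuit", "HAZARDOUS", 5e-8),
    FailureCondition("loss of autopilot", "MAJOR", 2e-5),
]

def demo():
    """Run the checks on SAMPLE; returns the two expected findings."""
    return check_aircraft(SAMPLE)
```

On the sample, demo() reports the Catastrophic condition at 3e-9/FH and the Major condition at 2e-5/FH; the Catastrophic sum (3.4e-9/FH) stays within the 1e-7/FH objective.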