SAE Technical Standards Board Rules provide that: "This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user." SAE reviews each technical report at least every five years, at which time it may be revised, reaffirmed, stabilized, or cancelled. SAE invites your written comments and suggestions.

Copyright 2017 SAE International. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE.

TO PLACE A DOCUMENT ORDER: Tel: 877-606-7323 (inside USA and Canada) Tel: +1 724-776-4970 (outside USA) Fax: 724-776-0790 Email: CustomerService@sae.org SAE WEB ADDRESS: http://www.sae.org

SAE values your input. To provide feedback on this Technical Report, please visit http://standards.sae.org/ARP6539

AEROSPACE RECOMMENDED PRACTICE ARP6539 Issued 2017-11

Validation and Verification Process Steps for Monitors Development in Complex Flight Control and Related Systems

RATIONALE
There is a need for a document that provides a process for the development and approval of monitoring algorithms for highly-integrated and complex aircraft flight control and related systems. This document satisfies this need.

FOREWORD
A monitor is a mechanism in place to detect failures at the component or system level. The monitor functionality includes input signal sampling, a detection scheme and a corrective action. Poorly designed monitors can result in an inability of the monitor to detect or react
to the failure condition in a time frame appropriate to the failure threat, or in nuisance trips affecting system availability.

The inability to detect a failure in a timely fashion can have a negative impact on:
- Aircraft safety
- The pilot's ability to cope with a developing problem
- Aircraft safety margins

Nuisance trips can have a negative impact on:
- Baseline safety, due to reductions in redundancy following system re-configuration, or reduced system availability
- Degradation of the importance attached to warnings, due to complacency resulting from frequency of occurrence
- Development program cost and schedule increases, if the issues are only discovered at the aircraft integration rigs or during flight test
- Dispatch interruption rate increases and unplanned diversions for fleets, if the problems emerge or persist into revenue service of the aircraft
- Increase in no fault found rates following
unscheduled maintenance removals

SAE INTERNATIONAL ARP6539 Page 2 of 12

This recommended practice provides program level guidance to validate and verify the need for, and robustness of, monitoring functions for highly integrated aircraft systems. As a general note, the Supplier described in this document is a system, sub-system, or equipment supplier. In some cases, though, the monitor(s), or monitoring scheme, may be developed by the OEM, or consist of some combination of OEM and Supplier derived monitors. The process steps for this type of development work are the same and are aimed at the level at which the monitor requirements are specified. The OEM monitors development team can be assigned the role of the Supplier in the context of this process.

TABLE OF CONTENTS
1. SCOPE 2
1.1 Field of Application 2
2. APPLICABLE DOCUMENTS 3
2.1 Definitions 3
2.2 Abbreviations 4
3. MONITORS DESIGN PROCESS STEPS 5
3.1 Monitors Development Plan 5
3.1.1 Critical Monitors 6
3.2 Validation, Definition and Review of Monitors 6
3.2.1 Completeness Check 7
3.2.2 Correctness Check 7
3.2.3 Peer Communities 7
3.2.4 Monitor Performance 8
3.3 Verification of Monitors 9
3.3.1 Safety of Flight 10
3.3.2 Type Certification and Entry into Service 11
3.3.3 Post Entry into Service 11
3.4 Monitors V

however, it can also be used for military aircraft applications.

2. APPLICABLE DOCUMENTS
There are no applicable documents.

2.1 Definitions
ANALYSIS: An evaluation based on decomposition into simple elements.
ASSESSMENT: An evaluation based upon engineering judgment.
ASSUMPTIONS: Statements, principles, and/or premises offered without proof.
AVAILABILITY: Qualitative or quantitative attribute that a system or item is in a functioning state at a given point in time. It is sometimes expressed in terms of the probability of the system or item not providing its output(s).
COMMON CAUSE ANALYSIS: Generic term encompassing zonal safety analysis, particular risk analysis, and common mode analysis.
COMMON MODE ANALYSIS: An analysis performed to verify that failure events identified in the ASA/SSA are independent in the actual implementation.
DERIVED REQUIREMENTS: Additional requirements resulting from design or implementation decisions during the development process which are not directly traceable to higher-level requirements.
ERROR: An omitted or incorrect action by a crewmember or maintenance person, or a mistake in requirements, design, or implementation.
FAILURE: An occurrence which affects the operation of a component, part or element such that it can no longer function as intended. This includes both loss of function and malfunction. Note: errors may cause failures, but are not considered to be failures.
FAILURE CONDITION: A condition having an effect on the aircraft and/or its occupants, either direct or consequential, which is caused or contributed to by one or more failures or errors, considering flight phase and relevant
adverse operational or environmental conditions or external events.
FAILURE EFFECT: A description of the operation of a system or item as the result of a failure; i.e., the consequence(s) a failure mode has on the operation, function or status of a system or an item.
FAULT: A manifestation of an error in an item or system that may lead to a failure.
FUNCTIONAL HAZARD ASSESSMENT: A systematic, comprehensive examination of functions to identify and classify Failure Conditions of those functions according to their severity.
HAZARD: A condition resulting from failures, external events, errors, or
combinations thereof where safety is affected.
ITEM: A hardware or software element having bounded and well-defined interfaces.
MONITOR: A monitor is a mechanism in place to detect failures at the component or system level.
ORIGINAL EQUIPMENT MANUFACTURER: Airframe manufacturer, typically responsible for structural and systems requirements specification and aircraft level integration.
PRELIMINARY SYSTEM SAFETY ASSESSMENT: A systematic evaluation of a proposed system architecture and its implementation, based on the Functional Hazard Assessment and Failure Condition classification, to determine
safety requirements for systems and items.
SYSTEM: A combination of inter-related items arranged to perform a specific function(s).
SYSTEM SAFETY ASSESSMENT: A systematic, comprehensive evaluation of the implemented system to show that the relevant safety requirements are met.
TRACEABILITY: The recorded relationship established between two or more elements of the development process. For example, between a requirement and its source, or between a verification method and its requirement.
VALIDATION: The determination that the requirements for a product are
correct and complete; i.e., are we building the right aircraft/system/function/item?
VERIFICATION: The evaluation of an implementation of requirements to determine that they have been met; i.e., did we build the aircraft/system/function/item right?

2.2 Abbreviations
AFHA Aircraft Functional Hazard Assessment
ARP Aerospace Recommended Practice
ASA Aircraft Safety Assessment
CAS Crew Alerting Systems
CCA Common Cause Analysis
CDR Critical Design Review
CMA Common Mode Analysis
DCS Designated Certification Specialist (EASA)
DER Designated Engineering Representative (FAA)
EASA European Aviation Safety Agency
EIS Entry into Service
FAA Federal Aviation Administration
FHA Functional Hazard Assessment
FMEA Failure Modes and Effect Analysis
OEM Original Equipment Manufacturer
PASA Preliminary Aircraft Safety Assessment
PDR Preliminary Design Review
PSSA Preliminary System Safety Assessment
SFHA Systems Functional Hazard Assessment
SoF Safety of Flight
SSA System Safety Assessment
V&V Validation and Verification

3. MONITORS DESIGN PROCESS STEPS
The intent of these steps is to ensure proper time and effort is planned into the design process from the beginning of the program to implement a rigorous Validation and Verification (V&V) process of the monitors design. Figure 1 shows how the monitors V&V process steps fit into a typical aircraft development program. The activities encompassed in steps 3.1 through 3.4 are discussed in the next sections of this ARP.

Figure 1 - Monitors development V&V cycle

3.1 Monitors Development Plan
Early in the development of an aircraft program, the Supplier should prepare a Monitor Development Plan that includes the following activities:
a. Senior peer community at the Supplier's facility to review the monitoring strategies and mechanisms during the requirements definition phase
b. Supplier design team to present preliminary monitor layouts and development plan with the system architecture at the Preliminary Design Review (PDR), or other program specific planning review milestone
c. OEM and Supplier workshop activity prior to the system Critical Design Review (CDR) to validate the monitor design cases and understand the aircraft cases driving the monitor characteristics (see 3.2)
d. Supplier design team to prepare and document monitor implementation and validation details as a CDR deliverable
e. Supplier design team to further refine the monitors design characteristics and proceed with monitor verification activity of the critical monitors for Safety of Flight (SoF)
f. OEM and Supplier workshop to review the SoF monitors V&V design data as part of the first flight readiness activities (see 3.3)
g. Supplier to provide monitors V&V design data to support Type Certification
h. Supplier to finalize the entire monitors V&V activity with monitor design details for Entry into Service (EIS), with a peer review of the design data with the OEM (see 3.4)

NOTES:
1. The V&V activity and workshops associated with the monitors work are quite labor intensive due to the complexity of highly integrated digital systems. Development planning should include time and effort for this activity to be iterative in nature and require focused attention of senior engineers for extended periods of time at both the Supplier and the OEM facilities, depending on the activity.
2. Monitor design data should be provided by the monitor design team to the OEM to chronicle the V&V activity, design characteristics and design assumptions after the prescribed Supplier and OEM peer reviews for each of the development gates. Major program milestones, reviews, and Supplier deliverables are typically defined in a system specific statement of work, which should include the monitor related activities and artifacts defined herein, with details of the activities captured in a Supplier Monitor Development Plan.

3.1.1 Critical Monitors
Critical monitors warrant special scrutiny early in the design cycle to mitigate the cost and schedule risk associated with late discovery of issues. A critical monitor in this context is one that may pose a program risk, either during development or in revenue service.
Monitors that may pose a program risk in development are those that meet one or more of the following criteria, and should be validated and verified for SoF to minimize program risk:
a. Traces to an aircraft safety case
b. Creates a Crew Alerting System (CAS) message requiring pilot action
c. Forces a system reconfiguration reducing performance or redundancy
Monitors that may pose a program risk in revenue service are those that meet one or more of the following criteria, and should be validated and verified in time for EIS to minimize the impact of nuisance behaviors on customer operations:
d. Creates a CAS or maintenance message that will prevent dispatch
e. Creates a CAS or maintenance message that will force operational limitations
The later the critical monitor V&V activity is deferred, the further out the risk of poor monitor design consequences is carried, with
exponentially increasing cost and schedule threats.

3.2 Validation, Definition and Review of Monitors
Failure monitoring requirements originate from and should be traced to:
a. Safety requirements derived from the AFHA, PASA, SFHA, PSSA, SSA, CCA, CMA, FMEA and other safety related documentation
b. Crew awareness requirements driving CAS messages included in the system interface definition documents with the OEM and other Suppliers
c. Derived requirements at lower level hardware or software requirements
d. Maintenance and health monitoring requirements
e. Economic requirements in place to protect expensive equipment from damage
The monitors design data should contain the traceability for each monitor, clearly stating the safety, or other, aircraft level requirement or assumption from which it is derived. The validation data should be completed by the
Supplier and included in the CDR package.

3.2.1 Completeness Check
A completeness check should be done as part of the design validation activity to ensure the top-down and bottom-up traceability for requirements coverage of monitors. Specific attention should be paid during the check of safety critical monitors to ensure the independence requirements are properly represented in the monitoring architecture. For instance, independence between control and monitor lanes must be established to ensure a fault condition does not affect the two lanes in a manner that would mask the failure condition.
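The completeness check described in 3.2.1 has three mechanical parts that can be scripted over the monitor design data: the top-down trace (every requirement that needs detection has a monitor), the bottom-up trace (every monitor is justified by a real requirement), and the lane independence check for safety critical monitors (the monitor lane shares no sensor, power bus or processor with the control lane it watches, otherwise one fault can mask the failure condition). The following is an added example, not code from ARP6539 or from any SAE tool; the requirement and monitor identifiers, the lane resource names and the sample data are constructed assumptions for illustration.

```python
"""Scripted completeness check over a monitor catalog (added example, not from
ARP6539). Requirement ids, monitor ids, lane resource names and the sample data
below are constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    needs_monitor: bool  # True for a Failure Condition the system must detect


@dataclass(frozen=True)
class Lane:
    name: str
    resources: FrozenSet[str]  # sensors, power buses, processors the lane depends on


@dataclass(frozen=True)
class Monitor:
    mid: str
    traces_to: FrozenSet[str]  # requirement ids the monitor is derived from
    control_lane: Lane         # the lane being watched
    monitor_lane: Lane         # the lane doing the watching
    safety_critical: bool


def top_down_gaps(reqs: List[Requirement], monitors: List[Monitor]) -> List[str]:
    """Top-down trace: requirements that need a monitor but have none."""
    covered = {rid for m in monitors for rid in m.traces_to}
    return sorted(r.rid for r in reqs if r.needs_monitor and r.rid not in covered)


def bottom_up_gaps(reqs: List[Requirement], monitors: List[Monitor]) -> List[str]:
    """Bottom-up trace: monitors with no trace, or a trace to an unknown
    requirement, i.e. no justification for the monitor's existence."""
    known = {r.rid for r in reqs}
    return sorted(m.mid for m in monitors
                  if not m.traces_to or not m.traces_to <= known)


def independence_violations(monitors: List[Monitor]) -> Dict[str, List[str]]:
    """Safety critical monitors whose monitor lane shares a resource with the
    control lane it watches: a single fault there hits both lanes and can mask
    the failure condition."""
    return {m.mid: sorted(m.control_lane.resources & m.monitor_lane.resources)
            for m in monitors
            if m.safety_critical and m.control_lane.resources & m.monitor_lane.resources}


def completeness_report(reqs: List[Requirement], monitors: List[Monitor]) -> dict:
    """Combine the three checks; 'complete' is True only when all are empty."""
    report = {
        "uncovered_requirements": top_down_gaps(reqs, monitors),
        "orphan_monitors": bottom_up_gaps(reqs, monitors),
        "independence_violations": independence_violations(monitors),
    }
    report["complete"] = not any(report.values())
    return report


# Constructed sample data (assumptions for the example, not from the ARP).
REQUIREMENTS = [
    Requirement("SR-101", "Loss of aileron position feedback shall be detected", True),
    Requirement("SR-102", "Uncommanded surface motion shall be detected", True),
    Requirement("SR-103", "Low hydraulic pressure shall be annunciated", True),
    Requirement("HR-201", "Actuator duty cycle shall be recorded", False),
]
CTL_A = Lane("CTL-A", frozenset({"RVDT-1", "28VDC-BUS-1", "CPU-A"}))
MON_B = Lane("MON-B", frozenset({"RVDT-2", "28VDC-BUS-2", "CPU-B"}))
# A monitor lane that reuses the control lane's position sensor: not independent.
MON_B_SHARED = Lane("MON-B-shared", frozenset({"RVDT-1", "28VDC-BUS-2", "CPU-B"}))
MONITORS = [
    Monitor("M-1", frozenset({"SR-101"}), CTL_A, MON_B, True),
    Monitor("M-2", frozenset({"SR-102"}), CTL_A, MON_B_SHARED, True),
    Monitor("M-3", frozenset({"SR-999"}), CTL_A, MON_B, False),  # dangling trace
    Monitor("M-4", frozenset({"HR-201"}), CTL_A, MON_B, False),
]

if __name__ == "__main__":
    import json
    print(json.dumps(completeness_report(REQUIREMENTS, MONITORS), indent=2))
```

Run against the sample catalog, the report lists SR-103 as uncovered (no monitor traces to it), M-3 as an orphan (it traces to a requirement that does not exist) and M-2 as an independence violation on RVDT-1. Each of these is the kind of finding the Supplier's CDR validation data should record together with its disposition.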
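The Foreword describes a monitor as input signal sampling, a detection scheme and a corrective action, and names its two ways of being wrong: failing to detect (or detecting too late) a real failure, and nuisance trips on benign transients. The performance and robustness items of the correctness check in 3.2.2 are about that trade-off. Below is an added example, not code from ARP6539: a command/feedback miscompare monitor with a configurable confirmation time, run over constructed sample data containing a short transient followed by a hardover, and graded against an assumed required detection time. The sample rate, threshold, confirmation times, detection requirement and signals are all assumptions for illustration.

```python
"""Command/feedback miscompare monitor with a confirmation time (added example,
not from ARP6539). Sample rate, threshold, confirmation times, the required
detection time and the signals are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_PERIOD_S = 0.01  # assumed 100 Hz input signal sampling


@dataclass(frozen=True)
class MonitorConfig:
    threshold: float       # |commanded - measured| above this is a miscompare
    confirm_time_s: float  # the miscompare must persist this long before the trip


@dataclass(frozen=True)
class MonitorRun:
    tripped: bool
    trip_sample: Optional[int]

    @property
    def trip_time_s(self) -> Optional[float]:
        return None if self.trip_sample is None else self.trip_sample * SAMPLE_PERIOD_S


def run_monitor(cfg: MonitorConfig, commanded: List[float], measured: List[float]) -> MonitorRun:
    """Detection scheme: the miscompare must be seen on `needed` consecutive
    samples. The corrective action (lane switch, CAS message) is represented by
    the latched trip; the monitor stops evaluating once it has tripped."""
    needed = max(1, int(round(cfg.confirm_time_s / SAMPLE_PERIOD_S)))
    consecutive = 0
    for i, (cmd, meas) in enumerate(zip(commanded, measured)):
        consecutive = consecutive + 1 if abs(cmd - meas) > cfg.threshold else 0
        if consecutive >= needed:
            return MonitorRun(True, i)
    return MonitorRun(False, None)


def classify(run: MonitorRun, failure_time_s: float, required_detection_s: float) -> str:
    """Grade a run against the failure injected at failure_time_s:
    nuisance = tripped before the failure existed; late = tripped after the
    allowed detection time; missed = never tripped; ok = inside the window."""
    if not run.tripped:
        return "missed"
    if run.trip_time_s < failure_time_s:
        return "nuisance"
    if run.trip_time_s - failure_time_s > required_detection_s:
        return "late"
    return "ok"


def build_signals(n: int = 120, transient_at: int = 20, transient_len: int = 3,
                  failure_at: int = 50) -> Tuple[List[float], List[float]]:
    """Constructed test signals: constant command, feedback with small noise,
    a 3-sample transient (e.g. an EMI glitch) and then a hardover to zero."""
    commanded = [10.0] * n
    measured = []
    for i in range(n):
        if transient_at <= i < transient_at + transient_len:
            measured.append(12.5)
        elif i >= failure_at:
            measured.append(0.0)
        else:
            measured.append(10.0 + (0.05 if i % 2 else -0.05))
    return commanded, measured


FAILURE_TIME_S = 50 * SAMPLE_PERIOD_S  # the hardover starts at sample 50
REQUIRED_DETECTION_S = 0.3             # assumed allowed detection time after the failure

CANDIDATES = {
    "no confirmation":     MonitorConfig(threshold=1.0, confirm_time_s=0.0),
    "50 ms confirmation":  MonitorConfig(threshold=1.0, confirm_time_s=0.05),
    "500 ms confirmation": MonitorConfig(threshold=1.0, confirm_time_s=0.5),
}


def evaluate_candidates() -> dict:
    """Grade every candidate monitor setting on the same constructed signals."""
    commanded, measured = build_signals()
    return {name: classify(run_monitor(cfg, commanded, measured),
                           FAILURE_TIME_S, REQUIRED_DETECTION_S)
            for name, cfg in CANDIDATES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_candidates().items():
        print(f"{name:22s} -> {verdict}")
```

With these assumptions the unconfirmed monitor trips on the 30 ms transient (a nuisance trip), the 50 ms confirmation rides through the transient and catches the hardover 40 ms after it starts, and the 500 ms confirmation is robust but detects too late for the assumed requirement. Recording this kind of run, with the real thresholds, sample rates and the aircraft cases driving them, is what the monitor validation data in the CDR package is meant to chronicle.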
3.2.2 Correctness Check
A correctness check should be done first by the Supplier design team and then repeated in detail by both the Supplier and OEM peer communities. The correctness check should address:
- Justification of the monitor existence
- Performance of the monitor
- Robustness of the monitor

3.2.3 Peer Communities
The Supplier peer community should include senior specialists with specific product knowledge of current and legacy programs to fully leverage lessons learned in the detailed implementations of the monitors from disciplines like:
- Actuation
- Electronics
- Software
- Systems
Special attention should be paid to details of legacy implementations that may affect the monitored characteristi