
ASTM F3309 F3309M-2018 Standard Practice for Simplified Safety Assessment of Systems and Equipment in Small Aircraft.pdf

Designation: F3309/F3309M-18

Standard Practice for Simplified Safety Assessment of Systems and Equipment in Small Aircraft¹

This standard is issued under the fixed designation F3309/F3309M; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This practice covers methods for conducting a simplified safety assessment of aircraft systems and equipment. The material was developed through open consensus of international experts in general aviation. This information was created by focusing on Level 1 and Level 2 Normal Category aeroplanes employing conventional systems. The content may be more broadly applicable. It is the responsibility of the Applicant to substantiate broader applicability as a specific means of compliance. If the criteria specified within this simplified practice is deemed not to be relevant to a particular application, the Applicant should use the safety assessment process defined in Practice F3230. The topics covered within this practice are: Procedural Flowchart, Failure Condition Identification and Classification, Safety Objectives, Design and Installation Appraisal, Qualitative Analysis of Failure Conditions, Common Mode Analysis, Use of Similarity, and Documentation.

1.2 An applicant intended to propose this information as Means of Compliance for a design approval must seek guidance from their respective oversight authority (for example, published guidance from applicable CAA) concerning the acceptable use and application thereof. For information on which oversight authorities have accepted this standard (in whole or in part) as an acceptable Means of Compliance to their regulatory requirements (hereinafter “the Rules”), refer to the ASTM Committee F44 web page (www.astm.org/COMMITTEE/F44.htm).

1.3 Units: This practice may present information in SI units, English Engineering units, or both; the values stated in each system may not be exact equivalents. Each system shall be used independently of the other; combining values from the two systems may result in nonconformance with the standard.

1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.

1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

2. Referenced Documents

2.1 Following is a list of external standards referenced throughout this practice; the earliest revision acceptable for use is indicated. In all cases later document revisions are acceptable if shown to be equivalent to the listed revision, or if otherwise formally accepted by the governing civil aviation authority; earlier revisions are not acceptable.

2.2 ASTM Standards:²
F3060 Terminology for Aircraft
F3061/F3061M Specification for Systems and Equipment in Small Aircraft
F3230 Practice for Safety Assessment of Systems and Equipment in Small Aircraft

2.3 SAE Recommended Practices:³
SAE ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

2.4 Federal Aviation Administration:⁴
AC 43.13-1B Acceptable Methods, Techniques and Practices - Aircraft Inspection and Repair
AC 43.13-2B Acceptable Methods, Techniques and Practices - Aircraft Alterations

3. Terminology

3.1 Terminology specific to the system safety assessment process is contained in Practice F3230. Terminology specific to this standard is provided below. For general terminology, refer to Terminology F3060.

¹ This practice is under the jurisdiction of ASTM Committee F44 on General Aviation Aircraft and is the direct responsibility of Subcommittee F44.50 on Systems and Equipment. Current edition approved June 1, 2018. Published July 2018. DOI: 10.1520/F3309_F3309M-18.
² For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.
³ Available from SAE International (SAE), 400 Commonwealth Dr., Warrendale, PA 15096, http://www.sae.org.
⁴ Available from Federal Aviation Administration (FAA), 800 Independence Ave., SW, Washington, DC 20591, http://www.faa.gov.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States

3.2 Definitions of Terms Specific to This Standard:

3.2.1 active failure: a failure is active if it is not latent.

3.2.2 attribute: a feature, characteristic, or aspect of a system or a device, or a condition affecting its operation. Some examples would include design, construction, technology, installation, functions, applications, operational uses, and environmental and operational stresses. It would also include relationships with other systems, functions, and flight or structural characteristics.

3.2.3 latent failure: a failure is latent until it is made known to the flight crew or maintenance personnel.

4. Procedure

4.1 The flowchart shown in Fig. 1 provides an overview of the simplified safety assessment process.

4.1.1 The following abbreviations are used in the flowchart shown in Fig. 1:
4.1.1.1 FC: failure condition
4.1.1.2 NSE: Negligible Safety Effect
4.1.1.3 MIN: Minor
4.1.1.4 MAJ: Major
4.1.1.5 HAZ: Hazardous
4.1.1.6 CAT: Catastrophic

4.2 Failure Condition Identification and Classification: An assessment of the aircraft and system functions must be performed to identify and classify the various failure conditions associated with each function; refer to Table 1. A Functional Hazard Assessment (FHA) in accordance with the methodology outlined in SAE ARP4761 is one means of performing this assessment; however, other simpler methodologies may be employed as appropriate to the complexity of the system(s) and the availability of published guidance.

4.3 Safety Objectives: The assessment described in the subsequent paragraphs of this practice must be completed to:

4.3.1 Show that each failure condition identified by the analysis specified in 4.2 meets the probability objectives shown in Table 2, and

4.3.2 To ensure that no other hazard has been introduced because of the system installation.

4.4 Design and Installation Appraisal: A design and installation appraisal must be performed for all system and equipment installations.

4.4.1 Design Appraisal: This is a qualitative appraisal of the integrity and safety of the system design. An effective appraisal requires experienced judgment. The design features that provide integrity and safety must be explained in a form that are easy to follow. The use of system architecture/block diagrams are effective ways to aid the understanding of the system. Other tools that can aid the design appraisal include an extended FHA table where the effects listed in the approved FHA can be shown along with the failure mitigations. Integrity and safety considerations like the use of aerospace components, component qualification, independence, separation, and redundancy should also be discussed as appropriate.

4.4.2 Installation Appraisal: This is a qualitative appraisal of the integrity and safety of the installation. An effective appraisal requires experienced judgment. The installation features must be presented in forms that are easy to follow such as installation drawings, equipment installation requirements, and any required analyses. Deviations from normal, industry-accepted installation practices, for example AC 43-13, need to be evaluated. The appraisal must consider any potential interference with other aircraft systems and issues introduced by maintenance. In general, common design practice provides physical and functional isolation from components contributing to the Negligible or Minor failure conditions from the components that are essential to safe operation. For systems with major, hazardous, or catastrophic failure conditions, the potential for events or influences outside of the systems concerned that might invalidate independence must also be considered.

4.5 Qualitative Analysis of Failure Conditions: The following subsections define the requirements that must be addressed for failure conditions identified in 4.2.

4.5.1 Except as provided in 4.5.2, for failure conditions classified as Negligible, Minor, or Major, no additional qualitative analysis beyond the design and installation appraisals is required.

4.5.2 For Level 2 aircraft, additional substantiation is required to show that major failure conditions are remote. This can be accomplished using one of the following methods:

4.5.2.1 A similarity argument to a previously approved design that was previously shown to meet this probability objective. Refer to 4.7; or

4.5.2.2 For systems where similarity argument cannot be used, then compliance to the remote safety objective may be shown by means of a qualitative assessment. For “loss of function” failure conditions, this can be accomplished by:
(1) Showing that there is redundancy in the equipment providing that function. An analysis of a redundant system in the airplane is usually complete if it shows isolation between redundant system channels and satisfactory reliability for each channel; or
(2) In the case where single failures can cause the failure condition, by showing the system is simple, uses conventional architecture, is appropriately qualified for the installed environment and the individual failure rates of its components are below the objective of 1E-5.

4.5.2.3 For “malfunction” failure conditions, this can be accomplished by:
(1) Showing that the failure condition requires at least two independent failures; or
(2) In the case where a single component can cause the event, showing that only specific component failure modes or a subset of a unit's internal components can result in the failure condition. Justification must be provided for the failure rate apportionment and how that would result in a failure rate in the order of 1E-5.

4.5.3 Hazardous Failure Conditions: These failure conditions must be shown to be extremely remote. This can be accomplished using one of the following methods:

4.5.3.1 A similarity argument to a previously approved design that was previously shown to meet this probability objective. Refer to 4.7; or

4.5.3.2 Qualitative analysis showing that each scenario that can cause the failure condition can only result from two or more independent failures. If the second failure in each combination is latent for more than one flight, the function of the component must be verified at an interval not to exceed the aircraft's annual inspection (or equivalent 100 h inspection as appropriate to the aircraft maintenance program). This can be accomplished by requiring an AFM/AFMS preflight check or by including an inspection/maintenance task in the Instructions for Continued Airworthiness. If a longer interval is desired, the methods outlined in Practice F3230 must be used. Common modes that could invalidate the independence between these failures must be addressed in accordance with 4.6.

FIG. 1 Overview of the Simplified Safety Assessment Process

4.5.4 Catastrophic Failure Conditions: These failure conditions must be shown to be extremely improbable and must not occur as the result of a single failure. This can be accomplished using one of the following methods:

4.5.4.1 A similarity argument to a previously approved design that was previously shown to meet this probability objective. Refer to 4.7; or

4.5.4.2 Qualitative analysis showing that each scenario that can cause the failure condition requires at least two independent failures. One of these failures could be latent provided it is not latent for more than one flight. The other failure must be an active failure. This qualitative analysis must identify how each failure would be detected. Common modes that could invalidate the independence between these failures must be addressed in accordance with 4.6.

4.6 Common Mode Analysis:

4.6.1 When credit is taken for the independence between failures, a common mode analysis must be performed to ensure that there are no common mode failures that would invalidate the assumed independence. The analysis must substantiate that the two failures are indeed independent when considering their design, installations, wiring, and potential common dependencies such as electrical power. Where this independence is not easily justifiable, additional analysis such as an FMEA may be required. Consideration must be given to the implications of common mode failures such as power sources or electrical ground returns which may affect both otherwise independent events at the same time. The design and proposed Instructions for Continued Airworthiness must also be reviewed to identify any potential installation or maintenance errors that could invalidate the independence. The use of functional and design dissimilarity between the events required for a failure condition to occur is encouraged as a good solution but it is not a requirement for compliance with this practice.

4.7 Use of Similarity: A similarity argument to a previously approved design that was previously shown to meet this probability objective can be used to substantiate that a system design and installation meets the requirements of Specification F3061/F3061M. Similarity regarding system design, installation, and operating conditions must be established. The applicant must develop AFM/AFMS procedures or ICA tasks to appropriately address any latent failures for their installation. The similarity argument gains strength as the accumulated flight time with the system increases. If the system is similar in its relevant attributes to those used in other aircraft and if the functions and effects of failure would be the same, then a design and installation appraisal and satisfactory service history of either the equipment being analyzed or of a similar design is usually acceptable for showing compliance.

4.8 Documentation: The results of complying with 4.2 - 4.7 of this practice must be documented in a manner that is appropriate for showing compliance to the applicable CAA.

5. Checklist

5.1 Table 3 below provides a checklist that can be used to

TABLE 1 Failure Condition Classifications
Classification of Failure Conditions
Negl
