SAE Technical Standards Board Rules provide that: "This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user." SAE reviews each technical report at least every five years, at which time it may be revised, reaffirmed, stabilized, or cancelled. SAE invites your written comments and suggestions.

Copyright 2012 SAE International. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE.

TO PLACE A DOCUMENT ORDER: Tel: 877-606-7323 (inside USA and Canada); Tel: +1 724-776-4970 (outside USA); Fax: 724-776-0790; Email: CustomerService@sae.org; SAE WEB ADDRESS: http://www.sae.org

SAE values your input. To provide feedback on this Technical Report, please visit http://www.sae.org/technical/standards/AIR6027

AEROSPACE INFORMATION REPORT AIR6027, Issued 2012-05
Considerations for Safe Store Operation on Manned and Unmanned Vehicles

RATIONALE

In discussions between SAE ASD committees and customers, it was apparent that there is a lack of common understanding of matters associated with the safety considerations applicable to weapon operation on aircraft. Although numerous safety standards exist, they cover only specific aspects of the subject, and there are often misunderstandings on such matters as independence of functions, implementation of safety critical commands and ensuring that adequate safeguards exist where necessary. A short survey of members of AS-1B revealed that there is no single over-arching and comprehensive standardisation or description of the safety features applicable to weapon operation on aircraft which would facilitate the design and implementation of safe systems.

This situation was made all the more apparent when AS-1B was asked by the JAUS committee (AS-4) for guidance in their work on adding weapon operation capabilities to Unmanned Ground Systems, or robots, in the first place, with future consideration of Unmanned Aerial Systems. This standard is intended to provide an overview of the established safety concepts generally employed on manned combat aircraft for safe operation and release of weapons, and to provide recommendations for how these principles may be applied to the operation of weapons on other (unmanned) platforms or robots.

1. SCOPE

The information presented in this AIR is intended to provide designers of armed unmanned systems with guidelines that may be applied to ensure safe integration and operation of weapons on unmanned platforms. The guidelines have been developed from experience gained in the design and operation of weapons on manned aircraft that has been accepted by relevant safety authorities in the USA and Europe and proven effective over many years. Whilst the guidelines have been developed from experience with aircraft operations, the concepts are considered equally applicable to non-aircraft systems, such as those used in surface or undersea environments. This document does not attempt to define or describe a comprehensive safety program for unmanned systems.

System Safety is a system characteristic and a non-functional requirement. It has to be addressed at each level of system design and system integration and during each phase of system operation. System safety is achieved when the system operation does not cause inadvertent personnel injuries, destruction of the system or damage to the environment.

Section 3 of the document contains an introduction to methods by which the safety of a system can be assessed. Section 4 describes the safety principles commonly applied to the design and operation of weapons on manned aircraft. Section 5 describes how the safety principles established for manned aircraft may be applied to unmanned systems, and Section 6 provides conclusions and recommendations.

Copyright SAE International. Provided by IHS under license with SAE. Not for Resale. No reproduction or networking permitted without license from IHS. SAE AIR6027 Page 2 of 24

2. APPLICABLE DOCUMENTS

The following publications form a part of this document to the extent specified herein. The latest issue of SAE publications shall apply. The applicable issue of other publications shall be the issue in effect on the date of the purchase order. In the event of conflict between the text of this document and references cited herein, the text of this document takes precedence. Nothing in this document, however, supersedes applicable laws and regulations unless a specific exemption has been obtained.

2.1 SAE Publications

Available from SAE International, 400 Commonwealth Drive, Warrendale, PA 15096-0001, Tel: 877-606-7323 (inside USA and Canada) or 724-776-4970 (outside USA), www.sae.org.

AS5725 Interface Standard, Miniature Mission Store Interface
AS5726 Interface Standard, Interface for Micro Munitions
ARP4754 Guidelines for Development of Civil Aircraft and Systems
ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

2.2 IEEE Publications

Available from Institute of Electrical and Electronics Engineers, 445 Hoes Lane, Piscataway, NJ 08854-1331, Tel: 732-981-0060, www.ieee.org.

IEEE STD 1228-1994 Standard for Software Safety Plans

2.3 RTCA Publications

Available from Radio Technical Commission for Aeronautics Inc., 1828 L Street, NW, Suite 805, Washington, DC 20036, Tel: 202-833-9339, www.rtca.org.

RTCA DO-178 Software Considerations in Airborne Systems and Equipment Certification

2.4 U.S. Government Publications

Available from the Document Automation and Production Service (DAPS), Building 4/D, 700 Robbins Avenue, Philadelphia, PA 19111-5094, Tel: 215-697-6257, http://assist.daps.dla.mil/quicksearch/.

MIL-STD-882 Standard Practice for System Safety
MIL-STD-1553 Interface Standard for Digital Time Division Command/Response Multiplex Data Bus
MIL-STD-1629 Procedures for Performing a Failure Mode, Effects and Criticality Analysis (cancelled)
MIL-STD-1760 Aircraft/Store Electrical Interconnection System
MIL-HDBK-516 Airworthiness Certification Criteria

2.5 Other Publications

N. G. Leveson, A New Approach to System Safety Engineering
Various Authors, System Software Safety Handbook (2010)

3. RISK ASSESSMENT, HAZARD ANALYSIS AND SOFTWARE SAFETY CLASSIFICATION

This section provides an overview of the analyses that must be carried out when designing the safety characteristics of a system. It should be noted that there are many documents containing guidelines and requirements applicable to system safety design for the operation of weapons on platforms. Adherence to any one document will not necessarily ensure compliance with others. Documents applicable to the operation of stores on platforms include MIL-STD-882, IEEE STD 1228, SAE ARP4761 and SAE ARP4754. In general, when designing the safety characteristics of any system, reference should be made to the complete set of safety documents relevant to the system, and a common understanding of the set of required safety characteristics should be reached with the safety authorities.

It should also be noted that there is likely to be more than one safety authority associated with the operation of stores on a platform. There may be separate authorities covering explosives and fuzing, store safety, platform safety, airworthiness and, in the case of air platforms, clearances for flying in controlled airspace. Each nation or armed service may have its own organization holding these authorities.

In addition, caution should be exercised in the use of terminology because of the lack of commonality across the documents. As an example, MIL-STD-882 Rev D contains very specific definitions of the words hazard and mishap that are not necessarily contained in other relevant documents: the banana peel is the hazard, slipping on it is the mishap. In this AIR, the term failure is used to encompass all instances of the system not operating as expected, including mishaps or the arising of hazards that were (or were not) previously identified, as defined in MIL-STD-882.

The following paragraphs describe some of the approaches and processes commonly used when designing and assessing the safety characteristics of store operation on manned aircraft. They are offered for consideration when designing unmanned systems.

3.1 Risk Assessment Procedure

The system safety assessment is a continuous systems engineering process applied during the whole system life cycle. Hazard Analyses and Safety Assessments using different techniques, including software safety analyses, are performed at all system development levels to the level of rigor required to ensure robustness and correct operation of the system.

The first step in mitigating safety risks is early identification of failure modes to which the design of the aircraft and store system can contribute. Causes of potential failures are identified by a combination of activities: analytical methods (including, but not limited to, Functional Hazard Assessments, Fault Tree Analysis, and Failure Modes, Effects and Criticality Analysis), experience from legacy programmes, and identification of new failures and their causes during the development of the system.

Risk assessment is performed to establish safety risks to the weapon system caused by functional failure of system component(s) (which includes operator actions) or by faults and failure conditions. Functional Hazard Assessments, Preliminary Hazard Analyses and System Safety Assessments, using blended approaches and methods from SAE ARP4761, SAE ARP4754, MIL-STD-882 and IEEE STD 1228, combined with effective system safety techniques, should identify failure modes and enable risk mitigation. This is often achieved through derived requirements that specify safety features in the design. Safety Critical (SC) Functions associated with weapons ready, weapons solutions and/or release and control that are commanded, controlled and monitored by software will require a software safety effort using IEEE STD 1228-1994 or equivalent alternative methods.

Each (system) function must be evaluated with respect to the effect of the function failure on the
mission, platform/personnel and environment. The principal failure modes are:
- Loss of function
- Provision of function when not required
- Provision of function incorrectly
- Hazardously misleading information that could lead to malfunction or human error

NOTE: MIL-STD-1629A (cancelled) provides more detailed failure modes:
- Premature operation
- Failure to operate at prescribed time
- Intermittent operation
- Failure to cease operation at prescribed time
- Loss of output or failure during operation
- Degraded output or operational capability
- Other unique failure conditions, as applicable, based upon system characteristics and operational requirements or constraints

System boundary conditions are established to focus on the relevant activities within the system being analyzed. These activities may include operator actions and some initial conditions which best describe the system in a fault-free state. Initial conditions are therefore steady-state events which are normally expected and directly related to the circumstances for which the analysis (e.g., fault tree) is performed. The effect of the failure on other subsystems must be considered, and contributing factors (e.g., maintenance, operational or environmental influences), including secondary failures, which may influence the mishap severity must be identified.

The determination of a mishap risk requires consideration of two aspects: the probability of occurrence and the consequences.

Consideration of the consequences of a mishap occurring usually assumes a number of levels of severity. The following levels are extracted from MIL-STD-882:
- Catastrophic: causing death and/or platform loss
- Critical: causing severe injury and/or major platform damage
- Marginal: causing minor injury and/or minor platform damage
- Negligible: causing less than minor injury and/or platform damage

Other standards may expand these definitions, for example by taking into account the damage to the environment.

Table 1 provides an example of the approval authority required for acceptance of the combination of mishap probabilities and consequences:

TABLE 1 - MISHAP RISK ACCEPTANCE AUTHORITY
Severity (columns): Catastrophic | Critical | Marginal | Negligible
Probability (rows): Frequent (≥ 10^-1) | Probable (≥ 10^-2) | Occasional (≥ 10^-3) | Remote (≥ 10^-6) | Improbable (threshold cut off in the source)
[The body of Table 1 and the text of the pages that follow it are not present in the extracted source.]

[Figure residue from a later section: a weapon safety state diagram showing the states SAFE, STANDBY, ARM, LIVE, SIMULATE and OFF, LOCK/UNLOCK transitions, and guarded interlocks such as "Store Present on Station", "Address good", "BIT passed", "healthy", airspeed (150 kts) and Weight_on_Wheels := FALSE.]

In flight: Weapon Release Preparation. Probable hazards: unintended weapon arming or release; weapon loss.

- Timing of operations within the vehicle must be closely defined, especially for irreversible actions or actions associated with weapon release;
- Allocating end-to-end timing delays among elements within the UCS, vehicle, weapon, and UCS-to-vehicle communications. These total delays are measured from operator physical action at the user interface to final responsive event in the weapon (including its release), and from event in the weapon to confirming display or alert at the operator interface;
- Minimum time needed for communications between transmitters and receivers located in both the UCS and the vehicle, including multi-hop transfers where applicable;
- Maximum time allowed for timing delays and/or loss of communication before initiation of measures in the UCS, vehicle and/or weapon necessary to ensure safe and predictable vehicle behaviour.

5.2.3 System Status and Situational Awareness

The design of the complete system should include consideration of the operator uncertainty that would arise from relatively long intervals between UCS op
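As an added illustration of the timing allocation points above (example code written for this page, not from AIR6027 or any UCS implementation), the Python below sums a constructed per-element delay budget along the two measured paths (operator action to weapon event, weapon event to operator display), flags allocations that exceed the maximum allowed or fall below the minimum link time, and models the vehicle-side loss-of-communication measure that returns the weapon interface to SAFE. The element names, millisecond values and the two-state SAFE/ARM model are all assumptions.

```python
from dataclasses import dataclass

# Constructed allocation of end-to-end delays (milliseconds) across the elements the
# report names: UCS, UCS-to-vehicle communications, vehicle and weapon. Not from AIR6027.
@dataclass(frozen=True)
class TimingBudget:
    ucs_processing: int      # operator action recognised and encoded at the UCS
    uplink_hops: tuple       # per-hop transfer times, UCS -> vehicle (multi-hop allowed)
    vehicle_processing: int  # vehicle stores-management handling of the command
    weapon_response: int     # weapon acts on the command (e.g. arm, release)
    downlink_hops: tuple     # per-hop transfer times, vehicle -> UCS
    ucs_display: int         # confirming display or alert rendered for the operator

    def command_path(self) -> int:
        """Operator physical action -> final responsive event in the weapon."""
        return (self.ucs_processing + sum(self.uplink_hops)
                + self.vehicle_processing + self.weapon_response)

    def feedback_path(self) -> int:
        """Event in the weapon -> confirming display/alert at the operator interface."""
        return sum(self.downlink_hops) + self.ucs_display


def check_budget(b: TimingBudget, max_command: int, max_feedback: int, min_hop: int) -> list:
    """Return the budget violations found; an empty list means the allocation is acceptable."""
    findings = []
    if b.command_path() > max_command:
        findings.append(f"command path {b.command_path()} ms exceeds {max_command} ms")
    if b.feedback_path() > max_feedback:
        findings.append(f"feedback path {b.feedback_path()} ms exceeds {max_feedback} ms")
    # An allocation below the physically achievable link time can never be met.
    for hop in b.uplink_hops + b.downlink_hops:
        if hop < min_hop:
            findings.append(f"hop allocation {hop} ms is below minimum link time {min_hop} ms")
    return findings


class LinkWatchdog:
    """Vehicle-side guard (assumed model): once UCS silence exceeds max_silence ms, the
    weapon interface reverts to SAFE and stays there until a fresh command arrives."""

    def __init__(self, max_silence: int):
        self.max_silence = max_silence
        self.last_rx = 0
        self.state = "SAFE"

    def on_command(self, now: int, want_arm: bool) -> str:
        self.last_rx = now                      # any valid message refreshes the link
        self.state = "ARM" if want_arm else "SAFE"
        return self.state

    def tick(self, now: int) -> str:
        if now - self.last_rx > self.max_silence:
            self.state = "SAFE"                 # loss-of-communication measure: fail safe
        return self.state
```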