AEROSPACE RECOMMENDED PRACTICE

SAE ARP4761
Issued 1996-12

GUIDELINES AND METHODS FOR CONDUCTING THE SAFETY ASSESSMENT PROCESS ON CIVIL AIRBORNE SYSTEMS AND EQUIPMENT

SAE Technical Standards Board Rules provide that: "This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user."

SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancelled. SAE invites your written comments and suggestions.

Copyright 1996 Society of Automotive Engineers, Inc. All rights reserved. Printed in U.S.A.

SAE International, The Engineering Society For Advancing Mobility (Land, Sea, Air and Space), 400 Commonwealth Drive, Warrendale, PA 15096-0001

TABLE OF CONTENTS

1. SCOPE ..... 4
1.1 Purpose ..... 4
1.2 Intended Users ..... 4
1.3 How To Use This Document ..... 4
2. REFERENCES ..... 6
2.1 Applicable Documents ..... 6
2.1.1 SAE Publications ..... 6
2.1.2 U.S. Government Publications ..... 6
2.1.3 FAR Publications ..... 6
2.1.4 RTCA Publications ..... 6
2.1.5 Other References ..... 6
2.2 Definitions ..... 7
2.3 Acronyms ..... 11
3. SAFETY ASSESSMENT PROCESS ..... 12
3.1 Safety Assessment Overview ..... 12
3.2 Functional Hazard Assessment (FHA) ..... 16
3.3 Preliminary System Safety Assessment (PSSA) ..... 17
3.4 System Safety Assessment (SSA) ..... 21
3.5 Verification Means Used for Aircraft Certification ..... 22
4. SAFETY ASSESSMENT ANALYSIS METHODS ..... 22
4.1 Fault Tree Analysis/Dependence Diagram/Markov Analysis (FTA/DD/MA) ..... 22
4.1.1 Applications of the FTA/DD/MA ..... 22
4.1.2 Software in FTA/DD/MA ..... 24
4.1.3 Average Exposure Time Probability ..... 25
4.2 Failure Modes and Effects Analysis (FMEA) ..... 25
4.3 Failure Modes and Effects Summary (FMES) ..... 26
4.4 Common Cause Analysis (CCA) ..... 26
4.4.1 Zonal Safety Analysis (ZSA) ..... 27
4.4.2 Particular Risks Analysis (PRA) ..... 27
4.4.3 Common Mode Analysis (CMA) ..... 28
5. SAFETY RELATED MAINTENANCE TASKS AND INTERVALS ..... 28
6. TIME LIMITED DISPATCH (TLD) ..... 30
6.1 FADEC Application ..... 30
APPENDIX A FUNCTIONAL HAZARD ASSESSMENT (FHA) ..... 31
APPENDIX B PRELIMINARY SYSTEM SAFETY ASSESSMENT (PSSA) ..... 40
APPENDIX C SYSTEM SAFETY ASSESSMENT (SSA) ..... 45
APPENDIX D FAULT TREE ANALYSIS ..... 50
APPENDIX E DEPENDENCE DIAGRAMS ..... 104
APPENDIX F MARKOV ANALYSIS (MA) ..... 108
APPENDIX G FAILURE MODES AND EFFECTS ANALYSIS (FMEA) ..... 135
APPENDIX H FAILURE MODES AND EFFECTS SUMMARY (FMES) ..... 147
APPENDIX I ZONAL SAFETY ANALYSIS (ZSA) ..... 151
APPENDIX J PARTICULAR RISKS ANALYSIS (PRA) ..... 156
APPENDIX K COMMON MODE ANALYSIS (CMA) ..... 159
APPENDIX L CONTIGUOUS SAFETY ASSESSMENT PROCESS EXAMPLE ..... 168

SAE values your input. To provide feedback on this Technical Report, please visit http://www.sae.org/technical/standards/ARP4761

ACKNOWLEDGMENTS

The leadership of the S-18 Committee would like to thank the actively contributing committee members, and their sponsoring companies, for the time, effort, and expense expended during the years of development of this document. Without the experience, cooperation and dedication of these people, development of this document would not have been possible. Thanks to the following committee members.

*John Dalton, Chairman, Boeing Commercial Airplane Group
*Larry Lacy, Vice Chairman, Rockwell Collins Avionics
Michael Burkett, Allison Engine
Dale Davidson, Honeywell Commercial Div.
*Jeff Hasson, Boeing Commercial Airplane Co.
Jean Pierre Heckmann, Aerospatiale
Jan Myers, SAE
*Claus Nagel, Daimler Benz Aerospace
*Barbara Pederson, Rockwell/Collins, General Aviation
*Eric Peterson, Honeywell Air Transport
*Michael Peterson, Honeywell Air Transport
Brett Portwood, Federal Aviation Administration
*Warren Prasuhn, Rockwell/Collins, Air Transport
Tilak Sharma, Boeing Commercial Airplane Co.
Gerry Southcombe, British Aerospace
James Treacy, Federal Aviation Administration
Andrew G. Ward, Rolls Royce
Steve Wilson, Allied Signal, General Aviation

* Members of the Edit Committee

1. SCOPE:

This document describes guidelines and methods of performing the safety assessment for certification of civil aircraft. It is primarily associated with showing compliance with FAR/JAR 25.1309.
The methods outlined here identify a systematic means, but not the only means, to show compliance. A subset of this material may be applicable to non-25.1309 equipment. The concept of Aircraft Level Safety Assessment is introduced and the tools to accomplish this task are outlined. The overall aircraft operating environment is considered. When aircraft derivatives or system changes are certified, the processes described herein are usually applicable only to the new designs or to existing designs that are affected by the changes. In the case of the implementation of existing designs in a new derivation, alternate means such as service experience may be used to show compliance.

1.1 Purpose:

This document presents guidelines for conducting an industry accepted safety assessment consisting of Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA), and System Safety Assessment (SSA). This document also presents information on the safety analysis methods needed to conduct the safety assessment. These methods include the Fault Tree Analysis (FTA), Dependence Diagram (DD), Markov Analysis (MA), Failure Modes and Effect Analysis (FMEA), Failure Modes and Effects Summary (FMES) and Common Cause Analysis (CCA). CCA is composed of Zonal Safety Analysis (ZSA), Particular Risks Analysis (PRA), and Common Mode Analysis (CMA).

1.2 Intended Users:

The intended users of this document include, but are not limited to, airframe manufacturers, system integrators, equipment suppliers and certification authorities who are involved with the safety assessment of civil aircraft and associated systems and equipment.

1.3 How To Use This Document:

The guidelines and methods provided in this document are intended to be used in conjunction with other applicable guidance materials, including ARP4754, RTCA/DO-178, RTCA SC-180 Document DO-(TBD), and with the advisory material associated with FAR/JAR 25.1309. (For engines and propeller applications, reference the applicable FAR/JAR advisory material.) The intent of this document is to identify typical activities, methods, and documentation that may be used in the performance of safety assessments for civil aircraft and their associated systems and equipment. The specific application of such activities needs to be established by the organization conducting the assessment and the appropriate recipient.
This document provides general guidance in evaluating the safety aspects of a design. The primary analytical methods and tools and the relationship of these are introduced. Users who need further information on a specific method or tool may obtain detailed information from appendices A through K. These appendices provide information on Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA), System Safety Assessment (SSA), Fault Tree Analysis (FTA), Dependence Diagram (DD), Markov Analysis (MA), Failure Modes and Effects Analysis (FMEA), Failure Modes and Effects Summary (FMES), Zonal Safety Analysis (ZSA), Particular Risks Analysis (PRA) and Common Mode Analysis (CMA). Appendix L provides an example of the safety assessment process for a hypothetical system. This contiguous example illustrates the relationships between the processes and methods in creating the overall safety evaluation of an aircraft or system as it develops through the design cycle.

NOTE: The appendices are not stand alone documents, but are intended to be used in conjunction with the information contained in the basic document. The user is cautioned not to use the appendices independent of the basic document. Further, the examples in the Appendix L "Contiguous Example" should not be used without making reference to the corresponding appendix and to the main body of this document. Examples presented in this document, including documentation examples, are intended only as guidance. The examples should not be interpreted as an addition to or an amplification of any requirement.

Throughout this document and the appendices, reference is made to using Fault Tree Analyses. It should be understood by the reader that Dependence Diagrams or Markov Analyses may be selected to accomplish the same purpose, depending on the circumstances and the types of data desired.

ARP1834 and ARP926A contain information about Fault/Failure Analysis but are superseded by this document for purposes of civil aircraft safety assessment. They are being amended to reflect this supersession.

2. REFERENCES:

2.1 Applicable Documents:

The following publications form a part of this document to the extent specified herein. The latest issue of SAE publications shall apply. In the event of conflict between the text of this document and references cited herein, the text of this document takes precedence. Nothing in this document, however, supersedes applicable laws and regulations unless a specific exemption has been obtained.

2.1.1 SAE Publications: Available from SAE, 400 Commonwealth Drive, Warrendale, PA 15096-0001.

ARP4754 Certification Considerations for Highly-Integrated or Complex Aircraft Systems

2.1.2 U.S. Government Publications: Available from DODSSP, Subscription Services Desk, Building 4D, 700 Robbins Avenue, Philadelphia, PA 19111-5094.

MIL-HDBK-217 Reliability Prediction of Electronic Equipment, Reliability Analysis Center
MIL-HDBK-338 Reliability Engineering Handbook
MIL-HDBK-978 NASA Parts Application Handbook

2.1.3 FAR Publications: Available from FAA, 800 Independence Avenue, SW, Washington, DC 20591

FAR 25.1309 Airworthiness Standards: Transport Category Airplanes, Federal Aviation Regulations
AC 25.19

2.1.4 RTCA Publications: Available from RTCA Inc., 1140 Connecticut Ave., NW, Suite 1020, Washington, DC 20036

RTCA/DO-178 Software Considerations in Airborne Systems and Equipment Certification, RTCA Inc.
RTCA/DO-TBD Design Assurance Guidance for Airborne Electronic Hardware (RTCA Special Committee -180)

2.1.5 Other References:

JAR 25.1309 Large Aeroplanes, Joint Aviation Requirement
AC 25.1309-1A System Design and Analysis, Advisory Circular, FAA
AMJ 25.1309 System Design and Analysis, Advisory Material Joint, JAA
NUREG-0492 Fault Tree Handbook, U.S. Nuclear Regulatory Commission
RAC NPRD Nonelectronic Parts Reliability Data
RAC FMD-91 Failure Mode/Mechanism Distribution
GIDEP Government Industry Data Exchange Program
Rome Laboratory Reliability Engineers Toolkit

2.2 Definitions:

NOTE: An effort has been made to maintain consistency between the definitions in ARP4754 and those in this document.

AIRWORTHINESS: The condition of an item (aircraft, aircraft system, or part) in which that item operates in a safe manner to accomplish its intended function.

ANALYSIS: An evaluation based on decomposition into simple elements.

APPROVAL: The act of formal sanction of an implementation by a certification authority.

APPROVED: Accepted by the certification authority as suitable for a particular purpose. (ICAO)

ASSESSMENT: An evaluation based upon engineering judgement.

ASSUMPTION: Statements, principles and/or premises offered without proof.

ASSURANCE: The planned and systematic actions necessary to provide adequate confidence that a product or process satisfies given requirements. (RTCA DO 178B)

"AT RISK" TIME: The period of time during which an item must fail in order to cause the failure effect in question. This is usually associated with the final fault in a fault sequence leading to a specific failure condition.

AUTHORITY: The organization or person responsible within the State (Country) concerned with the certification of compliance with applicable requirements.

AVAILABILITY: Probability that an item is in a functioning state at a given point in time.

CERTIFICATION: The legal recognition that a product, service, organization, or person complies with the applicable requirements. Such certification comprises the activity of technically checking the product, service, organization or person, and the formal recognition of compliance with the applicable requirements by issue of a certificate, license, approval, or other documents as required by national laws and procedures.

CERTIFICATION AUTHORITY: Organization or person responsible for granting approval on behalf of the nation of manufacture.

COMMON CAUSE: Event or failure which bypasses or invalidates redundancy or independence.

COMMON CAUSE ANALYSIS: Generic term encompassing Zonal Analysis, Particular Risks Analysis and Common Mode Analysis.

COMMON MODE FAILURE: An event which affects a number of elements otherwise considered to be independent.

COMPLEXITY: An attribute of systems or items which makes their operation difficult to comprehend. Increased system complexity is often caused by such items as sophisticated components and multiple interrelationships.

COMPLIANCE: Successful performance of all mandatory activities; agreement between the expected or specified result and the actual result.

COMPONENT: Any self-contained part, combination of parts, subassemblies or units, which perform a distinct function necessary to the operation of the system.

CONFORMITY: Agreement of physical realization of the item with the defining document.

CRITICALITY: Indication of the hazard level associated with a function, hardware, software, etc., considering abnormal behavior (of this function, hardware, software, etc.) alone, in combination or in combination with external events.

DEFECT: State of an item consisting of the non-performance of specified requirements by a characteristic of the item. A defect may, but need not, lead to a failure.

DEMONSTRATION: A method of proof of performance by observation.

DERIVED REQUIREMENTS: Additional requirements resulting from design or implementation decisions during the development process. Derived requirements are not directly traceable to higher level requirements; though derived requirements can influence higher level requirements.

DESIGN: The result of the design process.

DESIGN PROCESS: The process of creating a system or an item from a set of requirements.

DEVELOPMENT ASSURANCE: All those planned and systematic actions used to substantiate, to an adequate level of confidence, that development errors have been identified and corrected such that the system satisfies the applicable certification basis.

DEVELOPMENT ERROR: A mistake in requirements determination or design.

ERROR: (1) An occurrence arising as a result of an incorrect action or decision by personnel operating or maintaining a system. (JAA AMJ 25.1309) (2) A mistake in specification, design, or implementation.

EVENT: An occurrence which has its origin distinct from the aircraft, such as atmospheric conditions (e.g., wind gusts, temperat