ASTM F3230-2017 Standard Practice for Safety Assessment of Systems and Equipment in Small Aircraft.pdf

Uploaded by: terrorscript155 Document ID: 540170 Upload date: 2018-12-07 Format: PDF Pages: 6 Size: 158.44KB
Resource description

Designation: F3230-17

Standard Practice for Safety Assessment of Systems and Equipment in Small Aircraft [1]

This standard is issued under the fixed designation F3230; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This practice covers internationally accepted methods for conducting safety assessments of systems and equipment for “small” aircraft.

1.2 The applicant for a design approval must seek the individual guidance of their respective CAA body concerning the use of this practice as part of a certification plan. For information on which CAA regulatory bodies have accepted this practice (in whole or in part) as a means of compliance to their Small Aircraft Airworthiness regulations (hereinafter referred to as “the Rules”), refer to ASTM F44 webpage (www.ASTM.org/COMMITTEE/F44.htm) which includes CAA website links.

1.3 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Referenced Documents

2.1 Following is a list of external standards referenced throughout this practice; the earliest revision acceptable for use is indicated. In all cases later document revisions are acceptable if shown to be equivalent to the listed revision, or if otherwise formally accepted by the governing civil aviation authority; earlier revisions are not acceptable.

2.2 ASTM Standards: [2]
F3060 Terminology for Aircraft
F3061/F3061M Specification for Systems and Equipment in Small Aircraft

2.3 SAE Standards: [3]
SAE ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

3. Terminology

3.1 Terminology specific to this practice is provided below. For general terminology, refer to Terminology F3060.

3.2 Definitions of Terms Specific to This Standard:

3.2.1 aircraft type code, n: an Aircraft Type Code (ATC) is defined by considering both the technical considerations regarding the design of the aircraft and the airworthiness level established based upon risk-based criteria; the method of defining an ATC applicable to this practice is defined in Specification F3061/F3061M.

3.2.2 Catastrophic Failure Condition, n: a Catastrophic Failure Condition is one that would result in multiple fatalities of the occupants, or incapacitation or fatal injury to a flight crew member, normally with the loss of the aircraft.

3.2.3 complex system, n: a complex system is a system whose operation, failure modes, or failure effects are difficult to comprehend without the aid of analytical methods or structured assessment methods, such as Failure Modes and Effects Analysis (FMEA) or Fault Tree Analysis (FTA); increased system complexity is often caused by such items as sophisticated components and multiple interrelationships.

3.2.4 conventional system, n: a conventional system is a system whose function, the technological means to implement its function, and its intended usage are all the same as, or closely similar to, that of previously approved systems that are commonly used.

3.2.5 design appraisal, n: a design appraisal is a qualitative appraisal of the integrity and safety of the system design; an effective appraisal requires experienced judgment.

3.2.6 extremely improbable, n: extremely improbable means that an event is considered so unlikely that it is not anticipated to occur during the entire operational life of all aircraft of one type.

[1] This practice is under the jurisdiction of ASTM Committee F44 on General Aviation Aircraft and is the direct responsibility of Subcommittee F44.50 on Systems and Equipment. Current edition approved Feb. 15, 2017. Published March 2017. DOI: 10.1520/F3230-17.

[2] For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.

[3] Available from SAE International (SAE), 400 Commonwealth Dr., Warrendale, PA 15096, http://www.sae.org.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States

This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

3.2.7 extremely remote, n: extremely remote means that an event is not anticipated to occur to each aircraft during its total life, but may occur a few times when considering the total operational life of all aircraft of the type.

3.2.8 failure condition, n: a failure condition is a condition having an effect on the aircraft or its occupants or both, either direct or consequential, which is caused or contributed to by one or more failures or errors; the severity of a failure condition may be affected by flight phase, relevant adverse operational or environmental conditions, or other external events, or combinations thereof.

3.2.9 Hazardous Failure Condition: a Hazardous Failure Condition is one that would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be: a large reduction in safety margins or functional capabilities; physical distress or excessive workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; or, serious or fatal injuries to a relatively small number of persons other than the flight crew.

3.2.10 installation appraisal, n: an installation appraisal is a qualitative appraisal of the integrity and safety of the installation; any deviations from normal industry-accepted installation practices should be evaluated.

3.2.11 Major Failure Condition, n: a Major Failure Condition is one that would reduce the capability of the aircraft or the ability of the flight crew to cope with adverse operating conditions to the extent that there would be: a significant reduction in safety margins or functional capabilities; a significant increase in flight crew workload or in conditions impairing the efficiency of the flight crew; discomfort to the flight crew; or, physical distress to passengers or cabin crew, possibly including injuries.

3.2.12 Minor Failure Condition, n: a Minor Failure Condition is one that would not significantly reduce aircraft safety, and which involves crew actions that are well within their capabilities; Minor Failure Conditions may include: a slight reduction in safety margins or functional capabilities; a slight increase in crew workload, such as routine flight plan changes; or, some physical discomfort to passengers or cabin crew.

3.2.13 Negligible Failure Condition, n: a Negligible Failure Condition is one that would have no procedural or operational effect on the flight crew so as to interfere with the reliable performance of published and trained duties, or on the operation or capabilities of the aircraft; however, the event may result in an inconvenience to aircraft occupants.

3.2.14 probable, n: probable means that the event is anticipated to occur one or more times during the entire operational life of each aircraft.

3.2.15 qualitative analysis, n: a qualitative analysis relies on analytical processes that assess system and aircraft safety in an objective, non-numerical manner.

3.2.16 quantitative analysis, n: a quantitative analysis relies on analytical processes that apply mathematical methods to assess the system and aircraft safety.

3.2.17 redundancy, n: the term redundancy refers to the presence of more than one independent means for accomplishing a given function; each means of accomplishing the function need not be identical.

3.2.18 remote, n: remote means that the event is not anticipated to occur at each aircraft during its total life, but may occur several times when considering the total operational life of all aircraft of the type.

3.2.19 similarity, n: the term similarity refers to a condition where the equipment type, form, function, design, and installation have only minor differences to previously approved equipment. The safety and operational characteristics and other qualities of the new installation should have no appreciable effects on the airworthiness of the aircraft.

3.2.20 simple system, n: a simple system is a system that can be evaluated by only qualitative analysis and that is not a complex system; functional performance is determined by combination of tests and analyses.

3.2.21 single failure, n: a single failure is considered to be any occurrence, or set of occurrences, that: cannot be shown to be independent from each other; affects the operation of components, parts, or elements of a system such that they can no longer function as intended; or, results in inadvertent system operation.

4. Basic Information

NOTE 1: Table 1 provides correlation between various Aircraft Type Codes and the individual requirements contained within this section; refer to 3.2.1. For each subsection, an indicator can be found under each ATC character field; three indicators are used:

An empty cell ( ) in all applicable ATC character field columns indicates that an aircraft must meet the requirements of that subsection.

A white circle (○) in multiple columns indicates that the requirements of that subsection are not applicable to an aircraft only if all such ATC character fields are applicable.

A mark-out in any of the applicable ATC character field columns indicates that the requirements of that subsection are not applicable to an aircraft if that ATC character field is applicable.

Example: An aircraft with an ATC of 1SRLLDLN is being considered. Since all applicable columns are empty for 4.1, that subsection is applicable to the aircraft. Since the “1” airworthiness level column, the “L” stall speed column, and the “D” meteorological column for 4.2.1 all contain white circles, then that subsection is not applicable; however, for an aircraft with an ATC of 1SRMLDLN, 4.2.1 would be applicable since the “M” stall speed column does not contain a white circle.

4.1 Failure Condition Classification: An assessment of the aircraft and system functions must be performed to identify and classify the various failure conditions associated with each function; refer to 3.2.8 and Table 2. A Functional Hazard Assessment (FHA) in accordance with the methodology outlined in SAE ARP4761 is one means of performing this assessment; however, other simpler methodologies (for example, a design and installation appraisal) may be employed as appropriate to the complexity and criticality of the system(s).

4.2 Classification-Based Analyses: Based on the results of the assessment per 4.1, the depth of analysis required to show compliance may be determined using Fig. 1 and the Assessment Levels defined in Table 3.

4.2.1 In showing compliance with the provisions of 4.2, for Negligible Failure Conditions (refer to 3.2.13), a design and installation appraisal to establish independence from other functions is necessary for the safety assessment. In general, common design practice provides physical and functional isolation from related components which are essential to safe operation.

4.2.2 In showing compliance with the provisions of 4.2, for Minor Failure Conditions (refer to 3.2.12), a design and installation appraisal to establish independence from other functions is necessary for the safety assessment. This appraisal should consider the effects of system failures on other systems and their functions. In general, common design practice provides physical and functional isolation from related components which are essential to safe operation.

4.2.3 In showing compliance with the provisions of 4.2, for Major Failure Conditions (refer to 3.2.11), a qualitative analysis (refer to 3.2.15) must be performed to determine compliance with the requirements of Table 4; in certain circumstances, a quantitative analysis (refer to 3.2.16) may also be required. There are several methods of performing a valid qualitative analysis.

4.2.3.1 A “similarity argument” allows validation of a requirement by comparison to the requirements of similar certified systems. A similarity argument gains strength as the period of experience with the system increases. If the system is similar in its relevant attributes to those used in other aircraft and if the functions and effects of failure would be the same, then a design and installation appraisal and satisfactory service history of either the equipment being analyzed or of a similar design is usually acceptable for showing compliance. It is the applicant's responsibility to provide data that: is accepted, approved, or both; and, supports any claims of similarity to a previous installation.

4.2.3.2 For systems that are not complex, and where similarity arguments cannot be used, “qualitative occurrence arguments” may be presented to demonstrate that the Major Failure Conditions of the system, as installed, are consistent with the requirements of Table 4; for example, redundant systems may qualify for this approach.

4.2.3.3 For systems that are complex and possess low redundancy (for example, a system with a self-monitoring microprocessor), a qualitative functional Fault Tree Analysis (FTA) or Failure Modes and Effects Analysis (FMEA) supported by failure rate data and fault detection coverage analysis must be presented to demonstrate that the Major Failure Conditions of the system, as installed, are consistent with the requirements of Table 4.

4.2.3.4 A Qualitative Analysis of a redundant system is usually complete if it shows isolation between redundant system channels and satisfactory reliability for each channel. For complex systems where functional redundancy is required, a qualitative functional FTA or FMEA may be necessary to demonstrate that redundancy actually exists (for example, no single failure affects all functional channels).

TABLE 1 ATC Compliance Matrix, Section 4
Columns: Section; Airworthiness Level (1, 2, 3, 4); Number of Engines (S, M); Type of Engine(s) (R, T); Stall Speed (L, M, H); Cruise Speed (L, H); Meteorological Conditions (D, N, I); Altitude (L, H); Maneuvers (N, A)
Rows: 4; 4.1; 4.2 CCC; 4.2.1; 4.2.2; 4.2.3; 4.2.3.1; 4.2.3.2; 4.2.3.3; 4.2.3.4; 4.2.4 CCC; 4.2.4.1; 4.2.4.2; 4.2.4.3; 4.2.5

TABLE 2 Failure Condition Classifications
Classification of Failure Conditions: Negligible [A]; Minor [A]; Major [A]; Hazardous [A]; Catastrophic [A]
Classification Considerations
Effect on Aircraft:
  Negligible: No effect on operational capabilities or safety
  Minor: Slight reduction in functional capabilities or safety margins
  Major: Significant reduction in functional capabilities or safety margins
  Hazardous: Large reduction in functional capabilities or safety margins
  Catastrophic: Normally with hull loss
Effect on Occupants:
  Negligible: Inconvenience for passengers
  Minor: Physical discomfort for passengers
  Major: Physical distress to pass
