AC 25.1309-1

AC 25.13091 is an FAA Advisory Circular (AC) (Subject: System Design and Analysis) that describes acceptable means for showing compliance with the airworthiness requirements of § 25.1309 of the Federal Aviation Regulations. The present unreleased but working draft of AC 25.13091 is the Aviation Rulemaking Advisory Committee recommended revision B-Arsenal Draft (2002); the present released version is A (1988). The FAA and EASA have accepted proposals by type certificate applicants to use the Arsenal Draft on recent development programs.[1][2]

AC 25.13091 establishes the principle that the more severe the hazard resulting from a system or equipment failure, the less likely that failure must be. Failures that are catastrophic must be extremely improbable.[3]

Airworthiness standards

The airworthiness requirements for transport category airplanes are contained in Title 14, Code of Federal Regulations (14 CFR) part 25 (commonly referred to as part 25 of the Federal Aviation Regulations (FAR)). Manufacturers of transport category airplanes must show that each airplane they produce of a given type design complies with the relevant standards of part 25.

AC 25.13091 describes acceptable means for showing compliance with those airworthiness requirements. It recognizes Aerospace Recommended Practices ARP4754 and ARP4761 (or their successors) as such means:[4]

Background

AC 25.13091 provides background for important concepts and issues within airplane system design and analysis.

Catastrophic failure condition rate

The circular provides a rationale for the upper limit for the Average Probability per Flight Hour for Catastrophic Failure Conditions of 1 x 10−9 or "Extremely Improbable".[5] Failure Conditions having less severe effects could be relatively more likely to occur; that is, an inverse relationship between severity and likelihood.

Fail-Safe Design Concept

This AC presents the FAA Fail-Safe Design Concept, which applies basic objectives pertaining to failures:

  1. Failures of any system should be assumed for any given flight regardless of probability and such failures "should not prevent continued safe flight and landing" or otherwise significantly reduce safety
  2. Subsequent failure during the same flight should also be assumed.

The AC lists design principles or techniques used to ensure a safe design. Usually, a combination of at least two safe design techniques are needed to provide a fail-safe design; i.e. to ensure that Major Failure Conditions are Remote, Hazardous Failure Conditions are Extremely Remote, and Catastrophic Failure Conditions are Extremely Improbable.

Safe Design Principles and Techniques
  • Designed Integrity and Quality
  • Redundancy or Backup Systems
  • Isolation and/or Segregation of Systems, Components, and Elements
  • Proven Reliability
  • Failure Warning or Indication
  • Flight crew Procedures
  • Checkability
  • Designed Failure Effect Limits
  • Designed Failure Path
  • Margins or Factors of Safety
  • Error-Tolerance
Highly integrated systems

With emergence of highly integrated systems that perform complex and interrelated functions, particularly through the use of electronic technology and software-based techniques [e.g., Integrated Modular Avionics (IMA) ], concerns arose that traditionally quantitative functional-level design and analysis techniques previously applied to simpler systems were no longer adequate. As such the AC includes expanded, methodical approaches, both qualitative and quantitative, that consider the integration of the "whole airplane and its systems".[6]

Definitions and Classifications

A main task of AC 25.13091 is to provide standard definitions of terms (including hazard and probability classifications) for consistent use throughout the framework set up for the accomplishment of functional airplane safety. Where regulations (FAR) and standards (ARP) may use such terms as failure condition, and extremely improbable, AC 25.13091 defines their specific meanings.[7] In this respect, AC 25.13091 is comparable to ISO 262621 Vocabulary, at least in regard to the relative dependent standards. Key definitions include:

Error, Failures, and Failure Conditions
The re-introduction of Error to the AC recognizes the role of human error (in development, manufacture, operation, or maintenance) as a source of system failures, especially in complex and integrated avionics. The term Failure Conditions provides for a focus on the effects of a failure separate from the causes.
Classification of failure conditions by severity of effect
Catastrophic, Hazardous, Major, Minor, or No Safety Effect
A Catastrophic Failure condition is one which would result in multiple fatalities usually with the loss of the airplane.
Definition of Probability Terms
Extremely Improbable, Extremely Remote, Remote, or Probable
An Extremely Improbable failure condition is one so unlikely that it is not anticipated to occur during the entire operational life of all airplanes of one type. Quantitatively, these probability terms are define as follows: Extremely Improbable (10−9 or less), Extremely Remote (10−7 or less), Remote (10−5 or less), Probable (more than 10−5).[8]

Safety Objectives

Classified failure conditions are assigned qualitative and quantitative safety objectives, giving guidance to development and operation.

Quantitative

The AC defines the acceptable safety level for equipment and systems as installed on the airplane and establishes an inverse relationship between Average Probability per Flight Hour and the severity of Failure Condition effects:

  1. Failure Conditions with No Safety Effect have no probability requirement.
  2. Minor Failure Conditions may be Probable.
  3. Major Failure Conditions must be no more frequent than Remote.
  4. Hazardous Failure Conditions must be no more frequent than Extremely Remote.
  5. Catastrophic Failure Conditions must be Extremely Improbable.

The safety objectives associated with Catastrophic Failure Conditions may be satisfied by demonstrating that:

  1. No single failure will result in a Catastrophic Failure Condition; and
  2. Each Catastrophic Failure Condition is extremely improbable.
Qualitative

The failure conditions Catastrophic through No Safety Effect are assigned Functional and Item Design Assurance Levels A, B, C, D, E, respectively.[9]

History

First released in 1982, AC 25.13091 has been revised to embody increasing experience in development of airplanes and to address the increasing integration and computerization of aircraft functions.

AC 25.13091 (original release)

Function criticality

AC 25.13091 recommended that top-down analysis should identify each system function and evaluate its criticality, i.e., either non-essential, essential, or critical. The terms Error, Failure, and Failure Condition were defined. Functions were classified Critical, Essential, and Non-Essential according to the severity of the failure conditions they could contribute to; but the conditions were not expressly classified. Failures of Critical, Essential, and Non-Essential functions were expected to be, respectively, Extremely Improbable (109 or less), Improbable (105 or less), or no worse than Probable (105).[10]

Qualitative methods

Previously, system safety analysis was quantitative; that is, it was dependent on evaluating the probability of system failures from physical faults of components. But with the increasing use of digital avionics (i.e., software) it was recognized that development error was a significant contributor to system failure. During system certification in the late 1970s, it became clear that the classical statistical methods of safety assessment for flight critical software based systems were not possible.[11] Existing quantitative methods could not predict system failure rates resultant from development errors. Qualitative methods were instead recommended for reducing specification, design, and implementation errors in the development of digital avionics.

The guidance of DO-178 (initial release) was recommended by AC 25.13091 for development of essential and critical functions implemented in software.[12]

AC 25.13091A

AC 25.13091A introduced the FAA Fail-Safe Design Concept to this Advisory Circular.[13] This revision also introduced recommended design principles or techniques in order to ensure a safe design.[14]

Classification of failure conditions by severity

The concept of function criticality was replaced with classification of failure conditions according to severity of effects (cf., Probabilistic risk assessment). Failure conditions having Catastrophic, Major, or Minor effects were to have restricted likelihoods, respectively, of Extremely Improbable (109 or less), Improbable (105 or less), or no worse than Probable (105).[15]

Software was still considered to be assessed and controlled by other means; that is, by RTCA/DO-178A or later revision, via Advisory Circular AC 20-115A.[16]

AC 25 13091B

In May 1996, the FAA Aviation Rulemaking Advisory Committee (ARAC) was tasked with a review of harmonized FAR/JAR 25.1309, AC 1309-1A, and related documents, and to consider revision to AC 1309-1A incorporating recent practice, increasing complex integration between aircraft functions and the systems that implement them,[17] and the implications of new technology. This task was published in the Federal Register at 61 FR 26246-26247 (1996-05-24). The focus was to be on safety assessment and fault-tolerant critical systems.

In 2002, the FAA provided a Notice of Proposed Rulemaking (NPRM) relevant to 14 CFR Part 25. Accompanying this notice is the Arsenal draft of AC 13091.[18] Existing definitions and rules in § 25.1309 and related standards have posed certain problems to the certification of transport category airplanes. Said problems are discussed at length within the NPRM. The FAA proposed revisions to several related standards in order to eliminate such problems and to clarify the intent of these standards. In some proposed changes, definitions or conventions developed in lower level regulations or standards were adopted or revised within the subsequent Advisory Circular.

Refinement of failure condition classifications

Experience in application of the prior circulars and ARPs witnessed the division of the Major failure condition into two conditions (for example, Hazardous-severe/Major and Major).[19] Additionally, this experience recognised the existence of failure conditions that have no effect on safety, which could be so classified and thereby assigned no safety objectives. Catastrophic Failure Condition was previously defined as "any failure condition which would prevent continued safe flight and landing"; but is now defined as "Failure conditions which would result in multiple fatalities, usually with the loss of the airplane.[20]"

Extension of qualitative controls to aircraft functions

The FAA Fail-Safe Design Concept and design principles or techniques for safe design are maintained. However, owing to the increasing development of Highly Integrated Systems in aircraft, qualitative controls previously considered necessary for safe software development are extended to the aircraft function level.[6] (Similar guidance (Functional Safety framework) has been provided for highly integrated automotive systems through the 2011, release of ISO 26262.[21])

See also

References

  1. Spitzer, Cary R., ed, Digital Avionics Handbook, 2nd ed., Avionics, Development and Implementation, CRC Press, Boca Raton, FL. 2007,p. 7-9.
  2. AC 25-19A, Certification Maintenance Requirements, 2011, p. 2
  3. "Software Certification". Aviation Today. October 31, 2005. Retrieved 2014-03-31.
  4. Spitzer, p. 7-9
  5. AC 25.13091B-Arsenal Draft, 2002, p. 5-6.
  6. 1 2 AC 25.13091BArsenal Draft, p. 7.
  7. AC 25.13091BArsenal Draft, p. 3.
  8. AC 25.13091BArsenal Draft, p. 9.
  9. ARP4754A, Guidelines for Development of Civil Aircraft and Systems, SAE Aerospace, December, 2010, p. 38
  10. AC 25.13091, 1982, p. 3-5.
  11. Johnson, Leslie A. (Schad). DO-178B, "Software Considerations in Airborne. Seattle, Washington: Flight Systems, Boeing Commercial Airplane Group.
  12. AC 25.13091, p. 9.
  13. AC 25.13091A, 1988, p. 2.
  14. AC 25.13091A, p. 3.
  15. AC 25.13091A, pp. 4,5,7, 13-15.
  16. AC 25.13091A, p. 7.
  17. ARP4754A, p. 7
  18. Revised General Function and Installation Requirements for Equipment, Systems, and Installations on Transport Category Airplanes, Notice of proposed rulemaking, Draft R6X Phase 1 – June 2002, also known as the Arsenal Draft of AC 25.1309-1B
  19. RTCA/DO-178B (subsequently DO-178C, Software Considerations in Airborne Systems and Equipment Certification, Radio Technical Commission for Aeronautics, December 1, 1992, p. 7
  20. AC 25.13091BArsenal Draft, p. 8.
  21. Beeby, Martin, DO-178C the future of Avionics Certification, atego HighRely, pp. 6–7
This article is issued from Wikipedia - version of the 1/31/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.