
System Safety Assessment

An Interactive Video Teletraining and Self-Study Course

Developed and Presented by

Brett Portwood
Technical Specialist for Safety and Integration

Federal Aviation Administration
August 12, 1998

Table of Contents

GETTING STARTED
    How Do I Use This Guide? ............................................ 1

I.  SYSTEMS ENGINEERING CURRICULUM
    What Does the Curriculum Cover? ..................................... 2
    Two-Week Job Function Course ........................................ 3
    Overviews of Technical Subjects ..................................... 4
    Core Technical Subjects Courses ..................................... 5

II. IVT COURSE ORIENTATION .............................................. 7
    About This IVT Course ............................................... 7
    What Is IVT? ........................................................ 7
    Who Is the Target Audience? ......................................... 9
    Who Is the Instructor? .............................................. 9
    What Will You Learn? ................................................ 9
    How Will This Course Help You On the Job? .......................... 10
    What Topics Does the Course Cover? ................................. 11
    What Are Some Good References? ..................................... 14

III. SELF-ASSESSMENT & EXERCISES
    Pre- & Post-Course Self-Assessment Questions ....................... 15
    Job-Related Exercises .............................................. 17

APPENDICES
    A. System Safety Assessment Presentation Visuals
    B. Questions for Reviewing System Safety Assessment
    C. Proposed Amended Rule Change to 25.1309 (to harmonize Subpart F of part 25 and Subpart F of JAR-25)
    D. Course Evaluation Forms

IVT/Self-Study Course Federal Aviation Administration

August, 1998

System Safety Assessment i

Getting Started

How Do I Use This Guide?

This document is to be used for both the initial IVT broadcast and the self-study course. The guide provides you with the position of this course in the Systems Curriculum, an orientation to the IVT course, support materials for use during the broadcast and self-study, self-assessment and practice exercises, and both an IVT and self-study course evaluation. Follow these steps to complete your study.

1. Read Section I, Systems Curriculum, to familiarize yourself with the overall scope and format of the curriculum.
2. Review Section II, IVT Course Orientation, before the broadcast, if possible, or before you watch the tape, to get an overview of the purpose of the course, the target audience, the instructor, what you will learn, how this course will help you on the job, the topics covered in the course, and some good references on the topic.
3. Answer the pre-course self-assessment questions in Section III, Self-Assessment and Exercises.
4. Turn to Appendix A, System Safety Assessment Presentation Visuals, and refer to it during the broadcast or while watching the videotape. Appendix A contains the visual support material used by the instructor during the broadcast. You can use these visuals to take notes and follow along with the broadcast presentation. Begin the videotape here if you are completing this as a self-study course.
5. Refer to Appendices B and C for questions to ask yourself while reviewing system safety assessments and for draft regulatory information.
6. Complete the post-course self-assessment and exercises in Section III, Self-Assessment and Exercises.
7. Complete the appropriate form (IVT or self-study) from Appendix D, Course Evaluation Forms. For the IVT course, you will use the keypad you have been using during the course to complete the evaluation.


I. Systems Engineering Curriculum

The Systems Engineering Curriculum fits into the broader AIR Training Program that is summarized in the following figure.

What Does the Curriculum Cover?

[Figure: An Overview of the AIR Training Program. Job function tracks shown: ASE Systems Job Function (two-week course, technical overviews, follow-on topics via IVT/video courses), ASE Airframe Job Function, ASE Propulsion Job Function, Flight Test Job Function, and FSO-Specific Technical Training (DACT, OAT). The timeline runs from the First Year with Aircraft Certification into Continuing Development.]

Within the context of the AIR Training Program, the Systems Engineering Curriculum is designed to effectively meet the critical safety mission of the FAA by addressing the following Service goals:

Standardization
• Promote standardization throughout the organization in task accomplishment and application of airworthiness regulations in order to achieve uniform compliance.


Job Performance Proficiency
• Reduce significantly the time required for newly-hired engineers to attain full job performance proficiency.

Customer Service
• Establish and maintain appropriate, effective, and responsive communication, collaboration, leadership, and teamwork with both internal and external customers.

In addition to the Service goals, the Systems Engineering Curriculum is designed to provide ASEs with job function training in three domains:
• Tasks and procedures governing the work of engineers in design approval, technical project management, certificate management, and designee management.
• FAR airworthiness requirements that are the purview of electrical and mechanical systems engineers. Generally they are Subpart F of FAR parts 23, 25, 27, and 29.
• Technical subjects essential for all new engineers to meet both introductory requirements and, later, minimum technical proficiency level requirements.

The resulting Systems Engineering Curriculum structure consists of three main types of training opportunities:
1. Two-Week Job Function Course
2. Overviews of Technical Subjects
3. Follow-on Core Technical Subjects Courses

Two-Week Job Function Course

The Two-Week Job Function Course uses an instructor-led, classroom-based format with lecture, discussion, and individual and group activities. Supporting materials used in the course include print, overhead transparencies, videotapes, job aids, and documents and sample reports.



The course is divided into the following two major sections:
• Section I, Certification Tasks - includes design approval, technical project management, certification management, and DER management.
• Section II, FAR Requirements and Key FAR Sections - includes training in the subparts of the FAR that apply to electrical and mechanical systems engineers (Subpart F) at two levels: an overview of those subparts across FARs 23, 25, 27, and 29; and in-depth discussion of significant sections of the FAR that are important to the Service. The importance of these sections may stem from problems in interpretation and application of requirements, technical complexity of a design, high visibility projects, or safety considerations that are paramount.

Overviews of Technical Subjects

High-level overviews of 13 technical subjects are presented by NRSs, Technical Specialists or other senior engineers. These overviews are available in two modes:
• An initial live four-hour IVT satellite broadcast with accompanying course material is received at each Directorate and other downlink sites.
• A Video/Self-Study Training Package adapted from the initial IVT presentation is available through the Directorate Training Manager.

Basic concepts and FAA-specific applications and examples are provided for each of the following 13 technical subjects:

For electrical engineers
• Advanced Communications
• Advanced Display Systems/Heads-Up Displays
• Advanced Navigation
• Low Visibility Systems

For mechanical engineers
• Crashworthiness and Interior Compliance
• Doors
• Icing

For both electrical and mechanical engineers
• Automatic Flight Control Systems
• Complex Hardware
• Lightning and HIRF Protection
• Human Factors
• Software
• System Safety Analysis

Each technical subject overview is designed to not only provide ASEs with the FAA perspective on the topic, but also serve as an indicator of what further training may be needed.

Core Technical Subjects Courses

As a follow-on to the Overviews of Technical Subjects, the curriculum will provide more in-depth training in the following two subject areas:
• System Safety Assessment
• Reliability & Probability

These core technical subjects are essential to the technical work of the systems engineer in a regulatory environment regardless of product or technology. Training in each of the core subjects will be designed to bring systems engineers to a minimum level of technical proficiency and to help promote proficiency in the application of the technical knowledge in an office work environment. Additional technical training for engineers beyond these core subjects will depend largely on ACO organizational needs stemming from customer requirements, products certified, emerging technology, and the number of staff requiring more specialized training. In short, the more advanced the technical training required, the more individualized it becomes. Such training topics could be as follows:
• HIRF
• Lightning
• Software Fundamentals
• Dynamic Seat Testing
• Icing Certification
• Accident Investigation
• Human Factors
• Flammability
• Interior Compliance & Crashworthiness


III. IVT Course Orientation


About This IVT Course

System Safety Assessment is one in a series of 13 Overviews of Technical Topics in the Systems Engineering Curriculum designed to prepare you to effectively meet the critical safety mission of the FAA. [For more information on the Curricula, refer back to Section I of this guide.] Through a four-hour Interactive Video Teletraining (IVT) format, Brett Portwood, a Technical Specialist for Safety and Integration, will provide you with the basic concepts of system safety assessment. He will look at the history of design safety that led to the fail-safe concept and ARP 4754 and 4761. Brett will review different types of safety assessment tools: when they are used, what their attributes are, and how they build to create a Preliminary and Final System Safety Assessment. Finally, he will also discuss how and when it is advisable to obtain assistance from a technical or policy specialist.

What Is IVT?

Interactive Video Teletraining, or IVT, is instruction delivered using some form of live, interactive television. For the overview courses, the instructor delivers the course from the television studio at the FAA Academy in Oklahoma City. Through the IVT broadcast facility instructors are able to use a variety of visuals, objects, and media formats to support the instruction. Participants are located at various receive sites around the country and can see the instructor and his/her materials on television sets in their classrooms. The participants can communicate with the instructor either through a microphone and/or the simple-to-use Viewer Response System keypads. During the live presentation, when a participant has a question or the instructor asks for specific participant responses to questions, the participant(s) can signal to the instructor using their keypad. The collective participant responses or the name of a specific participant signalling a question are immediately visible to the instructor on the console at the broadcast site. The instructor can then respond as needed. When the instructor calls on a specific participant to speak from a site, participants at each of the other sites can simultaneously hear the participant who is speaking.

This guide provides you with the framework for this course as well as the following appendices to be used for both the IVT and the self-study courses. Appendix A contains the actual visual support material used by the instructor during the broadcast. You can use these visuals to follow along with the videotape and record notes directly on the pages. Appendix B provides questions to ask yourself when reviewing system safety assessments. Appendix C is an NPRM for a rule change to 25.1309 that will harmonize Subpart F of part 25 and Subpart F of JAR-25. The topic is revised general function and installation requirements and equipment, systems and installation requirements for transport category airplanes. Appendix D provides the Course Evaluation Forms for the IVT broadcast and the self-study video course.



Who Is the Target Audience?

This course is designed for:
• New and experienced FAA systems engineers who review and approve system safety assessments.
• Designated Engineering Representatives (DERs) who review and approve system safety assessments.
• Safety engineers in industry who perform system safety assessments.

Who Is the Instructor?

Brett Portwood is the FAA Technical Specialist for Safety and Integration. Brett has 10 years experience with the FAA in certification of transport avionics systems, including fly-by-wire flight guidance systems, flight management systems, and electronic displays. He also was the FAA representative on the SAE S-18 System Safety Assessment committee that authored ARP 4761, Guidelines and Methods of Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. Prior to joining the FAA, Brett spent fifteen years in industry performing fault and failure analysis of avionics systems for a wide range of military aircraft in addition to participating in the Navy nuclear program performing fault/failure analyses on nuclear reactor monitoring systems. Mr. Portwood has a BS degree in Physics from San Diego State University.

What Will You Learn?

After completing this course, you will have a basic understanding of the concepts and principles of system safety assessment, including:
• Understanding the history behind the fail-safe concept.
• Identifying the issues leading to the development of ARP 4754.
• Stating the key topics of ARP 4754 and ARP 4761.
• Understanding the key concepts and objectives of a functional hazard assessment (FHA), fault tree analysis (FTA), failure modes and effects analysis (FMEA), and common cause analysis (CCA).
• Knowing the objectives and purpose of a preliminary system safety assessment (PSSA) and system safety assessment (SSA) and understanding what tools are applicable to each.

How Will This Course Help You On the Job?

At the end of this training session you will be able to:
• Identify the key guidance objectives of ARP 4754 and ARP 4761.
• Identify the safety analysis tools utilized in a safety assessment and their key objectives.
• Review an FTA and evaluate key architectural attributes of the proposed system with regards to quantitative and qualitative requirements.
• Understand the typical sources of common cause type faults.
• Describe the differences between a PSSA and SSA.



What Topics Does the Course Cover?

The following topic outline is intended to give you an overview of the course content. In addition to this outline, Appendix A contains the visual presentation material used by the instructor during the broadcast.

I.    Course overview
II.   Historical evolution
      A. 1900 - 1930: Integrity
      B. 1930 - 1945: Integrity with selective redundancy
      C. 1945 - 1955: Single failure concept
      D. 1955 - Present: Fail-safe design concept
         1. Continuous development and refinement as an outgrowth of accident experience
III.  Fatal accident rate
      A. Does a disciplined approach to safety work?
      B. Safety in perspective
IV.   Design for safety
V.    Tools
      A. System safety analyses
      B. Which one do I use?
      C. Confusion
      D. Assessing versus deriving
      E. History of aircraft systems reveals many disasters
      F. Redundancy violators
      G. Safety assessment guidance
         1. SAE ARP 926A (1979)
         2. SAE ARP 1834 (1986)
         3. Problems with ARP 926A and ARP 1834
VI.   The big picture
      A. ARP 4754: Certification Considerations for Highly Integrated or Complex Aircraft Systems
      B. ARP 4761: Guidelines and Methods of Performing the Safety Assessment Process on Civil Airborne Systems and Equipment
         1. Replaces ARP 926A and ARP 1834 for purposes of safety
VII.  New concepts
VIII. Safety assessment tools
      A. Functional hazard assessment
         1. Establishes top-level safety requirements
      B. Fault tree analysis
         1. Qualitative and quantitative aspects
         2. Deriving versus assessing
      C. Failure modes and effects analysis
         1. How does the FMEA support the SSA?
         2. Preparation
         3. Analysis
         4. Documentation
         5. Functional FMEA
         6. Piece-part FMEA
         7. What is an FMES?
      D. Common cause analysis
         1. What is a common cause?
         2. Zonal safety analysis
         3. Particular risks analysis
         4. Common mode analysis
      E. Tools: In review
X.    Preliminary system safety assessment
      A. Purpose
      B. Form
      C. Outputs
XI.   System safety assessment
      A. Documentation
      B. List of previously agreed-to event probabilities
      C. System description
      D. List of failure conditions and their classifications
      E. Quantitative and qualitative analyses for failure conditions
XII.  Review
      A. Design safety concept evolution leading to the fail-safe design concept
      B. Basic attributes of safety assessment tools: FHA, FTA, FMEA, and CCA
      C. PSSA: Identifies safety requirements
      D. SSA: Evaluates safety requirements



What Are Some Good References?

The instructor has compiled the following references for system safety analysis. These references will provide additional information for specific concerns or areas of interest that you have.

• SAE S-18 Committee, Aerospace Recommended Practice (ARP) 4761, Guidelines and Methods of Performing the Safety Assessment Process on Civil Airborne Systems and Equipment, SAE, December 1996
• SAE S-18 Committee, Aerospace Recommended Practice (ARP) 4754, Certification Considerations for Highly Integrated or Complex Aircraft Systems, SAE, November 1996
• Nuclear Regulatory Commission, NUREG-0492, Fault Tree Handbook
• DODSSP, MIL-HDBK-217, Reliability Prediction of Electronic Equipment
• DODSSP, MIL-HDBK-338, Electronic Reliability Design Handbook
• MIL-HDBK-978, NASA Parts Application Handbook
• Reliability Analysis Center, NPRD, Nonelectronic Parts Reliability Data
• Reliability Analysis Center, FMD-91, Failure Mode/Mechanism Distribution
• GIDEP, Government/Industry Data Exchange Program

Self-Assessment and Exercises

IV. Self-Assessment and Exercises


Pre- & Post-Course Self-Assessment Questions

The instructor will ask you at the beginning and end of the presentation to respond to the following five statements about system safety assessment. Rate your confidence level for each of the following statements before and after completing the course.

1. I understand the basic evolution of design safety leading up to the development of the fail-safe design concept.
   BEFORE THE COURSE:  [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident
   AFTER THE COURSE:   [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident

2. I can identify the basic safety assessment tools and their purpose in the overall safety assessment.
   BEFORE THE COURSE:  [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident
   AFTER THE COURSE:   [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident

3. I understand what common cause faults are and the analyses that address them.
   BEFORE THE COURSE:  [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident
   AFTER THE COURSE:   [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident

4. I know the objectives of a Preliminary System Safety Assessment.
   BEFORE THE COURSE:  [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident
   AFTER THE COURSE:   [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident

5. I know the objectives of a System Safety Assessment.
   BEFORE THE COURSE:  [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident
   AFTER THE COURSE:   [ ] Very Confident   [ ] Moderately Confident   [ ] Not Confident



Job-Related Exercises

After viewing the IVT broadcast with the support visuals in Appendix A, complete the following three questions to test your knowledge for conducting a system safety assessment. You can check your answers on the next page.

1. In order to get early concurrence with the FAA that the proposed system architecture can reasonably be expected to meet FAA safety requirements, an applicant on a major TC program should submit a
   a) zonal analysis.
   b) failure modes and effects analysis.
   c) plan for software aspects of certification.
   d) preliminary system safety assessment.

2. What type of analysis would you review to determine the top level safety requirements for a given system installation?
   a) Fault tree analysis.
   b) Common cause analysis.
   c) Functional hazard analysis.
   d) Both a and b.

3. An applicant submits an FMEA as part of a system safety assessment. As part of the review to ensure that the FTA is compatible with the FMEA, you should compare the failure effects of the FMEA with what from the FTA?
   a) Minimal cut sets.
   b) Top level failure conditions.
   c) Primary events.
   d) Both a and b.


Answers

Answer 1: D. The PSSA determines if a proposed architecture can reasonably be expected to meet the safety requirements.

Answer 2: C. The FHA is the starting point in any safety assessment. The classification of the failure conditions establishes the top level safety requirements.

Answer 3: C. To ensure completeness and the compatibility of an FMEA and FTA, the FMEA effects should be cross-checked with the primary events in the FTA.


Appendix A

System Safety Assessment Presentation Visuals


SYSTEM SAFETY ASSESSMENT

Brett Portwood
Technical Specialist for Safety and Integration
ANM-130L
(562) 627-5350
brett.portwood@faa.dot.gov

Course Overview
+ Historical Evolution
+ Safety in Perspective
+ Safety Assessment Tools
+ Preliminary System Safety Assessment
+ System Safety Assessment


Course Scope

This course is intended to bridge the SYSTEMS JOB FUNCTION course and the 2 week SYSTEM SAFETY ASSESSMENT course.

Historical Evolution

1900 - 1930 INTEGRITY - First Design Concept
+ Too good to fail! Hell for Stout!
+ Wright Flyer - 1903
+ Spirit of St. Louis - 1927
+ Ford Tri Motor - 1930
+ OK for limited flight operations but too many single failure accidents


Historical Evolution

1930 - 1945 INTEGRITY WITH SELECTIVE REDUNDANCY
+ Pre-WWII transports
+ DC-3, DC-4, etc.
+ Could not win public confidence, not safe enough
+ Problems with flight controls, propellers, engine fires

Historical Evolution

1945 - 1955 SINGLE FAILURE CONCEPT
+ Industry/government meeting
+ At least one failure assumed regardless of probability - A step forward in safety
+ Public confidence increased
+ Tremendous air travel growth
+ Failure combinations appeared
  + AAL Convair 240


Historical Evolution

1955 - Present FAIL-SAFE DESIGN CONCEPT
+ Any single failure plus any foreseeable combination of failures must be considered
+ Introduced in 1955 as new transport certification rules for turbine powered aircraft

Historical Evolution
+ Fail-safe concept continuously developed and refined with subsequent revisions to FAR part 25 and as an outgrowth of accident experience
+ 25.1309 amended to reflect fail-safe requirements in 1970


Fatal Accident Rate

[Figure: Fatal accident rate plotted by year, 1959 through 1997.]

Does a Disciplined Approach To Safety Work?

[Figure: Bar chart comparing Air Carrier, Motor Vehicle, Rail, and General Aviation.]


Safety in Perspective

In everyday life, it is not uncommon to hear 99% used to signify high quality or high-assurance. So, if things around you were 99.9% safe, would you be happy and satisfied?

Safety in Perspective

In the United States, 99.9% would mean:
+ One hour of unsafe drinking water per month
+ 20,000 children per year with whooping cough
+ 16,000 lost pieces of mail per hour
+ 500 incorrect surgical operations each week
+ 50 newborns dropped by doctors each week

Source: General Dynamics


Safety in Perspective

OK, 99.9% is frequently not nearly good enough.

How about 10 times better? How about if things around you were 99.99% good?

Safety in Perspective

In the United States, 99.99% would mean, on a yearly basis:
+ 2,000 incorrect drug prescriptions
+ 370,000 checks deducted from wrong account
+ 3,200 times your heart would fail to beat
+ 5 children sustaining permanent brain damage due to whooping cough vaccinations

Source: General Dynamics


Safety in Perspective
+ Even 99.99% is not good enough
+ So, what is good enough?
+ How many 9s do we need if you never want something bad to happen?
+ How about 99.99999999%?
+ Absurd??
+ Is this level of assurance possible?
+ Is it good enough?

DESIGN FOR SAFETY


System Safety Analyses

Haphazard development has led to Shotgun Analysis:
FMEA, CA, WCA, MCS, PHA, OHA, FMECA, MSG-3, DMEA, FA, FMCA, STA, O&SHA, PSA, FRACA, LSA, ZA, DTA, MM, GHA, SHA, HFA, SPFA, FIA

Which one do I use?

System Safety Analyses
+ Confusion
  + The fact that there was no clear way to develop complete and correct safety design criteria compounded the confusion
  + Sometimes the criteria are mandated, but their applicability may still be uncertain
  + Other times the criteria are initially unknown and must be developed from scratch


System Safety Analyses
+ Assessing versus deriving
  + Further compounding the confusion was a lack of clear distinction between analyses deriving safety design criteria and analyses assessing the design against the criteria

System Safety Analyses
+ History of aircraft systems reveals many disasters
  + Many of those disasters came about through losses or violations of what was thought to be sufficient redundancy
  + One purpose of a safety analysis is to identify for removal all potential redundancy violators


System Safety Analyses
+ Redundancy violators
  + Single point failures
  + Latent failures
  + Too high probability combinations of failures
  + Installation problems
+ So we need an approach that addresses these types of failures

Safety Assessment Guidance
+ SAE ARP 926A (1979)
  + Piece-Part Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA)
+ SAE ARP 1834 (1986)
  + Fault and Failure Analysis for Digital Systems


Safety Assessment Guidance
+ Problems with ARP 926A and ARP 1834
  + Guidance not complete for safety purposes
  + Addressed reliability/maintainability
  + Outdated
  + Did not fit with DO-178B
  + Did not address aircraft level analysis
  + Did not adequately cover common mode analysis
  + No preliminary system safety assessment

[Figure ("The big picture" in the course outline): Design Assurance, Safety Assessment, and Integrated Complex Systems shown as related parts of one process.]


ARP 4754
Certification Considerations for Highly Integrated or Complex Aircraft Systems
+ Describes the aircraft systems engineering process
  + Requirements capture
  + Allocation of requirements
  + Architectural considerations
  + Software level determination
  + Integration

ARP 4754 (continued)
+ Safety assessment process (high level)
  + Functional hazard assessment
  + Preliminary system safety assessment
  + System safety assessment
+ Requirements validation
+ System verification


ARP 4761
Guidelines and Methods of Performing the Safety Assessment Process on Civil Airborne Systems and Equipment
+ Describes in detail the process
  + Functional hazard assessment
  + Preliminary system safety assessment
  + System safety assessment
+ Replaces ARP 926A and ARP 1834 for purposes of safety

ARP 4761 (continued)
+ New concepts
  + More formal description of common cause analysis
    + Zonal safety analysis
    + Particular risks analysis
    + Common mode analysis


ARP 4761 (continued)
+ New concepts (continued)
  + Aircraft level functional hazard assessment
  + Preliminary system safety assessment
    + Provides a more systematic means of evaluating safety early in the design process and to reduce surprises at the end of the development program.

ARP 4761 (continued)
+ New concepts (continued)
  + Fault tree analysis
    + Probability calculations of the failure condition based on a per flight basis
    + Probability per flight hour determined by dividing result by average flight time for the particular model aircraft
    + Exposure time for latent failures is resolved and other cases of monitored failures with imperfect monitors are explained
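The per-flight calculation the slide describes, worked through in code. This is an added example, not material from the FAA course or from ARP 4761: a small AND/OR fault-tree evaluator in which every basic event carries a failure rate and an exposure time, so that the probability of the top event is first obtained per flight and then divided by the average flight time to give the per-flight-hour figure. Latent failures take the interval between checks as their exposure; a failure watched by an imperfect monitor is split into a detected part (exposed for one flight) and an undetected part (exposed until the next check), which is one common way of handling the "imperfect monitor" case the slide mentions. The failure rates, flight time, check interval and the tree itself are constructed; the per-flight-hour budgets are assumed from AC 25.1309-1A and are not on this page.

```python
"""Fault-tree probability per flight and per flight hour (added example)."""
import math
from dataclasses import dataclass
from typing import List, Union

AVG_FLIGHT_HOURS = 2.0       # constructed average flight time for this aircraft model
CHECK_INTERVAL_HOURS = 500.0 # constructed interval at which latent failures are found

# Probability-per-flight-hour objectives, assumed from AC 25.1309-1A (not on the page).
BUDGET = {"Catastrophic": 1e-9, "Hazardous": 1e-7, "Major": 1e-5}


@dataclass
class BasicEvent:
    name: str
    rate: float      # failures per hour
    exposure: float  # hours during which the failure could occur and still be present

    def probability(self) -> float:
        """Probability the failure is present during the flight (exponential model)."""
        return 1.0 - math.exp(-self.rate * self.exposure)


@dataclass
class Gate:
    name: str
    kind: str  # "AND" or "OR"
    inputs: List[Union["Gate", BasicEvent]]

    def probability(self) -> float:
        """Output probability, treating inputs as independent events."""
        ps = [i.probability() for i in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)
        raise ValueError(f"unknown gate kind {self.kind!r}")


def monitored_event(name: str, rate: float, coverage: float,
                    flight_hours: float = AVG_FLIGHT_HOURS,
                    check_hours: float = CHECK_INTERVAL_HOURS) -> Gate:
    """Failure watched by an imperfect monitor (assumed modelling approach): the
    fraction `coverage` is detected and exposed for one flight only; the remainder
    stays latent until the next check."""
    return Gate(name, "OR", [
        BasicEvent(f"{name} (detected)", rate * coverage, flight_hours),
        BasicEvent(f"{name} (undetected)", rate * (1.0 - coverage), check_hours),
    ])


def per_flight_hour(p_per_flight: float, flight_hours: float = AVG_FLIGHT_HOURS) -> float:
    """Per-flight probability divided by the average flight time, as on the slide."""
    return p_per_flight / flight_hours


def rare_event_approx(*events: BasicEvent) -> float:
    """Hand-calculation shortcut: product of rate x exposure for an AND of events.
    Slightly larger than the exponential result, so it errs on the safe side."""
    return math.prod(e.rate * e.exposure for e in events)


def meets(p_fh: float, classification: str) -> bool:
    return p_fh <= BUDGET[classification]


# Constructed tree: loss of a dual-channel function requires the active channel to
# fail during the flight AND the standby channel to have failed latently since the
# last check (the latent exposure is the check interval, not the flight time).
ACTIVE = BasicEvent("channel A fails in flight", 1e-5, AVG_FLIGHT_HOURS)
STANDBY_LATENT = BasicEvent("channel B failed latently", 1e-5, CHECK_INTERVAL_HOURS)
TOP = Gate("loss of function", "AND", [ACTIVE, STANDBY_LATENT])

# Same function, but channel B now has a monitor with 90% coverage (constructed).
TOP_MONITORED = Gate("loss of function (B monitored)", "AND",
                     [ACTIVE, monitored_event("channel B", 1e-5, 0.9)])


def evaluate(tree: Gate = TOP, flight_hours: float = AVG_FLIGHT_HOURS):
    """Return (probability per flight, probability per flight hour) for the tree."""
    p_flight = tree.probability()
    return p_flight, per_flight_hour(p_flight, flight_hours)


if __name__ == "__main__":
    for tree in (TOP, TOP_MONITORED):
        p_flight, p_fh = evaluate(tree)
        print(f"{tree.name}: {p_flight:.3e} per flight, {p_fh:.3e} per flight hour")
        for cls in BUDGET:
            print(f"  {cls:13s} objective {BUDGET[cls]:.0e}: "
                  f"{'met' if meets(p_fh, cls) else 'NOT met'}")
    print(f"rare-event approximation for TOP: {rare_event_approx(ACTIVE, STANDBY_LATENT):.3e}")
```

With the constructed numbers the unmonitored tree comes out near 1e-7 per flight and 5e-8 per flight hour, which would satisfy a Hazardous objective but not a Catastrophic one; adding the monitor cuts the latent exposure of most of channel B's failures to a single flight and lowers the result by roughly an order of magnitude, which is the effect the slide's "exposure time for latent failures" point is about.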


ARP 4761 CAUTION
+ ARP 4761 represents a consensus
+ Techniques have not been used in their entirety by any one manufacturer
+ Gradual implementation over time
+ Existing methods acceptable if:
  + Intent of the safety analysis is met
  + May need additional analysis

Safety Assessment Tools
+ Functional hazard assessment
+ Fault tree analysis (Dependence diagram/Markov analysis)
+ Failure modes and effects analysis
+ Common cause analysis


FUNCTIONAL HAZARD ASSESSMENT
SSA IVT 33

Process
+ Start with list of system/aircraft functions
+ Postulate hazards based on the failures in these functions
+ Derive overall effect of hazard on system/aircraft and people - failure condition
+ Assess severity of failure condition - assign classification
SSA IVT 34


+ Relationships
  + Independent of the hardware
  + Provide criteria against which other analyses will assess
  + Provide the FTA top events in the form of events of concern (failure conditions)
SSA IVT 35

+ Minimum standards must
  + Consider all functions
  + Consider all functional failure modes
  + Consider all operational phases
  + Derive the failure condition and classify its severity
  + Be systematic and thorough
SSA IVT 36


+ When to do or revise it
  + Early in the design process
  + Revise when functions are added, deleted, altered, or used in different applications
  + As a final check, it is prudent to review the FHA again at the end of the program.
SSA IVT 37

+ Summary
  + An FHA
    + Provides the top level design criteria
    + Determines the depth of further analyses
    + Allows for derivation of the system architecture
    + Is independent of hardware
SSA IVT 38


AUTOMOTIVE BRAKING SYSTEM
LIST OF FUNCTIONS
1. PUT ON THE BRAKES TO STOP
   A. LINEARLY PROPORTIONAL TO INPUT FORCE AND TRAVEL, WITH NEGLIGIBLE TIME DELAY
   B. WITHSTAND MAXIMUM PEDAL FORCE WITHOUT BREAKING
   C. CAPABLE OF ABSORBING MAXIMUM BRAKE ENERGY
   D. NOT TOO MUCH TRAVEL ON PEDAL
   E. CAPABLE OF MAXIMUM BRAKING UNDER MAXIMUM TRACTION CONDITION
   F. LEFT/RIGHT BRAKING FORCES BALANCED
   G. FRONT/REAR BRAKING FORCES BALANCED
   H. WORK UNDER ALL ANGULAR VELOCITIES
2. CAPABLE OF ALL THE ABOVE IN ALL ENVIRONMENTAL CONDITIONS
3. SELF-TIGHTENING
IS THIS ALL?

AUTOMOTIVE BRAKING SYSTEM
LIST OF FUNCTIONS
1. PUT ON THE BRAKES TO STOP
   A. LINEARLY PROPORTIONAL TO INPUT FORCE AND TRAVEL, WITH NEGLIGIBLE TIME DELAY
   B. WITHSTAND MAXIMUM PEDAL FORCE WITHOUT BREAKING
   C. CAPABLE OF ABSORBING MAXIMUM BRAKE ENERGY
   D. NOT TOO MUCH TRAVEL ON PEDAL
   E. CAPABLE OF MAXIMUM BRAKING UNDER MAXIMUM TRACTION CONDITION
   F. LEFT/RIGHT BRAKING FORCES BALANCED
   G. FRONT/REAR BRAKING FORCES BALANCED
   H. WORK UNDER ALL ANGULAR VELOCITIES
2. RELEASE BRAKES WHEN PEDAL FORCE IS RELEASED
3. CAPABLE OF ALL THE ABOVE IN ALL ENVIRONMENTAL CONDITIONS
4. SELF-TIGHTENING
HOPEFULLY NOW WE HAVE ALL THE FUNCTIONS LISTED. BRAINSTORMING AND OTHER TECHNIQUES ARE HELPFUL HERE IN TRYING TO NOT OVERLOOK FUNCTIONS.

SYSTEM FUNCTIONAL HAZARD ANALYSIS (FHA) - AUTOMOBILE BRAKES
PREPARED BY: HANN   REVIEWED BY: LARSON
WORKSHEET COLUMNS: 1 FUNCTIONS (SYSTEM LEVEL); 2 HAZARD DESCRIPTION (A. FUNCTION LOSS, B. MALFUNCTION & UNWANTED ACTIVATION, C. MALFUNCTION OF OTHER SYSTEM, D. MISUSE/EXTERNAL EVENTS); 3 OPERATING PHASE; 4 FAILURE CONDITION (EFFECT OF HAZARD ON VEHICLE); 5 EFFECT OF HAZARD ON OTHER SYSTEMS; 6 HAZARD CLASS; 7 COMPLIANCE APPROACH OR DISPOSITION (SEE INSTRUCTIONS); REMARKS
OPERATING PHASES (COL 3): OPERATION - 01 VEHICLE ACCELERATING, 02 VEHICLE DECELERATING, 03 VEHICLE MOVING - CONSTANT RATE, 04 VEHICLE STATIONARY, 05 VEHICLE MOVING W/ENGINE OFF, 06 OTHER (DESCRIBE); MAINTENANCE - M1 POWERED, M2 POWER OFF, M3 DIAGNOSTICS, M4 OTHER (DESCRIBE)
HAZARD CLASSIFICATIONS (COL 6): CLASS IV MINOR, CLASS III MAJOR, CLASS II HAZARDOUS, CLASS I CATASTROPHIC

SHEET 1 OF 5
FUNCTION 1: BRAKE-SHOE TIGHTNESS SELF-ADJUST (KEEPS EXCESS SLACK OUT OF THE BRAKES AS THE LINING WEARS)
HAZARD A (FUNCTION LOSS): SELF-ADJUST FAILS TO OPERATE (ONE WHEEL)
  OPERATING PHASE: 02
  FAILURE CONDITION: 1. GRADUAL INCREASE IN PEDAL TRAVEL OVER TIME 2. WEAR WITHOUT ADJUSTMENT ON AFFECTED WHEEL EVENTUALLY LEADS TO INEFFECTIVE BRAKING ON AFFECTED WHEEL 3. VEHICLE INCREASED STOPPING DISTANCE 4. ASYMMETRIC BRAKING MAY LEAD TO LOSS OF CONTROL OF THE VEHICLE IN A PANIC STOP; DRIVER CORRECTIVE ACTION REQUIRED
  EFFECT ON OTHER SYSTEMS: NONE
  COMPLIANCE APPROACH: DESIGN IT SO THIS CANNOT HAPPEN, OR DEMONSTRATE THAT WORST CASE IS CONTROLLABLE

SHEET 2 OF 5
FUNCTION 1: SELF-ADJUST (CONTINUED)
HAZARD B (MALFUNCTION & UNWANTED ACTIVATION): SELF-ADJUST ADJUSTS BRAKES TOO TIGHT ON ONE WHEEL
  OPERATING PHASE: 03
  FAILURE CONDITION: DRAGGING BRAKE; POSSIBLE BRAKE DAMAGE; POSSIBLE FIRE; POSSIBLE LOCKED WHEEL ON FREEWAY; INOPERATIVE VEHICLE
  EFFECT ON OTHER SYSTEMS: NONE
  HAZARD CLASS: I IF FIRE NOT VISIBLE; I IF IT IS AN EMERGENCY VEHICLE
  COMPLIANCE APPROACH: DESIGN SO THIS CANNOT HAPPEN

SHEET 3 OF 5
FUNCTION 1: SELF-ADJUST (CONTINUED)
HAZARD C (MALFUNCTION OF OTHER SYSTEM): NONE
HAZARD D (MISUSE/EXTERNAL EVENTS): FAN DISINTEGRATES, ROAD DEBRIS, BATTERY LEAKAGE
  OPERATING PHASE: 02
  FAILURE CONDITION: SAME AS A OR B
  EFFECT ON OTHER SYSTEMS: NONE
  HAZARD CLASS AND COMPLIANCE APPROACH: SAME AS A OR B

SHEET 4 OF 5
FUNCTION 2: PROPORTIONAL BRAKING
HAZARD A (FUNCTION LOSS): LOSS OF PROPORTIONAL BRAKING FORCE CAUSING ALL 4 WHEELS TO TURN FREELY
  OPERATING PHASE: 01
  FAILURE CONDITION: VEHICLE HAS NO BRAKES TO STOP; COLLISION IS LIKELY, RESULTING IN INJURY OR DEATH
  EFFECT ON OTHER SYSTEMS: N/A
  HAZARD CLASS: I
HAZARD B (MALFUNCTION & UNWANTED ACTIVATION): NOT PROPORTIONAL, RESULTING IN MORE RAPID THAN NORMAL BRAKE APPLICATION
  OPERATING PHASE: 02
  FAILURE CONDITION: IN PANIC BRAKING, VEHICLE MAY SKID DUE TO HIGHER THAN EXPECTED BRAKING FORCES; RESULTING SKID MAY CAUSE LOSS OF CONTROL AND POSSIBLE COLLISION AND INJURY
  EFFECT ON OTHER SYSTEMS: N/A
  HAZARD CLASS: II
  COMPLIANCE APPROACH: PROBABILITY (P) OF OCCURRENCE NOT TO EXCEED 1 x 10^-[exponent illegible] FOR A 1-HOUR EXPOSURE. TEST VEHICLE RESPONSE TO SKID INPUTS FOR CONTROLLABILITY. RE-EVALUATE HAZARD CATEGORY BASED ON TEST RESULTS
  REMARKS: SEVERITY DEPENDENT UPON OPERATOR'S ABILITY TO MODULATE BRAKING AND REGAIN CONTROL OF CAR

SHEET 5 OF 5
FUNCTION 2: PROPORTIONAL BRAKING (CONTINUED)
HAZARD C (MALFUNCTION OF OTHER SYSTEM): NONE
HAZARD D (MISUSE/EXTERNAL EVENTS): FOREIGN OBJECT IMPACT DAMAGE RENDERS BRAKES INOPERATIVE
  OPERATING PHASES: 01, 02, 03
  FAILURE CONDITION: VEHICLE HAS NO BRAKES TO STOP; COLLISION IS LIKELY, RESULTING IN INJURY OR DEATH
  EFFECT ON OTHER SYSTEMS: N/A
  HAZARD CLASS: I
  COMPLIANCE APPROACH: P OF FAILURE NOT TO EXCEED 1 x 10^-9

FINISH THE FHA
- SYSTEMATICALLY FOLLOW DOWN THE LIST OF FUNCTIONS UNTIL COMPLETE
- HAVE INDEPENDENT REVIEWER RUN THROUGH ANALYSIS
- REVIEW FOR ANY MISSING FUNCTIONS
- DO NOT SLIGHT UNWANTED ACTIVATION
- PAY PARTICULAR ATTENTION TO MISUSE/EXTERNAL EVENTS. HAVE ALL POTENTIAL MISUSES BEEN CONSIDERED?
- SUMMARIZE RESULTS UP FRONT; LIST ALL ASSUMPTIONS MADE, SCOPE OF WORK PERFORMED
- CLEARLY LIST ALL EVENTS OF CONCERN AND PROBABILISTIC CRITERIA THAT ARE TO BE MET. SHOW ANY/ALL TESTING NEEDED TO BE DONE
- FINALLY, PLAN ON SEVERAL RE-REVIEWS OF THE FHA AS DEVELOPMENT PROGRAM CONTINUES
- THE NEXT REVIEW MAY BE WHEN FINISHING THE FMEA. ASK: DID EVERY PART I ANALYZED FIT INTO A FUNCTION THAT I HAD LISTED IN THE FHA? AND DID I FIND ANY EVENTS OF CONCERN AS A RESULT OF COMPONENT FAILURES THAT WERE NOT IDENTIFIED BY THE FAILURE OF THAT SAME FUNCTION IN THE FHA?
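The minimum standards slide (all functions, all functional failure modes, all phases, a classified failure condition) and the "finish the FHA" checklist above describe a review that can be done mechanically against the worksheet. The following is an added example, not part of the FAA course material: it transcribes the brake FHA rows shown above into records and audits them. Fields the sheets leave blank or illegible are left empty on purpose, so the audit reports them; the per-class probability objectives are an assumption taken from the ARP 4761 / AC 25.1309 convention, not values printed on the sheets, which state only 1 x 10^-9 for Class I.

```python
"""Completeness audit of a functional hazard assessment (FHA) worksheet.

Added example, not part of the FAA course material. Rows are transcribed
from the automobile brake FHA sheets; blank fields are deliberate where
the sheets show none. OBJECTIVE values are an assumption (ARP 4761 /
AC 25.1309 convention), not figures taken from the worksheets.
"""
from dataclasses import dataclass

HAZARD_TYPES = {
    "A": "FUNCTION LOSS",
    "B": "MALFUNCTION & UNWANTED ACTIVATION",
    "C": "MALFUNCTION OF OTHER SYSTEM",
    "D": "MISUSE/EXTERNAL EVENTS",
}
# Assumed probability objectives per hour by hazard class.
OBJECTIVE = {"I": 1e-9, "II": 1e-7, "III": 1e-5, "IV": 1e-3}


@dataclass
class Row:
    function: str
    hazard_type: str            # one of HAZARD_TYPES
    description: str            # "NONE" when that hazard type does not apply
    phases: tuple = ()          # operating phase codes from the legend
    failure_condition: str = ""
    hazard_class: str = ""      # I..IV
    disposition: str = ""       # compliance approach


# Function list from the handout (the second, corrected list).
FUNCTIONS = (
    "PUT ON THE BRAKES TO STOP",
    "RELEASE BRAKES WHEN PEDAL FORCE IS RELEASED",
    "CAPABLE OF ALL THE ABOVE IN ALL ENVIRONMENTAL CONDITIONS",
    "SELF-TIGHTENING",
)

ROWS = [
    Row("SELF-TIGHTENING", "A", "SELF-ADJUST FAILS TO OPERATE (ONE WHEEL)", ("02",),
        "INCREASED STOPPING DISTANCE; ASYMMETRIC BRAKING MAY LEAD TO LOSS OF CONTROL",
        "", "DESIGN IT SO THIS CANNOT HAPPEN, OR DEMONSTRATE WORST CASE IS CONTROLLABLE"),
    Row("SELF-TIGHTENING", "B", "SELF-ADJUST ADJUSTS BRAKES TOO TIGHT ON ONE WHEEL", ("03",),
        "DRAGGING BRAKE; POSSIBLE FIRE; INOPERATIVE VEHICLE", "I", "DESIGN SO THIS CANNOT HAPPEN"),
    Row("SELF-TIGHTENING", "C", "NONE"),
    Row("SELF-TIGHTENING", "D", "FAN DISINTEGRATES, ROAD DEBRIS, BATTERY LEAKAGE", ("02",),
        "SAME AS A OR B", "", "SAME AS A OR B"),
    Row("PUT ON THE BRAKES TO STOP", "A", "LOSS OF PROPORTIONAL BRAKING FORCE, ALL 4 WHEELS TURN FREELY",
        ("01",), "VEHICLE HAS NO BRAKES TO STOP; COLLISION LIKELY", "I", ""),
    Row("PUT ON THE BRAKES TO STOP", "B", "NOT PROPORTIONAL; MORE RAPID THAN NORMAL BRAKE APPLICATION",
        ("02",), "IN PANIC BRAKING, VEHICLE MAY SKID", "II",
        "PROBABILITY NOT TO EXCEED LIMIT FOR 1-HOUR EXPOSURE; TEST SKID RESPONSE"),
    Row("PUT ON THE BRAKES TO STOP", "C", "NONE"),
    Row("PUT ON THE BRAKES TO STOP", "D", "FOREIGN OBJECT IMPACT DAMAGE RENDERS BRAKES INOPERATIVE",
        ("01", "02", "03"), "VEHICLE HAS NO BRAKES TO STOP; COLLISION LIKELY", "I",
        "P OF FAILURE NOT TO EXCEED 1E-9"),
]


def audit(functions, rows):
    """Return a list of findings; an empty list means the worksheet meets
    the minimum standards from the slide: every listed function analysed,
    every hazard type A-D addressed, and a phase, failure condition,
    class and disposition for every hazard that is not ruled out."""
    findings = []
    analysed = [f for f in functions if any(r.function == f for r in rows)]
    for f in functions:
        if f not in analysed:
            findings.append(f"FUNCTION NOT ANALYSED: {f}")
    for f in analysed:
        present = {r.hazard_type for r in rows if r.function == f}
        for code, name in HAZARD_TYPES.items():
            if code not in present:
                findings.append(f"{f}: NO ENTRY FOR HAZARD TYPE {code} ({name})")
    for r in rows:
        if r.description.upper() == "NONE":
            continue                       # hazard type ruled out; nothing to classify
        tag = f"{r.function} / {r.hazard_type}"
        if not r.phases:
            findings.append(f"{tag}: NO OPERATING PHASE")
        if not r.failure_condition:
            findings.append(f"{tag}: NO FAILURE CONDITION")
        if r.hazard_class not in OBJECTIVE:
            findings.append(f"{tag}: NO HAZARD CLASS")
        if not r.disposition:
            findings.append(f"{tag}: NO COMPLIANCE APPROACH")
    return findings


def events_of_concern(rows):
    """Classified failure conditions with their objective, for the up-front
    summary the handout asks for: sorted (function, class, objective)."""
    return sorted(
        {(r.function, r.hazard_class, OBJECTIVE[r.hazard_class])
         for r in rows if r.hazard_class in OBJECTIVE}
    )


if __name__ == "__main__":
    for line in audit(FUNCTIONS, ROWS):
        print("FINDING:", line)
    for f, cls, obj in events_of_concern(ROWS):
        print(f"EVENT OF CONCERN: {f} (CLASS {cls}, P <= {obj:.0e} PER HOUR)")
```

Run against the transcribed sheets, the audit reports that two listed functions (release brakes; all environmental conditions) have no worksheet rows, that two self-adjust hazards carry no class, and that the Class I loss-of-braking hazard on sheet 4 has no compliance approach recorded.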

Fault Tree Analysis
+ Top down deductive analysis method
+ Focuses on one undesired event
+ Provides graphical format for determining event causes
+ Hierarchical
+ Ensures that design safety aspects are identified and controlled
SSA IVT 40


Fault Tree Analysis
+ Attributes
  + Facilitates technical/regulatory reviews
  + Assesses design modification
  + Allocates budgets to lower level events
  + Quantifies top event probabilities
SSA IVT 41

Fault Tree Analysis
+ Attributes (continued)
  + Assesses single and multiple faults
  + Identifies common cause boundaries
  + Assesses contribution of design errors
  + Assesses exposure intervals and latency
SSA IVT 42


Fault Tree Analysis
+ Two main logic symbols
  + AND gate: top event can occur only when ALL the next lower conditions are true
  + OR gate: top event can occur if any one or more of the next lower conditions are true
SSA IVT 43

Fault Tree Analysis
+ Other symbols (symbol shapes are drawn on the slide)
  + Basic event
  + Top or intermediate event
  + Conditional event
  + AND gate
SSA IVT 44


Fault Tree Analysis
+ Example tree: TOP EVENT = (A or B) and (C and D) = (A + B) x (C x D)
SSA IVT 45

Fault Tree Analysis
+ Sources of top level events

  FTA Indenture Level    Origin of Top Event
  Aircraft               Aircraft FHA
  System                 System FHA
  Item                   System FTA
  Sub-Item               Item FTA
SSA IVT 46


Fault Tree Analysis
+ Six basic steps
  + Define the goal for the fault tree
  + Define the analysis boundaries
  + Define the undesired event
  + Gather and analyze current system data
  + Construct the fault tree
  + Analyze and summarize the FTA results
SSA IVT 47

Fault Tree Analysis
+ To analyze FTA
  + Determine FTA minimal cut sets
  + Determine failure rates of basic events
  + Determine coverage factors and exposure/at-risk times
  + Establish required order factors
  + Perform the FTA numerical calculations
SSA IVT 48


Fault Tree Analysis
+ Minimal cut set determination
  + The smallest set of primary events that must all occur in order for the undesired top level event to occur
  + Be aware of a potential lack of independence between two or more primary events
  + Use Boolean reduction following Boolean logic rules
SSA IVT 49
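The example tree on slide 45, TOP = (A + B) x (C x D), and the Boolean reduction described on this slide can be carried through in a few lines. The following is an added example, not code from the FAA course or from ARP 4761. The tree encoding (a basic event is a string; a gate is a tuple beginning with "AND" or "OR") and the 1 x 10^-3 per-flight basic-event probability are assumptions made for the illustration. A second, constructed tree shares basic event A between two branches to show why the slide warns about lack of independence: multiplying gate by gate gives a top-event figure two orders of magnitude too low, exactly the kind of logic error the FTA handout later says can put the result "many orders of magnitude off".

```python
"""Minimal cut sets by Boolean reduction, and the top-event probability.

Added example, not part of the FAA course material. Tree encoding is an
assumption for this illustration: basic event = string, gate =
("AND", child, ...) or ("OR", child, ...). Both trees and the 1e-3
basic-event probability are constructed inputs.
"""
from itertools import combinations, product
from math import prod


def cut_sets(node):
    """All cut sets of a node as a set of frozensets of basic events.

    OR gate: the union of the children's cut sets.
    AND gate: one cut set from each child, merged; a basic event that
    occurs twice is kept once (idempotence, A*A = A).
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Absorption (A + A*B = A): drop any cut set that strictly contains
    another cut set. What remains is the list slide 49 asks for."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def top_probability(mcs, p):
    """Top-event probability from minimal cut sets with independent basic
    events. Returns (exact value by inclusion-exclusion over the cut sets,
    rare-event bound = plain sum of the cut-set probabilities)."""
    mcs = list(mcs)
    exact = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            exact += (-1) ** (k + 1) * prod(p[e] for e in events)
    bound = sum(prod(p[e] for e in s) for s in mcs)
    return exact, bound


def gate_by_gate_probability(node, p):
    """The shortcut the handout warns about: multiply at every AND gate and
    combine at every OR gate as if each gate's inputs were independent.
    Correct only when no basic event feeds more than one branch."""
    if isinstance(node, str):
        return p[node]
    gate, *children = node
    qs = [gate_by_gate_probability(c, p) for c in children]
    if gate == "AND":
        return prod(qs)
    if gate == "OR":
        return 1.0 - prod(1.0 - q for q in qs)
    raise ValueError(f"unknown gate {gate!r}")


# Slide 45: TOP = (A or B) and (C and D)
TREE_SLIDE = ("AND", ("OR", "A", "B"), ("AND", "C", "D"))
# Constructed tree with basic event A shared between both branches
TREE_SHARED = ("AND", ("OR", "A", "B"), ("OR", "A", "C"))
P = {e: 1e-3 for e in "ABCD"}     # constructed per-flight probabilities

if __name__ == "__main__":
    for name, tree in (("slide 45", TREE_SLIDE), ("shared event", TREE_SHARED)):
        mcs = minimal_cut_sets(tree)
        exact, bound = top_probability(mcs, P)
        print(name, sorted(sorted(s) for s in mcs))
        print(f"  exact {exact:.4e}  bound {bound:.4e}  "
              f"gate-by-gate {gate_by_gate_probability(tree, P):.4e}")
```

For the slide's tree the minimal cut sets are {A, C, D} and {B, C, D}, and all three figures agree at about 2 x 10^-9. For the shared-event tree the minimal cut sets reduce to {A} and {B, C}: the top event is dominated by the single failure A at about 1 x 10^-3, while the gate-by-gate shortcut reports about 4 x 10^-6.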

Fault Tree Analysis
+ Determining basic event failure rates
  + Failure rate data from field use of similar equipment, if possible
  + MIL-HDBK-217, MIL-HDBK-338, etc.
  + Complex digital devices require engineering judgment
  + Failure rates may be obtained from the applicable FMEA/FMES
SSA IVT 50


Fault Tree Analysis
+ Examples of determining coverage factors and exposure/at-risk times
  + Basic event of an item used throughout the entire flight
  + Basic event of an item used only in particular phases of flight
  + Latent failure of an item
  + Protective devices (e.g., fault monitors)
  + Imperfect monitors
SSA IVT 51

Fault Tree Analysis
+ Qualitative vs. quantitative FTA

  Qualitative            Quantitative
  Minimal cut set        Numeric probability
  Qual. importance       Quant. importance
  Common cause           Sensitivity eval.
SSA IVT 52


Fault Tree Analysis
+ Inclusion of hardware and software errors in fault trees
  + Included in a purely qualitative manner
  + Assesses the design assurance level needed to ensure that common-mode errors cannot degrade the safety level achieved by protecting against random hardware faults
SSA IVT 53

FAILURE MODES AND EFFECTS ANALYSIS
SSA IVT 54


FTA
WHAT DOES IT START WITH? WHERE DOES THE INFORMATION COME FROM?
- TOP EVENT COMES FROM LIST OF EVENTS OF CONCERN FROM FHA
- LOGIC OF TREE COMES FROM ARCHITECTURE OF SYSTEM
- PROBABILITIES COME FROM HISTORICAL SAFETY DATA; FAILURE RATE COMES FROM HISTORICAL RELIABILITY
- FAILURE MODE AND ITS EFFECT (CAUSING THE EVENT ABOVE) COMES FROM FMEA
- EXPOSURE TIME, OR TIME SINCE I LAST KNEW IT WORKED, COMES FROM FMEA (WHAT FINDS THE FAILURE?)
- VERIFICATION THAT AN AND GATE IN FACT REPRESENTS A COMBINATION OF TRULY INDEPENDENT FAILURES COMES FROM COMMON CAUSE ANALYSIS

FTA
WHAT'S THE THOUGHT PROCESS AND PROCEDURE?
- START WITH TOP EVENT AND WORK DOWN. DIFFERENT TREE REQUIRED FOR EACH DIFFERENT TOP EVENT
- METHODICALLY ROAD MAP EACH BRANCH TO AID IN LAYMAN'S UNDERSTANDING OF WHERE TREE IS GOING
- WORK DOWN TO COMPONENT FAILURE MODE (FROM FMEA) AT BOTTOM OF EACH BRANCH
- THOROUGHLY REVIEW AND CRITIQUE LOGIC OF TREE BEFORE ASSIGNING PROBABILITIES. ONE LOGIC ERROR CAN RESULT IN TOP EVENT PROBABILITIES THAT MAY BE MANY ORDERS OF MAGNITUDE OFF
- SIMPLIFY WITH BOOLEAN ALGEBRA AND CALCULATE THE TOP-EVENT PROBABILITY
- DRAW THE SIMPLIFIED TREE

FTA
WHAT OTHER INPUTS MUST BE CONSIDERED?
- EXTERNAL SINGLE EVENTS (OR INTERNAL CASCADING FAILURES) THAT CAUSE AND GATES TO REALLY ACT AS OR GATES (FOUND BY ZONAL ANALYSIS AND/OR EVENT REVIEWS)
- HUMAN ERROR POTENTIAL - WHERE HUMANS ARE REQUIRED TO ACT OR MAKE SOMETHING LESS CRITICAL - MUST INDICATE WHERE INACTIVITY OR WRONG ACTION CAN CAUSE SERIOUS/FATAL RESULTS (FMEA INFORMATION)
- MINIMUM EQUIPMENT LIST - WHERE SYSTEM CAN BE USED WITH CERTAIN THINGS BROKEN - FTA MUST START WITH ASSUMPTION THAT THESE ITEMS ARE ALREADY FAILED (REDUNDANCY GIVEN AWAY), THEN GO FROM THERE

FTA
WHEN TO DO ONE?
- PRELIMINARY TREES CAN BE DONE AS EARLY AS DESIGN ARCHITECTURE HAS SOME PRELIMINARY DEFINITION; USED IN VALIDATING SYSTEM ARCHITECTURE
- ROUGH ESTIMATES OF FAILURE PROBABILITY CAN BE ASSIGNED TO PROVIDE GUIDANCE AS TO REDUNDANCY NEEDS
- FOR EXAMPLE: A 2-ELEMENT REDUNDANT SYSTEM
    CATASTROPHIC EVENT (NEED 1 x 10^-9)
      AND gate fed by:
      COMPONENT A FAILS, Q = 1 x 10^-3
      COMPONENT B FAILS, Q = 1 x 10^-3
  YOU CAN SEE THAT MOST LIKELY A THIRD REDUNDANT ELEMENT IS NEEDED TO MEET THE 1 x 10^-9 CRITERION
- UPDATE AND FINALIZE AS DESIGN MATURES AND IS COMPLETED

HOW DO I START A FAULT TREE?
- SAFETY-CRITICAL EVENT (FROM FHA)
- ASK THESE QUESTIONS: ANY SINGLE FAILURES? MULTIPLE FAILURES?
- IF THERE ARE NO SINGLE FAILURES, ONLY MULTIPLE FAILURES, THEN YOU MIGHT START WITH SOMETHING LIKE:
    SAFETY-CRITICAL EVENT
      AND gate, one input per element:
      NTH ELEMENT OF REDUNDANT SYSTEM FAILS

HOW DO I START A FAULT TREE? (CONTINUED)
- NOW CONSIDER IF MONITORING IS USED TO DETECT LOSS OF REDUNDANCY, THEN THE INITIAL TREE SETUP MIGHT BE:
    SAFETY-CRITICAL EVENT (remainder of the tree diagram not legible)
- MUST ASSUME THE MONITOR FAILS FIRST - EXTREME CARE MUST BE TAKEN WITH THE FUNCTION THAT IT MONITORS. MORE ON WHY A BIT LATER
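Slide 30 (per-flight probability divided by average flight time), slide 51 (exposure times, latent failures, imperfect monitors) and the two handouts above (the 2-element example against a 1 x 10^-9 criterion, and "assume the monitor fails first") all bear on one calculation. The following is an added example, not code from the FAA course or from ARP 4761. It uses the exponential model P = 1 - exp(-λT) for a basic event; the failure rates, inspection interval, flight time and monitor coverage are constructed values; and the latent-failure model (an undetected failure is exposed for the whole inspection interval, an imperfect monitor catches only a fraction `coverage` of the failures it watches, and the monitor's own failure is latent, per the handout) is the author's simplification, not a formula taken from the course.

```python
"""Per-flight and per-flight-hour probabilities with exposure times.

Added example; not FAA or SAE ARP 4761 code. All numeric inputs are
constructed. The latent-failure / imperfect-monitor model is the author's
simplification for illustration.
"""
import math


def p_failure(rate_per_hour, exposure_hours):
    """Probability that an item with a constant failure rate fails at least
    once during its exposure time (exponential model, exact form)."""
    return 1.0 - math.exp(-rate_per_hour * exposure_hours)


def two_element_redundant(q_a, q_b):
    """AND gate: both independent elements must fail."""
    return q_a * q_b


def elements_needed(q_each, criterion):
    """Smallest number of independent, equally reliable elements whose
    simultaneous failure probability q**n meets the criterion."""
    # log10 keeps powers of ten exact; the epsilon absorbs rounding noise
    return math.ceil(math.log10(criterion) / math.log10(q_each) - 1e-9)


def monitored_pair_per_flight(rate_a, rate_b, flight_hours,
                              check_interval_hours,
                              monitor_rate, coverage):
    """Probability per flight of losing both channels of a monitored pair.

    Three ways the top event happens:
      1. both channels fail during the same flight;
      2. A failed earlier and stayed latent (the monitor missed it, or the
         monitor itself had already failed), then B fails in flight;
      3. the mirror case of 2 for channel B.
    Per the handout, the monitor is assumed to fail first: its own failure
    is latent for the whole inspection interval.
    """
    q_a_flight = p_failure(rate_a, flight_hours)
    q_b_flight = p_failure(rate_b, flight_hours)
    q_a_interval = p_failure(rate_a, check_interval_hours)
    q_b_interval = p_failure(rate_b, check_interval_hours)
    q_mon_interval = p_failure(monitor_rate, check_interval_hours)
    # fraction of channel failures that stay undetected over the interval
    undetected = (1.0 - coverage) + coverage * q_mon_interval
    same_flight = q_a_flight * q_b_flight
    a_latent_then_b = q_a_interval * undetected * q_b_flight
    b_latent_then_a = q_b_interval * undetected * q_a_flight
    return same_flight + a_latent_then_b + b_latent_then_a


def per_flight_hour(p_per_flight, average_flight_hours):
    """Slide 30 convention: divide the per-flight result by the average
    flight time of the aircraft model."""
    return p_per_flight / average_flight_hours


if __name__ == "__main__":
    # Handout example: two elements at 1e-3 each against a 1e-9 criterion.
    q = two_element_redundant(1e-3, 1e-3)
    print(f"2-element pair: {q:.1e}; elements needed: {elements_needed(1e-3, 1e-9)}")

    # Constructed monitored pair: 1e-4/h channels, 1e-5/h monitor,
    # 1000 h inspection interval, 1.5 h average flight.
    for cov in (0.0, 0.9, 1.0):
        p = monitored_pair_per_flight(1e-4, 1e-4, 1.5, 1000.0, 1e-5, cov)
        print(f"coverage {cov:.1f}: {p:.2e} per flight, "
              f"{per_flight_hour(p, 1.5):.2e} per flight hour")
```

With no monitor (coverage 0) each channel's failure is exposed for the full 1000 h interval and the pair's per-flight figure sits in the 10^-5 range; a 90 % monitor cuts it by roughly an order of magnitude, and a perfect, never-failing monitor leaves only the same-flight double failure. The gap between those figures is the reason the handout insists on analysing the monitor's own failure first.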

+ Identifies the failure modes of a system, item, function, or piece part
+ Determines the effects at the next higher level of design
+ The detection method, if any, for failure modes is usually determined
+ For a quantitative FMEA, a failure rate is determined for each failure mode
SSA IVT 55

PURPOSE: Supports the other analysis techniques of the SSA
SCOPE: Must account for all safety related effects
LIMITATIONS: Does not usually account for multiple failure modes
SSA IVT 56


How does the FMEA support the SSA?
An FMEA supports the verification of the FTA through a comparison of the FMEA failure effects with the basic events of the fault tree. It can also provide failure rates to quantify the basic events of the fault tree.
SSA IVT 57

+ FMEA process: Major steps
  + Preparation
  + Analysis
  + Documentation


+ Preparation
  + Safety related and requested failure effects and operating modes
  + Specs, drawings, schematics (current)
  + Parts list
  + Functional block diagrams
  + Theory of operation/explanatory materials
SSA IVT 59

+ Analysis
  + Determine failure modes and assign failure effect codes
  + Avoid poorly defined failure modes
  + Determine detection means, if required
  + Verify analysis conclusions with lab and/or aircraft data for safety related functions
SSA IVT 60


Functional FMEA
+ Break down the system into functional blocks
+ Postulate the failure modes for each functional block
+ Determine failure effect/detection
+ Determine failure rate, if quantitative
SSA IVT 61

Example of Functional FMEA Format
System:          Function:        Date:
ATA:             FTA Ref:         Rev.
Columns: function name | function code | failure mode | failure rate | flight phase | failure effect | detect method | comments
Sheet - of -


Piece-Part FMEA
+ Determine the failure modes of each individual component
+ Determine failure effect/detection
+ Determine failure rate, if quantitative

Example of Piece-Part FMEA Format
System:          Component:       Date:
ATA:             FTA Ref:         Rev.
Columns: part number | type | failure mode | failure rate | flight phase | failure effect | detect method | comments
Sheet - of -
SSA IVT 64


Report
+ The report for an FMEA should include
  + Purpose and objective of the FMEA
  + Brief overview of operation and block diagram
  + Analysis approach and assumptions
  + Complete list of FMEA worksheets
  + Configuration identification
  + Failure rate sources
SSA IVT 65

What is an FMES?
+ Failure Modes and Effects Summary
+ Grouping of failure modes with like effects
+ FMES failure rate is the sum of the failure rates coming from each FMEA
+ Used as an aid to quantify FTA primary events
SSA IVT 66


AUTOMOBILE
PRELIMINARY LAYOUT

BRAKE SYSTEM

MASTER CYLINDER

REAR LEFT

REAR RIGHT

FRONT LEFT
(BRAKE

FRONT RIGHT
DRUM OMITTED FOR SIMPLICITY)

. LAYOUT, AS SHOWN, UNACCEPTABLE WILL CAUSE LOSS OF ALL BRAKES

- SINGLE-POINT

FAILURES IF IT IS TO MEET
CA2171.15

ARCHICTECTURE NEEDS MODIFICATION PROBABILISTIC CRITERIA

AUTOMOB ILE BRAKE SYSTEM


NEW LAYOUT BASED ON FHA FINDINGS
TANDEM MASTER CYLINDE

REAR RIGHT

FRdilT

L-EFT

FRONT RIGHT

CYLINDER MADE DUAL AS WELL AS REDUNDANT HYDRAULIC BRAKE CIRCUIT (ONE FOR THE FRONT WHEELS, ONE FOR THE REAR WHEELS) PIAN IS TO KEEP LINES PHYSICALLY SEPARATED
CA2171.16

MASTER

NEW LAYOUT

SYSTEM
CYLINDER FUNCTION
DESIGN ENGINEER

FAILURE
HYDRAULIC PREPAREDBY MARK LARSON OF COMPONENT TO INPUT REVIEYVED
RLLIAl3IlJlY

MODE AND EFFECTS ANALYSIS


DEVELOP PRESSURE STROKE BY 6 7 EFFECT ON THE SYSTEM (FAILURE CONDITION) NONE. BRAKES OPERATE NORMALLY NoSMo KlNG
SAFElY

(FMEA)
DATE

cD~pDN~~T WW PROPORTIONAL BRAKING 3 EFFECT OF FAILURE OR ERROR ON THE SUBSYSTEM :$ IV B) REAR C) D) E) N/A F) MASTER DISASSEMBLY CYLINDER AND VlSUAL MIA N/A PISTON AFT SEAL FLUIDLEAKS PASTSEALBUT IS PREVENTED FROM LEAKINQ OUT BY SECOND SEAL MASTER CYLINDER CONTINUES TO OPERATE NORMALLY YES A) NONE - LATENT FAILURE ;j$ C LEGIN ; ; L lCONT T A A WITH 4s H SYSTEM AND FORCE

MASTER

COMPONENT

P/N

sYsTEM

AUTOMOTIVE

DATE %lC $: :i IV : g EAFoFDE~A~~ (~R~~~~K~c)

i ; 02

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE )UTSIDE FACTCRS)

2P

6 A 8 C: D. E. F.

FAILURE INDICATION TO OPERATOR OTHER FAILURES W/SAME INDlCAnON HOW DOES OPR ISOLATE THE FAILURE? CORRECTWE ACTION EFFECT OF UKELY INCORRECT ACTION HOW DOES MAINT CREW ISOLATE FAILURE?

2) REAR PISTON FORWARD SEAL FAILS AND LEAKS DUE TO:

1) FOREIGN DBJECT(S) CUT SEAL 2) SEAL CRACKS DUE TO MFG DEFECT INSPECTION

3) SEAL DAMAGED DURING INSTALLATION

IF SECOND SEAL FAILS, THEN FLUID WILL ULTIMATELY LEAK OUT RESULTING IN LOSS OF REAR BRAKES. LOSS OF REAR BRAKES RESULfI IN SLIGHTLY HIGHER PEDAL FORCES THAN IS NORMALLY NEEDED TO STOP. IT IS LIKELY THAT LOSS OF REAR BRAKES WILL BE LATENT. AGAIN, THIS IS A SECOND FAILURE EFFECT. (COL 4 6 8)

OPERATING PHASES (COL 2)

OPERATlON 01 VEHICLE ACCELERATING 02 VEHICLE DECELERATING 03 VEHICLE MOVINO - CONSTANT RATE 04 VEHICLE STATlONARY 05 VEHICLE MOVING W/ENGINE OFF 06 OTHER (DESCRIBE)

MAINTENANCE Ml POWERED M2 POWER OFF M3 DlAGNOSllCS M4 OTHER (DESCRIBE)

HAZARD CLASS CLASS CLASS CLASS

IV Ill II I

CLASSlFlCAnONS MINOR MAJOR HAZARDOUS CATASTROPHIC

SHEET --

OF

1%

.,

.,

,.

.el(i..il--~l,~,.

_ ,... . . .._ . . . . ---~.-x .-,--

SCHEMATIC OF TANDEM MASTER CYLINDER


SEALING LID

/-

CYLINDER BODY

CHAMBER

2 OUTLET TO REAR BRAKES OUTLET TO FORWARD BRAKES

13

. ..

,.

.el(,..il.,-~l,~,. . _ .

,...

. .._

.. . .

--_-x .-, ,,,I.

SYSTEM
CYLINDER
FUNCTION
DESIGN ENGINEER

FAILURE
OF COMPONENT PROPORTIONAL REVIEWED
REllAl3lLllV

MODE AND EFFECTS ANALYSIS


DEVELOP PREPAREDBY
TO INPUT BY NoSMo KlNG
h SAFEW

(FMEA)
MARK LARSON
DATE

ZOMPONENT (MAW
PRESSURE STROKE AND

MASTER

HYDRAULIC

:OMPONENT BRAKING FORCE


7 EFFECT ON THE SYSTEM (FAILURE CONDITION) 3 EFFECT OF FAILURE OR ERROR ON THE SUBSYSTEM L A s NO A) PEDAL DOES NOT MOVE WHEN FOOT PRESSURE IS APPLIED. CAR DOES NOT DECELERATEASEXPECTED. B) BRAKE PEDAL JAM. INPUT SHAFT JAM C) NOT POSSIBLE D) DOWNSHIFT TO DECELERATE STEER TO AVOID COLLJSION E) OPERATOR SUFFICIENTLY MAY CRASH F) DISASSEMBLE MASTER WSUALLY INSPECT UNABLE TO DECREASE AND AVOID OBSTACLES; CYUNDER AND SPEED MASTER CYLINDER

P/N SYSTEM

SYSTEM

AUTOMOTIVE

DATE

: E Dl 02 03 05 PISTON WILL NOT STROKE IN CYUNDER. REAR PISTON SEIZURE PREVENTS FORWARD PISTON FROM STROKING, TOO. NEITHER CHAMBER DEVELOPS HYDRAULIC PRESSURE I kiN ICON1 WITH INOP (ym)

*P

6sHc z:k h3 MDS I

g EZ;7AY:F ~RgJT~Kyc

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE 1UTSlDE FACTORS)

4s Ii y A s 2 TA E R MDS

6 A B C: D. E. F.

FAILURE INDICATION TO OPERATOR OTHER FAILURES w6AME INDlCAnoN HOW DOES OPR ISOLATE THE FAILURE? CORRECTIVE ACTION EFFECT OF LIKELY INCORRECT ACTION HOW DOES MAINT CREW ISOLATE FAILURE?

3) REAR PISTON JAMS IN RETRACTED POSITION DUE TO:

1) FOREIGN OBJECT JAMS BETWEEN PISTON AND CYUNDER WALL

CAR CANNOT BE STOPPED USING BRAKING SYSTEM. UNLESS IDEAL TRAFFIC SITUATION EXISTS OR HIGH DRIVER SKILL LEVEL IS EMPLOYED, CRASH IS UKELY WITH SERIOUS OR FATAL INJURY

2) GAULING OF CYLINDER AND SEIZURE OF PISTON

AND

SINGLE-POINT FAILURE IDENTIFIED CAUSING DUAL SYSTEM BRAKE FAILURE. ElTHER BRAKE! MUST BE MADE FULLY REDUNDANT 01 ALTERNATE BRAKING MUST BE PROVIDED TO MEET ft76 CRITERIA

3) CORROSION

OPERATING PHASES (COL 2)

(COL

4 6 6)

OPERATION 01 VEHICLE 02 VEHICLE 03 VEHICLE 04 VEHICLE ACCELERATING DECELERATING MOWNO - CONSTANT RATE STATIONARY VEHICLE MOVING W/ENGINE OFF OTHER (DESCRIBE)

05

MAINTENANCE Ml POWERED M2 POWER OFF M3 DIAGNOSTICS M4 OTHER (DESCRIBE)

HAZARD CLASS CLASS CLASS CLASS

IV Ill II I

CLASSIFICATIONS MINOR MAJOR HAZARDOUS CATASTROPHIC

SHEET AOF CA2172.14

06

! Iq I

.,

. .

.,

,,

I-,_.--._-,

,,

.,

._

_ ,..I . . .._ . . . . ---~.-x ..-, ,,

SYSTEM
CYLINDER ww PRESSURE REVIEWED BRAKING RELlA9ILllV 7 EFFECT ON THE SYSTEM (FAILURE CONDITION) 3 LEGIN /CONT WITH INOP No SYSTEM STROKE AND FORCE BY NOSMO PROPORTIONAL TO INPUT FUNCTION OF COMPONENT DEVELOP NYDRAULlC PREPARED BY MARK IARSoN DESIGN ENGINEER

FAILURE

MODE AND EFFECTS ANALYSIS

(FM=)
DATE

ZOMPONENT

MASTER

ZOMPONEM

PIN

KING
8 SlvEpl F;c SZk TAS :ts I g DATE

;~EM

AUTOMOTIVE

i ; I

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE IUTSIDE FACTORS)

*P

.c,:-. EFFECljOFFAILURE OR ERROR ON r, THE SUBSYSTEti.% *,: -5 ;li.. ;:y :;.y;. II , I .;I .,. ::.:. .. A) PEDAL DOES NOT MOVE WHEN FOOT PRESSURE IS APPLIED. CAR DOES NOT DECELERATE AS EXPECTED. B) BRAKE PEDAL JAM. INPUT SHAFT JAM C) NOT POSSIBLE MASTER CYLINDER

qS H Y A C s 2 L f A A E R s MD(Ym)

6 A B C: D. E. F.

FAILURE INDICATION TO OPERATOR OTHER FAILURES W/SAME INDlCAnON HOW DOES OPR ISOLATE THE FAILURE? CORRECnVE ACTION EFFECT OF LIKELY INCORRECT ACTION HOW DOES MAINT CREW ISOLATE FAILURE?

EFFECT OF ADD. FAIL (~R&fM~iK~C)

4) FORWARD PISTON JAMS RETRACTED POSITION DUE TO:

IN

01 02 03 05

PISTON WILLNOTSlRolCE IN CYUNDER. FORWARD P&TON : SEIZURE PREVENTS REAR : : PISTON FROM STROKING AWO. NEITHER CHAMBER DEVELOPS HYDRAULIC PRESSURE

1) FOREIGN OBJECT JAMS BETWEEN PISTON AND CYLINDER WALL D) DOWNSHIFT ~0 ~CELERA~E AND STEER TO AVOID COLuSlON I. Ej OPERATOR UNABLE Td DECREASE SUFFICIENTLY AND AVOID OBSTACLES: MAY CRASH .. F) DISASSEMBLE MAStiR VISUALLY INSPECT CYUNiJER

CARCANNOTBE STOPPED USING BRAKING SYSTEM. UNLESS IDEAL TRAFFIC SlTUATlON EXISTS OR HIGH DRIVER SKILL LEVEL IS EMPLOYED, CRASH IS LIKELY WITH SERIOUS OR FATAL INJURY SPEED

SINGLE-POINT FAILURE CAUSING DUAL SYSTEM BRAKE FAILURE. DESIGN CORRECTIVE ACTION NEEDED

2) GAULING OF CYLINDER AND SEIZURE OF PISTON

AND

3) CORROSION

: .,

OPERATING PHASES (COL 2)

(COL

4 6 6)

MAINTENANCE Ml POWERED M2 POWER OFF M3 DIAGNOSTICS M4 OTHER (DESCRIBE)

HAZARD CLASS CLASS CLASS CLASS

IV Ill II I

CLASSlFlCAnONS MINOR MAJOR HAZARDOUS CATASTROPHIC

SHEET 4OFs \ CA2172.15

OPERATION 01 VEHICLE ACCELERATING 02 VEHICLE DECELERATING 03 VEHICLE MOVlNG - CONSTANT RATE 04 VEHICLE STATIONARY 05 VEHICLE MOVING W/ENGINE OFF 06 OTHER (OESCRIBE)

IS

SYSTEM FAILURE
CYLINDER
FUNCTION PRESSURE BRAKING AND
RELlABlLrrY

MODE AND EFFECTS


DEVELOP PREPAREDBY LARSON DESIGN ENGINEER TO INPUT REVIEWED BY HANN
6 SAFETY

ANALYSIS

(FMEA)
DATE

COMPONENT
OF COMPONENT PROPORTIONAL STROKE (HAME)

MASTER

HYDRAULIC

COMPONENT

P/N

SYSTEM FORCE 4s 7 EFFECT ON THE SYSTEM (FAILURE CONDITION)

AUTOMOBILE

SYSTEM

DATE

*P

*sHC I:; ED MbS II

:KFi!A,p: ~R&iJ&Kyc)

EFFECT OF FAILURE
OR ERROR ON THE SUBSYSTEM

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE bUTSIDE FACTORS) i : III WILL 01 02 i; B) OTHER FAILURES RESULTING OF FORWARD BRAKES C) NOT POSSIBLE D) INCREASE PEDAL TO STOP SAFELY E) NONE F) OISASSEMBLE MASTER VISUALLY INSPECT LIKELY CYLINDER AND FORCES SLIGHTLY IN LOSS FORWARD PISTON WILL NOT STROKE IN CYLINDER. WHEN BRAKE PEDAL DEPRESSED, THE FORWARD PISTON WILL NOT MOVE, BUT SPRING BETWEEN FORWARD AND REAR PISTON WILL COMPRESS, ALLOWING REAR PISTON TO STROKE AND DEVELOP HYDRAULIC PRESSURE NO A) NONE LIKELY. SLIGHTLY PEDAL FORCES NECESSARY NOT LIKELY BE NOTICED HIGHER TO STOP y s T E M L A s S kiN ICONT WITH INOP (YM)

It A f A R 0

8 A. s C: D. E. F.

FAILURE INDlCATlON TO OPERATOR OTHER FAILURES w/SAME iNDicATiON HOW DOES OPR ISOLATE THE FAILURE? CORRECTM ACTION EFFECT OF UKELY INCORRECT ACTION HOW DOES MAINT CREW ISOLATE FAILURE?

4) FORWARD PISTON JAMS IN RETRACTED POSITION DUE TO:

1) FOREIGN OBJECT JAMS BETWEEN PISTON AND CWNDER WALL

2) GAULING OF CYLINDER AND SEIZURE OF PISTON

LOSS OF FORWARD BRAKES; REAR BRAKES FUNCTION NORMAUY. OPERATOR NOT LIKELY TO NOTICE ANY ABNORMALITY UNDER NORMAL CONDlTlONS. IN PANIC STOP, CAR MAY SKID DUE TO REAR BRAKE LOCKUP CAUSING NEED FOR IMMEDIATE CORRECTIVE ACTlON TO REGAIN CONTROL

LATENT LOSS OF HALF OF HYDRAULIC BRAKE SYSTEM MAY CAUSE DIFFICULTY IN SHOWING P,<lxlo: CONSIDER MONITOR SCHEME TO DETECT LOSS OF REDUNDANCI

3) CORROSION

OPERATING PHASES (COL 2) ACCELERATING DECELERATING MOVING - CONSTANT RATE STATIONARY MOVING W/ENGINE Off (DESCRIBE)

(COL

4 & 8)

OPERATION 01 VEHICLE 02 VEHICLE 03 VEHICLE 04 VEHICLE 05 VEHICLE 06 OTHER

MAINTENANCE Ml POWERED M2 POWER OFF M3 DlAGNOSTlCS M4 OTHER (DESCRIBE)

HAZARD CLASS CLASS CLASS CLASS

IV Ill II I

CLASSIFICATlONS MINOR MAJOR HAZARDOUS CATASTROPHIC

SHEET -m4 OF 5 CA2172.16

lb

SYSTEM
LINE FUNCTlON
DESIGN ENGINEER

FAILURE
OF COMPONENT
FLUID REVIEWED CnlNDER
RELIABIUIY

MODE AND EFFECTS


HYDRAULIC
PRESSURE BY NOSMO KING
L SAFf3.Y

ANALYSIS
PREPARED BY MARK LARSON

(FMEA)
DA=

<:OMPONENT LINE THAT MASTER PAW


TRANSMlTS BRAKING TO REAR 4s EFFECT OF FAILURE OR ERROR ON THE SUBSYSTEM ; T E M III No A) NONE LIKELY. SLIGHTLY PEDAL FORCES NECESSARY GO UNNOTICED B) FORWARD C) NOT POSSIBLE PISTON JAM HIGHER TO STOP MAY : A R D EFFECT ON THE SYSTEM (FAILURE CONDITION) Ii 7 SLAVE CYLINDERS P H f E 01 02 ;; FLUID WILL LEAK OUT OF REAR BRAKE SYSTEM. FORWARD SYSTEM OPERATES NORMALLY. MASTER CYLINDER WILL NOT DEVELOPBRAKEPRESSURE TO REAR BRAKES D) SLIGHT INCREASE IN PEDAL NEEDED TO STOP IN EOUIVALENT - PERSON NOT LIKELY TO EVEN E) NONE F) CHECK FLUID LEVEL UNDER CAR FOR LEAKS LIKELY AND INSPECT PRESSURE DISTANCE NOTICE c L A s s SBEG~N /CONT WITH INOP (Y/NJ SySTEM AND FROM

REAR BRAKE

C:OMPONENT

PIN

! ;ySTEM

AUTOMOBILE

DATE

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE 0 UTSIDE FACTORS)

6 A B: C. D. E. F.

FAILURE INOICATION TO OPERATOR OTHER FAILURES WISAME INDICATION HOW DOES OPR ISOLATE THE FAILURE? CORRECTIVE ACTION EFFECT OF LIKELY INCORRECT ACTION HOW DOES MAINT CREW ISOLATE FAILURE?

%4c yA SZ: iis MDS Ill

E&F;C;Ay[ ~R$$JJ~Kqc

5: ) HYDRAULIC LI INE LEAKS Fl LUID DUE TO:

1) FOREIGN 0 IBJECT STRIKES L INE AND S EVERS IT

2 ) CORROSION

3 ) FLAW

IN L INE CAUSES I1I TO RUPTURE

LOSSOFREAR BRAKES; FRONT BRAKES FUNCTION NORMALLY. ODERATOR NOT LIKELY TO NOTICE ANY ABNORMAUTY. IN PANIC STOP, THE FRONT WHEELS MAY LOCK UP. OPERATOR NEEDS TO CORRECT SKID SITUATION THAT MAY DEVELOP

LATENT LOSS OF HALF OF BRAKES. SECOND FAILURE THAT CAUSES LOSS OF FORWARD BRAKES IS POTENTIALLY CATASTROPHIC RECOMMENO ADDING MDNITOI TO DETECT LOZ OF EITHER BRAKE SYSTEM KEUCE EXPOSURE TIMI

4 ) CRACKED

B-NUT

OPERATING PHASES (COL 2)

(COL

4 6 6)

MAINTENANCE Ml POWERED M2 POWER Off M3 DIAGNOSTICS M4 OTHER (DESCRIBE)

HAZARD CLASS CLASS CLASS CLASS

IV Ill II I

CLASSIFICATIONS MINOR MAJOR HAZARDOUS CATASTROPHIC

SHEET AOFs

OPERATION 01 VEHICLE ACCELERATINQ 02 VEHICLE DECELERATING 03 VEHICLE MOVING - CONSTANT RATE 04 VEHICLE STATIONARY 05 VEHICLE MOVING W/ENGINE OFF 06 OTHER (DESCRIBE)

[Figure CA2173.06: AUTOMOBILE BRAKE SYSTEM, NEW LAYOUT BASED ON FHA AND FMEA. Schematic showing the hand brake, the brake failure light, and the four wheel brakes (rear left, rear right, front left, front right).]

Appendix A

What Is a Common Cause? (SSA IVT slide 68)

An event that bypasses or invalidates redundancy or independence, i.e., an event that causes the simultaneous loss of redundant or independent items.

IVT/Self-Study Course Federal Aviation Administration

August, 1998

System Safety Assessment A-34

Common Cause Analysis (slide 69)

+ AC/AMJ 25.1309 establishes the need for the safety assessment process to address the impacts of potential common cause faults (leading to catastrophic or hazardous failure conditions).

Common Cause Analysis (slide 70)

+ CCA is subdivided into three areas of study:
  + Zonal safety analysis
  + Particular risks analysis
  + Common mode analysis


Zonal Safety Analysis (slide 71)

Examines each physical zone of the aircraft to ensure that equipment installation and potential physical interference with adjacent systems do not violate the independence requirements of the system under study.

Zonal Safety Analysis (slide 72)

+ Part of aircraft development
+ Based on CAD, mockups, aircraft
+ Usually performed by the airframer
+ Problems fed back into design


Zonal Safety Analysis (slide 73)

Checklist examples:
+ Flailing shafts
+ Oxygen leaks
+ Accumulator burst
+ Torque, loose nuts or bolts
+ Bleed air leaks
+ Overheated wires
+ Connector keying
+ Fluid leaks
+ Rotor burst

Particular Risks Analysis (slide 74)

Examines those common events or influences that are outside the system(s) concerned but which may violate independence requirements. These particular risks may influence several aircraft zones.


Particular Risks Analysis (slide 75)

+ Mostly a qualitative analysis
+ Drawings, models, mock-ups, aircraft
+ Performed on a risk-by-risk basis
+ Applies to the whole aircraft development process
+ Some risks may be subject to specific airworthiness requirements (e.g., engine rotor burst, tire burst, etc.)

Particular Risks Analysis (slide 76)

Typical risks include:
+ Fire
+ Bird strike
+ Tire burst
+ Wheel rim release
+ Bulkhead rupture
+ Hail/ice/snow
+ Rotor burst
+ Manifold rupture

NOTE: Some events may also be analyzed as part of the Zonal Safety Analysis.


Particular Risks Analysis (slide 77)

+ Process
  o Define the risk
  o Define failure model used
  o Define affected zones/areas (Ref. ZA)
  o Define affected systems/items (Ref. FMEA/PSSA)
  o Review consequences (multiple systems)
  o Review effect on aircraft

Particular Risks Analysis (slide 78)

+ Analyze results: Are the consequences acceptable?
+ If yes, prepare justification.
+ If no, initiate a design change.


Common Mode Analysis (slide 79)

+ Provides an assessment that the independence claims made in the FTA are valid
+ This analysis covers the effects of design, manufacturing, and maintenance errors and the effects of common component failures

Common Mode Analysis (slide 80)

+ Carried out at all levels from item design to aircraft level design
+ Includes an evaluation of the components within an item
+ Based on inputs from the FHA and PSSA
+ Verifies that independence principles have been applied when necessary


Common Mode Analysis (slide 81)

+ Scope
+ For each hazardous or catastrophic event documented in the FHA and/or PSSA, identify each AND event (AND gate in fault tree) to determine which failure combinations must be assured to be independent.

Common Mode Analysis (slide 82)

+ Examples of common modes
  + Software design error
  + Hardware design error
  + Hardware failures
  + Production/repair flaw
  + Stress related events (abnormal)
  + Environment (temp., vib., etc.)


Common Mode Analysis (slide 83)

To perform a CMA, the analyst needs to know the system's design concept:
+ Design architecture
+ Equipment/component and installation characteristics
+ Maintenance plan and test tasks
+ Crew procedures
+ Systems, equipment, & software specifications

Common Mode Analysis (slide 84)

+ Concepts used to eliminate or minimize common mode effects
  + Diversity (dissimilarity, redundancy, etc.)
  + Testing & preventive maintenance programs
  + Design control and design quality level
  + Operational procedures
  + Training
  + Quality control


Common Mode Analysis (slide 85)

+ Process
  o Determine potential common mode failures/errors associated with each AND event
  o Analyze each potential common mode failure/error to verify compliance with independence requirements
  o For non-acceptance, determine possible solutions
  o Follow up corrective actions

Common Mode Analysis (slide 86)

+ Output (documentation)
  + Reference documents, drawings, and support material
  + List of CMA demands from FHA/PSSA
  + Description of system/item analyzed
  + Rationale for compliance with CMA requirements
  + Identification and resolution of problems or concerns identified


Look: In Review (slide 87)

FHA    Establishes top-level safety requirements for function
FTA    Top down quantitative and qualitative multiple failure analysis
FMEA   Bottom up single failure analysis that supports the FTA
CCA    Verifies system independence and redundancy

PRELIMINARY SYSTEM SAFETY ASSESSMENT (slide 88)


PSSA (slide 89)

+ Definition: A system evaluation of the proposed architecture(s) and implementation(s) based on the functional hazard assessment (FHA) failure condition classifications to determine safety requirements of the system.

PSSA (slide 90)

+ The PSSA is
  + Embedded within the overall development
  + An iterative process associated with the design definition
  + Conducted at multiple stages including system, sub-system, LRU/LRM, and hardware/software levels


PSSA Purpose? (slide 91)

+ The objective of the PSSA is to establish the safety requirements of the system and to determine that the proposed architecture/implementation can reasonably be expected to meet the safety objectives identified by the FHA.

PSSA (slide 92)

+ Identifies separation/isolation requirements
+ The CCA proceeds to address the common-cause fault potential across each boundary identified by the PSSA and should identify the fault containment strategies to be used


PSSA (slide 93)

+ Inputs
  + FHA
  + Proposed architecture
  + System functional interfaces

The PSSA should (slide 94)

+ Show how item failures combine to lead to the considered failure condition
+ Identify requirements for event independence verification
+ Show that quantitative and qualitative requirements can be met
+ Show how maintenance tasks/intervals are driven by latent failures
+ Identify design assurance levels


PSSA (slide 95)

+ Form
  + The PSSA can be thought of as a fault tree with budgets
  + Primary events associated with AND gates provide common-cause demands

PSSA (slide 96)

+ Outputs
  + Safety requirements allocated to items
  + Installation requirements (separation, segregation, isolation, etc.)
  + Hardware and software design assurance levels
  + Safety maintenance tasks and associated non-exceed times


SET SAFETY DESIGN CRITERIA (PARTIAL LIST) BASED ON FHA RESULTS (figure CA2171.14)

HAZARD CLASS   FAILURE CONDITION                       MAXIMUM ALLOWABLE PROBABILITY
I              Loss of all brakes                      10^-9
II             Loss of adjust function on one wheel    [illegible]

PLUS:
1. No single failure shall cause or allow either of these two events.
2. Must keep redundant systems, parts, and interconnections separated to ensure independence.

[Figure CA2171.15: AUTOMOBILE BRAKE SYSTEM, PRELIMINARY LAYOUT (brake drum omitted for simplicity). Single-circuit layout feeding the rear left, rear right, front left, and front right brakes, with the single-point failures marked. Caption: Layout, as shown, is unacceptable: single-point failures will cause loss of all brakes. Architecture needs modification if it is to meet probabilistic criteria.]

[Figure: AUTOMOBILE BRAKE SYSTEM, NEW LAYOUT BASED ON FHA FINDINGS. Tandem master cylinder feeding two circuits to the rear left, rear right, front left, and front right brakes. Caption: Master cylinder made dual as well as redundant hydraulic brake circuit (one for the front wheels; one for the rear wheels). New layout plan is to keep lines physically separated.]

FAILURE MODE AND EFFECTS ANALYSIS (FMEA)                                   SHEET 2 OF 5 (figure CA2172.13)

SYSTEM: Automotive braking system
COMPONENT: Master cylinder (tandem)          COMPONENT P/N:          DATE:
FUNCTION OF COMPONENT: Develop hydraulic pressure proportional to input stroke and force
PREPARED BY: Mark Larson, Design Engineer          REVIEWED BY: Nosmo King, Reliability & Safety

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE OUTSIDE FACTORS):
2) Rear piston forward seal fails and leaks due to:
   1) Foreign object(s) cut seal
   2) Seal cracks due to manufacturing defect
   3) Seal damaged during installation/inspection

OPERATING PHASES (COL 2): 02

EFFECT OF FAILURE OR ERROR ON THE SUBSYSTEM: Fluid leaks past seal but is prevented from leaking out by second seal. Master cylinder continues to operate normally.

EFFECT ON THE SYSTEM (FAILURE CONDITION): None. Brakes operate normally.

HAZARD CLASS: IV (Minor)
BEGIN/CONT WITH SYSTEM INOP (Y/N): Yes

A. Failure indication to operator: None; latent failure.
B. Other failures with same indication: N/A
C. How does operator isolate the failure? N/A
D. Corrective action: N/A
E. Effect of likely incorrect action: N/A
F. How does maintenance crew isolate failure? Master cylinder disassembly and visual seal inspection.

EFFECT OF ADDITIONAL FAILURE (REMARKS): If second seal fails, then fluid will ultimately leak out, resulting in loss of rear brakes. Loss of rear brakes results in slightly higher pedal forces than is normally needed to stop. It is likely that loss of rear brakes will be latent. Again, this is a second failure effect.

Legend. Operating phases (col 2): Operation 01 vehicle accelerating; 02 vehicle decelerating; 03 vehicle moving at constant rate; 04 vehicle stationary; 05 vehicle moving with engine off; 06 other (describe). Maintenance M1 powered; M2 power off; M3 diagnostics; M4 other (describe). Hazard classifications (cols 4 and 8): Class IV minor; Class III major; Class II hazardous; Class I catastrophic.

[Figure CA2172.23: SCHEMATIC OF TANDEM MASTER CYLINDER. Labels: sealing lid; to rear brakes; to forward brakes.]

FAILURE MODE AND EFFECTS ANALYSIS (FMEA)                                   SHEET 3 OF 5 (figure CA2172.14)

SYSTEM: Automotive braking system
COMPONENT: Master cylinder (tandem)          COMPONENT P/N:          DATE:
FUNCTION OF COMPONENT: Develop hydraulic pressure proportional to input stroke and force
PREPARED BY: Mark Larson, Design Engineer          REVIEWED BY: Nosmo King, Reliability & Safety

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE OUTSIDE FACTORS):
3) Rear piston jams in retracted position due to:
   1) Foreign object jams between piston and cylinder wall
   2) Galling of cylinder and seizure of piston
   3) Corrosion

OPERATING PHASES (COL 2): 01, 02, 03, 05

EFFECT OF FAILURE OR ERROR ON THE SUBSYSTEM: Master cylinder piston will not stroke in cylinder. Rear piston seizure prevents forward piston from stroking, too. Neither chamber develops hydraulic pressure.

EFFECT ON THE SYSTEM (FAILURE CONDITION): Car cannot be stopped using braking system. Unless ideal traffic situation exists or high driver skill level is employed, crash is likely with serious or fatal injury.

HAZARD CLASS: I (Catastrophic)
BEGIN/CONT WITH SYSTEM INOP (Y/N): No

A. Failure indication to operator: Pedal does not move when foot pressure is applied. Car does not decelerate as expected.
B. Other failures with same indication: Brake pedal jam, input shaft jam.
C. How does operator isolate the failure? Not possible.
D. Corrective action: Downshift to decelerate and steer to avoid collision.
E. Effect of likely incorrect action: Operator unable to decrease speed sufficiently and avoid obstacles; may crash.
F. How does maintenance crew isolate failure? Disassemble master cylinder and visually inspect.

REMARKS: Single-point failure identified causing dual system brake failure. Either brakes must be made fully redundant or alternate braking must be provided to meet the probabilistic criteria.

FAILURE MODE AND EFFECTS ANALYSIS (FMEA)                                   SHEET 4 OF 5

SYSTEM: Automotive braking system
COMPONENT: Master cylinder (tandem)          COMPONENT P/N:          DATE:
FUNCTION OF COMPONENT: Develop hydraulic pressure proportional to input stroke and force
PREPARED BY: Mark Larson, Design Engineer          REVIEWED BY: Nosmo King, Reliability & Safety

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE OUTSIDE FACTORS):
4) Forward piston jams in retracted position due to:
   1) Foreign object jams between piston and cylinder wall
   2) Galling of cylinder and seizure of piston
   3) Corrosion

OPERATING PHASES (COL 2): 01, 02, 03, 05

EFFECT OF FAILURE OR ERROR ON THE SUBSYSTEM: Master cylinder piston will not stroke in cylinder. Forward piston seizure prevents rear piston from stroking also. Neither chamber develops hydraulic pressure.

EFFECT ON THE SYSTEM (FAILURE CONDITION): Car cannot be stopped using braking system. Unless ideal traffic situation exists or high driver skill level is employed, crash is likely with serious or fatal injury.

HAZARD CLASS: I (Catastrophic)
BEGIN/CONT WITH SYSTEM INOP (Y/N): No

A. Failure indication to operator: Pedal does not move when foot pressure is applied. Car does not decelerate as expected.
B. Other failures with same indication: Brake pedal jam, input shaft jam.
C. How does operator isolate the failure? Not possible.
D. Corrective action: Downshift to decelerate and steer to avoid collision.
E. Effect of likely incorrect action: Operator unable to decrease speed sufficiently and avoid obstacles; may crash.
F. How does maintenance crew isolate failure? Disassemble master cylinder and visually inspect.

REMARKS: Single-point failure causing dual system brake failure. Design corrective action needed.

FAILURE MODE AND EFFECTS ANALYSIS (FMEA)                                   SHEET 4 OF 6 (figure CA2172.10)

SYSTEM: Automobile braking system
COMPONENT: Master cylinder (tandem)          COMPONENT P/N:          DATE:
FUNCTION OF COMPONENT: Develop hydraulic pressure proportional to input stroke and force
PREPARED BY: Mark Larson, Design Engineer          REVIEWED BY: Nosmo King, Reliability & Safety

FAILURE OR ERROR MODE AND FAILURE CAUSE (INCLUDE OUTSIDE FACTORS):
4) Forward piston jams in retracted position due to:
   1) Foreign object jams between piston and cylinder wall
   2) Galling of cylinder and seizure of piston
   3) Corrosion

OPERATING PHASES (COL 2): 01, 02, 03, 05

EFFECT OF FAILURE OR ERROR ON THE SUBSYSTEM: Forward piston will not stroke in cylinder. When brake pedal is depressed, the forward piston will not move, but the spring between forward and rear piston will compress, allowing the rear piston to stroke and develop hydraulic pressure.

EFFECT ON THE SYSTEM (FAILURE CONDITION): Loss of forward brakes; rear brakes function normally. Operator not likely to notice any abnormality under normal conditions. In panic stop, car may skid due to rear brake lockup, causing need for immediate corrective action to regain control.

HAZARD CLASS: III (Major)
BEGIN/CONT WITH SYSTEM INOP (Y/N): No

A. Failure indication to operator: None likely. Slightly higher pedal forces necessary to stop will likely not be noticed.
B. Other failures with same indication: Other failures resulting in loss of forward brakes.
C. How does operator isolate the failure? Not possible.
D. Corrective action: Increase pedal force slightly to stop safely.
E. Effect of likely incorrect action: None.
F. How does maintenance crew isolate failure? Disassemble master cylinder and visually inspect.

REMARKS: Latent loss of half of hydraulic brake system may cause difficulty in showing Pr < [illegible]. Consider monitor scheme to detect loss of redundancy.

(FMEA sheet 5 of 5, rear brake line, hydraulic line leaks fluid: duplicate of the worksheet reproduced above.)

[Figure CA2173.08: AUTOMOBILE BRAKE SYSTEM, NEW LAYOUT BASED ON FHA AND FMEA. Labels: firewall; master cylinder; rear left; front left.]

[Figure: AUTOMOBILE BRAKING SYSTEM, EXPANDING FROM THE BASIC TREE STRUCTURE (fault tree diagram).]

FAULT TREE DATA SUBSTANTIATION

EVENT: Pedal attachment fails
  Where found / identifier no.: Main tree, level 5, near right
  Failure rate: 2 x 10^-5 per hour. Justification: automobile failure data, NTSB, from ...
  Exposure time: 1 hr. Justification: failure annunciated immediately; conservative exposure time

EVENT: Handle (handbrake) jams in off position
  Where found / identifier no.: Main tree, level 5, near left
  Failure rate: 2 x 10^-[illegible] per hour. Justification: automobile failure data, NTSB, from ...
  Exposure time: 4 hr. Justification: assume operate car 1 hour per day and use handbrake once every 4 days; jammed handle will be apparent when pulled upon

EVENT: Differential pressure switch failure
  Where found / identifier no.: Main tree, bottom center
  Failure rate: 6.7 x 10^-[illegible] per hour. Justification: automobile failure data, NTSB, from ...
  Exposure time: 300 hr. Justification: switch will be checked at 7,500-mile servicing. Assume 25 mph average speed: 7,500 miles / 25 miles per hour = 300 hours

ETC.

NOTE: Failure rates are for example purposes only, not real data.

[Figures CA2173.11 and CA2173.12: AUTOMOBILE BRAKING SYSTEM, FAULT TREE NUMERIC RESULTS (transfer to tree results). Intermediate probabilities legible on the tree include Q = 3.764 x 10^-4 and Q = 1.12 x 10^-4 (failure of forward hydraulic transmission lines); other intermediate events shown are loss of rear hydraulic circuit and failure of slave cylinders. NOTE: failure rates are fabricated for example only and do not reflect real-world values.]

WHAT NOW?

+ Tree does not meet numeric criteria.
+ Summarizing intermediate answers to the basic top-level tree shows:
  + Loss of handbrake is driven solely by the operator forgetting to use it!
  + Monitor failing probability is very high due to 300-hr latency.

SOME DESIGN MODIFICATION ALTERNATIVES

+ Training people to use the handbrake in an emergency is not a likely solution.
+ Changing the design to add a check of the brake fail light could solve the problem: incorporate an ignition switch check that lights up the warning bulb when starting the car. This checks the bulb, ground, power, and socket.
+ Reduces latency exposure time from 300 hr to 1 hr for those failure modes.

[Figure: AUTOMOBILE BRAKE SYSTEM, NEW LAYOUT BASED ON FHA AND FMEA. Labels: hand brake; pedal brake.]

[Figure: AUTOMOBILE BRAKE SYSTEM, NEW LAYOUT BASED ON FHA, FMEA, AND FTA. Labels: hand brake; firewall; switch (momentary); front right.]

SSA (slide 98)

A system safety assessment is a systematic, comprehensive evaluation of the implemented system to be certified to show that the qualitative and quantitative safety requirements as defined in the FHA and PSSA have been met.


SSA (slide 99)

+ The SSA is usually based on the PSSA and FTA and uses the quantitative values obtained from the FMEA/FMES.
+ The SSA should verify that the FMEA effects and the FTA primary events are compatible.
+ The SSA should also include the common-cause analysis results.

SSA (slide 100)

+ Documentation
  + List of previously agreed-to event probabilities
  + System description
  + List of failure conditions and their classifications
  + Quantitative and qualitative analyses for failure conditions


Review (slide 101)

+ Design safety concept evolution leading to the fail-safe design concept
+ Basic attributes of safety assessment tools (i.e., FHA, FTA, FMEA, and CCA)
+ PSSA (identifies safety requirements) and SSA (evaluates safety requirements)

SYSTEM SAFETY ASSESSMENT (slide 102)


Appendix B

Questions for Reviewing System Safety Assessments


Ask yourself the following questions when reviewing system safety assessments.

When reviewing FHAs:

o Are all failure conditions adequately described with respect to loss of function and malfunction?
o Are all flight phases considered?
o Is the failure condition effect on the aircraft, crew and occupants described?
o Do the failure condition classifications seem reasonable? (Note: Compare with FHAs from previous similar projects as an extra aid to guard against overlooking some of the less frequently encountered failure conditions.)

When reviewing FTAs:

o Is the system design reflected in the construction of the fault tree?
o Do the probability budgets (PSSA) or actual probability values seem reasonable? (After reviewing several fault trees, you will develop a sense for reasonable probability values for certain types of failures, e.g., 1 x 10^-[illegible] for loss of a single hydraulic system, 10^-4 or 10^-[illegible] for loss of a single string electronic system, etc.)
o Are the exposure or at-risk periods identified, and do they make sense?
o Are imperfect monitor coverages (<100%) accounted for in the fault tree calculation?
o Is the independence of primary events verified with a common cause analysis or equivalent for redundant/monitored architectures?


When reviewing FMEAs:

o Do the effects described at the next higher level make sense given the particular system architecture?
o For functional FMEAs, are the failure modes adequately described? For example:
  Poor, not enough information:
    - 28V power supply fails
  Good, describes all possible functional failure modes:
    - 28V power supply short to ground
    - 28V power supply open
    - 28V power supply loss of/reduced filtering
    - 28V power supply out of specification/loss of regulation
o For a piece-part FMEA, are all component failure modes adequately described? (e.g., capacitor short, capacitor open, low capacitance)
o Are the detection means of significant failure modes specified? (Note: Not all FMEAs list detection method as part of the worksheets. However, the means of detection of significant failure modes should be documented as part of the overall safety assessment.)
o For quantitative FMEAs, are the failure rates obtained from reliable data sources? (e.g., if service history data are used, is the device technology and operating environment equivalent?)

Common Cause Analysis: (This is a relatively new concept as it is described in the ARPs. The major airframers have been addressing common cause failures using a variety of separate analyses, such as zonal analysis, wiring separation analysis, etc. Regardless of how the applicant packages the analysis, the overall objectives of common cause analysis should be satisfied. Heavy emphasis should be placed on common causes that contribute to catastrophic failure conditions, and to a lesser degree, common causes that contribute to hazardous failure conditions.)

Zonal Analysis:

o How, when, and by whom was the assessment made? (i.e., mock-ups, CAD/CAM, aircraft, etc.)
o Are potential equipment interferences properly highlighted as a potential problem?
o Have the problems highlighted in the analysis been adequately resolved? (i.e., deviations should result in a design change or justification of the design)

Particular Risks Analysis:

o Are the details of the particular risk defined and a failure model used by the analysis defined? (e.g., tire burst model)
o Are the affected zones and equipment identified? (e.g., landing gear bays, hydraulic lines, actuators, etc.)
o Are the consequences of the particular risk adequately described and resolved?

Common Mode Analysis:

o Are the potential common mode failures/errors associated with each significant AND gate in the FTA denoted? (e.g., requirements errors, maintenance errors, etc.)
o Are the potential common mode failures/errors adequately resolved? (e.g., Level A software for common requirements errors, special maintenance procedures for common mode maintenance errors, etc.)
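The fault-tree arithmetic behind three of the points above, worked in one added Python example: the "What now?" discussion of the brake-system tree (a dead brake-fail monitor exposed for 300 hr versus 1 hr once the ignition-switch bulb check is added), the FTA review questions on exposure periods and imperfect monitor coverage, and the Common Mode Analysis questions on what each AND gate demands. This code is not from the FAA course. The event names follow the page's brake-system tree; the monitor and handbrake rates are the course's fabricated teaching values with their exponents assumed where the scan is unreadable; the line-leak rate, the handbrake human-error probability, and the zone/supplier/power attributes attached to events are assumptions for illustration only.

```python
"""Fault-tree arithmetic for the course's automobile brake example: exposure
time (latency), imperfect monitor coverage, and the AND-gate independence
demands a common mode analysis has to discharge.

Added example, not FAA course material. All numeric values are either the
page's fabricated teaching values or assumptions marked below.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Basic:
    """Primary event: constant failure rate, latent for `exposure` hours."""
    name: str
    rate: float          # lambda, failures per operating hour
    exposure: float      # T, hours the failure can sit undetected
    attrs: dict = field(default_factory=dict)   # CMA hooks, e.g. {"zone": "underbody"}

    def prob(self) -> float:
        # P(failed somewhere in the exposure window) = 1 - exp(-lambda * T)
        return 1.0 - math.exp(-self.rate * self.exposure)


@dataclass
class Fixed:
    """Primary event with a per-demand probability (human error, coverage gap)."""
    name: str
    p: float
    attrs: dict = field(default_factory=dict)

    def prob(self) -> float:
        return self.p


@dataclass
class Gate:
    name: str
    kind: str            # "AND" or "OR"
    inputs: tuple

    def prob(self) -> float:
        ps = [c.prob() for c in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)                  # valid only if the inputs are independent
        return 1.0 - math.prod(1.0 - p for p in ps)


RATE_MONITOR = 6.7e-6        # differential pressure switch: mantissa from the page, exponent assumed
RATE_HANDLE_JAM = 2.0e-5     # handbrake handle jams in off position: exponent assumed
SERVICE_INTERVAL_H = 300.0   # 7,500 miles at 25 mph, from the page's data substantiation sheet
RATE_LINE_LEAK = 1.0e-6      # assumed: one hydraulic circuit loses fluid (leak, rupture, cracked B-nut)
P_FORGET_HANDBRAKE = 0.5     # assumed: driver does not reach for the handbrake in an emergency


def brake_tree(monitor_exposure_h: float, monitor_coverage: float = 1.0) -> Gate:
    """Slice of the page's tree: rear circuit lost first, forward circuit lost next.

    monitor_exposure_h: how long a dead brake-fail monitor goes unnoticed
    (300 h until service, 1 h once the ignition-switch bulb check exists).
    monitor_coverage: fraction of circuit losses the monitor can detect.
    """
    tubing = {"zone": "underbody", "supplier": "tubing vendor A"}   # hypothetical attributes
    monitor_dead = Basic("differential pressure switch failure", RATE_MONITOR,
                         monitor_exposure_h, {"power": "ignition bus"})
    # A rear-circuit loss stays latent for a whole service interval if the
    # monitor is dead, or if the monitor is alive but does not cover it.
    rear_latent = Gate("rear circuit lost, not annunciated", "OR", (
        Gate("monitor dead", "AND",
             (Basic("rear line leak (unmonitored)", RATE_LINE_LEAK, SERVICE_INTERVAL_H, tubing),
              monitor_dead)),
        Gate("monitor misses it", "AND",
             (Basic("rear line leak (missed)", RATE_LINE_LEAK, SERVICE_INTERVAL_H, tubing),
              Fixed("monitor coverage gap", 1.0 - monitor_coverage))),
    ))
    # Annunciated loss: the driver sees the light, so exposure is one drive (1 h).
    rear_annunciated = Basic("rear line leak (annunciated)", RATE_LINE_LEAK, 1.0, tubing)
    loss_foot = Gate("loss of foot brakes", "AND", (
        Gate("loss of rear circuit", "OR", (rear_latent, rear_annunciated)),
        Basic("forward line leak", RATE_LINE_LEAK, 1.0,
              {"zone": "engine bay", "supplier": "tubing vendor A"}),
    ))
    loss_hand = Gate("loss of hand brake", "OR", (
        Basic("handle jams in off position", RATE_HANDLE_JAM, 4.0, {"mechanism": "cable"}),
        Fixed("operator forgets hand brake", P_FORGET_HANDBRAKE),
    ))
    return Gate("loss of all brakes", "AND", (loss_foot, loss_hand))


def leaves(node):
    return [node] if not isinstance(node, Gate) else [b for c in node.inputs for b in leaves(c)]


def cma_demands(node):
    """For every AND gate, list attribute values shared by primary events on
    different inputs: each is an independence claim the CMA must justify."""
    demands = []
    if isinstance(node, Gate):
        if node.kind == "AND":
            per_input = [leaves(c) for c in node.inputs]
            for key in sorted({k for ls in per_input for b in ls for k in b.attrs}):
                seen = {}
                for ls in per_input:
                    for v in {b.attrs[key] for b in ls if key in b.attrs}:
                        seen[v] = seen.get(v, 0) + 1
                demands += [(node.name, key, v) for v, n in seen.items() if n >= 2]
        for c in node.inputs:
            demands += cma_demands(c)
    return demands


def top_probability(monitor_exposure_h: float, monitor_coverage: float = 1.0) -> float:
    return brake_tree(monitor_exposure_h, monitor_coverage).prob()


if __name__ == "__main__":
    for t in (SERVICE_INTERVAL_H, 1.0):
        print(f"monitor exposure {t:>5.0f} h: P(loss of all brakes) = {top_probability(t):.3e}")
    print(f"90% coverage, 1 h:        P(loss of all brakes) = {top_probability(1.0, 0.9):.3e}")
    for gate, key, value in cma_demands(brake_tree(1.0)):
        print(f"CMA demand at AND gate '{gate}': inputs share {key} = {value!r}")
```

Run as a script, it prints the top-event probability for the two monitor latencies and for a monitor with 90% coverage, then the one CMA demand the attribute walk finds: both hydraulic lines come from the same (hypothetical) tubing supplier, so a production flaw, one of the common modes listed on slide 82, could defeat the front/rear AND gate even though the new layout keeps the lines in separate zones. The 300 hr to 1 hr change cuts the monitor's own failure probability by about 300x, and the 10% coverage gap dominates everything else, which is why the review questions ask for both. The AND-gate product is only as good as the independence claim under it; that claim is exactly what the CMA is asked to verify.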


Appendix C

DRAFT Proposed Amended Rule Change to 25.1309
(To harmonize Subpart F of part 25 and Subpart F of JAR-25)


DRAFT

DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
[14 CFR Part 25]
[Docket No. ; Notice No. 97-]
RIN

Revised general function and installation requirements and equipment, systems and installations requirements for Transport Category Airplanes.

AGENCY: Federal Aviation Administration, DOT.
ACTION: Notice of proposed rulemaking.

SUMMARY: This notice proposes to revise the general function and installation requirements and equipment, systems and installations requirements of the Federal Aviation Regulations (FAR) for transport category airplanes by incorporating changes developed in cooperation with the Joint Aviation Authorities (JAA) of Europe and the Aviation Rulemaking Advisory Committee (ARAC). This action is necessary because current U.S. and European requirements impose unnecessary costs on airplane manufacturers. This action would reduce some of the testing and analysis requirements for systems which have no effect on airplane safety and establish common U.S. and European requirements at a reduced cost to the airplane manufacturers. This action would make some of the requirements more rational and eliminate differences between current U.S. and European requirements that impose unnecessary costs on airplane manufacturers. These proposals are intended to achieve common requirements and language between the requirements of the U.S. regulations and the Joint Aviation Requirements (JAR) of Europe while maintaining at least the level of safety provided by the current regulations.

DATES: ( ) 1997.

ADDRESSES: Comments on this notice may be mailed in triplicate to: Federal Aviation Administration (FAA), Office of the Chief Counsel, Attention: Rules Docket (AGC-200), Docket No. , 800 Independence Avenue SW., Washington, DC 20591; or delivered in triplicate to: Room 915G, 800 Independence Avenue SW., Washington, DC 20591. Comments delivered must be marked Docket No. . Comments may be examined in Room 915G weekdays, except Federal holidays, between 8:30 a.m. and 5:00 p.m. In addition, the FAA is maintaining an information docket of comments in the Transport Airplane Directorate (ANM-100), FAA, 1601 Lind Avenue SW., Renton, WA 98055-4056. Comments in the information docket may be examined weekdays, except Federal holidays, between 7:30 a.m. and 4:00 p.m.

FOR FURTHER INFORMATION CONTACT: Charles Huber, Systems and Flight Test Branch, ANM-111, Transport Airplane Directorate, Aircraft Certification Service, FAA, 1601 Lind Avenue, SW., Renton, WA 98055-4056; telephone (206) 227-2589.

SUPPLEMENTARY INFORMATION

Comments Invited

Interested persons are invited to participate in this proposed rulemaking by submitting such written data, views, or arguments as they may desire. Comments relating to any environmental, energy, or economic impact that might result from adopting the proposals contained in this notice are invited. Substantive comments should be accompanied by cost estimates. Commenters should identify the regulatory docket or notice number and submit comments in triplicate to the Rules Docket address above. All comments received on or before the closing date for comments will be considered by the Administrator before taking action on this proposed rulemaking. The proposals contained in this notice may be changed in light of comments received. All comments received will be available in the Rules Docket, both before and after the comment period closing date, for examination by interested persons. A report summarizing each substantive public contact with FAA personnel concerning this rulemaking will be filed in the docket. Persons wishing the FAA to acknowledge receipt of their comments must submit with those comments

IVT/Self-Study Course Federal Aviation Administration

August, I998

System Safety Assessment C-l

Appendix C
DRAFT a self-addressed, stamped postcard on which the following statement The postcard will be date/time stamped and returned to the commenter. is made: Comments to Docket NO. .

Availability of NPRM

Any person may obtain a copy of this notice by submitting a request to the Federal Aviation Administration, Office of Public Affairs, Attention: Public Inquiry Center, APA-230, 800 Independence Avenue SW., Washington, DC 20591; or by calling (202) 267-3484. Communications must identify the notice number of this NPRM. Persons interested in being placed on a mailing list for future rulemaking documents should also request a copy of Advisory Circular No. 11-2A, Notice of Proposed Rulemaking Distribution System, which describes the application procedure.

Background

The manufacturing, marketing and certification of transport airplanes is increasingly an international endeavor. In order for U.S. manufacturers to export transport airplanes to other countries, the airplane must be designed to comply not only with the U.S. airworthiness requirements for transport airplanes (14 CFR part 25) but also with the transport airworthiness requirements of the countries to which the airplane is to be exported. The European countries have developed a common airworthiness code for transport category airplanes that is administered by the Joint Aviation Authorities (JAA) of Europe. This code is the result of a European effort to harmonize the various airworthiness codes of the European countries and is called the Joint Aviation Requirements (JAR)-25. It was developed in a format similar to 14 CFR part 25. Many other countries have airworthiness codes that are aligned closely to part 25 or to JAR-25, or they use these codes directly for their own certification purposes. Although JAR-25 is very similar to part 25, there are differences in methodologies and criteria that often result in the need to address the same design objective with more than one kind of analysis or test in order to satisfy both the part 25 and JAR airworthiness codes. These differences result in additional costs to the transport airplane manufacturers and additional costs to the U.S. and foreign authorities that must continue to monitor compliance with a variety of different airworthiness codes.

In 1988, the FAA, in cooperation with the JAA and other organizations representing the U.S. and European aerospace industries, began a process to harmonize the airworthiness requirements of the United States with the airworthiness requirements of the European authorities. The objective was to achieve common requirements for the certification of transport category airplanes without a substantive change in the level of safety provided by the regulations. Other airworthiness authorities such as Transport Canada have also participated in this process. In 1992, the harmonization effort was undertaken by the Aviation Rulemaking Advisory Committee (ARAC). By notice in the Federal Register (58 FR 13819, March 15, 1993) the FAA chartered a working group of industry and government specialists from Europe, the United States, and Canada. The harmonization effort has now progressed to a point where some specific proposals have been developed by the working group for the system design and analysis requirements of Subpart F of part 25, Equipment, and these proposals have been recommended to the FAA by letter dated ___, 1998. This notice contains the proposals necessary to achieve harmonization for the system design and analysis requirements of part 25. The ARAC working group is also considering other changes to the system design and analysis requirements that may become proposals for future rulemaking. Certain technical differences in the part 25 and JAR-25 system design and analysis requirements have resulted in extensive revision or redevelopment of the criteria and methodology for specific requirements and identified new issues which may be made the subject of future notices. Some standards were already in the process of revision and improvement by the FAA in conjunction with aviation industry committees, including the Society of Automotive Engineers, RTCA, Inc. and EUROCAE, when the harmonization effort was initiated. These changes have also been included in the harmonization process and the results are included in this notice. In addition, there has been coordination with the Power Plant Installation Harmonization Working Group to provide system design and analysis requirements which are common and applicable to both Subpart E, Propulsion, and Subpart F, Equipment, of part 25. Because the means of compliance recognized by the FAA to meet the system design and analysis requirements are complex and in some cases different from those used by the JAA, a harmonized advisory circular/advisory material joint was generated by the ARAC process and is included as a part of this notice.

This notice provides changes to the general function and installation requirements and the system design and analysis requirements of Subpart F of part 25 which were identified as part of the activities associated with the harmonization of Section 25.1309, and a revision to Advisory Circular No. 25.1309, System Design and Analysis. A comparison of the proposals in this NPRM with the current version of JAR-25 may not show identical wording between the proposed part 25 sections and the equivalent JAR-25 sections since, in many cases, proposals are being made to change both the FAR and the JAR versions at the same time. However, the proposals in this notice, when taken in context with the Notices of Proposed Amendment (NPA) currently proposed by the JAA and FAA Notice No. ___, will harmonize the general function and installation requirements and the system design and analysis requirements of Subpart F of part 25 and Subpart F of JAR-25.

Two minority opinions regarding the advisory circular and advisory material joint were registered by one member of the harmonization working group. The first is in regard to the definition and calculation of mean flight duration in paragraph 5.c and in Appendix 3 of the advisory circular/advisory material joint. The dissenter is concerned that the mean flight duration should be defined and calculated based on an average weighting, particularly for airplanes for which a wide variation in utilization roles is expected. The dissenter's concern is that without such weighting, airplanes which are marketed and sold on the basis of having a long range capability (for example, flights of more than seven hours duration) may be used in a majority of flights in short range roles (for example, flights on the order of one to two hours duration). When looking at the intended usage, the dissenter's concern is that it may be found that such airplanes could spend a significant amount of their accumulated flight time (roughly on the order of thirty percent to forty percent) in long range usage. Thus, when looking at the total fleet hours, the vast majority of the cumulative flight hours for such airplanes could be spent on long range flights. Appendix 3 of the draft AC/AMJ proposes that the average flight duration should reflect the applicant's best estimate of the cumulative flight hours divided by the cumulative aircraft flights for the service life of the aircraft. The dissenter is concerned that using an unweighted calculation, as the advisory circular suggests, would not be sufficiently conservative for cases where wide variation in utilization roles is expected. The working group majority does not concur that weighting is necessary as an explicit item in the advisory material. Appendix 3 of the advisory material states that the average flight duration should be estimated based on the applicant's expectations and historical experience for similar types. The working group majority maintained that a weighting factor, as expressed in the minority opinion, would not be appropriate as a general requirement for all airplane types, but that when intended usage and historical experience formed the basis for calculating flight duration, it is intended that any weighting factors deemed appropriate for a particular airplane type should be agreed with the regulatory authority.
The second minority opinion is in regard to the advisory circular/advisory material joint, paragraph 8.d, wherein it is provided that exceptionally, if it is not technologically or economically practicable to meet the numerical criteria for a catastrophic Failure Condition, the safety objective may be met by accomplishing all of the following: (1) utilizing well proven methods for the design and construction of the system; and (2) determining the Average Probability per Flight Hour of each Failure Condition using structured methods, such as Fault Tree Analysis, Markov Analysis, or Dependency Diagrams; and (3) demonstrating that the sum of the Average Probabilities per Flight Hour of all catastrophic Failure Conditions caused by systems is on the order of 10^-7 or less. The dissenter's concern is that the advisory material, for certain catastrophic single failures, may be overriding the regulation. Also, the dissenter is concerned with the use of the term "economically practicable," and maintains that economic practicability should not be a concern for airworthiness standards. The dissenter is also concerned with the possible subjectivity in interpreting this statement, and by what means such an exception would be formally recognized. The working group majority does not concur. The majority maintains that in certain exceptional cases, the technology necessary to meet a requirement may be beyond current engineering capabilities or may only be available at a cost so prohibitive as to be unavailable in any practical sense. To assure that marginal or even frivolous claims regarding technological or economic nonpracticability would be appropriately dealt with, the working group stipulated that the requirements of 8.d(1), (2) and (3), reproduced above, should apply, so that the analysis, regardless of exceptional claims, was both rigorous and assured that the overall system safety objective was met.
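Both minority opinions turn on quantities the draft AC/AMJ asks the applicant to compute: the mean flight duration (cumulative flight hours divided by cumulative flights, as Appendix 3 defines it) and the Average Probability per Flight Hour of each catastrophic Failure Condition, obtained by a structured method such as Fault Tree Analysis and then summed against the 10^-7 figure of paragraph 8.d(3). The Python script below is a worked example added here; it is not part of the FAA notice or of the AC/AMJ. The utilization profile, the failure-condition names, the failure rates and the check interval are all constructed; the evaluator (Event, Gate, assess_catastrophic) is a minimal fault-tree calculator with independent inputs, an exponential failure model, and latent failures taken as exposed for their whole check interval (the conservative choice). The per-condition objective of 10^-9 per flight hour is the conventional catastrophic objective of AC 25.1309 and is not stated in this section; it is a parameter so it can be changed.

```python
"""Added worked example (not from the FAA notice): mean flight duration from a
utilization profile, fault-tree evaluation of catastrophic Failure Conditions,
and the per-condition and summed per-flight-hour checks described in the text.
The utilization profile, rates and intervals below are constructed."""
import math
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed utilization profile: (number of flights, hours per flight).
# 70 % of flights short-range, 30 % long-range: the first minority opinion's case.
UTILIZATION = [(700, 1.5), (300, 8.0)]


def mean_flight_duration(profile):
    """Appendix 3 definition as described in the text: cumulative flight hours
    divided by cumulative flights over the service life, with no role weighting."""
    hours = sum(n * h for n, h in profile)
    flights = sum(n for n, _ in profile)
    return hours / flights


def long_range_share(profile, threshold_hours):
    """(share of flights, share of flight hours) at or above the threshold."""
    flights = sum(n for n, _ in profile)
    hours = sum(n * h for n, h in profile)
    lr_flights = sum(n for n, h in profile if h >= threshold_hours)
    lr_hours = sum(n * h for n, h in profile if h >= threshold_hours)
    return lr_flights / flights, lr_hours / hours


@dataclass
class Event:
    """Basic event with a constant failure rate (failures per flight hour).
    check_interval=None: the failure is annunciated, so it is exposed only for
    the flight. Otherwise the failure is latent and, conservatively, is taken
    as exposed for the whole interval between checks (hours)."""
    name: str
    rate: float
    check_interval: Optional[float] = None

    def probability(self, t_flight):
        exposure = t_flight if self.check_interval is None else self.check_interval
        return 1.0 - math.exp(-self.rate * exposure)


@dataclass
class Gate:
    """AND/OR gate over basic events or other gates; inputs are independent."""
    kind: str
    inputs: List[Union["Event", "Gate"]]

    def probability(self, t_flight):
        ps = [i.probability(t_flight) for i in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)
        raise ValueError(f"unknown gate kind {self.kind!r}")


def average_probability_per_flight_hour(tree, t_flight):
    """Probability of the Failure Condition per flight, normalised to flight hours."""
    return tree.probability(t_flight) / t_flight


def assess_catastrophic(conditions, t_flight, per_condition=1e-9, fleet_sum=1e-7):
    """conditions: {name: fault tree}. Returns each condition's Average Probability
    per Flight Hour, whether it meets the per-condition objective, and the summed
    check of paragraph 8.d(3). 1e-9 is the conventional AC 25.1309 catastrophic
    objective, assumed here; the text itself only gives the 1e-7 sum."""
    per_fh = {n: average_probability_per_flight_hour(t, t_flight)
              for n, t in conditions.items()}
    meets = {n: p <= per_condition for n, p in per_fh.items()}
    total = sum(per_fh.values())
    return {"per_flight_hour": per_fh, "meets_objective": meets,
            "sum": total, "sum_within_8d": total <= fleet_sum}


# Constructed catastrophic Failure Conditions; names and numbers are hypothetical.
FAILURE_CONDITIONS = {
    # Two independent, monitored systems must both be lost in the same flight.
    "loss of both hydraulic systems": Gate("AND", [
        Gate("OR", [Event("pump A", 1e-5), Event("reservoir A leak", 1e-6)]),
        Gate("OR", [Event("pump B", 1e-5), Event("reservoir B leak", 1e-6)]),
    ]),
    # A latent monitor failure (checked every 2000 h) combined with an active failure.
    "undetected erroneous output": Gate("AND", [
        Event("comparator latent failure", 1e-5, check_interval=2000.0),
        Event("sensor active failure", 1e-6),
    ]),
}

if __name__ == "__main__":
    t_f = mean_flight_duration(UTILIZATION)
    print(f"mean flight duration: {t_f:.2f} h")
    print("long-range share (flights, hours):", long_range_share(UTILIZATION, 7.0))
    result = assess_catastrophic(FAILURE_CONDITIONS, t_f)
    for name, p in result["per_flight_hour"].items():
        print(f"{name}: {p:.2e} per flight hour, meets 1e-9: {result['meets_objective'][name]}")
    print(f"sum: {result['sum']:.2e}, within 8.d(3) 1e-7: {result['sum_within_8d']}")
```

With the constructed profile, 30 percent of flights but about 70 percent of flight hours are long-range, which is the situation the dissenter describes; the unweighted Appendix 3 mean is 3.45 hours, and any role weighting would have to be agreed with the authority as the majority position states. The second condition illustrates why the 8.d sum is not a substitute for the per-condition objective: the 2000-hour latent exposure puts it near 2 x 10^-8 per flight hour, which fails 10^-9 even though the sum of both conditions stays below 10^-7 (read here, as an assumption, as a hard threshold for "on the order of"). The practical fix is a shorter check interval or in-flight monitoring of the comparator, not a claim under 8.d. Exposing a latent item for the full interval is conservative; the averaged treatment over the interval would halve that term.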

Discussion
Modern transport airplanes contain equipment which has no effect on the safe operation of the airplane. Typically, this equipment is associated with amenities for the passengers and includes entertainment displays, audio systems, in-flight telephones, lighting, and equipment for food storage and preparation. A minor problem for airplane manufacturers has been caused when certification authorities question installations of this type because they are not performing in accordance with their system specifications and therefore are not functioning properly when installed. The proper functioning of such equipment is not necessary for the safe operation of the airplane. The only safety issue associated with this type of equipment and system is its possible interference with other airplane equipment, either as a result of its normal operation or in the event of its failure. These requirements are now contained in Section 25.1309(a) and (b), and acceptable means of compliance are described in the advisory circular. Section 25.1301(d) is deleted as being redundant with the revision to 25.1309(a). The requirement for equipment and systems which have an effect on the safe operation of the airplane or which are required to be installed by regulation is now contained in 25.1309(a)(1) and is discussed below in more detail. For equipment which does not affect the safe operation of the airplane, these changes to 25.1301(d) and 25.1309(a) are intended to eliminate the requirement to demonstrate that this type of equipment performs its intended function when installed. In addition, the changes to 25.1301(d) and 25.1309(a) are intended to simplify the safety assessment and to reduce the testing necessary for environmental qualification of this type of equipment to those tests necessary to verify that its normal operation does not interfere with the proper operation of other equipment. The title of Section 25.1309 is modified to include a reference to the advisory circular, to be compatible with JAA practice.

The FAA interpretation of the requirements of Section 25.1309 has been that it is a rule of general applicability which is applicable unless its requirements conflict with the more specific requirements of another section of Part 25. The JAA has interpreted the requirements of Paragraph 25.1309 to be applicable in addition to the requirements of other sections of Part 25. The harmonized requirements of Section/Paragraph 25.1309 contain a new introductory paragraph to identify the applicability more explicitly. It is intended that the requirements of 25.1309 are applicable in addition to specific regulations that may apply, except where the requirements of 25.1309, or a part of them, are excepted in the regulation. Certain single failures or jams covered by §/JAR 25.671(c)(1) and §/JAR 25.671(c)(3) are excepted from the requirements of §/JAR 25.1309(b)(1)(ii). Section 25.671(c)(1) and JAR 25.671(c)(1) are not yet harmonized. Section 25.671(c)(1) requires the consideration of single failures, regardless of the probability of the failure. JAR 25.671(c)(1) does not consider the effects of single failures if their probability is shown to be extremely improbable and the failures also meet the requirements of JAR 25.571(a) and (b). Certain single failures covered by 25.735(b)(1) are excepted from the requirements of 25.1309(b). The reason concerns the brake system requirement that limits the effect of a single failure to doubling the brake roll stopping distance. This requirement has been shown to provide a satisfactory level of safety without the need to analyze the particular circumstances and conditions under which the single failure occurs. The failure effects covered by 25.810(a)(1)(v) and 25.812 are also excepted from the requirements of 25.1309(b). The failure conditions associated with these cabin safety equipment installations are associated with varied evacuation scenarios for which the probability cannot be determined. It has not been proven possible to define appropriate scenarios under which compliance with FAR/JAR 25.1309(b) can be demonstrated. It is therefore considered more practical to require particular design features or specific reliability demonstrations and to except these items of equipment from the requirements of §/JAR 25.1309(b). Traditionally, this approach has been found to be acceptable.

The requirements of 25.1309 are generally applicable to engine, propeller, and propulsion system installations. The specific applicability and exceptions are stated in §/JAR 25.901(c). Section 25.901(c) and JAR 25.901(c) are in the process of being harmonized. It is intended that both §/JAR 25.901(c) and §/JAR 25.1309 are issued concurrently.
Section 25.1309(a) is revised to eliminate the reference to equipment, systems, and installations whose functioning is required by this subchapter. This phrase did not appear in the JAA wording. As part of the considerations for the Airworthiness Review Program, Amendment No. 5 (42 FR 36960, July 18, 1977), Proposal 5-22 proposed the replacement of the word "subchapter" with the word "chapter" in Section 25.1309(a) and (e). The change was not adopted because commentators objected to broadening the scope of the requirement to include systems, equipment and installations required by the subchapters dealing with various operating rules. In addition, there was a concern that the change could be interpreted as requiring the installation of equipment prescribed by an operating rule in order to obtain a type certificate, even though the airplane was not operated in accordance with those operating rules. In order to harmonize with the JAR requirement, clarify the classification of the severity of failure conditions associated with the loss or malfunction of systems, equipment or installations which are part of the airplane type design and are also required by an operating rule, and also to remove unnecessary requirements currently imposed on installed equipment and systems which do not have an effect on the safe operation of the airplane, the word "subchapter" has been deleted. This change broadens the scope of existing Section 25.1309(a) to all installed airplane equipment and systems whose improper functioning would reduce safety, regardless of whether required by type certification rules, required by operating rules, or not required (i.e., optional equipment). The increasing complexity and interdependence of airplane equipment and systems and the desire to improve safety make it necessary to evaluate all such systems at the time of type certification and to identify the standards which were used to evaluate them. However, for systems required by the operating rules or for optional equipment, it is now recognized and acknowledged that the operating rules or associated supporting advisory material applicable at the time of type certification should be the criteria used for normal performance or failure assessment. The discussions associated with the development of this rule also identified a problem with the way current systems, particularly those associated with communications, navigation and surveillance, are evaluated and limited by airplane flight manual limitations. One commenter believed that in some cases the FAA applies limitations in a manner which is contrary to the intent of FAR regulations associated with airplane flight manual operating limitations. The commenter believed that airplane flight manual limitations should not be issued against possible future uses of equipment and systems, because the use of such systems must be considered in the context of the airspace characteristics and operating procedures. Members of the Systems Design and Analysis Harmonization Working Group, which provided the basis for this NPRM, generally concurred with these sentiments, but believed that the solution of this problem was beyond the scope of the working group. It is recommended that Advisory Circular 25.1581-1 be revised to provide more specific guidance on the use of flight manual limitations.

Section 25.1309(a) now has requirements for two different classes of equipment and systems installed in the airplane. The requirements for these two classes are covered by 25.1309(a)(2), for installed equipment and systems which do not have an effect on the safe operation of the airplane, and by 25.1309(a)(1), for installed equipment and systems which do have a safety effect or are installed in order to meet regulatory requirements for type certification or operational approval. The phrase "improper functioning" is intended to identify equipment and system failures which have an effect on airplane safety and are therefore failure conditions. The known loss of optional equipment or systems is not typically considered to adversely affect safety. Any installed equipment or system, the failure or malfunction of which results in a minor or more severe failure condition, is considered to have an effect on the safe operation of the airplane. The environmental qualification requirements for certification of the airplane equipment and systems which do not have a safety effect are reduced to those tests necessary to verify that their normal operation does not interfere with the proper operation of other equipment. Although these types of equipment and systems are not required to function properly when installed, they must be functioning when tested to verify that they do not interfere with the operation of other airplane equipment and systems. Other environmental testing for this type of equipment is no longer required. In addition, 25.1309(a)(2) and the information in the advisory circular describe the minimum safety assessment applicable to these types of equipment and systems, with the intent of reducing the cost of certification to airplane and equipment manufacturers without reducing the level of safety provided by part 25. As a minimum, a qualitative evaluation of the design and installation of such equipment and systems as installed in the airplane must be performed to determine that neither their normal operation nor their failure will adversely affect the operation of other systems or the safety of occupants of the airplane. It is expected that in most cases normal installation practices will result in sufficiently obvious isolation between systems to allow substantiation of the isolation based only on the qualitative evaluation. If isolation between systems is questionable or is provided by complex means, more formal methods of analysis or a design change may be necessary.

The requirement to function properly when installed has been modified for the airplane equipment and systems which have a safety effect or which are required by regulation for certification or operational approval. For this type of equipment and systems, the requirement to function properly when installed, formerly contained in 25.1301(d), has been expanded and is now contained in 25.1309(a)(1). This type of equipment and systems must be designed and installed to function as intended when the airplane is exposed to its operating and environmental conditions. The words "function as intended" are used to provide a regulatory requirement to limit design and implementation errors. The advisory circular describes acceptable means of compliance by reference to various industry standards which provide development assurance for a system and its components, including both software and hardware. The intended functions of this type of equipment must be performed satisfactorily when the equipment is installed and the airplane is operated in its expected environment. Note that unusual functional inputs and environmental conditions can be generated for each item of installed equipment when the airplane is operated at the limits of its expected environment. This requirement has been changed to include the consideration of airplane operating and environmental conditions rather than "any foreseeable operating condition." This change was made in response to the observation that although certain operating conditions are foreseeable, it is not always possible to achieve normal performance when they exist. For example, ash clouds from volcanic eruptions are foreseeable, but airplanes with current technology cannot safely fly in such clouds.

Section 25.1309(b) is revised to use failure condition categories and probability terms that have been harmonized with the JAA. Although the terminology has changed, the intent has not been changed from the current regulation, except that an additional requirement has been added which requires that catastrophic failure conditions do not result from the failure of any single component or part. The definition of these terms and the means of compliance with these requirements are explained in detail in the advisory circular. This change is being made to harmonize the wording and interpretation of the FAA and JAA requirements and to explicitly include a fail-safe design requirement that single failures must not result in catastrophic failure conditions, regardless of their probability. This change removes perceived differences in the FAA and JAA interpretation of this requirement and is compatible with the single failure concepts of the Power Plant Installation Harmonization Working Group.

Section 25.1309(c) has been revised to be compatible with the requirements of Section 25.1322, which distinguishes between caution, warning, and advisory lights. Rather than a warning, which is required by the current rule, Section 25.1309(c) has been revised to require that information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action. A warning indication is only required if immediate crew member action is required. The advisory circular has been revised to describe recommended practices associated with failure monitoring and annunciation. Information about other unsafe system operating conditions can be in the form of data shown on a cockpit display, or a status, advisory, or caution message with appropriate alerting. The particular method of indication depends on the urgency and need for flight crew awareness or action that is necessary for the particular failure. The wording of the requirement for the design of systems and controls, including indications and annunciations, to minimize crew errors which could create additional hazards has been revised to clarify the intent. The additional hazards to be minimized are those which could occur after a failure and are caused by inappropriate crew member actions made in response to the failure. The costs and benefits of these changes are TBD.

Section 25.1309(d) has been deleted because this section actually describes a means of compliance with the requirements of 25.1309(b). The advisory circular now contains a means of compliance which is similar, but not identical, to the requirements formerly stated in Section 25.1309(d). The advisory circular describes the factors which must be considered in the analysis needed to show compliance with Section 25.1309(b). The analysis has been expanded to require the consideration of failure conditions and their causes, crew errors, maintenance errors, specification errors, design errors, implementation errors and environmental conditions. The wording has been revised to consider alerting cues rather than warning cues.

Further revisions have been made to the current advisory material associated with JAR/FAR 25.1309. These revisions cover the rule changes, add material to address advances in technology, and provide clearer guidance in the areas where the intent of the rule is unchanged. The following section of this preamble amplifies the intent of certain changes to the advisory material. Considerable effort has been put into developing Aerospace Recommended Practices (ARP 4754 and ARP 4761) for carrying out safety assessments for airborne systems and equipment, particularly for highly integrated or complex aircraft. This work is considered worthwhile, and the ARP documents merit recognition in the advisory material as a useful means of demonstrating compliance with the requirements of FAR/JAR 25.1309; it was never the intention, however, that the applicant be in any way constrained to using the referenced ARPs to demonstrate compliance. Section 9.b(5) covers the use of crew and maintenance actions to assist the applicant in demonstrating compliance with FAR/JAR 25.1309. The activities identified in the advisory material which should be accomplished to demonstrate compliance are not changed in principle from existing advice. The intent is that reasonable judgment by appropriate specialists will conclude that the given indication will be recognized and the appropriate actions correctly carried out. Section 8 of the advisory material introduces the new concept of the No Safety Effect hazard category. This is considered a useful addition to cover those failures where it can be demonstrated that there is no effect on the safety of the aircraft or its occupants, although they may cause some inconvenience to those occupants. It is not the intent to require any analysis beyond that required to demonstrate that the failure falls into the No Safety Effect category, which will normally be through the design and installation appraisal. Since the safety assessment is by its nature predictive, the assessment will require the use of failure rates and mechanisms based on or derived from experience with similar systems and components. It is appropriate that a reasonable level of justification be given for the data used and the assumptions made to accomplish the safety assessments. Recognizing the inherent limitations in the safety assessment process, it is not intended in Paragraph 11.h of the advisory material to always require the highest level of rigor in the justification of the assumptions, data sources and analytical techniques, but rather a level appropriate to the criticality of the system being analyzed. The costs and benefits of these changes are TBD.

A new Section 25.1310 has been added for power distribution systems. These requirements, formerly contained in Section 25.1309(e) and (f), are not directly related to the other safety and analysis requirements of Section 25.1309 and are stated separately for the purpose of clarity. There is no significant change to these requirements. The requirements formerly contained in Section 25.1309(g) have been deleted because they were considered to be redundant. Since there is no significant change to the requirements, there is no increase in cost associated with the addition of Section 25.1310. Section 25.1310 and JAR 25.1310 will not be completely harmonized, in that JAR 25.1310 contains requirements for maintenance of airworthiness of essential services after failure of any two engines on a three-engine airplane.

Regulatory Evaluation Summary

Preliminary Regulatory Evaluation, Initial Regulatory Flexibility Determination, and Trade Impact Assessment

Proposed changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866 directs that each Federal agency shall propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 requires agencies to analyze the economic effect of regulatory changes on small entities. Third, the Office of Management and Budget directs agencies to assess the effects of regulatory changes on international trade. In conducting these analyses, the FAA has determined that this rule: (1) would generate benefits that justify its costs and is not a significant regulatory action as defined in the Executive Order; (2) is not significant as defined in the Department of Transportation's (DOT) Regulatory Policies and Procedures; (3) would not have a significant impact on a substantial number of small entities; and (4) would not constitute a barrier to international trade. These analyses, available in the docket, are summarized below.

Regulatory Evaluation

Depending on airplane design and the equipment installed, the proposed changes to section 25.1301 would result in savings in compliance costs for some manufacturers. There would not be an increase in compliance costs for any manufacturer. The proposed change to section 25.1309 and the revised advisory circular would TBD. The addition of section 25.1310 is editorial in nature and has no effect on compliance costs for any manufacturer. The FAA solicits information from manufacturers and other interested parties concerning these and other benefits of the proposed rule.

Regulatory Flexibility Determination

The Regulatory Flexibility Act of 1980 (RFA) was enacted by Congress to ensure that small entities are not unnecessarily and disproportionately burdened by Federal regulations. The RFA requires agencies to determine whether rules would have a significant economic impact on a substantial number of small entities and, in cases where they would, to conduct a regulatory flexibility analysis. Based on FAA Order 2100.14A, Regulatory Flexibility Criteria and Guidance, the FAA has determined that the proposed revisions would not have a significant economic impact on a substantial number of small entities because there are no small manufacturers of transport category airplanes.

International Trade Impact Assessment

The proposed rule would not constitute a barrier to international trade, including the export of U.S. airplanes to foreign markets and the import of foreign airplanes into the United States. Because the proposed rule would harmonize with the JAR, it would, in fact, lessen restraints on trade.

Federalism Implications

The regulations proposed herein would not have substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. Thus, in accordance with Executive Order 12612, it is determined that this proposal does not have sufficient federalism implications to warrant the preparation of a Federalism Assessment.

Conclusion

Because the proposed changes to the general function and installation requirements are not expected to result in any substantial economic costs, the FAA has determined that this proposed regulation would not be significant under Executive Order 12866. Because there has not been significant public interest in this issue, the FAA has determined that this action is not significant under DOT Regulatory Policies and Procedures (44 FR 11034; February 26, 1979). In addition, since there are no small entities affected by this rulemaking, the FAA certifies that the rule, if promulgated, would not have a significant economic impact, positive or negative, on a substantial number of small entities under the criteria of the Regulatory Flexibility Act, since none would be affected. A copy of the regulatory evaluation prepared for this project may be examined in the Rules Docket or obtained from the person identified under the caption FOR FURTHER INFORMATION CONTACT.

List of Subjects in 14 CFR Part 25

Air transportation, Aircraft, Aviation safety, Safety.

The Proposed Amendments

Accordingly, the Federal Aviation Administration (FAA) proposes to amend 14 CFR part 25 of the Federal Aviation Regulations as follows:

PART 25 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES

1. The authority citation for Part 25 continues to read as follows:

Authority: 49 U.S.C. App. 1347, 1348, 1354(a), 1357(d)(2), 1372, 1421 through 1430, 1432, 1442, 1443, 1472, 1510, 1522, 1652(e), 1655(c), 1657(f); 49 U.S.C. 106(g).

2. Section 25.1301 is amended by deleting the text of paragraph (d).

IVT/Self-Study Course Federal Aviation Administration

August, 1998

System Safety Assessment C-8

Appendix C
3. Section 25.1309 is amended by revising the title and text to read as follows:

25.1309 Equipment, systems, and installations (see AC/AMJ 25.1309-XX)

The requirements of this section, except as identified below, are applicable, in addition to specific design requirements of part 25, to any equipment or system as installed in the airplane. Although this section does not apply to the performance and flight characteristic requirements of subpart B and the structural requirements of subparts C and D, it does apply to any system on which compliance with any of those requirements is dependent. Certain single failures or jams covered by §/JAR 25.671(c)(1) and §/JAR 25.671(c)(3) are excepted from the requirements of §/JAR 25.1309(b)(1)(ii). Certain single failures covered by §/JAR 25.735(b)(1) are excepted from the requirements of §/JAR 25.1309(b). The failure effects covered by §/JAR 25.810(a)(1)(v) and §/JAR 25.812 are excepted from the requirements of §/JAR 25.1309(b). The requirements of §/JAR 25.1309(b) apply to power plant installations as specified in §/JAR 25.901(c).

(a) The airplane equipment and systems must be designed and installed so that:

(1) Those required for type certification or by operating rules, or whose improper functioning would reduce safety, perform as intended under the airplane operating and environmental conditions.

(2) Other equipment and systems are not a source of danger in themselves and do not adversely affect the proper functioning of those covered by paragraph (a)(1) of this section.

(b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that

(1) Any catastrophic failure condition
(i) is extremely improbable; and
(ii) does not result from a single failure; and

(2) Any hazardous failure condition is extremely remote; and

(3) Any major failure condition is remote.

(c) Information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action. A warning indication must be provided if immediate corrective action is required. Systems and controls, including indications and annunciations, must be designed to minimize crew errors which could create additional hazards.

25.1310 Power source capacity and distribution

(a) Each installation whose functioning is required for type certification or by operating rules, and that requires a power supply is an essential load on the power supply. The power sources and the system must be able to supply the following power loads in probable operating combinations and for probable durations:


(1) Loads connected to the system with the system functioning normally.

(2) Essential loads, after failure of any one prime mover, power converter, or energy storage device.

(3) Essential loads after failure of
(i) Any one engine on two-engine airplanes; and
(ii) Any two engines on three-or-more engine airplanes.

(4) Essential loads for which an alternate source of power is required, after any failure or malfunction in any one power supply system, distribution system, or other utilization system.

(b) In showing compliance with paragraphs (a)(2) and (3) of this section, the power loads may be assumed to be reduced under a monitoring procedure consistent with safety in the kinds of operation authorized. Loads not required in controlled flight need not be considered for the two-engine-inoperative condition on airplanes with three or more engines.
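As an added illustration (not part of the draft rule or any FAA material), the following Python sketch checks a constructed twin-engine electrical layout against the load cases of paragraphs (a)(1) through (a)(3) above; paragraph (a)(4) and the load-shedding allowance of paragraph (b) are not modelled, and every source name, capacity and load figure is an assumption.

```python
"""Added example, not part of the FAA draft rule: a toy electrical-system model
checked against the load cases of proposed section 25.1310(a)(1)-(3).
Source names, capacities, loads and the twin-engine layout are constructed."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Source:
    name: str
    capacity_kw: float
    engine: Optional[str] = None  # engine driving this source; None for APU/battery

@dataclass(frozen=True)
class Load:
    name: str
    kw: float
    essential: bool  # required for type certification or by operating rules

def available_kw(sources, failed_sources=(), failed_engines=()):
    """Capacity remaining after the named sources and engines are lost."""
    return sum(s.capacity_kw for s in sources
               if s.name not in failed_sources and s.engine not in failed_engines)

def demand_kw(loads, essential_only):
    """Total demand, optionally counting only essential loads."""
    return sum(l.kw for l in loads if l.essential or not essential_only)

def check_25_1310a(sources, loads, engines):
    """Map each 25.1310(a) load case to True when remaining capacity covers it."""
    essential = demand_kw(loads, essential_only=True)
    # (a)(1): all connected loads with the system functioning normally
    normal = available_kw(sources) >= demand_kw(loads, essential_only=False)
    # (a)(2): essential loads after failure of any one source
    one_source = all(available_kw(sources, failed_sources={s.name}) >= essential
                     for s in sources)
    # (a)(3): essential loads after loss of one engine on twins, two on 3+ engines
    lost = 1 if len(engines) <= 2 else 2
    engine_out = all(available_kw(sources, failed_engines=set(combo)) >= essential
                     for combo in combinations(engines, lost))
    return {"(a)(1) normal": normal, "(a)(2) one source": one_source,
            "(a)(3) engine loss": engine_out}

def demo(essential_kw=120):
    """Constructed twin: two engine-driven generators plus an APU generator."""
    sources = [Source("GEN-L", 90, "left"), Source("GEN-R", 90, "right"),
               Source("APU-GEN", 90)]
    loads = [Load("essential bus", essential_kw, True), Load("galley", 40, False)]
    return check_25_1310a(sources, loads, ["left", "right"])
```

Raising the essential demand above what any two of the three sources can deliver makes the (a)(2) and (a)(3) cases fail while the normal case still passes, which is the pattern a reviewer looks for in a capacity analysis.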

Issued in Washington, D.C. on , 1997

Thomas E. McSweeny, Director, Aircraft Certification Service


Appendix D

Course Evaluation Forms


There are two course evaluation forms in this appendix. Please select the one appropriate for your course of study.
• IVT broadcast
• Self-study video course

If you are taking this course via IVT, then you will probably complete the course questionnaire by using the Viewer Response System keypad that you've been using during the course. Your IVT instructor will provide directions on how to complete the course evaluation.


IVT COURSE EVALUATION AIR - System Safety Assessment 8/12/98


Please give us your candid opinions concerning the training you've just completed. Your evaluation of the IVT course is important to us, and will help us provide the best possible products and services to you. Use your Viewer Response Keypad to answer the following questions.

                                    Very Good  Good  Average  Poor  Very Poor
1. Length of course                     A        B      C       D       E
2. Depth of information                 A        B      C       D       E
3. Pace of training                     A        B      C       D       E
4. Clarity of objectives                A        B      C       D       E
5. Sequence of content                  A        B      C       D       E
6. Quality of course materials          A        B      C       D       E
7. Quality of graphics/visual aids      A        B      C       D       E
8. Readability of text on monitor       A        B      C       D       E

Press the Flag key to indicate when you are ready to go to the next page.

                                                  Very Good  Good  Average  Poor  Very Poor
9. Effectiveness of instructor(s)                     A        B      C       D       E
10. Communication between student and instructor      A        B      C       D       E
11. Applicability of material to your job             A        B      C       D       E
12. Overall quality of the course                     A        B      C       D       E
13. Overall effectiveness of the IVT format           A        B      C       D       E

14. Would you like to take other IVT courses? A. YES

B. NO

C. UNDECIDED

15. On the key pad, enter your number of years of FAA experience. (numeric answer)

When finished, press the Next Quest key on your keypad and answer YES, then Enter.

Additional comments may be faxed to the IVT Studio: 405-954-0317 / 9507


Self-Study Video Course Evaluation AIR - System Safety Assessment


Original Broadcast Date: 8/12/98
Please give us your candid opinions concerning the training you've just completed. Your evaluation of the self-study video course is important to us, and will help us provide the best possible products and services to you.

Date(s) You Used the Self-Study Video Course Package:
Number of years of FAA experience:
(Optional) Name:
Office phone: ( )

For the following, please completely darken the circle appropriate to your response.

                                                          Very Good  Good  Average  Poor  Very Poor  N/A
1. Length of course                                           O        O      O       O       O       O
2. Depth of information                                       O        O      O       O       O       O
3. Pace of training                                           O        O      O       O       O       O
4. Clarity of objectives                                      O        O      O       O       O       O
5. Sequence of content                                        O        O      O       O       O       O
6. Amount of activities/practice                              O        O      O       O       O       O
7. Quality of course materials                                O        O      O       O       O       O
8. Effectiveness of instructor(s)                             O        O      O       O       O       O
9. Overall quality of the course                              O        O      O       O       O       O
10. Overall effectiveness of the self-study video format      O        O      O       O       O       O
11. Rate your level of knowledge of the topic before and after taking this self-study course.
    BEFORE THE COURSE:  Very O O O O O Very
    AFTER THE COURSE:   Very O O O O O Very

12. What did you like best about the course?

13. What would you improve in the course?

14. What previous experience, if any, have you had with self-study courses?
    O None    O Moderate    O Considerable

15. Were you comfortable with the self-study video format? If not, why not?
    O Yes    O No    O Undecided

16. Would you like to take other self-study video courses? If not, why not?
    O Yes    O No    O Undecided

17. Additional comments:

PLEASE SEND THIS COMPLETED FORM TO YOUR DIRECTORATE/DIVISION TRAINING MANAGER (ATM). THANK YOU.