Posted on: 11/20/2012
Civil Aircraft vs. Military Aircraft Safety Certification

Both the United States Department of Defense and the Federal Aviation Administration strive, through the regulatory process, to ensure aircraft are safe. MIL-STD-882D, Department of Defense Standard Practice for System Safety, provides safety certification guidance for military aircraft, and FAR (Federal Aviation Regulation) Parts 23, 25, 27 and 29 provide guidance for civil fixed and rotary wing aircraft. MIL-STD-882D provides some very specific guidance and is designed to be tailored depending on program scope. The FAR guidance is more general but is supplemented by AC (Advisory Circular) 25-1309-1A. In recent years the Society of Automotive Engineers (SAE), at the request of the FAA, published ARP (Aerospace Recommended Practice) 4761, "Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment", and ARP 4754, "Certification Considerations for Highly-Integrated or Complex Aircraft Systems", which attempt to provide specific guidance. For example, ARP 4761 lays out a sample system safety program including appropriate types of analyses and examples of analysis results.

While the safety certification approach of both organizations is similar, there is a fundamental difference. Both organizations use the forward-looking philosophy of Identify-Analyze-Control. The fundamental difference is "residual risk acceptance". To understand what I mean by residual risk acceptance, let's first look at Table 1 from MIL-STD-882D. After a hazard is identified and an analysis is performed, an index number from 1 to 20 is assigned based on the hazard's severity and frequency of occurrence.
Table 1 Hazard Risk Index

  FREQUENCY \ SEVERITY   CATASTROPHIC (1)   CRITICAL (2)   MARGINAL (3)   NEGLIGIBLE (4)   Quantitative rate
  FREQUENT (A)                   1                3               7               13        = or > 100/100K flt hrs
  PROBABLE (B)                   2                5               9               16        10-99/100K flt hrs
  OCCASIONAL (C)                 4                6              11               18        1.0-9.9/100K flt hrs
  REMOTE (D)                     8               10              14               19        0.1-0.99/100K flt hrs
  IMPROBABLE (E)                12               15              17               20        = or < 0.1/100K flt hrs

The four levels of severity are:

(1) CATASTROPHIC: Could result in death, permanent total disability, loss exceeding $1M, or irreversible severe environmental damage that violates law or regulation.
(2) CRITICAL: Could result in permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, loss exceeding $200K but less than $1M, or reversible environmental damage causing a violation of law or regulation.
(3) MARGINAL: Could result in injury or occupational illness resulting in one or more lost work day(s), loss exceeding $10K but less than $200K, or mitigable environmental damage without violation of law or regulation where restoration activities can be accomplished.
(4) NEGLIGIBLE: Could result in injury or illness not resulting in a lost work day, loss exceeding $2K but less than $10K, or minimal environmental damage not violating law or regulation.

The five levels of frequency can be expressed either qualitatively or quantitatively. Quantitative definitions are shown in Table 1; the qualitative definitions are:

A Frequent: Continuously experienced.
B Probable: Will occur frequently.
C Occasional: Will occur several times.
D Remote: Unlikely, but can reasonably be expected to occur.
E Improbable: Unlikely to occur, but possible.

When design and procedural options are exhausted, what remains is residual risk. Residual risk must be accepted at the appropriate level of authority, as shown below:

Index 1-5:   HIGH SAFETY RISK, Component Acquisition Executive (e.g. ASN (RD&A))
Index 6-10:  SERIOUS SAFETY RISK, Program Executive Officer
Index 11-17: MEDIUM SAFETY RISK, Program Manager
Index 18-20: LOW SAFETY RISK, as directed

The DOD aircraft safety certification process culminates with the acceptance of residual risk by the appropriate level of authority.

The civil aircraft safety certification process uses a similar approach that includes hazard identification, analysis and control. However, it does not classify hazards for the purpose of accepting residual risk. Civil aircraft safety certification depends on the applicant's ability to satisfactorily show that all failure conditions meet the appropriate level of probability. Table 2 shows the relationship between failure condition severity levels and both quantitative and qualitative probability levels.

Table 2 Civil Aircraft Severity and Probability Objectives

  Probability (quantitative)                 1.0 --------------- 1.0E-5 --------------- 1.0E-9
  Probability (qualitative)                  PROBABLE  |  IMPROBABLE  |  EXTREMELY IMPROBABLE
  Failure condition severity classification  MINOR  |  MAJOR  |  SEVERE MAJOR  |  CATASTROPHIC

The four severity levels are:

CATASTROPHIC: All failure conditions which prevent continued safe flight and landing.
SEVERE MAJOR: Large reduction in safety margins or functional capabilities, higher workload or physical distress such that the crew could not be relied upon to perform tasks accurately or completely, adverse effects upon occupants.
MAJOR: Significant reduction in safety margins or functional capabilities, significant increase in crew workload or in conditions impairing crew efficiency, some discomfort to occupants.
MINOR: Slight reduction in safety margins, slight increase in crew workload, some inconvenience to occupants.

The three failure condition probability levels are:

EXTREMELY IMPROBABLE: Failure conditions having a probability on the order of 1x10^-9 or less.
IMPROBABLE: Failure conditions having a probability on the order of 1x10^-5 or less, but greater than on the order of 1x10^-9.
PROBABLE: Failure conditions having a probability greater than on the order of 1x10^-5.

FAA Advisory Circular AC 25-1309-1A states that for any failure condition with catastrophic consequences the probability of occurrence must be shown to be less than or equal to 1x10^-9. There are no provisions to "accept" a hazardous condition with catastrophic consequences if its probability of occurrence is greater than 1x10^-9. Similar statements apply to the other severity and probability levels. To be acceptable, the system design must be changed to include additional mitigation, for example incorporation of redundant or more reliable components or systems.

Early in a civil aircraft development/modification program the applicant would discuss details of the safety program with the FAA certification office, including hazard identification techniques and analysis methods, the objective being to gain concurrence before expending considerable time and other resources. FAA review and acceptance of the results of the agreed-upon safety program serve as the basis for safety certification.
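As an added example (not code from the article), the following Python encodes both procedures described above: the MIL-STD-882D path from a quantitative frequency to a risk index and the authority that must accept the residual risk, and the civil check of a failure condition against its probability objective. The CATASTROPHIC objective of 1x10^-9 is from the article; the MAJOR and MINOR bounds are assumptions read from the layout of Table 2, and the function names are mine.

```python
# Added example (not from the article): encodes the two regimes it contrasts.
# Military: Table 1 frequency band -> risk index -> acceptance authority.
# Civil: AC 25-1309-1A probability objective, with no "accept" path.

# Table 1 risk index: frequency letter -> (CATASTROPHIC, CRITICAL, MARGINAL, NEGLIGIBLE)
RISK_INDEX = {"A": (1, 3, 7, 13), "B": (2, 5, 9, 16), "C": (4, 6, 11, 18),
              "D": (8, 10, 14, 19), "E": (12, 15, 17, 20)}
SEVERITY = {"CATASTROPHIC": 1, "CRITICAL": 2, "MARGINAL": 3, "NEGLIGIBLE": 4}

# Civil objectives per flight hour. CATASTROPHIC <= 1E-9 is stated in the article;
# the MAJOR and MINOR bounds are an ASSUMPTION read from the layout of Table 2.
CIVIL_OBJECTIVE = {"CATASTROPHIC": 1e-9, "MAJOR": 1e-5, "MINOR": 1.0}

def frequency_category(events_per_100k_flt_hrs):
    """Quantitative frequency band from Table 1 (events per 100K flight hours)."""
    # Table 1 lists 0.1 in both REMOTE and IMPROBABLE; 0.1 is treated as REMOTE here.
    for lower, cat in ((100, "A"), (10, "B"), (1.0, "C"), (0.1, "D")):
        if events_per_100k_flt_hrs >= lower:
            return cat
    return "E"

def military_risk(severity, events_per_100k_flt_hrs):
    """Risk index plus the authority that must accept the residual risk."""
    cat = frequency_category(events_per_100k_flt_hrs)
    idx = RISK_INDEX[cat][SEVERITY[severity] - 1]
    if idx <= 5:
        level, who = "HIGH", "Component Acquisition Executive"
    elif idx <= 10:
        level, who = "SERIOUS", "Program Executive Officer"
    elif idx <= 17:
        level, who = "MEDIUM", "Program Manager"
    else:
        level, who = "LOW", "as directed"
    return {"frequency": cat, "index": idx, "level": level, "accept_by": who}

def civil_probability_level(p_per_flt_hr):
    """Qualitative probability level from the article's three bands."""
    if p_per_flt_hr <= 1e-9:
        return "EXTREMELY IMPROBABLE"
    return "IMPROBABLE" if p_per_flt_hr <= 1e-5 else "PROBABLE"

def civil_compliant(severity, p_per_flt_hr):
    """True only if the objective is met; otherwise the design must change."""
    return p_per_flt_hr <= CIVIL_OBJECTIVE[severity]

def compare(p_per_flt_hr, mil_severity="CATASTROPHIC", civil_severity="CATASTROPHIC"):
    """Same failure condition under both regimes (per flight hour -> per 100K flight hours)."""
    return {"military": military_risk(mil_severity, p_per_flt_hr * 100_000),
            "civil": civil_probability_level(p_per_flt_hr),
            "civil_compliant": civil_compliant(civil_severity, p_per_flt_hr)}
```

Calling compare(1e-8) makes the article's point concrete: the same catastrophic failure condition lands at risk index 12 (MEDIUM, acceptable by a Program Manager) under MIL-STD-882D, yet fails the civil objective outright.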