Civil Aircraft vs - System Safety 4 U by J4nqtLd


Civil Aircraft vs. Military Aircraft Safety Certification

Both the United States Department of Defense (DoD) and the Federal Aviation Administration
(FAA) strive, through the regulatory process, to ensure that aircraft are safe. MIL-STD-882D,
Department of Defense Standard Practice for System Safety, provides safety certification
guidance for military aircraft, and FAR (Federal Aviation Regulations) Parts 23, 25, 27 and 29
provide guidance for civil fixed-wing and rotary-wing aircraft. MIL-STD-882D provides some very
specific guidance and is designed to be tailored to the scope of the program. The FAR guidance is
more general but is supplemented by AC (Advisory Circular) 25.1309-1A. In recent years the
Society of Automotive Engineers (SAE), at the request of the FAA, published ARP (Aerospace
Recommended Practice) 4761, "Guidelines and Methods for Conducting the Safety Assessment
Process on Civil Airborne Systems and Equipment", and ARP 4754, "Certification Considerations
for Highly-Integrated or Complex Aircraft Systems", which attempt to provide more specific
guidance. For example, ARP 4761 lays out a sample system safety program, including appropriate
types of analyses and examples of analysis results. While the safety certification approaches of
the two organizations are similar, there is a fundamental difference.

Both organizations use the forward-looking philosophy of Identify-Analyze-Control. The
fundamental difference is "residual risk acceptance". To understand what I mean by residual risk
acceptance, let's first look at Table 1 from MIL-STD-882D. After a hazard is identified and an
analysis is performed, an index number from 1 to 20 is assigned based on the hazard's severity
and frequency of occurrence.

                                  Table 1 Hazard Risk Index

FREQUENCY (per 100K flt hrs)     CATASTROPHIC (1)   CRITICAL (2)   MARGINAL (3)   NEGLIGIBLE (4)
FREQUENT (A)     >= 100                 1                3               7               13
PROBABLE (B)     10 - 99                2                5               9               16
OCCASIONAL (C)   1.0 - 9.9              4                6              11               18
REMOTE (D)       0.1 - 0.99             8               10              14               19
IMPROBABLE (E)   <= 0.1                12               15              17               20

The four levels of severity are:
    (1) CATASTROPHIC: Could result in death, permanent total disability, loss
        exceeding $1M, or irreversible severe environmental damage that violates law or
        regulation.
    (2) CRITICAL: Could result in permanent partial disability, injuries or occupational illness
        that may result in hospitalization of at least three personnel, loss exceeding $200K but
        less than $1M, or reversible environmental damage causing a violation of law or
        regulation.
    (3) MARGINAL: Could result in injury or occupational illness resulting in one or more lost
        work day(s), loss exceeding $10K but less than $200K, or mitigable environmental
        damage without violation of law or regulation where restoration activities can be
        accomplished.
    (4) NEGLIGIBLE: Could result in injury or illness not resulting in a lost work day, loss
        exceeding $2K but less than $10K, or minimal environmental damage not violating law
        or regulation.

The five levels of frequency can be expressed either qualitatively or quantitatively. Quantitative
definitions are shown in Table 1 and qualitative definitions are:
    A Frequent: Continuously experienced.
    B Probable: Will occur frequently.
    C Occasional: Will occur several times.
    D Remote: Unlikely, but can reasonably be expected to occur.
    E Improbable: Unlikely to occur, but possible.

When design and procedural options are exhausted what remains is residual risk. Residual risk
must be accepted at the appropriate level of authority as shown below:

Index 1 - 5:   HIGH SAFETY RISK, Component Acquisition Executive (e.g. ASN (RD&A))
Index 6 - 10:  SERIOUS SAFETY RISK, Program Executive Officer
Index 11 - 17: MEDIUM SAFETY RISK, Program Manager
Index 18 - 20: LOW SAFETY RISK, as directed

The DOD aircraft safety certification process culminates with the acceptance of residual risk by
the appropriate level of authority.

The civil aircraft safety certification process uses a similar approach that includes hazard
identification, analysis and control. However, it does not classify hazards for the purpose of
accepting residual risk. Civil aircraft safety certification depends on the applicant's ability to
show satisfactorily that every failure condition meets the probability objective appropriate to its
severity. Table 2 shows the relationship between failure condition severity levels and both
quantitative and qualitative probability levels.

                 Table 2 Civil Aircraft Severity and Probability Objectives

Probability (quantitative)    1.0               1.0E-5                             1.0E-9
Probability (qualitative)      | PROBABLE       | IMPROBABLE                        | EXTREMELY IMPROBABLE
Failure Condition Severity     | MINOR          | MAJOR           | SEVERE MAJOR    | CATASTROPHIC

The four severity levels are:
    CATASTROPHIC: All failure conditions which prevent continued safe flight and
        landing.
    SEVERE MAJOR: Large reduction in safety margins or functional capabilities, higher
        workload or physical distress such that the crew could not be relied upon to perform
        tasks accurately or completely, adverse effects upon occupants.
    MAJOR: Significant reduction in safety margins or functional capabilities, significant
        increase in crew workload or in conditions impairing crew efficiency, some discomfort
        to occupants.
    MINOR: Slight reduction in safety margins, slight increase in crew workload, some
        inconvenience to occupants.

The three failure condition probability levels are:
    EXTREMELY IMPROBABLE: Failure conditions having a probability on the order of 1x10^-9 or
        less.
    IMPROBABLE: Failure conditions having a probability on the order of 1x10^-5 or less, but
        greater than on the order of 1x10^-9.
    PROBABLE: Failure conditions having a probability greater than on the order of 1x10^-5.

FAA Advisory Circular AC 25.1309-1A states that for any failure condition with catastrophic
consequences the probability of occurrence must be shown to be less than or equal to 1x10^-9.
There is no provision to "accept" a hazardous condition with catastrophic consequences if its
probability of occurrence is greater than 1x10^-9, and similar statements apply to the other
severity and probability levels. To be acceptable the system design must be changed to include
additional mitigation, for example the incorporation of redundant or more reliable components or
systems.
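To make the difference concrete, the following Python is an added worked example (not part of the original article) that encodes Table 1, the acceptance-authority ranges and Table 2 from this page and runs the same failure condition through both regimes. It assumes that the AC 25.1309-1A figures are average probability per flight hour (the unit the AC uses, which the page does not state), so a per-flight-hour value is multiplied by 100,000 to land on Table 1's per-100K-flight-hour bands; that the lower bound of each Table 1 band is inclusive; and that SEVERE MAJOR, which Table 2 places inside the IMPROBABLE band without a separate figure, shares MAJOR's 1E-5 objective. Function names and the sample probabilities are my own.

```python
# --- MIL-STD-882D side: Table 1 ---------------------------------------------
# Hazard Risk Index by frequency level (row) and severity category (column,
# 1 = CATASTROPHIC ... 4 = NEGLIGIBLE), copied from Table 1 above.
HAZARD_RISK_INDEX = {
    "A": (1, 3, 7, 13),     # FREQUENT
    "B": (2, 5, 9, 16),     # PROBABLE
    "C": (4, 6, 11, 18),    # OCCASIONAL
    "D": (8, 10, 14, 19),   # REMOTE
    "E": (12, 15, 17, 20),  # IMPROBABLE
}

# Residual-risk acceptance authority by index range, from the text above.
ACCEPTANCE_AUTHORITY = [
    (1, 5, "HIGH", "Component Acquisition Executive"),
    (6, 10, "SERIOUS", "Program Executive Officer"),
    (11, 17, "MEDIUM", "Program Manager"),
    (18, 20, "LOW", "as directed"),
]

def frequency_level(rate_per_100k_flt_hrs):
    """Occurrences per 100,000 flight hours -> Table 1 level A..E.
    Lower bounds are taken as inclusive (assumption: the table leaves gaps
    such as 99 to 100); exactly 0.1 is IMPROBABLE, defined as '= or < 0.1'."""
    if rate_per_100k_flt_hrs >= 100:
        return "A"
    if rate_per_100k_flt_hrs >= 10:
        return "B"
    if rate_per_100k_flt_hrs >= 1.0:
        return "C"
    if rate_per_100k_flt_hrs > 0.1:
        return "D"
    return "E"

def hazard_risk_index(severity, level):
    """Severity 1..4 and frequency level A..E -> Table 1 index 1..20."""
    if severity not in (1, 2, 3, 4):
        raise ValueError(f"severity must be 1-4, got {severity}")
    return HAZARD_RISK_INDEX[level][severity - 1]

def acceptance_authority(index):
    """Index 1..20 -> (risk level, who must accept the residual risk)."""
    for low, high, risk, authority in ACCEPTANCE_AUTHORITY:
        if low <= index <= high:
            return risk, authority
    raise ValueError(f"index must be 1-20, got {index}")

# --- AC 25.1309-1A side: Table 2 --------------------------------------------
# Probability ceiling for each failure-condition severity. Assumption: values
# are average probability per flight hour, the unit the AC uses but the page
# does not state. MINOR has no numeric ceiling (PROBABLE is anything above
# 1E-5). SEVERE MAJOR sits inside the IMPROBABLE band of Table 2 with no
# separate figure, so it is given MAJOR's objective here (assumption).
CIVIL_OBJECTIVE = {
    "MINOR": None,
    "MAJOR": 1e-5,
    "SEVERE MAJOR": 1e-5,
    "CATASTROPHIC": 1e-9,
}

def civil_probability_level(p_per_flt_hr):
    """Probability per flight hour -> Table 2 qualitative level."""
    if p_per_flt_hr <= 1e-9:
        return "EXTREMELY IMPROBABLE"
    if p_per_flt_hr <= 1e-5:
        return "IMPROBABLE"
    return "PROBABLE"

def civil_compliant(severity, p_per_flt_hr):
    """True if the failure condition meets its Table 2 objective. There is no
    acceptance path on this side: False means the design must change."""
    ceiling = CIVIL_OBJECTIVE[severity]
    return ceiling is None or p_per_flt_hr <= ceiling

def compare(p_per_flt_hr, mil_severity, civil_severity):
    """Run one failure condition through both regimes. The per-flight-hour
    probability is scaled by 100,000 to reach Table 1's per-100K-hour bands."""
    level = frequency_level(p_per_flt_hr * 1e5)
    index = hazard_risk_index(mil_severity, level)
    risk, authority = acceptance_authority(index)
    return {
        "mil_frequency": level,
        "mil_index": index,
        "mil_risk": risk,
        "mil_acceptance": authority,
        "faa_level": civil_probability_level(p_per_flt_hr),
        "faa_compliant": civil_compliant(civil_severity, p_per_flt_hr),
    }

if __name__ == "__main__":
    # Constructed illustration: one catastrophic failure condition evaluated at
    # three predicted probabilities per flight hour.
    for p in (1e-6, 5e-9, 1e-9):
        r = compare(p, mil_severity=1, civil_severity="CATASTROPHIC")
        print(f"{p:.0e}/flt hr: 882D index {r['mil_index']} ({r['mil_risk']}, "
              f"accepted by {r['mil_acceptance']}); AC 25.1309-1A "
              f"{r['faa_level']}, compliant={r['faa_compliant']}")
```

Run as a script, the three catastrophic cases show the point of the article numerically: at 1E-6 and at 5E-9 per flight hour, MIL-STD-882D lands on index 12 (MEDIUM, acceptable by the Program Manager), while AC 25.1309-1A rejects both because only 1E-9 or less is Extremely Improbable. Note that Table 1's IMPROBABLE band (0.1 or fewer occurrences per 100K flight hours, i.e. 1E-6 per hour or less) contains the entire civil catastrophic objective, three orders of magnitude below the band's top: one regime asks who may accept the remaining risk, the other asks only whether the number is met.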

Early in a civil aircraft development or modification program the applicant discusses the details
of its safety program with the FAA certification office, including hazard identification techniques
and analysis methods, the objective being to gain concurrence before expending considerable time
and other resources. FAA review and acceptance of the results of the agreed-upon safety program
serve as the basis for safety certification.
