Expert's Corner - AC 25.1309: FAR 25 Sec. 25.1309 Equipment, Systems, and Installations
8. ACCEPTABLE TECHNIQUES

The applicant is responsible for applying reasonable
criteria and experienced engineering and operational
judgment to identify and classify each failure condition and
to choose the methods of assessment to be used to determine
compliance with paragraphs 25.1309(b), (c), and (d). All
relevant applicant engineering organizations, such as
systems, structures, propulsion, and flight test, should be
involved in the identification and classification of failure
conditions. The applicant should then obtain early
concurrence of the cognizant certificating office on the
failure conditions, their classifications, and the choice of
an acceptable means of compliance. This paragraph describes
acceptable techniques, but not the only techniques, for
determining compliance. (Paragraph 12 briefly and partially
summarizes these techniques.) Regardless of the techniques
used, the considerations described in Paragraphs 7c and 7e
should always be taken into account.
a. Functional Hazard Assessment. A useful
preliminary step is to conduct a functional hazard
assessment (FHA) to identify and classify potentially
hazardous failure conditions, and to describe them in
functional and operational terms. An FHA is qualitative and
is conducted using experienced engineering and operational
judgment. The criteria described in Paragraph 7f are
sometimes sufficient for systems as described therein. For
other systems, an FHA tends to be structured because it
involves a comprehensive, systematic, deductive, high-level
examination of system functional failures to identify and
classify the resulting failure conditions. An FHA is often
used by applicants as a preliminary engineering tool to help
determine the acceptability of a design concept, to identify
potential problem areas or desirable design changes, or to
determine the need for and scope of any additional analyses.
At the applicant's option, an FHA may be included in the
certification documentation. In some cases, it may show that
additional documentation is not needed.
b. Analysis of Minor Failure Conditions. An
analysis, which could be an FHA, should consider the effects
of system failures on other systems or their functions. It
is complete if it shows that system failures would cause
only minor failure conditions. If the system, in itself, has
the potential for only minor failure conditions, and the
common design practice of providing physical and functional
isolation between it and other systems is used, an analysis
that shows such isolation is usually sufficient.
c. Analysis of Major Failure Conditions. Major
failure conditions must be shown to be improbable. Those
that are more severe (reference Paragraph 6h(2)(ii)) should
have smaller probabilities than those that are less severe
(reference Paragraph 6h(2)(i)). The considerations described
in Paragraphs 7c and 7e should always be taken into
account.
(1) Using experienced engineering and operational
judgment, an assessment as described in Paragraph 7f is
often sufficient. Compliance may also be shown qualitatively
by a failure modes and effects analysis, or by a fault tree
or reliability block diagram analysis. A quantitative
analysis is sometimes used to support experienced judgment
and to supplement qualitative analysis for the more severe
major failure conditions.
(2) An analysis of a redundant system is usually complete
if it shows isolation between redundant system channels and
satisfactory reliability for each channel. For complex
systems, a failure modes and effects analysis or a fault
tree or reliability block diagram analysis is often used to
show that isolation actually exists (i.e., that any single
failure would not affect more than one redundant system
channel), and to show that the failure modes of the system
do not have any adverse effects on safety-related functions
performed by other systems.
d. Analysis of Catastrophic Failure Conditions.
Catastrophic failure conditions must be shown to be
extremely improbable. A very thorough safety assessment is
necessary. The considerations described in Paragraphs 7c and
7e should always be taken into account.
(1) The assessment usually consists of an appropriate
combination of qualitative and quantitative analyses, such
as those described in Paragraphs 9 and 10.
(2) Using experienced engineering and operational
judgment, an assessment as described in Paragraph 7f is
sometimes sufficient, provided that the service experience
data, which should be based on commonly-used systems that are
identical or have a very close similarity in their relevant
attributes, show that no potentially catastrophic defects
have been discovered in the identical or similar systems or
their installations.
e. Operational and Environmental Conditions. A
probability of one should usually be used for encountering a
discrete condition for which the airplane is designed, such
as instrument meteorological conditions or Category III
weather operations. On the other hand, reasonable and
rational consideration of the statistically derived
probability of a random condition may usually be included in
an analysis, provided it is based on an applicable
supporting data base and its statistical distribution. When
combining the probability of such a random condition with
that of a system failure, care should be taken to ensure
that the condition and the system failure are independent of
one another, or that any dependencies are properly accounted
for. Two examples of the reasonable and rational use of such
random conditions are the encountering of hazardous
turbulence or gust levels after the failure of a structural
load alleviation system, and the availability of a suitable
alternate airport having a crosswind lower than that at the
intended destination airport after a system failure that
results in a loss of high rudder authority. The applicant
should obtain early concurrence of the cognizant
certificating office when such conditions are to be included
in an analysis.
f. Latent Failures. A latent failure is one which
is inherently undetected when it occurs. A significant
latent failure is one which would, in combination with one
or more other specific failures or events, result in a
hazardous failure condition. Because the frequency at which
a device is checked directly affects the probability that
any latent failure of that device exists, CCRs (reference
Paragraph 6b) may be used to help show compliance with
paragraphs 25.1309(b) and (d)(2) for significant latent
failures. However, the use of CCRs or other checks in lieu
of practical and reliable failure monitoring and warning
systems to detect significant latent failures when they
occur does not comply with paragraphs 25.1309(c) and (d)(4).
A practical failure monitoring and warning system is one
which is considered to be within the state-of-the-art. A
reliable failure monitoring and warning system is one which
would not result in either excessive failures of a genuine
warning, or excessive or untimely false warnings which can
sometimes be more hazardous than lack of provision for, or
failures of, genuine but infrequent warnings. Experienced
judgment should be applied when determining whether or not a
failure monitoring and warning system would be practical and
reliable. Comparison with similar, previously approved
systems is sometimes helpful. Paragraphs 8g(4) and 11
provide further guidance on the use of CCRs.
g. Acceptable means of compliance with 25.1309(c).
Section 25.1309(c) requires that warning information must be
provided to alert the crew to unsafe system operating
conditions, and to enable them to take appropriate
corrective action. It also requires that systems, controls,
and associated monitoring and warning means must be designed
to minimize crew errors which could create additional
hazards. Compliance with this section is shown
qualitatively.
(1) Failure warning or indication may either be natural
(inherent) or designed into a system. In either case, it
should be timely, rousing, obvious, clear, and unambiguous.
It should occur at a point in a potentially catastrophic
sequence of failures where the airplane's capability and the
crew's ability still remain sufficient for appropriate
corrective crew action.
(2) Unless they are accepted as normal airmanship,
procedures for the crew to follow after the occurrence of
failure warning should be described in the FAA-approved
Airplane Flight Manual (AFM) or AFM revision or
supplement.
(3) Even if operation or performance is unaffected or
insignificantly affected at the time of failure, warning is
required if it is considered necessary for the crew to take
any action or observe any precautions. Some examples would
include reconfiguring a system, being aware of a reduction
in safety margins, changing the flight plan or regime, or
making an unscheduled landing to reduce exposure to a more
hazardous failure condition that would result from
subsequent failures or operational or environmental
conditions. Warning is also required if a failure must be
corrected before a subsequent flight. If operation or
performance is unaffected or insignificantly affected,
warning may be inhibited during specific phases of flight
where corrective action by the crew is considered more
hazardous than no action.
(4) The use of CCRs or other checks in lieu of practical
and reliable failure monitoring and warning systems to
detect significant latent failures when they occur does not
comply with paragraphs 25.1309(c) and (d)(4). Paragraphs 8f
and 11 provide further guidance on the use of CCRs.
(5) The assumptions of Paragraph 11a that the flightcrew
will take appropriate corrective action and perform required
checks correctly are based on compliance with the
requirement for a design that minimizes the potential for
hazardous crew errors; however, quantitative assessments of
the probabilities of crew errors are not considered
feasible. Particular attention should be given to the
placement of switches or other control devices, relative to
one another, so as to minimize the potential for inadvertent
incorrect crew action, especially during emergencies or
periods of high workload. Extra protection, such as the use
of guarded switches, may sometimes be needed.
9. QUALITATIVE ASSESSMENT

Various methods for assessing the causes, severities, and
likelihood of potential failure conditions are available to
support experienced engineering and operational judgment.
Some of these methods are structured. The various types of
analysis are based on either inductive or deductive
approaches. Descriptions of typical types of analysis and
explanations of qualitative probability terms are provided
below.
a. Design Appraisal. A qualitative appraisal of
the integrity and safety of the design. An effective
appraisal requires experienced judgment, and in accordance
with Paragraph 7e, should place special emphasis on any
failure conditions that are likely to prevent continued safe
flight and landing.
b. Installation Appraisal. A qualitative appraisal
of the integrity and safety of the installation. An
effective appraisal requires experienced judgment, and in
accordance with Paragraph 7e, should place special emphasis
on any failure conditions that are likely to prevent
continued safe flight and landing. Any deviations from
normal, industry-accepted installation practices, such as
clearances or tolerances, should be evaluated, especially
when appraising modifications made after entry into
service.
c. Failure Modes and Effects Analysis. A
structured, inductive, bottom-up analysis which is used to
evaluate the effects on the system and the airplane of each
possible element or component failure. When properly
formatted, it will aid in identifying latent failures, and
the possible causes of each failure mode.
d. Fault Tree or Reliability Block Diagram
Analysis. Structured, deductive, top-down analyses which
are used to identify the conditions, failures, and events
that would cause each defined failure condition. They are
graphical methods of identifying the logical relationship
between each particular failure condition and the primary
element or component failures, other events, or combinations
thereof that can cause it. A failure modes and effects
analysis is usually used as the source document for those
primary failures or other events. A fault tree analysis is
failure-oriented, and is conducted from the perspective of
which failures must occur to cause a defined failure
condition. A reliability block diagram analysis is
success-oriented, and is conducted from the perspective of
which failures must not occur to preclude a defined failure
condition.
e. Qualitative Probability Terms. When using
qualitative analyses to determine compliance with 25.1309
(b), the following descriptions of the probability terms
used in this regulation and this AC have become commonly
accepted as aids to engineering judgment:
(1) Probable failure conditions are those anticipated to
occur one or more times during the entire operational life
of each airplane.
(2) Improbable failure conditions are those not
anticipated to occur during the entire operational life of a
single random airplane. However, they may occur occasionally
during the entire operational life of all airplanes of one
type.
(3) Extremely improbable failure conditions are those so
unlikely that they are not anticipated to occur during the
entire operational life of all airplanes of one type.
10. QUANTITATIVE ASSESSMENT

A quantitative analysis may be used to support experienced
engineering and operational judgment and to supplement
qualitative analyses. A description of such an analysis,
discussion and guidance information, and explanations of
quantitative probability terms are provided below. A
quantitative analysis is often used for catastrophic or
severe major failure conditions of systems that are complex,
that have insufficient service experience to help
substantiate their safety, or that have attributes that
differ significantly from those of conventional systems.
a. Probability Analysis. A failure modes and
effects, fault tree, or reliability block diagram analysis
which also includes numerical probability information. The
probabilities of primary failures can be determined from
failure rate data and exposure times, using failure rates
derived from service experience on identical or similar
items, or acceptable industry standards. The conventional
mathematics of probability can then be used to calculate the
estimated probability of each failure condition as a
function of the estimated probabilities of its identified
contributory failures or other events.
(1) It is recognized that, for various reasons, component
failure rate data are not precise enough to enable accurate
estimates of the probabilities of failure conditions. This
results in some degree of uncertainty, as indicated by the
wide line on Figure 1, Probability vs. Consequence Graph,
and the expression "on the order of" in the descriptions of
the quantitative probability terms that are provided in
Paragraph 10b. When calculating the estimated probability of
each failure condition, this uncertainty should be accounted
for in a way that does not compromise safety.
(2) Because the improbable range is broad (reference
Paragraph 8c), the applicant should obtain early concurrence
of the cognizant certificating office on an acceptable
probability for each major failure condition. Unless
acceptable probability criteria are provided elsewhere, such
as in other ACs, acceptable probabilities for failure
conditions should be derived from complete event scenarios
leading to an inability for continued safe flight and
landing. The considerations described in Paragraphs 7c and
7e should always be taken into account so that the
probability requirements are rational and realistically
based. Using experienced engineering and operational
judgment, acceptable probabilities should have reasonable
tolerances because the uncertainty is accounted for as
discussed in Paragraph 10a(1).
b. Quantitative Probability Terms. When using
quantitative analyses to help determine compliance with
25.1309(b), the following descriptions of the probability
terms used in this regulation and this AC have become
commonly accepted as aids to engineering judgment. They are
usually expressed in terms of acceptable numerical
probability ranges for each flight-hour, based on a flight
of mean duration for the airplane type. However, for a
function which is used only during a specific flight
operation; e.g., takeoff, landing, etc., the acceptable
probability should be based on, and expressed in terms of,
the flight operation's actual duration.
(1) Probable failure conditions are those having a
probability greater than on the order of 1 x 10^-5.
(2) Improbable failure conditions are those having a
probability on the order of 1 x 10^-5 or less, but
greater than on the order of 1 x 10^-9.
(3) Extremely Improbable failure conditions are those
having a probability on the order of 1 x 10^-9 or
less.
11. OPERATIONAL AND MAINTENANCE CONSIDERATIONS

This AC addresses only those operational and maintenance
considerations that are directly related to compliance with
paragraphs 25.1309(b), (c), and (d); other operational and
maintenance considerations are not discussed herein.
Flightcrew and groundcrew tasks related to compliance with
this regulation should be appropriate and reasonable.
However, as discussed in Paragraph 8g(5), quantitative
assessments of the probabilities of crew errors are not
considered feasible. Therefore, reasonable tasks are those
for which full credit can be taken because the flightcrew or
groundcrew can realistically be anticipated to perform them
correctly and when they are required or scheduled. In
addition, based on experienced engineering and operational
judgment, the discovery of obvious failures during normal
operation and maintenance of the airplane may be considered,
even though such failures are not the primary purpose or
focus of the operational or maintenance actions.
a. Flightcrew Action. When assessing the ability
of the flightcrew to cope with a failure condition, the
warning information and the complexity of the required
action should be considered (reference Paragraph 8g(5)). If
the evaluation indicates that a potential failure condition
can be alleviated or overcome during the time available
without jeopardizing other safety-related flightcrew tasks
and without requiring exceptional pilot skill or strength,
credit may be taken for correct and appropriate corrective
action, for both qualitative and quantitative assessments.
Similarly, credit may be taken for correct flightcrew
performance of CCRs if overall flightcrew workload during
the time available to perform them is not excessive and if
they do not require exceptional pilot skill or strength.
Unless flightcrew actions are accepted as normal airmanship,
they should be described in the FAA-approved AFM or AFM
revision or supplement.
b. Groundcrew Action. Credit may be taken for
correct groundcrew accomplishment of reasonable CCRs, for
both qualitative and quantitative assessments. Such
requirements should be provided for use in FAA-approved
maintenance programs.
c. Certification Check Requirements. As discussed
in Paragraphs 6b and 8f, CCRs (also referred to as
Certification Maintenance Requirements, or CMRs) may be
needed to help show compliance with 25.1309(b) and (d)(2)
for significant latent failures. Rational methods, which
usually involve quantitative analyses or relevant service
experience data, should be used to determine CCR intervals.
These intervals should have reasonable tolerances so that
CCRs can be performed concurrently with other maintenance,
inspection, or check procedures not required by design for
compliance with paragraphs 25.1309(b) and (d)(2). Such
tolerances are acceptable because the uncertainty described
in Paragraph 10a(1) is accounted for as discussed therein.
If CCRs are used, they and their intervals and tolerances,
and any post-certification changes, or procedures provided
in the type design for an airplane owner or operator to make
such changes, should be approved by, or with the concurrence
of, the certificating office having cognizance over the type
design that relates to the system and its installation.
(1) Any applicant originating CCRs that are to be
performed by flightcrews should provide all relevant
information to owners and operators of the airplane in the
FAA-approved AFM or AFM revision or supplement.
(2) Any applicant originating CCRs that are to be
performed by groundcrews should provide all relevant
information to owners and operators of the airplane early
enough for well-planned, timely incorporation into
FAA-approved maintenance programs. If appropriate, approved
procedures for reasonable adjustments to CCR intervals as a
result of knowledge acquired from service experience may be
provided for use in FAA-approved maintenance programs.
(3) Any owner or operator of an airplane may request that
alternative CCRs or their intervals be allowed and specified
in an operations specification approved under the applicable
operating regulation or in accordance with an FAA-approved
maintenance program. As discussed in Paragraph 11c,
concurrence of the certificating office having cognizance
over the type design that relates to the system and its
installation is necessary.
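The probability arithmetic described in Paragraphs 10a and 10b, applied to a small fault tree that contains a latent failure whose exposure time is set by a CCR interval (Paragraphs 8f and 11c), as an added example that is not part of the AC or of ASTECH's material. The tree, the failure rates, the mean flight duration and the conservative treatment of the latent failure are assumptions constructed for illustration; the events are taken to be independent, which Paragraph 8e says must be established before probabilities are combined.

```python
"""Added example (not from AC 25.1309-1A or ASTECH).

Evaluates a constructed fault tree numerically (Paragraph 10a), treats a
standby channel's failure as latent with the CCR interval as its exposure
time (Paragraphs 8f, 11c), classifies the top event against the
per-flight-hour bands of Paragraph 10b, and derives the longest CCR
interval that keeps the top event extremely improbable (Paragraph 11c).
"""
import math

# Paragraph 10b bands, per flight-hour ("on the order of").
PROBABLE_ABOVE = 1e-5
EXTREMELY_IMPROBABLE_AT_OR_BELOW = 1e-9


def classify(p_per_flight_hour):
    """Map a per-flight-hour probability to the Paragraph 10b term."""
    if p_per_flight_hour > PROBABLE_ABOVE:
        return "probable"
    if p_per_flight_hour > EXTREMELY_IMPROBABLE_AT_OR_BELOW:
        return "improbable"
    return "extremely improbable"


def p_fail(rate_per_hour, exposure_hours):
    """Probability that a constant-failure-rate item fails within exposure_hours."""
    return 1.0 - math.exp(-rate_per_hour * exposure_hours)


def p_latent(rate_per_hour, check_interval_hours):
    """Conservative probability that an undetected (latent) failure is present.
    The failure is charged with the whole CCR interval as exposure, i.e. the
    worst point of the interval, erring on the safe side (Paragraph 10a(1))."""
    return p_fail(rate_per_hour, check_interval_hours)


def evaluate(node):
    """Evaluate a tree of ("AND", [...]) / ("OR", [...]) gates whose leaves are
    probabilities. Inputs to a gate are assumed independent (Paragraph 8e)."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    ps = [evaluate(c) for c in children]
    if gate == "AND":   # all inputs must fail
        return math.prod(ps)
    if gate == "OR":    # any input fails: 1 - P(none fail)
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")


# Constructed (assumed) figures for a two-channel function with an unmonitored
# standby channel; not taken from any real airplane or data base.
MEAN_FLIGHT_HOURS = 2.0        # mean flight duration for the type
ACTIVE_CHANNEL_RATE = 1e-6     # failures per hour, annunciated to the crew
STANDBY_CHANNEL_RATE = 1e-6    # failures per hour, latent: found only by a CCR
COMMON_CAUSE_RATE = 1e-10      # single event defeating both channels at once


def top_event_per_flight_hour(ccr_interval_hours):
    """Loss of the function = both channels failed, or a common-cause event.
    Returns the probability per flight-hour on the mean flight (Paragraph 10b)."""
    tree = ("OR", [
        ("AND", [
            p_fail(ACTIVE_CHANNEL_RATE, MEAN_FLIGHT_HOURS),
            p_latent(STANDBY_CHANNEL_RATE, ccr_interval_hours),
        ]),
        p_fail(COMMON_CAUSE_RATE, MEAN_FLIGHT_HOURS),
    ])
    return evaluate(tree) / MEAN_FLIGHT_HOURS


def max_ccr_interval(target=EXTREMELY_IMPROBABLE_AT_OR_BELOW,
                     lo=1.0, hi=1e6, iterations=200):
    """Longest CCR interval (hours) keeping the top event at or below target.
    Bisection applies because the probability only grows with the interval.
    Returns None if even an hourly check cannot meet the target (redesign)."""
    if top_event_per_flight_hour(lo) > target:
        return None
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if top_event_per_flight_hour(mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for interval in (5000.0, max_ccr_interval()):
        p = top_event_per_flight_hour(interval)
        print(f"CCR every {interval:8.1f} h -> {p:.2e}/flight-hour: {classify(p)}")
```

With the constructed rates, a 5000-hour check leaves the top event in the improbable band, and the derived interval of roughly 900 hours brings it to the extremely improbable boundary. A real CCR interval would then be set below that figure with a tolerance, as Paragraph 11c describes, and the conservative latent-failure exposure above is what makes that tolerance defensible under Paragraph 10a(1).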
d. Flight with Equipment or Functions Inoperative.
Any applicant may elect to develop a list of equipment and
functions which need not be operative for safe flight and
landing, based on stated compensating precautions that
should be taken; e.g., operational or time limitations, or
flightcrew or groundcrew checks. The documents used to show
compliance with paragraphs 25.1309(b), (c), and (d),
together with any other relevant information, should be
considered in the development of this list, which then
becomes the basis for a Master Minimum Equipment List
(MMEL). Experienced engineering and operational judgment
should be applied during the development of the MMEL.
12. STEP-BY-STEP GUIDE

This guide and Figure 2, Depth of Analysis Flowchart, are
provided primarily for the use of applicants who are not
familiar with the various methods and procedures generally
used by industry to conduct design safety assessments.
This guide and Figure 2 are not certification checklists,
and they do not include all the information provided in this
AC. There is no necessity for an applicant to use them or
for the FAA to accept them, in whole or in part, to show
compliance with any regulation. Their sole purposes are to
assist applicants by illustrating a systematic approach to
design safety assessments, to enhance understanding and
communication by summarizing some of the information
provided in this AC, and to provide some suggestions on
documentation.
a. Define the system and its interfaces, and identify the
functions that the system is to perform. Determine whether
or not the system is complex, similar to systems used on
other airplanes, and conventional.
b. Identify and classify the significant (i.e.,
non-trivial) failure conditions. All relevant applicant
engineering organizations, such as systems, structures,
propulsion, and flight test, should be involved in this
process. This identification and classification may be done
by conducting an FHA, which is usually based on one of the
following methods, as appropriate:
(1) If the system is not complex, and if its relevant
attributes are similar to those of systems used on other
airplanes, this identification and classification may be
derived from design and installation appraisals and the
service experience of the comparable, previously-approved
systems.
(2) If the system is complex, it is necessary to
systematically postulate the effects on the safety of the
airplane and its occupants resulting from any possible
failures, considered both individually and in combination
with other failures or events.
c. Choose the means to be used to determine compliance
with 25.1309(b), (c), and (d). The depth and scope of the
analysis depends on the types of functions performed by the
system, the severities of system failure conditions, and
whether or not the system is complex. For major failure
conditions, experienced engineering and operational
judgment, design and installation appraisals, and
comparative service experience data on similar systems may
be acceptable, either on their own or in conjunction with
qualitative analyses or selectively-used quantitative
analyses. For catastrophic failure conditions, a very
thorough safety assessment is necessary. The applicant
should obtain early concurrence of the cognizant
certificating office on the failure conditions, their
classifications, and the choice of an acceptable means of
compliance.
d. Implement the design and produce the data which are
agreed with the certificating office as being acceptable to
show compliance. To the extent feasible, an analysis should
be self-contained; however, if it is not, all other
documents needed should be referenced. A typical analysis
should include the following information to the extent
necessary to show compliance:
(1) A statement of the functions, boundaries, and
interfaces of the system.
(2) A list of the component parts and equipment of
which the system is comprised, and their design standards.
This list may reference other documents; e.g., Technical
Standard Orders (TSOs), manufacturer's or military
specifications, etc.
(3) The conclusions, including a statement of the failure
conditions and their classifications and probabilities
(expressed qualitatively or quantitatively, as appropriate),
that show compliance with the requirements of paragraphs
25.1309(b), (c), and (d).
(4) A description that establishes correctness and
completeness and traces the work leading to the conclusions.
This description should include the basis for the
classification of each failure condition (e.g., analysis or
ground, flight, or simulator tests). It should also include
a description of precautions taken against common-mode or
common-cause failures, provide any data such as component
failure rates and their sources and applicability, support
any assumptions made, and identify any required flightcrew
or groundcrew actions, including any CCRs.
For more information on how ASTECH Engineering may be able
to help you, please contact Jeff Wilson at astech@cox.net
or call 316-304-6157.
© Copyright 1996 ASTECH Engineering. All rights
reserved. No part of this document may be reproduced in any
form without the expressed written consent of the
author.