Jump to content

AC 25.1309-1

From Wikipedia, the free encyclopedia
System Design and Analysis
FAA Publication
AbbreviationAC 25.1309–1
Year started1982
Latest versionArsenal Draft for Rev. B
2002 (2002)
OrganizationFederal Aviation Administration AFS-800
DomainAviation safety

AC 25.1309–1 is an FAA Advisory Circular (AC) (Subject: System Design and Analysis) that identifies acceptable means for showing compliance with the airworthiness requirements of § 25.1309 of the Federal Aviation Regulations. Revision A was released in 1988. In 2002, work was done on Revision B, but it was not formally released; the result is the Rulemaking Advisory Committee-recommended revision B-Arsenal Draft (2002). The Arsenal Draft is "considered to exist as a relatively mature draft".[1] The FAA and EASA have subsequently accepted proposals by type certificate applicants to use the Arsenal Draft on development programs.[1][2]

AC 25.1309–1 establishes the principle that the more severe the hazard resulting from a system or equipment failure, the less likely that failure must be. Failures that are catastrophic must be extremely improbable.[3]

Airworthiness standards

[edit]

The airworthiness requirements for transport category (large civil aircraft, both airplanes and helicopters) are contained in Title 14, Code of Federal Regulations (14 CFR) part 25 (commonly referred to as part 25 of the Federal Aviation Regulations (FAR)). Manufacturers of transport category airplanes must show that each airplane they produce of a given type design complies with the relevant standards of part 25.

AC 25.1309–1 describes acceptable means for showing compliance with those airworthiness requirements. It recognizes Aerospace Recommended Practices ARP4754 and ARP4761 (or their successors) as such means:[4]

  • ARP4754A, Guidelines For Development Of Civil Aircraft and Systems, is a guideline from SAE International, dealing with the development processes which support certification of Aircraft systems. This ARP further recognizes integration of DO-297, DO-178, and DO-254 into the guidelines for development and recognizes ARP5150/5151 as guidelines for in-service operation and maintenance.
  • ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process On Civil Airborne Systems and Equipment

Background

[edit]

AC 25.1309–1 provides background for important concepts and issues within airplane system design and analysis.

Catastrophic failure condition rate

The circular provides a rationale for the upper limit for the Average Probability per Flight Hour for Catastrophic Failure Conditions of 1 x 10−9 or "Extremely Improbable".[5] Failure Conditions resulting in relatively more severe effects must be relatively less likely to occur; that is, an inverse relationship between severity and likelihood should be a safety objective of aviation system design.

Fail-Safe Design Concept

This AC presents the FAA Fail-Safe Design Concept, which applies basic objectives pertaining to failures:

  1. Failures of any system should be assumed for any given flight regardless of probability and such failures "should not prevent continued safe flight and landing" or otherwise significantly reduce safety.
  2. Subsequent failure during the same flight should also be assumed.

The AC lists design principles or techniques used to ensure a safe design. Usually, a combination of at least two safe design techniques are needed to provide a fail-safe design; i.e. to ensure that Major Failure Conditions are Remote, Hazardous Failure Conditions are Extremely Remote, and Catastrophic Failure Conditions are Extremely Improbable.

Safe Design Principles and Techniques
  • Designed Integrity and Quality
  • Redundancy or Backup Systems
  • Isolation and/or Segregation of Systems, Components, and Elements
  • Proven Reliability
  • Failure Warning or Indication
  • Flight crew Procedures
  • Checkability
  • Designed Failure Effect Limits
  • Designed Failure Path
  • Margins or Factors of Safety
  • Error-Tolerance
Highly integrated systems

With the emergence of highly integrated systems that perform complex and interrelated functions, particularly through the use of electronic technology and software-based techniques [e.g., Integrated Modular Avionics (IMA) ], concerns arose that traditionally quantitative functional-level design and analysis techniques previously applied to simpler systems were no longer adequate. As such the AC includes expanded, methodical approaches, both qualitative and quantitative, that consider the integration of the "whole airplane and its systems".[6]

Definitions and Classifications

[edit]

A main task of AC 25.1309–1 is to provide standard definitions of terms (including hazard and probability classifications) for consistent use throughout the framework set up for the accomplishment of functional airplane safety. Where regulations (FAR) and standards (ARP) may use such terms as failure condition, and extremely improbable, AC 25.1309–1 defines their specific meanings.[7] In this respect, AC 25.1309–1 is comparable to ISO 26262–1 Vocabulary, at least in regard to the relative dependent standards. Key definitions include:

Error, Failures, and Failure Conditions
The re-introduction of Error to the AC recognizes the role of human error (in development, manufacture, operation, or maintenance) as a source of system failures, especially in complex and integrated avionics. The term Failure Conditions provides for a focus on the effects of a failure separate from the causes.
Classification of failure conditions by severity of effect
Catastrophic, Hazardous, Major, Minor, or No Safety Effect
A Catastrophic Failure condition is one "which would result in multiple fatalities, usually with the loss of the airplane.[8]"
Definition of Probability Terms
Extremely Improbable, Extremely Remote, Remote, or Probable
An Extremely Improbable failure condition is one so unlikely that it is not anticipated to occur during the entire operational life of all airplanes of one type. Quantitatively, these probability terms are define as follows: Extremely Improbable (10−9 or less), Extremely Remote (10−7 or less), Remote (10−5 or less), Probable (more than 10−5).[9]

Safety objectives

[edit]

Classified failure conditions are assigned qualitative and quantitative safety objectives, giving guidance to development and operation.

Quantitative safety objectives

The AC defines the acceptable safety level for equipment and systems as installed on the airplane and establishes an inverse relationship between Average Probability per Flight Hour and the severity of Failure Condition effects:

  1. Failure Conditions with No Safety Effect have no probability requirement.
  2. Minor Failure Conditions may be Probable.
  3. Major Failure Conditions must be no more frequent than Remote.
  4. Hazardous Failure Conditions must be no more frequent than Extremely Remote.
  5. Catastrophic Failure Conditions must be Extremely Improbable.

The safety objectives associated with Catastrophic Failure Conditions may be satisfied by demonstrating that:

  1. No single failure will result in a Catastrophic Failure Condition; and
  2. Each Catastrophic Failure Condition is extremely improbable.
Qualitative safety objectives

The failure conditions Catastrophic through No Safety Effect are assigned Functional and Item Design Assurance Levels (DAL) A, B, C, D, E, respectively, with the concept that there is less tolerance for undiscovered design error in systems with more severe failure effects.[10] In this manner, development of systems and components contributing to more severe effects are subject to increasingly rigorous assurances of effective prevention, detection, and removal of design error, DAL A representing the most thorough assurance rigor.[11]

History

[edit]

First released in 1982, AC 25.1309–1 has been revised to embody increasing experience in development of airplanes and to address the increasing integration and computerization of aircraft functions.

AC 25.1309–1 (original release)

[edit]

Function criticality

[edit]

AC 25.1309–1 recommended that top-down analysis should identify each system function and evaluate its criticality, i.e., either non-essential, essential, or critical. The terms Error, Failure, and Failure Condition were defined. Functions were classified Critical, Essential, and Non-Essential according to the severity of the failure conditions they could contribute to; but the conditions were not expressly classified. Failures of Critical, Essential, and Non-Essential functions were expected to be, respectively, Extremely Improbable (10–9 or less), Improbable (10–5 or less), or no worse than Probable (10–5).[12]

Qualitative methods

[edit]

Previously, system safety analysis was quantitative; that is, it was dependent on evaluating the probability of system failures from physical faults of components. But with the increasing use of digital avionics (i.e., software) it was recognized that development error was a significant contributor to system failure, particularly human errors in any stage of designing, implementing, and testing complex systems. During system certification in the late 1970s, it became clear that the classical statistical methods of safety assessment could not be effective for firmware and software-based systems.[13] Existing quantitative methods could not predict system failure rates resultant from development errors. Qualitative methods were instead recommended for reducing specification, design, and implementation errors in the development of digital avionics.

The guidance of DO-178 (initial release) was recommended by AC 25.1309–1 for development of essential and critical functions implemented in software.[14]

AC 25.1309–1A

[edit]

AC 25.1309–1A introduced the FAA Fail-Safe Design Concept to this Advisory Circular.[15] This revision also introduced recommended design principles or techniques in order to ensure a safe design.[16]

Classification of failure conditions by severity

[edit]

The concept of function criticality was replaced with classification of failure conditions according to severity of effects (cf., Probabilistic risk assessment). Failure conditions having Catastrophic, Major, or Minor effects were to have restricted likelihoods, respectively, of Extremely Improbable (10–9 or less), Improbable (10–5 or less), or no worse than Probable (10–5).[17]

Software was still considered to be assessed and controlled by other means; that is, by RTCA/DO-178A or later revision, via Advisory Circular AC 20-115A.[18]

AC 25 1309–1B

[edit]
Note: No Revision B has been released. This section discusses the Arsenal Draft of Revision B.

In May 1996, the FAA Aviation Rulemaking Advisory Committee (ARAC) was tasked with a review of harmonized FAR/JAR 25.1309, AC 1309-1A, and related documents, and to consider revision to AC 1309-1A incorporating recent practice, increasing complex integration between aircraft functions and the systems that implement them,[19] and the implications of new technology. This task was published in the Federal Register at 61 FR 26246-26247 (1996-05-24). The focus was to be on safety assessment and fault-tolerant critical systems.

In 2002, the FAA provided a Notice of Proposed Rulemaking (NPRM) relevant to 14 CFR Part 25. Accompanying this notice is the Arsenal Draft of AC 1309–1.[20] Existing definitions and rules in § 25.1309 and related standards have posed certain problems to the certification of transport category airplanes. Said problems are discussed at length within the NPRM. The FAA proposed revisions to several related standards in order to eliminate such problems and to clarify the intent of these standards. In some proposed changes, definitions or conventions developed in lower level regulations or standards were adopted or revised within the subsequent Advisory Circular.

Boeing referenced the guidance of the Arsenal Draft in its 2004-2009 type certification program for the 787 Dreamliner.[21]

Refinement of failure condition classifications

[edit]

Experience in application of the prior circulars and ARPs witnessed the division of the Major failure condition into two conditions (for example, Hazardous-severe/Major and Major).[22] Additionally, this experience recognised the existence of failure conditions that have no effect on safety, which could be so classified and thereby assigned no safety objectives. Catastrophic Failure Condition was previously defined as "any failure condition which would prevent continued safe flight and landing"; but is now defined as "Failure conditions which would result in multiple fatalities, usually with the loss of the airplane.[8]"

Extension of qualitative controls to aircraft functions

[edit]

The FAA Fail-Safe Design Concept and design principles or techniques for safe design are maintained. However, owing to the increasing development of Highly Integrated Systems in aircraft, qualitative controls previously considered necessary for safe software development are extended to the aircraft function level.[6] (Similar guidance (Functional Safety framework) has been provided for highly integrated automotive systems through the 2011, release of ISO 26262.[23])

See also

[edit]

References

[edit]
  1. ^ a b Spitzer, Cary R., ed, Digital Avionics Handbook, 2nd ed., Avionics, Development and Implementation, CRC Press, Boca Raton, FL. 2007, p. 7-9.
  2. ^ AC 25-19A Archived 2014-04-13 at the Wayback Machine, Certification Maintenance Requirements, 2011, p. 2
  3. ^ "Software Certification". Aviation Today. October 31, 2005. Retrieved 2014-03-31.
  4. ^ Spitzer, p. 7-9
  5. ^ AC 25.1309–1B Arsenal Draft (Archived 2014-04-13 at the Wayback Machine), 2002, p. 5-6.
  6. ^ a b AC 25.1309–1B–Arsenal Draft, p. 7.
  7. ^ AC 25.1309–1B–Arsenal Draft, p. 3.
  8. ^ a b AC 25.1309–1B–Arsenal Draft, p. 8.
  9. ^ AC 25.1309–1B–Arsenal Draft, p. 9.
  10. ^ ARP4754A, Guidelines for Development of Civil Aircraft and Systems, SAE Aerospace, December, 2010, p. 38
  11. ^ Cary Spitzer, Uma Ferrell, Thomas Ferrell Digital Avionics Handbook, 3rd ed., CRC Press, Boca Raton, FL. 2015, p. 10-2. "Therefore, in order to show compliance to "1309" for systemic failures, processes are applied to the aircraft, system, equipment, and software/AEH development to provide some assurance that errors have been minimized to a required level of rigor."
  12. ^ AC 25.1309–1, 1982, p. 3-5.
  13. ^ Johnson, Leslie A. (Schad). DO-178B, "Software Considerations in Airborne. Seattle, Washington: Flight Systems, Boeing Commercial Airplane Group.
  14. ^ AC 25.1309–1, p. 9.
  15. ^ AC 25.1309–1A, 1988, p. 2.
  16. ^ AC 25.1309–1A, p. 3.
  17. ^ AC 25.1309–1A, pp. 4,5,7, 13-15.
  18. ^ AC 25.1309–1A, p. 7.
  19. ^ ARP4754A, p. 7
  20. ^ Revised General Function and Installation Requirements for Equipment, Systems, and Installations on Transport Category Airplanes, Notice of proposed rulemaking, Draft R6X Phase 1 – June 2002, also known as the Arsenal Draft of AC 25.1309-1B Archived 2014-04-13 at the Wayback Machine
  21. ^ "Auxiliary Power Unit Battery Fire : Japan Airlines Boeing 787-8, JA829J" (PDF). Aircraft Incident Report (AIR-14/01). National Transportation Safety Board. November 21, 2014. Retrieved 2022-05-18. Boeing indicated in certification documents that it used a version of FAA Advisory Circular (AC) 25.1309, "System Design and Analysis" (referred to as the Arsenal draft), as guidance during the 787 certification program. However, the analysis that Boeing presented in its EPS safety assessment did not appear to be consistent with the guidance in the AC. See 2013 Boeing 787 Dreamliner grounding.
  22. ^ RTCA/DO-178B (subsequently DO-178C, Software Considerations in Airborne Systems and Equipment Certification, Radio Technical Commission for Aeronautics, December 1, 1992, p. 7
  23. ^ Beeby, Martin, DO-178C the future of Avionics Certification, atego HighRely, pp. 6–7