ARP4754

Last updated
Guidelines For Development Of Civil Aircraft and Systems
SAE International logo.svg
AbbreviationARP4754
Year started1996
Latest versionB
December 2023 (2023-12)
Organization SAE International
DomainAviation Safety
Website www.sae.org/standards/content/arp4754b/

ARP4754(), Aerospace Recommended Practice (ARP) Guidelines for Development of Civil Aircraft and Systems, is a published standard from SAE International, dealing with the development processes which support certification of Aircraft systems, addressing "the complete aircraft development cycle, from systems requirements through systems verification." [1] Since their joint release in 2002, compliance with the guidelines and methods described within ARP4754() and its companion ARP4761() [2] have become mandatory for effectively all civil aviation world-wide. [3]

Contents

Revision A was released in December 2010. It was recognized by the FAA through Advisory Circular AC 20-174 published November 2011. [4] [5] EUROCAE jointly issued the document as ED79.

Revision B was released in December 2023 and inherits the "mandates" conferred through FAA advisory circulars AC 25.1309-1 and AC 20-174 as acceptable means of demonstrating compliance with 14 CFR 25.1309 in the U.S. Federal Aviation Administration (FAA) airworthiness regulations for transport category aircraft. This revision also harmonizes with international airworthiness regulations such as European Union Aviation Safety Agency (EASA) CS25.1309.

Objectives of the document

Emphasizing safety aspects, the Aerospace Recommended Practice (ARP) is a guideline for development of civil aircraft and systems. Revision A was a substantial rewrite of the document which describes the safety process as a part of an Integrated Development Process. A significant new section is devoted to the process of determining Development Assurance Level (DAL) which determines the assurance rigor of development and verification activities for complex hardware and software aspects of airborne systems.

ARP4754 is intended to be used in conjunction with the safety assessment process defined in SAE ARP4761 (updated to Revision A in December 2023) and is supported by other aviation standards such as RTCA DO-178C/DO-178B and DO-254.

This guideline addresses Functional Safety and design assurance processes. DAL allocation pertaining to functional failure conditions and hazard severity are assigned to help mitigate risks. Functional Hazard Analyses / Assessments are central to determining hazards and assigning DAL, in addition to requirements based testing and other verification methods. This guideline concerns itself with Physical (item) DAL and Functional (software/systems integration behavior) DAL and the Safety aspects of systems for the whole life-cycle for systems that implement aircraft functions.

History

ARP4754 was defined in the context of aircraft certification, in particular Part 25 Sections 1301 and 1309 of harmonized civil aviation regulations for transport category airplanes. These are found in the U.S. FAA Federal Aviation Regulations (FAR) at 14 CFR 25.1309 and the corresponding European JAA Joint Aviation Requirements (JAR), which have been replaced by EASA certification standards. FAA Advisory Circular AC 25.1309-1A, System Design and Analysis, explained certification methodology for Part 25 Section 1309. [8]

In May 1996, the FAA Aviation Rulemaking Advisory Committee (ARAC) was tasked with a review of harmonized FAR/JAR 25.1309, AC 1309-1A, and related documents, and to consider revision to AC 1309-1A incorporating recent practice, increasing complex integration between aircraft functions and the systems that implement them, [9] and the implications of new technology. This task was published in the Federal Register as 61 FR 26246-26247 (1996-05-24). The focus was to be on safety assessment and fault-tolerant critical systems.

In a parallel effort, SAE published ARP4754 in November 1996. In 2002 ARAC submitted to the FAA a draft Notice of Proposed Rulemaking (NPRM) and draft revision AC 1309-1B (the draft ARSENAL version) recognizing the role of ARP4754 in complex system certification. [10] Draft B of AC 25.1309-1 remains unreleased, but ARP4754 became broadly recognized as an appropriate standard for aircraft system development and certification and aircraft have been certified under the AC 25.1309-1B-Arsenal draft. The corresponding EASA Acceptable Means of Compliance AMC 25.1309 (included as a section of CS-25) does recognize ARP4754/ED79.

The FAA and EASA have both subsequently recognized ARP4754/ED79 as valid for certification of other aircraft categories, and for specific systems such as avionic databuses. ARP4754A and ED79A were released by SAE and EUROCAE in December 2010 with the document title changed to Guidelines For Development Of Civil Aircraft and Systems. ARP4754A recognizes AMC 25.1309 (published in 2003) and AC 25.1309-1B-Arsenal draft. [11] This revision expands the design assurance concept for application at the aircraft and system level and standardizes on the use of the term development assurance. As a consequence, Functional Development Assurance Level (FDAL) is introduced for aircraft and systems concerns and the term Design Assurance Level has been renamed Item Development Assurance Level (IDAL). [12] Furthermore, there is acknowledgement that the terms Error, Failure, and Failure Condition come from AMC 25.1309. [13] The qualitative and quantitative classification of failure conditions by severity and probability now used by ARP4754A [14] and ARP4761 [15] are defined in AMC 25.1309/AC 25.13091B-Arsenal draft.

See also

Related Research Articles

<span class="mw-page-title-main">Safety engineering</span> Engineering discipline which assures that engineered systems provide acceptable levels of safety

Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.

DO-178B, Software Considerations in Airborne Systems and Equipment Certification is a guideline dealing with the safety of safety-critical software used in certain airborne systems. It was jointly developed by the safety-critical working group RTCA SC-167 of the Radio Technical Commission for Aeronautics (RTCA) and WG-12 of the European Organisation for Civil Aviation Equipment (EUROCAE). RTCA published the document as RTCA/DO-178B, while EUROCAE published the document as ED-12B. Although technically a guideline, it was a de facto standard for developing avionics software systems until it was replaced in 2012 by DO-178C.

A hazard analysis is one of many methods that may be used to assess risk. At its core, the process entails describing a system object that intends to conduct some activity. During the performance of that activity, an adverse event may be encountered that could cause or contribute to an occurrence. Finally, that occurrence will result in some outcome that may be measured in terms of the degree of loss or harm. This outcome may be measured on a continuous scale, such as an amount of monetary loss, or the outcomes may be categorized into various levels of severity.

<span class="mw-page-title-main">ARP4761</span> Aerospace recommended practice from SAE International

ARP4761, Guidelines for Conducting the Safety Assessment Process on Civil Aircraft, Systems, and Equipment is an Aerospace Recommended Practice from SAE International. In conjunction with ARP4754, ARP4761 is used to demonstrate compliance with 14 CFR 25.1309 in the U.S. Federal Aviation Administration (FAA) airworthiness regulations for transport category aircraft, and also harmonized international airworthiness regulations such as European Aviation Safety Agency (EASA) CS–25.1309.

RTCA DO-254 / EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware is a document providing guidance for the development of airborne electronic hardware, published by RTCA, Incorporated and EUROCAE. Initially released in 2000, the DO-254/ED-80 standard was not necessarily considered policy until recognized by the FAA in 2005 through AC 20-152 as a means of compliance for the design assurance of electronic hardware in airborne systems. The guidance in this document is applicable, but not limited, to such electronic hardware items as

<span class="mw-page-title-main">DO-160</span> Standard for environmental testing of avionics hardware

DO-160, Environmental Conditions and Test Procedures for Airborne Equipment is a standard for the environmental testing of avionics hardware. It is published by the Radio Technical Commission for Aeronautics (RTCA) and supersedes DO-138.

Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.

DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, EASA and Transport Canada approve all commercial software-based aerospace systems. The document is published by RTCA, Incorporated, in a joint effort with EUROC and replaces DO-178B. The new document is called DO-178C/ED-12C and was completed in November 2011 and approved by the RTCA in December 2011. It became available for sale and use in January 2012.

Zonal Safety Analysis (ZSA) is one of three analytical methods which, taken together, form a Common Cause Analysis (CCA) in aircraft safety engineering under SAE ARP4761. The other two methods are Particular Risks Analysis (PRA) and Common Mode Analysis (CMA). Aircraft system safety requires the independence of failure conditions for multiple systems. Independent failures, represented by an AND gate in a fault tree analysis, have a low probability of occurring in the same flight. Common causes result in the loss of independence, which dramatically increases probability of failure. CCA and ZSA are used to find and eliminate or mitigate common causes for multiple failures.

Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. This is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 for the automotive industry. This classification helps defining the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard by looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.

<span class="mw-page-title-main">Advisory circular</span> Publication offered by the Federal Aviation Administration

Advisory circular (AC) refers to a type of publication offered by the Federal Aviation Administration (FAA) to "provide a single, uniform, agency-wide system … to deliver advisory (non-regulatory) material to the aviation community." Advisory circulars are now harmonized with soft law Acceptable Means of Compliance (AMC) publications of EASA, which are nearly identical in content. The FAA's Advisory Circular System is defined in FAA Order 1320.46D.

<span class="mw-page-title-main">AC 25.1309-1</span> American aviation regulatory document

AC 25.1309–1 is an FAA Advisory Circular (AC) that identifies acceptable means for showing compliance with the airworthiness requirements of § 25.1309 of the Federal Aviation Regulations, which requires that civil aviation equipment, systems, and installations "perform their intended function under foreseeable operating conditions." Revision A was released in 1988. In 2002, work was done on Revision B, but it was not formally released; the result is the Rulemaking Advisory Committee-recommended revision B-Arsenal Draft (2002). The Arsenal Draft is "considered to exist as a relatively mature draft". The FAA and EASA have subsequently accepted proposals by type certificate applicants to use the Arsenal Draft on development programs.

<span class="mw-page-title-main">FAA Order 8130.34</span>

FAA Order 8130.34D, Airworthiness Certification of Unmanned Aircraft Systems, establishes procedures for issuing either special airworthiness certificates in the experimental category or special flight permits to unmanned aircraft systems (UAS), optionally piloted aircraft (OPA), and aircraft intended to be flown as either a UAS or an OPA.

<span class="mw-page-title-main">AC 20-115</span>

The Advisory Circular AC 20-115( ), Airborne Software Development Assurance Using EUROCAE ED-12( ) and RTCA DO-178( ), recognizes the RTCA published standard DO-178 as defining a suitable means for demonstrating compliance for the use of software within aircraft systems. The present revision D of the circular identifies ED-12/DO-178 Revision C as the active revision of that standard and particularly acknowledges the synchronization of ED-12 and DO-178 at that revision.

<span class="mw-page-title-main">AC 20-152</span>

The Advisory Circular AC 20-152A, Development Assurance for Airborne Electronic Hardware, identifies the RTCA-published standard DO-254 as defining "an acceptable means, but not the only means" to secure FAA approval of electronic hardware for use within the airspace subject to FAA authority. With the 2022 release of Revision A, this Advisory Circular becomes a very important instrument for completing some guidance of DO-254 and providing applicants with clarifications and additional information on that standard.

DO-248C, Supporting Information for DO-178C and DO-278A, published by RTCA, Incorporated, is a collection of Frequently Asked Questions and Discussion Papers addressing applications of DO-178C and DO-278A in the safety assurance of software for aircraft and software for CNS/ATM systems, respectively. Like DO-178C and DO-278A, it is a joint RTCA undertaking with EUROCAE and the document is also published as ED-94C, Supporting Information for ED-12C and ED-109A. The publication does not provide any guidance additional to DO-178C or DO-278A; rather, it only provides clarification for the guidance established in those standards. The present revision is also expanded to include the "Rationale for DO-178C/DO-278A" section to document items that were considered when developing DO-178B and then DO-178C, DO-278A, and DO-330, as well as the supplements that accompany those publications.

<span class="mw-page-title-main">Boeing 737 MAX certification</span> Certification of aircraft

The Boeing 737 MAX was initially certified in 2017 by the U.S. Federal Aviation Administration (FAA) and the European Union Aviation Safety Agency (EASA). Global regulators grounded the plane in 2019 following fatal crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302. Both crashes were linked to the Maneuvering Characteristics Augmentation System (MCAS), a new automatic flight control feature. Investigations into both crashes determined that Boeing and the FAA favored cost-saving solutions, which ultimately produced a flawed design of the MCAS instead. The FAA's Organization Designation Authorization program, allowing manufacturers to act on its behalf, was also questioned for weakening its oversight of Boeing.

The Advisory Circular AC 00-69, Best Practices for Airborne Software Development Assurance Using EUROCAE ED-12( ) and RTCA DO-178( ), initially issued in 2017, supports application of the active revisions of ED-12C/DO-178C and AC 20-115. The AC does not state FAA guidance, but rather provides information in the form of "best practices" complementary to the objectives of ED-12C/DO-178C.

The Certification Authorities Software Team (CAST) is an international group of aviation certification and regulatory authority representatives. The organization of has been a means of coordination among representatives from certification authorities in North and South America, Europe, and Asia, in particular, the FAA and EASA. The focus of the organization has been harmonization of Certification Authorities activities in part though clarification and improvement of the guidance provided by DO-178C and DO-254.

<span class="mw-page-title-main">CAST-15</span>

CAST-15, Merging High-Level and Low-Level Requirements is a Certification Authorities Software Team (CAST) Position Paper. It is an FAA publication that "does not constitute official policy or guidance from any of the authorities", but is provided to applicants for software and hardware certification for educational and informational purposes only.

References

  1. Bill Potter. Complying with DO-178C and DO-331 using Model-Based Design (PDF). SAE 2012 Aerospace Electronics and Avionics Systems Conference (12AEAS). MathWorks, Inc. Retrieved 2019-02-13.
  2. Marc Ronell (November 18–20, 2020). "Discussion of Aviation Software Oversight Improvement". Proceedings of the 2020 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software (Onward! ’20): 128. Retrieved 2024-12-03. ARP4754 and ARP4761 describe guidelines and methods of performing a safety assessment for the certification of civil aircraft.
  3. "The twin pillars of safety revisited: ARP4754B and ARP4761A". Update. SAE International: 40. December 2023. Retrieved 2024-12-03. since then, compliance has become mandatory for 99% of the world's civil aircraft.
  4. Leanna Rierson (19 December 2017) [7 January 2013]. Developing Safety-Critical Software: A Practical Guide for Aviation Software and DO-178C Compliance. CRC Press. p. 49. ISBN   9781351834056 . Retrieved 2024-04-10. On September 30, 2011, the Federal Aviation Administration (FAA) published Advisory Circular (AC) 20–174, entitled Development of civil aircraft systems. AC 20–174 recognizes ARP4754A as 'an acceptable method for establishing a development assurance process.'
  5. S18 (2010). Guidelines for Development of Civil Aircraft and Systems. SAE International. ARP4754A.{{cite book}}: CS1 maint: multiple names: authors list (link) CS1 maint: numeric names: authors list (link)
  6. Anastasiia Balashova (March 12, 2024). "Release of ARP4754B: Exploring the updates". DMD Solutions. Retrieved 2024-09-04. All of these [advisory circulars] elevates it from a 'guideline' to a 'mandatory' status, which the new version ARP4754B inherits. ... ARP4754B primarily focuses on alignment with the recently released ARP4761A, indicating that there are no significant changes in development principles compared to ARP4754A. The core of the development process remains consistent, and we expect some big changes in the forthcoming version, ARP4754C.
  7. "SAE ARP4754, Revision B, 2023: Guidelines for Development of Civil Aircraft and Systems". oviss.jp. Retrieved 2024-09-04. Revision B is primarily focused on the necessary updates to align its contents with ARP4761A/ED-135. There were extensive discussions within S-18/WG-63 on the need to limit scope of this revision versus expanding its contents to include emerging system development techniques in use by the industry. Given the timeframe of ARP4761A/ED-135 publication, and the necessity to maintain consistency between both ARP4754B/ED-79B and ARP4761A/ED-135, the first option, limiting the scope, was chosen and suggested changes that would further expand ARP4754/ED-79 contents were deferred for a new Revision C. As a result, while the general principles of FDAL/IDAL assignment were retained in ARP4754B/ED-79B, the details of FDAL/IDAL assignment activities were transferred to ARP4761A/ED-135. The same approach was adopted for all safety assessment process contents in ARP4754B/ED-79B.
  8. ANM-110 (1988). System Design and Analysis (PDF). Federal Aviation Administration. Advisory Circular AC 25.1309-1A. Retrieved 2011-02-20.{{cite book}}: CS1 maint: numeric names: authors list (link)
  9. ARP4754A, p. 7
  10. ARAC Systems Design and Analysis Harmonization Working Group (2002). Task 2 – System Design and Analysis Harmonization and Technology Update (PDF). Federal Aviation Administration. Archived from the original (PDF) on 2006-10-05. Retrieved 2011-02-20.
  11. Cary Spitzer, Uma Ferrell, Thomas Ferrell Digital Avionics Handbook, 3rd ed., CRC Press, Boca Raton, FL. 2015, p. 9-10. "At this writing, that AC[25.1309-1B-Arsenal draft] has not been adopted, but is considered to exist as a rather mature draft referred to as the arsenal version. The FAA has accepted proposals by applicants to use arsenal on recent development programs, while EASE has incorporated similar guidance within CS-25, ...."
  12. ARP4754A, pp. 7-8
  13. ARP4754A, pp. 11
  14. ARP4754A, p. 34
  15. S18 (1996). Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. Society of Automotive Engineers. p. 9. ARP4761.{{cite book}}: CS1 maint: multiple names: authors list (link) CS1 maint: numeric names: authors list (link)