Guidelines For Development Of Civil Aircraft and Systems
Latest version: December 2010 (2010-12)
Organization: SAE International

ARP4754, the Aerospace Recommended Practice (ARP) whose current revision is ARP4754A (Guidelines For Development Of Civil Aircraft and Systems), is a guideline from SAE International dealing with the development processes which support certification of aircraft systems, addressing "the complete aircraft development cycle, from systems requirements through systems verification." [1] Revision A was released in December 2010. It was recognized by the FAA in AC 20-174, published November 2011. [2] EUROCAE jointly issues the document as ED79.


Objectives of the document

The Aerospace Recommended Practice (ARP) is a guideline for development of civil aircraft and systems with an emphasis on safety aspects. Revision A is a substantial rewrite of the document which describes the safety process as a part of an Integrated Development Process. A significant new section is devoted to the process of determining Development Assurance Level (DAL) which determines the rigor of complex hardware and software development and verification activities.

It is intended to be used in conjunction with SAE ARP4761 (still under revision in December 2013) and is supported by other aviation standards such as RTCA DO-178C/DO-178B and DO-254.

This guideline addresses Functional Safety and design assurance processes. DALs are allocated according to functional failure conditions and hazard severity to help mitigate risks. Functional Hazard Analyses / Assessments are central to determining hazards and assigning DAL, in addition to requirements-based testing and other verification methods. The guideline concerns itself with Physical (item) DAL and Functional (software/systems integration behavior) DAL, and with the safety aspects, over the whole life-cycle, of systems that implement aircraft functions.


ARP4754 was defined in the context of aircraft certification, in particular Part 25 Sections 1301 and 1309 of harmonized civil aviation regulations for transport category airplanes. These are found in the U.S. FAA Federal Aviation Regulations (FAR) at 14 CFR 25.1309 and the corresponding European JAA Joint Aviation Requirements (JAR), which have been replaced by EASA certification standards. FAA Advisory Circular AC 25.1309-1A, System Design and Analysis, explained certification methodology for Part 25 Section 1309. [3]

In May 1996, the FAA Aviation Rulemaking Advisory Committee (ARAC) was tasked with reviewing harmonized FAR/JAR 25.1309, AC 1309-1A, and related documents, and with considering a revision to AC 1309-1A incorporating recent practice, the increasingly complex integration between aircraft functions and the systems that implement them, [4] and the implications of new technology. This task was published in the Federal Register at 61 FR 26246-26247 (1996-05-24). The focus was to be on safety assessment and fault-tolerant critical systems.

In a parallel effort, SAE published ARP4754 in November 1996. In 2002 ARAC submitted to the FAA a draft Notice of Proposed Rulemaking (NPRM) and draft revision AC 1309-1B (the draft ARSENAL version) recognizing the role of ARP4754 in complex system certification. [5] This draft remains unreleased, but ARP4754 became broadly recognized as an appropriate standard for aircraft system development and certification. The corresponding EASA Acceptable Means of Compliance AMC 25.1309 (included as a section of CS-25) does recognize ARP4754/ED79.

The FAA and EASA have both subsequently recognized ARP4754/ED79 as valid for certification of other aircraft categories, and for specific systems such as avionic databuses.

ARP4754A and ED79A were released by SAE and EUROCAE in December 2010. The document title has changed to Guidelines For Development Of Civil Aircraft and Systems. ARP4754A recognizes AMC 25.1309 (published in 2003) and the AC 25.1309-1B-Arsenal draft. This revision expands the design assurance concept for application at the aircraft and system level and standardizes on the use of the term development assurance. As a consequence, Functional Development Assurance Level (FDAL) is introduced for aircraft and systems concerns, and the term Design Assurance Level has been renamed Item Development Assurance Level (IDAL). [6] Furthermore, the added definitions for Error, Failure, and Failure Condition are acknowledged as derived from AMC 25.1309. [7] The qualitative and quantitative classification of failure conditions by severity and probability now used by ARP4754A [8] and ARP4761 [9] is defined in AMC 25.1309 and the AC 25.1309-1B-Arsenal draft.

Related Research Articles

Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.

DO-178B, Software Considerations in Airborne Systems and Equipment Certification is a guideline dealing with the safety of safety-critical software used in certain airborne systems. Although technically a guideline, it was a de facto standard for developing avionics software systems until it was replaced in 2012 by DO-178C.

A hazard analysis is used as the first step in a process used to assess risk. The result of a hazard analysis is the identification of different types of hazards. A hazard is a potential condition that either exists or does not. Alone or in combination with other hazards and conditions, it may become an actual Functional Failure or Accident (Mishap). The exact way this happens in one particular sequence is called a scenario. This scenario has a probability of occurrence. Often a system has many potential failure scenarios. It is also assigned a classification, based on the worst-case severity of the end condition. Risk is the combination of probability and severity. Preliminary risk levels can be provided in the hazard analysis. The validation, more precise prediction (verification) and acceptance of risk are determined in the risk assessment (analysis). The main goal of both is to provide the best selection of means of controlling or eliminating the risk. The term is used in several engineering specialties, including avionics, chemical process safety, safety engineering, reliability engineering and food safety.

ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment is an Aerospace Recommended Practice from SAE International. In conjunction with ARP4754, ARP4761 is used to demonstrate compliance with 14 CFR 25.1309 in the U.S. Federal Aviation Administration (FAA) airworthiness regulations for transport category aircraft, and also harmonized international airworthiness regulations such as European Aviation Safety Agency (EASA) CS–25.1309.

RTCA DO-254 / EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware is a document providing guidance for the development of airborne electronic hardware, published by RTCA, Incorporated and EUROCAE. The DO-254/ED-80 standard was formally recognized by the FAA in 2005 via AC 20-152 as a means of compliance for the design assurance of electronic hardware in airborne systems. The guidance in this document is applicable, but not limited, to such electronic hardware items as

Electronic flight bag

An electronic flight bag (EFB) is an electronic information management device that helps flight crews perform flight management tasks more easily and efficiently with less paper. It is a general purpose computing platform intended to reduce, or replace, paper-based reference material often found in the pilot's carry-on flight bag, including the aircraft operating manual, flight-crew operating manual, and navigational charts. In addition, the EFB can host purpose-built software applications to automate other functions normally conducted by hand, such as take-off performance calculations.

Parts Manufacturer Approval (PMA) is an approval granted by the United States Federal Aviation Administration (FAA) to a manufacturer of aircraft parts.

Flight operational quality assurance, also known as flight data monitoring (FDM) or flight data analysis, is a method of capturing, analyzing and/or visualizing the data generated by an aircraft moving through the air from one point to another. Applying the information learned from this analysis helps to find new ways to improve flight safety and increase overall operational efficiency. Several airlines and air forces have initiated FOQA programs to collect, store and analyze recorded flight data. The goal is to improve the organization or unit's overall safety, increase maintenance effectiveness and reduce operational costs.


DO-160, Environmental Conditions and Test Procedures for Airborne Equipment is a standard for the environmental testing of avionics hardware. It is published by the Radio Technical Commission for Aeronautics (RTCA) and supersedes DO-138.

The Modification and Replacement Parts Association is the Washington, D.C.-based trade association that represents manufacturers of government-approved after market aircraft parts. These aircraft parts are often known as PMA parts, from the acronym for Parts Manufacturer Approval. The manufacture of PMA parts is regulated in the United States by the Federal Aviation Administration.

DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, EASA and Transport Canada approve all commercial software-based aerospace systems. The document is published by RTCA, Incorporated, in a joint effort with EUROCAE, and replaces DO-178B. The new document is called DO-178C/ED-12C and was completed in November 2011 and approved by the RTCA in December 2011. It became available for sale and use in January 2012.

Zonal Safety Analysis (ZSA) is one of three analytical methods which, taken together, form a Common Cause Analysis (CCA) in aircraft safety engineering under SAE ARP4761. The other two methods are Particular Risks Analysis (PRA) and Common Mode Analysis (CMA). Aircraft system safety requires the independence of failure conditions for multiple systems. Independent failures, represented by an AND gate in a fault tree analysis, have a low probability of occurring in the same flight. Common causes result in the loss of independence, which dramatically increases probability of failure. CCA and ZSA are used to find and eliminate or mitigate common causes for multiple failures.

Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. This is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 for the automotive industry. This classification helps define the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard by looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.

Advisory circular (AC) refers to a type of publication offered by the Federal Aviation Administration (FAA) to provide guidance for compliance with airworthiness regulations, pilot certification, operational standards, training standards, and any other rules within the 14 CFR Aeronautics and Space Title. They define acceptable means, but not the only means, of accomplishing or showing compliance with airworthiness regulations. Generally informative in nature, Advisory Circulars are neither binding nor regulatory; yet some have the effect of de facto standards or regulations.

AC 25.1309–1 is an FAA Advisory Circular (AC) that describes acceptable means for showing compliance with the airworthiness requirements of § 25.1309 of the Federal Aviation Regulations. The present unreleased but working draft of AC 25.1309–1 is the Aviation Rulemaking Advisory Committee recommended revision B-Arsenal Draft (2002); the present released version is A (1988). The FAA and EASA have accepted proposals by type certificate applicants to use the Arsenal Draft on recent development programs.

FAA Order 8130.34C, Airworthiness Certification of Unmanned Aircraft Systems, establishes procedures for issuing either special airworthiness certificates in the experimental category or special flight permits to unmanned aircraft systems (UAS), optionally piloted aircraft (OPA), and aircraft intended to be flown as either a UAS or an OPA.

Regulation of unmanned aerial vehicles

The use of unmanned aerial vehicles (UAVs), or drones, is generally regulated by the national aviation authority of the country.

The Advisory Circular AC 20-115, Airborne Software Development Assurance Using EUROCAE ED-12( ) and RTCA DO-178( ), identifies the RTCA published standard DO-178 as defining a suitable means for demonstrating compliance for the use of software within aircraft systems. The present revision D of the circular identifies ED-12/DO-178 Revision C as the active revision of that standard and particularly acknowledges the synchronization of ED-12 and DO-178 at that revision.

Boeing 737 MAX certification

The Boeing 737 MAX was initially certified in March 2017 by the U.S. Federal Aviation Administration (FAA) and the European Union Aviation Safety Agency (EASA). The MAX was given the same type certificate as the 737NG and previous 737 generations, thus grandfathering it. Boeing designed the MAX for such commonality to reduce pilot training and save money for its airline customers, a major selling point. Following two crashes, Lion Air Flight 610 and Ethiopian Airlines Flight 302, the MAX was grounded worldwide in March 2019. Contributing to both fatal accidents was a new automated flight control, the Maneuvering Characteristics Augmentation System (MCAS). Boeing had persuaded the FAA that MCAS did not have hazardous nor catastrophic failure conditions, and that pilots could use existing flight procedures; thus, MCAS was omitted from the airplane manuals, leaving pilots unaware of the system until after the first accident.

The Advisory Circular AC 00-69, Best Practices for Airborne Software Development Assurance Using EUROCAE ED-12( ) and RTCA DO-178( ), initially issued in 2017, supports application of the active revisions of ED-12C/DO-178C and AC 20-115. The AC does not state FAA guidance, but rather provides information in the form of complementary "best practices".


  1. Bill Potter. Complying with DO-178C and DO-331 using Model-Based Design (PDF). SAE 2012 Aerospace Electronics and Avionics Systems Conference (12AEAS). MathWorks, Inc. Retrieved 2019-02-13.
  2. S18 (2010). Guidelines for Development of Civil Aircraft and Systems. SAE International. ARP4754A.
  3. ANM-110 (1988). System Design and Analysis (pdf). Federal Aviation Administration. Advisory Circular AC 25.1309-1A. Retrieved 2011-02-20.
  4. ARP4754A, p. 7
  5. ARAC Systems Design and Analysis Harmonization Working Group (2002). Task 2 – System Design and Analysis Harmonization and Technology Update (PDF). Federal Aviation Administration. Archived from the original (pdf) on 2006-10-05. Retrieved 2011-02-20.
  6. ARP4754A, pp. 7-8
  7. ARP4754A, p. 11
  8. ARP4754A, p. 34
  9. S18 (1996). Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. Society of Automotive Engineers. p. 9. ARP4761.