Zonal safety analysis

Zonal Safety Analysis (ZSA) is one of three analytical methods which, taken together, form a Common Cause Analysis (CCA) in aircraft safety engineering under SAE ARP4761. [1] The other two methods are Particular Risks Analysis (PRA) and Common Mode Analysis (CMA). Aircraft system safety requires the independence of failure conditions for multiple systems. Independent failures, represented by an AND gate in a fault tree analysis, have a low probability of occurring in the same flight. Common causes result in the loss of independence, which dramatically increases the probability of failure. CCA and ZSA are used to find and eliminate or mitigate common causes for multiple failures.
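As an added illustration of the independence argument above (this is example code, not from the article or from ARP4761), the following Python computes the top-event probability of an AND gate for independent channels and for the same channels exposed to one shared common-cause event. All per-flight probabilities are constructed values chosen to make the effect visible, not figures from any certification data.

```python
"""Fault-tree arithmetic behind the common-cause argument (added example).

The per-flight failure probabilities used here are constructed for illustration
and are not taken from any certification data or from ARP4761.
"""
import math
from typing import Sequence


def independent_loss(channel_probs: Sequence[float]) -> float:
    """AND gate over independent channels: every channel must fail in the same flight."""
    return math.prod(channel_probs)


def loss_with_common_cause(channel_probs: Sequence[float], p_cc: float) -> float:
    """Top event = (all channels fail independently) OR (one common-cause event).

    The common-cause event models a single occurrence in a shared zone (for
    example a rotor burst) that takes out every channel at once.  Using
    inclusion-exclusion keeps the union exact instead of approximating it as a sum.
    """
    p_ind = independent_loss(channel_probs)
    return p_ind + p_cc - p_ind * p_cc


def amplification(channel_probs: Sequence[float], p_cc: float) -> float:
    """How many times more likely the top event becomes once independence is lost."""
    return loss_with_common_cause(channel_probs, p_cc) / independent_loss(channel_probs)


if __name__ == "__main__":
    hyd = [1e-4, 1e-4, 1e-4]  # three hydraulic systems; constructed per-flight values
    print(f"independent loss of all three: {independent_loss(hyd):.1e} per flight")
    print(f"with a shared-zone hazard at 1e-8: {loss_with_common_cause(hyd, 1e-8):.1e} per flight")
    print(f"amplification: {amplification(hyd, 1e-8):.0f}x")
```

With three channels at 1e-4 each, the independent AND gate sits at 1e-12, but a single shared-zone event at 1e-8 dominates the top event and the overall probability rises by roughly four orders of magnitude. That gap is what a CCA is looking for: the common-cause term, not the product of the channel rates, sets the real risk.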

General description

ZSA is a method of ensuring that the equipment installations within each zone of an aircraft meet adequate safety standards with respect to design and installation standards, interference between systems, and maintenance errors. In those areas of the aeroplane where multiple systems and components are installed in close proximity, the zonal analysis should identify any failure or malfunction which by itself is considered sustainable but which could have more serious effects when it adversely affects other adjacent systems or components.

Aircraft manufacturers divide the airframe into zones to support airworthiness regulations, the design process, and to plan and facilitate maintenance. The commonly used aviation standard ATA iSpec 2200, which replaced ATA Spec 100, contains guidelines for determining airplane zones and their numbering. Some manufacturers use ASD S1000D for the same purpose. The zones and subzones generally relate to physical barriers in the aircraft. A typical zone map for a small transport aircraft is shown. [2]

Aircraft zones differ in usage, pressurization, temperature range, exposure to severe weather and lightning strikes, and the hazards contained, such as ignition sources, flammable fluids, flammable vapors, or rotating machines. Accordingly, installation rules differ by zone. For example, installation requirements for wiring depend on whether it is installed in a fire zone, rotor burst zone, or cargo area.

ZSA includes verification that a system's equipment and interconnecting wires, cables, and hydraulic and pneumatic lines are installed in accordance with defined installation rules and segregation requirements. ZSA evaluates the potential for equipment interference. It also considers failure modes and maintenance errors that could have a cascading effect on systems, [3] such as:

Potential problems are identified and tracked for resolution. For example, if redundant channels of a data bus were routed through an area where rotor burst fragments could result in loss of all channels, at least one channel should be rerouted.
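The rerouting example above can be expressed as a mechanical check. The Python below is an added example (not part of the article and not any manufacturer's tool) of a minimal zonal segregation check: it flags each hazard zone that every member of a redundancy group passes through, then re-runs the check after one channel is rerouted. The zone names, hazards and routes are constructed for the example; the zone labels are not ATA iSpec 2200 zone numbers.

```python
"""Zonal segregation check for redundant channels (added illustration).

Zones, hazards and routes below are constructed for this example.  The zone
names are plain labels, not ATA iSpec 2200 zone numbers, and the routes do not
describe any real aircraft.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    hazards: FrozenSet[str]        # hazards present in the zone, e.g. "rotor_burst"


@dataclass(frozen=True)
class Route:
    item: str                      # one wire bundle, line or channel
    system: str                    # redundancy group the item belongs to
    zones: Tuple[str, ...]         # zones the item passes through


@dataclass(frozen=True)
class Finding:
    system: str
    zone: str
    hazard: str
    members: Tuple[str, ...]       # every member of the group is exposed here


def zonal_findings(zones: Dict[str, Zone], routes: List[Route]) -> List[Finding]:
    """Flag each hazard zone that *all* members of a redundancy group pass through.

    One event in such a zone can defeat the whole group, which is exactly the loss
    of independence a ZSA is meant to catch.  A zone shared by only some members
    leaves at least one survivor and is not flagged by this simple rule.
    """
    groups: Dict[str, List[Route]] = {}
    for r in routes:
        groups.setdefault(r.system, []).append(r)

    findings: List[Finding] = []
    for system, members in sorted(groups.items()):
        if len(members) < 2:
            continue                                   # nothing redundant to lose
        shared = set.intersection(*(set(m.zones) for m in members))
        for zone_name in sorted(shared):
            for hazard in sorted(zones[zone_name].hazards):
                findings.append(Finding(system, zone_name, hazard,
                                        tuple(m.item for m in members)))
    return findings


def reroute(routes: List[Route], item: str, avoid: str, via: str) -> List[Route]:
    """Return a new route list with `item` taken out of zone `avoid` and run through `via`."""
    out: List[Route] = []
    for r in routes:
        if r.item == item:
            r = replace(r, zones=tuple(via if z == avoid else z for z in r.zones))
        out.append(r)
    return out


# Constructed zone map: TAIL_CONE lies in a tail-mounted engine's fragment plane.
ZONES = {
    "TAIL_CONE": Zone("TAIL_CONE", frozenset({"rotor_burst"})),
    "TAIL_BOOM_UPPER": Zone("TAIL_BOOM_UPPER", frozenset()),
    "FWD_EE_BAY": Zone("FWD_EE_BAY", frozenset()),
    "CABIN_FLOOR_L": Zone("CABIN_FLOOR_L", frozenset()),
    "CABIN_FLOOR_R": Zone("CABIN_FLOOR_R", frozenset()),
}

# Constructed routing: both data bus channels and all three hydraulic systems
# pass through TAIL_CONE.
ROUTES = [
    Route("databus_ch_A", "databus", ("FWD_EE_BAY", "CABIN_FLOOR_L", "TAIL_CONE")),
    Route("databus_ch_B", "databus", ("FWD_EE_BAY", "CABIN_FLOOR_R", "TAIL_CONE")),
    Route("hyd_sys_1", "hydraulics", ("CABIN_FLOOR_L", "TAIL_CONE")),
    Route("hyd_sys_2", "hydraulics", ("CABIN_FLOOR_R", "TAIL_CONE")),
    Route("hyd_sys_3", "hydraulics", ("TAIL_CONE",)),
]


def run_example() -> Tuple[List[Finding], List[Finding]]:
    """Findings before and after rerouting one data bus channel out of TAIL_CONE."""
    before = zonal_findings(ZONES, ROUTES)
    after = zonal_findings(ZONES, reroute(ROUTES, "databus_ch_B", "TAIL_CONE", "TAIL_BOOM_UPPER"))
    return before, after


if __name__ == "__main__":
    before, after = run_example()
    for f in before:
        print("FINDING", f.system, f.zone, f.hazard, f.members)
    print("after rerouting databus_ch_B:", [(f.system, f.zone) for f in after])
```

Both data bus channels share FWD_EE_BAY as well, but that zone carries no identified hazard, so the check stays silent there; rerouting one channel clears the data bus finding while the hydraulic finding remains open until its routing is changed too. A production ZSA would also weigh zones shared by only some members and maintenance-error exposure, which this rule deliberately leaves out.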

Case studies

On July 19, 1989, United Airlines Flight 232, a McDonnell Douglas DC-10-10, experienced an uncontained failure of its No. 2 engine stage 1 fan rotor disk assembly. The engine fragments severed the No. 1 and No. 3 hydraulic system lines. Forces from the engine failure fractured the No. 2 hydraulic system line. With the loss of all three hydraulic-powered flight control systems, safe landing was impossible. The lack of independence of the three hydraulic systems, although physically isolated, left them vulnerable to a single failure event due to their close proximity to one another. This was a zonal hazard. The aircraft crashed after diversion to Sioux Gateway Airport in Sioux City, Iowa, with 111 fatalities, 47 serious injuries and 125 minor injuries. [4] [5] [6]

On August 12, 1985, Japan Air Lines Flight 123, a Boeing 747-SR100, experienced cabin decompression at 24,000 feet, 12 minutes after takeoff from Haneda Airport in Tokyo, Japan. The decompression was caused by failure of a previously repaired aft pressure bulkhead. Cabin air rushed into the unpressurized fuselage cavity, overpressurizing the area and causing failure of the auxiliary power unit (APU) firewall and the supporting structure for the vertical fin. The vertical fin separated from the airplane. Hydraulic components located in the aft body were also severed, leading to a rapid depletion of all four hydraulic systems. The loss of the vertical fin, coupled with the loss of all four hydraulic systems, left the airplane extremely difficult, if not impossible, to control in all three axes. Lack of independence of the four hydraulic systems from a single failure event was a zonal hazard. The aircraft struck a mountain forty-six minutes after takeoff, with 520 fatalities and 4 survivors. [7]

References

  1. Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. Society of Automotive Engineers. 1996. ARP4761.
  2. Linzey, W. G. (2006). Development of an Electrical Wire Interconnect System Risk Assessment Tool (PDF). Federal Aviation Administration. DOT/FAA/AR-TN06/17. Retrieved 2011-02-19.
  3. Portwood, Brett (1998). System Safety Assessment. Federal Aviation Administration.
  4. Aircraft Accident Report: United Airlines Flight 232, McDonnell Douglas DC-10-10, Sioux Gateway Airport, Sioux City, Iowa, July 19, 1989 (PDF). National Transportation Safety Board. 1990. NTSB/AAR-90/06. Retrieved 2011-02-19.
  5. "Lessons Learned from Transport Airplane Accidents". Archived from the original on February 15, 2013. Retrieved February 24, 2015.
  6. "United Airlines Flight 232, DC-10". Federal Aviation Administration. 19 July 1989. Retrieved 2013-09-10.
  7. "Japan Air Lines Flight 123, Boeing 747-SR100, JA8119". Federal Aviation Administration. 12 August 1985. Retrieved 2013-09-10.