ARP4754

Guidelines For Development Of Civil Aircraft and Systems
Abbreviation: ARP4754B
Latest version: B (December 2023)
Organization: SAE International
Domain: Aviation safety
Website: www.sae.org/standards/content/arp4754b/

ARP4754, Aerospace Recommended Practice (ARP) ARP4754B (Guidelines for Development of Civil Aircraft and Systems), is a guideline from SAE International dealing with the development processes that support certification of aircraft systems, addressing "the complete aircraft development cycle, from systems requirements through systems verification."[1] Revision A was released in December 2010. It was recognized by the FAA through Advisory Circular AC 20-174, published November 2011.[2][3] EUROCAE jointly issues the document as ED79.

Objectives of the document

The Aerospace Recommended Practice (ARP) is a guideline for the development of civil aircraft and systems with an emphasis on safety aspects. Revision A is a substantial rewrite of the document that describes the safety process as part of an Integrated Development Process. A significant new section is devoted to the process of determining the Development Assurance Level (DAL), which determines the rigor of complex hardware and software development and verification activities.

It is intended to be used in conjunction with SAE ARP4761 (still under revision in December 2013) and is supported by other aviation standards such as RTCA DO-178C/DO-178B and DO-254.

This guideline addresses functional safety and design assurance processes. DALs are allocated according to functional failure conditions and hazard severity in order to mitigate risk. Functional Hazard Analyses/Assessments are central to identifying hazards and assigning DALs, alongside requirements-based testing and other verification methods. The guideline concerns itself with Physical (item) DAL, Functional (software/systems integration behavior) DAL, and the safety aspects of systems that implement aircraft functions across the whole life-cycle.

History

ARP4754 was defined in the context of aircraft certification, in particular Part 25 Sections 1301 and 1309 of harmonized civil aviation regulations for transport category airplanes. These are found in the U.S. FAA Federal Aviation Regulations (FAR) at 14 CFR 25.1309 and the corresponding European JAA Joint Aviation Requirements (JAR), which have been replaced by EASA certification standards. FAA Advisory Circular AC 25.1309-1A, System Design and Analysis, explained certification methodology for Part 25 Section 1309. [4]

In May 1996, the FAA Aviation Rulemaking Advisory Committee (ARAC) was tasked with a review of harmonized FAR/JAR 25.1309, AC 1309-1A, and related documents, and with considering a revision to AC 1309-1A incorporating recent practice, the increasingly complex integration between aircraft functions and the systems that implement them,[5] and the implications of new technology. This task was published in the Federal Register at 61 FR 26246-26247 (1996-05-24). The focus was to be on safety assessment and fault-tolerant critical systems.

In a parallel effort, SAE published ARP4754 in November 1996. In 2002 ARAC submitted to the FAA a draft Notice of Proposed Rulemaking (NPRM) and draft revision AC 1309-1B (the draft ARSENAL version) recognizing the role of ARP4754 in complex system certification. [6] This draft remains unreleased, but ARP4754 became broadly recognized as an appropriate standard for aircraft system development and certification. The corresponding EASA Acceptable Means of Compliance AMC 25.1309 (included as a section of CS-25) does recognize ARP4754/ED79.

The FAA and EASA have both subsequently recognized ARP4754/ED79 as valid for certification of other aircraft categories, and for specific systems such as avionic databuses.

ARP4754A and ED79A were released by SAE and EUROCAE in December 2010. The document title was changed to Guidelines For Development Of Civil Aircraft and Systems. ARP4754A recognizes AMC 25.1309 (published in 2003) and the AC 25.1309-1B-Arsenal draft. This revision expands the design assurance concept for application at the aircraft and system level and standardizes on the use of the term development assurance. As a consequence, Functional Development Assurance Level (FDAL) is introduced for aircraft and system concerns, and the term Design Assurance Level has been renamed Item Development Assurance Level (IDAL).[7] Furthermore, the added definitions of Error, Failure, and Failure Condition are acknowledged as derived from AMC 25.1309.[8] The qualitative and quantitative classification of failure conditions by severity and probability now used by ARP4754A[9] and ARP4761[10] are defined in AMC 25.1309 and the AC 25.1309-1B-Arsenal draft.

Related Research Articles

Safety engineering

Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.

DO-178B, Software Considerations in Airborne Systems and Equipment Certification is a guideline dealing with the safety of safety-critical software used in certain airborne systems. It was jointly developed by the safety-critical working group RTCA SC-167 of the Radio Technical Commission for Aeronautics (RTCA) and WG-12 of the European Organisation for Civil Aviation Equipment (EUROCAE). RTCA published the document as RTCA/DO-178B, while EUROCAE published the document as ED-12B. Although technically a guideline, it was a de facto standard for developing avionics software systems until it was replaced in 2012 by DO-178C.

A hazard analysis is used as the first step in a process used to assess risk. The result of a hazard analysis is the identification of different types of hazards. A hazard is a potential condition that either exists or does not. It may, on its own or in combination with other hazards and conditions, become an actual Functional Failure or Accident (Mishap). The exact way this happens in one particular sequence is called a scenario, and each scenario has a probability of occurrence. Often a system has many potential failure scenarios. Each is also assigned a classification based on the worst-case severity of the end condition. Risk is the combination of probability and severity. Preliminary risk levels can be provided in the hazard analysis. The validation, more precise prediction (verification) and acceptance of risk are determined in the risk assessment (analysis). The main goal of both is to provide the best selection of means of controlling or eliminating the risk. The term is used in several engineering specialties, including avionics, food safety, occupational safety and health, process safety, and reliability engineering.

ARP4761

ARP4761, Guidelines for Conducting the Safety Assessment Process on Civil Aircraft, Systems, and Equipment is an Aerospace Recommended Practice from SAE International. In conjunction with ARP4754, ARP4761 is used to demonstrate compliance with 14 CFR 25.1309 in the U.S. Federal Aviation Administration (FAA) airworthiness regulations for transport category aircraft, and also harmonized international airworthiness regulations such as European Aviation Safety Agency (EASA) CS–25.1309.

RTCA DO-254 / EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware is a document providing guidance for the development of airborne electronic hardware, published by RTCA, Incorporated and EUROCAE. The DO-254/ED-80 standard was formally recognized by the FAA in 2005 via AC 20-152 as a means of compliance for the design assurance of electronic hardware in airborne systems. The guidance in this document is applicable, but not limited, to such electronic hardware items as

DO-160

DO-160, Environmental Conditions and Test Procedures for Airborne Equipment is a standard for the environmental testing of avionics hardware. It is published by the Radio Technical Commission for Aeronautics (RTCA) and supersedes DO-138.

The Modification and Replacement Parts Association is the Washington, D.C.-based trade association that represents manufacturers of government-approved aftermarket aircraft parts. These aircraft parts are often known as PMA parts, from the acronym for Parts Manufacturer Approval. The manufacture of PMA parts is regulated in the United States by the Federal Aviation Administration.

Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.

DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which certification authorities such as the FAA, EASA and Transport Canada approve all commercial software-based aerospace systems. The document is published by RTCA, Incorporated, in a joint effort with EUROCAE, and replaces DO-178B. The new document is called DO-178C/ED-12C; it was completed in November 2011 and approved by the RTCA in December 2011. It became available for sale and use in January 2012.

Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. It is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 for the automotive industry. This classification helps define the safety requirements necessary to comply with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard, looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.

Advisory circular

Advisory circular (AC) refers to a type of publication offered by the Federal Aviation Administration (FAA) to "provide a single, uniform, agency-wide system … to deliver advisory (non-regulatory) material to the aviation community." Advisory circulars are now harmonized with soft law Acceptable Means of Compliance (AMC) publications of EASA, which are nearly identical in content. The FAA's Advisory Circular System is defined in FAA Order 1320.46D.

AC 25.1309-1

AC 25.1309–1 is an FAA Advisory Circular (AC) that identifies acceptable means for showing compliance with the airworthiness requirements of § 25.1309 of the Federal Aviation Regulations. Revision A was released in 1988. In 2002, work was done on Revision B, but it was not formally released; the result is the Rulemaking Advisory Committee-recommended revision B-Arsenal Draft (2002). The Arsenal Draft is "considered to exist as a relatively mature draft". The FAA and EASA have subsequently accepted proposals by type certificate applicants to use the Arsenal Draft on development programs.

FAA Order 8130.34

FAA Order 8130.34D, Airworthiness Certification of Unmanned Aircraft Systems, establishes procedures for issuing either special airworthiness certificates in the experimental category or special flight permits to unmanned aircraft systems (UAS), optionally piloted aircraft (OPA), and aircraft intended to be flown as either a UAS or an OPA.

AC 20-115

The Advisory Circular AC 20-115( ), Airborne Software Development Assurance Using EUROCAE ED-12( ) and RTCA DO-178( ), recognizes the RTCA published standard DO-178 as defining a suitable means for demonstrating compliance for the use of software within aircraft systems. The present revision D of the circular identifies ED-12/DO-178 Revision C as the active revision of that standard and particularly acknowledges the synchronization of ED-12 and DO-178 at that revision.

DO-248C, Supporting Information for DO-178C and DO-278A, published by RTCA, Incorporated, is a collection of Frequently Asked Questions and Discussion Papers addressing applications of DO-178C and DO-278A in the safety assurance of software for aircraft and software for CNS/ATM systems, respectively. Like DO-178C and DO-278A, it is a joint RTCA undertaking with EUROCAE and the document is also published as ED-94C, Supporting Information for ED-12C and ED-109A. The publication does not provide any guidance additional to DO-178C or DO-278A; rather, it only provides clarification for the guidance established in those standards. The present revision is also expanded to include the "Rationale for DO-178C/DO-278A" section to document items that were considered when developing DO-178B and then DO-178C, DO-278A, and DO-330, as well as the supplements that accompany those publications.

Boeing 737 MAX certification

The Boeing 737 MAX was initially certified in 2017 by the U.S. Federal Aviation Administration (FAA) and the European Union Aviation Safety Agency (EASA). Global regulators grounded the plane in 2019 following fatal crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302. Both crashes were linked to the Maneuvering Characteristics Augmentation System (MCAS), a new automatic flight control feature. Investigations into both crashes determined that Boeing and the FAA favored cost-saving solutions, which ultimately produced a flawed design of the MCAS instead. The FAA's Organization Designation Authorization program, allowing manufacturers to act on its behalf, was also questioned for weakening its oversight of Boeing.

CAST-32A, Multi-core Processors is a position paper by the Certification Authorities Software Team (CAST). It is not official guidance, but is considered informational by certification authorities such as the FAA and EASA. A key point is that multi-core processor "interference can affect execution timing behavior, including worst case execution time (WCET)."

The Advisory Circular AC 00-69, Best Practices for Airborne Software Development Assurance Using EUROCAE ED-12( ) and RTCA DO-178( ), initially issued in 2017, supports application of the active revisions of ED-12C/DO-178C and AC 20-115. The AC does not state FAA guidance, but rather provides information in the form of "best practices" complementary to the objectives of ED-12C/DO-178C.

The Certification Authorities Software Team (CAST) is an international group of aviation certification and regulatory authority representatives. The organization has been a means of coordination among representatives from certification authorities in North and South America, Europe, and Asia, in particular the FAA and EASA. The focus of the organization has been harmonization of certification authority activities, in part through clarification and improvement of the guidance provided by DO-178 and DO-254.

CAST-15

CAST-15, Merging High-Level and Low-Level Requirements is a Certification Authorities Software Team (CAST) Position Paper. It is an FAA publication that "does not constitute official policy or guidance from any of the authorities", but is provided to applicants for software and hardware certification for educational and informational purposes only.

References

  1. Bill Potter. Complying with DO-178C and DO-331 using Model-Based Design (PDF). SAE 2012 Aerospace Electronics and Avionics Systems Conference (12AEAS). MathWorks, Inc. Retrieved 2019-02-13.
  2. Leanna Rierson (19 December 2017) [7 January 2013]. Developing Safety-Critical Software: A Practical Guide for Aviation Software and DO-178C Compliance. CRC Press. p. 49. ISBN 9781351834056. Retrieved 2024-04-10. "On September 30, 2011, the Federal Aviation Administration (FAA) published Advisory Circular (AC) 20-174, entitled Development of civil aircraft systems. AC 20-174 recognizes ARP4754A as 'an acceptable method for establishing a development assurance process.'"
  3. S18 (2010). Guidelines for Development of Civil Aircraft and Systems. SAE International. ARP4754A.
  4. ANM-110 (1988). System Design and Analysis (PDF). Federal Aviation Administration. Advisory Circular AC 25.1309-1A. Retrieved 2011-02-20.
  5. ARP4754A, p. 7
  6. ARAC Systems Design and Analysis Harmonization Working Group (2002). Task 2 – System Design and Analysis Harmonization and Technology Update (PDF). Federal Aviation Administration. Archived from the original (PDF) on 2006-10-05. Retrieved 2011-02-20.
  7. ARP4754A, pp. 7-8
  8. ARP4754A, p. 11
  9. ARP4754A, p. 34
  10. S18 (1996). Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. Society of Automotive Engineers. p. 9. ARP4761.