HCRQ
System Safety, Software Safety Experts
Since 1986

"The Key To A Safer World"
salus populi suprema lex

Avionics System Safety




Knowledge and experience in system safety, software safety, system engineering, project management, and reliability are necessary for one to work effectively in avionics safety.


One Of Our Avionics Contracts

System Safety SME For DND's MHP Defense Helicopter Acquisition

HCRQ was responsible for specifying system safety requirements (e.g., SOW, CDRLs, DIDs) and for reviewing the system safety portions of other SOW sections and DIDs (e.g., project management, system engineering, airworthiness) for the Canadian Maritime Helicopter Project.

This position interfaced directly with the human factors engineering, system engineering, software, project management, configuration management, and airworthiness aspects of the project. The MHP contract was awarded to Sikorsky, which praised the quality of our work.

This work thus established the baseline for system safety of the CH148 Cyclone.

Another Avionics Contract

System Safety Analysis For UAV De-Icing System

HCRQ is responsible for the reliability, maintainability and safety analyses for Ice Management Systems' Electro-Expulsive De-icing System (EEDS) used on the WK450 Watchkeeper UAV.

The WK450 will be based on the Elbit 450 Hermes tactical UAV.

Clouds containing supercooled liquid water constitute a significant aviation hazard because of the risk of aircraft icing. Icing reduces lift, rate of climb, and fuel efficiency while increasing drag, stalling speed, weight, and power requirements.

At pre-determined intervals, the EEDS passes a pulse of current through embedded conductors. Electromagnetic forces repel the top layer away from the rigidly mounted bottom layer. The top layer imparts a shock/acceleration force to the outer surface. This rapid acceleration force breaks the surface tension of the ice on the outer surface of the cuff and shatters the ice into harmless particles.

Another Avionics Contract

System Safety Support For ECU

HCRQ is providing SAE ARP4761 system safety support to RCCT (formerly Athena Technologies Inc.) on an Engine Control Unit project.

Technical Airworthiness Manual (TAM) Critique

We critiqued DND's TAM identifying deficiencies with respect to system safety.

After spending this many years in system safety, we quickly focus on what is missing and what is wrong.


SAE ARP 4761

SAE ARP4761 is specifically oriented towards "airborne systems and equipment". This standard dovetails with:

  • SAE ARP 4754 (certification considerations),
  • RTCA DO-178B (software considerations), and
  • RTCA DO-254 (hardware considerations).

SAE ARP4761 is based on qualitative safety targets, in the form of Development Assurance Levels, and quantitative safety targets which are flowed down and verified.

Similar to other approaches to system safety, its intent is to influence architectural design.

SAE ARP4761 utilizes the concept of failure conditions which are classified according to severity.

Since this standard focuses on aircraft hazards, it does not address other categories of hazard or the analyses associated with them.


SAE ARP4761 Critique

While writing system safety SOW text and DIDs for a client, we noted that this standard was deficient in a few areas.

We critiqued SAE ARP4761 and forwarded our comments to the originators.
Some of our comments were concerned with omissions.
Others were concerned with definition and nomenclature inconsistencies.


Development Assurance Levels (DALs)

DALs are primarily an SAE ARP4761 concept and are similar to Safety Integrity Levels (SILs).

The System Safety Program defines DALs for aircraft functions, for systems, for items, for hardware and for software.

DALs must be determined by experienced system safety engineers, as their assignment is crucial.

DALs for aircraft functions are determined from the hazard or failure condition severities.

DALs are utilized to establish confidence that system development has been accomplished in a sufficiently disciplined manner to limit the likelihood of development errors that could impact safety.

The hardware and software design levels establish the degrees of rigor to be used in the associated development processes.


Safety Assessments

SAE ARP4761 calls up:

Common Cause Analysis (CCA) is addressed very well and is embodied in the Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA).

By the way, did you know that you can purchase DIDs from us for FHA, PSSA, SSA and more? For more information contact Haley MacGregor.

SAE ARP4761 advocates the following analytical approaches:


CMRs

A Certification Maintenance Requirement (CMR) is a mandatory periodic task, required to maintain the safety of the aircraft, which is established during the design certification of the aircraft as an operating limitation of the type certificate.

The maintenance requirements, and the necessary interval between these focused maintenance activities in order to ensure adequate safety coverage, are derived by the System Safety Program.

The use of periodic maintenance or flight crew checks to detect significant latent failures when they occur is undesirable and should not be used in lieu of practical and reliable failure monitoring and indication.

CMRs are identified within the PSSA and verified within the SSA.


MMEL

A Master Minimum Equipment List (MMEL) regulates the dispatch of aircraft with inoperative equipment.

It defines the aircraft equipment allowed to be inoperative under certain conditions for a specific aircraft.


RTCA DO-178B

RTCA DO-178B utilizes Software Development Assurance Levels defined by the application of SAE ARP 4761.

  • A - Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a catastrophic failure condition for the aircraft
  • B - Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a hazardous/severe-major failure condition for the aircraft
  • C - Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a major failure condition for the aircraft
  • D - Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a minor failure condition for the aircraft
  • E - Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function with no effect on aircraft operational capability or pilot workload

RTCA has formed subcommittee SC-205 to produce DO-178C and DO-248C.


RTCA DO-254

RTCA DO-254 utilizes Hardware Development Assurance Levels defined by the application of SAE ARP 4761.

  • A - Hardware functions whose failure or anomalous behavior, as shown by the hardware safety assessment, would cause a failure of system function resulting in a catastrophic failure condition for the aircraft
  • B - Hardware functions whose failure or anomalous behavior, as shown by the hardware safety assessment, would cause a failure of system function resulting in a hazardous/severe-major failure condition for the aircraft
  • C - Hardware functions whose failure or anomalous behavior, as shown by the hardware safety assessment, would cause a failure of system function resulting in a major failure condition for the aircraft
  • D - Hardware functions whose failure or anomalous behavior, as shown by the hardware safety assessment, would cause a failure of system function resulting in a minor failure condition for the aircraft
  • E - Hardware functions whose failure or anomalous behavior, as shown by the hardware safety assessment, would cause a failure of system function with no effect on aircraft operational capability or flight crew workload
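As an added illustration (not HCRQ's own tooling, nor text from either standard), the Python below applies the DO-178B/DO-254 severity-to-level definitions listed above together with the rule from the DALs section that a function's level follows its most severe failure condition, and then checks that the software and hardware items implementing each function have not been assigned a less stringent level. The conservative inheritance of the function DAL by every item (no credit claimed for independence or architectural mitigation), the function names and the sample FHA rows are assumptions constructed for the example.

```python
# Failure-condition severity -> required level, as listed for DO-178B/DO-254.
SEVERITY_TO_LEVEL = {"catastrophic": "A", "hazardous/severe-major": "B",
                     "major": "C", "minor": "D", "no effect": "E"}
LEVEL_RANK = {lvl: i for i, lvl in enumerate("ABCDE")}  # A is most stringent

def level_for(severity):
    if severity not in SEVERITY_TO_LEVEL:
        raise ValueError(f"unknown failure condition severity: {severity!r}")
    return SEVERITY_TO_LEVEL[severity]

def most_stringent(levels):
    return min(levels, key=LEVEL_RANK.__getitem__, default="E")

def function_dals(fcs):
    """fcs: (function, description, severity) rows from the FHA.
    Function DAL = level of the function's most severe failure condition."""
    dals = {}
    for function, _desc, severity in fcs:
        dals[function] = most_stringent([level_for(severity),
                                         dals.get(function, "E")])
    return dals

def required_item_dals(fcs, allocation):
    """allocation: item -> set of functions it implements. An item inherits the
    most stringent DAL of those functions (assumption: no independence credit)."""
    fdals = function_dals(fcs)
    return {item: most_stringent(fdals.get(f, "E") for f in funcs)
            for item, funcs in allocation.items()}

def under_assigned(fcs, allocation, assigned):
    """Items whose assigned level is less stringent than the derived one,
    as item -> (assigned, required). An empty dict means the allocation is sound."""
    req = required_item_dals(fcs, allocation)
    return {i: (assigned.get(i, "E"), need) for i, need in req.items()
            if LEVEL_RANK[assigned.get(i, "E")] > LEVEL_RANK[need]}

# Constructed sample FHA rows and allocation (illustrative, not a real programme).
SAMPLE_FCS = [
    ("Control engine thrust", "Uncommanded loss of thrust control", "catastrophic"),
    ("Provide de-icing", "Undetected loss of de-icing", "hazardous/severe-major"),
    ("Provide de-icing", "Spurious de-icing pulse", "minor"),
    ("Report system status", "Stale status indication", "minor"),
]
SAMPLE_ALLOCATION = {"ECU software": {"Control engine thrust"},
                     "De-icing controller firmware": {"Provide de-icing", "Report system status"},
                     "Status display": {"Report system status"}}
SAMPLE_ASSIGNED = {"ECU software": "A", "De-icing controller firmware": "C",
                   "Status display": "D"}
```

Running `under_assigned(SAMPLE_FCS, SAMPLE_ALLOCATION, SAMPLE_ASSIGNED)` on the constructed data flags the de-icing firmware, which was assigned level C but supports a function with a hazardous/severe-major failure condition and therefore requires level B.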

For more information contact Blake Palmer.