1、_ SAE Technical Standards Board Rules provide that: “This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising there
2、from, is the sole responsibility of the user.” SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancelled. SAE invites your written comments and suggestions. Copyright 2010 SAE International All rights reserved. No part of this publication m
3、ay be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE. TO PLACE A DOCUMENT ORDER: Tel: 877-606-7323 (inside USA and Canada) Tel: +1 724-776-4970 (outside U
4、SA) Fax: 724-776-0790 Email: CustomerServicesae.org SAE WEB ADDRESS: http:/www.sae.orgSAE values your input. To provide feedback on this Technical Report, please visit http:/www.sae.org/technical/standards/ARP4754AAEROSPACERECOMMENDEDPRACTICEARP4754 REV. A Issued 1996-11 Revised 2010-12Superseding A
5、RP4754 (R) Guidelines for Development of Civil Aircraft and Systems RATIONALEThis document provides updated and expanded guidelines for the processes used to develop civil aircraft and systems. TABLE OF CONTENTS 1. SCOPE 51.1 Purpose . 61.2 Document Background: 72. REFERENCES 82.1 Applicable Documen
6、ts 82.1.1 SAE Publications . 82.1.2 FAA Publications . 82.1.3 EASA Publications 92.1.4 RTCA Publications 92.1.5 EUROCAE Publications 92.2 Definitions . 102.3 Abbreviations and Acronyms 143. DEVELOPMENT PLANNING . 163.1 Planning Process 163.2 Transition Criteria 173.2.1 Deviations from Plans . 194. A
7、IRCRAFT AND SYSTEM DEVELOPMENT PROCESS. 194.1 Conceptual Aircraft/System Development Process 204.1.1 Development Assurance . 224.1.2 Introduction to Development Assurance Process . 224.1.3 Introduction to Hierarchical Safety Requirements Generated from Safety Analyses . 234.1.4 Identification of Air
8、craft-Level Functions, Function Requirements and Function Interfaces 254.1.5 Allocation of Aircraft Functions to Systems 254.1.6 Development of System Architecture . 254.1.7 Allocation of System Requirements to Items 254.1.8 System Implementation 254.2 Aircraft Function Development 254.3 Allocation
9、of Aircraft Functions to Systems 284.4 Development of System Architecture: 284.5 Allocation of System Requirements to Items 284.6 System Implementation 294.6.1 Information Flow - System Process To the variety of potential systems applications, the rapid development of systems engineering, and indust
10、ry experience with the evolving guidance contained in DO-178, DO-178A/ED-12A and DO-178B/ED-12B being particularly significant. The current trend in system design is an increasing level of integration between aircraft functions and the systems that implement them. While there can be considerable val
11、ue gained when integrating systems with other systems, the increased complexity yields increased possibilities for errors, particularly with functions that are performed jointly across multiple systems. Following the Aviation Rulemaking Advisory Committee (ARAC) recommendations to respond to this in
12、creased integration which referenced ARP4754/ED-79 in advisory materials for compliance to 14CFR/CS 23.1309 (see AC23.1309-1D, issued in 2009) and 25.1309 (see AMC 25.1309, published in 2003 and AC25.1309-Arsenal draft) the use of the ARP4754/ED-79 in aircraft certification has become increasingly w
13、idespread. Along with the increasing use, in particular Section 5.4 Assignmentof Development Assurance Levels in the original ARP4754, come insights on the strengths and weaknesses of its guidelines. The underlying philosophy is succinctly represented in the original section 5.4 of ARP4754 as follow
14、s:“If the PSSA shows that the system architecture provides containment for the effects of design errors, so that the aircraft-level effects of such errors are sufficiently benign, the development assurance activities can be conducted at a reduced level of process rigor for the system items wholly wi
15、thin the architectural containment boundary.”Experience has shown that the processes and definitions used to determine containment have yielded different interpretation and application of the philosophy. Improvement to the development assurance level assignment process is one of the main features of
16、 this revision by providing a methodology to assign the correct development assurance levels.When the original ARP 4754/ED-79 was published in 1996, the SIRT and WG-42 groups were dissolved. When the document came due for revision, a group with sufficient expertise at the aircraft level was required
17、 to address this work. TheSAE S-18 Airplane Safety Committee was chosen because of their familiarity with the original document and the close association of the documents they develop and this ARP. Several S-18 committee members were on the SIRT group that developed the original ARP4754 document. At
18、 the same time, EUROCAE chartered a Working Group to update ED-79. WG-63 incorporated members from the original WG-42 working group, as well as representatives from a wide range of industrial and academic participants in the European Aerospace industry. Keeping to the Memorandum of Understanding for
19、 this document, WG-63 worked alongside S-18 to ensure that ED-79A is word-for-word equivalent to ARP4754A. Copyright SAE International Provided by IHS under license with SAENot for ResaleNo reproduction or networking permitted without license from IHS-,-,-SAE ARP4754A Page 8 of 115Revision A contain
20、s updates to the document that take into account the evolution of the industry over the intervening years. The relationship between ARP 4754/ED-79 and ARP 4761, and their relationship with DO-178B/ED-12B and DO-254/ED-80 are strengthened and discrepancies between the documents are identified and add
21、ressed. Revision A also expands the design assurance concept for application at the aircraft and system level and standardizes on the use of the term development assurance. As a consequence, for aircraft and systems Functional Development Assurance Level (FDAL) is introduced and the term design assu
22、rance level has been renamed Item Development Assurance Level (IDAL). Also included are enhancements created by feedback from the industry since the first publication. In addition, S-18 / WG-63 coordinated this revision effort with RTCA Special Committee 205 (SC-205) / EUROCAE WG-71 to ensure that t
23、he terminology and approach being used are consistent with those being developed for the update to DO-178B / ED-12B. 2. REFERENCES 2.1 Applicable Documents The following publications are referenced in this guideline document. The applicable issue of referenced publications is the revision noted in t
24、his section. Where later versions of these documents are available, applicants should check their applicability. Note that the revision level of references may not be noted elsewhere in the document unless pertinent. 2.1.1 SAE Publications Available from SAE International, 400 Commonwealth Drive, Wa
25、rrendale, PA 15096-0001, Tel: 877-606-7323 (inside USA and Canada) or 724-776-4970 (outside USA), www.sae.org.ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems ARP5150 Safety Assessment of Transport Airplanes In Commercial Service ARP5151 Safety As
26、sessment of General Aviation Airplanes and Rotorcraft In Commercial Service 2.1.2 FAA Publications Available from Federal Aviation Administration, 800 Independence Avenue, SW, Washington, DC 20591, Tel: 866-835-5322, www.faa.gov.14CFR Part 21 Certification Procedures for Products and Parts 14CFR Par
27、t 23 Airworthiness Standards: Normal, Utility, Acrobatic and Commuter Category Airplanes 14CFR Part 25 Airworthiness Standards: Transport Category Airplanes 14CFR Part 27 Airworthiness Standards: Normal Category Rotorcraft 14CFR Part 29 Airworthiness Standards: Transport Category Rotorcraft 14CFR Pa
28、rt 33 Airworthiness Standards: Aircraft Engines 14CFR Part 35 Airworthiness Standards: Propellers AC 23.1309-1D System Safety Analysis And Assessment For Part 23 Airplanes AC 25.19 Certification Maintenance Requirements AC 25.1309-1A System Design and Analysis, Advisory Circular Copyright SAE Intern
29、ational Provided by IHS under license with SAENot for ResaleNo reproduction or networking permitted without license from IHS-,-,-SAE ARP4754A Page 9 of 1152.1.3 EASA Publications Available from European Aviation Safety Agency, Otto Platz 1, Postfach 101253, D-50452, Cologne, Germany, www.easa.eu.int
30、.IR-21 Certification Procedures for Aircraft, and Related Products agreement between the expected or specified result and the actual result. COMPONENT: Any self-contained part, combination of parts, subassemblies or units, that perform a distinctive function necessary to the operation of the system.
31、 CONFIGURATION BASELINE: A known aircraft/ system /item configuration against which a change process can be undertaken.CONFIGURATION ITEM: Aircraft, system, item and related data that is under configuration control. CONFORMANCE: Established as correct with reference to a standard, specification or d
32、rawing. DEMONSTRATION: A method of proof of performance by observation. DERIVED REQUIREMENTS: Additional requirements resulting from design or implementation decisions during the development process which are not directly traceable to higher-level requirements.DEVELOPMENT ASSURANCE: All of those pla
33、nned and systematic actions used to substantiate, at an adequate level of confidence, that errors in requirements, design and implementation have been identified and corrected such that the system satisfies the applicable certification basis. (AMC 25).DEVELOPMENT ERROR: A mistake in requirements det
34、ermination, design or implementation. ERROR: An omitted or incorrect action by a crewmember or maintenance person, or a mistake in requirements, design, or implementation (derived from AMC 25.1309). EXTERNAL EVENT: An occurrence which has its origin distinct from the aircraft or the system being exa
35、mined, such as atmospheric conditions (e.g., wind gusts/shear, temperature variations, icing, lightning strikes), operating environment (e.g. runway conditions, conditions of communication, navigation, and surveillance services), cabin and baggage fires, and bird-strike. The term is not intended to
36、cover sabotage. FAILURE: An occurrence which affects the operation of a component, part or element such that it can no longer function as intended, (this includes both loss of function and malfunction). Note: errors may cause Failures, but are not considered to be Failures. (AMC 25.1309) FAILURE CON
37、DITION: A condition having an effect on the aircraft and/or its occupants, either direct or consequential, which is caused or contributed to by one or more failures or errors, considering flight phase and relevant adverse operational or environmental conditions or external events (AMC 25.1309).FAILU
38、RE EFFECT: A description of the operation of a system or item as the result of a failure; i.e., the consequence(s) a failure mode has on the operation, function or status of a system or an item. FAILURE MODE: The way in which the failure of a system or item occurs. FAILURE RATE: The gradient of the
39、failure distribution function divided by the reliability distribution function at time t. (t) = F(t)/(1-F(t) FAULT: A manifestation of an error in an item or system that may lead to a failure. FUNCTION: Intended behavior of a product based on a defined set of requirements regardless of implementatio
40、n. FUNCTION Development Assurance Level: The level of rigor of development assurance tasks performed to Functions. Note: The FDAL is used to identify the ARP4754 /ED-79 objectives that need to be satisfied for the aircraft/system functions.FUNCTIONAL FAILURE SET: A single Member or a specific group
41、of Members that are considered to be independent from one another (not necessarily limited to one system) that lead(s) to a top level Failure Condition. Copyright SAE International Provided by IHS under license with SAENot for ResaleNo reproduction or networking permitted without license from IHS-,-
42、,-SAE ARP4754A Page 12 of 115FUNCTIONAL HAZARD ASSESSMENT: A systematic, comprehensive examination of functions to identify and classify Failure Conditions of those functions according to their severity. FUNCTIONAL INDEPENDENCE: An attribute where the Functions are different in order to minimize the
43、 likelihood of a common requirement error. GUIDANCE: Recommended procedure for complying with regulations. GUIDELINE: Supporting information that can be helpful but is not considered to be guidance. HARDWARE: An item that has physical being. HAZARD: A condition resulting from failures, external even
44、ts, errors, or combinations thereof where safety is affected. IMPLEMENTATION: The act of creating a physical reality from a specification. INDEPENDENCE: 1. A concept that minimizes the likelihood of common mode errors and cascade failures between aircraft/system functions or items, 2. Separation of
45、responsibilities that assures the accomplishment of objective evaluation e.g. validation activities not performed solely by the developer of the requirement of a system or item. INSPECTION: An examination of a system or item against a specific standard. INTEGRATION: 1. The act of causing elements of
46、 a system / item to function together. 2. The act of gathering a number of separate functions within a single implementation. INTEGRITY: Qualitative or quantitative attribute of a system or an item indicating that it can be relied upon to work correctly. It is sometimes expressed in terms of the pro
47、bability of not meeting the work correctly criteria. INTERCHANGEABILITY: The ability to substitute one part for another within a system and have the system perform to its specification.ITEM: A hardware or software element having bounded and well-defined interfaces. ITEM DEVELOPMENT ASSURANCE: All of
48、 those planned and systematic tasks used to substantiate, to an adequate level of confidence, that development errors have been identified and corrected such that the items satisfy a defined set of requirements.ITEM DEVELOPMENT Assurance Level (IDAL): The level of rigor of development assurance tasks performed on Item(s). e.g. IDAL is the appropriate Software Level in DO-178B/ED-12B, and design assurance level in DO-254/ED-80 objectives that need to be satisfied for an item. ITEM DEVELOPMENT INDEPENDENCE An attribu
