AC 25.1309-1

System Design and Analysis
FAA Publication
Abbreviation: AC 25.1309–1
Year started: 1982
Latest version: B (2024)
Organization: Federal Aviation Administration
Domain: Aviation safety

AC 25.1309–1 is an FAA Advisory Circular (AC) (Subject: System Design and Analysis) that identifies acceptable means for showing compliance with the airworthiness requirements of § 25.1309 of the Federal Aviation Regulations, which requires that civil aviation equipment, systems, and installations "perform their intended function under foreseeable operating conditions."[1] The present Revision B was released in August 2024. AC 25.1309–1 establishes the principle that the more severe the hazard resulting from a system or equipment failure, the less likely that failure must be. Catastrophic failures must be extremely improbable.[2]

Airworthiness standards

The airworthiness requirements for transport category (large civil aircraft, both airplanes and helicopters) are contained in Title 14, Code of Federal Regulations (14 CFR) part 25 (commonly referred to as part 25 of the Federal Aviation Regulations (FAR)). Manufacturers of transport category airplanes must show that each airplane they produce of a given type design complies with the relevant standards of part 25.

The present AC 25.1309–1 describes acceptable means for showing compliance with those airworthiness requirements. It recognizes Aerospace Recommended Practices ARP4754 and ARP4761 (or their successors) as such means:[3]

  • ARP4754, Guidelines for Development of Civil Aircraft and Systems, is a published standard from SAE International dealing with the development processes that support certification of aircraft systems. This ARP further recognizes the integration of DO-297, DO-178, and DO-254 into the guidelines for development and recognizes ARP5150/5151 as guidelines for in-service operation and maintenance.
  • ARP4761, Guidelines for Conducting the Safety Assessment Process on Civil Aircraft, Systems, and Equipment describes recommended processes for assessing safety for new aircraft and equipment design as well as significant changes to existing designs for compliance with the safety requirements of FAR 25.1309 and FAR 23.1309.[4]

Background

AC 25.1309–1 provides background for important concepts and issues within airplane system design and analysis.

Catastrophic failure condition rate

The circular provides a rationale for the upper limit for the Average Probability per Flight Hour for Catastrophic Failure Conditions of 1 × 10⁻⁹, or "Extremely Improbable".[5] Failure Conditions resulting in relatively more severe effects must be relatively less likely to occur; that is, an inverse relationship between severity and likelihood should be a safety objective of aviation system design.

Fail-Safe Design Concept

This AC presents the FAA Fail-Safe Design Concept, which applies basic objectives pertaining to failures:

  1. Failures of any system should be assumed for any given flight regardless of probability and such failures "should not prevent continued safe flight and landing" or otherwise significantly reduce safety.
  2. Subsequent failure during the same flight should also be assumed.

The AC lists design principles or techniques used to ensure a safe design. Usually, a combination of at least two safe design techniques is needed to provide a fail-safe design; i.e., to ensure that Major Failure Conditions are Remote, Hazardous Failure Conditions are Extremely Remote, and Catastrophic Failure Conditions are Extremely Improbable.

Safe Design Principles and Techniques
  • Designed Integrity and Quality
  • Redundancy or Backup Systems
  • Isolation and/or Segregation of Systems, Components, and Elements
  • Proven Reliability
  • Failure Warning or Indication
  • Flight Crew Procedures
  • Checkability
  • Designed Failure Effect Limits
  • Designed Failure Path
  • Margins or Factors of Safety
  • Error-Tolerance

Highly integrated systems

With the emergence of highly integrated systems that perform complex and interrelated functions, particularly through the use of electronic technology and software-based techniques (e.g., Integrated Modular Avionics (IMA)), concerns arose that the traditional, primarily quantitative, functional-level design and analysis techniques previously applied to simpler systems were no longer adequate. The AC therefore includes expanded, methodical approaches, both qualitative and quantitative, that consider the integration of the "whole airplane and its systems".[6]

Definitions and Classifications

A main task of AC 25.1309–1 is to provide standard definitions of terms (including hazard and probability classifications) for consistent use throughout the framework set up for the accomplishment of functional airplane safety. Where regulations (FAR) and standards (ARP) use terms such as failure condition and extremely improbable, AC 25.1309–1 defines their specific meanings, both quantitatively and qualitatively.[7] In this respect, AC 25.1309–1 is comparable to ISO 26262–1 (Vocabulary), at least with regard to the standards that depend on it. Key definitions include:

Error, Failures, and Failure Conditions
The re-introduction of Error to the AC recognizes the role of human error (in development, manufacture, operation, or maintenance) as a source of system failures, especially in complex and integrated avionics. The term Failure Conditions provides for a focus on the effects of a failure separate from the causes.
Classification of failure conditions by severity of effect
Catastrophic, Hazardous, Major, Minor, or No Safety Effect
A Catastrophic Failure condition is one "which would result in multiple fatalities, usually with the loss of the airplane.[8]"
Definition of Probability Terms
Extremely Improbable, Extremely Remote, Remote, or Probable
An Extremely Improbable failure condition is one so unlikely that it is not anticipated to occur during the entire operational life of all airplanes of one type. Quantitatively, these probability terms are defined as follows: Extremely Improbable (10⁻⁹ or less), Extremely Remote (10⁻⁷ or less), Remote (10⁻⁵ or less), Probable (more than 10⁻⁵).[9]

Safety objectives

Classified failure conditions are assigned qualitative and quantitative safety objectives, giving guidance to development and operation.

Quantitative safety objectives

The AC defines the acceptable safety level for equipment and systems as installed on the airplane and establishes an inverse relationship between Average Probability per Flight Hour and the severity of Failure Condition effects:

  1. Failure Conditions with No Safety Effect have no probability requirement.
  2. Minor Failure Conditions may be Probable.
  3. Major Failure Conditions must be no more frequent than Remote (average probability < 1 × 10⁻⁵ per flight hour).
  4. Hazardous Failure Conditions must be no more frequent than Extremely Remote.
  5. Catastrophic Failure Conditions must be Extremely Improbable (average probability < 1 × 10⁻⁹ per flight hour).

The safety objectives associated with Catastrophic Failure Conditions may be satisfied by demonstrating that:

  1. No single failure will result in a Catastrophic Failure Condition;
  2. Each Catastrophic Failure Condition is extremely improbable; and
  3. Significant latent failures are addressed in accordance with § 25.1309(b)(4) and § 25.1309(b)(5).[10]

Qualitative safety objectives

The failure conditions Catastrophic through No Safety Effect are assigned Functional and Item Design Assurance Levels (DAL) A, B, C, D, and E, respectively, with the concept that there is less tolerance for undiscovered design error in systems with more severe failure effects.[11] In this manner, the development of systems and components contributing to more severe effects is subject to increasingly rigorous assurance of effective prevention, detection, and removal of design error, with DAL A representing the most thorough assurance rigor.[12]

History

First released in 1982, AC 25.1309–1 has been revised to embody increasing experience in development of airplanes and to address the increasing integration and computerization of aircraft functions.

AC 25.1309–1 (original release)

Function criticality

AC 25.1309–1 recommended that a top-down analysis should identify each system function and evaluate its criticality, i.e., as non-essential, essential, or critical. The terms Error, Failure, and Failure Condition were defined. Functions were classified Critical, Essential, or Non-Essential according to the severity of the failure conditions they could contribute to, but the conditions themselves were not expressly classified. Failures of Critical, Essential, and Non-Essential functions were expected to be, respectively, Extremely Improbable (10⁻⁹ or less), Improbable (10⁻⁵ or less), or no worse than Probable (10⁻⁵).[13]

Qualitative methods

Previously, system safety analysis was quantitative; that is, it depended on evaluating the probability of system failures arising from physical faults of components. But with the increasing use of digital avionics (i.e., software) it was recognized that development error was a significant contributor to system failure, particularly human error at any stage of designing, implementing, and testing complex systems. During system certification in the late 1970s, it became clear that the classical statistical methods of safety assessment could not be effective for firmware- and software-based systems.[14] Existing quantitative methods could not predict system failure rates resulting from development errors. Qualitative methods were instead recommended for reducing specification, design, and implementation errors in the development of digital avionics.

The guidance of DO-178 (initial release) was recommended by AC 25.1309–1 for development of essential and critical functions implemented in software.[15]

AC 25.1309–1A

AC 25.1309–1A introduced the FAA Fail-Safe Design Concept to this Advisory Circular.[16] This revision also introduced recommended design principles or techniques in order to ensure a safe design.[17]

Classification of failure conditions by severity

The concept of function criticality was replaced with classification of failure conditions according to the severity of their effects (cf. probabilistic risk assessment). Failure conditions having Catastrophic, Major, or Minor effects were to have restricted likelihoods of, respectively, Extremely Improbable (10⁻⁹ or less), Improbable (10⁻⁵ or less), or no worse than Probable (10⁻⁵).[18]

Software was still considered to be assessed and controlled by other means; that is, by RTCA/DO-178A or later revision, via Advisory Circular AC 20-115A.[19]

In 2002, work was done on Revision B, but it was not formally released; the result is the Aviation Rulemaking Advisory Committee (ARAC)-recommended Revision B Arsenal Draft (2002).

AC 25.1309–1B–Arsenal Draft

In May 1996, the FAA Aviation Rulemaking Advisory Committee (ARAC) was tasked with a review of harmonized FAR/JAR 25.1309, AC 1309-1A, and related documents, and with considering a revision to AC 1309-1A incorporating recent practice, the increasingly complex integration between aircraft functions and the systems that implement them,[20] and the implications of new technology. This task was published in the Federal Register at 61 FR 26246-26247 (1996-05-24). The focus was to be on safety assessment and fault-tolerant critical systems.

In 2002, work was done on Revision B, but it was not formally released at that time. That year, the FAA provided a Notice of Proposed Rulemaking (NPRM) relevant to 14 CFR Part 25. Accompanying this notice was the "Draft ARSENAL Revised" of AC 1309–1.[21] Existing definitions and rules in § 25.1309 and related standards had posed certain problems to the certification of transport category airplanes. Said problems are discussed at length within the NPRM. The FAA proposed revisions to several related standards in order to eliminate such problems and to clarify the intent of these standards. In some proposed changes, definitions or conventions developed in previously released lower-level regulations or standards were adopted or revised within the Advisory Circular draft.[22]

The Arsenal Draft was "considered to exist as a relatively mature draft".[23] The FAA and EASA subsequently accepted proposals by type certificate applicants to use the Arsenal Draft on development programs.[23][24]

Boeing referenced the guidance of the Arsenal Draft in its 2004-2009 type certification program for the 787 Dreamliner.[25]

Refinement of failure condition classifications

Experience in applying the prior circulars and ARPs led to the division of the Major failure condition into two conditions (for example, Hazardous-severe/Major and Major).[26] This experience also recognized the existence of failure conditions that have no effect on safety, which could be so classified and thereby assigned no safety objectives. Catastrophic Failure Condition was previously defined as "any failure condition which would prevent continued safe flight and landing"; it is now defined as "failure conditions which would result in multiple fatalities, usually with the loss of the airplane".[8]

Extension of qualitative controls to aircraft functions

The FAA Fail-Safe Design Concept and the design principles or techniques for safe design are maintained. However, owing to the increasing development of Highly Integrated Systems in aircraft, qualitative controls previously considered necessary for safe software development are extended to the aircraft function level.[6] (Similar guidance, a functional safety framework, has been provided for highly integrated automotive systems through the 2011 release of ISO 26262.[27])

AC 25.1309–1B

Revision B was released in August 2024 in coordination with a number of rule changes addressing aircraft system safety. This release is a significant expansion, elaborating on the FAA's Fail-Safe Design Concept and crystallizing and harmonizing FAA system safety terminology, such as the intent of "Extremely Improbable."

Catastrophic Single Latent Failure Plus One

A particular matter in Revision B, which was the topic of a Notice of Proposed Rulemaking[28] completed in June 2024,[29] is the failure condition designated as Catastrophic Single Latent Failure Plus One (CSL+1). The established safety objective for catastrophic failure conditions, "No single failure will result in a Catastrophic Failure Condition," is now explicitly extended to undetected failures having either hazardous or catastrophic effects, now designated as "significant latent failures" (SLF). Applicants must now demonstrate that latent catastrophic failures are eliminated from their design to all practical extent and the residual risk of remaining latent failure is managed such that the "extremely improbable" requirement is maintained.[30]
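The following Python script is an added example, not text or tooling from the FAA, SAE or the AC, that screens a set of failure conditions against the quantitative safety objectives listed in the "Quantitative safety objectives" section (probability caps per severity, no single failure for Catastrophic conditions) and flags the CSL+1 pattern described above (a Catastrophic cut set made of exactly one latent and one evident failure). Each failure condition is modelled as a list of minimal cut sets of basic events; the per-flight-hour estimate uses a common ARP4761-style approximation (a latent failure is present for about half of its exposure interval, an evident failure must occur during the flight), which is an assumption of this example and is not stated in the AC. All names and rates are constructed for illustration.

```python
"""Screen failure conditions against AC 25.1309-1 style safety objectives
and flag Catastrophic Single Latent Failure Plus One (CSL+1) cut sets.

Added example; the cut-set model, the probability approximation and every
rate below are assumptions of the example, not material from the AC.
"""
from dataclasses import dataclass

# Upper limits on Average Probability per Flight Hour, as listed in the
# "Quantitative safety objectives" section.  None means no quantitative cap.
OBJECTIVE = {
    "Catastrophic": 1e-9,       # Extremely Improbable
    "Hazardous": 1e-7,          # Extremely Remote
    "Major": 1e-5,              # Remote
    "Minor": None,              # may be Probable
    "No Safety Effect": None,   # no probability requirement
}


@dataclass(frozen=True)
class BasicEvent:
    """One item failure.  'latent' marks a failure not evident to the flight
    crew; 'exposure_h' is the interval (flight hours) between the checks that
    would reveal it.  Rates are constructed values."""
    name: str
    rate: float                 # failures per flight hour
    latent: bool = False
    exposure_h: float = 0.0


@dataclass
class FailureCondition:
    name: str
    severity: str               # key of OBJECTIVE
    cut_sets: list              # list of frozenset[BasicEvent], each minimal


def cut_set_probability(cut, flight_h):
    """Approximate average probability per flight hour that every event in a
    minimal cut set is present at once.

    Assumption (ARP4761-style approximation, not stated in the AC): an evident
    failure must occur during the flight and contributes rate * flight_h; a
    latent failure is present, on average, for half of its exposure interval
    and contributes rate * exposure_h / 2.  Dividing the per-flight product by
    the flight duration yields a per-flight-hour figure.
    """
    per_flight = 1.0
    for ev in cut:
        if ev.latent:
            per_flight *= ev.rate * ev.exposure_h / 2
        else:
            per_flight *= ev.rate * flight_h
    return per_flight / flight_h


def evaluate(fc, flight_h):
    """Return the probability estimate and the objective checks for one
    failure condition.  The single-failure and CSL+1 checks apply only to
    Catastrophic conditions; CSL+1 is a cut set of exactly one latent and one
    evident failure."""
    prob = sum(cut_set_probability(c, flight_h) for c in fc.cut_sets)  # rare-event sum
    limit = OBJECTIVE[fc.severity]
    result = {
        "name": fc.name,
        "probability_per_fh": prob,
        "meets_quantitative_objective": None if limit is None else prob <= limit,
        "single_failures": [],
        "csl_plus_one": [],
    }
    if fc.severity == "Catastrophic":
        for c in fc.cut_sets:
            names = sorted(e.name for e in c)
            if len(c) == 1:
                result["single_failures"].append(names)
            elif len(c) == 2 and sum(e.latent for e in c) == 1:
                result["csl_plus_one"].append(names)
    return result


# Constructed sample: an interlock that must not release in flight.
FLIGHT_H = 2.0  # assumed average flight duration, hours
interlock_a = BasicEvent("interlock A jammed open (latent)", 5e-6, latent=True, exposure_h=5000)
interlock_c = BasicEvent("interlock C jammed open (latent)", 5e-6, latent=True, exposure_h=5000)
spurious_cmd = BasicEvent("spurious release command (evident)", 1e-6)
display_fault = BasicEvent("primary display blank (evident)", 2e-6)

# Two-interlock design: one latent failure plus one evident failure suffices (CSL+1).
dual = FailureCondition("unintended release, two interlocks", "Catastrophic",
                        [frozenset({interlock_a, spurious_cmd})])
# An independent third interlock turns the dual failure into a triple failure.
triple = FailureCondition("unintended release, three interlocks", "Catastrophic",
                          [frozenset({interlock_a, interlock_c, spurious_cmd})])
# A Major condition may be caused by a single failure; only its rate is capped.
display = FailureCondition("loss of primary display", "Major",
                           [frozenset({display_fault})])

if __name__ == "__main__":
    for fc in (dual, triple, display):
        r = evaluate(fc, FLIGHT_H)
        print(f"{r['name']}: {r['probability_per_fh']:.2e}/FH, "
              f"objective met={r['meets_quantitative_objective']}, "
              f"single={r['single_failures']}, CSL+1={r['csl_plus_one']}")
```

With the constructed rates the two-interlock design is flagged as CSL+1 and estimated at 1.25 × 10⁻⁸ per flight hour, above the Catastrophic cap; the three-interlock design has no order-2 cut set and estimates at about 1.6 × 10⁻¹⁰, within the cap. The numbers only illustrate the mechanics; a real assessment derives cut sets from the fault tree and rates from qualified data, and a CSL+1 that cannot be eliminated still needs the additional controls the rule describes.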

References

  1. Marc Ronell (November 18–20, 2020). "Discussion of aviation software oversight improvement". Proceedings of the 2020 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software. p. 127. doi:10.1145/3426428.3426926. ISBN 978-1-4503-8178-9. Retrieved 2024-12-03. "Regulation 1309 similarly requires equipment, systems, and installations to perform their intended function under foreseeable operating conditions."
  2. "Software Certification". Aviation Today. October 31, 2005. Retrieved 2014-03-31.
  3. Spitzer, p. 7-9.
  4. Jolan Eduardo Berquó (2013-06-04). "SAE ARP 4761: Excellence in Procedure for Safety Assessment" (PDF). Improve Your Knowledge (IYK) (37): 2. Retrieved 2024-12-09.
  5. AC 25.1309–1B, 2024, p. 5-6, "3.2.4.1 Intent of the Term Extremely Improbable."
  6. AC 25.1309–1B–Arsenal Draft, p. 7.
  7. AC 25.1309–1B, pp. 3-1 through 3-3.
  8. AC 25.1309–1B–Arsenal Draft, p. 8.
  9. AC 25.1309–1B, p. 3-4.
  10. AC 25.1309–1B, 2024, p. 4-3, "4.3 Safety Objectives for Catastrophic Failure Conditions."
  11. ARP4754A, Guidelines for Development of Civil Aircraft and Systems, SAE Aerospace, December 2010, p. 38.
  12. Cary Spitzer, Uma Ferrell, Thomas Ferrell, Digital Avionics Handbook, 3rd ed., CRC Press, Boca Raton, FL, 2015, p. 10-2. "Therefore, in order to show compliance to "1309" for systemic failures, processes are applied to the aircraft, system, equipment, and software/AEH development to provide some assurance that errors have been minimized to a required level of rigor."
  13. AC 25.1309–1, 1982, p. 3-5.
  14. Johnson, Leslie A. (Schad). "DO-178B, Software Considerations in Airborne Systems and Equipment Certification". Seattle, Washington: Flight Systems, Boeing Commercial Airplane Group.
  15. AC 25.1309–1, p. 9.
  16. AC 25.1309–1A, 1988, p. 2.
  17. AC 25.1309–1A, p. 3.
  18. AC 25.1309–1A, pp. 4, 5, 7, 13-15.
  19. AC 25.1309–1A, p. 7.
  20. ARP4754A, p. 7.
  21. Revised General Function and Installation Requirements for Equipment, Systems, and Installations on Transport Category Airplanes, Notice of Proposed Rulemaking, Draft R6X Phase 1, June 2002, also known as the Arsenal Draft of AC 25.1309-1B. Archived 2014-04-13 at the Wayback Machine.
  22. AC 25.1309–1B Arsenal Draft (archived 2014-04-13 at the Wayback Machine), 2002, p. 5-6.
  23. Spitzer, Cary R., ed., Digital Avionics Handbook, 2nd ed., Avionics: Development and Implementation, CRC Press, Boca Raton, FL, 2007, p. 7-9.
  24. AC 25-19A, Certification Maintenance Requirements, 2011, p. 2. Archived 2014-04-13 at the Wayback Machine.
  25. "Auxiliary Power Unit Battery Fire: Japan Airlines Boeing 787-8, JA829J" (PDF). Aircraft Incident Report (AIR-14/01). National Transportation Safety Board. November 21, 2014. Retrieved 2022-05-18. "Boeing indicated in certification documents that it used a version of FAA Advisory Circular (AC) 25.1309, "System Design and Analysis" (referred to as the Arsenal draft), as guidance during the 787 certification program. However, the analysis that Boeing presented in its EPS safety assessment did not appear to be consistent with the guidance in the AC." See 2013 Boeing 787 Dreamliner grounding.
  26. RTCA/DO-178B (subsequently DO-178C), Software Considerations in Airborne Systems and Equipment Certification, Radio Technical Commission for Aeronautics, December 1, 1992, p. 7.
  27. Beeby, Martin, DO-178C: the future of Avionics Certification, atego HighRely, pp. 6–7.
  28. Federal Aviation Administration (FAA) (December 8, 2022). "Docket No.: FAA–2022–1544; System Safety Assessments; Unified Agenda". Federal Register. 87 (235). Retrieved 2024-12-06.
  29. "Rulemaking Docket: System Safety Assessments". Regulations.gov. Retrieved 2024-12-06.
  30. "System Safety Assessments: A Rule by the Federal Aviation Administration". Federal Register. 2024-08-27. Retrieved 2024-12-06. "A "CSL+1 (Catastrophic Single Latent Plus One)" refers to a catastrophic failure condition caused by a single latent failure and an active (evident) failure. Section 25.1309(b)(5)(i), adopted as proposed, is similar to § 25.1309(b)(4) in that it also requires the dual failure to be eliminated if practical. An example is an AD action that eliminated the CSL+1 dual failure that caused the catastrophic Lauda Air Flight 004 (1994); the AD required that a third lock be added to the thrust reverser system. This change converted the dual failure condition to a triple failure condition and removed the airplane from a situation where it was one failure away from a catastrophic accident. If the dual failure condition cannot be eliminated, additional control is appropriate beyond the traditional "extremely improbable" (average risk) requirement applied to a combination of failures." [See also 2. Revise Nonregulatory Definitions.]