This document discusses the development of aircraft systems taking into account the overall aircraft operating
environment and functions. This includes validation of requirements and verification of the design implementation for
certification and product assurance. It provides practices for showing compliance with the regulations and serves to
assist a company in developing and meeting its own internal standards by considering the guidelines herein.
The guidelines in this document were developed in the context of Title 14 Code of Federal Regulations (14CFR) Part 25
and European Aviation Safety Agency (EASA) Certification Specification (CS) CS-25. It may be applicable to other
regulations, such as Parts 23, 27, 29, 33, and 35 (CS-23, CS-27, CS-29, CS-E, CS-P).
This document addresses the development cycle for aircraft and systems that implement aircraft functions. It does not
include specific coverage of detailed software or electronic hardware development, safety assessment processes,
in-service safety activities, or aircraft structural development, nor does it address the development of the Master Minimum
Equipment List (MMEL) or Configuration Deviation List (CDL). More detailed coverage of the software aspects of
development is found in RTCA document DO-178B, “Software Considerations in Airborne Systems and Equipment
Certification” and its EUROCAE counterpart, ED-12B. Coverage of electronic hardware aspects of development is
found in RTCA document DO-254/EUROCAE ED-80, “Design Assurance Guidance for Airborne Electronic Hardware”.
Design guidance and certification considerations for integrated modular avionics are found in appropriate
RTCA/EUROCAE document DO-297/ED-124. Methodologies for safety assessment processes are outlined in SAE
document ARP4761, “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems
and Equipment”. Details for in-service safety assessment are found in ARP5150, “Safety Assessment of Transport
Airplanes In Commercial Service” and ARP5151, “Safety Assessment of General Aviation Airplanes and Rotorcraft In
Commercial Service.” Post-certification activities (modification to a certificated product) are covered in section 6 of this
document. The regulations and processes used to develop and approve the MMEL vary throughout the world. Guidance
for the development of the MMEL should be sought from the local airworthiness authority.
Figure 1 outlines the relationships between the various development documents, which provide guidelines for safety
assessment, electronic hardware and software life-cycle processes and the system development process described
1.1 Purpose
The guidelines herein are directed toward systems that support aircraft-level functions and have failure modes with the
potential to affect the safety of the aircraft. Typically, these systems involve significant interactions with other systems in
a larger integrated environment. Frequently, significant elements of these systems are developed by separate
individuals, groups or organizations. These systems require added design discipline and development structure to ensure
that safety and operational requirements can be fully realized and substantiated. A top down iterative approach from
aircraft level downwards is key to initiating the processes outlined herein.
The contents are recommended practices and should not be construed to be regulatory requirements. For this reason,
the use of words such as “shall” and “must” is avoided except if used in the context of an example. It is recognized that
alternative methods to the processes described or referenced in this document may be available to an organization
desiring to obtain certification.
This document provides neither guidelines concerning the structure of an individual organization nor how the
responsibilities for certification activities are divided. No such guidance should be inferred from the descriptions provided.
1.2 Document Background:
During development of Revision B to RTCA/EUROCAE document DO-178/ED-12, it became apparent that system-level
information would be required as input to the software development process. Since many system-level decisions are
fundamental to the safety and functional aspects of aircraft systems, regulatory involvement in the processes and results
relating to such decisions is both necessary and appropriate.
This document was originally developed in response to a request from the FAA to SAE. The FAA requested that SAE
define the appropriate nature and scope of system-level information for demonstrating regulatory compliance for
highly-integrated or complex avionic systems. The Systems Integration Requirements Task group (SIRT) was formed to
develop an ARP that would address this need.
The initial members of SIRT recognized that harmonization of international understanding in this undertaking was highly
desirable and encouraged participation by both Federal Aviation Administration (FAA) and Joint Aviation Authorities (JAA)
representatives. A companion working group was formed under EUROCAE, WG-42, to coordinate European input to the
SIRT group. The task group included people with direct experience in design and support of large commercial aircraft,
commuter aircraft, commercial and general aviation avionics, jet engines, and engine controls. Regulatory personnel with
a variety of backgrounds and interests participated in the work of the task group. Both formal and informal links with
RTCA special committees (SC-167 and SC-180) and SAE committee (S-18) were established and maintained.
Communication with the harmonization working group addressing 14CFR/CS 25.1309 was maintained throughout
development of this document.
Throughout development of this document, discussion returned repeatedly to the issue of guideline specificity. Strong
arguments were presented in favor of providing a list of very specific certification steps, i.e. a checklist. Equally strong
arguments were made that the guidelines should focus on fundamental issues, allowing the applicant and the certification
authority to tailor details to the specific system. It was recognized that in either case certification of all but the most
idealized systems would require significant engineering judgment by both parties. The quality of those judgments is
served best by a common understanding of, and attention to, fundamental principles. The decision to follow this course
was supported by several other factors: the variety of potential systems applications, the rapid development of systems
engineering, and industry experience with the evolving guidance contained in DO-178, DO-178A/ED-12A and
DO-178B/ED-12B being particularly significant.
The current trend in system design is an increasing level of integration between aircraft functions and the systems that
implement them. While there can be considerable value gained when integrating systems with other systems, the increased
complexity yields increased possibilities for errors, particularly with functions that are performed jointly across multiple systems.
Following the Aviation Rulemaking Advisory Committee (ARAC) recommendations to respond to this increased integration,
which referenced ARP4754/ED-79 in advisory materials for compliance to 14CFR/CS 23.1309 (see AC23.1309-1D, issued in
2009) and 25.1309 (see AMC 25.1309, published in 2003, and AC25.1309-Arsenal draft), the use of ARP4754/ED-79 in
aircraft certification has become increasingly widespread. Along with the increasing use, in particular Section 5.4 Assignment
of Development Assurance Levels in the original ARP4754, come insights on the strengths and weaknesses of its guidelines.
The underlying philosophy is succinctly represented in the original section 5.4 of ARP4754 as follows:
“If the PSSA shows that the system architecture provides containment for the effects of design errors, so that the aircraft-
level effects of such errors are sufficiently benign, the development assurance activities can be conducted at a reduced
level of process rigor for the system items wholly within the architectural containment boundary.”
Experience has shown that the processes and definitions used to determine containment have yielded different
interpretation and application of the philosophy. Improvement to the development assurance level assignment process is
one of the main features of this revision by providing a methodology to assign the correct development assurance levels.
When the original ARP 4754/ED-79 was published in 1996, the SIRT and WG-42 groups were dissolved. When the
document came due for revision, a group with sufficient expertise at the aircraft level was required to address this work. The
SAE S-18 Airplane Safety Committee was chosen because of their familiarity with the original document and the close
association of the documents they develop and this ARP. Several S-18 committee members were on the SIRT group that
developed the original ARP4754 document. At the same time, EUROCAE chartered a Working Group to update ED-79.
WG-63 incorporated members from the original WG-42 working group, as well as representatives from a wide range of
industrial and academic participants in the European Aerospace industry. Keeping to the Memorandum of Understanding for
this document, WG-63 worked alongside S-18 to ensure that ED-79A is word-for-word equivalent to ARP4754A.
Revision A contains updates to the document that take into account the evolution of the industry over the intervening years.
The relationship between ARP 4754/ED-79 and ARP 4761, and their relationship with DO-178B/ED-12B and DO-254/ED-80
are strengthened and discrepancies between the documents are identified and addressed. Revision A also expands the
design assurance concept for application at the aircraft and system level and standardizes on the use of the term
development assurance. As a consequence, for aircraft and systems Functional Development Assurance Level (FDAL) is
introduced and the term design assurance level has been renamed Item Development Assurance Level (IDAL). Also
included are enhancements created by feedback from the industry since the first publication. In addition, S-18 / WG-63
coordinated this revision effort with RTCA Special Committee 205 (SC-205) / EUROCAE WG-71 to ensure that the
terminology and approach being used are consistent with those being developed for the update to DO-178B / ED-12B.