Sometimes it is taken for granted what your aircraft has gone through to be considered a "safe" machine. A systems safety approach is incorporated from the design concept all the way to the retirement phase. This approach includes the expertise of many specialists from a variety of disciplines. Engineers play a major role in the development of the aircraft, but one of the newer specialties involves human factors people. HF people could be considered a link between the design engineers and the pilots. In other words, the engineers know that the flap indicator is required and so do the pilots. But the question is "how can we design this indicator to give easy-to-read and unambiguous information at the proper location in the cockpit?" This is where human factors come in. The FAA defines human factors as "a multidisciplinary field devoted to optimizing human performance and reducing human error."

            FAA Advisory Circular 25.1309-1A addresses System Design and Analysis for transport category aircraft. Federal Aviation Regulations (FAR) Part 25 postulates the criteria for system safety standards on transport category aircraft. An understanding of Advisory Circular 25.1309-1A would be appropriate at this time.

            System Safety Design and Analysis deals with the "big picture," compared to specific systems that will be defined in Part 25. The analysis deals with "what if" scenarios and their outcomes based on probability/consequence. Highlights of AC 25.1309-1A include:

• Purpose: Compliance guideline procedures.
• Applicability: Provides a logical and acceptable inverse relationship between the probability and the severity of each failure condition and requires that compliance be shown primarily by analysis.
• Background: the Part 25 airworthiness standards are based on the fail-safe design concept that has evolved over the years. In recent years, there has been an increase in the degree of system complexity and integration, and in the number of safety-critical functions performed by systems. Difficulties had been experienced in assessing the hazards that could result from failures of such systems, or adverse interactions among them. These difficulties led to the use of structured means for showing compliance.
• THE FAA FAIL-SAFE DESIGN CONCEPT: The Part 25 airworthiness standards are based on, and incorporate, the objectives, and principles or techniques, of the fail-safe design concept, which considers the effects of failures and combinations of failures in defining a safe design. The following basic objectives pertaining to failures apply:

a)      In any system or subsystem, the failure of any single element, component, or connection during any one flight (brake release through ground deceleration to stop) should be assumed, regardless of its probability. Such single failures should not prevent continued safe flight and landing, or significantly reduce the capability of the airplane or the ability of the crew to cope with the resulting failure conditions.

b)      Subsequent failures during the same flight, whether detected or latent, and combinations thereof, should also be assumed, unless their joint probability with the first failure is shown to be extremely improbable.

The fail-safe design concept uses the following design principles or techniques in order to ensure a safe design. The use of only one of these principles or techniques is seldom adequate. A combination of two or more is usually needed to provide a fail-safe design; i.e., to ensure that major failure conditions are improbable and that catastrophic failure conditions are extremely improbable.

A.     Designed Integrity and Quality, including Life Limits, to ensure intended function and prevent failures.

B.     Redundancy or Backup Systems, to enable continued function after any single (or other defined number of) failures(s); e.g., two or more engines, hydraulic systems, flight control systems, etc.

C.     Isolation of Systems, Components, and Elements, so that the failure of one does not cause the failure of another. Isolation is also termed independence.

D.     Proven Reliability, so that multiple, independent failures are unlikely to occur during the same flight.

E.      Failure Warning or Indication to provide detection.

F.      Flightcrew Procedures for use after failure detection, to enable continued safe flight and landing by specifying crew corrective action.

G.     Checkability: The capability to check a component's condition.

H.     Designed Failure Effects Limits, including the capability to sustain damage, to limit the safety impact or effects of a failure.

I.        Designed Failure Path to control and direct the effects of a failure in a way that limits its safety impact.

J.       Margins or Factors of Safety to allow for any undefined or unforeseeable adverse conditions.

K.    Error-Tolerance that considers adverse effects of foreseeable errors during the airplane's design, test, manufacture, operation, and maintenance.

The probability that a failure condition would occur may be assessed as probable, improbable, or extremely improbable. Each failure condition should have a probability that is inversely-related to its severity. The Probability vs. Consequence Graph below illustrates this relationship.

1.      Minor failure conditions may be probable.

2.      Major failure conditions must be improbable.

3.      Catastrophic failure conditions must be extremely improbable.

Acceptable numerical probability ranges for each flight-hour, based on a flight of mean duration for the airplane type

• Probable failure conditions are those having a probability greater than on the order of 1 X 10 ^-5

• Improbable failure conditions are those having a probability on the order of 1 X 10 ^-5 or less, but greater than that on the order of 1 X 10 ^-9

• Extremely improbable failure conditions are those having a probability on the order of 1 X 10 ^-9 or less.

A Functional Hazard Assessment (FHA) is a typical preliminary step to identify and classify potentially hazardous failure conditions, and to describe them in functional and operational terms. An FHA is qualitative and is conducted using experienced engineering and operational judgment.

a)      Analysis of Minor Failure Conditions. An analysis should consider the effects of system failures on other systems or their functions.

b)      Analysis of Major Failure Conditions. Major failure conditions must be shown to be improbable.

c)      Analysis of Catastrophic Failure Conditions. Catastrophic failure conditions must be shown to be extremely improbable. A very thorough safety assessment is necessary.

d)      Operational or Environmental Conditions. A probability of one should usually be used for encountering a discrete condition for which the airplane is designed, such as instrument meteorological conditions or Category III weather operations.

e)      Latent Failures. A latent failure is one which is inherently undetected when it occurs. A significant latent failure is one which would, in combination with one or more other specific failures or events, result in a hazardous failure condition.

f)        Acceptable Means of Compliance. Warning information must be provided to alert the crew to unsafe system operating conditions, and to enable them to take appropriate corrective action. It also requires that systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards.

Flight with equipment or functions inoperative

An applicant for certification may elect to develop a list of equipment and functions which need not be operative for safe flight and landing, based on stated compensating precautions that should be taken; e.g., operational or time limitations, or flightcrew or groundcrew checks. The documents used to show compliance, together with any other relevant information, should be considered in the development of this list, which then becomes the basis for a Master Minimum Equipment List (MMEL).  Experienced engineering and operational judgment should be applied during the development of the MMEL.

Let's now take a look at the specific FAA Part 25 requirements and how they are complied with for the Learjet aircraft. For the purpose of this paper, the Learjet 35A will be used to exemplify a typical jet aircraft certification process. Although there are many subtle differences amongst Part 25 (transport category) aircraft, the certification requirements are essentially the same. Due to the large amount of information available, only a sampling of major systems will be addressed. Continue =>

BACK