7987d275a1b1a786f47bd552706efb42.ppt
- Number of slides: 146
SYSTEM SAFETY ASSESSMENT PROCESS COMPLEMENTARY RCE TRAINING: THE "SYSTEM SAFETY ASSESSMENT" PROCESS CTA (CENTRO TÉCNICO AEROESPACIAL) BRAZILIAN AERONAUTICAL CERTIFICATION DIVISION 26 OCTOBER 2004 1
OBJECTIVE: To comment on the System Safety Assessment process in the certification of transport aircraft (from the certification authority's perspective).
OBJECTIVE: TO LEAVE THE FOLLOWING MESSAGE: THE CERTIFICATION AUTHORITY MUST UNDERSTAND SYSTEM SAFETY AS A SUBJECT FAR BROADER THAN COMPLIANCE WITH REQUIREMENTS. EVER-GREATER SUPPORT FROM THE RCE IS ESSENTIAL.
HOW TO ENSURE SAFETY?
THIS IS NOT A LECTURE BUT AN EXCHANGE OF IDEAS. COMMENTS ARE VERY WELCOME.
OVERVIEW:
1 General considerations
2 System Safety Assessment
3 Ongoing Safety Assessment
4 Safety objectives
5 Reliability engineering
6 SSA: a new approach
7 ARP 4754
8 Specific risk
REFERENCES:
1 ARP 4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
2 ARP 4754: Certification Considerations for Highly-Integrated or Complex Aircraft Systems
3 ARP 5150: Safety Assessment of Transport Airplanes in Commercial Service
4 RTCA/DO-178: Software Considerations in Airborne Systems and Equipment Certification
5 RTCA/DO-254: Design Assurance Guidance for Airborne Electronic Hardware
6 CERTIFICATION BASIS: ERJ 170/190
General Considerations
A system is an aggregate of organizations, people, infrastructure, equipment, procedures, rules and information used to ensure that the product or service fulfils its expected function.
Safety: Freedom from unacceptable risk.
SYSTEM SAFETY: The application of engineering and management principles, criteria, and techniques to optimize all aspects of safety within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle. (MIL-STD-882C, Standard Practice for System Safety, 3.2.18)
SYSTEM SAFETY ENGINEERING: An engineering discipline requiring specialized professional knowledge and skills applying scientific and engineering principles, criteria, and techniques to identify and eliminate hazards, in order to reduce the associated risk. (MIL-STD-882C, 3.2.20)
SYSTEM SAFETY MANAGEMENT: A management discipline that defines the system safety program requirements and ensures the planning, implementation, and accomplishment of system safety tasks and activities consistent with the overall program requirements. (MIL-STD-882C, 3.2.22)
SYSTEM SAFETY PROGRAM: The combined tasks and activities of system safety management and system safety engineering implemented by acquisition project managers. (MIL-STD-882C, 3.2.24)
SYSTEM SAFETY MANAGEMENT DECISION-MAKING PROCESS: How much does it cost? Is it safe?
SYSTEM SAFETY
SAFETY MANAGEMENT: "The goals of system safety can be achieved only with the support of management: a sincere commitment to safety by management is perhaps the most important factor in achieving it." An Air Force study of system safety concluded: "Air Force top management support of system safety has not gone unnoticed by contractors (...). An example of how this result was accomplished was the B-1B program, in which the Program Manager or Deputy Manager chaired the meetings of the group where safety decisions were made."
SAFETY MANAGEMENT: SYSTEM SAFETY AND ITS PLACE IN THE ORGANIZATIONAL STRUCTURE
SAFETY MANAGEMENT (organization chart; boxes recovered from the slide): Project engineering, Operations, Quality assurance, System safety, Manufacturing, Contracting, Industrial safety, Reliability engineering. System safety needs direct communication paths to most parts of the organization.
MISSION at the centre of the diagram, surrounded by Man, Machine, Medium, Management and Money.
SYSTEM SAFETY ASSESSMENT
SYSTEM SAFETY ASSESSMENT: The complete process applied during the design of the system to establish safety objectives and to demonstrate compliance with RBHA/FAR/JAA 25.1309 and other safety-related requirements. (ARP 4761)
THE SSA PROCESS IN A NUTSHELL (process diagram; labels recovered from the slide): Cert. Plan and CCD (requirements); FHA; criticality validation; Aircraft Systems (including Flight Controls and propulsion); Software and complex hardware, with the SW/complex HW certification process; HIRF/Lightning, with the HIRF/Lightning certification process; cascade failure propagation (CMA); SA; FFS, A/C, SITS, FTs; performance and flight dynamics analysis and testing (actual A/C, Iron Bird, SITS, Electric Rig); dormant faults (1309 § 9.c.(6), P < 10E-3 for flight controls).
FHA: Identification of all failure conditions, together with the rationale for their classification. The output of the FHA is used as the starting point for conducting the PSSA.
PSSA: A systematic examination of the proposed system architectures to determine how they can cause the functional hazards identified in the FHA and fail to meet the Safety Objectives. Its objective is to establish safety requirements for systems, items and HW/SW (it is carried out in multiple stages).
FHA
Relationship between FHA, FTA and FMEA. CONCEPT AND ARCHITECTURE (top-down): Aircraft FHA: Loss of deceleration capability. Aircraft FTA: Loss of deceleration capability, with the contributors Loss of thrust reverser, Loss of effective wheel braking (Loss of wheel braking) and Loss of speed brakes on a wet runway.
SSA: A systematic, comprehensive evaluation of the implemented systems to show that the Safety Objectives of the FHA and the Safety Requirements derived from the PSSA are met. The SSA is based on the FTAs of the PSSA and uses quantitative values obtained from the FMEAs. It also includes the results of the CCAs.
Relationship between FHA, FTA and FMEA. PRELIMINARY DESIGN (top-down): System FHAs: Landing gear, Hydraulic, Electric, Braking: LOSS OF WHEEL BRAKING. System PFTAs (Electric, Hydraulic, Braking system): Loss of wheel braking, with the contributors Loss of normal braking and Loss of alternate braking.
Relationship between FHA, FTA and FMEA (full diagram; labels recovered from the slide).
CONCEPT AND ARCHITECTURE (top-down): Aircraft FHA: Loss of deceleration capability. Aircraft FTA: Loss of deceleration capability, with the contributors Loss of thrust reverser, Loss of effective wheel braking (Loss of wheel braking) and Loss of speed brakes on a wet runway.
PRELIMINARY DESIGN (top-down): System FHAs: Landing gear, Hydraulic, Electric, Braking, Pneumatic: LOSS OF WHEEL BRAKING. System PFTAs (Electric, Hydraulic, Braking system): Loss of wheel braking, with the contributors Loss of normal braking and Loss of alternate braking.
DETAILED DESIGN (bottom-up, quantitative): Component FMEAs: Accumulator, Brake metering valve, Anti-skid computer, Brake control valve. Systems FMEAs: Pneumatic, Electric, Hydraulic, Braking. Final SSA FTAs: Loss of wheel braking, with the contributors Loss of normal braking and Loss of alternate braking. The final SSA closes the loop.
Design process: system concept (figure).
FAULT TREE ANALYSIS: A method widely used in the aerospace, electronics and nuclear industries. Originally developed in 1961 to evaluate the "Minuteman Launch Control System". Three top events were considered: inadvertent (unexpected) launch, accidental engine ignition, and launch failure.
ARP 4761: GUIDELINES AND METHODS FOR CONDUCTING THE SAFETY ASSESSMENT PROCESS ON CIVIL AIRBORNE SYSTEMS AND EQUIPMENT. Analysis methods used in SSA:
• Fault Tree Analysis / Dependence Diagrams / Markov Analysis (FT/DD/MA)
• Failure Mode and Effect Analysis (FMEA)
• Failure Mode and Effect Summary (FMES)
• Common Cause Analysis (CCA): Zonal Safety Analysis (ZSA), Particular Risk Analysis (PRA), Common Mode Analysis (CMA)
FAULT TREE ANALYSIS. TOP EVENT (T): "no flow of water to reactor". Basic events: A = "pump 1 fails to run"; B = "pump 2 fails to run"; C = "valve V fails closed". MINIMAL CUT SETS: the smallest combination of failures that, if they occur, will cause the top event to occur. Minimal cut sets of this tree: 1) C (single component); 2) A.B (two components).
ONGOING SAFETY ASSESSMENT
HOW TO ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. ARP 4761: QUANTITATIVE METHODS (required for Hazardous and Catastrophic failure conditions): Fault Tree Analysis (FTA); Dependence Diagrams (DD); Markov Analysis (MA) (not covered in this course); Failure Modes and Effects Analysis (FMEA). This publication does not cover important aspects of reliability engineering, such as reliability modelling and prediction ("Reliability Prediction").
HOW TO ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION: Quality control; sampling theory, statistics.
HOW TO ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION: Maintainability and availability theory; incorporation of maintenance requirements into the design; ARP 5150: Safety Assessment of Transport Airplanes in Commercial Service.
HOW TO ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. ARP 5150: Safety Assessment of Transport Airplanes in Commercial Service: Guidelines, methods and tools used to perform the ongoing safety assessment process, intended to support an overall safety management program. Addresses the "Is it safe?" part of safety management. Provides a systematic process to measure and monitor safety to help determine safety priorities and focus available resources in areas that offer the greatest potential to improve aviation safety. A compendium of best safety practices gathered together as a reference.
HOW TO ENSURE SAFETY? DESIGN, MANUFACTURING, OPERATION. ONGOING SAFETY ASSESSMENT PROCESS: Safety Assessment is the monitoring, identification, assessment and prioritization, according to hazard level and probability of occurrence, of the risks associated with operations in a company. A process dedicated to assuring that risk is identified and managed properly within established limits; a process of identifying, estimating and prioritizing each risk; assessment of accident and injury, and determining if action should be considered.
ONGOING SAFETY ASSESSMENT PROCESS: 1 ESTABLISH MONITOR PARAMETERS; 2 MONITOR FOR EVENTS; 3 ASSESS EVENT & RISK; 4 DEVELOP ACTION PLAN; 5 DISPOSITION ACTION PLAN.
ONGOING SAFETY ASSESSMENT PROCESS, with the ARP 5150 appendices as grouped on the slide:
1 ESTABLISH MONITOR PARAMETERS, 2 MONITOR FOR EVENTS, 3 ASSESS EVENT & RISK: Appendix O Lessons Learned; Appendix B Data Sources and Programs; Appendix I Flight Operational Quality Assurance (FOQA); Appendix J Maintenance Error Decision Aid (MEDA).
4 DEVELOP ACTION PLAN: Appendix A Safety Significant Event Reference Lists; Appendix C Qualitative Risk Assessment; Appendix D Quantitative Risk Assessment; Appendix E Root Cause (Event Tree) Analysis; Appendix F Weibull Analysis; Appendix G Monte Carlo Analysis; Appendix H Reliability Growth Modeling; Appendix N Hazard Tracking.
5 DISPOSITION ACTION PLAN: Appendix K Operator Service Bulletin Process; Appendix L Manufacturer Service Bulletin Process; Appendix M Airworthiness Directive Development Process.
QUANTITATIVE METHODS: "When conducting quantitative FT/DD/MA, the probabilities are estimated from the failure rates and exposure times of the events. Probability calculations for civil aircraft certifications are based on the probabilities calculated for all the aircraft of the same type. For the purpose of these analyses, the failure rates are usually assumed to be constant over time and are estimates of mature failure rates after infant mortality and prior to wear-out. If wear-out or infant mortality is a consideration then other methods would need to be employed, for example life limitations or enhanced burn-in. Failing that, other distributions (e.g. Weibull) have to be applied or Monte Carlo simulation could be used. But this is beyond the scope of this document. The analysis should calculate the average probability of occurrence per flight hour for the failure condition assuming a typical flight of average duration and considering the appropriate exposure and at-risk times." (ARP 4761)
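A worked example, added here and not part of the original slides, of the quantitative fault-tree evaluation the ARP 4761 passage describes, applied to the pump/valve tree from the FAULT TREE ANALYSIS slide (T = C OR (A AND B)): it derives the minimal cut sets, turns constant failure rates and exposure times into event probabilities with the exponential law, sums the cut sets under the rare-event approximation, and divides by the flight duration to obtain the average probability per flight hour. The failure rates, the 2-hour flight and the 1000-hour check interval for a latent pump failure are constructed values, not taken from the slides.

```python
import math
from itertools import product

# Fault tree from the page's FAULT TREE ANALYSIS slide:
#   T = "no flow of water to reactor" = OR( C, AND(A, B) )
#   A = "pump 1 fails to run", B = "pump 2 fails to run", C = "valve V fails closed"
# Gates are tuples ("OR", ...) / ("AND", ...); leaves are basic-event names.
TREE = ("OR", "C", ("AND", "A", "B"))

# Constructed data (not from the slides): constant failure rates per hour and the
# exposure time of each basic event. An active (monitored) failure is exposed for
# one flight; a latent (dormant) failure is exposed for its whole check interval.
FLIGHT_HOURS = 2.0
CHECK_INTERVAL_HOURS = 1000.0
RATES = {"A": 1e-4, "B": 1e-4, "C": 1e-7}
ACTIVE_EXPOSURE = {"A": FLIGHT_HOURS, "B": FLIGHT_HOURS, "C": FLIGHT_HOURS}
LATENT_B_EXPOSURE = {"A": FLIGHT_HOURS, "B": CHECK_INTERVAL_HOURS, "C": FLIGHT_HOURS}


def minimize(cut_sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in cut_sets if not any(o < s for o in cut_sets)}


def minimal_cut_sets(node):
    """Minimal cut sets of a tree, as a set of frozensets of basic-event names."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    families = [minimal_cut_sets(c) for c in children]
    if gate == "OR":        # any one child's cut set fails the gate
        combined = set().union(*families)
    elif gate == "AND":     # one cut set from every child must occur together
        combined = {frozenset().union(*combo) for combo in product(*families)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def event_probability(rate, exposure_hours):
    """Probability of failure within the exposure time for a constant failure rate."""
    return 1.0 - math.exp(-rate * exposure_hours)


def top_event_probability(tree, rates, exposures):
    """Rare-event approximation: sum over the minimal cut sets of the product of
    their event probabilities (the FT quantification the ARP 4761 text describes)."""
    total = 0.0
    for cut_set in minimal_cut_sets(tree):
        p = 1.0
        for event in cut_set:
            p *= event_probability(rates[event], exposures[event])
        total += p
    return total


def average_probability_per_flight_hour(tree, rates, exposures, flight_hours):
    """Average probability per flight hour, assuming a typical flight of average duration."""
    return top_event_probability(tree, rates, exposures) / flight_hours


if __name__ == "__main__":
    print("minimal cut sets:", [sorted(cs) for cs in minimal_cut_sets(TREE)])
    for label, exposures in (("all active", ACTIVE_EXPOSURE), ("pump 2 latent", LATENT_B_EXPOSURE)):
        p = average_probability_per_flight_hour(TREE, RATES, exposures, FLIGHT_HOURS)
        print(f"{label}: {p:.3e} per flight hour")
```

The second scenario shows why exposure time matters as much as failure rate: leaving pump 2's failure undetected for a 1000-hour check interval raises the top-event probability by roughly two orders of magnitude.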
Weibull distribution (figure).
LINKAGE BETWEEN SYSTEM SAFETY ASSESSMENT AND ICA: During the safety assessment process associated with § 25.1309 compliance, useful information or instructions associated with the continued airworthiness of the airplane might be identified. This information should be made available to those compiling the Instructions for Continued Airworthiness covered by § 25.1529. VAI 11.1: EMB-190 SSA-ICA Process.
Safety Objectives
HOW TO ENSURE SAFETY? After the Three Mile Island accident, the NRC (Nuclear Regulatory Commission) established qualitative and quantitative safety goals. For example: "The likelihood of a nuclear reactor accident that results in a large-scale core melt should normally be less than one in 10,000 per year of reactor operation." "The risk to the population near a nuclear power plant of cancer fatalities that might result from nuclear power plant operation should not exceed one tenth of one percent (0.1%) of the sum of cancer fatality risks resulting from all other causes."
HOW TO INCREASE SAFETY? On 17 July 1996 a Trans World Airlines Boeing 747, registered N93119, departed New York-JFK for a flight (TWA 800) to Paris. About 12 minutes after takeoff, while climbing through 13,700 ft, an explosion occurred and the aircraft broke up. Flaming debris fell into the sea. All 229 occupants were killed. As a consequence, the White House Commission on Aviation Safety and Security (Gore Commission) was established. Together with the National Civil Aviation Review Commission (1997) it called for: 1. An 80% reduction in fatal accidents of commercial aircraft within 10 years (by 2007). 2. A tenfold reduction in the accident rate within 20 years. The FAA and the manufacturers formed the Commercial Aviation Safety Team (CAST).
RISK ASSESSMENT: R = P × D, where P = probability and D = damage. Risk matrix; risk indices.
HAZARD SEVERITY CATEGORIES (category, description, definition):
I CATASTROPHIC: Death, system loss, or severe environmental damage.
II CRITICAL: Severe injury, severe occupational illness, major system or environmental damage.
III MARGINAL: Minor injury, minor occupational illness, major system or environmental damage.
IV NEGLIGIBLE: Less than minor injury, occupational illness, or less than minor system or environmental damage.
HAZARD PROBABILITY LEVELS (level; description for a specific individual item; description for the fleet or inventory):
A FREQUENT: Likely to occur frequently; Continuously experienced.
B PROBABLE: Will occur several times in the life of the item; Will occur frequently.
C OCCASIONAL: Likely to occur some time in the life of an item; Will occur several times.
D REMOTE: Unlikely but possible to occur in the life of an item; Unlikely but can reasonably be expected to occur.
E IMPROBABLE: So unlikely, it can be assumed occurrence may not be experienced; Unlikely to occur, but possible.
RISK ASSESSMENT MATRIX: frequency of occurrence (rows) vs. hazard severity category (columns)
                 I CATASTROPHIC   II CRITICAL   III MARGINAL   IV NEGLIGIBLE
FREQUENT (A)     1A               2A            3A             4A
PROBABLE (B)     1B               2B            3B             4B
OCCASIONAL (C)   1C               2C            3C             4C
REMOTE (D)       1D               2D            3D             4D
IMPROBABLE (E)   1E               2E            3E             4E
RISK INDICES (same matrix, cells ranked from 1 = highest risk to 20 = lowest)
                 I CATASTROPHIC   II CRITICAL   III MARGINAL   IV NEGLIGIBLE
FREQUENT         1                3             7              13
PROBABLE         2                5             9              16
OCCASIONAL       4                6             11             18
REMOTE           8                10            14             19
IMPROBABLE       12               15            17             20
ARP 5151: SAFETY ASSESSMENT OF GENERAL AVIATION AIRPLANES & ROTORCRAFT IN COMMERCIAL SERVICE. The "Ongoing Safety Assessment Process" (SAE S-18 GAR Subcommittee; GAR = General Aviation airplanes and Rotorcraft): Hazard Identification; Risk Assessment; Risk Reduction / Mitigation; Risk Control Implementation; Hazard Tracking.
RISK MANAGEMENT: Program phases and the steps of the management process.
1. First phase: STEP 1: Define the requirements for implementing the risk management process.
2. All phases (sequentially): STEP 2: Risk identification and assessment. STEP 3: Decision and action (analyse the acceptability of the risks and the reduction options). STEP 4: Risk control, communication and acceptance.
HAZARD SEVERITY (category, description, definition):
1 CATASTROPHIC: Fatal injury or aircraft severe damage or loss.
2 CRITICAL: Severe injury or substantial aircraft damage.
3 MARGINAL: Minor injury or minor damage.
4 NEGLIGIBLE: No significant effects.
HAZARD PROBABILITY LEVELS (fleet or inventory description):
A FREQUENT: Continuously experienced.
B PROBABLE: Will occur frequently.
C OCCASIONAL: Will occur several times.
D REMOTE: Unlikely but can reasonably be expected to occur.
E IMPROBABLE: Unlikely to occur, but possible.
RISK LEVEL MATRIX: frequency of occurrence (rows) vs. hazard severity category (columns: I CATASTROPHIC, II CRITICAL, III MARGINAL, IV NEGLIGIBLE). The slide uses merged cells, so each row below lists its risk levels once, left to right, as they appear:
FREQUENT: Extremely High, Medium
PROBABLE: Extremely High, Medium, Low
OCCASIONAL: High, Medium, Low
REMOTE: Medium, Low
IMPROBABLE: Low, Low
25.1309 Equipment, systems, and installations. (a) The equipment, systems, and installations whose functioning is required by this subchapter, must be designed to ensure that they perform their intended functions under any foreseeable operating condition. (b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that— (1) The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and (2) The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.
FAILURE CONDITION (SEVERITY) CLASSIFICATIONS: (1) No Safety Effect: Failure Conditions that would have no effect on safety; for example, Failure Conditions that would not affect the operational capability of the airplane or increase crew workload. (2) Minor: Failure Conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities. Minor Failure Conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in workload, such as routine flight plan changes, or some physical discomfort to passengers or cabin crew. (3) Major: Failure Conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in workload or in conditions impairing crew efficiency, or discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries.
25.1309 Equipment, systems, and installations (HARMONIZED): (b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed and installed so that: (1) Each catastrophic failure condition (i) is extremely improbable; and (ii) does not result from a single failure; and (2) Each hazardous failure condition is extremely remote; and (3) Each major failure condition is remote.
FAILURE CONDITION (SEVERITY) CLASSIFICATIONS: (4) HAZARDOUS: Failure Conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be: i. A large reduction in safety margins or functional capabilities; ii. Physical distress or excessive workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; or iii. Serious or fatal injury to a relatively small number of the occupants other than the flight crew. (5) CATASTROPHIC: Failure Conditions which would result in multiple fatalities, usually with the loss of the airplane (would prevent continued safe flight and landing).
SAFETY OBJECTIVES: (1) Probable Failure Conditions are those anticipated to occur one or more times during the entire operational life of each airplane. (2) Remote Failure Conditions are those unlikely to occur to each airplane during its total life, but which may occur several times when considering the total operational life of a number of airplanes of the type. (3) Extremely Remote Failure Conditions are those not anticipated to occur to each airplane during its total life but which may occur a few times when considering the total operational life of all airplanes of the type. (4) Extremely Improbable Failure Conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type.
FAILURE CONDITION SEVERITY vs. PROBABILITY MATRIX (cells as they appear on the slide; the NO SAFETY EFFECT column carries no probability requirement):
                 CATASTROPHIC   HAZARDOUS   MAJOR   MINOR   NO SAFETY EFFECT
Row A            1A             2A          3A      4A      4A
Row B            1B             2B          3B      4B      4B
Row C            1C             2C          3C      4C      4C
Row D            1D             2D          3D      4D      4D
Row E            1E             2E          3E      4E      4E
Probability labels on the slide, top to bottom: PROBABLE, REMOTE, EXTREMELY REMOTE, EXTREMELY IMPROBABLE.
Primary causes of accidents: commercial jet fleet, 1994-2004 (chart). Source: Boeing.
SAFETY OBJECTIVES: Serious accidents: 1 per 10^6 flight hours. 10% of them caused by systems: 1 per 10^7 flight hours. 100 potentially CATASTROPHIC failure conditions: 1 per 10^9 flight hours each. Hence < 10^-9: the AVERAGE probability per flight hour for catastrophic conditions would be 1 × 10^-9.
SAFETY OBJECTIVES: < 10^-3: (1) Probable Failure Conditions are those anticipated to occur one or more times during the entire operational life of each airplane. < 10^-5: (2) Remote Failure Conditions are those unlikely to occur to each airplane during its total life, but which may occur several times when considering the total operational life of a number of airplanes of the type. < 10^-7: (3) Extremely Remote Failure Conditions are those not anticipated to occur to each airplane during its total life but which may occur a few times when considering the total operational life of all airplanes of the type. < 10^-9: (4) Extremely Improbable Failure Conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type.
Probability thresholds (figure): < 10^-3, < 10^-5, < 10^-7, < 10^-9.
RELIABILITY ENGINEERING
DEFINITION OF RELIABILITY: The probability that a product or service operates as expected for a specified period of time ("design life") under the operating conditions foreseen in the design. Reliability is therefore failure-free operation under specified operating conditions for a specified period.
RARE-EVENT APPROXIMATION
RELIABILITY MODELLING 1: Components and Failure Rates of a Tape Cassette
No.  Component            Function                           Failure rate
1    Feed-spool           advances the tape                  0.0003
2    Take-up spool        guides the tape                    0.0002
3    Erase head           erases the contents of the tape    0.0005
4    Record/Replay head   transforms magnetized              0.0008
5    Pressure pad         supports tape                      0.0001
6    Pinch wheel          provides tension in tape           0.00025
7    Capstan              ensures flatness of tape           0.0002
SERIES SYSTEM: Example of a Reliability Block Diagram (RELIABILITY BLOCK DIAGRAMS) (figure).
Telecommunication modelling for ATCS. AES = Aeronautical earth station; GES = Ground earth station; ARTCC = Air Route Traffic Control Center. Proposed Oceanic Operating Environment (ADS) (figure).
Telecommunication modelling for ATCS. CMU = Control Module Unit; SDU = Satellite Data Unit; RFU = Radio Frequency Unit. Figure 5: Possible AES Avionics Configuration.
Telecommunication modelling for ATCS. Figure 6: Reliability Block Diagram for the AES Avionics.
Telecommunication modelling for ATCS. Table: Failure Data of the System's Components/Subsystems (failure rate in failures/hr):
Satellite data unit (SDU): 2.5 × 10^-6
Communication management unit (CMU): 1.42 × 10^-6
Radio frequency unit (RFU): 0.8 × 10^-6
Aeronautical telecommunications network (ATN): 1.75 × 10^-4
Air route traffic services (ATS): 2.85 × 10^-4
Automatic dependent surveillance unit (ADSU): 5 × 10^-4
Splitter: 3 × 10^-6
Combiner: 5 × 10^-6
High-power antenna (HPA): 6 × 10^-5
High-power relay (HPR): 4 × 10^-6
High-gain antenna (HGA): 4 × 10^-5
Low-gain antenna (LGA): 3.5 × 10^-5
Low-noise antenna (LNA): 2 × 10^-5
Beam steering unit (BSU): 8.7 × 10^-6
Automatic Dependent Surveillance. CONCLUSIONS: 1) Most components of the "aeronautical earth station" need to be redesigned to reduce their failure rates. 2) The components of the "air route traffic control center" call for design changes or redundancy in some components or links. 3) The reliability of the "ground earth station" exceeds the minimum system requirements. 4) Reliability modelling and estimation techniques can be effective design tools for complex configurations.
SYSTEM MODELLING

DETERMINING FAILURE RATES
Reliability predictions:
- Commonly used in product and system development.
- Comparison of alternative design approaches.
- Assessment of progress towards the reliability specification.
- Provide insight into safety, maintenance and warranty costs.
Criticized for not being accurate estimates of the real failure rate (approximations with no scientific basis).

DETERMINING FAILURE RATES
According to Jensen, "Achieving high reliability is a process of sound design and manufacturing practices. Using handbook predictions for design comparisons is rarely a good idea". It can mislead the designer into selecting a less reliable component over a more reliable one because of the lack of coherence between predicted values.
THE ERRORS ARE CONSERVATIVE. Example: the component failure rates of the B-757 and B-767 electronic display systems were 20 percent of the MIL-HDBK-217 predictions.
Jensen, "Electronic Component Reliability: Fundamental, Modeling, Evaluation, and Assurance", 2nd edition, John Wiley & Sons, 1985.

DETERMINING FAILURE RATES
Example of discrepancies between failure-rate estimates: Table 1, predicted values of the 64K DRAM hazard rate in FITs (1994), from The British Telecom Handbook of Reliability Data HRD 4. (Table shown on the slide.)

DETERMINING FAILURE RATES
MIL-HDBK-217, "Reliability Prediction of Electronic Equipment": although no longer kept up to date by the US military, it is still the approach most used by military and commercial designers.
Bellcore (now Telcordia) TR-332: the Bellcore approach is widely used in the telecommunications industry and was recently updated to SR-332, in May 2001. Very similar to MIL-HDBK-217.
RDF 2000: the most recent and complete European methodology, developed by CNET. It has not yet received much attention in the US, but it may evolve into a new worldwide standard if MIL-HDBK-217 remains out of date. Like the PRISM approach, it also models thermal cycling and dormant systems.

DETERMINING FAILURE RATES
PRISM: a new technology developed by the Reliability Analysis Center that can model the effects of thermal cycling and dormancy.
Physics-of-Failure: this family of approaches differs significantly from the empirical methodologies listed above in that it seeks the detailed failure mechanism. Used mainly at the sub-device level during the design phase.
The IEEE Gold Book, IEEE Std 493-1997, IEEE Recommended Practice for the Design of Reliable Industrial and Commercial Power Systems, provides data on commercial power distribution systems.

DETERMINING FAILURE RATES
Mechanical equipment: a challenge for reliability prediction because of the specificity and variety of the components and assemblies. These systems are often subject to wear, which is normally not an issue in electronics.
NPRD-95: the Nonelectronic Parts Reliability Data (NPRD-95) databook is widely used. Published by the Reliability Analysis Center, it provides a compendium of in-service failure-rate history for a wide range of mechanical assemblies.
NSWC-94/L07, Handbook of Reliability Prediction Procedures for Mechanical Equipment: this handbook presents a unique approach to the reliability prediction of mechanical components, with failure-rate models for fundamental classes of mechanical components.

DETERMINING FAILURE RATES
1) Calculation from reliability handbooks: FMD-97, Failure Mode/Mechanism Distributions, 1997, Reliability Analysis Center, Rome, N.Y.; OREDA, Offshore Reliability Data database.
2) Estimation from field experience: previous experience in similar situations; statistics of removed items (manufacturer, operator).
3) Ad hoc laboratory tests: design of experiments; use of statistical techniques (goodness-of-fit tests, parametric and non-parametric tests).

DETERMINING FAILURE RATES: MIL-HDBK-217
- Failure-rate models for nineteen major categories of electronic components used in modern systems, from microcircuits and discrete semiconductors to passive components (resistors and capacitors).
- Models developed by fitting curves to historical failure data collected from field operation and laboratory tests.
Example (figure): low-frequency diodes (MIL-S-19500).
DETERMINING FAILURE RATES: STRESS EXCEEDING STRENGTH
Figure: failure distribution of transistors subjected to increasing temperatures.

DETERMINING FAILURE RATES
Figure: probability density function of components as seen by the manufacturer or the end user when no burn-in has been performed. Annotations: the early peak results from poor design and from manufacturing and workmanship problems; the main peak is the characteristic of the component population.

[Figure: early failures versus main-population failures.]

BURN-IN EXPERIMENTS
- 200 electronic components
- the anomalous population represents about 10%
- screening (debugging) time 10 to 20 hours
Figure: Weibull plot of early failures in printed circuit boards tested at 70 °C ambient.

LABORATORY TESTS
Premature death represents about 15%.
Figure: Weibull plot of early failures in printed circuit boards under conditions of use at 25 °C.
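The Weibull plots on the last two slides are read by fitting a straight line to the early-failure points; the slope gives the shape parameter, and a slope below 1 is the decreasing hazard that burn-in is meant to screen out. The Python below, an added example and not code from the slides, does that fit by median-rank regression and uses the fitted curve to size a burn-in. The twelve failure times are constructed for illustration and are not the slide's 200-component data set; the 0.02 per hour hazard target is likewise an assumed value.

```python
"""Weibull plot analysis of early failures (burn-in screening) by median-rank regression.

Added example, not code from the original slides.  The failure times are constructed
for illustration and the hazard target is an assumed value.
"""
import math

# Constructed data (assumed values): hours to failure of the 12 early failures seen on a
# batch of printed circuit boards during a burn-in test.
EARLY_FAILURES_H = [0.5, 1.2, 2.0, 3.5, 5.0, 8.0, 12.0, 20.0, 35.0, 60.0, 120.0, 300.0]


def median_ranks(n):
    """Bernard's approximation F_i ~= (i - 0.3) / (n + 0.4) for the i-th of n ordered failures."""
    return [(i - 0.3) / (n + 0.4) for i in range(1, n + 1)]


def fit_weibull(times):
    """Least-squares fit on the Weibull plot.

    With x = ln t and y = ln(-ln(1 - F)), a two-parameter Weibull is the straight line
    y = beta*x - beta*ln(eta).  Returns (beta, eta, r_squared): beta < 1 means a decreasing
    hazard (infant mortality), beta ~ 1 a constant hazard, beta > 1 wear-out.
    """
    t = sorted(times)
    n = len(t)
    xs = [math.log(ti) for ti in t]
    ys = [math.log(-math.log(1.0 - f)) for f in median_ranks(n)]
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    syy = sum((y - y_mean) ** 2 for y in ys)
    beta = sxy / sxx
    intercept = y_mean - beta * x_mean
    eta = math.exp(-intercept / beta)
    return beta, eta, sxy * sxy / (sxx * syy)


def weibull_cdf(t, beta, eta):
    """Fraction of the fitted population failed by time t."""
    return 1.0 - math.exp(-((t / eta) ** beta))


def weibull_hazard(t, beta, eta):
    """Instantaneous failure rate h(t) = (beta/eta) * (t/eta)^(beta-1)."""
    return (beta / eta) * (t / eta) ** (beta - 1.0)


def burn_in_time(beta, eta, target_hazard):
    """Shortest burn-in after which the fitted hazard has fallen to target_hazard (beta < 1)."""
    if beta >= 1.0:
        raise ValueError("hazard is not decreasing; burn-in cannot screen it out")
    return eta * (target_hazard * eta / beta) ** (1.0 / (beta - 1.0))


def weibull_quantiles(beta, eta, n):
    """Times at the median ranks of an exact Weibull(beta, eta); used to check the fit."""
    return [eta * (-math.log(1.0 - f)) ** (1.0 / beta) for f in median_ranks(n)]


if __name__ == "__main__":
    beta, eta, r2 = fit_weibull(EARLY_FAILURES_H)
    print(f"beta={beta:.3f}  eta={eta:.1f} h  r^2={r2:.3f}")
    print(f"hazard at 1 h: {weibull_hazard(1.0, beta, eta):.4f} /h, "
          f"at 20 h: {weibull_hazard(20.0, beta, eta):.4f} /h")
    t_b = burn_in_time(beta, eta, 0.02)
    print(f"burn-in to reach 0.02 /h: {t_b:.1f} h, which removes "
          f"{weibull_cdf(t_b, beta, eta):.1%} of the early-failure sub-population")
```

The fit is made on the early-failure sub-population only, as on the slides, so the fraction reported by weibull_cdf is a fraction of that anomalous group, not of the whole batch; scaling it by the 10 to 15 percent anomalous share quoted above gives the batch-level yield loss of the burn-in.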
CONSTANT FAILURE RATES
Most models used in aviation are based on a constant failure rate. This implies that the system's reliability function does not depend on its age, which assumes that:
1) Equipment enters service after early failures have been eliminated.
2) Equipment completes its mission before the wear-out phase sets in (as described by the bathtub curve).
3) The system, from the user's point of view, has been debugged.
4) The failure rate is not susceptible to overloads, severe duty cycles and other factors encountered in service.

BATHTUB CURVE
[Figure: failure rate versus time, with quality failures, stress failures and wear-out failures marked.]
SSA: A NEW APPROACH

AC/AMJ 25.1309 ARSENAL
AC = Advisory Circular; AMJ = Advisory Material Joint.

AC/AMJ 25.1309 ARSENAL
3. RELATED DOCUMENTS
a. Advisory Circulars, Advisory Material Joint.
(1) AMJ 25.1322 Alerting Systems.
(2) AC 25.19/AMJ 25.19 Certification Maintenance Requirements.
(3) AC 20-115B RTCA, Inc. Document DO-178B / AMJ 20-115B EUROCAE ED-12B.
(4) AC/AMJ 25-901 Safety Assessment of Powerplant Installations.

AC/AMJ 25.1309 ARSENAL
b. Industry documents.
(1) RTCA, Inc., Document No. DO-160D/EUROCAE ED-14D, Environmental Conditions and Test Procedures for Airborne Equipment.
(2) RTCA, Inc., Document No. RTCA/DO-178B/EUROCAE ED-12B, Software Considerations in Airborne Systems and Equipment Certification.
(3) Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4754/EUROCAE ED-79, Certification Considerations for Highly Integrated or Complex Aircraft Systems.
(4) SAE ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment.

ERJ 170/190 CERTIFICATION BASIS
Embraer made an application for the ERJ-170/190 series aircraft on 20 May 1999 (Ref. Embraer letter PCE-0809/99, dated 20 May 1999).
US FAR 25, including: Amendments 25-1 through 25-98, effective on 10 March 1999; Amdt. 25-99, 25-100, 25-101, 25-102 (paragraphs 25.981(a) and 25.981(b) only, and Appendix H); 25-103, 25-104, 25-105, 25-107, except paragraph 25.735(h); 25-108, 25-109.
FCAR HSI-015: Equipment, Systems and Installations
EQUIVALENT LEVEL OF SAFETY (30/07/02)
STATEMENT OF ISSUE: The current guidance material for compliance with RBHA/FAR 25.1309 is not considered to be sufficiently effective and complete for assessing the safety aspects of complex and highly integrated systems that perform interrelated multi-functions (particularly through the use of electronic technology and software based techniques), such as those installed in the ERJ-170 aircraft.

FCAR HSI-015: Equipment, Systems and Installations
DISCUSSION: As a result of the FAA/JAA Harmonization Working Groups activities, both authorities have reached an agreement on a revised text for the systems safety assessment requirements, as well as on the guidance material related with the associated acceptable means of compliance. Such revisions have included new areas of concern and related substantiation methodologies, which were developed to cope with modern aircraft complex systems, highly integrated, performing multiple functions with extensive use of software techniques. The proposed modifications of the related requirements are presently at the final stages of the rulemaking process by both authorities.

FCAR HSI-015: Equipment, Systems and Installations
DISCUSSION (cont.): Embraer has indicated its willingness to comply with the related parts of those modifications, transcribed below from the FAA draft NPRM for better understanding, including the associated guidance material, as an equivalent level of safety to the RBHA/FAR 25.1309 at Amendment 98 (ERJ-170 default certification basis).

FCAR HSI-015: Equipment, Systems and Installations
CTA POSITION: The regulatory changes foreseen by the JAA NPA 25F-281 and FAA NPRM on sections 25.1301, 25.1309 and new 25.1310 bring a considerable improvement for the systems, equipment and installation requirements of the Chapter 25, due to the clarification of already existing provisions and identification of new related concepts (...) Therefore, the application of those impending new rules, as an equivalent level of safety for the current requirements, and the corresponding substantiation methodology established in the revised AC/AMJ 25.1309 above referred, is opportune for the ERJ-170 certification program and will surely provide an adequate and satisfactory approach for compliance.

FCAR HSI-015: Equipment, Systems and Installations
CTA POSITION (cont.): A final noteworthy remark regarding powerplant installations (last sentence of the main paragraph of the proposed 25.1309) is opportune. Since the proposed rule, albeit resulting from a technical consensus, is not in effect, any last minute changes should not be ruled out. This concern applies specifically to powerplant installations; therefore, considering that current powerplant installations are not explicitly covered by 25.1309, and the focus of this FCAR is indeed on highly integrated aircraft systems and equipment, the CTA will not require compliance with 25.901(c) under the framework of 25.1309(b).

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION: Embraer agrees with the general intent of CTA position. Some background discussion, however, is needed for a better understanding of Embraer position, as explained below. Embraer is aware that the ERJ-170 is an aircraft with highly integrated systems performing complex and interrelated functions and agrees with CTA that the present guidance material for compliance with RBHA/FAR 25.1309 is not considered sufficiently effective and complete for assessing the safety aspects of highly integrated and complex systems.
FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 1): In order to address the concerns related to systems integration Embraer adopted the following:
1. Process to prevent errors on requirements, design and implementation;
2. Systems safety assessment based on FAA/JAA harmonized material for systems safety assessment requirements;
3. Aircraft safety assessment, covering failure conditions that affect multiple aircraft level functions; and
4. Verification of aircraft level safety assessment by means of actual tests using an integrated iron bird rig.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 2): Below follows an explanation about each item above:
1. PROCESS: Regarding the applicability of SAE ARP 4754/ED-79 to the ERJ-170 program, Embraer performed a detailed analysis on that document and prepared an adequacy plan. Such plan was presented to CTA, JAA and FAA and it was considered acceptable for program ERJ-170 usage. In order to formalize the plan, Embraer issued the ENS-003188 titled ARP 4754 - Adequacy for ERJ-170, attached to this letter.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 3):
2. SYSTEM SAFETY ASSESSMENT: The safety assessment for each aircraft system verifies compliance with the safety objectives related to RBHA/FAR/JAR 25.1309 requirements, defined in the corresponding system functional hazard analysis. Each system safety assessment is conducted in accordance with Embraer standard ENS-002175 – System Safety Assessment Reports – Guidelines. This standard is based on:
- NPA 25F-281;
- AC 25.1309, Arsenal revised; and
- SAE ARP 4761.
Systems safety assessment considers all equipment/hardware that affect systems functions and includes fault tree analysis for each catastrophic and hazardous failure condition. Independency claims at fault trees are supported by common cause analysis.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 4):
3. AIRCRAFT SAFETY ASSESSMENT: Systems integration introduces failure conditions affecting simultaneously multiple systems and aircraft top level functions. In order to address the failure propagation assessment at aircraft level, related to potential sources of cascading/common cause failures, fault propagation and final effect on aircraft level functions, Embraer will develop an aircraft safety assessment, in addition to the traditional systems safety assessment.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 5):
3. AIRCRAFT SAFETY ASSESSMENT: In this assessment, it will be considered failure conditions of equipment/systems with multiple functions – integrated controllers, multi-user control signals and power sources – predicting the effects/criticalities on systems/functions and determining the global effect on the aircraft top level functions. The combination of those failures will generate the matrix of potential failure cases. These failure conditions will be covered in the aircraft safety assessment (report 170 MSS 012). The following are the main components for the matrix of potential failure cases:
FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 6):
3. AIRCRAFT SAFETY ASSESSMENT
– Integrated controllers:
- MAUs (considering for each MAU the loss of electrical power per channel at module level and loss of communications);
- SPDAs (considering for each SPDA the loss of electrical power at module level and loss of communications);
- AMS controllers (considering the loss of SPDA electrical power and loss of communications);
- MRCs (loss of electrical power and loss of communications);
- GCUs (loss of communications);
- FADECs (loss of total electrical power and loss of communications);
- MCDUs (loss of electrical power and loss of communications); and
- CCDs (loss of electrical power and loss of communications).

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 6):
3. AIRCRAFT SAFETY ASSESSMENT
The following are the main components for the matrix of potential failure cases (cont.):
– Control signals:
- Air ground signals;
- Wheel speed signals;
- Engine signals;
- Air data signals;
- IRS signals; and
- Flap position signal.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 7):
3. AIRCRAFT SAFETY ASSESSMENT
The following are the main components for the matrix of potential failure cases (cont.):
– Power sources:
- Main engines;
- Electrical;
- Hydraulics; and
- Pneumatics.
– Additional failure cases:
- Power sources and integrated controllers;
- Power sources and power sources – electrical, hydraulics, pneumatics; and
- Integrated controllers and integrated controllers.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 8):
3. AIRCRAFT SAFETY ASSESSMENT
For each failure case, a propagation analysis is conducted taking into account the scenario – configuration of the aircraft and flight phase – and predicting the effect/criticality of that failure on systems/functions that contribute to aircraft top-level functions:
1. Provide lateral/directional control;
2. Provide pitch control;
3. Provide thrust;
4. Provide lift and drag control;
5. Provide primary flight information;
6. Provide navigation;
7. Provide communication;
8. Provide auto flight;
9. Provide habitable environment;
10. Protect structural integrity against system fail;
11. Provide unobstructed cockpit vision;
12. Provide protection against fire; and
13. Halt the airplane.
FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 9):
4. VERIFICATION OF AIRCRAFT SAFETY ASSESSMENT
Once the effects/criticalities were predicted by the propagation analysis related to potential sources of cascading/common cause failures, Embraer will demonstrate those effects and verify criticalities using a certification vehicle entitled integrated iron bird rig which will contain the following actual aircraft systems and modeled systems:
– Aircraft systems:
- Integrated digital platform (includes MAUs, SPDAs, FADECs, AMS controllers, MCDUs, CCDs, displays, MRC and digital data buses);
- Cockpit overhead panel (with systems modules that interface with the integrated digital platform);
- Cockpit circuit breakers panels;
- Electrical power systems (with actual electrical buses powering the corresponding systems);
- Hydraulic system;
- Flight controls system;
- Auto pilot system;
- Landing gear, brakes and steering; and
- Thrust reversers.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 10):
4. VERIFICATION OF AIRCRAFT SAFETY ASSESSMENT
– Aircraft aerodynamic model:
- Aerodynamic data bank permitting the aerodynamic aircraft simulation.
– Modeled aircraft systems:
- Main engines (controlled by actual FADECs);
- Mechanical portion of fuel system (controlled by actual SPDAs);
- APU;
- Mechanical portion of air management systems (controlled by actual AMS controllers);
- Air data system outputs and sensors heating (controlled by actual MAUs and SPDAs); and
- Flap/slat.

FCAR HSI-015: Equipment, Systems and Installations
EMBRAER POSITION (cont. 10):
4. VERIFICATION OF AIRCRAFT SAFETY ASSESSMENT
– The integrated iron bird will be described in the report 170 MSD 001. The process for conducting the failure propagation assessment at aircraft level will be performed with the support of the human factor group in the verification of criticality of each failure case. All activities involving the integrated systems safety assessment shall be documented in the following reports:
- 170 MSS 003 – Aircraft Functional Hazard Assessment;
- 170 MSS 012 – Aircraft Safety Assessment;
- 170 MSD 002 – Integrated Systems Overview;
- 170 MSC 003 – Safety Assessment Methodology;
- 170 MSD 001 – Failure Propagation Vehicle Description;
- 170 MSP 001 – Failure Propagation Vehicle Test Proposal;
- 170 MSR 001 – Failure Propagation Vehicle Test Results;
- 170 ELS 005 – SPDA – Secondary Power Distribution Assembly – FMEA;
- 170 LGA 058 – WOW Functional FMEA; and
- 170 AVA 004 – Functional FMEA – MAU.

FCAR HSI-015: Equipment, Systems and Installations
LIST OF REPORTS
- 170 ADO 001 – FUNCTIONAL HAZARD ANALYSIS CRITERIA
- 170 ADY 008 – FHA SUPPORTING CALCULATIONS GROUND ROLL DECELERATION AND CLIMB CAPABILITY
- 170 AFS 001 – AFCS SYSTEM SAFETY ASSESSMENT
- 170 AFS 004 – AFCS FHA VERIFICATION TEST PLAN
- 170 AUS 001 – AUXILIARY POWER UNIT SYSTEM SAFETY ASSESSMENT
- 170 AUS 002 – AUXILIARY POWER UNIT SYSTEM FUNCTIONAL HAZARD ANALYSIS
(...)
- 170 MSR 001 – Failure Propagation Vehicle Test Results;
- 170 ELS 005 – SPDA – Secondary Power Distribution Assembly – FMEA;
- 170 LGA 058 – WOW Functional FMEA; and
- 170 WWS 002 – VACUUM WASTE SYSTEM SAFETY ASSESSMENT
94 reports directly related to Safety Assessment.

METHODOLOGY AND CERTIFICATION DOCUMENTATION: AIRCRAFT FUNCTIONS
TOP LEVEL FUNCTIONS
1. To provide aircraft lateral/directional control
2. To provide pitch control
3. To provide thrust
4. To provide lift and drag control
5. To provide Primary Flight Information
6. To provide navigation capability
7. To provide communication capability
8. To provide auto flight capability
9. To provide habitable environment
10. To protect structure integrity against systems failures
11. To provide unobstructed cockpit vision
12. To provide protection against fire
13. To land and halt the aircraft
ARP 4754

REQUIREMENTS DEVELOPMENT PROCESS
A generic aircraft development program (figure; source: Spitzer/Chilenski). PDR = approval of the design concept; proceed with detailed design. CDR = approval of the detailed design; proceed with fabrication. The figure runs from aircraft requirements formulation through system requirements formulation (system requirements review), hardware and software requirements, preliminary and detailed hardware and software design (PDR, CDR), hardware fabrication and assembly, software coding and code test, unit testing, software integration testing, hardware/software integration (HW/SW test readiness review), system testing (system test readiness review), lab/flight testing and production first article inspection.

HOW TO GUARANTEE SAFETY? DESIGN, MANUFACTURING, OPERATION
ARP 4754
- Certification Considerations for Highly Integrated or Complex Aircraft Systems (current name)
- Guidance for Validation and Verification of Aircraft Systems (name to be adopted)
A qualitative approach. It recognizes that there are no numerical methods to characterize development errors (errors in requirements determination and in design).
REQUIREMENTS CAPTURE AND DAL ASSIGNMENT
- Safety requirements (from the SSA process)
- Functional requirements (a combination of customer wishes, regulatory constraints and "implementation reality")
- Requirements: customer, operational, performance, installation, etc.

HOW TO GUARANTEE SAFETY? DESIGN, MANUFACTURING, OPERATION
ARP 4754: CERTIFICATION CONSIDERATIONS FOR HIGHLY INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS
"DEVELOPMENT ASSURANCE": all planned and systematic actions used to substantiate, to an adequate level of confidence, that development errors have been identified and corrected, such that the system satisfies the applicable certification basis.
"DEVELOPMENT ERROR": a mistake in requirements determination, in design or in implementation.

[Figure: relationship between the documents. The intended aircraft function feeds the aircraft system development process (ARP 4754), which exchanges function, failure and safety information with the safety assessment process (ARP 4761) and produces the system design; aircraft system development then drives the hardware life-cycle process (DO-254) and the software life-cycle process (DO-178B), whose implementation yields the functional system.]

SAE AEROSPACE RECOMMENDED PRACTICE 4754 – CERTIFICATION CONSIDERATIONS FOR HIGHLY INTEGRATED OR COMPLEX AIRCRAFT SYSTEMS
The process includes the assignment of development assurance levels, similar to FHA hazard severity levels. The Development Assurance Levels defined in ARP 4754 determine the necessary software and hardware design assurance levels of DO-178B and DO-254.
"Development assurance establishes confidence that the system development has been accomplished in a sufficiently disciplined manner to limit the likelihood of development errors that could impact aircraft safety."

System Development Assurance Level Assignment (table shown on the slide).
SYSTEM SAFETY ASSESSMENT PROCESS 4. 3 Software Summary Software control and indication is accomplished via the SPDA, FADEC, and EICAS systems. Table 2 summarizes the ERJ-170 Functional Hazard Analysis - Software (See Annex C). The safety level required in the FHA is accomplished or exceeded by thesoftware. CTA (CENTRO TÉCNICO AEROESPACIAL) BRAZILIAN AERONAUTICAL CERTIFICATION DIVISION 131
SYSTEM SAFETY ASSESSMENT PROCESS Supporting Processes Certification Coordination Aircraft Function 3 Aircraft Function 2 Aircraft Function 1 Safety Assessment Requirements Validation Implementation Verification System 3 System 2 System 1 Item 3 Item 2 Item 1 Configuration Management Hardware Life-Cycle Process Assurance Software Life-Cycle ITEM DEVELOPMENT SYSTEM DEVELOPMENT AIRCRAFT FUNCTION CTA (CENTRO TÉCNICO AEROESPACIAL) BRAZILIAN AERONAUTICAL CERTIFICATION DIVISION 132
SYSTEM SAFETY ASSESSMENT PROCESS Aircraft Functions Aircraft Level FHA Failure Conditions, Effects, Classification, Safety Requirements Functional Failure Conditions & Effects Systems Functions System-level FHA sections Failure Conditions, Effects, Classification, Safety Objectives CCAs Architectural Requirements Separation Requirements Aircraft Level Requirements Allocation of Aircraft Functions to systems Development of System Architecture SSAs Item requirements Separation & Verification Implementation Results Allocation of Item Requirements to Hardware & Software System Implementation Physical System Certification CTA (CENTRO TÉCNICO AEROESPACIAL) Safety Assessment Process BRAZILIAN AERONAUTICAL CERTIFICATION DIVISION System Development Process 133
[Diagram: Requirements Baseline Overview. Aircraft Level Functions give rise to functional and safety requirements (Aircraft Level FHA, Certification Requirements); these flow down to Aircraft Systems (System Requirements, DAL, System Level FHA sections, Selected Functions) and then to Equipment / Software (Equipment / SW Requirements, Integrated Digital Platform).]
FUTURE WORK: ERJ 190 SSA
- List of aircraft level functions reviewed and harmonized between all involved areas
- Requirements determination and traceability
- More extensive adoption of ARP 4754 – FHA, including assignment of DAL to systems and subsystems
FUTURE WORK: ERJ 190 SSA (status by ARP 4754 process area)
- ARP 4754 scope definition: tailoring criteria presented to CTA; Embraer teams currently applying the criteria.
- Certification Coordination: preliminary procedures issued.
- Safety Assessment: procedures are being analyzed to show compliance with ARP 4754.
- Configuration Management: process is being concluded (integration with product process).
- Requirements Verification: preliminary procedures issued; process is being discussed internally.
- Requirements Validation and Process Assurance: procedures issued; teams are being trained; preliminary procedure issued; process is being discussed internally.
Specific Risk
Average Probability PFH Definition
- Average Probability Per Flight Hour: is a representation of the number of times the subject Failure Condition is predicted to occur during the entire operating life of all airplanes of the type divided by the anticipated total operating hours of all airplanes of that type.
- (Note: The Average Probability Per Flight Hour is normally calculated as the probability of a failure condition occurring during a typical flight of mean duration divided by that mean duration.) (AC/AMJ 25.1309)
SAE S-18 Specific Risk definition. Specific Risk: the probability of failure for an individual airplane or flight, where one or more significant risk parameters differ from airplane to airplane (or flight to flight) and the values of those parameters are identifiable for those individual airplanes or flights.
Specific Risk definition. For example, individual airplanes (or flights) may be at a higher risk than the fleet average if:
- One or more components are failed or inoperative (degraded configuration but OK per MMEL).
- Components have more service time (“wearout” failure modes).
- Components have less service time (“infant mortality” failure modes).
- Flight length is shorter (cycle-driven failure mode).
- Flight length is longer (more time between pre-flight checks).
- Longer time since last inspection (latent failure mode).
- Components are outside design specifications (e.g. quality issue).
- Operating environment or mission profile is more severe.
- Aircraft configuration (weight and balance).
SAE S-18 Specific Risk definition. While noting the controversy of specific risk as an assessment metric, it is recognized that there are at least two examples of regulatory and industry guidance related to specific risk:
- Gunstone ACJ 39.3(b)(4) / CAAM (Continued Airworthiness Assessment Methodology) AC 39-XX
- Time Limited Dispatch (TLD)
FAA/EASA consensus Specific Risk definition: the risk on an aircraft on a specific flight due to a condition that deviates from the fleet’s average risk.
[Example illustration: a Catastrophic Failure Condition. Plot of risk against time: fleet average at 10^-9; a deviation at 10^-x, above the fleet average, lasting for some exposure time; full-up (no deviation) at 10^-y, below it. Question: do we limit exposure, deviation, or both?]
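As an added worked example, not taken from the slides, the following Python puts numbers on the quantities defined above for a catastrophic failure condition that needs an active failure plus a latent one: the average probability per flight hour as defined in AC/AMJ 25.1309, the fleet average that results from a periodic latent-failure check, and the full-up and degraded-configuration specific risks, plus the exposure hours that keep accumulated probability under a chosen budget. All failure rates, intervals and the budget are constructed sample values.

```python
import math

# Added illustration (not from the slides): how the fleet-average probability
# per flight hour and the specific risk of one degraded aeroplane diverge for a
# catastrophic failure condition that needs an active failure plus a latent one.
# All rates, intervals and budgets below are constructed sample values.

def average_probability_per_flight_hour(p_per_flight, mean_flight_hours):
    """AC/AMJ 25.1309 note: probability of the failure condition during a
    typical flight of mean duration, divided by that mean duration."""
    if mean_flight_hours <= 0:
        raise ValueError("mean flight duration must be positive")
    return p_per_flight / mean_flight_hours

def full_up_pfh(lam_active, lam_latent, mean_flight_hours):
    """Both items serviceable at dispatch: both must fail in the same flight,
    so P(flight) ~ (lam_a*t)*(lam_l*t) and the per-hour figure is lam_a*lam_l*t."""
    p_flight = (lam_active * mean_flight_hours) * (lam_latent * mean_flight_hours)
    return average_probability_per_flight_hour(p_flight, mean_flight_hours)

def fleet_average_pfh(lam_active, lam_latent, check_interval_hours):
    """Latent item inspected only every check_interval_hours: averaged over the
    interval, the usual approximation is lam_a * lam_l * T / 2 (valid for lam*T << 1)."""
    return lam_active * lam_latent * check_interval_hours / 2.0

def degraded_pfh(lam_active):
    """Specific risk once the latent failure is already present (or the item is
    dispatched inoperative under the MMEL): only the active failure remains."""
    return lam_active

def deviation_orders_of_magnitude(specific_pfh, fleet_pfh):
    """How many decades a given flight sits above the fleet average."""
    return math.log10(specific_pfh / fleet_pfh)

def exposure_hours_for_budget(pfh, cumulative_budget):
    """Hours a degraded aeroplane can operate before the accumulated probability
    1 - exp(-pfh*t) reaches cumulative_budget (one way to 'limit exposure')."""
    return -math.log(1.0 - cumulative_budget) / pfh

if __name__ == "__main__":
    lam_a, lam_l, t_flight, t_check = 1e-6, 1e-6, 1.5, 2000.0  # constructed values
    fleet = fleet_average_pfh(lam_a, lam_l, t_check)
    print(f"full-up:        {full_up_pfh(lam_a, lam_l, t_flight):.1e} per FH")
    print(f"fleet average:  {fleet:.1e} per FH")
    print(f"latent present: {degraded_pfh(lam_a):.1e} per FH")
    print(f"deviation:      {deviation_orders_of_magnitude(lam_a, fleet):.1f} decades")
    print(f"exposure for 1e-3 budget: {exposure_hours_for_budget(lam_a, 1e-3):.0f} h")
```

With the constructed 1e-6/h rates and a 2000 h check interval the fleet average lands at the 10^-9 of the slide while a flight with the latent failure already present sits three decades higher, which is the gap the "limit exposure / deviation / both" question is about.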
Feedback from SDAHWG
- Authorities: the risk on an aircraft on a specific flight due to a condition that deviates from the fleet’s average risk.
- SDAHWG: the risk on an aircraft per flight hour due to a condition that results in a deviation from the fleet's average risk. Conditions specifically of concern are significant latent failures and MMEL items.
What is the RULE?
- FAA seeks a clearer and more integrated set of recommendations from ARAC, because:
  - SDA, Flight Controls, and Powerplant HWGs each independently provided to the FAA varying philosophies on how specific risks should be managed (e.g., recommendations range from prohibiting single+latent, to allowing single+latent and specifying a minimum level of integrity, to no specific risk evaluation at all).
  - Specific risk issues transcend any one system type, and need to be coordinated cross-functionally (e.g., latent and MMEL issues are common issues).
CONCLUSIONS


