Companies certifying a new product or a modification to an existing one need to comply with the requirements set by the aviation authorities (EASA, FAA). The safety engineers have to assess the potential failures of each function and show that the probability of a failure condition is inversely related to the severity of its effects, i.e. the more severe the effect, the less probable the failure must be (see AMC2X.1309 for aircraft).
At DMD Solutions, we have identified what we think are the main safety-related pitfalls to avoid when planning for certification during all phases of the V-diagram. The goal is to optimize the processes so that they comply with both the time constraints and an efficient management of the workload in the race for certification.
If your company has a product in the certification phase, keep reading and learn the main safety-related pitfalls to be avoided with the 3 example scenarios below.
1. Start the reliability and safety analysis early!
“An aircraft manufacturer has advanced in the design but has not considered reliability or safety aspects, as those are expected to be performed during the verification and validation phase. The certification timelines approach and the safety assessments are finally performed; it is found that hazardous failure conditions exist in the hydraulic system, which does not comply with the required standards. Design modifications are thus required in the hydraulic system, leading to changes in the system architecture which increase the workload and costs, freezing the certification process and jeopardizing the deadlines set by the company.”
It is important to keep the number of iterations between design and verification to a minimum, weighing criticality against effort, by carrying out preliminary assessments that detect safety issues in the early phases of the design.
Preliminary assessments (see PSSA, FMEA and preliminary FTA in ARP-4761A) are used to qualitatively verify system compliance while the design is still open, and they are then developed into the certification documentation (FTA, SSA, …) once the design is completed. As they say: “The early bird gets the worm!”
2. Documentation is key
“A fast-growing air taxi company is designing a new prototype for which demand is rapidly increasing. As the workload piles up, new engineers are hired. The incorporation of the new members is slow and inefficient because the technical documentation was not ready before the new hires arrived. Additionally, as the certification phase approaches, it is found that performing both the reliability and the safety assessments requires failure modes and failure rates from suppliers that were not requested at the beginning.”
Designing a complex product involves different parties, especially in aircraft integration, where many systems are combined in a demanding assembly. Even within the same system, different design engineers may work on the same prototype. It is important that all parties produce the output documentation for the parts they are responsible for, so that everyone else can retrieve the information they need. Proper documentation is mandatory to effectively pass on the knowledge of each system.
The safety engineers need accurate documentation of the architecture and functions of the systems in order to perform their assessments (FHA, FMEA/FMECA, …). It is therefore important that the design engineers follow ARP-4754A and produce the outputs needed to develop the assessments of ARP-4761A.
3. Good judgement comes from experience!
“A rotorcraft manufacturer aims to enter the European market and finds out that it is not compliant with the REACH and RoHS regulations, as its Primary Display Unit (PDU) contains cadmium soldering. The PDU is replaced by a cadmium-free display from a new supplier. A supplemental type certificate (STC) has to be developed for the modification of the display, as it is considered a major change. To do so, the safety documents have to be updated in order to determine whether the new PDU introduces new failure modes or modifies the safety assessments of the already certified rotorcraft. The PDU supplier does not provide a complete safety analysis of its products (incomplete FMEAs, failure rates not provided). The available information is incomplete, and the supplier demands an additional work package to perform the safety analysis.”
To obtain the STC, it is important to understand whether the modification could potentially introduce safety issues or whether it has little to no detrimental safety effect. In order to reduce both effort and costs, the manufacturer has to decide whether a new safety analysis is required from the supplier or not. Experience and system knowledge are key to deciding whether an aggressive approach can be taken to comply with the authorities’ requirements without further input from the supplier (e.g. the new display has the same DAL as the previous one and no new failure modes), or whether a conservative approach is needed because the new PDU introduces new failure modes that have to be assessed.
In summary, the safety cycle for certification is not just a formality that can be approached at the last minute of the certification phase, as this will surely result in schedule delays. Safety experts must be present, supporting the design team from the very beginning. The later they are brought in, the more experienced they will need to be in order to reach a solution acceptable to the certifying authorities.
DMD Solutions offers support on a wide range of safety analyses within the scope of certification, including the following ARP-4761 processes: