Certification Considerations for Highly-Integrated or Complex Aircraft Systems
Publication Date: 1 November 1996
This document discusses the certification aspects of highly-integrated or complex systems installed on aircraft, taking into account the overall aircraft operating environment and functions. The term "highly-integrated" refers to systems that perform or contribute to multiple aircraft-level functions. The term "complex" refers to systems whose safety cannot be shown solely by test and whose logic is difficult to comprehend without the aid of analytical tools.
The guidance material in this document was developed in the context of Federal Aviation Regulations (FAR) and Joint Airworthiness Requirements (JAR) Part 25. It may be applicable to other regulations, such as Parts 23, 27, 29 and 33. In general, this material is also applicable to engine systems and related equipment. Final regulatory approval of all systems is assumed to be accomplished in conjunction with an aircraft certification.
This document has been prepared primarily for electronic systems which, by their nature, may be complex and are readily adaptable to high levels of integration. However, the guidance provided in this document may be considered for other aircraft systems.
This document addresses the total life cycle for systems that implement aircraft-level functions. It excludes specific coverage of detailed systems, software and hardware design processes beyond those of significance in establishing the safety of the implemented system. More detailed coverage of the software aspects of design is provided in RTCA document DO-178B and its EUROCAE counterpart, ED-12B. Coverage of complex hardware aspects of design is provided in RTCA document DO-xxx (working title: "Design Assurance Guidance for Airborne Electronic Hardware"), currently under development by RTCA special committee SC-180. Methodologies for safety assessment processes are outlined in ARP4761. Figure 1 outlines the relationships between the various documents which provide guidance for system development, safety assessment, and the hardware and software life-cycle processes.
This document is intended to be a guide for both the certification authorities and applicants for certification of highly-integrated or complex systems, particularly those with significant software elements. As such, the focus is toward ensuring that safety is adequately assured through the development process and substantiating the safety of the implemented system. Specific guidance on how to do the substantiation work is beyond the scope of this document, though references are provided where applicable.
This document is intended to cover the needs of current technology and, as far as possible, emerging technology. It is anticipated that this document will be revised periodically to incorporate future technological changes and engineering process improvements.
These guidelines are intended to provide designers, manufacturers, installers, and certification authorities a common international basis for demonstrating compliance with airworthiness requirements applicable to highly-integrated or complex systems. The guidelines are primarily directed toward systems that integrate multiple aircraft-level functions and have failure modes with the potential to result in unsafe aircraft operating conditions. Typically, these systems are software based and involve significant interactions with other systems in a larger integrated environment. Frequently, significant elements of these systems are developed by separate individuals, groups or organizations. Highly-integrated or complex systems require added design discipline and development structure to ensure that safety and operational requirements can be fully realized and substantiated. While these guidelines could be applied to the development of simpler systems, the formality of the development structure, processes, and documentation should be reduced substantially.
Since this document is intended to provide a common basis for certification, the guidelines concentrate primarily on safety requirements associated with JAR/FAR 25.1309. Other requirements that determine the basis for satisfactory functionality, such as JAR/FAR 25.1301, can be addressed using this same guidance or simple extensions.
Much of the material covered in this document is not new and, where relevant, references are included to related documents. Many of the processes referred to in this document are undergoing rapid evolutionary development. Moreover, the extent to which different systems can be classified as complex or highly-integrated is subject to wide variation. By providing a single publication that addresses the generic, high-level aspects of certification of highly-integrated or complex systems, it is believed that a broader understanding of the fundamental issues will develop. This, in turn, should aid both the applicant and the certification authorities in reaching agreement on the detailed system certification process for a particular aircraft model.
This document does not provide guidelines concerning the structure of the applicant's organization nor how the responsibilities for certification activities are divided. Neither should any such guidance be inferred from the descriptions provided.
Table 1 outlines the content and purpose of each section of this document.
This document contains concepts and guidelines collected from representatives of the civil avionics, airframe, engine and regulatory communities. The contents are recommendations and are not mandated by law. For these reasons, the use of words such as "shall" and "must" is avoided. It is recognized that alternative methods to the processes described or referenced in this document may be available to an organization desiring to obtain certification of a highly-integrated or complex aircraft system.
The terms function and system can be applied at many different levels. Since the terms system and function are used at all levels of the development process, they create many opportunities for miscommunication. Any development program should identify the intended scope of these terms when they are used.
The term item is used in this document to describe any equipment, line replaceable unit (LRU), or line replaceable module (LRM). All items are characterized by a hardware definition and, where appropriate, a software definition. Components and software that are included in equipment, LRUs, or LRMs, and are not required to be controlled by part number at the aircraft level, are not items for the purpose of this document.
In this document, system generally means a combination of interrelated items arranged to implement a specific aircraft-level function or group of functions. A typical system will include such items as: power sources, sensors, control, processing, indications and functional outputs. This is a broader meaning than the typical ATA 100 system designation.
The term partition is used in this document to describe the mechanism used to separate portions of a system or an item with sufficient independence such that a specific development assurance level can be substantiated within the partitioned portion.
During development of Revision B to RTCA document DO-178 it became apparent that system-level information would be required as input to the software development process. Since many system-level decisions are fundamental to the safety and functional aspects of aircraft systems, regulatory involvement in the processes and results relating to such decisions is both necessary and appropriate.
This document was developed in response to a request from the FAA to SAE. The FAA requested that SAE define the appropriate nature and scope of system-level information for demonstrating regulatory compliance for highly-integrated or complex avionic systems. The Systems Integration Requirements Task group (SIRT) was formed to develop an ARP that would address this need.
The initial members of SIRT recognized that harmonization of international understanding in this undertaking was highly desirable and encouraged participation by both Federal Aviation Administration (FAA) and Joint Aviation Authorities (JAA) representatives. A companion working group was formed under EUROCAE, WG-42, to coordinate European input to the SIRT group. The task group included people with direct experience in design and support of large commercial aircraft, commuter aircraft, commercial and general aviation avionics, jet engines, and engine controls. Regulatory personnel with a variety of backgrounds and interests participated in the work of the task group. Both formal and informal links with RTCA special committees (SC-167 and SC-180) and SAE committee (S-16) were established and maintained. Communication with the harmonization working group addressing FAR/JAR 25.1309 was maintained throughout development of this document.
Throughout development of this document, discussion returned repeatedly to the issue of guidance specificity. Strong arguments were presented in favor of providing a list of very specific certification steps, a checklist. Equally strong arguments were made that the guidance should focus on fundamental issues, allowing the applicant and the certification authority to tailor details to the specific system. It was recognized that in either case certification of all but the most idealized systems will require significant engineering judgment by both parties. The quality of those judgments is served best by a common understanding of, and attention to, fundamental principles. The decision to follow this course was supported by several other factors: the variety of potential systems applications, the rapid development of systems engineering, and industry experience with the evolving guidance contained in DO-178, DO-178A, and DO-178B being particularly significant.
The generic systems development road map presented in Appendix A, together with the detailed definitions contained in Appendix B.1, provides additional insight into systems development that can be of assistance to those not directly familiar with this type of work. The concept, task, and function index in Appendix C is intended to help users of the document quickly find specific types of information. The risk allocation discussion in Appendix D clarifies the relationship between this document and DO-178B.