U.S. Department of Transportation
Federal Aviation Administration
Advisory Circular
Subject: SYSTEM DESIGN AND ANALYSIS    Date: 6/21/88    AC No: 25.1309-1A
Initiated by: ANM-110
1. PURPOSE. This Advisory Circular (AC) describes various acceptable means
for showing compliance with the requirements of § 25.1309(b), (c), and (d) of
the Federal Aviation Regulations (FAR). These means are intended to provide
guidance for the experienced engineering and operational judgment that must
form the basis for compliance findings. They are not mandatory. Other means
may be used if they show compliance with this section of the FAR.
2. CANCELLATION. AC 25.1309-1, dated 9/7/82, is hereby cancelled.
3. APPLICABILITY. Section 25.1309(b) provides general requirements for a
logical and acceptable inverse relationship between the probability and the
severity of each failure condition, and § 25.1309(d) requires that compliance
be shown primarily by analysis. Section 25.1309(c) provides general
requirements for system monitoring, failure warning, and capability for
appropriate corrective crew action. Because § 25.1309(b) and (c) is a
regulation of general applicability, it may not be used to replace or alter any
allowed design practices or specific requirements of Part 25, and each
requirement of § 25.1309(b) and (c) applies only if other applicable sections
of Part 25 do not provide a specific system requirement that has a similar
purpose. While § 25.1309(b) and (c) does not apply to the performance, flight
characteristics, and structural loads and strength requirements of Subparts B
and C, it does apply to any system on which compliance with any of those
requirements is based. For example, it does not apply to an airplane's
inherent stall characteristics or their evaluation, but it does apply to a
stall warning system used to enable compliance with § 25.207.
4. BACKGROUND. The Part 25 airworthiness standards are based on the fail-safe
design concept that has evolved over the years. A brief description is
provided in Paragraph 5. Section 25.1309(b) and (c) sets forth certain
objective safety requirements based on this design concept. Many systems,
equipment, and their installations have been successfully evaluated to the
applicable requirements of Part 25, including §§ 25.1309(b), (c), and (d),
without using structured means for safety assessments. However, in recent
years there has been an increase in the degree of system complexity and
integration, and in the number of safety-critical functions performed by
systems. Difficulties had been experienced in assessing the hazards that could
result from failures of such systems, or adverse interactions among them.
These difficulties led to the use of structured means for showing compliance
with § 25.1309(b). For this and other reasons, guidance was needed on
acceptable means of compliance with §§ 25.1309(b), (c), and (d).
a. Section 25.1309(b) and (d) specifies required safety levels in
qualitative terms, and requires that a safety assessment be made. Various
assessment techniques have been developed to assist applicants and the FAA in
determining that a logical and acceptable inverse relationship exists between
the probability and the severity of each failure condition. These techniques
include the use of service experience data of similar, previously-approved
systems, and thorough qualitative analyses.
b. In addition, difficulties had been experienced in assessing the
acceptability of some designs, especially those of systems, or parts of
systems, that are complex, that have a high degree of integration, that use new
technology or new or different applications of conventional technology, or that
perform safety-critical functions. These difficulties led to the selective use
of rational analyses to estimate quantitative probabilities, and the
development of related criteria based on historical data of accidents and
hazardous incidents caused or contributed to by failures. These criteria,
expressed as numerical probability ranges associated with the terms used in
§ 25.1309(b), became commonly-accepted for evaluating the quantitative analyses
that are often used in such cases to support experienced engineering and
operational judgment and to supplement qualitative analyses and tests.
5. THE FAA FAIL-SAFE DESIGN CONCEPT. The Part 25 airworthiness standards are
based on, and incorporate, the objectives, and principles or techniques, of the
fail-safe design concept, which considers the effects of failures and
combinations of failures in defining a safe design.
a. The following basic objectives pertaining to failures apply:
(1) In any system or subsystem, the failure of any single element,
component, or connection during any one flight (brake release through ground
deceleration to stop) should be assumed, regardless of its probability. Such
single failures should not prevent continued safe flight and landing, or
significantly reduce the capability of the airplane or the ability of the crew
to cope with the resulting failure conditions.
(2) Subsequent failures during the same flight, whether detected or
latent, and combinations thereof, should also be assumed, unless their joint
probability with the first failure is shown to be extremely improbable.
b. The fail-safe design concept uses the following design principles or
techniques in order to ensure a safe design. The use of only one of these
principles or techniques is seldom adequate. A combination of two or more is
usually needed to provide a fail-safe design; i.e., to ensure that major
failure conditions are improbable and that catastrophic failure conditions are
extremely improbable.
(1) Designed Integrity and Quality, including Life Limits, to ensure
intended function and prevent failures.
(2) Redundancy or Backup Systems to enable continued function after
any single (or other defined number of) failure(s); e.g., two or more engines,
hydraulic systems, flight control systems, etc.
(3) Isolation of Systems, Components, and Elements so that the failure
of one does not cause the failure of another. Isolation is also termed
independence.
(4) Proven Reliability so that multiple, independent failures are
unlikely to occur during the same flight.
(5) Failure Warning or Indication to provide detection.
(6) Flightcrew Procedures for use after failure detection, to enable
continued safe flight and landing by specifying crew corrective action.
(7) Checkability: the capability to check a component's condition.
(8) Designed Failure Effect Limits, including the capability to
sustain damage, to limit the safety impact or effects of a failure.
(9) Designed Failure Path to control and direct the effects of a
failure in a way that limits its safety impact.
(10) Margins or Factors of Safety to allow for any undefined or
unforeseeable adverse conditions.
(11) Error-Tolerance that considers adverse effects of foreseeable
errors during the airplane's design, test, manufacture, operation, and
maintenance.
6. DEFINITIONS. The following definitions apply to the system design and
analysis requirements of § 25.1309(b), (c), and (d) and the guidance material
provided in this AC. They should not be assumed to apply to the same or
similar terms used in other regulations or ACs. Terms for which standard
dictionary definitions apply are not defined herein.
a. Attribute: A feature, characteristic, or aspect of a system or a
device, or a condition affecting its operation. Some examples would include
design, construction, technology, installation, functions, applications,
operational uses, environmental and operational stresses, and relationships
with other systems, functions, and flight or structural characteristics.
b. Certification Check Requirement (CCR): A recurring flightcrew or
groundcrew check that is required by design to help show compliance with
§ 25.1309(b) and (d)(2) by detecting the presence of, and thereby limiting the
exposure time to, a significant latent failure that would, in combination with
one or more other specific failures or events identified in a safety analysis,
result in a hazardous failure condition.
c. Check: An examination (e.g., an inspection or test) to determine the
physical integrity or functional capability of an item.
d. Complex: A system is considered to be complex if structured methods of
analysis are needed for a thorough and valid safety assessment. A structured
method is very methodical and highly organized. Failure modes and effects,
fault tree, and reliability block diagram analyses are examples of structured
methods.
e. Continued Safe Flight and Landing: The capability for continued
controlled flight and landing at a suitable airport, possibly using emergency
procedures, but without requiring exceptional pilot skill or strength. Some
airplane damage may be associated with a failure condition, during flight or
upon landing.
f. Conventional: An attribute of a system is considered to be
conventional if it is the same as, or closely similar to, that of previously-
approved systems that are commonly-used.
g. Failure: A loss of function, or a malfunction, of a system or a part
thereof.
h. Failure Condition: The effects on the airplane and its occupants, both
direct and consequential, caused or contributed to by one or more failures,
considering relevant adverse operational or environmental conditions. Failure
conditions may be classified according to their severities as follows:
(1) Minor: Failure conditions which would not significantly reduce
airplane safety, and which involve crew actions that are well within their
capabilities. Minor failure conditions may include, for example, a slight
reduction in safety margins or functional capabilities, a slight increase in
crew workload, such as routine flight plan changes, or some inconvenience to
occupants.
(2) Major: Failure conditions which would reduce the capability of the
airplane or the ability of the crew to cope with adverse operating conditions
to the extent that there would be, for example, --
(i) A significant reduction in safety margins or functional
capabilities, a significant increase in crew workload or in conditions
impairing crew efficiency, or some discomfort to occupants; or
(ii) In more severe cases, a large reduction in safety margins or
functional capabilities, higher workload or physical distress such that the
crew could not be relied on to perform its tasks accurately or completely, or
adverse effects on occupants.
(3) Catastrophic: Failure conditions which would prevent continued
safe flight and landing.
i. Redundancy: The presence of more than one independent means for
accomplishing a given function or flight operation. Each means need not
necessarily be identical.
j. Qualitative: Those analytical processes that assess system and
airplane safety in a subjective, nonnumerical manner.
k. Quantitative: Those analytical processes that apply mathematical
methods to assess system and airplane safety.
7. DISCUSSION. Section 25.1309(b) and (d) requires substantiation by
analysis, and where necessary, by appropriate ground, flight, or simulator
tests, that a logical and acceptable inverse relationship exists between the
probability and the severity of each failure condition. However, tests are not
required to verify failure conditions that are postulated to be catastrophic.
As discussed in Paragraph 3, some systems and some functions must be evaluated
for compliance with certain specific system requirements that take precedence
over certain requirements of § 25.1309(b) and (c) that have similar purposes.
In either case, however, the goal is to ensure an acceptable overall airplane
safety level, considering all failure conditions of all systems.
a. The requirements of § 25.1309(b) and (d) are intended to ensure an
orderly and thorough evaluation of the effects on safety of foreseeable
failures or other events, such as errors or external circumstances, separately
or in combination, involving one or more system functions. The interactions of
these factors within a system and among relevant systems should be considered.
b. The severities of failure conditions may be evaluated according to the
following considerations:
(1) Effects on the airplane, such as reductions in safety margins,
degradations in performance, loss of capability to conduct certain flight
operations, or potential or consequential effects on structural integrity.
(2) Effects on the crewmembers, such as increases above their normal
workload that would affect their ability to cope with adverse operational or
environmental conditions or subsequent failures.
(3) Effects on the occupants; i.e., passengers and crewmembers.
c. For convenience in conducting design assessments, failure conditions
may be classified according to their severities as minor, major, or
catastrophic. Paragraph 6h provides accepted definitions of these terms.
(1) The classification of failure conditions does not depend on
whether or not a system or function is required by any specific regulation.
Some systems required by specific regulations, such as transponders, position
lights, and public address systems, may have the potential for only minor
failure conditions. Conversely, other systems not required by any specific
regulation, such as flight management systems and automatic landing systems,
may have the potential for major or catastrophic failure conditions.
(2) Regardless of the types of assessment used, the classification of
failure conditions should always be accomplished with consideration of all
relevant factors; e.g., system, crew, performance, operational, external, etc.
Examples of factors would include the nature of the failure modes, any effects
or limitations on performance, and any required or likely crew action. It is
particularly important to consider factors that would alleviate or intensify
the severity of a failure condition. An example of an alleviating factor would
be the continued performance of identical or operationally-similar functions by
other systems not affected by a failure condition. Examples of intensifying
factors would include unrelated conditions that would reduce the ability of the
crew to cope with a failure condition, such as weather or other adverse
operational or environmental conditions, or failures of other unrelated systems
or functions.
d. The probability that a failure condition would occur may be assessed as
probable, improbable, or extremely improbable. These terms are explained in
Paragraphs 9e and 10b. Each failure condition should have a probability
that is inversely-related to its severity. Figure 1, Probability vs.
Consequence Graph, illustrates this relationship.
(1) Minor failure conditions may be probable.
(2) Major failure conditions must be improbable.
(3) Catastrophic failure conditions must be extremely improbable.
Figure 1: Probability vs. Consequence Graph (graph not reproduced; axis "Probability of Failure Condition" plotted against consequence, with the recoverable consequence labels Procedures, Emergency Procedures, Airplane Damage, Adverse Effects on Occupants, and Catastrophic Accident)
e. An assessment to identify and classify failure conditions is
necessarily qualitative. On the other hand, an assessment of the probability
of a failure condition may be either qualitative or quantitative. An analysis
may range from a simple report that interprets test results or compares two
similar systems to a detailed analysis that may (or may not) include estimated
numerical probabilities. The depth and scope of an analysis depends on the
types of functions performed by the system, the severities of system failure
conditions, and whether or not the system is complex. Regardless of its type,
an analysis should show that the system and its installation can tolerate
failures to the extent that major failure conditions are improbable and
catastrophic failure conditions are extremely improbable.
(1) Experienced engineering and operational judgment should be applied
when determining whether or not a system is complex. Comparison with similar,
previously-approved systems is sometimes helpful. All relevant system
attributes should be considered; however, the complexity of the software used
to program a digital computer-based system should not be considered because the
software is assessed and controlled by other means, as described in
Paragraph 7i.
(2) An analysis should always consider the application of the fail-safe
design concept described in Paragraph 5, and give special attention to
ensuring the effective use of design techniques that would prevent single
failures or other events from damaging or otherwise adversely affecting more
than one redundant system channel or more than one system performing
operationally-similar functions. When considering such common-cause failures
or other events, consequential or cascading effects should be taken into
account if they would be inevitable or reasonably likely.
(3) Some examples of such potential common-cause failures or other
events would include rapid release of energy from concentrated sources such as
uncontained failures of rotating parts or pressure vessels, pressure
differentials, noncatastrophic structural failures, loss of environmental
conditioning, disconnection of more than one subsystem or component by
overtemperature protection devices, contamination by fluids, damage from
localized fires, loss of power, excessive voltage, physical or environmental
interactions among parts, use of incorrect, faulty, or bogus parts, human or
machine errors, and foreseeable adverse operational conditions, environmental
conditions, or events external to the system or to the airplane.
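The objective in Paragraph 5a(2) (a combination of failures is assumed unless its joint probability is extremely improbable), the Certification Check Requirement of Paragraph 6b (a recurring check limits the exposure time to a latent failure), and the common-cause concern of Paragraph 7e(2) can be put together in a small per-flight-hour model. The following is an added example in Python, not part of this AC; every failure rate, check interval and numeric probability cut-off in it is an assumed input (the AC's own numerical bands are in Paragraph 10b, outside this excerpt).

```python
# Added example, not from AC 25.1309-1A: a per-flight-hour model of the
# fail-safe objectives.  Every rate, check interval and probability band
# below is a constructed or assumed input, not a value from the AC.
from dataclasses import dataclass

# Probability cut-offs per flight hour.  The AC's own bands are given in
# Paragraph 10b, outside this excerpt; treat these as assumed parameters.
PROBABLE_AT_OR_ABOVE = 1e-5
EXTREMELY_IMPROBABLE_BELOW = 1e-9

# Paragraph 7d: the probability terms each severity is allowed to have.
ALLOWED = {
    "minor": {"probable", "improbable", "extremely improbable"},
    "major": {"improbable", "extremely improbable"},
    "catastrophic": {"extremely improbable"},
}

def classify_probability(p_per_fh: float) -> str:
    """Map an average probability per flight hour to the AC's three terms."""
    if p_per_fh >= PROBABLE_AT_OR_ABOVE:
        return "probable"
    if p_per_fh < EXTREMELY_IMPROBABLE_BELOW:
        return "extremely improbable"
    return "improbable"

def acceptable(severity: str, p_per_fh: float, single_failure: bool = False) -> bool:
    """Inverse relationship of 7d; per 5a(1) and 7g a single failure mode is
    not accepted as extremely improbable, so it may never be catastrophic."""
    if single_failure and severity == "catastrophic":
        return False
    return classify_probability(p_per_fh) in ALLOWED[severity]

@dataclass
class DualChannel:
    """Two redundant channels; losing both is the failure condition.  One
    channel's failure is annunciated, the other's stays latent until the
    recurring check (the CCR of Paragraph 6b) detects it."""
    lam_annunciated: float    # failures per flight hour, seen by the crew at once
    lam_latent: float         # failures per flight hour, hidden until checked
    check_interval_fh: float  # CCR interval in flight hours = latent exposure time
    beta: float = 0.0         # share of failures that also take the other channel (7e(2))

    def p_latent_present(self) -> float:
        # Average chance the latent failure already exists at a random moment
        # in the check interval; for lam * T << 1 this is lam * T / 2.
        return self.lam_latent * self.check_interval_fh / 2

    def p_loss_of_both(self) -> float:
        # Independent combination of 5a(2): annunciated failure while latent present.
        independent = self.lam_annunciated * self.p_latent_present()
        # Common-cause share (beta-factor approximation): redundancy gives no protection.
        common_cause = self.beta * self.lam_annunciated
        return independent + common_cause

if __name__ == "__main__":
    for t, beta in ((1000.0, 0.0), (10.0, 0.0), (10.0, 0.01)):  # constructed cases
        p = DualChannel(1e-5, 1e-5, t, beta).p_loss_of_both()
        print(f"check every {t:.0f} FH, beta={beta}: {p:.1e}/FH -> {classify_probability(p)}")
```

With the constructed rates, shortening the check interval from 1000 to 10 flight hours moves the combination from improbable to extremely improbable, but a 1 percent common-cause share puts it back in the improbable band regardless of the check interval, which is the point of 7e(2).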
f. As discussed in Paragraphs 8c(1) and 8d(2), compliance for a system or
part thereof that is not complex may sometimes be shown by design and
installation appraisals and evidence of satisfactory service experience on
other airplanes using the same or other systems that are similar in their
relevant attributes.
g. In general, a failure condition resulting from a single failure mode of
a device cannot be accepted as being extremely improbable. In very unusual
cases, however, experienced engineering judgment may enable an assessment that
such a failure mode is not a practical possibility. When making such an
assessment, all possible and relevant considerations should be taken into
account, including all relevant attributes of the device. Service experience
showing that the failure mode has not yet occurred may be extensive, but it can
never be enough. Furthermore, flightcrew or groundcrew checks have no value if
a catastrophic failure mode would occur suddenly and without any prior
indication or warning. The assessment's logic and rationale should be so
straightforward and readily-obvious that, from a realistic and practical
viewpoint, any knowledgeable, experienced person would unequivocally conclude
that the failure mode simply would not occur, unless it is associated with a
wholly-unrelated failure condition that would itself be catastrophic.
h. Section 25.1309(c) provides requirements for system monitoring, failure
warning, and capability for appropriate corrective crew action. Guidance on
acceptable means of compliance is provided in Paragraph 8g.
i. In general, the means of compliance described in this AC are not
directly applicable to software assessments because it is not feasible to
assess the number or kinds of softw