1. A key element of the WHS Legislation is the requirement for risks to be eliminated so far as is reasonably practicable (SFARP) or, where this is not reasonably practicable, for the risks to be minimised SFARP. In aircraft design, eliminating risks is often impractical. Consequently, minimisation of risk so far as is reasonably practicable is often necessary to satisfy Defence’s statutory responsibilities.
2. In determining whether a risk control is reasonably practicable the WHS Legislation requires a duty holder to take into account ‘what the person concerned knows, or ought reasonably to know, about: (i) the hazard or the risk; and (ii) ways of eliminating or minimising the risk.’11
3. Reasonable knowledge (ie what a person ought reasonably to know) of risks can be gained in multiple ways. The Safe Work Australia interpretive guideline, Model Work Health and Safety Act The Meaning of ‘Reasonably Practicable’, expands the concept of what a person ought reasonably to know (their ‘state of knowledge’) and includes the following sources of knowledge, among others, that are relevant to designers in the aviation context:
reputable standards;
consulting workers and others in the industry;
industry publications, and scientific and technical literature;
analysing previous incidents; and
relevant WHS Regulations and ‘codes of practice’.
4. This annex examines the contribution of each of these sources of knowledge to satisfying a designer’s responsibility to exercise reasonable knowledge in aircraft design. This annex does not consider whether the identified sources of reasonable knowledge contribute to, or satisfy, a designer’s broader statutory responsibilities with respect to WHS (eg ensuring the health and safety of maintenance personnel) unless directly relevant to aircraft design considerations.
5. A major source of knowledge of risks and associated controls in aircraft design is reputable standards. Standards applicable to aircraft design have been iteratively developed over many decades of civil and military aviation experience and represent the current state of knowledge for aircraft designers. Standards, including associated guidance material (eg Advisory Circulars, guidebooks, and so on), that are recognised by National/Military Airworthiness Authorities (NAAs/MAAs) and are employed within an appropriate context, have the potential to constitute ‘reputable standards’.
6. The Authority promulgates reputable standards for Defence aircraft design in the DASDRM. The standards are drawn from the following sources, sometimes with supplementation to overcome known deficiencies:22
standards prescribed by Authority recognised NAAs/MAAs (ie Authority recognised Airworthiness Codes);
standards issued by standards bodies that are widely accepted within civil/military aviation; and/or
standards prescribed by legislation (either Commonwealth or State) that are applicable to Defence aviation.
7. However, it is not sufficient for designers to assume they have exercised reasonable knowledge simply because they have applied a standard extracted from this publication. The remainder of this section is dedicated to helping designers understand how the standards in this publication must be applied if they are to constitute reasonable knowledge.
8. When an aircraft standard is created, the authors will inevitably have a particular context in mind. For example, the authors might assume the primary customer is civil aviation, and therefore the standard might be particularly relevant to the flight profiles and operating environments experienced by civil operators. Where Defence operates an aircraft in a more challenging way, it may invalidate some assumptions made by the authors.
9. Consequently, a standard in this publication can only contribute to reasonable knowledge to the extent that the application is relevant to the particular Defence aircraft. While Sections 2 and 3 of this publication provide some guidance on common areas where Defence’s operating environment often differs from that assumed in a standard, this is by no means comprehensive. Even minor differences in configuration, role and operating environment (CRE) between the intended or assumed application of a reputable standard and those applicable to the Defence aircraft may reduce the standard’s relevance and therefore limit its contribution to reasonable knowledge.
10. Professional judgement and experience is paramount in identifying such deltas. A robust CRE analysis and System Safety Program (SSP) will often assist designers in ensuring that the context adopted by/assumed in the reputable standard is consistent with the Defence context.
11. The following sections provide guidance in applying the standards prescribed in this publication and evaluating the correctness of their context.
12. New Defence aircraft. Section 1 describes the approach adopted by the Authority to recognising Airworthiness Codes issued by civil and military Airworthiness Authorities. The Authority has assessed these Codes33 as providing a sound foundation for the safe design of Defence aircraft, and has supplemented the design requirements in the Codes with additional design requirements where necessary. The DASDRM consequently defines the Authority approved reputable standards for new Defence aircraft certifications.
13. Where a new Defence aircraft design is verified as complying with the reputable standards defined in this publication, a designer could sensibly conclude that potential risks, and ways of eliminating or minimising those risks, have been identified and the risk has therefore been minimised so far as is reasonably practicable. Such a determination should only be made where the designer has also confirmed that the context under which the standards were intended to be applied is consistent with the Defence aircraft context (refer to paragraphs 8 through 10).
14. Some Authorities, however, allow the application of standards ‘grandfathering’ to reduce aircraft design and production costs. Grandfathering permits, in some circumstances, the use of older standards for new designs if the aircraft is based on a previously certified design. The adoption of older standards under this ‘grandfathering’ approach will not always provide the level of safety afforded by newer standards.
15. Designers cannot automatically assume that grandfathered standards represent ‘reputable standards’ for Defence aircraft design, since they are knowingly adopting outdated standards. On the other hand, grandfathering of standards is permitted (within limits) by major airworthiness authorities, and has been employed successfully for decades. Consequently, a Defence prohibition on grandfathering would be contrary to common well-established aviation industry practice (refer paragraphs 30 to 42). For a designer to confirm that risks have been minimised so far as is reasonably practicable, the concepts of adopting current reputable standards and confirming the adequacy of grandfathered standards must be merged. Consequently, where a Defence civil-derivative aircraft has the same configuration as their civil equivalent, and operates in a substantially similar role and environment, designers should:
identify the delta between the grandfathered standard and the current version;
establish whether any amended/additional requirements in the current standard would markedly improve the level of safety;44 and
if so, critically examine whether the cost of adopting the updated standard is grossly disproportionate to the benefit.
16. Major design changes55 to Defence aircraft. Comprehensive application of the standards in this publication to Major changes to an aircraft type design inherently constitutes the application of reputable standards, provided the context of use is appropriate. However, common practice among Authority recognised civil Airworthiness Authorities is to not apply the latest airworthiness design requirements to a major design change where:
the change is not significant (eg the general principles of construction and/or configuration is retained; the assumptions used to originally certify the design remain valid); or
the change does not affect a system, component, equipment or appliance to which the previous iteration of the design requirements was applied; or
implementation of the updated requirements is determined to not materially contribute to the level of safety or would be impractical (ie the application of the updated reputable standard is not reasonably practicable).66 77
17. In these cases, provided the new design still meets the aircraft’s type certification basis (TCB), it is accepted as sufficient by most civil airworthiness authorities. This approach is such common practice amongst civil airworthiness authorities, that it can be considered a benchmark for reasonable practice (and therefore reasonable knowledge).
18. Consequently, for Major changes to Defence aircraft type design, the modified aircraft must continue to satisfy the airworthiness design requirements prescribed in the approved aircraft TCB as a minimum. However, more recent versions of airworthiness design requirements should be evaluated to determine whether compliance with the later version would contribute materially to the level of safety afforded by the design and would be practicable to implement88. It is the determination of whether an updated standard ‘materially contributes to the level of safety’ and is practicable to implement that is often the most contentious issue faced by designers.
19. To establish whether an updated standard should be applied to a major change to type design, designers should:
identify the differences between the standard defined in the aircraft’s TCB and the updated standard, which define improved safety outcomes;
assess the safety benefit that would be achieved by complying with the updated standard for the Defence aircraft CRE;
identify the costs associated with complying with the updated standard (costs will include delays in incorporation of the change, impact on capability, additional funding, impact on training and so on); and
based on this information, apply professional engineering judgement to determine whether compliance with the updated standard is reasonably practicable.
20. Minor design changes to Defence aircraft. Common aviation industry practice is to require that all Minor changes to aircraft designs comply only with the airworthiness standards defined in the aircraft’s TCB. That is, there is no requirement to consider the most recent version of standards for Minor changes. The issue is whether these often superseded standards afford a level of safety that would not be materially improved through the application of an updated standard.
21. By definition, minor design changes should have, at most, a minor effect on aircraft safety. Consequently, Airworthiness Authorities accept that it is very unlikely that an updated standard would make a material contribution to aircraft safety. Such an approach is equally relevant to Defence aircraft. Nevertheless, designers should establish whether the standards applicable to a minor design change have been updated and apply normal professional engineering judgement to identify where updated standards should be applied. Note that, while the DASDRM occasionally identifies issues that warrant additional consideration for minor modifications to assist designers in applying professional judgement, the inclusions are by no means comprehensive99.
22. Tailoring of DASDRM standards. Some reputable standards may inherently require tailoring to accommodate a specific aircraft context. Others may permit tailoring of some requirements to suit a particular aircraft role or operating environment. In these cases, a simple reference to the standard in the aircraft TCB is not sufficient to articulate the scope of the reputable standard applied and clarification of the scope and level of tailoring is required. Tailoring of standards may inadvertently remove requirements that are fundamental to the standard being considered a reputable standard. Therefore, designers should ensure that any tailoring of reputable standards does not remove key elements that underpin the level of safety afforded by application of the standard.
23. In some circumstances, the Authority has determined that certain requirements cannot be tailored out or that specified performance levels must be achieved for particular elements of a standard, and has included these requirements in this publication. However, the Authority’s evaluation of potential tailoring of standards is not comprehensive and, therefore, additional tailoring may be appropriate depending on the design context. Prior to adopting tailoring of a standard, designers should ensure that the tailoring:
only removes requirements that are not applicable to the Defence aircraft configuration, role and operating environment;
does not remove or reduce benchmark performance criteria or characteristics inherent in the standard (ie those upon which the standard relies to achieve the defined level of safety); and
is compatible with the Defence aircraft role and operating environment.
24. Where doubt regarding the suitability of tailoring exists, the Authority should be petitioned for a determination on the proposed tailoring (Section 1 Chapter 1 of this publication provides further guidance).
25. Authority prescription of design requirements, which underpin the reputable standards defined in the DASDRM, is based on the following:
a clear understanding of the relevance of the requirement to achieving safe flight for the Defence CRE;
revising the requirement to reflect contemporary knowledge, based on monitoring advances by others (eg NAA/MAA, OEMs) and through local research (eg DSTG); and
interpreting the requirement to assess the adequacy of alternative means of compliance, approve proposed tailoring and characterise risks due to any shortfalls in compliance.
26. In some cases, the Authority will hold the required expertise to prescribe and interpret design requirements in house or can quickly gain the expertise if needed. However, the expertise for some complex design disciplines/technologies is resident elsewhere in Defence; in those cases, the Authority may elect to delegate this responsibility to a particular Defence individual, who will normally be designated as a Standards Delegate of the Safety Authority (DoSA).
27. Occasionally, designers may identify potential ‘reputable standards’ that the Authority has not yet included in the DASDRM. These ‘reputable standards’ must be evaluated by a suitable subject matter expert to confirm that their adoption is appropriate for Defence aircraft designs. Where a designer considers that a standard not currently recognised by the Authority warrants inclusion in the Authority defined reputable standards in this manual, the designer should petition the Authority, or relevant Standards DoSA, for approval to use the standard.
28. Changes to reputable standards that occur after an aircraft is introduced into service may identify new ways of eliminating or reducing risks. Such changes could undermine the determination that risks to Defence aircraft safety have been minimised so far as is reasonably practicable.
29. Within the aviation industry, NAAs/MAAs hold broad responsibility for identifying and prescribing any changed reputable standards to which in-service aircraft must comply. Similarly, the Authority monitors changes to reputable standards defined in the DASDRM and evaluates the changes to determine whether their retrospective application to Defence in-service aircraft is warranted. Nevertheless, the actions of the Authority do not absolve designers from determining if retrospective application should be pursued. After all, designers have access to sources of information that are not necessarily available to the Authority, including OEMs, international operators, collaboration forums, and so on. Consequently, designers should monitor changes to reputable standards that are specific to the design they are responsible for, and confirm that retrospectivity of such changes is not reasonably practicable or take action to achieve compliance.
30. Designers can gain knowledge of risks in aircraft design through consultation with aircrew and maintenance personnel, or through engagement with aviation industry organisations, aviation domain SMEs and aircraft manufacturers and designers. This section discusses the contribution of such consultation in developing a designer’s ‘state of knowledge’ of risks, and ways of eliminating or reducing those risks, in aircraft design.
31. Aircraft operators and maintenance personnel provide designers with insight into risks that may be present in aircraft designs, particularly with regard to human-machine interface and procedural issues. Designers should consult with operators and maintenance personnel when developing Defence aircraft designs, to ensure that such risks are identified and appropriate controls are implemented.
32. Some common System Safety Program tools can assist in this consultation process. For example, the Operating and Support Hazard Analysis (O&SHA) and Health Hazard Analysis (HHA) in MIL STD-882 inherently require consultation with operators and maintainers on personnel injury hazards. Similarly, several system safety tools include a focus on human factors hazards (particularly in relation to the human-machine interface), and consequently drive operator consultation. Finally, forums such as the MIL-STD-882 System Safety Working Group encourage consultation on hazard identification and management between all key stakeholders. Each of these tools and forums can provide a contribution (but rarely a comprehensive solution) to robust operator and maintainer consultation.
33. While the implementation of risk controls identified in reputable standards is integral to establishing good practice, other aviation industry organisations in both the civil and military aviation domains may have identified and implemented additional risk controls not prescribed within reputable standards for aircraft designs. These additional risk controls, known as ‘industry good practice’, should be evaluated by designers and implemented where appropriate.
34. To ensure that good practice is part of an engineer’s consideration of potential risks and ways of controlling those risks in Defence aircraft design, designers should:
engage with other aviation industry organisations that are responsible for developing similar aircraft designs to identify implemented controls; and
evaluate the context under which the control was implemented to establish whether the control is applicable to the Defence aircraft (ie the control applies to the same risk and in the same context as that of the Defence aircraft design).
35. OEMs have a comprehensive understanding of their aircraft design and access to relevant design data. OEMs may therefore have additional insight into risks associated with the design, and ways of eliminating or reducing those risks that is not immediately apparent through application of relevant reputable standards. For example, the OEM may have applied a bespoke design requirement to control a risk associated with a novel or unique feature. Defence also engages design agencies (other than aircraft OEMs) to provide engineering support. These design agencies may also have additional insight into risks associated with the design, particularly for the Defence CRE context. Consultation with OEMs and other relevant design agencies during design development is therefore a key component of developing a designer’s state of knowledge.
36. Designers may gain knowledge of hazards and associated risk controls through consultation with aviation domain experts such as Defence Science and Technology Group (DSTG), other Defence organisations (for example System Program Offices (SPOs) responsible for common aviation systems), industry experts such as standards bodies and committees, and academia. Where information is gathered from a reputable Defence source such as DSTG or a SPO, designers can consider this information to be a valid contribution to their reasonable knowledge. However, before relying on information gained from other domain SMEs, designers should evaluate the information to establish its validity and applicability before using the information in Defence aircraft design.
37. Many aircraft related courses include content on the identification of risks associated with aircraft design and potential risk controls. For those courses that are delivered by the Authority (including Standards DoSAs), such content can be considered to provide a valid contribution to a designer’s body of knowledge.
38. For all other courses, the presenter may include additional content based on ‘expert opinion’ or experience. Consequently, while designers can consider the content to provide a general contribution to their reasonable knowledge, a designer should apply professional engineering judgement in its application to a particular aircraft hazard or risk.
39. Many professional bodies hold substantial domain knowledge either in specific technology related fields or in aviation more broadly and these may be an additional source of reasonable knowledge for designers. Examples include: Engineers Australia (and associated sub-Colleges and Technical Societies), the Royal Aeronautical Society, the Institute of Electrical and Electronics Engineers, and so on.
40. Knowledge of aircraft design related risks and control measures can be sourced from industry publications and scientific and technical literature, to the extent that it directly relates to aviation and is developed and published by a reputable source. Such knowledge can be categorised as either acceptable at face value or requiring additional evaluation to establish its validity.
41. The following industry publications can be considered to provide a valid source of reasonable knowledge:
generic aircraft OEM standard operating procedures or design guidelines/handbooks;
material safety data sheets (and other approved industry safety data);
technical reports/white papers published by reputable organisations (such as NASA); and
technical reports produced by Government agencies (for example, DST Group or Australian National Audit Office).
42. Other publications may reflect the author’s ‘opinion’ rather than established and verified knowledge and should be treated with caution. While they may inform a designer’s body of knowledge, the content should be subjected to professional engineering judgement to confirm the validity of any identified risks and associated controls. Such publications include:
generic reference books related to a particular engineering discipline or element of aircraft design; and
conference proceedings and published scientific papers.
43. Accident/incident investigations and their outcomes are integral to informing designers of risks in aircraft design and potential ways of eliminating or controlling those risks. Information related to risks in aircraft design may be sourced from investigations into Defence aircraft accidents/incidents or investigations conducted by external organisations such as NAAs/MAAs or accident investigation bodies (for example the Australian Transport Safety Bureau).
44. Internal accident/incident investigations. While design organisations will have an established process for evaluating the outcomes of accident/incident investigations associated with the aircraft they are responsible for, there may be risks identified in other aircraft investigations that are also relevant to their aircraft type. These investigation outcomes provide a readily accessible source of information to add to a designer’s body of knowledge of risks and means of controlling those risks in aircraft design.
45. External accident/incident investigations. Many NAAs/MAAs and national accident investigation bodies conduct investigations, make recommendations for safety improvements, and make their findings of causal factors and proposed remediation actions public. Some investigations may contain lessons learnt that may form part of the body of knowledge of risks, and ways of eliminating or minimising those risks, available to designers. Designers should maintain an awareness of the accidents/incidents that have occurred in aircraft that are similar (in terms of aircraft type and CRE) to that of the Defence aircraft design.
46. A Code of Practice is approved by the Minister responsible for work health and safety in the applicable jurisdiction and is ‘a practical guide to achieve the standards of health and safety required under the model Work Health and Safety Act and model WHS Regulations’.1010 Codes of Practice provide duty holders with guidance on effective ways to manage work health and safety risks. While there are no Codes of Practice specifically applicable and approved for aviation, the ‘generic’ Codes of Practice issued under the authority of the WHS Legislation may apply to aircraft design1111. These Codes of Practice should be considered by designers during aircraft design activities.
47. Finally, Australian legislation regarding specific WHS hazards (for example Radiation Protection Standards published by ARPANSA) and associated Defence policy may apply to aircraft design and should be considered by designers during aircraft design activities.
48. The application of the principles described in this annex will assist designers to apply an appropriate level of reasonable knowledge to the identification, elimination and minimisation of hazards and associated risks in aircraft design. However, designers must ensure that the knowledge is applicable to the Defence aircraft context and represents contemporary understanding of the hazards and controls for that design. Importantly, reasonable knowledge applied by designers is not static. Any decision that a risk has been minimised so far as is reasonably practicable will always be influenced by the particular circumstance. Changed circumstances include the evolution of standards and other knowledge that supported the original determination that reasonable knowledge had been applied. Consequently, designers should ensure that changes to applicable reputable standards (or other key knowledge sources) are monitored and assessed to ensure that identified hazards and controls remain valid.