2.1 Hazards in aircraft design are largely managed by employing aerospace design standards, since these standards represent many years of experience in the identification, analysis and control of hazards. However, while a system may be comprised of individual components that meet relevant reliability, safety or performance benchmarks on their own, the integration of these sub-systems can give rise to hazards at the system level. System safety is an engineering discipline that encompasses safety as a core aspect of any given system design (or design change). System safety comprises a number of tools and techniques to identify aircraft hazards and implement controls for those hazards to satisfy prescribed safety objectives. The application of these tools and techniques is an essential adjunct to a standards based approach to design, noting that design standards may:
not apply to a whole system, merely elements of the system
not be relevant for novel applications, which can pose novel hazards
not keep up with technology advances, since standards often have review and update cycles that span many years
allow different options depending on the system’s criticality.
2.2 The implementation of a robust and effective system safety approach to Defence aircraft design is prescribed by the Authority. As system safety involves a whole-of-system approach to design, achievement of safety objectives requires the application of the system safety tools and techniques during aircraft design activities, normally through the adoption of a formal System Safety Program. The framework and processes under which system safety is applied for Defence aircraft designs may be articulated in a dedicated artefact (for example via a System Safety Program Plan) or inherently included in a design organisation’s design processes.
2.3 Other National Airworthiness Authority (NAA)/Military Airworthiness Authority (MAA) approaches to system safety. The Authority has evaluated recognised NAA and MAA approaches to implementing system safety, and the associated aviation system safety standards, and concluded that intelligent application and in some cases expansion is required to satisfy Defence’s regulatory and statutory requirements. For example, system safety standards may not account for Defence’s obligations under the WHS legislation, since they may permit ‘risk acceptance’ once a specified risk level has been achieved. To promote the ‘intelligent application’ of system safety standards, this chapter adopts a different structure to other DASDRM chapters. Here, the chapter first defines the outcomes that are needed for a robust system safety program. The chapter then identifies where recognised NAA/MAA approaches to system safety require particular attention if they are to meet the Authority’s prescribed outcomes. This approach provides design organisations with guidance to embed robust system safety practices into their engineering procedures.
2.4 This chapter presents Authority prescribed system safety design requirements that are applicable to design activities conducted for new aircraft and design changes. The Authority’s prescribed design requirements for software safety are provided at Section 2 Chapter 3.
2.5 The application of system safety to Defence aircraft designs achieves three key outcomes:
Design safety objectives are:
defined, and
agreed by the Authority.
Design hazards are identified and controlled.
Hazards identified during design, and associated controls, are documented.
2.6 Authority prescribed system safety design requirements that support the achievement of each of these outcomes are defined in the following paragraphs.
2.7 The establishment of safety objectives for the particular aircraft type, cognisant of Defence’s role and operating environment, is fundamental to the implementation of a robust system safety program and represents good aviation engineering design practice. Over many decades of aviation operations, these safety objectives have been demonstrated to achieve safe aircraft design. Consequently, the defined safety objectives represent the point at which further elimination or minimisation of identified hazards is unlikely to be reasonably practicable.
2.8 Safety objectives may be articulated as specific outcomes to be achieved (eg no single point failures having a catastrophic severity) or through objective safety criteria applicable to a particular hazard severity (eg Failure Probability Objectives (FPOs) and Design Assurance Levels (DALs)).
2.9 SS Requirement (Essential) (Aircraft Acquisitions). Applicants for a Military Type Certificate must establish the quantitative safety criteria to be applied to the aircraft design (eg FPOs, catastrophic failure rate, and so on).
2.10 A design organisation’s design processes must describe how the organisation will ensure that quantitative safety criteria applicable to the Defence aircraft are identified and met for new aircraft designs. Prior to adopting the quantitative criteria as a basis for Defence aircraft certification, the design organisation must seek Authority agreement that the quantitative criteria represent an appropriate basis for safe aircraft operations and aircraft certification. The approved quantitative safety criteria will form an integral element of a Defence aircraft’s Type Certification Basis.
2.11 SS Requirement (Essential) (Aircraft Design Changes). Aircraft design changes must comply with the quantitative safety criteria from the initial aircraft design (ie the original aircraft design FPOs, catastrophic failure rate, and so on).
2.12 Once the quantitative safety criteria have been agreed by the Authority, they must be applied to all design changes unless prior agreement to adopt amended safety criteria has been obtained from the Authority. Any proposal to adopt amended safety criteria will represent a change to the approved TCB and, therefore, a Military Certification Review Item (MCRI) must be raised and submitted to the Authority for approval, regardless of whether the design is a Major or Minor change.
2.13 SS Requirement (Essential). Applicants for a Military Type Certificate or Major Change approval must seek Authority agreement where reduced ‘at risk’ time is proposed to be accounted for in satisfying prescribed safety objectives.
2.14 The use of limited exposure intervals (eg ‘at risk’ time) to justify a reduction in safety objectives for aircraft systems could lead designers into error. For example, it would be inappropriate to use a limited exposure interval for reducing safety objectives for a safety-critical system, where the adverse consequences of system failure cannot be clearly linked to a specific stage of flight or set of flight conditions (eg when establishing safety objectives for ejection seats). Where the use of ‘at risk’ time is proposed in support of meeting FPOs for a specific aircraft system, a determination on the adequacy of the proposed approach must be sought from the Authority.
2.15 SS Requirement (Essential). The design or design change must not permit a single-point failure, or permit a combination of independent failures (including human errors associated with the human machine interface) involving safety-critical functions, which have a consequence of catastrophic, critical (MIL-STD-882 definition) or hazardous (FAR/CS 2x.1309 definition) severity.
2.16 Safety-critical systems must be “fail-safe”, such that any single failure will cause the system to revert to a state which will not result in an unsafe condition. Independent system failures and human machine interface errors that have a consequence of catastrophic, critical (MIL-STD-882 definition) or hazardous (FAR/CS 2x.1309 definition) severity must be eliminated through design.
2.17 When establishing compliance with this requirement, the failure of any single element, component or connection in a system or sub-system during any one flight must be assumed regardless of its probability, and such failures should not be catastrophic. Subsequent failures during the same flight, whether detected or latent, must also be assumed unless the joint probability of such failure conditions satisfies the relevant catastrophic, critical or hazardous FPO.
2.18 Compliance with this requirement must be demonstrated through a thorough safety assessment, including both qualitative and quantitative assessment of the design for each catastrophic, critical or hazardous failure condition identified by a Functional Hazard Assessment (FHA).
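As an added illustration that is not part of this chapter, the single-failure and joint-probability tests of paragraphs 2.15 to 2.17 can be expressed as a mechanical check over the minimal cut sets of a fault tree for one FHA failure condition. The element names, per-flight failure probabilities, common-cause groupings and FPO values below are constructed assumptions for the example, not Defence or standard values.

```python
"""Fail-safe compliance check for one failure condition (paragraphs 2.15-2.17).

A minimal cut set is the smallest combination of element failures that, taken
together, produces the failure condition identified by the FHA.  The check
applies three rules from the chapter:
  1. any order-1 cut set is a single-point failure and is non-compliant,
     regardless of its probability (2.17);
  2. elements sharing a common-cause group are not independent, so their
     joint probability cannot be claimed (2.15 requires independent failures);
  3. otherwise the joint probability of the cut set must satisfy the FPO for
     the failure condition's severity (2.17).
"""
from math import prod

# Assumed per-flight failure probability objectives; constructed for this
# example and not taken from the chapter or any certification basis.
FPO = {"catastrophic": 1e-9, "hazardous": 1e-7, "critical": 1e-7}


def check_failure_condition(cut_sets, rates, severity, common_cause=None, fpo=FPO):
    """Return a list of findings for one failure condition; [] means compliant.

    cut_sets:     list of tuples of element names (minimal cut sets).
    rates:        per-flight failure probability of each element.
    severity:     key into fpo (eg "catastrophic").
    common_cause: optional map element -> common-cause group name.
    """
    common_cause = common_cause or {}
    objective = fpo[severity]
    findings = []
    for cut in cut_sets:
        # Rule 1: a single failure must be assumed during any one flight.
        if len(cut) == 1:
            findings.append(f"single-point failure: {cut[0]}")
            continue
        # Rule 2: independence must hold before probabilities are multiplied.
        groups = [common_cause[e] for e in cut if e in common_cause]
        if len(groups) != len(set(groups)):
            findings.append(
                f"{cut}: elements share common-cause group "
                f"{[g for g in groups if groups.count(g) > 1][0]!r}; "
                "independence not demonstrated")
            continue
        # Rule 3: subsequent failures are assumed unless the joint probability
        # of the independent failures satisfies the relevant FPO.
        joint = prod(rates[e] for e in cut)
        if joint > objective:
            findings.append(
                f"{cut}: joint probability {joint:.1e} exceeds "
                f"{severity} FPO {objective:.1e}")
    return findings


# Constructed sample data for a hypothetical "loss of flight control
# actuation" failure condition assessed as catastrophic.
SAMPLE_RATES = {
    "actuator": 1e-6,
    "hyd_pump_A": 5e-5,
    "hyd_pump_B": 5e-5,
    "standby_pump": 1e-5,
    "elec_bus_1": 1e-4,
    "elec_bus_2": 1e-4,
}
# Both main pumps draw from the same reservoir, so they are not independent.
SAMPLE_COMMON_CAUSE = {"hyd_pump_A": "reservoir_1", "hyd_pump_B": "reservoir_1"}
SAMPLE_CUT_SETS = [
    ("actuator",),                    # single-point failure
    ("hyd_pump_A", "hyd_pump_B"),     # shared common-cause group
    ("hyd_pump_A", "standby_pump"),   # 5e-10 <= 1e-9, compliant
    ("elec_bus_1", "elec_bus_2"),     # 1e-8 > 1e-9, exceeds FPO
]

if __name__ == "__main__":
    for finding in check_failure_condition(
            SAMPLE_CUT_SETS, SAMPLE_RATES, "catastrophic", SAMPLE_COMMON_CAUSE):
        print("FINDING:", finding)
```

Each finding corresponds to a design element that must be eliminated or controlled before the failure condition can be shown to meet paragraph 2.15.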
2.19 Redundant subsystems may also be implemented as a hazard mitigation strategy for safety-critical systems. These systems are used when the primary system fails and the function of that system is required to maintain continued safe flight and landing. The separation or shielding of redundant subsystems from damage, adverse operating effects of neighbouring systems/components, common cause faults and other environmental factors is essential for a safe design.
2.20 SS Requirement (Essential). Information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action.
2.21 SS Requirement (Essential). Systems and controls, including indications and annunciations, must be designed to minimise crew errors, which could create additional hazards.
2.22 SS Requirement (Essential). A ‘safe’ indication must not be presented to the crew when an ‘unsafe’ condition exists.
2.23 Where analysis identifies that some action by the crew is required to achieve safety objectives, the designer must verify that:
any identified indications are actually provided by the system
any identified indications will actually be recognised
any actions required have a reasonable expectation of being accomplished successfully and in a timely manner.
2.24 When failure monitoring and indication are provided by a system, its reliability must be compatible with the safety objectives associated with the system function for which it provides the indication. In the case of aircraft conditions requiring immediate crew action, a suitable warning indication must be provided to the crew, if not provided by inherent aircraft characteristics.
2.25 Defence aircraft designs must also account for potential human error in interpretation of system operations and controls, or warnings, indications or annunciations, which could result in crew actions that introduce hazards. In particular, no probable system failure is to result in a ‘safe’ indication of an ‘unsafe’ condition so that the crew would incorrectly assume the system is available or functional. When an unsafe condition is annunciated or detected, the flying instructions must have clear and precise corrective procedures for handling the failure without an excessive increase in workload.
2.26 SS Requirement (Essential). The design of a safety-critical system must prevent the inadvertent initiation by human error of a catastrophic failure condition.
2.27 Defence aircraft designs must account for, and where reasonably practicable eliminate, potential impacts of human error in the design of safety-critical systems as a result of human machine interface issues. For example, the addition of a throttle lever detent prevents an inadvertent selection of reverse thrust without the conscious lifting of the throttle levers over the detent. Similarly, a guarded switch for activation of engine fire extinguishers prevents inadvertent switch selection.
2.28 SS Requirement (Essential). The operation of non-required equipment (eg mission systems) must not interfere with the proper functioning of safety-critical systems or present a hazard itself.
2.29 Non-required systems do not need to perform their function throughout the entire aircraft operating and environmental conditions. However, in situations where the non-required equipment is to be operated, both normal operations and operation under failure conditions must not adversely affect safe aircraft operations, safety-critical systems or aircraft occupants. Hazardous conditions associated with normal operations, malfunction and erroneous behaviour of non-required equipment must be identified through FHAs.
2.30 Robust hazard identification and control is a cornerstone of safe aircraft design. Design organisations must implement processes that support effective hazard identification and control that accounts for Defence’s role and operating environment, and achieves the applicable safety objectives for each failure condition and associated hazard. Where safety objectives are not initially achieved, additional controls must be identified and implemented (using the hierarchy of controls) to meet the prescribed safety objectives.
2.31 SS Requirement (Essential). Systematic techniques must be implemented for identifying credible hazards attributable to hardware, software and human system integration.
2.32 System safety tools and techniques provide a robust means of hazard identification. These tools and techniques expose failure conditions where required safety criteria are not met or where integrated system hazards exist that have not been identified via compliance with design standards. For aircraft design changes, the existing aircraft Hazard Log (or similar) may also assist in identifying relevant hazards.
2.33 A design organisation’s design processes must describe the application of formal hazard identification techniques and any tailoring to suit the specific design activity being undertaken. In particular, the processes should describe how the design organisation intends to apply system safety tools and techniques defined in aerospace system safety standards, including for those hazards applicable to complex system interactions, such as formal Functional Hazard Assessment/Analysis and/or System/Sub-System Hazard Analyses.
2.34 SS Requirement (Essential). Identified hazards must be analysed to verify the achievement of safety objectives, or additional controls must be identified and implemented to achieve safety objectives.
2.35 Robust analysis of hazards identified during design activities is an essential contributor to aviation safety. A design organisation’s design processes must therefore describe the application of formal hazard analysis techniques and any tailoring to suit the specific design activity being undertaken. Hazard analysis techniques, commensurate with the scope of the design and potential impact on aviation safety must be employed to identify potential controls. For example, Fault Tree Analyses, Common Cause Analyses, Zonal Safety Analyses, Particular Risk Analyses and so on should be adopted where the design is complex and/or the consequences of failure are severe.
2.36 SS Requirement (Essential). Hazard controls must be implemented in accordance with the hierarchy of risk controls.
2.37 As discussed at paragraph 2.8, good practice in the aviation industry requires the identification of hazards and the implementation of controls to achieve prescribed safety objectives. However, where prescribed safety objectives are not met, and therefore the design falls outside of this good practice, any residual hazards must be robustly addressed through the implementation of additional controls. Implementation of controls must be undertaken with an appropriate understanding and application of the hierarchy of risk controls. The hierarchy of controls, per Regulation 36 of the WHS legislation, requires:
implementing one or more of: substitution of the hazardous design with something safer; isolation of the hazard from people; and reducing the risk through engineering controls (eg use of mechanical guards or circuit isolation devices)
if a risk remains, implementing administrative controls (ie procedures and training)
if a risk remains, implementing the use of PPE.
2.38 The System Safety Design Order of Precedence, described in MIL-STD-882, needs intelligent application to fully satisfy the hierarchy of controls. Importantly, the effectiveness of procedures and training as a sole treatment strategy for hazards is unreliable as the primary control over the system life cycle. Warnings, cautions or other written advisory notifications must not be used as the only risk reduction method for hazards having catastrophic, critical (MIL-STD-882) or hazardous (FAR/CS 2x.1309) severities.
2.39 SS Requirement (Essential). Consultation, co-operation and co-ordination between stakeholders must ensure all potential risk controls are identified and assessed for implementation.
2.40 Consultation, co-operation and co-ordination frameworks enable robust hazard identification and analysis, and the identification and assessment of reasonably practicable controls, both design/technical and operational in nature. A design organisation’s design processes must include the means by which stakeholder consultation, co-operation and co-ordination will be achieved. Operational stakeholder engagement is essential to evaluate potential operational controls for hazards when the design cannot meet prescribed safety criteria due to an adverse impact on Defence capability. Importantly, the framework must ensure that proposed design changes do not invalidate or impact extant controls for hazards that may not be related to the design under consideration.
2.41 One framework under which consultation, co-operation and co-ordination can be enacted is through an established System Safety Group (SSG) or equivalent body, which is responsible for reviewing identified hazards and associated controls. If employed, the SSG should be structured to optimise timely and effective consultation, co-ordination and co-operation between technical, operational and maintenance subject matter experts, and other relevant specialists and stakeholders.
2.42 A key outcome of consultation, co-operation and co-ordination is the identification of and commitment to the means by which controls will be implemented, reviewed and maintained. Clear responsibilities for confirming that controls have been implemented and are being monitored for effectiveness must be established within the adopted framework.
2.43 SS Requirement (Essential). Where meeting design safety objectives would have an unacceptable adverse effect on capability, the non-compliance must be approved by the Authority.
2.44 Occasionally, compliance with design safety objectives may unacceptably impact Defence’s required capability outcomes. Where prescribed safety objectives cannot be met, the applicant must submit for Authority consideration and agreement any proposal to amend safety objectives. The proposal to amend the safety objectives must be supported by clear risk characterisation associated with the amended safety objectives and confirmation by the relevant operational commander that the operational impact of compliance with the prescribed safety objectives is unacceptable. Only where the Authority concludes that the risk has been appropriately characterised, and that the operational commander has made an informed determination that the risk has been minimised so far as is reasonably practicable and that residual risk retention is appropriate, will the Authority approve the amended safety objectives via a Military Certification Review Item (MCRI).
2.45 To ensure that all controls necessary to achieve prescribed safety objectives are effectively captured and monitored, and will be considered during future design activities, robust hazard documentation is required.
2.46 SS Requirement (Essential). Hazards identified during design activities, and associated controls, must be documented.
2.47 While the identification of hazards and associated controls through a robust system safety program will result in the achievement of safety objectives, the continued safety of the design will only be achieved if any controls associated with identified hazards are implemented and remain effective. Hazard documentation also assists designers to ensure that future design activities do not introduce changes that either remove an existing hazard control or impact the effectiveness of a control. Consequently, hazard documentation is required to provide a safety baseline for the design and to support future design activities.
2.48 One means of documenting hazards and controls is via a Hazard Log. If employed, a Hazard Log should be updated during the aircraft’s service life whenever:
previously unidentified hazards, or new hazards introduced as part of a design change, are identified
new controls for an already identified hazard are implemented, or already implemented controls are removed/changed.
2.49 A Hazard Log (or equivalent) is a key artefact that supports the Military Type Certificate Holder to satisfy their obligations under DASR 21.A.44, regarding the in-service management of product hazards, and to support the outcomes required of organisational Safety Management Systems for the Defence aircraft. Where the relevant operational commander has agreed to retention of any safety risk that may be posed by hazards remaining after implementation of controls, a Hazard Log (or equivalent) may also be used to record risk retention details, including the criteria for review of control effectiveness and risk retention decision validity.
2.50 As previously discussed, the common civil and military system safety standards require intelligent application and in some cases expansion if they are to meet Authority prescribed system safety requirements. Where the application of these standards is subject to oversight by an Authority recognised NAA/MAA, and within the framework and scope of that authority’s regulatory approach, application of the standards may entirely satisfy the Authority prescribed system safety requirements. However, where the standards are applied outside of the regulatory system of the relevant NAA/MAA, tailoring of the standards may result in the Authority prescribed requirements no longer being met.
2.51 This section describes how the adoption of common system safety standards, under Authority recognised NAA/MAA oversight, contributes to meeting the Authority prescribed system safety requirements in this chapter. This section also provides designers with guidance on the intelligent application of the common system safety standards, where a Defence aircraft design is not subject to oversight by an Authority recognised NAA/MAA.
2.52 Common civil system safety standards applicable to aviation consist of the FAR/CS 2x.1309, the associated Acceptable Means of Compliance (AMC) (eg AC25.1309 and AMJ 25-1309), and the SAE standards ARP4754 Guidelines for Development of Civil Aircraft and Systems, and ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. The civil standards describe methodologies and processes to establish safety objectives (both quantitative and qualitative) for the aircraft design, and to identify and control hazards. Indeed, the civil approach to system safety in aircraft design is closely aligned with Defence’s approach to system safety.
2.53 Designs certified by an Authority recognised NAA. For new aircraft or modifications to existing aircraft, the extant civil certification applies where the Defence aircraft design meets the configuration, role and operating environment (CRE) approved by the certifying authority. Application of the civil system safety standards in this case will achieve compliance with all Authority prescribed system safety requirements, since:
the role and operating environment of the aircraft is known and accounted for, by both the designer and certifying NAA, in the civil certification program
risk retention due to shortfalls against the prescribed safety objectives is not permitted by Authority recognised NAAs
there is a well-established history of designers enacting system safety programs that meet recognised NAA requirements for the development of safe aircraft designs using appropriate hazard controls
hazards will have been documented, and controls established and published in relevant OIP to ensure safety objectives continue to be met.
2.54 However, designs certified under a civil certification framework may not provide clear disclosure of all hazards and associated controls (per paragraphs 2.47 through 2.51), which is an important contributor to the MTCH meeting their DASR obligations. Consequently, additional insight into these hazards and implemented controls, or the ability to access this information where required, should be arranged.
2.55 Designs developed using civil system safety standards, but not certified by an Authority recognised NAA. As discussed above, application of the civil system safety standards within a civil regulatory context will satisfy the Authority’s system safety requirements. Similarly, where the civil system safety standards are faithfully applied to designs that are not certified by an Authority recognised NAA, the design should also satisfy the Authority’s prescribed safety objectives. However, where the prescribed safety objectives are not met, or the Defence aircraft CRE is outside of the scope of the CRE approved by the original certifying NAA, additional analysis of hazards that may be impacted will be required.
2.56 For all Defence aircraft designs where the civil system safety standards are adopted, the designer must ensure that the civil standards are rigorously applied. In particular, all prescribed safety objectives must be met, and the hierarchy of controls, per paragraphs 2.38 and 2.39, must be applied to those design elements where safety objectives cannot be met. Where the Defence CRE is outside of the scope of the CRE approved for the extant civil certification, designers must ensure that the CRE deltas are assessed to confirm that prescribed safety objectives are still met for the Defence CRE, or that additional controls are implemented where required. Finally, any identified hazards must be documented per paragraphs 2.47 through 2.51 to support in-service hazard management.
2.57 MIL-HDBK-516 Airworthiness Certification Criteria and MIL-STD-882 Department of Defense Standard Practice – System Safety define the US DoD system safety requirements for military systems. MIL-STD-882 describes methodologies and processes to establish safety objectives (both quantitative and qualitative) for the aircraft design, and to identify and control hazards.
2.58 Designs certified by an Authority recognised US MAA. US militaries have a well-established history of producing safe aircraft designs under their regulatory systems, which includes application of MIL-STD-882 and the adoption of system safety requirements prescribed in MIL-HDBK-516. Therefore, for new aircraft or modifications to existing aircraft, where the Defence configuration, role and operating environment (CRE) is consistent with that assumed for the US certification, application of MIL-STD-882 will achieve compliance with the majority of Authority prescribed system safety requirements.
2.59 However, a key aspect of the MIL-STD-882 approach to system safety is the ability for the ‘program executive’ to accept residual risk associated with hazards where the quantitative safety criteria (established per paragraphs 2.9 and 2.11 of this chapter) have not been met. This acceptance of residual risk may be inconsistent with both the DASRs and WHS legislation obligations. Therefore, any hazards ‘accepted’ under the MIL-STD-882 system safety approach will need to subsequently be evaluated by Defence, and additional controls implemented if reasonably practicable, to satisfy Defence regulatory and statutory requirements.
2.60 Finally, designs certified under a recognised US MAA certification framework may not provide clear disclosure of all hazards and associated controls (per paragraphs 2.47 through 2.51), which is an important contributor to the MTCH meeting their DASR obligations. Consequently, additional insight into these hazards and implemented controls, or the ability to access this information where required, should be arranged.
2.61 Designs developed and certified outside of an Authority recognised US MAA’s regulatory system. When employed outside of the context of a recognised US MAA’s regulatory approach, MIL-HDBK-516 and MIL-STD-882 require considerable intelligent application if the Authority requirements for identification and control of hazards are to be met. The following issues may result in non-compliance with Authority prescribed system safety requirements:
The specific system safety activities (ie ‘tasks’) described in MIL-STD-882 are intended to be tailored, such that only those relevant to the particular design under consideration are conducted. Therefore, intelligent selection of relevant ‘tasks’ is required if Authority prescribed safety outcomes are to be met.
The MIL-STD-882 approach to documenting and characterising risk associated with hazards may lead to the definition of ‘acceptable’ risk levels, which is inconsistent with the DASR approach to hazard management and Australian WHS legislation.
The adoption of a purely MIL-STD-882 system safety program may lead a designer into error since it does not require that all safety objectives are met and therefore implies that the designer has some discretion in terms of compliance.
The MIL-STD-882 approach to identifying hazards may not be undertaken using formal system safety tools and techniques that are commensurate with the degree of criticality and/or complexity of the design under consideration.
MIL-STD-882 does not explicitly include considerations for fail-safe design (noting that fail-safe design is included in MIL-HDBK-516C Airworthiness Certification Criteria, although not all US military aircraft designs adopt this Airworthiness Code) or for establishing safety criteria for systems with limited ‘at risk’ exposure times.
2.62 Where a designer proposes to adopt MIL-HDBK-516 and MIL-STD-882 for Defence-unique designs that will be certified outside of a recognised US MAA regulatory approach, all of the potential shortfalls at paragraph 2.63 will need to be resolved through intelligent application of the standard. In all cases, the Authority prescribed system safety requirements detailed in the preceding sections of this chapter must be met.
2.63 DEF STAN 00-056 Safety Requirements for Defence Systems describes the generic UK MoD approach to implementing system safety for Defence systems, including aircraft designs. DEF STAN 00-056 is primarily a risk management standard that describes the process by which military equipment can be verified to have satisfied the UK safety legislation requirements. Without considerable intelligent application, the standard’s ‘risk management’ approach is incompatible with the DASR approach to type certification/design approval and is inconsistent with Australian WHS legislation. As a result, DEF STAN 00-056 can only be used as the system safety standard for Defence aircraft design activities where agreement with the Authority has been reached on how the perceived deficiencies in the standard can be resolved.
2.64 Further guidance on implementing the system safety requirements prescribed in this chapter can be provided by the chapter sponsor.