
Appendix 1 – Assessment methods

ED Decision 2020/001/R

Various methods for assessing the causes, severity, and probability of failure conditions are available to support experienced engineering and operational judgement. Some of these methods are structured. The various types of analysis are based on either inductive or deductive approaches. Probability assessments may be qualitative or quantitative. Descriptions of some types of analysis are provided below and in the document referenced in paragraph 3b(3).

a.       Design Appraisal. This is a qualitative appraisal of the integrity and safety of the system design.

b.      Installation Appraisal. This is a qualitative appraisal of the integrity and safety of the installation. Any deviations from normal, industry accepted installation practices, such as clearances or tolerances, should be evaluated, especially when appraising modifications made after entry into service.

c.       Failure Modes and Effects Analysis. This is a structured, inductive, bottom-up analysis, which is used to evaluate the effects on the system and the aeroplane of each possible element or component failure. When properly formatted, it will aid in identifying latent failures and the possible causes of each failure mode. The document referenced in paragraph 3b(3) provides methodology and detailed guidelines, which may be used to perform this type of analysis. An FMEA could be a piece-part FMEA or a functional FMEA. For modern microcircuit-based LRUs and systems an exhaustive piece-part FMEA is not practically feasible with the present state of the art. In that context, an FMEA may be more functional than piece-part oriented. A functionally oriented FMEA can lead to uncertainties in the qualitative and quantitative aspects, which can be compensated for by more conservative assessments such as:

          assuming all failure modes result in the failure conditions of interest,

          careful choice of system architecture,

          taking into account the lessons learned from experience with similar technology.

d.      Fault Tree or Dependence Diagram Analysis. Structured, deductive, top-down analyses that are used to identify the conditions, failures, and events that would cause each defined failure condition. They are graphical methods of identifying the logical relationship between each particular failure condition and the primary element or component failures, other events, or combinations thereof that can cause it. A failure modes and effects analysis may be used as the source document for those primary failures or other events.

e.       Markov Analysis. A Markov model (chain) represents various system states and the relationships among them. The states can be either operational or non-operational. The transitions from one state to another are a function of the failure and repair rates. Markov analysis can be used as a replacement for fault tree/dependence diagram analysis, but it often leads to a more complex representation, especially when the system has many states. It is recommended that Markov analysis be used when fault trees or dependence diagrams are not easily usable, namely to take into account complex transition states of systems that are difficult to represent and handle with classical fault tree or dependence diagram analysis.
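The following is an added worked example of the Markov analysis described in paragraph e; it is not part of this AMC and is not an EASA-provided model. It models a dual-channel system with three states (both channels operational, one channel failed and latent, both failed), a constructed per-channel failure rate of 1e-4 per hour, and a constructed restoration rate for the latent state, and integrates the Kolmogorov forward equations numerically. With the restoration rate set to zero the model reduces to two independent channels, and the result equals what a static fault tree AND gate would give; with restoration it captures a repair transition that a static fault tree cannot represent. All rates, the exposure period and the function names are assumptions made for this illustration.

```python
"""Markov analysis, as an added example: a dual-channel system whose one-channel-failed
state is latent until it is detected and restored. Rates are constructed for illustration."""
from math import exp

# States: 0 = both channels operational, 1 = one channel failed (latent),
#         2 = both channels failed (the failure condition; absorbing, no repair in flight)
N_STATES = 3


def generator(lam, mu):
    """Transition-rate matrix: q[i][j] is the rate from state i to state j,
    with each diagonal entry set to minus the row's total outgoing rate."""
    q = [[0.0] * N_STATES for _ in range(N_STATES)]
    q[0][1] = 2.0 * lam   # either of the two channels fails
    q[1][0] = mu          # failed channel detected and restored
    q[1][2] = lam         # remaining channel fails -> failure condition
    for i in range(N_STATES):
        q[i][i] = -sum(q[i][j] for j in range(N_STATES) if j != i)
    return q


def derivative(p, q):
    """Kolmogorov forward equations: dp_j/dt = sum_i p_i * q[i][j]."""
    return [sum(p[i] * q[i][j] for i in range(N_STATES)) for j in range(N_STATES)]


def integrate(q, t_end, dt=0.1, p0=(1.0, 0.0, 0.0)):
    """Classical RK4 integration of the state-probability vector from t = 0 to t_end."""
    p = list(p0)
    for _ in range(int(round(t_end / dt))):
        k1 = derivative(p, q)
        k2 = derivative([p[i] + 0.5 * dt * k1[i] for i in range(N_STATES)], q)
        k3 = derivative([p[i] + 0.5 * dt * k2[i] for i in range(N_STATES)], q)
        k4 = derivative([p[i] + dt * k3[i] for i in range(N_STATES)], q)
        p = [p[i] + dt / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(N_STATES)]
    return p


def p_failure_condition(lam, mu, t_end):
    """Probability of having entered the failure condition (state 2) by t_end."""
    return integrate(generator(lam, mu), t_end)[2]


def average_rate(lam, mu, t_end):
    """Average probability per hour of the failure condition over the exposure period."""
    return p_failure_condition(lam, mu, t_end) / t_end


def no_repair_closed_form(lam, t_end):
    """With mu = 0 the chain is two independent channels: P(both failed) = (1 - e^{-lam t})^2,
    the same number a static fault tree AND gate gives for two independent channels."""
    return (1.0 - exp(-lam * t_end)) ** 2


if __name__ == "__main__":
    LAM, T = 1e-4, 5000.0   # constructed: 1e-4 per hour per channel, 5000 h exposure
    for mu, label in ((0.0, "no restoration (fault-tree equivalent)"),
                      (1.0 / 500.0, "restored on average 500 h after the first failure")):
        print(f"{label}: P(failure condition by {T:.0f} h) = "
              f"{p_failure_condition(LAM, mu, T):.4e}, "
              f"average {average_rate(LAM, mu, T):.2e} per hour")
    print(f"closed form with no restoration: {no_repair_closed_form(LAM, T):.4e}")
```

The constant restoration rate is the usual exponential approximation of periodic inspection; a scheduled check at a fixed interval would be modelled with a time-varying or semi-Markov transition instead, which is exactly the kind of case where the Markov representation grows more complex than the equivalent fault tree.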

f.       Common-Cause Analysis. The acceptance of adequate probability of failure conditions is often derived from the assessment of multiple systems based on the assumption that failures are independent. Therefore, it is necessary to recognise that such independence may not exist in the practical sense and specific studies are necessary to ensure that independence can either be assured or considered to be acceptable. These studies may also identify a combination of failures and effects that would otherwise not have been foreseen by FMEA or fault tree analysis.

The common cause analysis is subdivided into three areas of study:

(1)     Zonal Safety Analysis. This analysis has the objective of ensuring that the equipment installations within each zone of the aeroplane are at an adequate safety standard with respect to design and installation standards, interference between systems, and maintenance errors. In those areas of the aeroplane where multiple systems and components are installed in close proximity, it should be ensured that the zonal analysis would identify any failure or malfunction which by itself is considered sustainable but which could have more serious effects when adversely affecting other adjacent systems or components.

(2)     Particular Risk Analysis. Particular risks are defined as those events or influences, which are outside the systems concerned. Examples are fire, leaking fluids, bird strike, tire burst, high intensity radiated fields exposure, lightning, uncontained failure of high energy rotating machines, etc. Each risk should be the subject of a specific study to examine and document the simultaneous or cascading effects or influences, which may violate independence.

(3)     Common Mode Analysis. This analysis is performed to confirm the assumed independence of the events, which were considered in combination for a given failure condition. The effects of specification, design, implementation, installation, maintenance, and manufacturing errors, environmental factors other than those already considered in the particular risk analysis, and failures of system components should be considered.

g.       Safety Assessment Process. Appendix 2 provides an overview of the safety assessment process.

[Amdt 25/14]

[Amdt 25/24]