FLTLT Andrew STOCKWELL
8 August 2012
for International System Safety Conference 2012

Overview
• What is System Safety
• Overall RAAF safety philosophy
• How RAAF manages aircraft safety
• Tailoring and Integration
• Recognizing prior acceptance
• In-service safety

What is System Safety
• Some definitions:
  • FAA
    • System safety is a specialty within system engineering that supports program risk management. It is the application of engineering and management principles, criteria and techniques to optimize safety. The goal of System Safety is to optimize safety by the identification of safety related risks, eliminating or controlling them by design and/or procedures, based on acceptable system safety precedence.
  • MIL-STD-882C
    • The application of engineering and management principles, criteria, and techniques to optimize the safety of a system within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle.

What is System Safety
• Commonality
  • application of engineering and management principles, criteria and techniques to optimize the safety
• Military Specific
  • Operational effectiveness;
  • Time; and
  • Cost.

Why the difference?
• When was the last time you saw a civilian make an approach like this:

Why the difference?
• Or saw a Fed Ex aircraft drop something weighing as much as 10-12 cars?

Another Difference
• In civil aviation the responsibilities are spread, for example:
  • FAA are the regulators,
  • Manufacturer is responsible for design and developing certification artifacts,
  • Operator just wants to fly it forever
• Military is regulator, certifier and operator
  • Conflict of interest?
  • Handled through delineation of responsibility to different organizations and staff
  • Formal process for transfer of risk

RAAF System Safety Philosophy
• Aircraft safety must be inherent in everything:
  • Design,
  • Maintenance, and
  • Operations
• Must be ‘designed’ into the system; difficult to ‘reverse engineer’ in later
• Instilling workforce change to place emphasis on thinking of safety in every action
• Empowerment of all staff to ‘make it safe’

RAAF System Safety Philosophy
• Ever heard of ALARP:
  • All risks must be kept As Low As Reasonably Practicable
  • Not formally used by RAAF, but great idea in principle
• But what is reasonable?
  • Operational effectiveness?
  • Risk vs Reward
• RAAF System Safety aims to better disclose the technical risk inherent in an aircraft system, to promote informed risk treatment decisions

Effectiveness from a Transport Perspective
• “Our job is to get important things to needy people in tough places”
• Sometimes risk avoidance can jeopardize the safety of those needy people in tough places

Airworthiness Manuals
• Australian Air Publication (AAP) document set for RAAF
  • AAP 7001.048 (AM1) - ADF Airworthiness Manual
  • AAP 7001.053 (AM1) - Technical Airworthiness Management Manual (re-issued 21 Oct 10, Amendment List 1 update 6 Mar 12)
  • AAP 8000.010 (AM1) - ADF Operational Airworthiness Manual

Objectives of RAAF Safety Program
• safety goals consistent with world’s best practice are established and documented;
• a safety management framework that clearly articulates the risk level to appropriate management authorities is established, implemented and maintained;
• safety, consistent with mission requirements, is designed into the system in a timely, cost-effective manner;
• hazards are identified, analyzed, evaluated and eliminated or the associated risk reduced to an acceptable level throughout the lifecycle of a system;
• hazards identified in-service are evaluated against established safety goals;
• hazard elimination/reduction is formally documented;
• pragmatic risk treatments are appropriately considered;
• historical safety data, including lessons learned, are continually assessed, considered and used; and
• safety is not assured by a reliance on design standards alone

How RAAF Manages Aircraft Safety
• Design
Achieving Safe Design of Aircraft (AAP 7001.053 section 3, figure 22-1)

How RAAF Manages Aircraft Safety
• Whole of lifecycle safety considerations are achieved through:
  • Aircraft Certification Basis
  • Aircraft System Safety Program
• Adherence to standards alone does not make an aircraft safe

Aircraft Certification Basis
• AAP 7001.054 “Airworthiness Design Requirements Manual” is devoted to describing the standards and process that comprise a suitable basis for certification
• Selection of requirements and benchmarks from military and civil industry
• Constantly evolving to ensure consistency with world’s best practice

Standards
• Because of the wide variety of aircraft in RAAF service, no one standard is a coverall
• AAP 7001.054 defines acceptable standards and suitable means of compliance as well as required tailoring
• Examples
  • 14 CFR 25.1309 (+ACs) needs additional requirements for military specific environment and usage
  • MIL-STD-882C needs additional requirements to specify how safety analysis should be conducted

Standards Example from AAP 7001.054
Provides suitable standards and defines pros vs cons
Later annexes detail how to put together a System Safety Program to best manage the cons

Integration
• A critical factor in any safety program is integration of the different aspects
• One of these challenges, particularly in civilian derivative military aircraft, is Tailoring of Requirements to meet military need, particularly:
  • Design Assurance Levels, and
  • Software Safety

Design Assurance Level Tailoring
• RAAF adds unique design assurance levels for equipment that is:
  • Mission Critical
  • Mission Important
• Not classifications in civil documentation
• Important in military context
Software Safety
• Largest challenge in modern aircraft design
  • Simple in principle
  • Difficult to manage in practice
  • Difficult to quantify and accept risk
• Managed through combination of standards
• Aircraft software is expected to undergo multiple updates during a lifecycle
  • Each update affects configuration and roles, and may change the environment
• Software changes are far more invasive than traditional system updates or changes

Tailored Statements of Requirement
• To allow for working with different standards and nations, AAP 7001.054 also specifies a number of contract deliverables
• Up to each project or sustainment office to implement
• Makes references to MIL-STD DIDs, MIL-STD tasks and civil standard objectives from standards like ARPs, DOs etc
• In conjunction with AAP 7001.053, defines goals for utilization of prior acceptance

Recognition of Prior Acceptance
• Aim to use acceptance of aircraft and modification by another airworthiness authority as basis for RAAF acceptance
• Military Airworthiness Authorities:
  • USAF,
  • RAF, etc
• Civil Airworthiness Authorities:
  • FAA,
  • CASA,
  • EASA etc

Challenges with Recognizing Prior Acceptance
• What is the accepted configuration?
• What operating roles or profiles were in the original design assumptions?
  • particularly relevant to military use of civil certified aircraft
• What operating environment was the aircraft certified as safe in?
  • EMI/EMC, other intrinsic risks, etc

In Service Safety
• the System Safety Program Plan;
• the System Safety Group;
• the Safety Assessment Report;
• the Hazard Log; and
• the process for retention and management of residual risks

Changing Safety Picture
• Aircraft baseline only safe when used as ‘designed’
• Safety subject to changes in configuration, operating roles and operating environment
• RAAF maintains annual review of airworthiness to ensure continued compliance

Changing Safety Picture
• Yesterday’s accepted level of safety is not Today’s ALARP
  • MIL-STD-882 constantly evolving,
  • Regular updates to 14 CFR 23/25,
  • Recent release of DO-178C
• New modifications to existing aircraft are required to meet contemporary design requirements and standards

So that’s why it’s different
• Civil aviation industry sets the benchmark for required level of safety
• Air Forces’ job is to do things that are not always safe
• Policy needs to take both into account and develop a platform that is safe to operate and maintain in all roles

Final Thoughts and the World of Tomorrow
• Benchmark for safety is constantly moving
  • Standards are constantly evolving
  • Global requirements are changing daily
  • Military roles are changing to match
• Where does that leave safety?
  • If we take a snapshot we don’t get less safe,
  • But we get further from ideal safety and accept greater risk every day

Questions?