BOEING'S SAFETY ASSESSMENT PROCESSES FOR COMMERCIAL AIRPLANE DESIGNS

Jeff Hasson, Boeing Commercial Airplane Group
David Crotty, Scitor Corporation

ABSTRACT

Although the accident rate for transport category aircraft has improved substantially since the introduction of jet transports in the late 1950s, the rate has become approximately constant over the past fifteen years. Since the number of aircraft operated in the airline fleets is projected to double over the next twenty years, a corresponding increase in the number of accidents is expected to result if the accident rate remains at its current level. The increased complexity and integration of airplane systems, combined with the need to reduce the accident rate, has caused The Boeing Company to enhance its methods of design safety. This paper discusses the processes Boeing uses to assure the safety of new airplane designs.

Keywords: functional hazard assessment, survivability assessment, zonal analysis, fault tree analysis, and failure modes and effects analysis

INTRODUCTION

Hull loss accident rates for the worldwide commercial jet fleet are shown in Figure 1. The accident rates for recent designs, such as the B757, B767 and A310, are considerably better than those of first generation jet aircraft such as the B707 and DC-8. Recently certificated designs such as the B777, A330 and A340 are expected to demonstrate even higher levels of safety as a result of improvements in the safety design process and more reliable implementation methods.

0-7803-4150-3/97 $10.00 © 1997 IEEE

The annual hull loss rates, in accidents per million departures, are shown in Figure 2. These data show a steep decline in hull loss rates during the 1960s, followed by a leveling out to a more or less constant rate in the 1980s and 1990s.
This is in part the result of the replacement of older, first generation aircraft with newer designs, together with the positive effects of updated regulatory requirements, infrastructure, and training improvements. Accident investigations and continuing airworthiness activities of the regulatory authorities also contribute to this low accident rate.

Air travel is predicted to continue to expand in the years ahead. As shown in Figure 3, annual worldwide departures are predicted to increase from the current level of approximately 16,000,000 to 30,000,000 in the year 2015. This will be accomplished by an increase in the number of transport airplanes in service from 12,343 today to 23,000 by the end of this period. If the accident rate were to be held constant at the 1996 level of approximately one per million departures, the result could be a serious accident every week in 2015. The perception of safety in air travel by the flying public is based to some extent on what is portrayed in the news rather than on the accident rate statistics. For many reasons, The Boeing Company and the aircraft industry consider the projected number of accidents to be unacceptable. Additional improvements are required in the air transport system if the hull-loss accident rate is to be reduced.

4.4-1 Authorized licensed use limited to: University of Southern California. Downloaded on April 11,2022 at 02:51:01 UTC from IEEE Xplore. Restrictions apply.

Figure 1. Hull Loss Accident Rates, Worldwide Commercial Jet Fleet, 1959 through 1996. Bar chart of accidents per million departures by airplane type (statistical accidents only; * indicates fewer than 100,000 departures). Types shown include the Trident, VC-10, BAC 111, 737-1/2, BAe 146, A300-600, 737-3/4/5, F-100/70, A320/A321 and 747-400.

Figure 2. Hull Loss Accidents, All Aircraft: Worldwide Commercial Jet Fleet. Annual rates, accidents per million departures, by year from 1960 through 1996. Not included: sabotage, military action, Commonwealth of Independent States aircraft.

Figure 3. We Need to Continuously Improve Aviation Safety. Airplanes in service and hull loss accidents per year, 1965 through 2015 (projected), with improvement areas noted: lessons learned, maintenance, air traffic management, infrastructure.

There are many areas which offer potential reductions to the accident rate. These improvement areas are: lessons learned, regulations, airplane designs, flight operations, maintenance, air traffic management, and infrastructure. Airplane systems have been implicated in a small percentage of the already low accident rate. New technologies provide an opportunity for enhancing safety, but also require rigorous and detailed methodologies to assure the design safety. This paper will discuss the processes that Boeing uses to assure the integrity of our airplane designs, which will contribute to a lower accident rate in the future.

DISCUSSION - COMPLEXITY AND INTEGRATION

The general increase in airplane functionality, complexity, integration, and technology requires new methods of safety assessment, implementation, and verification. First generation jet transport airplanes, such as the 707 and 727, were designed with relatively simple and independent systems. The monitoring and management of these systems to support the airplane functions were handled by the flight engineer. Advances in technology and improved system integration ultimately led to the elimination of the need for the flight engineer on the next generation of airplanes.
The 757/767 airplanes introduced the use of digital implementations on Boeing models. Moderate system integration was required on these airplanes. To achieve increased functionality and performance, the 777 system architectures relied heavily on the use of microprocessors. The 777 systems are even more highly integrated than previous models. One aspect of this integration is increased use of common resources, which dictates the sensor configurations and communication infrastructure. The digital fly-by-wire technology also required more extensive integration of the systems than on previous airplane designs at Boeing.

This increase in functionality, complexity, integration, and technology required Boeing and the aircraft industry to rethink methods to show compliance with the applicable safety requirements. Several industry teams were established to address the issues related to this subject:
(1) An Aviation Rulemaking Advisory Committee (ARAC) Harmonization Working Group to rewrite the FAR/JAR rule and advisory material for 25.1309, which establishes many of the safety requirements;
(2) Two Society of Automotive Engineers (SAE) committees to develop aerospace recommended practices (ARPs) to document the processes. These two documents are ARP 4754, "Certification Considerations for Highly Integrated or Complex Aircraft Systems", and ARP 4761, "Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems"; and
(3) At least two Radio Technical Commission for Aeronautics (RTCA) committees to address related software and hardware aspects of these designs.

AIRPLANE SAFETY ASSESSMENTS

Boeing conducts safety assessments in three general areas: functional, physical, and operational. The assessments evaluate the airplane's and crew's ability for continued safe flight and landing. The methods and tools for establishing requirements, developing the design, and performing the verification are different in each assessment area.

Functional Safety Assessments

Functional safety assessments address how well systems and equipment perform given functions. These assessments focus on the functional architectures.

Functional Safety Requirements. The functional safety requirements are derived from airplane and system functions. At the airplane level, this activity begins by identifying the airplane level functions required for safe flight and landing (e.g. pitch, roll, yaw, thrust, etc.). For each function, a Functional Hazard Assessment (FHA) is performed to identify potential failure conditions. The assessment includes considerations for environmental conditions and flight phase. Each identified failure condition is then classified based on the severity of the hazard it imposes on the aircraft, crew, and occupants. The hazard severity classifications are: catastrophic, hazardous, major, and minor. Allowable probabilities are assigned to each failure condition based on its classification level. The hazard classifications and corresponding probabilities are defined in the advisory material of FAR/JAR 25.1309. The types of functional requirements that usually come from this safety assessment are availability (e.g. loss of function) and integrity (e.g. malfunction).

The FHA process is then repeated at the system level. A system can be categorized as either a primary or a supporting system. A primary system is one that directly performs an airplane function (e.g. flight control system, brake system, high-lift system, etc.). The primary system FHA is a subset of the airplane FHA and is easily traceable to the airplane FHA. A supporting system is one that does not directly perform an airplane function but usually supports multiple primary systems (e.g. electrical system, hydraulic system, air data system, etc.). For this reason, the supporting system FHA resembles an FMEA, with the effects being on the airplane functions. The results of the system functional hazard assessments provide the basis for system functional safety requirements.

Functional Design. The designers propose airplane and system functional architectures that meet the overall objectives for a given function and also reduce or eliminate the hazards associated with these functions. The requirements and design are further developed for each subsequent layer of the design while keeping the FHA safety requirements in mind. For availability of critical functions, the design may take the form of a dual redundant primary system which is backed up by a dissimilar standby system. For integrity of critical functions, systems may vote multiple sources and/or employ an independent monitor.

Functional Verification. The verification of functional designs usually takes the form of numerical analyses. A top-down evaluation of the more significant failure conditions is performed using Fault Tree Analyses (FTAs). In addition, a bottom-up review is performed for the major systems using Failure Modes and Effects Analyses (FMEAs). By combining the failure rates and exposure times in the fault tree, we show that the quantitative requirements are satisfied. The two types of analyses (FTA and FMEA) also provide a cross-check that the proper item failures have been addressed.

Physical Safety Assessments

Physical safety assessments address how systems and equipment are installed on the aircraft. These assessments focus on the physical layout and configuration of the airplane. They are necessary to validate the redundancy and independence assumptions made in the functional assessments.

Physical Safety Requirements.
The physical safety requirements are derived from the physical threats to the airplane and systems. The threats fall into two basic areas: threats originating from outside the system, called particular threats (such as engine burst, birdstrike, tire burst, high intensity radiated fields, lightning, etc.), and threats originating within the system, called installation threats (such as wire chafing and cross connection).

The particular threat requirements are developed by reviewing the FARs/JARs and in-service events. A list of threats is gathered and a damage model is generated for each threat. The physical threats and associated damage profiles are levied as requirements on the airplane. The general safety objective is that no single threat or event shall result in a catastrophic failure condition.

The installation threats are generated by reviewing in-service experience. These threats are continuously evolving based on decades of in-service experience. We use these threats to generate a set of design guidelines. The guidelines define separation and orientation requirements between the various transmission methods (e.g. electrical wiring, fuel lines, flight control cables, hydraulic lines, oxygen lines, pneumatic ducts, torque tubes, etc.).

Physical Design. Integrated product teams are used to develop the physical design implementation for each section of the airplane. Using the established safety requirements and design guidelines, the designers within these teams determine the best layouts with respect to producibility, maintainability, and safety.

Physical Verification. The physical verification is performed throughout the design process. The particular threats that result in physical damage are addressed early in the design process, as the major transmission raceways for wiring, hydraulic lines, etc. and the equipment locations are defined. This is done through a series of survivability reviews.
The survivability review team evaluates each major section of the airplane and verifies that the threats that apply to that section are survivable. Staged zonal reviews are performed as the physical design matures. Before releasing the drawings, 3-dimensional "fly-throughs" are performed to verify that adequate clearances exist between transmission media. As systems are installed in the factory, engineering safety reviews are performed to verify proper installations. Reviews of high vibration areas are also performed following flight testing. For the physical threats that are not as installation dependent (e.g. high intensity radiated fields and lightning), individual studies and reviews are performed to verify that the requirements are satisfied.

Operational Safety Assessments

Experience has shown us that unusual operational scenarios can lead to accidents. To address this concern Boeing dedicates a team of engineers to perform an operational safety assessment.

Operational Safety Requirements. In the early development phase of a program, a team of engineers and pilots is established to develop a set of various operational scenarios. These scenarios may include: flight in volcanic ash, engine out scenarios, and return to land scenarios. From these scenarios and subsequent analysis the airplane operational safety requirements are established.

Operational Design. Each developmental program has a dedicated group of pilots and flight deck engineers to analyze the airplane-to-crew interface design and procedures. This group works with the system designers to develop the proper crew alerts and procedures. The activity includes both the normal and non-normal procedures.

Operational Design Verification. During the development phase the operational scenarios are evaluated to determine the effect on the airplane and occupants. If the effects are not satisfactory, changes are incorporated into the design. In addition to the operational analysis described above, Boeing performs a series of evaluations on the flight crew and airplane interface. Early in the development an engineering mock-up of the cockpit, called a Cab, is used to evaluate crew interfaces. In the case of the 777, this concept was greatly expanded to a systems integration lab which was also used to integrate the airplane systems. Using simulated inputs into the systems we could fly the airplane and test various failure scenarios. A full motion multi-purpose Cab is used to evaluate handling qualities under various scenarios. The final evaluation is performed during flight test when the airplane, systems, and procedures are thoroughly checked.

SUMMARY

Given the current accident rate and the projected increase in departures, one could anticipate a serious accident once a week by the year 2015. Increased functionality and performance have required airplane designs to become more complex and integrated. While safety considerations have always been paramount, the above two considerations have caused the industry and The Boeing Company to focus on further safety improvements throughout the design process. The safety processes can be viewed from three perspectives: functional, physical, and operational. Each view has different methods for developing safety requirements and performing safety assessments.

The functional view uses functional hazard assessments to derive the high-level availability and integrity safety requirements. These requirements are allocated to the systems and equipment that perform the function. Fault Tree Analyses are used to combine failure events and verify that the high-level requirements are satisfied.
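The quantitative step described under Functional Verification and restated here, combining item failure rates and exposure times in a fault tree and comparing the result with the allowable probability for the failure condition's FHA class, is illustrated by the following added example. It is not code from the paper or from Boeing. The numeric limits (1e-9, 1e-7 and 1e-5 per flight hour for catastrophic, hazardous and major) are the values commonly quoted from the AC 25.1309-1A / ARP 4761 advisory material, which the paper references but does not list; the architecture (two primary channels backed by a dissimilar standby, the paper's availability pattern), the failure rates, the flight duration and the inspection interval are constructed for the example.

```python
"""Quantitative fault tree check against FHA severity classes.

Added illustration, not code from the paper: basic events carry a failure
rate (per hour) and an exposure time, AND/OR gates combine them assuming
independence, and the top-event probability per flight hour is compared with
the allowable probability for the hazard classification.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# Allowable average probability per flight hour by FHA severity class.
# ASSUMPTION: the commonly quoted AC 25.1309-1A / ARP 4761 values; the paper
# points to the advisory material but does not list the numbers itself.
ALLOWABLE_PER_FLIGHT_HOUR = {
    "catastrophic": 1e-9,
    "hazardous": 1e-7,
    "major": 1e-5,
    "minor": None,  # no quantitative requirement
}


@dataclass
class BasicEvent:
    """A leaf of the tree: one item failure mode, typically taken from the FMEA."""
    name: str
    failure_rate: float    # failures per hour (lambda)
    exposure_hours: float  # time the failure can exist before it is revealed or repaired

    def probability(self) -> float:
        # Constant failure rate: P(failed within exposure) = 1 - exp(-lambda * T)
        return 1.0 - math.exp(-self.failure_rate * self.exposure_hours)


@dataclass
class Gate:
    """An AND gate needs every input to fail; an OR gate needs at least one."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)

    def probability(self) -> float:
        ps = [n.probability() for n in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)  # independent inputs must all have failed
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)  # at least one input failed
        raise ValueError(f"unknown gate kind {self.kind!r}")


Node = Union[BasicEvent, Gate]


def check_requirement(top: Node, severity: str, flight_hours: float) -> Tuple[float, Optional[float], bool]:
    """Return (probability per flight hour, allowable limit, requirement met?)."""
    limit = ALLOWABLE_PER_FLIGHT_HOUR[severity]
    per_fh = top.probability() / flight_hours
    return per_fh, limit, (limit is None or per_fh <= limit)


# Constructed example: loss of the pitch control function, implemented as the
# paper's availability pattern (dual redundant primary system backed by a
# dissimilar standby). All rates and durations are assumed values.
FLIGHT_HOURS = 5.0  # assumed average flight duration


def loss_of_pitch_control_tree(inspection_interval_hours: float) -> Gate:
    channel_a = BasicEvent("primary channel A fails in flight", 1e-4, FLIGHT_HOURS)
    channel_b = BasicEvent("primary channel B fails in flight", 1e-4, FLIGHT_HOURS)
    primary_lost = Gate("both primary channels fail", "AND", [channel_a, channel_b])
    # The standby is normally dormant: a failure stays latent until the next
    # check, so its exposure is the inspection interval, not the flight.
    standby_latent = BasicEvent("standby failed before flight (latent)", 1e-5, inspection_interval_hours)
    standby_active = BasicEvent("standby fails in flight", 1e-5, FLIGHT_HOURS)
    standby_lost = Gate("standby unavailable", "OR", [standby_latent, standby_active])
    return Gate("loss of pitch control", "AND", [primary_lost, standby_lost])


def report(inspection_interval_hours: float) -> None:
    top = loss_of_pitch_control_tree(inspection_interval_hours)
    per_fh, limit, ok = check_requirement(top, "catastrophic", FLIGHT_HOURS)
    verdict = "meets" if ok else "does NOT meet"
    print(f"standby inspected every {inspection_interval_hours:g} h: "
          f"{top.name} = {per_fh:.2e} per flight hour, {verdict} {limit:.0e}")


if __name__ == "__main__":
    report(500.0)   # latent exposure kept short by a frequent check
    report(5000.0)  # same hardware, longer exposure, requirement missed
```

Running the two cases shows why the paper pairs failure rates with exposure times: with identical hardware, lengthening the standby inspection interval from 500 to 5000 hours lets the latent failure dominate and moves the top event from about 2.5e-10 to about 2.4e-9 per flight hour, across the catastrophic limit. The inspection interval therefore becomes a safety requirement in its own right, to be carried into the maintenance program.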
Failure Modes and Effects Analyses are used to understand the failure modes of the equipment and the associated failure rates.

The physical assessment uses threat lists and definitions to derive the survivability requirements. These requirements are allocated in the form of structure and system separation. Different zonal analyses are used to verify that these requirements are satisfied. Survivability reviews are used in the early design phases to examine major raceways and equipment installations. As the physical design matures, 3-dimensional "fly-throughs" are performed. The final reviews are conducted on the completed product in the factory and following flight testing.

The operational assessment utilizes a set of operational scenarios developed from unusual in-service events. Each scenario is evaluated to determine the effect on the airplane design and performance. Unsatisfactory results are fed back into the design process.
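The separation guidelines and the 3-dimensional "fly-through" clearance check described under Physical Safety Assessments and summarized above can be illustrated by the following added example, which is not the paper's or Boeing's tooling: each transmission medium's route is modelled as a polyline in airplane coordinates, a clearance table states the minimum distance required between two kinds of media, and the closest approach of every pair of routes is computed and compared with that requirement. The clearance values, medium names, route identifiers and coordinates are constructed for illustration and are not Boeing's actual design guidelines.

```python
"""Zonal separation check between transmission media.

Added illustration, not code from the paper: routes are polylines in airplane
coordinates (metres), a separation table gives the minimum clearance required
between two kinds of media, and every pair of segments from different routes
is checked so violations can be listed before the drawings are released.
"""
import itertools
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Point = Tuple[float, float, float]

# ASSUMPTION: illustrative clearances in metres; not Boeing's design guidelines.
SEPARATION_M: Dict[FrozenSet[str], float] = {
    frozenset({"electrical", "fuel"}): 0.15,
    frozenset({"electrical", "oxygen"}): 0.15,
    frozenset({"electrical", "hydraulic"}): 0.10,
    frozenset({"electrical", "flight_control_cable"}): 0.05,
    frozenset({"fuel", "hydraulic"}): 0.05,
    frozenset({"fuel", "oxygen"}): 0.15,
}
DEFAULT_SEPARATION_M = 0.025  # pairs not listed, e.g. two lines of the same kind


@dataclass(frozen=True)
class Route:
    name: str
    medium: str
    waypoints: Tuple[Point, ...]

    def segments(self) -> List[Tuple[Point, Point]]:
        return list(zip(self.waypoints, self.waypoints[1:]))


@dataclass(frozen=True)
class Violation:
    route_a: str
    route_b: str
    distance_m: float
    required_m: float


def _sub(a: Point, b: Point) -> Point:
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])


def _dot(a: Point, b: Point) -> float:
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2]


def _clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def segment_distance(p1: Point, q1: Point, p2: Point, q2: Point) -> float:
    """Minimum distance between segments p1-q1 and p2-q2 (closest-points method)."""
    eps = 1e-12
    d1, d2, r = _sub(q1, p1), _sub(q2, p2), _sub(p1, p2)
    a, e, f = _dot(d1, d1), _dot(d2, d2), _dot(d2, r)
    if a <= eps and e <= eps:       # both segments degenerate to points
        return math.sqrt(_dot(r, r))
    if a <= eps:                     # first segment is a point
        s, t = 0.0, _clamp01(f / e)
    else:
        c = _dot(d1, r)
        if e <= eps:                 # second segment is a point
            s, t = _clamp01(-c / a), 0.0
        else:
            b = _dot(d1, d2)
            denom = a * e - b * b    # zero when the segments are parallel
            s = _clamp01((b * f - c * e) / denom) if denom > eps else 0.0
            t = (b * s + f) / e
            if t < 0.0:              # clamp t, then recompute s for that t
                s, t = _clamp01(-c / a), 0.0
            elif t > 1.0:
                s, t = _clamp01((b - c) / a), 1.0
    c1 = (p1[0] + d1[0] * s, p1[1] + d1[1] * s, p1[2] + d1[2] * s)
    c2 = (p2[0] + d2[0] * t, p2[1] + d2[1] * t, p2[2] + d2[2] * t)
    return math.sqrt(_dot(_sub(c1, c2), _sub(c1, c2)))


def required_separation(medium_a: str, medium_b: str) -> float:
    return SEPARATION_M.get(frozenset({medium_a, medium_b}), DEFAULT_SEPARATION_M)


def check_separation(routes: List[Route]) -> List[Violation]:
    """Compare the closest approach of every route pair with the required clearance."""
    violations = []
    for ra, rb in itertools.combinations(routes, 2):
        required = required_separation(ra.medium, rb.medium)
        closest = min(segment_distance(p1, q1, p2, q2)
                      for p1, q1 in ra.segments() for p2, q2 in rb.segments())
        if closest < required:
            violations.append(Violation(ra.name, rb.name, closest, required))
    return violations


# Constructed sample layout (metres): a hydraulic line with a bend, a wire run
# parallel to it at 60 mm, a fuel line crossing 200 mm above, an oxygen line off to the side.
EXAMPLE_ROUTES = [
    Route("HYD-L1", "hydraulic", ((0.0, 0.0, 0.0), (2.0, 0.0, 0.0), (2.0, 1.0, 0.0))),
    Route("W-101", "electrical", ((0.0, 0.06, 0.0), (1.5, 0.06, 0.0))),
    Route("FUEL-3", "fuel", ((1.0, -1.0, 0.2), (1.0, 1.0, 0.2))),
    Route("O2-7", "oxygen", ((0.5, 0.3, 0.1), (0.5, 0.3, -0.1))),
]

if __name__ == "__main__":
    for v in check_separation(EXAMPLE_ROUTES):
        print(f"{v.route_a} vs {v.route_b}: {v.distance_m * 1000:.0f} mm, "
              f"requires {v.required_m * 1000:.0f} mm")
```

On the constructed layout only the wire run parallel to the hydraulic line is flagged (60 mm against a required 100 mm); the fuel line crossing above and the oxygen line to the side clear their requirements. Because the check works on the same route geometry that the drawings carry, it can be rerun at each staged zonal review as the design matures, and a separate orientation rule (for example, a wire bundle above rather than below a fluid line) can be added alongside the distance test.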