Planning For The Application of ARP4754A For New and Modified Aircraft Projects With New, Simple, and Reused Systems
Downloaded from SAE International by Stony Brook Univ, Sunday, August 12, 2018

2015-01-2431
Published 09/15/2015
Copyright © 2015 SAE International
doi:10.4271/2015-01-2431
saeaero.saejournals.org

Planning for the Application of ARP4754A for New and Modified Aircraft
Projects with New, Simple, and Reused Systems
Robert E. Voros
Textron Aviation

ABSTRACT
Aerospace Recommended Practice (ARP) 4754 Revision A (ARP4754A), “Guidelines for Development of Civil Aircraft and
Systems,” [1] is recognized through Advisory Circular (AC) 20-174 (AC 20-174) [2] as a way (but not the only way) to provide
development assurance for aircraft and systems to minimize the possibility of development errors. ARP4754A and its companion,
Aerospace Information Report (AIR) 6110, “Contiguous Aircraft/System Development Process Example,” [3] primarily describe
development processes for an all new, complex and highly integrated aircraft without strong consideration for reused systems or simple
systems. While ARP4754A section 5 mentions reuse, similarity, and complexity, and section 6 is intended to cover modification
programs, the descriptions in these sections can be unclear and inconsistent.

The majority of aircraft projects are not completely new Products, nor are they entirely comprised of complex and highly integrated
systems. Because ARP4754A does not focus on these conventional types of projects, planning for the use of the ARP4754A
processes becomes difficult. Further complicating such planning is a redundancy with conventional systems certification, which
processes such as DO-178C [4] and DO-254 [5] do not face. Regulatory guidance involving ARP4754A (i.e., AC20-174, AC23-1309-1C
[6], Part 23 ARC [7], and Order 8110.4C [8]) can also be vague and in some cases conflicting.

This work describes a recommended methodology for properly scoping the application of ARP4754A for an aircraft project with new
complex and highly integrated systems along with reused and simple systems. This planning methodology can also be applied on
modification projects allowing for “traditional techniques” where applicable. This work also provides a path forward for potential
changes to sections 5 and 6 in the next revision of ARP4754 to provide clarity and consistency.

CITATION: Voros, R., "Planning for the Application of ARP4754A for New and Modified Aircraft Projects with New, Simple, and Reused
Systems," SAE Int. J. Aerosp. 8(1):2015, doi:10.4271/2015-01-2431.

INTRODUCTION

Aircraft development programs take many forms. While the latest technology or extreme aircraft designs grab the headlines, the majority of programs focus on the routine development of variations to existing designs. “Blank sheet” designs are exciting because they are rare. This story is told in the Federal Aviation Administration's (FAA) Type Certification Data Sheets (TCDS) database [9]. In this database only 1227 TCDSs are used to define the 3403 aircraft models, categorized under the large, small, large/small, and rotorcraft aircraft categories. Revision after revision has added model numbers to each sheet, documenting decades of design reuse and modification. These TCDSs do not include the additional thousands of Supplemental Type Certificates (STCs) which embody programs based on system reuse and aircraft modifications. In many cases, these STCs cross-pollinate legacy systems between aircraft families and companies. From modifications to existing aircraft designs to new designs which reuse systems from legacy aircraft, the majority of aircraft development programs focus on leveraging a company's traditional systems and techniques to take advantage of their proven methods.

While a few manufacturers investigate the leading edge of technology with new, complex and highly integrated systems, aircraft development in the rest of the industry rarely implements leading edge technologies in a wholesale approach. This conventionality is based on practicality. As discussed in “Small Airplane Considerations for the Guidelines for Development of Civil Aircraft and Systems,” [10] not all advanced technologies scale down. In small aircraft, the size of hydraulic actuation systems does not beat the design efficiency of their pure mechanical counterparts. Flight control of small airplanes, including smaller Part 25 airplanes, can easily leverage the average pilot's strength with simple, cable operated systems. It is recognized that as technology in the personal computing world shrinks, so too does the technology in aviation, but the pace within aviation is much slower.

The glass cockpit revolution for commercial aircraft began in the 1980's. A “glass cockpit” features digital flight information on integrated, multi-function displays rather than traditional analog information presented on discrete gauges. Many of these aircraft utilized a combination of complex integrated avionics with a set of
Voros / SAE Int. J. Aerosp. / Volume 8, Issue 1 (September 2015) 73

simpler, federated primary systems - flight controls, landing gear, environmental controls, etc. Examples of aircraft that have been developed with glass cockpits and conventional systems include the Boeing 737-500, 737 Next Generation (NG), 757, 767, and 747-400. Yet, it wouldn't be until the 2000's when similar platforms would become available for the general aviation community.

The development of glass cockpit aircraft was a significant feat and occurred without the more structured techniques offered by standards such as ARP4754A - and in some cases, before the original publication of the ARP. Evidence of the safety of these aircraft can be inferred from the “Statistical Summary of Commercial Jet Airplane Accidents, Worldwide Operations 1959-2013” [11] and the “Commercial Aviation Accidents 1958 - 2013: A Statistical Analysis” [12] issued by Airbus. In this report, glass cockpit aircraft which precede fly-by-wire systems are considered “third generation aircraft” and have accident trends more similar to the “fourth generation aircraft” (fly-by-wire aircraft) than to their predecessors. Many of these glass cockpit aircraft are still in service today, as shown in Table 1, with remarkable safety records and few examples of development errors. We should also not discount the fact that a significant portion of the larger aircraft population operating today in commercial aviation is still of that 1980's revolution and uses a similar mix of conventional systems and targeted advanced technologies as general aviation. Further, fourth generation aircraft such as the Boeing 777 have had exceptional safety records while being designed before the publication of the original revision of ARP4754.

Table 1. “Glass Cockpit” Aircraft Developed without the More Structured Techniques of ARP4754

Today the philosophy of third generation types of programs is alive and well. In general aviation, avionics “glass cockpit” packages are a standard feature of some smaller aircraft designs. These developers are often integrating “off the shelf” packages onto their conventional systems architectures - more similar to the start of the commercial integration in the 1980's than the highly integrated fly-by-wire systems in commercial aircraft.

When guidance is developed for a small portion of the aviation community, complex and highly integrated aircraft, great care must be taken to not forget the mundane reality of the majority of aircraft development programs.

Regulatory Concerns about Systems Development

While the majority of aviation programs continue to leverage conventional designs, regulators have become increasingly concerned with the future growth of complexity seen on a few aircraft programs. For certain, the development of these complex and highly integrated aircraft poses a potentially greater risk of generating errors in design than conventional aircraft. This advanced technology possesses a level of uncertainty that can be masked through the development process, unlike their predecessors. Where testing and increasingly capable analysis tools are able to tease out such faults in more conventional systems, the fear of the unknown is a feasible concern for these complicated and highly integrated systems. In 2011, AC 20-174 identified ARP4754A as a way (but not the only way) to provide development assurance for aircraft and systems to minimize the possibility of development errors. AC 20-174 stated its intent to address “the concern of possible development errors due to the ever increasing complexity of modern aircraft and systems.” This sentiment is repeated in ARP4754A, section 1.2, “While there can be considerable value gained when integrating systems with other systems, the increased complexity yields increased possibilities for errors, particularly with functions that are performed jointly across multiple systems.”

Industry Concerns about Regulatory Conflicts

ARP4754A and its companion, AIR6110, “Contiguous Aircraft/System Development Process Example,” primarily describe development processes for an all new, complex and highly integrated aircraft without strong consideration for reused systems or simple systems despite the prevalence of such systems in the industry. While ARP4754A discusses topics that are essential to planning of ordinary programs such as reuse (sections 5.3.1.5 and 6.6.3), similarity (sections 5.4.6 e, 5.5.5.5, and 6), simplicity (sections 5.2.3.3 and 5.4), and modifications to existing aircraft (section 6), these discussions are approached piecemeal, or, in the case of section 6, inconsistently with the remainder of the ARP. Even though a planning section, section 3, exists and includes many elements of the processes which are covered later in the document, it does not discuss a complete planning concept that aligns with the reality of most aircraft programs. This work proposes a method to comprehensively approach these topics as part of program development planning which could be used on any program type. The proposed method would be part of the planning section of ARP4754A and provide coverage adequate to meet the objectives of sections 3, 4, and 5. Section 6 would be removed, but the intent of this section would be covered in the methodology. The proposed methodology could be viewed as the development assurance applicable elements of section 6.2, “Modification Management Process,” which should be equivalent to section 3, “Planning.”

For the majority of aircraft programs, these topics are the keys to understanding how to appropriately plan for the application of the process to give development assurance coverage where it will provide a benefit. A planning method which includes these considerations is urgently needed in the near term to both provide comprehensive coverage for complex and highly integrated systems, and not burden the development of simpler aircraft or reused systems (particularly, previously Type Certificated (TC) Engines and Technical Standard
Order (TSO) Avionics). The urgency for this planning method is particularly pressing for smaller aircraft. Since the FAA identified Part 23 regulations as being applicable in the AC, a conflict is imminent between the drive for use of the AC 20-174 and the simplified regulatory concepts of the Part 23 Aviation Rulemaking Committee (ARC).

A RECOMMENDED PLANNING METHOD

Central to all aircraft development preparation is the certification planning of the Product. As discussed, the majority of projects are those that are implementing new systems along with systems which are reused or not complex and highly integrated. When planning for the use of ARP4754A, considerations of legacy systems, complexity, and certification basis must be taken into account as allowed by the ARP and AC20-174. To do this, a consistent evaluation method of the program should be conducted to determine if all processes of ARP4754A are applicable. If a system is to be developed by a means other than that defined by ARP4754A, the requirements of that “traditional technique” must be established. This work will first evaluate the requirements of acceptable “traditional techniques” in comparison to ARP4754A, and then discuss the evaluation method which may be conducted to decide to use them.

Defining “Traditional Techniques”

Foundationally, one must identify a common technique that allows ARP4754A to interface with systems developed under the conventional means of Type Certification for projects such as amended TCs, STCs, or reuse of systems from Type Certificated Products. Unlike processes as defined by DO-178 and DO-254, ARP4754A works at a level of detail, aircraft and system, for which there already exists a process to demonstrate the compliance of a significant number of regulatory requirements. System level regulations can be found to define a variety of system aspects including functions, performance, pilot interfaces, and even lever shapes. Because of this, certification plans and compliance reports regarding systems have an unmistakable similarity to ARP4754A's requirements documents and accomplishment summaries. When considering the Type Certification process further, it is easy to see that it covers many of the foundational processes of ARP4754A including: planning, requirements management, validation, verification, configuration management, and process assurance. These processes are already present in all Type Certification projects as required by regulatory authorities, though these processes are not as structured as those defined in ARP4754A. The processes are discussed, though not necessarily by name, through documents such as FAA Order 8110.4C. The following are a few common concepts shared between the ARP and the Type Certification process:

• All Type Certification projects require certification planning to describe how the Product will demonstrate it complies with regulatory requirements. (Order 8110.4C sections 1-6 & 2-3 (d) Certification Plan)
• Certification plans document the regulatory requirements for the project. These requirements include the required definition of functions. For decades, more conventional means of compliance have been adequate to mitigate design errors for systems which were not complex and highly integrated. (Order 8110.4C sections 1-6 & 2-3 (d) Certification Plan)
• The demonstration of compliance relies on a validation that the proposed means of compliance per regulatory requirement is appropriate. Further, a traceable path exists from the requirements source (airworthiness regulations), to verification artifacts (analysis, test, etc.), aircraft configuration, and finally to accomplishment summaries (compliance reports) - similar to ARP4754A tracing of requirements to their verification activity. (Order 8110.4C sections 2-5. a. FAA Involvement, & 2-6. m. Compliance Reports)
• All Type Certification is based on a verification that the aircraft design complies with the regulatory requirements, similar to ARP4754A. (Order 8110.4C section 2-6. J. Compliance Substantiation)
• To enable the processes described above, Type Certification also necessitates a level of configuration management to execute these processes. An applicant must describe how documentation is to be controlled and maintained. (Order 8110.4C sections 2-6. b. Conformity Inspections, g. Analysis, 2-7. F. Data Retention)
• Most foundationally, Type Certification relies on a level of process assurance - a critical process for ARP4754A - in the form of requiring a qualified individual to make a finding of compliance, which involves the review and approval of the artifacts described above against specific criteria. (Order 8110.4C 2-5. b. Oversight and Delegation, and 2-6. c. Applicant Test Plan and FAA Approval, d. Before Witnessing, and g. Analysis)

Therefore, conventional Type Certification inherently provides a set of traditional techniques which align with the more structured techniques of ARP4754A. Since the ARP4754A modification, derivative, and reuse cases will likely involve systems that were not developed with the structured processes of the ARP, the ARP can leverage the Type Certification process itself as a development assurance process, though a less structured one.

This similarity between the ARP and the Type Certification process models, especially as described in Order 8110.4C, is particularly relevant for simpler systems which do not implement a large number of functions. Should the ARP4754A process be used as the certification method, or conversely can the certification process be used as another means of development assurance for these simpler systems? Based on AC20-174, ARP4754A is only intended to cover the 2X.1301 and 2X.1309 regulations, though in multiple Parts - the AC never mentions Part 21. However, the AC does mention the use of “traditional techniques” which are not the same as the “more structured techniques described in ARP4754A.” Not only would such certification data have to be available on modification programs and programs with reused systems, but the processes used to achieve Type Certification would also be present in new programs with systems that are not complex and highly integrated or with previously Type Certificated engines.
To facilitate alignment between ARP4754A and the traditional techniques described above, the processes described by ARP4761 [15] should be used as part of the “traditional techniques.” Within the fundamental process structure of Type Certification described above, the ARP4761 processes provide tools and methods which are fundamental to aligning traditional techniques with the more structured techniques as described in ARP4754A. ARP4761 has also been used for decades without necessitating application of all processes described in ARP4754A for aircraft with systems that were not complex and highly integrated. ARP4761 is also the revision of the ARP that ARP4754A references. Therefore, ARP4761 is a key method for interfacing the traditional techniques used in conventional Type Certification with the more structured techniques in ARP4754A. Tools such as the Functional Hazard Assessments (FHAs) necessitate, though not formally, the development and documentation of functions so that they might be analyzed. Failure Conditions (FCs) documented in these FHAs require some form of documented validation which may include review, analysis, or test. The identifiers of those FCs are used for tracing from their origination through their verification. Verification of safety requirements is documented in the System Safety Assessments (SSAs) and Common Cause Analyses (CCA). All of these activities are configuration controlled and process assurance is provided through the appropriate delegate as necessitated by Type Certification.

Similar to certification basis, the challenge of implementing new systems along with systems which are not changing would also include the management of different Development Assurance Level (DAL) determination methods. For Amended Type Certificates (ATCs) and STCs it is easy to see the inevitable challenge; a surprising conflict in method determination comes from ARP4761, which is yet to be revised. Because it hasn't been revised, ARP4761 still refers back to the original revision of ARP4754 for a DAL determination method, which does not include the use of Functional Development Assurance Levels (FDAL) or Item Development Assurance Levels (IDAL). Other conflicting sources of DAL determination methods come from AC20-174, which, while it identifies the structured techniques of ARP4754A, also provides in section 3 a caveat not just for “traditional techniques,” but for FDAL and IDAL assignments in other ACs which are allowed to take precedence. Together, these potential alternative paths for FDAL and IDAL determination provide a traditional technique for hardware and software DAL. These alternates are likewise appropriate for aligning existing systems with new complex and highly integrated systems. These traditional techniques include previous methods by which the Design Assurance Level (as termed in DO-254) or Development Assurance Level (as described in ARP4754, original revision, and DO-178) were determined. Particular to this legacy DAL determination method, previous standards include PS-ANM-03-117-09 [16] and ARP4754, original revision. In these cases, “DAL” can be considered equivalent to “IDAL” per ARP4754A.

Recommended Program Evaluation Method

The decision tree shown in Figure 1 provides a recommended method of how to assess a Product's and system's conventionality, criticality, and complexity to determine the planning of the application of ARP4754A on the project. While this method determines if a system was able to use traditional techniques for its development, the more structured development techniques described in ARP4754A could still be applied to these systems if the design owner chose.

Product-Level Assessment

This assessment covers the conceptual objectives of ARP4754A section 6.3 Modification Impact Analysis. Since knowledge of the program is required for new aircraft planning, just as it is for modification, an assessment of the aircraft functionality and the role of systems participating in it should be known in either case - new program or modification. Unlike section 6.3, this approach to planning creates a clearer association to all of the recommended practices in ARP4754A sections 3, 4, and 5. The planning for the application of ARP4754A on the project begins once the intended certification basis of the project is understood. The investigation of the regulatory basis occurs outside of the ARP4754A process since certification basis is a concern of the project as a whole, and development assurance is focused on systems aspects. The association of certification planning for a program to ARP4754A in section 5.8 is ambiguous as to the role of development assurance relative to that planning process, while section 6 seems to imply that certification planning is wholly controlled by the development assurance process. The implication of section 6 regarding this concept seems to conflict with the scope of the rest of the ARP and with the regulatory intent of the guidance as shown through the lack of Part 21 references in AC20-174.

Regardless of project scope, the regulatory basis helps determine the scope of tailoring of the ARP4754A process to that project. The date of project application determines the airworthiness regulations applicable to the category of Product. It includes assessing changes to the airworthiness regulations to consider the whole Product and its systems and the advisory materials to introduce new approaches, both qualitative and quantitative, which may be used. Those new approaches assist in determining the safety requirements and establishing compliance with these requirements, and reflect revisions in the rule, considering the whole airplane and its systems. The recommendation introduces the use of development assurance as one of the new approaches. If the project has no change in certification basis, it may be possible to apply traditional techniques in whole.

At the project planning phase, ARP4754A defines an umbrella of Product development and safety data that must be available. This data includes:

1. a list of Product-level functions,
2. high level descriptions of systems including their functionality, interfaces, and interactions (if known),
3. Product-level FCs (likely, from an Aircraft Functional Hazard Assessment),
4. system-level FCs (likely, from System Functional Hazard Assessments), and
5. an explanation of the association of Product-level FCs to system-level FCs. (This explanation may be in the form of a Preliminary Aircraft Safety Assessment.)
Fundamental to this process umbrella, both the Product functions and the system boundaries have to be understood. For unchanged and reused systems, system boundary definition could easily be identified by existing definition. For new systems, complex or simple, a system boundary is defined sufficiently to understand the allocation of Product functions to each applicable system and to understand the high level functional interactions of that system to other systems in the Product architecture.

This data can initially be used to align the Product functions and failure condition sets with the different systems for further evaluation of the applicable design changes, as described in the following paragraphs. To ensure the processes through the project's development are comprehensively applied, legacy systems should be demonstrated to align to their application in the specific planned use and installation in the Product's architecture. This alignment ensures that any traditional techniques from the previous Product are applicable to the system's use in the Product for which the planning occurs.

Aircraft Architecture Evaluation

Figure 1. Development Technique Decision Tree

The following steps illustrated in Figure 1 relate to the evaluation of systems in context to the aircraft architecture discussed in the preceding section. Beyond ARP4754A, this assessment takes into consideration other guidance material regarding the system safety process which may influence the level of involvement for the development assurance process. This process is in line with the objectives of ARP4754A section 6.4, “Modification Categorization and Administration,” which will result in evidence in line with the objectives of section 6.5, “Evidence for Acceptability of a Modification.” Each decision block in Figure 1 has a circled number which refers to the following sub-sections of this section, which describe the intent and practice for that decision.

Listed below are explanations of the decisions identified by circled numbers in Figure 1:

1. Criticality Evaluation

Intent
AC23.1309-1E and the Systems Design and Analysis Harmonization Working Group recommended version of AC 25.1309-1B (Arsenal Draft) [17] both recommended qualitative analysis for systems with only Major criticalities and which are either simple or redundant. If a system has no FCs that are more severe than Major, and there is no need to produce quantitative analysis on any of these FCs, then there is no use of development assurance evidence by the system safety process for that system, and therefore, no need to exercise any further formal development assurance activities.

Practice
For each system, all system-level FCs are compiled and evaluated for criticality. If the most severe FC(s) of a given system is no worse than Major, that FC(s) is evaluated against the project's Product-level FCs to determine if that association requires quantitative analysis be conducted for Major FCs. If none of the critical FCs for a given system requires any more than qualitative analysis, the system can be developed using traditional techniques. Systems which did not meet this criterion continue through further evaluation.

2. Similarity Evaluation

Intent
In line with ARP4754A sections 5.3.1.5, 5.4.6 e, 5.5.5.5, and 6.6.3, the program should be evaluated for reuse and similarity. As mentioned in this work, modification programs, STCs, and ATCs are all programs which must align traditional techniques with the more structured techniques of ARP4754A. Further, the frequent reuse of systems would also align systems developed with traditional techniques with those new systems that require the more structured techniques of ARP4754A. Section 6.6.3 in particular focuses on “Adapting Existing Items or System to a Different Aircraft Type.” Such a rationale should be universally true for modifications and new aircraft programs. Among the recommendations of this section are elements of a similarity analysis. As stated in this section: “If the safety objectives are the same for the proposed installation as they were in the previous installation and provided that an appropriate level of aircraft similarity is established, no additional effort will be required.”

Practice
Systems requiring further analysis are evaluated for similarity to systems on previously certified Products. To conduct this evaluation, information used for the previous certification must be available to the evaluator(s). The information necessary can be ascertained from the following evaluation description. The evaluation involves a study of the system's functional interactions with the Product, with other
systems, and between its components. The understanding of these functional relationships validates the system's similarity and demonstrates the limited impact of any non-functional change relative to the Product, the Product's FCs, and the system's FCs. The evaluation also considers the system components' operating environment and failure modes. Figure 2 shows a decision process that can be used to determine if the new system architecture is similar to previous system architectures on a previously certified Product. Systems found to be similar are reviewed for the development technique which was used for their formation. Systems found not to be similar to those on previously certified Products require further evaluation for complexity and integration.

Figure 2. System Similarity Evaluation

3. Development Assurance Check

Intent
A check must be performed to ensure that any similar system which was developed using more structured techniques such as those defined in ARP4754A continues to do so for the planned program.

Practice
For the systems found to be similar to systems on previously certified Products, a review of the design techniques used for the similar system was conducted. If more structured techniques such as those described in ARP4754A were applied, the system was selected to be developed using those techniques. If these more structured techniques were not used in its development, traditional techniques were selected to be used to develop the system.

4. Evaluation of Complexity and Integration

Intent
As discussed at length in “Small Airplane Considerations for the Guidelines for Development of Civil Aircraft and Systems,” there are several instances, particularly with regard to Part 23 aircraft, where simplicity is a consideration for development rigor. AC23.1309-1E advocates qualitative safety assessments for “simple and conventional mechanical or analog electromechanical systems, or both, with well-established design and certification processes (where the installation is not complex).” In the Systems Design and Analysis Harmonization Working Group recommended version of AC 25.1309-1B (Arsenal Draft), the Depth of Analysis flowchart from AC23.1309-1E is published including the consideration of the system's similarity/conventionality, criticality, and simplicity. These considerations divert the path of quantitative system safety analysis towards qualitative means, but do not divert the path of development assurance. This identification of simple systems in the system safety process challenges the allocation of FDAL to systems which the ACs for 1309 classify as simple. Even ARP4754A alludes to this, though not clearly, in sections 5.2.3.3 and 5.4. A method must be used to not burden systems and aircraft that are not complex and highly integrated with processes which provide them no additional benefit.

Practice
For a system found not to be similar, an evaluation of its complexity was conducted as illustrated in Figure 3. As illustrated, the focus of this evaluation was not an alignment of an existing system to the Product project, but to evaluate systems that are comprehensible to the point that design errors would be obvious. The objective of this evaluation was to explain how it can be shown that these potential design errors are made obvious. There are three major considerations that had to be evaluated to determine if this system could be considered not complex and highly integrated. A “No” answer to any of these steps caused the system to be determined to be complex and highly integrated. First, there had to be a way to show that the analyst could determine the effects of the system's functional failures on other systems. Second, there had to be a way to show that the analyst could determine the effects of other systems' functional failures on the system being analyzed. Third, the analyst had to have a means to show that the system was Fully Analyzable and Testable (FAT). A FAT system is one for which the analyst has the ability to verify the system's correct functional performance with a combination of deterministic tests and analyses under any foreseeable operating conditions with no anomalous behavior. If a system is found to be FAT, it was considered not complex and highly integrated. All systems found not to be complex and highly integrated were selected to use traditional techniques. All other systems were selected to use the more structured techniques such as those described in ARP4754A.
Downloaded from SAE International by Stony Brook Univ, Sunday, August 12, 2018

78 Voros / SAE Int. J. Aerosp. / Volume 8, Issue 1 (September 2015)

It is important to note that the concept of a complex and highly integrated airplane systems architecture is differentiated from a federated systems architecture by its utilization of common hardware and software to support multiple Product system functions. A single system that provides a single function (e.g., providing hydraulic power) to several systems does not automatically cause that shared resource to be considered complex and highly integrated, since its relationship to those other systems, both functionally and as a result of that system's failures, can be understood. In addition, subscribing to inputs from multiple systems does not necessarily make a system complex and highly integrated. For example, a health management system may receive inputs from multiple systems, but it does not use those inputs to support multiple Product-level functions.

Figure 3. Complexity and Integration Evaluation

A significant consideration in this complexity and integration evaluation is the ability to understand the functional and safety requirement relationship of the proposed system relative to the aircraft and the other systems. Part of this evaluation should be open to consider the inherent characteristics of Integrated Modular Avionics (IMA), where application of DO-297 [18] is required. The concept of an IMA is differentiated from the traditional federated line replaceable unit systems architecture by the utilization of "a shared set of flexible, reusable, and interoperable hardware and software resources that, when integrated, form a platform that provides services, designed and verified to a defined set of safety and performance requirements, to host applications performing aircraft functions" (DO-297). Therefore, an IMA is defined with a requirement set that brings it under the umbrella of the process in the same way as a reused system, and the questions of Figure 3 may be answered relative to its application in the Product.

CONCLUSION/RECOMMENDATIONS

As demonstrated in this work, there is an urgent need to explain how the development assurance process described in ARP4754A relates to the real world applications of aircraft development. The majority of aircraft projects are modifications, derivatives, and simple aircraft that may or may not include complex and highly integrated systems. While ARP4754A has many of the elements necessary to describe how such programs may be planned for, these elements are scattered throughout the document. These distributed concepts can be inconsistent with each other, making it difficult for the reader to understand the whole picture of development assurance planning for their particular type of project. The following sub-sections provide recommendations for the next revision of the ARP and for the committee which develops it, both to provide for a more comprehensive and consistent approach to planning for the application of development assurance and to reduce the bias which may have led to its current form.

ARP4754 Revision B Document Recommendations

It is recommended that several sections of ARP4754A be updated to enable consistency in decision making across regulators and manufacturers, and to provide relief from the more structured techniques where traditional methods have been shown to provide adequate coverage to ensure safety and minimize development errors. The methods proposed in this paper may be considered for updates to the following sections:

• Section 3 for planning;
• Sections 5.3.1.5, 5.4.6 e, 5.5.5.5, and 6.6.3 for reuse and similarity;
• Section 5.4 for complex and highly integrated;
• Section 5.2.3.3 for simplicity; and
• Section 6 for planning aspects relative to legacy systems.

It is proposed that a more thorough approach to integrating these sections into the planning section be taken. The current approach to these topics is disjointed and incomplete. As shown, the concepts of planning for application of the ARP to a derivative or modification program are scattered across many sections. A company needs to go through extensive effort to first understand the complete planning method among these scattered parts; then, second, to establish a plan that would be consistent with the ARP and other guidance discussed in this paper; and, finally, to familiarize the regulators with the scattered concepts in the guidance material to align them on the acceptability of that approach. It is proposed that all the scattered information in the various sections mentioned above be consolidated into a clear, concise section which describes these practices as a complete picture. The recommended method presented in this work provides an initial approach to such a section. This consolidated approach would require several examples of the planning process to ensure a complete understanding from beginning to end for several types of projects.

S-18 Committee Recommendations

The intended users of ARP4754B should be reflected in the makeup of the committee which manages it. This should be reflected both in the regulatory Parts to which it is applied (23, 25, 27, 29, 33, & 35) but,
also, in the technical specialties which apply it. Because regulators are applying this ARP broadly across multiple regulatory Parts, and its scope is not limited to specific technologies, committee leadership should actively balance this membership.

By Part

As ARP4754A is applied to more projects, it is becoming increasingly important that all affected parties are adequately represented in the creation of the industry guidelines and to allow a better understanding of the intent and practice of the guidelines. As illustrated in Figure 4, most projects are Part 23 projects. Part 23 aircraft, by their development lifecycle, lend themselves to high frequency, short duration projects. Part 25 aircraft development projects are fewer in number due to their longer development lifecycle. Rotorcraft projects are fewer in raw count still. ARP4754A is also being applied throughout the supply chain; Original Equipment Manufacturers (OEMs) and suppliers are responsible for showing compliance to ARP4754A.

Regardless of the number of projects, the basic fact that ARP4754A is being applied to more and more commercial projects should spark interest from suppliers and OEMs across all Parts. The committee does an excellent job of welcoming all interested parties to the table and should continue, and perhaps increase, its solicitation of participation from other members of industry.

Figure 4. Breakdown of Model Development by Part

By Technology

Whereas DO-178 and DO-254 are scoped by technical content and, therefore, specialty, ARP4754A's expanded scope is not bound by particular types of technology and should consider representation of a variety of technical perspectives. While a balance by regulatory Part may inherently bring some technical balance to the committee, close attention to technical specialty must also be paid. For example, since the original version of ARP4754 was scoped to "Complex or Highly Integrated Systems," the committee likely only attracted those skilled and experienced with such "complex and highly integrated systems." Such a bias would explain the perception that all systems are becoming more complex and highly integrated. Even though there were committee members that worked for companies from all regulatory Parts, the topic likely attracted only the specialists in those companies that were drawn to those types of systems. This bias may also explain why the committee membership listed in the acknowledgements of ARP4754A did not have any representation from companies that solely produced Part 23 aircraft. Specialists from companies which produced both Part 23 and Part 25 aircraft may have been specialists that only supported the more complex end of their Product lines. The addition of more Part 23 manufacturers and suppliers would inherently broaden the technology spectrum to which the ARP is being applied and better round out the experience base of the committee.

REFERENCES

1. SAE International, "Guidelines for Development of Civil Aircraft and Systems," Aerospace Recommended Practice ARP4754A, Rev. Dec. 2010.
2. FAA (Federal Aviation Administration), Advisory Circular 20-174, "Guidelines for Development of Civil Aircraft and Systems," 2011.
3. SAE International, "Contiguous Aircraft/System Development Process Example," Aerospace Information Report AIR6110, Issued Dec. 2011.
4. RTCA (Radio Technical Commission for Aeronautics), Inc., "Software Considerations in Airborne Systems and Equipment Certification," prepared by RTCA SC-167 and EUROCAE WG-12, Washington, D.C., DO-178C, 2011.
5. RTCA, Inc., "Design Assurance Guidance for Airborne Electronic Hardware," prepared by RTCA SC-180, Washington, D.C., DO-254, 2000.
6. FAA, Advisory Circular 23.1309-1E, "System Safety Analysis and Assessment for Part 23 Airplanes," 2011.
7. 14 Code of Federal Regulations (CFR) Part 23 Reorganization ARC, "Recommendations for increasing the safety of small general aviation airplanes certificated to 14 CFR Part 23," 2013.
8. FAA, Order 8110.4C, "Type Certification," 2007.
9. FAA, "Type Certificate Data Sheets (Make Model)," http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgMakeModel.nsf/MainFrame?OpenFrameset, accessed March 2015.
10. Voros, R., "Small Airplane Considerations for the Guidelines for Development of Civil Aircraft and Systems," SAE Int. J. Aerosp. 6(2):578-590, 2013, doi:10.4271/2013-01-2233.
11. Aviation Safety, Boeing Commercial Airplanes, "Statistical Summary of Commercial Jet Airplane Accidents, Worldwide Operations, 1959-2013," Seattle, WA, August 2014.
12. Airbus S.A.S., "Commercial Aviation Accidents 1958-2013: A Statistical Analysis," Blagnac Cedex, France, April 2014.
13. Boeing, "Current Products and Services," http://www.boeing.com/commercial/#/orders-deliveries, accessed March 2015.
14. AIRFLEETS.NET, "Production Summary," http://www.airfleets.net/exploit/exploitation.htm, accessed March 2015.
15. SAE International, "Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment," Aerospace Recommended Practice ARP4761, Issued Dec. 1996.
16. Acting Manager, Transport Airplane Directorate, Aircraft Certification Service, ANM-100, "Policy Statement on Guidance for Determination of System, Hardware, and Software Development Assurance Levels on Transport Category Airplanes," Memorandum PS-ANM-03-117-09, January 2004.
17. FAA, Advisory Circular 25.1309-1B, "System Design and Analysis," Rev. Arsenal Draft (to be released).
18. RTCA, Inc., "Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations," prepared by RTCA SC-200, Washington, D.C., DO-297, 2005.

CONTACT INFORMATION

Robert Voros
Development Assurance Team Leader
Textron Aviation
revoros@txtav.com
316.644.9593

DEFINITIONS/ABBREVIATIONS

AC - Advisory Circular
AIR - Aerospace Information Report
ARC - Aviation Rulemaking Committee
ARP - Aerospace Recommended Practice
ATC - Amended Type Certificate
CCA - Common Cause Analyses
DAL - Development Assurance Level
FAA - Federal Aviation Administration
FAT - Fully Analyzable and Testable
FC - Failure Condition
FDAL - Functional Development Assurance Level
FHA - Functional Hazard Assessment
IDAL - Item Development Assurance Level
IMA - Integrated Modular Avionics
OEM - Original Equipment Manufacturer
RTCA - Radio Technical Commission for Aeronautics
SAE - Society of Automotive Engineers
SSA - System Safety Assessments
STC - Supplemental Type Certificate
TC - Type Certificate
TCDS - Type Certification Data Sheets
TSO - Technical Standard Order