The following sections provide a summary of the differences between SAE ARP4761 and ARP4761A. Also, see our Holistic Safety Analysis for Urban Air Mobility and our Regulations and Standards Gap Analysis Approach white papers.
ARP4761
The following is a depiction of the safety approach described by SAE ARP4761:

ARP4761A
The following is a depiction of the safety approach described by SAE ARP4761A:

Differences Summary
The following is a summary comparison between the different versions of the standard:
| | ARP4761 | ARP4761A |
|---|---|---|
| Applicability | “It is primarily associated with showing compliance with FAR/JAR 25.1309. The methods outlined here identify a systematic means, but not the only means, to show compliance. A subset of this material may be applicable to non-25.1309 equipment.” | “It may be used when addressing compliance with certification requirements (e.g., 14 CFR/CS Parts 23, 25, 27, 29 and 14 CFR Parts 33, 35, CS-E and CS-P). It may also be used to assist a company in meeting its own internal safety assessments standards.” |
| In-service safety assessment | No mention of a separate in-service safety assessment. | References ARP5150 “Safety Assessment of Transport Airplanes in Commercial Service” and ARP5151 “Safety Assessment of General Aviation Airplanes and Rotorcraft in Commercial Service.” |
| Tiers | Two tiers are shown. | Two tiers are shown. However, there is now an AFHA and an SFHA as opposed to just an FHA, and the concept of a PASA and an ASA is introduced to analyze integrated systems. |
| Model Based Safety Analysis (MBSA) | No mention of model-based safety analysis. | The concept of a model-based safety analysis and a Failure Propagation Model (FPM) is introduced. Its hierarchical, iterative and progressive nature is highlighted as an advantage over other analysis techniques. |
| Systems Theoretic Process Analysis (STPA) | No mention of STPA. | SAE AIR6913 “Using STPA During Development and Safety Assessment of Civil Aircraft” and ASTM WK60748 “New Guide for Application of Systems-Theoretic Process Analysis to Aircraft” exist separately but, in order to remain “technology neutral,” are not referenced. |
| Single event effects analysis | No mention of single event effects analysis. | AIR6219 “Development of Atmospheric Neutron Single Event Effects Analysis for use in Safety Assessments” is referenced. |
| Analysis of development and design errors, i.e. FDAL/IDAL | Is in ARP4754A and not in ARP4761. | Is in ARP4761A and not in ARP4754B. However, the FDAL/IDAL approach has not changed and does not account for the Part 23 airworthiness level 1-4 and Part 27 class I-IV FDAL/IDAL reductions. |
| Depth of analysis | Specifies that the approach, i.e. qualitative, quantitative or both, should be established. ARP4761 Fig. 4 provides guidance on MAJ failure conditions. | Is more explicit about the relationship between the failure condition classification and the depth of analysis. Also, it defers to advisory circular material. |
| Minimum Equipment List (MEL)/Master Minimum Equipment List (MMEL) | Mentioned by ARP4761 F.5.2 “a scheduled maintenance example.” | The relationship between dispatch relief time and the exposure time derived from a fault tree analysis is explained. The concept of a specific risk analysis, as opposed to an average risk analysis, to derive exposure time is introduced. Also, ARP5107B “Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems” is referenced. |
| Electrical Wiring Interconnect System (EWIS) | ARP4761 precedes the regulatory changes that introduced the EWIS concept. | Applies safety analysis techniques to EWIS. However, EWIS applies to Part 25, not Part 23. Regardless, the EWIS concept is particularly relevant to a UAM aircraft. |
| Human factors | Mentioned by ARP4761 D.6 “FTA analysis definition.” Otherwise not considered or mentioned. | Credit is taken that flight crew and maintenance crew follow documented procedures. Evaluation of human factors is deferred. Neither intentional nor unintentional deviation is considered. |
| Cascading effects analysis | No explicit mention of cascading effects analysis. However, consideration of the cascading effects of a failure condition is standard practice. | Explicitly requires the analysis of the system-level, aircraft-level and multi-system effects of failure modes, combinations of failure modes and failure conditions. |
Adapted Approach
Despite the popularity of ARP4761/4761A-based approaches, in our experience they have the following deficiencies:
- Not knowing how safe the aircraft is until late in the design/development life cycle (when changes are costly)
- Inability to react to unanticipated change
- Aircraft can be over-designed (reliability impact) or under-designed (safety impact)
- Design decisions are not guided by safety
- Development assurance for software and complex hardware with very little requirements validation activity
The following is an adapted approach that incorporates Model Based Safety Analysis (MBSA), e.g. Systems Theoretic Process Analysis (STPA), and is more iterative than ARP4761 and ARP4761A. The benefits of this modified approach are as follows:
- Iterative step-by-step assessment, repeated as necessary to remove conservatism and show compliance with probability budgets
- Support for decisions throughout the design/development life cycle
- Rapid reassessment and ability to assess the impact of changes
- Harmonization of safety process with Model Based Systems Engineering (MBSE) for requirements validation
- Support for the design/development of autonomous and semi-autonomous aircraft and of digital safety systems for pilot workload reduction and Single Pilot Operations (SPO)
