
Using DAL to show compliance to 2x.1309 probability requirement


tb2944 (Aerospace), Sep 29, 2016
I am creating a Fault Tree Analysis for a Part 29 rotorcraft glass cockpit modification. The purpose is to verify compliance to 29.1309 – the design is frozen so unfortunately there is no scope to use the FTA for reliability/DAL allocation.

I know ARP 4754/4761, have a basic knowledge of FTA and have found the NASA Fault Tree Handbook very useful as a reference. I can construct the trees to the level of detail required, but have only incomplete reliability data. However, I do know the DO-178/DO-254 DALs for the displays, etc.

Can anyone confirm for me whether it is acceptable to use DAL in the fault tree (in some way) to arrive at a high-level failure probability? For example, for a display with DO-178 DAL B and DO-254 DAL A, simply include 1E-7 and 1E-9 under an OR gate?

Probably not, since an electronic display's reliability consists of more than software and complex hardware. I know it is also prohibited to conflate DAL with reliability (as opposed to, conversely, using the target reliability to allocate a DAL) (AC 29-2C Fig. AC 29.1309-2 Note 3).

I intend to request reliability data from the manufacturers and see what I can get, but for the time being I just have the DALs.

Many thanks.
 

I don't think it would be appropriate to use DAL as a substitute for reliability.

That said, it is appropriate to determine the safety criticality of the various components and be sure that software developed for those boxes (or the functions within the boxes) was developed to the appropriate DAL level. If a given box is supposed to provide data that requires Level A, and the box was developed to Level B, you have an issue that no amount of fault tree manipulation can resolve.

You need a combination of reliability and development assurance that gets you to the appropriate safety level.
 
DAL and reliability are two separate parts of overall system safety. Reliability deals with random failures of components, while DAL deals with failures or defects of the design. For example, certain software programs were found to be vulnerable to exploits through buffer overflow. That would not be a reliability failure, because the cause is completely non-random and highly deterministic. DO178 coding objectives have to do with whether the design meets its functional requirements; if the functional requirements don't include fault tolerance, then no level of DAL can mitigate reliability failures.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!
 
Many thanks.

I will use the fault trees to support my qualitative argument that equipment DALs are appropriate to the function. I see that it would be inappropriate to use DALs to support calculation of the overall reliability of the function.
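As an added illustration of the conclusion reached in this thread (example code, not posted by anyone here): a small Python fault-tree evaluator that keeps the quantitative argument (only supplier failure rates enter the probability arithmetic) separate from the qualitative one (each basic event's DAL is checked against what the top-event severity demands). The severity-to-DAL table, the conservative "no credit for independence" rule, and all failure rates are constructed assumptions for the sample tree, not values from the thread.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified mapping: hazard classification -> DAL it demands.
REQUIRED_DAL = {"catastrophic": "A", "hazardous": "B", "major": "C", "minor": "D"}
DAL_RANK = {"A": 4, "B": 3, "C": 2, "D": 1, "E": 0}

@dataclass
class Event:
    name: str
    failure_rate: Optional[float] = None  # random failures per flight hour (supplier data)
    dal: Optional[str] = None             # DO-178C/DO-254 level; never used as a probability
    gate: Optional[str] = None            # "OR" or "AND" for intermediate events
    children: list = field(default_factory=list)

def basic_events(ev):
    return [ev] if ev.gate is None else [b for c in ev.children for b in basic_events(c)]

def missing_rates(ev):
    """Basic events that cannot be quantified yet: a DAL does not fill this gap."""
    return [b.name for b in basic_events(ev) if b.failure_rate is None]

def probability(ev, exposure_hours):
    """Quantitative branch: only failure rates enter the arithmetic."""
    if ev.gate is None:
        if ev.failure_rate is None:
            raise ValueError(f"{ev.name}: no failure-rate data (DAL {ev.dal} is not a substitute)")
        return 1.0 - math.exp(-ev.failure_rate * exposure_hours)
    ps = [probability(c, exposure_hours) for c in ev.children]
    if ev.gate == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)  # OR of independent events

def dal_shortfalls(ev, severity):
    """Qualitative branch (assumed conservative rule, no credit for independence):
    every basic event must carry at least the DAL the top-event severity demands."""
    need = REQUIRED_DAL[severity]
    return [(b.name, b.dal, need) for b in basic_events(ev)
            if b.dal is None or DAL_RANK[b.dal] < DAL_RANK[need]]

# Constructed sample tree: attitude lost on both PFDs (classified catastrophic).
def pfd(n, ahrs_dal):
    return Event(f"PFD{n} attitude lost", gate="OR", children=[
        Event(f"PFD{n} display HW", failure_rate=2.0e-5, dal="A"),
        Event(f"AHRS{n} output", failure_rate=1.0e-5, dal=ahrs_dal)])

TOP = Event("Attitude lost on both PFDs", gate="AND", children=[pfd(1, "A"), pfd(2, "B")])

if __name__ == "__main__":
    print(f"P(top) per flight hour = {probability(TOP, 1.0):.2e}")
    print("DAL shortfalls:", dal_shortfalls(TOP, "catastrophic"))
```

With the sample values the AND gate yields roughly 9E-10 per flight hour, while the DAL check separately flags the Level B AHRS feeding a catastrophic top event; neither result can be derived from the other.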
 
TB2944...Adding to what others have provided...

Might find following tangentially useful... plus you did not mention them...

ARP926 FAULT/FAILURE ANALYSIS PROCEDURE (Use ARP4761 for Aircraft Safety Assessment)
ARP1834 FAULT/FAILURE ANALYSIS FOR DIGITAL SYSTEMS AND EQUIPMENT (USE ARP 4761 FOR AIRCRAFT SAFETY ASSESSMENT)
AIAA JA V15#8 SNEAK CIRCUIT AND SOFTWARE SNEAK ANALYSIS
RADC-TR-89-223 IR SNEAK CIRCUIT ANALYSIS FOR THE COMMON MAN
ARINC 672 GUIDELINES FOR THE REDUCTION OF NO FAULT FOUND (NFF)

Regards, Wil Taylor

o Trust - But Verify!
o We believe to be true what we prefer to be true. [Unknown]
o For those who believe, no proof is required; for those who cannot believe, no proof is possible. [variation, Stuart Chase]
o Unfortunately, in science what You 'believe' is irrelevant. ["Orion", Homebuiltairplanes.com forum]
 