How S-18 processes help make systems trustworthy SAE 2018 Aerospace Standards Summit, October 2, 2018 Presenter: Robert Voros Regulatory Compliance Lead – Development Assurance & System Safety Civil Certification & ODA, Textron Aviation Flight Controls ODA-UM SAE S-18 Committee Chair S-18: Aircraft & Systems Development and Safety Assessment Committee

SAE S-18 Committee Scope/Charter The S-18 Committee brings together qualified specialists for the advancement of aerospace safety and to support effective safety management. It provides a resource for other committees and organizations with common interests in safety and development processes. The committee develops Aerospace vehicle and system: Safety assessment processes Development assurance processes Practices for accomplishing in-service safety assessments S-18’s Core Objective: Assure an inverse relationship between the severity of an aircraft’s failure conditions’ effects and the probability of their occurrences. S-18

Guidelines and methods of performing the safety assessment for the aircraft. S-18 Documents S-18 S-18 S-18 Guidelines for the development, validation, and verification of aircraft systems requirements. Guidelines, methods, and tools to perform the ongoing safety assessment process in service. AIR6110–Contiguous Aircraft/System Development Process Example AIR6218–Constructing Development Assurance Plan for Integrated Systems AIR6219–Incorporation of Atmospheric Neutron Single Event Effects Analysis into Safety Assessment AIR6276–Use Of Modeling And Tools For Aircraft Systems Development (in work) AIR6913 –Using STPA During Development and Safety Assessment of Civil Aircraft (in work) S-18

S-18 Processes Accommodate a Wide Range of Vehicles ARP4754A Process S-18 Processes are structured around aircraft and system functions Function: Intended behavior of a product based on a defined set of requirements regardless of implementation. Therefore, the process can adapt, based on the set of a vehicle’s intended behaviors. Based on AIR6110, Figure 2 S-18

Systematic Assessments of Functions Determines Safety Criticality ARP4761 Process Once the conditions of the aircraft operation are defined, each function is systematically assessed to understand that function’s: Failure conditions, the effects of those conditions, and the severity of those effects Functional Hazard Assessment ARP4761 Process Loss of the Function Effects of Loss on the Aircraft, Crew and Passengers Catastrophic Hazardous Major Minor FUNCTION Failure Condition: A condition having an effect on the aircraft and/or its occupants, either direct or consequential, which is caused or contributed to by one or more failures or errors, considering flight phase and relevant adverse operational or environmental conditions or external events (AMC 25.1309). Malfunction Effects of Malfunction on the Aircraft, Crew and Passengers Catastrophic Hazardous Major Minor ARP4754A Process S-18

The Architecture Informs the Safety Requirements ARP4754A Process Function Procedures System Behaviors Mechanism Definition The balance of these attributes depends on the aircraft. Procedures System Behaviors Mechanism Definition Procedures Mechanism Definition System Behaviors A system architecture is established including the definition of the mechanisms which will produce the functionality, the behaviors they will provide, and the procedures necessary for appropriate operation. Procedures Mechanism Definition System Behaviors S-18

Safety Requirements are Used to Reduce the Occurrence of Failure Conditions Based on their Severity ARP4761 Process Procedures System Behaviors Mechanism Definition Preliminary System Safety Assessment Flight Maintenance Development Assurance Levels Independence Probability of Failure ARP4761 Process Severity Development Assurance Levels Activity per Severity Independence per Severity Probability of Failure Catastrophic A Assure Correctness and Completeness, Implementation Verification Validation Activity Independence, Verification Activity Independence, No single failures 1E-9 Hazardous B Validation Activity Independence, Verification Activity Independence 1E-7 Major C 1E-5 Minor D As negotiated 1E-3 S-18

How S-18 Processes Help make Systems Trustworthy S-18 processes provide a flexible framework within which a variety of configurations can be developed, assessed, and demonstrated to be safe. These processes provide assurance that: all functions, no matter their complexity, provided by an aircraft are systematically and comprehensively assessed; the most safety critical aspects of the aircraft’s systems are identified; that criticality drives both the aircraft’s systems’ architecture and its development process; and the final design can be shown to address these critical safety aspects S-18

How does Artificial Intelligence and Big Data Fit in to S-18 Processes? Procedures Mechanism Definition System Behaviors The S-18 Processes work on the idea that the aircraft functions are defined and knowable, and unintended behaviors are identifiable. Depending on implementation, this premise can be challenged by Artificial Intelligence. How can we address this? Define objectives, requirements, and constraints of Artificial Intelligence, Assure the AI is bound by constraints (what it shouldn’t be doing), and Show that the constraints cannot be overridden by the AI. This is conceptually similar to the treatment of the flight crew in a Full Fly-By-Wire system, which is bound based on human/machine interfaces S-18

Contact Information Bob Voros Regulatory Compliance Leader - Development Assurance & System Safety Civil Certification & ODA Textron Aviation 316.517.3856 OFFICE 316.644.9593 MOBILE revoros@txtav.com Committee Website: http://www.sae.org/servlets/works/committeeHome.do?comtID=TEAS18 S-18